Bug 62409 - Trojan in Windows Service Installer
Summary: Trojan in Windows Service Installer
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Packaging
Version: 7.0.88
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2018-05-25 14:10 UTC by Jens-D. Doll
Modified: 2018-05-30 06:18 UTC
Description Jens-D. Doll 2018-05-25 14:10:37 UTC
Today my machine, Win10, told me that there was a Trojan in the "32-bit/64-bit Windows Service Installer" for Tomcat 7.0.88, called Win32/Vigorf.A. It is independent of the mirror and happened under several mirrors. The other versions of Tomcat, 8 and 9, do not show an infection.

My machine was infected several days ago. The IDE showed a strange behaviour and I had to reinstall, which took me a lot of effort.
Comment 1 Eduardo Guadalupe Quintanilla 2018-05-25 16:25:20 UTC
I tested the released file with virustotal and it is detecting some problems.

SHA256:        3091b51e650e3ae6b19d22e6cec60bd7ce4a97f4101f44f202cf857bbb2eadcb
Name:          apache-tomcat-7.0.88.exe
Detections:    4 / 61
Analysis date: 2018-05-25 16:17:28 UTC (5 minutes ago)

Antivirus             Result                          Update
Bkav                  HW32.Packed.DE46                20180524
McAfee-GW-Edition     BehavesLike.Win32.Dropper.rc    20180525
Microsoft             Trojan:Win32/Vigorf.A           20180525
TrendMicro-HouseCall  Suspicious_GEN.F47V0512         20180525
Comment 2 Mark Thomas 2018-05-25 20:08:58 UTC
That the four different AV products each report a different issue is suggestive of a false positive.

Looking more closely:

Win32/Vigorf.A is a heuristic detection designed to generically detect a Potentially Unwanted Program

BehavesLike.Win32.Dropper.rc is a commonly seen false positive with the NSIS installer

Given that the Windows installer installs a Windows service, edits the registry, etc., false positives are not uncommon.

My fully patched Windows desktop runs the installer without any problems.

All the evidence is that this is a false positive.
Comment 3 Eduardo Guadalupe Quintanilla 2018-05-25 23:36:22 UTC
It must be a false positive.

In Windows 10 (10.0.17134.48) with Windows Defender activated the installer download is blocked automatically with a message that a virus was found.

Maybe something could be done to report the false positive to Microsoft. I will investigate if Microsoft has some procedure for those cases.
Comment 4 Jens-D. Doll 2018-05-26 07:20:26 UTC
A false positive does not explain that the Tomcat 8 and 9 installers do not contain such a pattern. So there must be something very suspicious in the Tomcat 7 installer.
Comment 5 Mark Thomas 2018-05-26 15:41:03 UTC
I tested a range of versions. The results were:

7.0.84 Bkav
7.0.85 Bkav, TrendMicro-HouseCall
7.0.86 Bkav
7.0.88 Bkav, TrendMicro-HouseCall, Microsoft, McAfee-GW-Edition

8.0.41 OK
8.0.42 OK
8.0.49 Bkav
8.0.50 Bkav
8.0.51 Bkav, TrendMicro-HouseCall, McAfee-GW-Edition
8.0.52 Bkav, TrendMicro-HouseCall, McAfee-GW-Edition

8.5.19 Bkav, TrendMicro-HouseCall, Rising
8.5.20 TrendMicro-HouseCall
8.5.21 Bkav
8.5.24 OK
8.5.28 OK
8.5.29 OK
8.5.30 OK
8.5.31 OK

All the files that were OK were digitally signed as part of the build process.

All the files that were not OK were not digitally signed as part of the build process.

The signing service has been unavailable for periods (hence why some 8.5.x releases are unsigned) and the 7.0.x build process has not been updated to integrate the signing process.

The variation in scanners reporting issues is consistent with differences in heuristic scans between virus scanners.

The 8.5.x releases were all performed on the same Windows VM. The VM is always fully patched before any release. The VM has only ever been used to perform Tomcat releases. At no point has the AV on that VM ever reported any virus.

The reports above are consistent with other reports of false positives in other projects using the NSIS installer.

The 8.5.x results alone are sufficient to convince me that this is a false positive. The 7.0.x and 8.0.x results are consistent with that conclusion.

All the evidence points towards this being a false positive.

None of the evidence points toward this being a genuine infection.
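A defender-side triage check suggested by the correlation in Comment 5 between unsigned builds and heuristic hits: compare a downloaded installer's SHA-256 against the published value and test whether the PE carries an Authenticode signature blob at all. This is an added example, not Tomcat project code; the minimal PE32+ header is constructed inline for demonstration, and the parser only detects signature presence (a non-empty IMAGE_DIRECTORY_ENTRY_SECURITY entry), not signature validity, which still needs signtool or Get-AuthenticodeSignature.

```python
import hashlib
import struct

# SHA-256 reported for apache-tomcat-7.0.88.exe in Comment 1; the file itself is not embedded.
PUBLISHED_SHA256 = "3091b51e650e3ae6b19d22e6cec60bd7ce4a97f4101f44f202cf857bbb2eadcb"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def has_authenticode_blob(pe: bytes) -> bool:
    """True if the PE's security data directory (index 4) is non-empty, i.e. a
    WIN_CERTIFICATE blob is attached. Presence only; the chain is not verified."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                       # skip PE signature + COFF header
    if opt + 2 > len(pe):
        return False
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    sec = dirs + 4 * 8                            # entry 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
    if sec + 8 > len(pe):
        return False
    offset, size = struct.unpack_from("<II", pe, sec)
    return offset != 0 and size != 0

def build_fake_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header, just enough for has_authenticode_blob()."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    hdr += b"\0" * (e_lfanew - len(hdr))
    hdr += b"PE\0\0" + b"\0" * 20                  # COFF header fields are unused here
    opt = bytearray(112 + 16 * 8)                 # PE32+ optional header with 16 dirs
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    if signed:
        # Point the security directory just past the headers with a non-zero size.
        struct.pack_into("<II", opt, 112 + 4 * 8, len(hdr) + len(opt), 0x100)
    return bytes(hdr + opt)

def assess(installer: bytes, published_sha256: str) -> dict:
    """Does the download match the published hash, and is a signature blob attached?"""
    return {
        "hash_matches": sha256_hex(installer) == published_sha256.lower(),
        "has_signature": has_authenticode_blob(installer),
    }
```

Run assess() on the real download and the .sha256 value from the Tomcat download page; a mismatching hash is a reason to discard the file regardless of what the AV heuristics say.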
Comment 6 Jens-D. Doll 2018-05-28 11:48:36 UTC
Just one question: Why did you omit signing of binaries in your recent releases?
Comment 7 Christopher Schultz 2018-05-29 19:58:42 UTC
Bugzilla is not a support forum.

Please bring discussions onto the users mailing list.
Comment 8 Jens-D. Doll 2018-05-30 06:18:09 UTC
Leaving out an important task in the development (build) process can downgrade the whole product. You should be aware of open doors for attacks.