Malware found in MRO 3.3.0 for OSX

  • Question

  • Just downloaded and installed MRO 3.3.0. Intego Virus scanning found the following. Looks like there's a hitchhiker in the Mac OSX 3.3.0 release.

    7/26/16, 2:56:04 PM | Scan - Malware Found (1 scanned, 1 infected, 1 repaired): Macintosh HD ▸ Library ▸ Frameworks ▸ R.framework ▸ Versions ▸ 3.3 ▸ Resources ▸ library ▸ file418628a08195 ▸ openssl ▸ libs ▸ openssl.so.dSYM ▸ Contents ▸ Resources ▸ DWARF ▸ openssl.so
    7/26/16, 2:56:04 PM | Scan End
    7/26/16, 2:56:04 PM | Repaired (Trojan: OSX/Flashback.N): Macintosh HD ▸ Library ▸ Frameworks ▸ R.framework ▸ Versions ▸ 3.3 ▸ Resources ▸ library ▸ file418628a08195 ▸ openssl ▸ libs ▸ openssl.so.dSYM ▸ Contents ▸ Resources ▸ DWARF ▸ openssl.so
    7/26/16, 2:56:04 PM | Infected (Trojan: OSX/Flashback.N): Macintosh HD ▸ Library ▸ Frameworks ▸ R.framework ▸ Versions ▸ 3.3 ▸ Resources ▸ library ▸ file418628a08195 ▸ openssl ▸ libs ▸ openssl.so.dSYM ▸ Contents ▸ Resources ▸ DWARF ▸ openssl.so
    7/26/16, 2:56:04 PM | Scan Start
    7/26/16, 2:55:48 PM | Real-Time Scan - Malware Found (1 scanned, 1 infected, 0 repaired): Macintosh HD ▸ Library ▸ Frameworks ▸ R.framework ▸ Versions ▸ 3.3 ▸ Resources ▸ library ▸ file418628a08195 ▸ openssl ▸ libs ▸ openssl.so.dSYM ▸ Contents ▸ Resources ▸ DWARF ▸ openssl.so
    7/26/16, 2:55:48 PM | Infected (Trojan: OSX/Flashback.N): Macintosh HD ▸ Library ▸ Frameworks ▸ R.framework ▸ Versions ▸ 3.3 ▸ Resources ▸ library ▸ file418628a08195 ▸ openssl ▸ libs ▸ openssl.so.dSYM ▸ Contents ▸ Resources ▸ DWARF ▸ openssl.so

    Tuesday, July 26, 2016 7:06 PM

All replies

  • Hi, David,

    It does appear that your installation has a hitchhiker (the mysterious file418628a08195), but I am unable to find it in our installer, so I am at a loss to explain how it came to be on your system.

    I've scanned our installer with Intego and Malwarebytes and found nothing; on my systems, there is no "file*" under Library/Frameworks/R.framework/Versions/3.3/Resources/library (there should only be R packages there), and no openssl libraries anywhere under Library/Frameworks/R.framework.

    Did you compare the SHA256 hash code of your download with the published version on mran.microsoft.com?

    Cheers,

    Rich Calaway (richcala@microsoft.com)

    Microsoft R Release Manager

    Tuesday, July 26, 2016 10:06 PM
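
Added example (not code from the thread's participants or from Microsoft): a Python sketch of the two checks raised in the reply above, comparing a download's SHA-256 with a published value and listing anything under an R library directory that is not an installed package, with file hashes that can be handed to an antivirus vendor. It assumes an installed R package directory has a top-level DESCRIPTION file; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so a large installer is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def installer_matches(path, published_hex):
    """True if the download's SHA-256 equals the published value (case-insensitive)."""
    return sha256_file(path) == published_hex.strip().lower()

def audit_library(lib_dir):
    """Map each library entry that is not an installed package to its file hashes.

    Assumption: an installed R package directory has a top-level DESCRIPTION file.
    """
    findings = {}
    for name in sorted(os.listdir(lib_dir)):
        entry = os.path.join(lib_dir, name)
        if os.path.isfile(os.path.join(entry, "DESCRIPTION")):
            continue  # looks like a normal package
        hashes = {}
        for root, _dirs, files in os.walk(entry):  # yields nothing for plain files
            for fn in files:
                path = os.path.join(root, fn)
                if not os.path.islink(path):  # do not follow links out of the library
                    hashes[os.path.relpath(path, lib_dir)] = sha256_file(path)
        if os.path.isfile(entry) and not os.path.islink(entry):
            hashes[name] = sha256_file(entry)
        findings[name] = hashes
    return findings

def build_demo_library():
    """Constructed sample tree: one package plus a stray directory as in the scan log."""
    lib = tempfile.mkdtemp()
    stray = os.path.join(lib, "file418628a08195", "openssl", "libs")
    os.makedirs(os.path.join(lib, "stats"))
    os.makedirs(stray)
    with open(os.path.join(lib, "stats", "DESCRIPTION"), "w") as fh:
        fh.write("Package: stats\n")
    with open(os.path.join(stray, "openssl.so"), "wb") as fh:
        fh.write(b"abc")  # constructed placeholder bytes, not a real library
    return lib

if __name__ == "__main__":
    for name, hashes in audit_library(build_demo_library()).items():
        print(name, hashes)
```

On a real system, `audit_library` would be pointed at the `Resources/library` directory named in the scan log, and `installer_matches` at the downloaded installer together with the hash published on the download site.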
  • Thanks for checking the release. Downloading again and checking hash codes would be a good idea. I got in a hurry today and didn't check the download. Didn't think of it because every other time they've always matched. Maybe something happened in transit :-).
    Tuesday, July 26, 2016 11:54 PM
  • BTW, if you could, please post the version of Mac OS X you are running (and which version of Java).

    Cheers,

    Rich

    Tuesday, July 26, 2016 11:58 PM
  • I'm running OSX 10.11.6 and Java:

    java -version
    java version "1.6.0_65"
    Java(TM) SE Runtime Environment (build 1.6.0_65-b14-468-11M4833)
    Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-468, mixed mode)

    Just downloaded the installer again, verified the checksum and installed. The offending folder 'file418628a08195' doesn't exist. 

    At the time the error came up I was running a package install script that was installing a lot of packages. Perhaps something in that process produced this? I've run the script several times on Windows machines, but don't recall running it on the Mac. None of the Windows machines have real-time virus scanning, but the Mac does.

    Wednesday, July 27, 2016 12:29 AM
  • Hi, David--

    Thanks for the info. From what I've read, your machine configuration shouldn't be vulnerable to the Flashback Trojan--so I remain puzzled by what you've seen. But after your re-install, your R.framework seems clean?

    Thanks!

    --Rich

    Wednesday, July 27, 2016 12:40 AM
  • Found something similar at the link below. It was a false positive detection by the Intego software back in May 2016. I had recent virus definitions installed, but maybe the problem wasn't fully corrected. This does suggest though that the file came in during the package installs. There are text analytics packages included in the install list.

    https://github.com/IBMPredictiveAnalytics/Word_Cloud_Visualization/issues/1

    Wednesday, July 27, 2016 12:43 AM
  • I've verified with Intego that this is a false positive detection on a file in the openssl package. The virus definitions as of 8/4/2016 have been updated and the problem has been resolved.
    Friday, August 5, 2016 3:22 PM
  • Thanks for the update, David!
    Friday, August 5, 2016 3:26 PM