2022-05-29: APP 2.0.0-beta2 has been released!
XCSSET malware infection in 2.0.0-beta2?


(@virjonen)
Molecular Cloud Customer
Joined: 4 years ago
Posts: 7
Topic starter  

Hi,

I was trying to install the 2.0.0-beta2 on my MacBook Pro. My antivirus software interfered (Intego) telling me there is an infection of XCSSET malware in /Applications/astropixelprocessor.app/Contents/MacOS/universalJavaApplicationStub and it quarantined the file.

[screenshot: the VirusBarrier alert quarantining universalJavaApplicationStub]

After this I deleted the installation files and went back to the 1.083. I have not tested the 2.0.0-beta1.

Best Regards,
A-P

 


(@mabula-admin)
Quasar Admin
Joined: 5 years ago
Posts: 3183
 

Hi Virjonen @virjonen,

Thank you very much for reporting this. I will investigate this of course with high priority.

The universalJavaApplicationStub code is the startup script that runs APP 2.0.0 on macOS, and that script definitely does not contain XCSSET malware; I compiled the script myself to make it an executable. And then Apple approved this, because the whole package was notarized by Apple. So it seems quite likely that your anti-virus is giving a false positive here, but to be sure I will scan all my Mac computers for this problem and see what comes up.

Will report back as soon as I know more 😉

Mabula


(@mabula-admin)
Quasar Admin
Joined: 5 years ago
Posts: 3183
 

@virjonen, is this on an Intel Mac or an ARM/M1 Mac?


(@virjonen)
Molecular Cloud Customer
Joined: 4 years ago
Posts: 7
Topic starter  

@mabula-admin Intel MacBook Pro with Monterey Version 12.4.


(@philpaul3aol-com)
Hydrogen Atom Customer
Joined: 4 years ago
Posts: 1
 

Same here. VirusBarrier 10.9.63 with the latest virus descriptions alerted me to

universalJavaApplicationStub - OSX/XCSSET

Intel 5K iMac running macOS Monterey 12.4.

I wanted to try APP 2.0.0 β2 because APP 1.083.2 is failing Star Analysis on my subs (green especially) which, as far as I can tell, are fine. In fact, it has failed some subs that look better than others that are accepted.


(@mabula-admin)
Quasar Admin
Joined: 5 years ago
Posts: 3183
 

Hi Philip @philpaul3aol-com and @virjonen,

I have taken a very long time to investigate this issue, and I can only conclude at the moment that your virus scanners are very likely giving a false positive on a possible XCSSET infection.

I use Bitdefender Total Security, which has a very good reputation and definitely knows the XCSSET infection. It does not find it on any of my Macs, and it does not find it in the beta2 release.

To add to this: the universalJavaApplicationStub is a small script that starts APP on your Mac, which I compile to a binary on my Macs during the build of the DMG installers.

This script simply does not contain XCSSET.

Furthermore, XCSSET is spread using Xcode, which is NOT used/involved in my development environment to create the Mac installers for APP. So that alone makes it impossible for the DMG to contain it, I think.

https://www.intego.com/mac-security-blog/mac-malware-exposed-xcsset-an-advanced-new-threat/

"One of the most interesting things about XCSSET is that its main target seems to be developers who use Apple’s Xcode app. An Xcode project infected by XCSSET can lead to malicious code being executed on a developer’s computer."

Xcode is simply not used by us, since we develop cross-platform, which leads me to conclude that your virus scanners are unfortunately not accurate here.

I will not close this issue for now, but at the moment I cannot do more, I think, to give you a more satisfying answer.

I understand that you both use Intego VirusBarrier, right? So please be open to the possibility that Intego is not accurate here, since other anti-virus packages report 2.0.0-beta2 as clean/not infected.

Mabula

 


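The reasoning in the post above (the stub is a launcher script compiled to a binary, the bundle is notarized, another scanner reports it clean) can be checked locally instead of taken on trust from either the vendor or the AV product. The script below is an added example written for this thread; it is not the APP project's own tooling and not part of the original discussion. It assumes a POSIX shell with `od` and `sha256sum` or `shasum`; the `codesign`/`spctl` checks are macOS-only and are skipped elsewhere. The quarantined path is the one reported in the thread.

```shell
#!/bin/sh
# Added example (not from the APP project or this forum): triage a file an AV
# product has quarantined before accepting "false positive" or "infected".
# Three independent signals: what kind of file it really is, its SHA-256 (to
# look up or compare against the vendor's DMG), and the bundle's code
# signature / notarization status as Gatekeeper sees it.

# classify_binary FILE -> prints: script | macho | macho-fat | other
# Decides from the first four bytes whether the "compiled script" is a plain
# text launcher (shebang) or a real Mach-O executable.
classify_binary() {
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$magic" in
        2321*)             echo "script" ;;     # "#!" : plain text shell/Java launcher
        cffaedfe|feedfacf) echo "macho" ;;      # MH_MAGIC_64, little-/big-endian on disk
        cefaedfe|feedface) echo "macho" ;;      # 32-bit MH_MAGIC
        cafebabe|bebafeca) echo "macho-fat" ;;  # universal binary (x86_64 + arm64);
                                                # note: Java .class files share this magic
        *)                 echo "other" ;;
    esac
}

# sha256_of FILE -> prints the hex digest; portable across Linux (sha256sum)
# and macOS (shasum -a 256). Compare against a hash computed from a freshly
# downloaded DMG, or submit the hash to a multi-engine scanner.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_macos_signature APP_BUNDLE -> 0 if the bundle's signature is intact
# and Gatekeeper would accept it (a notarized Developer ID app prints
# "source=Notarized Developer ID"). Skipped when not on macOS.
verify_macos_signature() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available (not macOS); skipping signature check"
        return 0
    fi
    # --deep walks nested code; --strict applies current signing rules
    codesign --verify --deep --strict --verbose=2 "$1" || return 1
    spctl --assess --type execute --verbose=2 "$1" || return 1
}

# triage STUB_PATH: run all three checks on a file inside an .app bundle,
# e.g. /Applications/astropixelprocessor.app/Contents/MacOS/universalJavaApplicationStub
triage() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }
    echo "type:   $(classify_binary "$f")"
    echo "sha256: $(sha256_of "$f")"
    # Contents/MacOS/<stub> -> the .app bundle is three directories up
    verify_macos_signature "$(dirname "$(dirname "$(dirname "$f")")")"
}

# Usage (after the quarantine is released, or on a fresh install):
#   . ./triage.sh
#   triage /Applications/astropixelprocessor.app/Contents/MacOS/universalJavaApplicationStub
```

A clean `codesign`/`spctl` result only shows that the file Apple notarized is the file on disk, not that it is benign; that is exactly why the hash is worth recording and checking against the vendor's own download and against other engines before choosing which scanner to believe.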
(@virjonen)
Molecular Cloud Customer
Joined: 4 years ago
Posts: 7
Topic starter  

Hi @mabula-admin,

You're right, it's likely a false positive. I think I should contact Intego about this and see if they can tell us more and/or fix the likely false detection.

Will keep you posted,
A-P


(@mabula-admin)
Quasar Admin
Joined: 5 years ago
Posts: 3183
 

Hi @virjonen,

Thanks a lot! That can only help 😉

Mabula


(@virjonen)
Molecular Cloud Customer
Joined: 4 years ago
Posts: 7
Topic starter  

Hi @mabula-admin,

Ping @philpaul3aol-com as well.

I just received a reply from Intego support. Like you suspected, it was a false positive and they have now fixed the definitions. I updated VirusBarrier and installed 2.0.0-beta2. No errors and everything works now.

Here is the reply from Intego:

---

Support Intego (Intego)

Aug 5, 2022, 02:49 CDT

Dear Intego Customer,
 
This is a false positive which has been fixed with new 2022080401 virus definitions.
 
Please check for updates with NetUpdate.
And remove this entry from the Quarantine or the Trusted Items list.
 
Please let us know if you have any other questions.
 
Sincerely,
The Intego European Support Team.
 
---
 
It is important to be careful with everything related to cybersecurity these days. Thank you for investigating!
 
"Case closed" 😉 
 
Best Regards,
A-P
 

(@mabula-admin)
Quasar Admin
Joined: 5 years ago
Posts: 3183
 

Hi @virjonen,

Excellent, thank you very much for contacting Intego about this. I am glad that they have confirmed it was a false positive 🙂 !

Mabula

