Support » Plugin: Slimstat Analytics » TrojanDownloader:097M/Donoff detected in archive

  • [Resolved] iaps (@iaps)



    Trojan was detected by both Wordfence (when installing via WP Updates) and by Microsoft Security Essentials. I have since deleted this plugin from all my sites.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Jason Crouse (@coolmann)

    Hi,

    Thank you for your message. We are not aware of any issues. I suspect a false positive. Does that software say exactly which file is affected? It would help me narrow down the issue and fix it.

    Best,
    Jason

    catmaniax (@catmaniax)

    That’s really weird!

    To my surprise, I can also confirm this.
    I just downloaded Slimstat from the repository here and uploaded it on virustotal.

    Here are the results:

    https://www.virustotal.com/#/file/8242c67a4feda469f5e44b4aa26e06a2d830e498420f74d26047e5783d42bc24/detection

    2 trojans found. I hope it’s a false positive.
    Can you please look into it Jason?

    Plugin Author Jason Crouse (@coolmann)

    I’m still confused. Which file exactly seems to contain this trojan? We package our source code meticulously and use reputable third-party packages. Also, if you quickly google that Trojan file referenced by Microsoft, you’ll find this page:

    https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TROJANDOWNLOADER:O97M/DONOFF

    As you can read on that page, this Trojan infects Microsoft Word files, and as far as I know, there are NO such files in our plugin, I’m pretty sure of that.

    It’s definitely a false positive, where unfortunately the signature of our zipped file matches some signature associated with that trojan. I’m pretty sure this will go away once we release the next update in a few days.

    If you have proof that there is harmful code in Slimstat beyond what 2 antivirus engines out of about 100 say, then please contact our support team and we will fix the issue right away.

    As you know, our users’ security is our first priority.

    Best,
    Jason

    From Microsoft Security Essentials:

    Category: Trojan Downloader

    Description: This program is dangerous and downloads other programs.

    Recommended action: Remove this software immediately.

    Items:
    containerfile:C:\Users\iaps\Downloads\wp-slimstat.4.7.2.2.zip
    file:C:\Users\iaps\Downloads\wp-slimstat.4.7.2.2.zip->wp-slimstat/admin/view/index.php->(SCRIPT0021)
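The Security Essentials report above is the answer to Jason's question: the detection is on a single member of the archive (wp-slimstat/admin/view/index.php), not on an Office document. When an archive is flagged, the first triage step is to enumerate its members, hash each one so it can be looked up or scanned individually, and confirm whether the archive even contains the file type the named malware family targets (O97M/Donoff is an Office macro downloader). The following Python script does exactly that. It is an added example, not code from the Slimstat project or from anyone in this thread; the sample archive it builds is constructed in memory (two placeholder PHP files plus one fake .doc member added purely to show the flagging path), and the archive-level SHA-256 it prints is the value you would compare against the hash in a VirusTotal URL.

```python
import hashlib
import io
import os
import zipfile

# Extensions used by Office documents that can carry VBA macros (the O97M family's hosts).
OFFICE_EXTENSIONS = {
    ".doc", ".docm", ".dot", ".dotm",
    ".xls", ".xlsm", ".xlt", ".xltm",
    ".ppt", ".pptm",
}
# Magic bytes of the legacy binary Office (Compound File Binary) container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _looks_like_office(name, data):
    """Heuristic: flag members that are Office documents by extension, OLE magic,
    or an OOXML container that embeds a VBA project."""
    ext = os.path.splitext(name.lower())[1]
    if ext in OFFICE_EXTENSIONS:
        return True
    if data.startswith(OLE_MAGIC):
        return True
    if data.startswith(b"PK"):  # OOXML (.docx/.xlsx/...) is itself a zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                return any(n.lower().endswith("vbaproject.bin") for n in inner.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage_archive(zip_bytes):
    """Return the archive hash, a per-member list (name, size, sha256) and the
    names of any members that look like Office documents."""
    members = []
    office_like = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            members.append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            if _looks_like_office(info.filename, data):
                office_like.append(info.filename)
    return {
        "archive_sha256": hashlib.sha256(zip_bytes).hexdigest(),
        "members": members,
        "office_like": office_like,
    }


def build_sample_archive():
    """Constructed stand-in for a plugin zip (not the real wp-slimstat archive):
    two placeholder PHP files and one fake OLE document so the flagging path runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("wp-slimstat/wp-slimstat.php", "<?php\n// plugin bootstrap (constructed placeholder)\n")
        zf.writestr("wp-slimstat/admin/view/index.php", "<?php\necho 'admin view (constructed placeholder)';\n")
        zf.writestr("wp-slimstat/unexpected.doc", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    print("archive sha256:", report["archive_sha256"])
    for m in report["members"]:
        print(f"{m['sha256']}  {m['size']:>8}  {m['name']}")
    print("office-like members:", report["office_like"] or "none")
```

Run it against a real download by replacing `build_sample_archive()` with `open("wp-slimstat.4.7.2.2.zip", "rb").read()`. If `office_like` comes back empty, a macro-downloader verdict can only be a signature collision on one of the listed members, and the per-member hash lets you submit just that file for a second opinion instead of the whole archive.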

    Saša (@stodorovic)

    From my quick research, it seems that the following code is reported as a “virus”:

    // Original: builds the month <select>, calling substr()/zeroise() in both branches
    for ($i = 1; $i <= 12; $i++) {
        if (!empty(wp_slimstat_db::$filters_normalized['date']['month']) && wp_slimstat_db::$filters_normalized['date']['month'] == $i)
            echo "<option value='$i' selected='selected'>" . substr($GLOBALS['month'][zeroise($i, 2)], 0, 3) . "</option>";
        else
            echo "<option value='$i'>" . substr($GLOBALS['month'][zeroise($i, 2)], 0, 3) . "</option>";
    }

    But this equivalent code passes:

    // Same output; the abbreviation is computed once per iteration, which changes the byte pattern
    for ($i = 1; $i <= 12; $i++) {
        $i_month = substr($GLOBALS['month'][zeroise($i, 2)], 0, 3);
        if (!empty(wp_slimstat_db::$filters_normalized['date']['month']) && wp_slimstat_db::$filters_normalized['date']['month'] == $i)
            echo "<option value='$i' selected='selected'>" . $i_month . "</option>";
        else
            echo "<option value='$i'>" . $i_month . "</option>";
    }

    So, it’s definitely a false positive report.

    PS: A possible replacement for the previous code:

    // Uses WordPress' own locale object for the month name and its abbreviation
    global $wp_locale;
    $month_abbrev = $wp_locale->get_month_abbrev( $wp_locale->get_month( $i ) );
    • This reply was modified 10 months ago by  Saša.
    catmaniax (@catmaniax)

    I’m glad it’s a false positive 🙂

    chenryahts (@chenryahts)

    I also had this in Windows Defender

    Plugin Author Jason Crouse (@coolmann)

    Thank you, all. We are going to update our code to remove this false positive per Saša’s suggestion.

    Best,
    Jason
