Virus / Trojan detected?

[Darthajack]

EDIT/UPDATE: Seems like a false positive. Probably nothing to worry about. Only one of Virustotal's 50+ malware detectors found anything, and running a new scan it finds nothing. In this long discussion, the developer provides detailed explanation of the results.

Initial text:
VirusTotal detects Trojan.Win64.Agent.HGU in latest release 1.5.
The sandbox installation also detects some port scans and DNS lookups. Highly unusual for an app that is supposed to only manage the battery and power....

[mhaeuser]

You could at least superficially inspect the code or throw the binary in IDA/GHIDRA before publicly announcing a false positive. I don’t know what a “sandbox installation” is or how it can detect port scans when there isn’t any networking code at all, not even an updater. (However, macOS automatically does some online shenanigans, like CRL, check for notarization, etc.)

I can see whether I’ll find the time to submit a report. I’m used to working on low-level firmware code and live patching of both bootloaders and kernels (OpenCore) - if I’ll ever distribute malware, I’ll be more proficient than having it detected by the go-to platform for sanity checks.

[Darthajack]

Just sharing results of Virustotal. It’s a legit discussion to have, especially if there is a false positive on a Trojan, and if there is nothing in the code calling portscans or IP addresses. You might want to look into that.

This looks like a very useful and well built utility, and I’m the first to vouch for its usefulness in spite of many saying it’s not necessary with Apple’s built-in battery optimization (I can attest it doesn’t work well, having changed my battery twice because constant charging to 100% made it swell out of shape).

To maximize the number of users who will enjoy this software, it would be good to have this discussion and address Virustotal’s results.

[mhaeuser]

Yes, as I said, if I find the time, I will file a report. Still, you implied it might be a true positive, and I explained why this cannot be.

[mhaeuser]

I tried to reproduce your findings and was only partially lucky, but fully shocked.

1. I downloaded Battery-Toolkit-1.5.zip from the Releases page at: https://github.com/mhaeuser/Battery-Toolkit/releases/tag/1.5
2. I unzipped the file to yield Battery Toolkit.app.
3. I went to VirusTotal and selected Battery Toolkit.app, which implicitly zip'd it again.

The result of that procedure can be found here: https://www.virustotal.com/gui/file/e86ba51581a2f1f0b5db6b02bece98149cb3f1e52b288bea2d782437638d3a3b

When I realized the app just gets zip'd again upon uploading, I also performed the procedure on Battery-Toolkit-1.5.zip directly and realized that someone already performed this, thus the result was already cached at: https://www.virustotal.com/gui/file/f83523b621b4e43cbbb7129f08dd2483137c3bb997efd704b9521803e7482075

Results for the second link, which is easier to check for authenticity:

• No malware detected at all. This contradicts your claims regarding Trojan.Win64.Agent.HGU, which seemed odd to me anyway, considering this is clearly a Windows signature. Not impossible obviously, as a Windows malware could be embedded and sent to an exploitable target (especially with a port scan) - but there was no such result to begin with.
• No DNS resolution by the app itself. There are a couple DNS resolutions performed by macOS. These are clearly originating from the api.apple-cloudkit.com resolution, which likely is Notarization, as I mentioned: https://docs.digicert.com/en/software-trust-manager/threat-detection/apple-notarization/notarize-apple-binaries.html
• No HTTP requests by the app itself. There are two requests to ocsp.comodoca.com performed by macOS. OCSP is what macOS uses rather than CLR, but the idea is the same - this is a certificate revocation check. Comodo is an issuer for Apple web server TLS certificates: https://ssl-tools.net/subjects/c84a9de250f206260e84ebf37c62a7f5b3b53f0f
• No port scanning performed by the app. As all network requests so far were done by macOS, this should be trivial. Still, traffic is recognized as attempted-recon, which apparently is used to classify information leaks. It might take offense with some local data sent to Apple, as not properly signed applications get checked for Notarization by sending the application hash to Apple servers (see HTTP requests): https://lapcatsoftware.com/articles/catalina-executables.html

Regarding the first link: It's clearly the same application uploaded. Yet, the Behavior check is vastly different. Inspecting the DNS resolution for example now yields us c.apple.news, which it did not before. So, unless I augmented the app privately with a news ticker that only sometimes activates, it clearly captures miscellaneous macOS network traffic and attributes it to the scanned application. Notice how the app is attributed check-hostname this time, when before it wasn't. This is ridiculous, thus good to know that VirusTotal behavioural tests are near worthless.

To make things even worse, after writing up all of the above to explain VirusTotal's results, I realized something about the "Highlighted Text" section (conveniently at the very end!!): "The application cannot be opened for an unexpected reason". Clearly, the application is not even launched (they probably are not using ARM runners) and yet there are multiple attributions of port scanning, network communication, and MITRE tactics to the app. Absolutely ridiculous, what a useless piece of junk.

I understand your intention might have been to neutrally inform the public about the results you got, but your last remark clearly is not neutral. As a result, I felt like this has to be resolved fast to get concerns off the table quickly, only to see that the main point of concern (malware signature detection) seems to be false and the rest clearly does not apply. Such results need to be interpreted with care, not just taken at face value from the summary box. I certainly would have preferred to not spend time on this tonight.

Anyway, thanks for the report and I hope things are cleared up now.

[Darthajack]

Your time to test and respond are appreciated.

I tested again and just replicated it. How I did it was to unzip the app first, then upload the "Battery Toolkit.app" itself. I used the same file as yesterday, got the same results. VirIT detected "Trojan.Win64.Agent.HGU".

For good measure, I downloaded it again, unzipped (but then it was named "Battery Toolkit (1).app" because was using the same folder). On upload, it zipped it. Then no threat detection. So I renamed that file "Battery Toolkit.app" and VirIT detected "Trojan.Win64.Agent.HGU" again. Tested multiple times. Uploading the zip file: nothing detected. Uploading as "Battery Tookit (1)" (or whatever other name): nothing detected. I rename the exact same file, upload again: virus detected.

Link (virus detected): https://www.virustotal.com/gui/file/f5f14a7f216a99b17982af6cee1a32ec1a35f93bbd601931ee4a79450ad05a86
Link (clean): https://www.virustotal.com/gui/file/645e7b8e7c26a463f711f95fb92f218ad3ea010c4a5b3874e148376447f0524e

What is strange is that when it does detect a virus, it says "Last analysis: 1 month ago", and when it doesn't, it says "2 days ago". Both even appear to have different behaviors (IP, portscan, etc.) as per the "Behaviors" tab. EXACT SAME FILE.

It is certainly a strange and inconsistent behavior by Virustotal, and no idea what could be causing that. I have no conclusion. (Edit #5: I'm even wondering if Virustotal is legit.)

I understand you would have preferred not to spend time doing that, but it's probably for the best. Releasing software publicly does involve managing and addressing user comments or concerns, at least if one wants to maintain trust. And I think your comments will reassure most people. Might even be worth looking up the developers of that "VirIT" scanner (developed by Italian Cybersecurity company TG Soft - https://www.tgsoft.it/ )to see what's up.

Again, I think this software is very useful and I thank you sincerely for making it. I might still install it in spite of concerns Virustotal are raising. Because I strongly believe Mac's "Battery Optimization" does NOT do what Apple fanboys say it's supposed to do, and I have two battery replacements (and comments from Apple tech that I shouldn't leave my Macbook plugged in all the time) to prove it.

[mhaeuser]

No, I didn’t say I didn’t want to spend time on it, I said I didn’t want to spend time on it yesterday night. I would have done it “some calm day” had the description been neutral and had there been a result link that’s clearly false positive.

There is nothing particularly strange about your new remarks. Renaming the app file name changes the hash of the zip, thus VirusTotal does not use a cached result from “1 month ago”, but it re-scans. You can also force a re-scan of the old result and the malware detection will vanish. Clearly, some other software was also flagged falsely and a definition update from between “1 month ago” and “2 days ago” resolved the issue. The older result with the older definitions is to be discarded.

Regarding Begavior, I thought I already explained it thoroughly. The app is not even launched and it evaluates the inconsistent networking behaviour of macOS and its inbuilt services and applications itself. None of the traffic originates from my app (it literally cannot) and I already explained, in great detail, all traffic by macOS itself.

There is nothing to contact VirIT about. They had an incorrect detection signature and they fixed the issue already. This happens all the time. One doesn’t use VirusTotal by dropping a file and going by the result of a single scanner, the point of the many scanners is both to get coverage on a broad range of recent definitions (so a few well-maintained databases might flag early) and to rule out false positives by comparing to the rest. 1 positive and over 60 negatives, by a niche scanner no less, is clearly false positive unless you look at the very early hours of a 0-day. A 0-day would be entirely implausible here to begin with.

TL;dr, VirusTotal raised a minimal risk for concern a month ago (but it was implausible even then) and, as of now, does not raise a concern at all.

Truthfully, people who are suspicious of me should simply not use the app. Like XZ, releases are done by me locally, so I could in theory inject malicious code as was done with its backdoor (hence I mentioned IDA/GHIDRA in the beginning). I thought about letting GitHub Actions build releases, but I simply don’t have the time and it would be a mess with code-signing. I also could have it Notarized, but as I’ve said in other threads, I’m not spending 99 € a year to maintain a free app. The only money that I was ever offered for it went to charity (directly, not proxied by me).

On the flip side, for those who are not generally suspicious, they will find that the app uses macOS Sandbox, macOS Hardened Runtime, and least-privilege, signed IPC as much as possible. It’s quite secure compared to comparable FOSS.

[Darthajack]

I understand how you'd take this personally, after all you put in a lot of time to write this great piece of software. But as mentioned before, putting something out there in the public opens up the possibility of a lot comments and questions of all sorts. Some praise, some complaints, some questions, some concerns. In this case, it was a legitimate user concern; a positive on a well-known virus checker. And it was important to address it, in case others experience the same thing.

I'd have edited the post (and might still) to reflect there was a false positive, in case other people also test Virustotal and get the same results. That is useful information. Keeping the discussion there addresses one of the potential concerns users may have.

But the phrasing of "I thought I already explained it thoroughly" and "There is nothing to contact VirIT about", among other things, come across as somewhat rude. I understand the software is free, and takes a lot of time investment. But at this point, it probably wouldn't hurt to remain patient. It's very little effort compared to everything put in developing and distribution the tool already and can make it that much more likeable.

Again, thank you for creating that software. I believe it really has its uses. I've used another similar tool (the only other one I know) and prefer this one. Not just because it's free, but simpler. Also because I believe the other one is behind a serious power and battery issue that required an SMC reset.

EDIT: Note that although Github tends to be visited by more technically-inclined people, it seems to be the only place (or trustworthy place) where to download Battery Toolkit. Because of this, there's bound to be non-technical people ending up here who won't understand the explanations, much less open and scrutinize the code.

[mhaeuser]

Your initial post was never edited and it’s what I keep referring back to. Image regarding malicious activity and image regarding personal interaction are two very different things. I don’t gain or lose anything from you using the app or not, do as you see fit. While you phrase things more politely, it is obvious that you refuse to acknowledge your own shortcomings, while I apologized for mine. Have a nice day.

[Darthajack]

I'll be less polite and more straightforward. Your pedantic, defensive and aggressive tone hurts your image just as much as a false positive. While my initial post may have created some concern, the rest of the discussion is on you. I’ve edited the initial comment to make sure anyone glancing at it can see it’s a false positive without having to read through your verbiage. Take that as an acknowledgment of the unnecessary concerns I might create to those who never thought about scanning, and some reparations. Have an excellent day. And I sincerely hope you keep up the good work, it’s really appreciated. On the side, you might want to work on your communication demeanor as well.

[mhaeuser]

It’s not like you’re entirely wrong about that, but one simply sweeps in front of their own door first, no matter developer or end-user. Now that you somewhat did that, I’ll apologize once more. Still, you kept framing things as if I somehow was a merchant who has to deal with arbitrary customer behaviour - no, I’m not a merchant, I gain nothing from this project, and I deserve to not be treated rudely no less than you do, period. Many other serious maintainers would have given you no more than “false positive, closing”, if even that. I think asking to be a bit more thorough in the future in return for a detailed analysis is not an unfair request (especially not when it’s asked for the third time). I’m fine if you or anyone else thinks I’m a for that, it’s not about that kind of image, but I prefer to not be known as a malicious threat actor for no reason.

[EdwardPrentice]

@Darthajack your arrogance is astonishing and you are lucky to have received such a comprehensive and educational explanation as to why your initial report is of less than zero value.

[Darthajack]

@Darthajack your arrogance is astonishing and you are lucky to have received such a comprehensive and educational explanation as to why your initial report is of less than zero value.

😘