#18923 closed defect (worksforme)
PowerShell Virus found in JOSM "josm-15628-tested.jar"
Reported by: | anonymous | Owned by: | team |
---|---|---|---|
Priority: | critical | Milestone: | |
Component: | Installer Windows | Version: | tested |
Keywords: | Virus | Cc: | Don-vip |
Description
I have been running JOSM (josm-15628-tested.jar specifically - but likely in most downloads) as a standalone executable JAR without admin rights on my corporate Windows 10 laptop. Our security team contacted me to point out that it was responsible for a PowerShell execution that makes contact with the Taiwanese Government Service Network. These are the relevant details from their report (personal details anonymised). I recommend a regular, thorough virus scan of these downloads:
Alert is triggered when the user executed a PowerShell command.
On Mar 10, 2020, 9:08:12.398 PM, javaw.exe created process powershell.exe - "javaw.exe" -jar "C:\Users\XXX\Desktop\XXX\josm-15628-tested.jar"
Further, powershell.exe created the files
__PSScriptPolicyTest_n41xqwak.gvs.ps1 __PSScriptPolicyTest_fmqutwvz.sdc.psm1 _PSScriptPolicyTest_4lrcuaem.ycs.ps1 __PSScriptPolicyTest_3w1see1v.fzl.psm1
Evidence of xxxxx.psm1 and xxxxxx.ps1 created in C:\Users\XXX\AppData\Local\Temp\
Txt file “josm_exec_3310044807545867159.txt” is written and closed under the path - C:\Users\XXX\AppData\Local\Temp\josm_exec_3310044807545867159.txt
powershell -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;[System.Net.WebRequest]::Create('https://grca.nat.gov.tw').GetResponse()"
Having checked the website present in the command line, we found that this website is related to Government Public Key Infrastructure, Taiwan's Government Root Certification Authority (GRCA). This website and IP address are not reported in VirusTotal and show as clean.
XXX has not taken any action on this PowerShell execution.
ISP GSN Taiwan Government Service Network.
IP 210.241.69.210
Blacklist Status 0/35
Domain Registration Unknown
Usage Type Government
Hostname(s) 210-241-69-210.HINET-IP.hinet.net
Domain Name gsn.nat.gov.tw
Country Taiwan
City Taipei, Taipei
Attachments (0)
Change History (4)
comment:1 by , 5 years ago
Cc: added
comment:2 by , 5 years ago
Resolution: → worksforme
Status: new → closed
comment:4 by , 5 years ago
Explanation is correct. Further comments to clear JOSM with your security team:
- The current list can be found here: https://josm.openstreetmap.de/browser/josm/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java#L150
- As you can see it's not only Taiwanese government but also Dutch, French, Slovakian, etc.
- I will add another one tomorrow for Spanish government: #18920
- You can disable this feature by setting the advanced preference tls.add-missing-certificates
- You can also disable it by running JOSM with the command line argument --offline=certificates
- The code that performs the PowerShell web request is here: https://josm.openstreetmap.de/browser/josm/trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java#L647
That's not a virus. As Java is extremely slow in adapting certificate authorities, for a few authorities needed for the operation of JOSM we have to load the CA data from the Windows keystore. Sadly the Windows keystore is a somewhat dynamic thing and in some cases only contains the certificates once you have accessed them. So in this case it happens that JOSM on startup causes such a call once. Afterwards the certificate information is available and that call will never come again.
This process is not on-demand, so ATM it happens even if you personally will never need that certificate.
@Vincent: I hope I explained that correctly. For Linux it's not an issue :-)
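For a security team that wants to recognise this exact JOSM certificate warm-up in their EDR data without whitelisting PowerShell under javaw.exe wholesale, here is an added triage rule (example code, not part of JOSM or of this ticket). It assumes a minimal process-creation record with parent/child image and command line fields, matches the command line quoted above character for character, and only accepts the host the ticket names; everything else is left for manual review.

```python
"""Triage rule for the JOSM certificate warm-up pattern seen in this ticket.
Added example, not JOSM code; field names and regexes are assumptions."""
import re
from dataclasses import dataclass

# Hosts JOSM warms up this way. Only grca.nat.gov.tw is quoted in the ticket;
# extend the set from CertificateAmendment.java for the other authorities.
KNOWN_WARMUP_HOSTS = {"grca.nat.gov.tw"}

# Exact shape of the command quoted in the ticket: TLS 1.2 forced, one GET,
# no other statement. Any deviation falls through to manual review.
WARMUP_RE = re.compile(
    r"^\[Net\.ServicePointManager\]::SecurityProtocol = \[Net\.SecurityProtocolType\]::Tls12;"
    r"\[System\.Net\.WebRequest\]::Create\('https://([a-z0-9.-]+)'\)\.GetResponse\(\)$"
)
JOSM_JAR_RE = re.compile(r'-jar\s+"?[^"]*josm[^"]*\.jar', re.I)   # parent must run a JOSM jar
COMMAND_RE = re.compile(r'-Command\s+"(.*)"\s*$')               # pulls the -Command body

@dataclass
class ProcEvent:
    """Constructed, minimal process-creation record (EDR field names assumed)."""
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str

def triage(ev: ProcEvent) -> str:
    """Return 'josm-cert-warmup' only when every part of the pattern matches."""
    if not ev.image.lower().endswith("powershell.exe"):
        return "review"
    if not (ev.parent_image.lower().endswith("javaw.exe") and JOSM_JAR_RE.search(ev.parent_cmdline)):
        return "review"
    cmd = COMMAND_RE.search(ev.cmdline)
    body = WARMUP_RE.match(cmd.group(1)) if cmd else None
    if body and body.group(1) in KNOWN_WARMUP_HOSTS:
        return "josm-cert-warmup"
    return "review"

# Constructed sample events: the first reproduces the ticket's command lines.
JOSM_PARENT = ("javaw.exe", r'"javaw.exe" -jar "C:\Users\XXX\Desktop\XXX\josm-15628-tested.jar"')
TICKET_EVENT = ProcEvent(*JOSM_PARENT, "powershell.exe",
    'powershell -Command "[Net.ServicePointManager]::SecurityProtocol = '
    "[Net.SecurityProtocolType]::Tls12;[System.Net.WebRequest]::Create('https://grca.nat.gov.tw').GetResponse()\"")
OTHER_HOST_EVENT = ProcEvent(*JOSM_PARENT, "powershell.exe",
    'powershell -Command "[Net.ServicePointManager]::SecurityProtocol = '
    "[Net.SecurityProtocolType]::Tls12;[System.Net.WebRequest]::Create('https://example.invalid').GetResponse()\"")
OTHER_PARENT_EVENT = ProcEvent("javaw.exe", '"javaw.exe" -jar "C:\\tools\\other.jar"',
                               "powershell.exe", TICKET_EVENT.cmdline)

if __name__ == "__main__":
    for ev in (TICKET_EVENT, OTHER_HOST_EVENT, OTHER_PARENT_EVENT):
        print(triage(ev))   # josm-cert-warmup, review, review
```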