Modify

Opened 14 months ago

Closed 14 months ago

Last modified 14 months ago

#18923 closed defect (worksforme)

PowerShell Virus found in JOSM "josm-15628-tested.jar"

Reported by: anonymous Owned by: team
Priority: critical Milestone:
Component: Installer Windows Version: tested
Keywords: Virus Cc: Don-vip

Description

I have been running JOSM (josm-15628-tested.jar specifically - but likely in most downloads) as a standalone executable JAR without admin rights on my corporate Windows 10 laptop. Our security team contacted me to point out that it was responsible for a PowerShell execution that makes contact with the Taiwanese Government Service Network. These are the relevant details from their report (personal details anonymised). I recommend a regular, thorough virus scan of these downloads:


Alert is triggered due to the when user executed a PowerShell command.

On Mar 10, 2020, 9:08:12.398 PM, javaw.exe created process powershell.exe - "javaw.exe" -jar "C:\Users\XXX\Desktop\XXX\josm-15628-tested.jar"

Further powershell.exe created file

__PSScriptPolicyTest_n41xqwak.gvs.ps1
__PSScriptPolicyTest_fmqutwvz.sdc.psm1
_PSScriptPolicyTest_4lrcuaem.ycs.ps1
__PSScriptPolicyTest_3w1see1v.fzl.psm1

Evidence of xxxxx.psm1 and xxxxxx.ps1 created in C:\Users\XXX\AppData\Local\Temp\

Txt file “josm_exec_3310044807545867159.txt” is written and closed under the path - C:\Users\XXX\AppData\Local\Temp\josm_exec_3310044807545867159.txt

powershell -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;[System.Net.WebRequest]::Create('https://grca.nat.gov.tw').GetResponse()"

Checked the website present in the command Line, we found that this website is related to Government Public Key Infrastructure, Taiwan's Government Root Certification Authority (GRCA). This website and IP address is not reported in Virus Total and shows as clean.

XXX has not taken any action on this PowerShell execution.

ISP GSN Taiwan Government Service Network.
IP 210.241.69.210
Blacklist Status 0/35
Domain Registration Unknown
Usage Type Government
Hostname(s) 210-241-69-210.HINET-IP.hinet.net
Domain Name gsn.nat.gov.tw
Country Taiwan
City Taipei, Taipei

Attachments (0)

Change History (4)

comment:1 Changed 14 months ago by stoecker

Cc: Don-vip added

That's not a virus. As Java is extremely slow with adapting certificate authorities for a few authorities needed for operation of JOSM we have to load the CA data from the Windows keystore. Sadly the windows keystore is a somewhat dynamic thing and in some cases only contains the certificates when you access them once. So in this case it happens that JOSM on startup once causes such a call. Afterwards the certificate information is available and that call will never come again.

This process is not on-demand, so ATM it happens even if you personally will never need that certificate.

@Vincent: I hope I explained that correct. For Linux it's not any issue :-)

comment:2 Changed 14 months ago by stoecker

Resolution: worksforme
Status: newclosed

comment:3 Changed 14 months ago by anonymous

Ok - Thanks for the clarification!

comment:4 Changed 14 months ago by Don-vip

Explanation is correct. Further comments to clear JOSM with your security team:

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain team.
as The resolution will be set.
The resolution will be deleted.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.