[FalsePositive] VirtualBox 5.2.12 add-ons image infected by trojan malware

sch2h2o
Posts: 2
Joined: 19. May 2018, 18:09

[FalsePositive] VirtualBox 5.2.12 add-ons image infected by trojan malware

Post by sch2h2o »


Mod Edit:
This is a false positive!

Fixed with Windows Defender definitions
1.267.1702.0 (2018-05-20 16:28)
maybe earlier.

Hello

Sorry for opening this thread, but Oracle is not replying to the email that I have already sent to the security mailbox.
Looks like the add-ons package that can be downloaded from VBox web site is infected by a Trojan (Win32/Bluteal.B).
This is what Windows Defender is showing me, in two different computers.

Has anybody detected the same issue?
Is it a false positive, or is it really infected?
What could the impact be on Windows guests?

Thanks
Last edited by socratis on 20. May 2018, 20:17, edited 3 times in total.
Reason: Marked as [FalsePositive].
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: VirtualBox 5.2.12 add-ons image infected by trojan malware

Post by socratis »

sch2h2o wrote: the add-ons package that can be downloaded from VBox web site
Which one are you referring to? The Extension Pack? If you can't post the link directly, obfuscate it and someone will fix it.
sch2h2o wrote: Has anybody detected the same issue?
No.
sch2h2o wrote: It is a false positive or it is really infected?
99.9999999% false positive.
sch2h2o wrote: What could be impact on Windows guests?
If you're talking about the Extension Pack, that's installed on the host, not on the guests, so there's no impact on the guests. Why do you care about the guests and not your host?
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Xinud
Posts: 3
Joined: 19. May 2018, 19:03

Re: VirtualBox 5.2.12 add-ons image infected by trojan malware

Post by Xinud »

I'm getting the same thing. Just tried downloading to my Windows 10 system and encountered:

Trojan:Win32/Bluteal.B!rfn

Windows Defender quarantined the file.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: VirtualBox 5.2.12 add-ons image infected by trojan malware

Post by socratis »

Can someone post a more detailed description of exactly which file we are talking about?
And post the last date of your Windows Defender definitions update.
Is it 2018-05-19 15:33 UTC, version 1.267.1645.0?
Xinud
Posts: 3
Joined: 19. May 2018, 19:03

Re: VirtualBox 5.2.12 add-ons image infected by trojan malware

Post by Xinud »

From my machine, the Windows Defender version info is:
Version info
Antimalware client version: 4.14.17639.18041
Engine version: 1.1.14800.3
Antivirus definition: 1.267.1641.0
Antispyware definition: 1.267.1641.0
Network inspection system engine version: 1.1.14800.3
Network inspection system definition version: 1.267.1641.0

Files being obtained from the following link are being Quarantined (sorry not member for long enough so had to fudge complete link):
https://download.virtualbox.org/virtual ... ox-extpack
Last edited by socratis on 19. May 2018, 19:50, edited 2 times in total.
Reason: Fixed obfuscated URLs.
sch2h2o
Posts: 2
Joined: 19. May 2018, 18:09

Re: VirtualBox 5.2.12 add-ons image infected by trojan malware

Post by sch2h2o »

I was thinking that, in case the Add-ons are really infected, that trojan could also infect Windows guests as part of the installation process of the Add-ons additions, independently of the VBox host OS, be it running Windows or Linux.
Xinud
Posts: 3
Joined: 19. May 2018, 19:03

Re: VirtualBox 5.2.12 add-ons image infected by trojan malware

Post by Xinud »

Thank you for fixing link.

Just updated Defender to the following versions (through normal Windows Update):
Antimalware client version: 4.14.17639.18041
Engine version: 1.1.14800.3
Antivirus definition: 1.267.1645.0
Antispyware definition: 1.267.1645.0
Network inspection system engine version: 1.1.14800.3
Network inspection system definition version: 1.267.1645.0
Same result - file from that link being quarantined.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: VirtualBox 5.2.12 add-ons image infected by trojan malware

Post by socratis »

Version 1.267.1641.0, dated 2018-05-19 14:09 UTC seems to be the first version that contains the Trojan:Win32/Bluteal.B!rfn definition. So, anything after that will also contain the warning, until MS fixes it. I repeat:

This is a false positive!

The Ext.Pack has been there since 2018-05-09, for about 10 days. And suddenly, due to a definition update in Windows Defender, it shows as a virus? I don't think so...

Marked as [FalsePositive].
Edit: Fixed wrong date of the Ext.Pack release
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: [FalsePositive] VirtualBox 5.2.12 add-ons image infected by trojan malware

Post by socratis »

sch2h2o wrote: I was thinking if, in case the Add-ons are really infected, that trojan can infect also Windows guests as part of the installation process of the Add-ons additions.
No. There is complete separation between host and guest by default, unless you choose to make them talk to each other on purpose, either by networking or by read-write shared folders.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: [FalsePositive] VirtualBox 5.2.12 add-ons image infected by trojan malware

Post by socratis »

Here are the results of a VirusTotal scan. And according to the community comments:
False positive on Microsoft default antivirus can cause repeated failed downloads in Windows 10 unless active protection is turned off.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: [FalsePositive] VirtualBox 5.2.12 add-ons image infected by trojan malware

Post by socratis »

I don't know when this got fixed, but with 1.267.1702.0 (2018-05-20 16:28), Windows Defender does NOT trigger an alarm.

Back to DEFCON 0 people...
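The triage the moderator walks through in this thread (which definition version first flagged the file, which version stopped flagging it, and whether the download itself is intact) can be done on the affected Windows host with the built-in Defender cmdlets. The script below is an added example written for this page; it is not code from the thread, from Oracle or from the VirtualBox project. The default file path, the `PLACEHOLDER_VENDOR_SHA256` value (replace it with the SHA-256 the vendor publishes for the exact file you downloaded) and the parameter names are assumptions; the definition version `1.267.1702.0` and the threat name `Trojan:Win32/Bluteal.B!rfn` are taken from the thread.

```powershell
# Added example (not from the forum thread or from VirtualBox): defender-side triage of a
# Windows Defender hit on a downloaded VirtualBox Extension Pack.
# Assumptions: default $FilePath, the placeholder published hash, and the built-in Defender module.
param(
    [string]$FilePath = "$env:USERPROFILE\Downloads\Oracle_VM_VirtualBox_Extension_Pack-5.2.12.vbox-extpack",
    # Placeholder: paste the SHA-256 the vendor publishes for this exact file.
    [string]$PublishedSha256 = 'PLACEHOLDER_VENDOR_SHA256',
    # The thread reports this definition version as no longer flagging the file.
    [version]$FixedSignatureVersion = '1.267.1702.0',
    [string]$ThreatName = 'Trojan:Win32/Bluteal.B!rfn'
)

# 1. Are the local definitions older than the version that dropped the bad signature?
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
if ($current -lt $FixedSignatureVersion) {
    Write-Warning ("Definitions {0} (updated {1}) predate {2}; run Update-MpSignature and re-scan before judging." -f `
        $current, $status.AntivirusSignatureLastUpdated, $FixedSignatureVersion)
} else {
    Write-Output ("Definitions {0} are at or past {1}." -f $current, $FixedSignatureVersion)
}

# 2. Did Defender actually record this threat name against this file?
$leaf    = Split-Path -Path $FilePath -Leaf
$threats = @(Get-MpThreat | Where-Object { $_.ThreatName -eq $ThreatName })
if ($threats.Count -gt 0) {
    $detections = Get-MpThreatDetection |
        Where-Object { ($threats.ThreatID -contains $_.ThreatID) -and (($_.Resources -join ' ') -like "*$leaf*") }
    foreach ($d in $detections) {
        Write-Output ("Detection {0} at {1}: {2}" -f $ThreatName, $d.InitialDetectionTime, ($d.Resources -join ', '))
    }
} else {
    Write-Output "No threat record named $ThreatName on this machine."
}

# 3. Integrity: a hash that matches the vendor's published value rules out a tampered
#    download. If Defender quarantined the file it is no longer at the original path.
if (Test-Path -Path $FilePath) {
    $actual = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
    if ($PublishedSha256 -eq 'PLACEHOLDER_VENDOR_SHA256') {
        Write-Output "SHA-256 of download: $actual (no published value supplied to compare against)"
    } elseif ($actual -eq $PublishedSha256.ToUpper()) {
        Write-Output "SHA-256 matches the published value; the file itself is unmodified."
    } else {
        Write-Warning "SHA-256 MISMATCH: got $actual, expected $PublishedSha256. Do not install; re-download from the vendor."
    }
} else {
    Write-Output "File not present at $FilePath (quarantined or not downloaded)."
}
```

Run it from an elevated PowerShell on the host where the download was flagged. A hash match plus a detection that disappears after `Update-MpSignature` is the same evidence the moderator used to mark this thread as a false positive; a hash mismatch means the download, not the signature, is the problem.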