Re: [gemcutter] Malware reports for http://production.cf.rubygems.org/


Nick Quaranto

Sep 5, 2012, 9:36:33 AM
to gemc...@googlegroups.com
This sounds legit.

"A non official Rex gem based on the Metasploit framework's Rex Library"

Seems like it's for security testing purposes. I think if GitHub is hosting it, we're going to be fine.

-Nick

On Wednesday, September 5, 2012 at 8:32 AM, Shane Turner wrote:

Our office virus scanner is reporting that http://production.cf.rubygems.org/gems/librex-0.0.68.gem contains a trojan downloader.

I tried to find some contact information for the site, but I didn't see anything that seemed to be useful.

A couple of services list the site as a malware site:

https://www.virustotal.com/url/cacdda702e4890495527b20f4c1db9823d2374abf89cb4c1770929096afcb96d/analysis/

The gem is also flagged by multiple scanners as a problem:

https://www.virustotal.com/file/90369070c2ce1947dcb4e9e7f50b9999243ff276a51b8491a157c94f84b0ebf8/analysis/1346846438/

Our ESET detection report:

Column Name    Value
Date Received    2012-09-04 12:01:36
Date Occurred    2012-09-04 12:01:33
Level    Warning
Scanner    HTTP filter
Object    file
Name    http://production.cf.rubygems.org/gems/librex-0.0.68.gem
Threat    JS/TrojanDownloader.Agent.GJ trojan
Action    connection terminated - quarantined
Information    Threat was detected upon access to web by the application: C:\Program Files\VirtualBox\VirtualBox.exe.
Details    Ready

A little more searching at http://www.urlvoid.com/scan/production.cf.rubygems.org/ finds another problem file origami-1.2.3.gem:
https://www.virustotal.com/file/7009f6acf4da8ec14053f7faa663503d631308746f67e3168da79fdb1362451a/analysis/1346848086/

Thanks,
Shane

Luis Lavena

Sep 5, 2012, 10:33:31 PM
to gemc...@googlegroups.com
On Wednesday, September 5, 2012 9:32:16 AM UTC-3, Shane Turner wrote:
Our office virus scanner is reporting that http://production.cf.rubygems.org/gems/librex-0.0.68.gem contains a trojan downloader.


librex is a plugin/extension for the metasploit framework, which can be flagged as a trojan but is a legit tool to analyze and test system/software security.

If you are downloading that particular gem, it is either because you want to use metasploit or because another gem depends on it.

Antivirus and malware detection will flag any metasploit related tool as bad because they try to over-protect you.
 
I tried to find some contact information for the site, but I didn't see anything that seemed to be useful.


See links provided by Nick:

There you can find contact information.

Now, either you trust the antivirus and stop messing with metasploit at all or you disable the antivirus because you know what you're doing. I think that is your call.

Seems to me another tool that could be used for evil purposes (as indicated in the gem summary).

--
Luis Lavena
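Both replies read the ESET and VirusTotal hits as signature false positives on a Metasploit library, but the thread never shows how to check a flagged gem before deciding whether to trust the scanner. The following Ruby script is an added example for this thread, not code from the gemcutter project or from any of the posters. It computes the SHA-256 of a `.gem` file so that a VirusTotal file report (which is keyed by that digest) can be matched to the bytes actually downloaded, and it lists the gemspec summary, install-time extensions and packaged files without installing anything. The gem name `triage-sample` and its contents are constructed for the example; the `triage_gem`, `matches_report?` and `build_sample_gem` helpers are this example's own, and any reported hash it compares against is whatever you pass in.

```ruby
require 'rubygems/package'
require 'digest'
require 'fileutils'
require 'tmpdir'

# Open a .gem without installing it. A .gem is a plain tar archive holding
# metadata.gz (the gemspec), data.tar.gz (the files) and checksums.yaml.gz.
# Returns the artifact's SHA-256, the gemspec summary, any install-time
# extensions and every file path the gem would write on install.
def triage_gem(path)
  package = Gem::Package.new(path)
  spec = package.spec
  {
    sha256:     Digest::SHA256.file(path).hexdigest,
    name:       spec.name,
    version:    spec.version.to_s,
    summary:    spec.summary,
    # Extensions run code at install time, so they deserve a look first.
    extensions: spec.extensions,
    files:      package.contents.sort,
  }
end

# VirusTotal file reports are keyed by SHA-256: a scanner verdict applies to
# the bytes you hold only if the digests agree. Case-insensitive so a hash
# copied from a report in either case compares correctly.
def matches_report?(path, reported_sha256)
  Digest::SHA256.file(path).hexdigest.casecmp?(reported_sha256.strip)
end

# Builds a small constructed gem so the triage can be exercised offline.
# The gem name, file list and file contents are made up for this example.
def build_sample_gem(dir)
  spec = Gem::Specification.new do |s|
    s.name    = 'triage-sample'
    s.version = '0.0.1'
    s.summary = 'Constructed sample gem for offline triage'
    s.authors = ['example']
    s.files   = ['lib/triage_sample.rb']
  end
  Dir.chdir(dir) do
    FileUtils.mkdir_p('lib')
    File.write('lib/triage_sample.rb', "module TriageSample; end\n")
    # skip_validation = true: the sample deliberately has no license/homepage.
    Gem::Package.build(spec, true)   # writes triage-sample-0.0.1.gem in dir
  end
  File.join(dir, spec.file_name)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    gem_path = ARGV[0] || build_sample_gem(dir)
    report = triage_gem(gem_path)
    puts "#{report[:name]} #{report[:version]}  sha256=#{report[:sha256]}"
    puts "summary:    #{report[:summary]}"
    puts "extensions: #{report[:extensions].inspect}"
    report[:files].each { |f| puts "  #{f}" }
  end
end
```

Run it with the path of a downloaded gem as the first argument; with no argument it builds the constructed sample in a temporary directory and triages that. A digest mismatch means the scanner report describes a different artifact than the one you have. A match together with a file list that is only the Ruby source of the library the summary describes is what a signature false positive on a security tool looks like, while unexpected extensions or files outside the library are the reason to keep the quarantine in place and report the gem to the hosting project.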
