Trojan attached to min.js file?

Upstate Steve

10 Jan, 2019 10:20 PM

In Tuesday's scan of my iMac, ProtectWorks AntiVirus identified a trojan attached to a file in my install of Marked. Everything - Marked, Mac OS, ProtectWorks AV -- is the latest version. I have quarantined the file in question (below); Marked seems to work fine with a test file from Byword.

The identified threat: Txt.Trojan.Generic-6804604-0
The location in my HD: /Applications/Marked 2.app/Contents/Resources/marked.min.js

Anyone else seeing this?...

  1. Support Staff 1 Posted by Brett on 10 Jan, 2019 10:24 PM

    That file is just a text javascript file. It loads no external resources
    and is unlikely to have been tampered with. Is your version from the Mac
    App Store or direct?

    -Brett

  2. 2 Posted by Stephen DeLong on 11 Jan, 2019 12:59 AM

    Apple Store
    June 1, 2015

    Stephen DeLong
    Drips @otinokyad
    Fire hose at jusido.com

  3. Support Staff 3 Posted by Brett on 11 Jan, 2019 01:32 AM

    I strongly believe your scanner is mistaken.

    - Brett

  4. 4 Posted by Upstate Steve on 15 Jan, 2019 04:22 PM

    Thanks, Brett. I take your "strongly" to be around 4- or 5-nines certainty, and I'm not challenging that. On the other hand, it is my iMac that could have a problem if I simply restored the file (which is still in quarantine and not deleted). So two questions in an effort to resolve my remaining 0.01 or 0.001% of doubt:
    (1) What functionality, however minimal, would I lose if I deleted the file and never restored it?
    (2) The AV program reported the file as being 907693 bytes with a creation date of Nov 3, 2018, 11:48 am. As a pseudo-checksum, do those values match the properties that I should see for my install, version 2.5.27 (965)?

  5. Support Staff 5 Posted by Brett on 15 Jan, 2019 04:53 PM

    1. All in-preview functionality (scrolling, keyboard shortcuts, keyword
    highlighting, everything).
    2. The date and file size are precisely correct.

    -Brett

  6. 6 Posted by Upstate Steve on 15 Jan, 2019 06:19 PM

    Again, thanks. A significant puzzle remains, which the (retired) lab scientist in me doesn't want to dismiss without explanation.

    I mentioned in my initial post that I had done a test Preview with a file from Byword. I just dragged it in again now, and on a quick check I have most (all?) functionality:
    * scrolling with mouse or KB
    * KB shortcuts such as Toggle Source, Full Screen, Stats & Readability Stats, Keyword Drawer
    * all six controls along the bottom border

    Is there something I'm missing, that is, something I'm not translating properly from your comment? It certainly doesn't look like "everything" is missing.

    One other thing... I did a search of the entire HD for min.js, and got about 40 files. The huge majority are for either WordPress (mostly) or Twitter (some). There is one for DayOne (diary app) and one for an ad blocker. The one for DayOne is simply jquery.min.js. Obviously none of these should be tied to Marked 2 functionality. Nonetheless, I wanted to mention it in the interest of "full disclosure."

  7. Support Staff 7 Posted by Brett on 15 Jan, 2019 06:24 PM

    Those features may appear to work, but you could be certain by trying to scroll the preview with "j" and "k". The Keyword Drawer would come up, but nothing would actually highlight in the text.

    min.js files are just JavaScript minified (compressed). They're not binary files. They're a potential vector for attack if an external force was smart enough to write in executable browser code and then the running application didn't do any safety checks on it. I won't say that Marked does a ton of blocking on JS execution, but it is fully code signed with hardened executable and any tampering with its source files would break its ability to launch.

  8. 8 Posted by Upstate Steve on 15 Jan, 2019 06:35 PM

    OK, confirmed that I can toggle the KW Drawer, but nothing highlights.

    Pondering a "restore," maybe leaving it in place to see if ProtectWorks will ID it again tonight.

    Thanks.
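
The two checks discussed in this thread (the size/date "pseudo-checksum" from post 4 and the code signature from post 7), as an added example that is not part of the original discussion or of Marked. It shows that a byte count can match while the content differs, which is why a SHA-256 comparison against a known-good copy and a `codesign` verification of the bundle are the stronger tests. The file contents and helper names are constructed for illustration, and having a known-good reference copy of the same release is an assumption.

```python
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for a file."""
    data = Path(path).read_bytes()
    return len(data), hashlib.sha256(data).hexdigest()


def compare_to_reference(suspect, reference):
    """Compare a quarantined file with a known-good copy of the same release."""
    s_size, s_hash = fingerprint(suspect)
    r_size, r_hash = fingerprint(reference)
    return {"size_match": s_size == r_size, "sha256_match": s_hash == r_hash}


def bundle_signature_ok(app_path):
    """Ask macOS whether the bundle, including its resources, matches its signature.

    Returns True/False, or None when the codesign tool is unavailable (not macOS).
    """
    if shutil.which("codesign") is None:
        return None
    result = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", str(app_path)],
        capture_output=True,
    )
    return result.returncode == 0


def demo():
    """Constructed sample: two same-length files, one with a single byte changed."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "reference.min.js")
        bad = Path(tmp, "suspect.min.js")
        good.write_bytes(b"function scroll(n){window.scrollBy(0,n)}")
        bad.write_bytes(b"function scroll(n){window.scrollBy(1,n)}")
        return compare_to_reference(bad, good), compare_to_reference(good, good)


if __name__ == "__main__":
    changed, same = demo()
    print("modified copy: ", changed)
    print("identical copy:", same)
    print("bundle signature:", bundle_signature_ok("/Applications/Marked 2.app"))
```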
