Compare plugin detected as malicious by both JoeSandbox and Crowdstrike Falcon
-
I recently was prompted to auto-update Notepad++, which I did on my Windows 10 laptop. I then got a dialog informing me that the Compare plugin has been detected as not compatible with Notepad++ 8.3.3, and is disabled.
So, I went to Plugins > Plugins Admin and clicked the checkbox next to Compare, and clicked the “Install” button. I get a User Account Control dialog prompting me to execute “C:\Program Files\Notepad++\updater\gup.exe” -unzipTo “C:\Program Files\Notepad++\notepad++.exe” “C:\Program Files\Notepad++\plugins” “ComparePlugin https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip 4151fbc9778047991cf4b900363d846bda5b0d1783e5fed9eb77e4c8253ba315” which, I assume, downloads the ZIP file from the URL, extracts the DLLs and installs them.
But I found that JoeSandbox.com rates https://github.com/pnedev/compare-plugin/releases/download/v2.0.2/ComparePlugin_v2.0.2_X64.zip URL as “malicious,” matching multiple rules:
https://www.joesandbox.com/analysis/597349/0/executive
Hybrid-Analysis.com also rates it as “suspicious.” So, in order to restore the old version of the plugin, I uninstall Notepad++ and re-install it from our internal IT department’s known-good repository, but I find that the approved version doesn’t have the plugin. Instead, it has the option to download the plugin. So I go through a similar process and it gives me a similar prompt with a download URL of https://github.com/pnedev/compare-plugin/releases/download/v2.0.0_npp7.7/ComparePlugin_v2.0.0_npp7.7_X64.zip
Again, both JoeSandbox and Hybrid Analysis rate this ZIP file as malicious; this time Hybrid-analysis.com comes back with a score of 100/100! (indicating a 100% confidence level):
https://www.hybrid-analysis.com/sample/c0f37cc70695cdd595432f7ec1c3b7e3e2fb509d96bd1da20e3ecea387c99f4f
I was wondering if maybe the repository where the plugin is downloaded from has somehow been compromised?
-
The incompatibility is known and fixed – you just have to use the right version of the plugin for which version of Notepad++ you are running. (Notepad++ made an internal change which required updates to most plugins to regain compatibility)
There hasn’t been a compromise of the repository. I have never heard of any of the “rating” sites that never have a false positive; most of the time, when there’s a change to anything, they start rating things as “malicious” or “dangerous” for no good reason. (The algorithms such ratings use are looking for such small signatures in the binary that it can easily false-match tons of code, compared to the one malicious code that they’re really looking for.)
-
@peterjones said in Compare plugin detected as malicious by both JoeSandbox and Crowdstrike Falcon:
There hasn’t been a compromise of the repository. I have never heard of any of the “rating” sites that never have a false positive;
Thank you for your thoughtful reply and for verifying that the plugin-repository was not compromised. You’re entirely right that false positives are not uncommon. That’s why I didn’t post until 2 separate sandbox services said they had found something. And the sheer number of JoeSandbox signatures that got “hit,” as well as the overall “appearance” of its tree diagram seem unusual, at least to the untrained eye.
most of the time, when there’s a change to anything, they start rating things as “malicious” or “dangerous” for no good reason. (The algorithms such ratings use are looking for such small signatures in the binary that it can easily false-match tons of code, compared to the one malicious code that they’re really looking for.)
While it is interesting that the brand-new Compare v2.0.2 plugin got rated as “suspicious,” what’s more interesting is that the current download of the Compare v2.0.0 plugin also got rated as malicious. This, in spite of the fact that version 2.0.0 has existed for over five years, so I would’ve expected any FP rating of it to have been resolved long ago, hence my wonderment whether the current 2.0.0 download is the same as the author’s original upload.
-
@jonathandl2,
If you look closely at the heuristics, I would say the plugin is being penalized for things it was only designed to do. For example, it unpacks portable versions of sqlite3 and git2, which it needs to function; but these are flagged as potentially malicious “stowaways”:
Persistence and Installation Behavior
Drops PE files
Source: C:\Windows\SysWOW64\7za.exe
File created: C:\Users\user\Desktop\extract\ComparePlugin\sqlite3.dll
Source: C:\Windows\SysWOW64\7za.exe
File created: C:\Users\user\Desktop\extract\ComparePlugin\git2.dll
Source: C:\Windows\SysWOW64\7za.exe
File created: C:\Users\user\Desktop\extract\ComparePlugin.dll
Calls to Win32 API functions like GetModuleHandleW are basic requirements for every single Notepad++ plugin (a Win32 application par excellence). But these are all essentially untrusted, simply because they have low-level access to the system:
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\rundll32.exe
Code function: 8_2_00007FFBBDC91870 GetModuleHandleW,GetModuleFileNameW,PathRemoveExtensionW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Possibly a rule set could be written that accounts for the typical behaviour of plugins. But I think it would end up being so permissive that basically everything would get a free pass.
-
@rdipardo said in Compare plugin detected as malicious by both JoeSandbox and Crowdstrike Falcon:
…it unpacks portable versions of sqlite3 and git2, which it needs to function; but these are flagged as potentially malicious “stowaways”:
Persistence and Installation Behavior
Drops PE files
Source: C:\Windows\SysWOW64\7za.exe
File created: C:\Users\user\Desktop\extract\ComparePlugin\sqlite3.dll
Source: C:\Windows\SysWOW64\7za.exe
File created: C:\Users\user\Desktop\extract\ComparePlugin\git2.dll
Source: C:\Windows\SysWOW64\7za.exe
File created: C:\Users\user\Desktop\extract\ComparePlugin.dll
Yes. It appears the sqlite3.dll and git2.dll files are the ones actually causing the Hybrid-Analysis sandbox to register the whole .zip as malicious as well. Not sure the best way to test them to verify they are good…
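One concrete way to start checking the download, as an added example that is not from this thread or from the Notepad++/Compare projects: compare the ZIP's SHA-256 with the hash Plugins Admin passed to gup.exe in the prompt quoted above, and hash each PE member separately so sqlite3.dll, git2.dll and ComparePlugin.dll can be checked against the upstream release one by one. The function names are my own, and the sample ZIP is constructed with dummy contents, so it will not match the real hash.

```python
import hashlib
import io
import zipfile

# SHA-256 that Plugins Admin passed to gup.exe for ComparePlugin v2.0.2 X64
# (copied from the prompt quoted earlier in the thread).
EXPECTED_V202_X64 = "4151fbc9778047991cf4b900363d846bda5b0d1783e5fed9eb77e4c8253ba315"

PE_SUFFIXES = (".dll", ".exe")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_plugin_zip(zip_bytes: bytes, expected_sha256: str) -> dict:
    """Compare the archive hash with the plugin-list hash and report the
    SHA-256 of every PE file inside, so each DLL can be looked up on its own."""
    archive_hash = sha256_bytes(zip_bytes)
    members = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(PE_SUFFIXES):
                members[info.filename] = sha256_bytes(zf.read(info))
    return {
        "archive_sha256": archive_hash,
        "matches_plugin_list": archive_hash == expected_sha256.lower(),
        "pe_members": members,
    }


def build_sample_zip() -> bytes:
    """Constructed stand-in for the real download: the member names from the
    sandbox report, but dummy contents (not real PE files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ComparePlugin/sqlite3.dll", b"MZ-dummy-sqlite3")
        zf.writestr("ComparePlugin/git2.dll", b"MZ-dummy-git2")
        zf.writestr("ComparePlugin.dll", b"MZ-dummy-plugin")
        zf.writestr("ComparePlugin/README.txt", b"not a PE file")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    report = verify_plugin_zip(sample, EXPECTED_V202_X64)
    print("archive matches plugin list:", report["matches_plugin_list"])
    for name, digest in report["pe_members"].items():
        print(f"{name}: {digest}")
```

Point `verify_plugin_zip` at the bytes of the real ZIP to get the per-DLL hashes you can compare with the files in the upstream release.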