
virus discovered called osx.Exploit.Iosjailbreak

I have never had any issues with viruses until I got my iPhone 5. I sync my phone with my Mac mini and laptop. Thankfully my ClamXav Sentry virus scan software isolated and quarantined a virus called "osx.Exploit.Iosjailbreak". Does anyone have any information on this and how to protect against this? It also got into our network via the iOS, and again our network is protected by ClamXav Sentry. Please advise.

Thanks

Annie

iPhone 5, iOS 6.0.2, 16 GB.

Posted on Feb 7, 2013 12:38 PM

26 replies

Feb 7, 2013 7:52 PM in response to wjosten

wjosten wrote:


I'm gonna request our resident Virus/ClamAv guru post to this thread. Perhaps Thomas can shed more light & correct any errors in my posts & hopefully answer your questions.

I'm not Thomas, but he's been advised of discussions with the ClamAV folks on this matter most of the day.


Still a lot of things to sort out, but here's what I know right now.


Signatures were posted for Unix, Win and OSX on Tuesday for this iOS jailbreaking tool, based on a sample received from virustotal.com. The last time I checked it was not being detected as malware by any of the other A-V scan engines on VirusTotal (not that I would ever use that site to compare A-V software, just that apparently none of the other vendors has yet chosen to write a signature for it). When I asked about it, ClamAV indicated that this Forbes article's description of how the jailbreak was accomplished was at least partially responsible for their decision. The signature detects the .dmg file itself, but not the tool or anything else contained on the disk image.


As you can see, the article only describes the existence of iOS exploits, so there may not be any concern for Mac users, although one of our colleagues is still checking on a couple of aspects regarding the OS X code.


Although there has been at least one other ClamAV signature written for a jailbreaking file (Oct 2, 2010) I'm not certain what platform it was used with or on, so this is relatively unprecedented.


I expect this conversation to continue for a while and will attempt to update this space with additional details as they become available.

Feb 8, 2013 5:17 AM in response to MadMacs0

LOL, you may not be me, but you're probably more qualified to talk about the ClamAV engine than I am!


I can add one thing, though. I found and downloaded a copy of BumpTop, which is a program to make your desktop look 3D. It's definitely not related to the evasi0n iOS jailbreak. However, ClamXav detects it as Osx.Exploit.Iosjailbreak for me as well. Looks strongly like a false positive to me!


I downloaded the .dmg file from here:


http://bumptop.en.softonic.com/mac/download


I did not install it or do anything else with it.

Feb 8, 2013 6:00 AM in response to thomas_r.

All,


I started a discussion over at the ClamXav forum having found this issue on the original jailbreak file and then subsequently in other files totally unrelated and unaltered.

Believe it has now been agreed to be a false positive and the guys over at ClamXav have submitted a FP report. This is why people are discovering files being flagged when they haven't even downloaded the jailbreak.


Here is the link to the thread:

http://www.clamxav.com/BB/viewtopic.php?f=1&t=3146


Hope this helps.

Feb 8, 2013 7:51 AM in response to CoachAnnieG

That's because this signature for osx.exploit.iosjailbreak was just added two days ago, and evidently the signature is severely flawed. Sounds like it's triggering on a number of other things as well.


In any case, this is not actually malware. Even if you had the file this signature was intended to detect, that file isn't actually malware either, and many people disagree with its inclusion in ClamAV's signature database in the first place.
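The thread never shows the body of the signature that fired, so the following is an added illustration, not ClamAV's code and not anything posted by the participants above: a toy matcher for a subset of ClamAV's `.ndb` body-signature syntax (`Name:TargetType:Offset:HexSignature`, with `??`, `*` and `{n-m}` wildcards and `EOF-n` offsets), run over constructed byte strings. It contrasts a hypothetical "loose" signature keyed on the `koly` trailer that every Apple disk image ends with, which flags unrelated .dmg files exactly the way the posters describe, against a hypothetical "tight" signature keyed on strings only the intended sample contains. The file names, payloads and both signature bodies are constructed for the demo and are not the real `Osx.Exploit.Iosjailbreak` signature.

```python
"""Toy ClamAV-style .ndb signature matcher (added example; not ClamAV code)."""
import re

def make_dmg(payload: bytes) -> bytes:
    """Constructed stand-in for a .dmg: 1024-byte body plus a 512-byte 'koly'
    trailer (real disk images end with such a trailer; the rest is zero-filled)."""
    body = payload.ljust(1024, b"\x00")
    koly_trailer = b"koly" + b"\x00\x00\x00\x04" + b"\x00" * 504
    return body + koly_trailer

# Constructed sample files. Only the first carries the tool's own strings; the
# other two disk images are unrelated but share the generic trailer.
SAMPLES = {
    "evasi0n.dmg": make_dmg(b"evasi0n jailbreak tool (constructed sample)"),
    "BumpTop.dmg": make_dmg(b"BumpTop 3D desktop (constructed sample)"),
    "Koingo.dmg":  make_dmg(b"Koingo Software installer (constructed sample)"),
    "notes.txt":   b"plain text file, no disk-image trailer\n",
}

# Hypothetical signatures in .ndb form: Name:TargetType:Offset:HexSignature.
# The 'loose' one matches the 8-byte 'koly' trailer header at EOF-512; the
# 'tight' one matches "evasi0n", a 1-8 byte gap, then "jailbreak", anywhere.
SIGS_NDB = [
    "Osx.Exploit.Iosjailbreak.loose:0:EOF-512:6b6f6c7900000004",
    "Osx.Exploit.Iosjailbreak.tight:0:*:6576617369306e{1-8}6a61696c627265616b",
]

def hex_sig_to_regex(hexsig: str) -> re.Pattern:
    """Translate the supported subset of ClamAV hex-signature syntax into a
    bytes regex: hex byte pairs, ?? (any byte), * (any run), {n} / {n-m} gaps."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?"); i += 1
        elif hexsig[i] == "{":
            j = hexsig.index("}", i)
            lo, _, hi = hexsig[i + 1:j].partition("-")
            parts.append(("(?:.{%s,%s})" % (lo or "0", hi or lo)).encode()); i = j + 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b"."); i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2]))); i += 2
    return re.compile(b"".join(parts), re.DOTALL)

def parse_ndb(line: str):
    """Split one .ndb line into (name, target_type, offset_spec, compiled regex)."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, hex_sig_to_regex(hexsig)

def matches(sig, data: bytes) -> bool:
    """Apply one parsed signature: '*' offset searches anywhere, an integer
    offset anchors at that position, 'EOF-n' anchors n bytes before the end."""
    _name, _target, offset, rx = sig
    if offset == "*":
        return rx.search(data) is not None
    start = len(data) - int(offset[4:]) if offset.startswith("EOF-") else int(offset)
    if start < 0 or start > len(data):
        return False          # file too short for this anchored signature
    return rx.match(data, start) is not None

def scan(ndb_lines, samples):
    """Return {filename: [names of signatures that hit]}, like a scanner report."""
    sigs = [parse_ndb(l) for l in ndb_lines]
    return {fn: [s[0] for s in sigs if matches(s, data)] for fn, data in samples.items()}

def false_positives(report, truly_bad):
    """Files flagged by any signature that are not in the known-bad set."""
    return sorted(fn for fn, hits in report.items() if hits and fn not in truly_bad)

if __name__ == "__main__":
    report = scan(SIGS_NDB, SAMPLES)
    for fn, hits in report.items():
        print(f"{fn:12s} {hits or 'clean'}")
    print("false positives:", false_positives(report, {"evasi0n.dmg"}))
```

Every disk image in the sample set trips the loose signature because it matches structure shared by all .dmg files rather than anything specific to the tool; the tight signature hits only the intended sample. To see what a real ClamAV signature actually tests for, `sigtool --find-sigs=<name>` prints the raw line from the local database and `sigtool --decode-sigs` (fed that line on stdin) renders it readably.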

Feb 8, 2013 12:03 PM in response to CoachAnnieG

Since Thomas had problems submitting your file, I went ahead and did that this morning along with another from my collection of old .dmg files. My scan has found eighty FPs so far, almost all from Koingo Software.


I've posted some information on the Clamav-User e-mail list, so should hear something back later today on what they have done about it.
