
virus discovered called osx.Exploit.Iosjailbreak

1699 Views 26 Replies Latest reply: Feb 8, 2013 12:17 PM by CoachAnnieG
  • varjak paw, Level 10 (167,195 points)
    Feb 7, 2013 1:58 PM (in response to CoachAnnieG)

    It looks like that Bumptop DMG either contains a jailbreak or a file that ClamXav is erroneously identifying as the jailbreak. BumpTop is a couple of years old, so it's quite possible that ClamXav is making a mistaken identification. In any case, as the others have said, it's not malware. Just delete the DMG and you should be fine.


    Regards.

  • MadMacs0, Level 4 (3,330 points)
    Feb 7, 2013 7:30 PM (in response to CoachAnnieG)

    CoachAnnieG wrote:

    also to clarify. Clamxav file is called "BumpTop-1.05.2.dmg"

    Please upload that file to ClamAV using the "Send a false positive report" link.

  • MadMacs0, Level 4 (3,330 points)
    Feb 7, 2013 7:52 PM (in response to wjosten)

    wjosten wrote:

    I'm gonna request our resident Virus/ClamAv guru post to this thread. Perhaps Thomas can shed more light & correct any errors in my posts & hopefully answer your questions.

    I'm not Thomas, but he's been advised of discussions with the ClamAV folks on this matter most of the day.

    Still a lot of things to sort out, but here's what I know right now.

    Signatures were posted for Unix, Win and OSX on Tuesday for this iOS jailbreaking tool, based on a sample received from virustotal.com. The last time I checked it was not being detected as malware by any of the other A-V scan engines on VirusTotal (not that I would ever use that site to compare A-V software, just that apparently none of the other vendors has yet chosen to write a signature for it). When I asked about it, ClamAV indicated that this Forbes article's description of how the jailbreak was accomplished was at least partially responsible for their decision. The signature detects the .dmg file itself, but not the tool or anything else contained on the disk image.

    As you can see, the article only describes the existence of iOS exploits, so there may not be any concern for Mac users, although one of our colleagues is still checking on a couple of aspects regarding the OS X code.

    Although there has been at least one other ClamAV signature written for a jailbreaking file (Oct 2, 2010), I'm not certain what platform it was used with or on, so this is relatively unprecedented.

    I expect this conversation to continue for a while and will attempt to update this space with additional details as they become available.

  • MadMacs0, Level 4 (3,330 points)
    Feb 7, 2013 8:57 PM (in response to CoachAnnieG)

    Glad to help. Were you able to upload the file to ClamAV?

  • thomas_r., Level 7 (26,980 points)
    Feb 8, 2013 5:17 AM (in response to MadMacs0)

    LOL, you may not be me, but you're probably more qualified to talk about the ClamAV engine than I am!

     

    I can add one thing, though. I found and downloaded a copy of BumpTop, which is a program to make your desktop look 3D. It's definitely not related to the evasi0n iOS jailbreak. However, ClamXav detects it as Osx.Exploit.Iosjailbreak for me as well. Looks strongly like a false positive to me!

     

    I downloaded the .dmg file from here:

     

    http://bumptop.en.softonic.com/mac/download

     

    I did not install it or do anything else with it.

  • Niall Mallyon
    Feb 8, 2013 6:00 AM (in response to thomas_r.)

    All,

     

    I started a discussion over at the ClamXav forum having found this issue on the original jailbreak file and then subsequently in other files totally unrelated and unaltered.

    Believe it has now been agreed to be a false positive and the guys over at ClamXav have submitted a FP report. This is why people are discovering files being flagged when they haven't even downloaded the jailbreak.

     

    Here is the link to the thread:

    http://www.clamxav.com/BB/viewtopic.php?f=1&t=3146

     

    Hope this helps.

  • thomas_r., Level 7 (26,980 points)
    Feb 8, 2013 7:51 AM (in response to CoachAnnieG)

    That's because this signature for osx.exploit.iosjailbreak was just added two days ago, and evidently the signature is severely flawed. Sounds like it's triggering on a number of other things as well.

     

    In any case, this is not actually malware. Even if you had the file this signature was intended to detect, that file isn't actually malware either, and many people disagree with its inclusion in ClamAV's signature database in the first place.

  • MadMacs0, Level 4 (3,330 points)
    Feb 8, 2013 12:03 PM (in response to CoachAnnieG)

    Since Thomas had problems submitting your file, I went ahead and did that this morning along with another from my collection of old .dmg files. My scan has found eighty FPs so far, almost all from Koingo Software.

     

    I've posted some information on the Clamav-User e-mail list, so should hear something back later today on what they have done about it.
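The posts above describe the manual side of false-positive triage: a signature added two days earlier fires on unrelated .dmg files, several people tally how many files it hits, and the flagged files are submitted to ClamAV with an FP report. The script below is an added example, not code from this thread or from ClamAV/ClamXav; it parses the `<path>: <Signature> FOUND` result lines that `clamscan` prints, counts hits per signature so a new signature firing across many unrelated files stands out, and gathers the size and SHA-256 of each file flagged by one suspect signature, which is what a report needs. The scan output lines and the disk-image files it reads are constructed inside `build_demo()` so it runs offline; the second signature name in that output is a placeholder, not a real ClamAV signature.

```python
"""Triage ClamAV/ClamXav detections before filing a false-positive report.

Added example (not from the thread or from ClamAV). Parses clamscan result
lines, groups hits by signature, and collects the facts an FP report needs
for one suspect signature. All input below is constructed for the demo.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter

# clamscan prints one line per file: "<path>: OK" or
# "<path>: <Signature.Name> FOUND"; a dashed header starts the summary block.
_HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_clamscan(lines):
    """Return [(path, signature), ...] for every FOUND line, ignoring OK
    lines and everything from the SCAN SUMMARY header onward."""
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("-----"):  # summary block; no more per-file results
            break
        m = _HIT_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def hits_per_signature(hits):
    """Count files per signature. One young signature matching many
    unrelated files is the pattern the thread is describing."""
    return Counter(sig for _, sig in hits)


def sha256_of(path):
    """Stream the file through SHA-256 so large disk images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fp_report(hits, signature):
    """Per-file facts for a false-positive report on one signature: path,
    size and SHA-256 of each flagged file that is still on disk."""
    report = []
    for path, sig in hits:
        if sig != signature or not os.path.isfile(path):
            continue
        report.append({"path": path, "size": os.path.getsize(path),
                       "sha256": sha256_of(path)})
    return report


def build_demo():
    """Constructed scenario: two unrelated .dmg files hit by the signature
    from the thread, one clean file, one hit by a placeholder signature."""
    tmp = tempfile.mkdtemp()
    files = {
        "BumpTop-1.05.2.dmg": b"constructed bumptop disk image bytes",
        "KoingoTool.dmg": b"constructed koingo disk image bytes",
        "Clean.dmg": b"constructed clean disk image bytes",
        "Other.dmg": b"constructed other disk image bytes",
    }
    for name, data in files.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)

    def p(name):
        return os.path.join(tmp, name)

    # Constructed clamscan output in its real line format.
    return [
        p("BumpTop-1.05.2.dmg") + ": Osx.Exploit.Iosjailbreak FOUND",
        p("KoingoTool.dmg") + ": Osx.Exploit.Iosjailbreak FOUND",
        p("Clean.dmg") + ": OK",
        p("Other.dmg") + ": Placeholder.Example.Sig FOUND",  # placeholder name
        "----------- SCAN SUMMARY -----------",
        "Infected files: 3",
    ]


if __name__ == "__main__":
    hits = parse_clamscan(build_demo())
    for sig, n in hits_per_signature(hits).most_common():
        print(f"{n:3d}  {sig}")
    for entry in fp_report(hits, "Osx.Exploit.Iosjailbreak"):
        print(entry["sha256"], entry["size"], entry["path"])
```

In real use you would feed it `clamscan -r --infected <dir>` output instead of `build_demo()`, then attach the hashes and the files themselves to the ClamAV false-positive submission the thread links to.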
