Trend Micro flagged 'jq' as Trojan.SH.HADGLIDER.TSE, installing on Ubuntu under WSL (Windows Subsystem for Linux)

Bug #1892552 reported by Chuck Woodward
This bug affects 4 people
Affects: jq (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

I had a virus scanner go off in a GitLab server. The detected file is "jq"

/diff/usr/bin/jq – This seems to be a JSON comparison tool.

We are curious why the virus scanner triggers on the latest version in the apt repositories jq 1.6-1

The downloaded 1.6 linux tarball from the jq site doesn't trigger the scanner.

=================

The problem is ALSO described here:

https://github.com/stedolan/jq/issues/2175

Here is an excerpt from this issues database.

Trend Micro flagged 'jq' as Trojan.SH.HADGLIDER.TSE, installing on Ubuntu under WSL (Windows Subsystem for Linux) #2175

Description

Not sure how actionable this is, but I thought it might be good to log a bug, in case others have this happen: I tried to install 'jq' under Ubuntu installed in the WSL subsystem of Windows 10, the usual way, via sudo apt install jq. This Windows is running Trend Micro OfficeScan, an antivirus tool, which flagged it as a security threat: Trojan.SH.HADGLIDER.TSE. (This particular type of Trojan is not cataloged on their website.)

Trend Micro ends up blocking the final step (copy or rename of file /usr/bin/jq.dpkg-new to just /usr/bin/jq), and locking down that file, so it can't be renamed or even deleted. It can, however, be read, and even run (!), which gave me the jq usage message.

Workaround

So, the workaround was: I ended up doing that copy manually, just by doing sudo cp /usr/bin/jq.dpkg-new /usr/bin/jq. It now runs.

Now I just have to hope there isn't really malware in that file... ;-)

Environment and Version Info

  o jq is 1.6-1 (it had downloaded /var/cache/apt/archives/jq_1.6-1_amd64.deb)
  o The Trend Micro "Smart Scan Agent Pattern" version is 16.173.00.
  o Windows 10 is version 1903 (OS Build 18362.1016).
  o Ubuntu is Ubuntu 20.04 LTS (Focal Fossa).
  o We are currently using WSL1, not WSL2.
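The manual copy in the workaround above leaves open the question the reporter jokes about: is the file now sitting at /usr/bin/jq really the one the package shipped? A defender's check is to compare installed files against the md5sums manifest dpkg records for the package (for jq on Ubuntu that is /var/lib/dpkg/info/jq.md5sums, with paths relative to /). The script below is an added example, not part of this bug report or of the jq or Ubuntu projects; it builds a constructed manifest and two fake install trees in a temp directory so the check can be exercised without dpkg or jq installed.

```shell
#!/bin/sh
# Added example (not from the bug report): check files installed from a .deb
# against the md5sums manifest that dpkg records for the package. On a real
# Ubuntu system the jq manifest is /var/lib/dpkg/info/jq.md5sums and paths are
# relative to /. Here the manifest and files are constructed in a temp dir so
# the check runs without dpkg or jq present.
set -u

# verify_manifest MANIFEST ROOT
# Each manifest line is "<md5>  <relative path>" (dpkg's .md5sums format).
# Prints OK / MISMATCH / MISSING per entry; returns 0 only if every file matches.
verify_manifest() {
    manifest=$1; root=$2; rc=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"; rc=1; continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (manifest $expected, on disk $actual)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# --- constructed demo data: a clean install tree and a tampered one ---------
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/good/usr/bin" "$DEMO/good/usr/share/doc/jq" "$DEMO/bad/usr/bin"
printf 'stand-in for the jq ELF binary\n' > "$DEMO/good/usr/bin/jq"
printf 'stand-in for the copyright file\n' > "$DEMO/good/usr/share/doc/jq/copyright"
# The manifest records the hashes of the files exactly as the package shipped them.
{
    printf '%s  usr/bin/jq\n' "$(md5sum "$DEMO/good/usr/bin/jq" | cut -d' ' -f1)"
    printf '%s  usr/share/doc/jq/copyright\n' \
        "$(md5sum "$DEMO/good/usr/share/doc/jq/copyright" | cut -d' ' -f1)"
} > "$DEMO/jq.md5sums"
# In the "bad" tree usr/bin/jq was replaced after install and the doc file is gone.
printf 'not the packaged binary\n' > "$DEMO/bad/usr/bin/jq"

verify_manifest "$DEMO/jq.md5sums" "$DEMO/good" && echo "good tree: matches package"
verify_manifest "$DEMO/jq.md5sums" "$DEMO/bad"  || echo "bad tree: does NOT match package"
```

On a real system run it as `verify_manifest /var/lib/dpkg/info/jq.md5sums /`; a mismatch on usr/bin/jq means the file on disk is not the one Ubuntu built, which is a different question from whether the AV signature itself is a false positive.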

Revision history for this message
Hayden Barnes (haydenb) wrote :

Thank you for bringing this to our attention and doing so with a private report.

This is not the first time a common benign Linux utility running in WSL has been flagged by antivirus on Windows.

Example: https://github.com/microsoft/WSL/issues/4757

What I suspect is happening is that some Windows malware includes Windows builds of utilities like jq or GNU tools and/or download them as part of their payload.

This resembles malware behavior that occasionally results in binaries in WSL being flagged by antivirus, sometimes even by Windows Defender.

Kaspersky will so aggressively detect R binaries as malware it will corrupt some Windows machines: https://github.com/microsoft/WSL/issues/4716

This happens more often on WSL 1 where the WSL file system is fully extracted to C:\Users\<user>\AppData\Local\Packages\Ubuntu...\LocalState\rootfs\.

It is something to log and be aware of, but it is very unlikely to be actual malware.

To be on the safe side, I would run them through virustotal and if there are no hits, report as a false positive to Trend Micro.

Thank you!

Chuck Woodward (chuck22) wrote :

When I ran it through Virus Total the following hits were received as seen in the attachment.

Chuck Woodward (chuck22) wrote :

The alerts below claim there is a cryptolocker in the Debian package.

Note: The jq binaries from the jq repository do not cause VirusTotal to alert.

AegisLab: Trojan.Linux.Miner.4!c
Kaspersky: HEUR.Trojan.Linux.Miner.gen
Qihoo-360: Linux/Trojan.d48
TrendMicro-HouseCall: Trojan.SH.HADGLIDER.TSE
ZoneAlarm by Check Point: HEUR.Trojan.Linux.Miner.gen
Fortinet: PossibleThreat
Microsoft: Trojan.Win32/Casdet!rfn
TrendMicro: Trojan.SH.HADGLIDER.TSE
ViRobot: Script.S.Agent.30872

Chuck Woodward (chuck22) wrote :

Here is the VirusTotal file hash.

bcfa215dec8fe15d4265c508c39c1ebafb7370acc95721e4e7d610b0459eb8dd

https://www.virustotal.com/gui/file/bcfa215dec8fe15d4265c508c39c1ebafb7370acc95721e4e7d610b0459eb8dd/detection

Chuck Woodward (chuck22) wrote :

This issue also occurred on Linux machines.

Seth Arnold (seth-arnold) wrote :

Thank you Chuck, please do report back what you hear from the virus vendors.

I've had bad luck trying to get them to explain results before -- I strongly recommend when you send them the file to send it in an encrypted zip with a password like "probablyfalsepositive" or something similar.

Thanks

Chuck Woodward (chuck22) wrote :

If you think these are false positives I'll close the issue here and take it up with the vendors.

Do you have any concerns?

By the way, I appreciate your help.

Seth Arnold (seth-arnold) wrote :

I'm no malware analyst but the jq binary didn't look at all out of the ordinary.

It's only 30kb which seems really tiny for something like cryptocurrency mining and returning 'mined' coins to a command and control server, but makes perfect sense for a small executable that uses libjq and libonig to do the work that it advertises itself as doing.

Not to mention that it'd only work on systems that call it in the course of doing something else... it's not a particularly impressive target.

I'm content to say the AV vendors ought to describe why they feel this is a threat.

Thanks

Chuck Woodward (chuck22) wrote :

Super.

Please close this issue.

We will work with the AV vendors.

Stay safe.

Alex Murray (alexmurray) wrote :

FWIW I have compared the jq_1.6.orig.tar.gz from the jq package in focal with the 1.6 upstream tarball - the only significant difference is that the tarball in debian/ubuntu removes the vendored / embedded copy of the oniguruma module - other than that it is the same as the upstream release.

Chuck Woodward (chuck22) wrote :

Alex,

I understand and will contact at least 2 of the AV vendors tomorrow (i.e., Monday).

Thank you again to your Team!

Regards

Alex Murray (alexmurray) wrote :

Chuck can I make this bug report public? There is now a second duplicate bug report for this which I would like to dupe against this one but ideally I would make this one public (however this is your bug report so you get to make that call ☺)

Chuck Woodward (chuck22) wrote :

Yes, you may make this bug report public.

Thank you again for your assistance!

*8^)

Alex Murray (alexmurray)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in jq (Ubuntu):
status: New → Confirmed