Avast on macOS High Sierra claims it has caught the Windows-Only “Cryptonight” virus


Yesterday I ran a full system scan using my Avast antivirus software and it found an infected file. The file's location is:

/private/var/db/uuidtext/7B/BC8EE8D09234D99DD8B85A99E46C64

Avast categorizes the infected file as:

JS:Cryptonight [Trj]

So, after deleting the file I did several more full system scans to check whether there were any more files. I found nothing, until I restarted my MacBook Pro today. The file reappeared in the same location. So I decided to let Avast put it in the virus chest, restarted the laptop, and again the file was in the same location. Therefore the virus is re-creating the file on every restart of the laptop.

I want to avoid wiping the laptop and re-installing everything, so that is why I am here. I researched the file path and Cryptonight and found out that Cryptonight is/can be malicious code that runs in the background of someone's computer to mine cryptocurrency. I've been monitoring my CPU usage, memory, and network and I haven't seen a single odd process running. My CPU is running below 30%, my RAM is generally below 5GB (16GB installed), and my network hasn't had any processes sending out/receiving large amounts of data. So if something is mining in the background, I can't tell at all. I have no clue what to do.

My Avast runs full system scans every week, so this only became an issue this week. I checked all of my Chrome extensions and nothing is out of order, and I haven't downloaded anything special within the past week, besides the new Mac operating system (macOS High Sierra 10.13.1). So I have no clue where this has come from, to be honest, and I have no clue how to get rid of it. Can someone please help me out?

I suspect that this supposed “virus” is coming from the Apple update and that it is just a pre-installed file that is created and run every time the OS is booted/rebooted. But I am unsure, since I only have one MacBook and no one else I know who has a Mac has updated the OS to High Sierra. But Avast keeps labeling this as a potential “Cryptonight” virus and no one else online has posted anything about this issue. Therefore, a common virus removal forum isn't helpful in my situation, since I've already attempted to remove it with Avast, Malwarebytes, and manually.

Lonely Twinky

Posted 2017-11-26T03:03:18.203

Reputation: 393

[5] It’s most likely a false positive. – JakeGould – 2017-11-26T04:23:10.893

[1] That's the conclusion I am coming to, but I want reassurance that that is what it is. – Lonely Twinky – 2017-11-26T04:24:40.583

[5] @LonelyTwinky BC8EE8D09234D99DD8B85A99E46C64 seems to be a magic number! See my answer for details. – JakeGould – 2017-11-26T04:39:11.773

[1] What makes you think that Cryptonight is Windows-only? After a preliminary googling of "JS:Cryptonight" I get the impression that it's platform agnostic. It's an asm.js "trojan" used by some websites to steal your CPU time while you're visiting their pages and use it to mine cryptocurrency. Nothing about that is Windows-specific. – bcrist – 2017-11-26T23:44:41.733

[2] @bcrist The algorithm alone is platform agnostic, but the only Mac miners I can find that use Cryptonight are not JavaScript; they are all clearly system-level binaries such as this one. More details on the C implementations here and here. If this were purely a JavaScript threat, then Linux users would be complaining as well. Besides, Macs have horrible video cards by default, so they make terrible coin miners. – JakeGould – 2017-11-27T03:03:52.637

[3] I've contacted Avast about the file being a false positive; I will post an update on their response whenever they contact me back. – Lonely Twinky – 2017-11-27T05:26:17.333

Good that you contacted Avast. Avast employees: note that before this question was "protected", 4 "me too" posts were already deleted, and 3 duplicates have been closed too, while this question already has 4.7k views. Also note that 1 deleted post says "I am also running macOS High Sierra 10.13.1 but only updated after Avast had detected the file, so it did not come from the update." – Arjan – 2017-11-27T18:28:25.197

Answers


Pretty sure there is no virus, malware or trojan at play and this is all a highly coincidental false positive.

It’s most likely a false positive since /var/db/uuidtext/ is related to the new “Unified Logging” subsystem that was introduced in macOS Sierra (10.2). As this article explains:

The first file path (/var/db/diagnostics/) contains the log files. These files are named with a timestamp filename following the pattern logdata.Persistent.YYYYMMDDTHHMMSS.tracev3. These files are binary files that we’ll have to use a new utility on macOS to parse. This directory contains some other files as well, including additional *.tracev3 log files and others that contain logging metadata. The second file path (/var/db/uuidtext/) contains files that are referenced in the main *.tracev3 log files.

But in your case the “magic” seems to come from the hash:

BC8EE8D09234D99DD8B85A99E46C64

Just check out this reference for known Windows malware files, which references that one specific hash. Congratulations! Your Mac has magically created a filename that matches a known vector that has been primarily seen on Windows systems… But you are on a Mac, this filename is just a hash that is connected to the “Unified Logging” database system’s file structure, and it is completely coincidental that it matches that malware filename; it should not mean anything.

And the reason that specific file seems to regenerate is based on this detail from the above explanation:

The second file path (/var/db/uuidtext/) contains files that are referenced in the main *.tracev3 log files.

So you delete the file in /var/db/uuidtext/, but all it is is a reference to what is in /var/db/diagnostics/. So when you reboot, the system sees it is missing and recreates it in /var/db/uuidtext/.

As for what to do now? Well, you can either tolerate the Avast alerts or you can download a cache cleaning tool such as OnyX and force the logs to be recreated by truly purging them from your system, not just that one BC8EE8D09234D99DD8B85A99E46C64 file. Hopefully the hash names of the files it regenerates after a full cleaning won’t accidentally match a known malware file again.


UPDATE 1: It seems like Avast staff acknowledges the issue in this post on their forums:

I can confirm this is a false positive. The superuser.com post describes the issue quite well - MacOS seems to have accidentally created a file that contains fragments of malicious cryptocurrency miner which also happen to trigger one of our detections.

Now what is really odd about this statement is the phrase, “…MacOS seems to have accidentally created a file that contains fragments of malicious cryptocurrency miner.”

What? Is this implying that someone on the core macOS software development team at Apple somehow “accidentally” set up the system so it generates neutered fragments of a known malicious cryptocurrency miner? Has anyone contacted Apple directly about this? This all seems a bit crazy.


UPDATE 2: This issue is further explained by someone named Radek Brich on the Avast forums as simply Avast identifying itself:

Hello, I'll just add a bit more information.

The file is created by the MacOS system; it's actually part of a "cpu usage" diagnostic report. The report is created because Avast uses the CPU heavily during the scan.

The UUID (7BBC8EE8-D092-34D9-9DD8-B85A99E46C64) identifies a library which is part of the Avast detections DB (algo.so). The content of the file is debugging information extracted from the library. Unfortunately, this seems to contain a string which is in turn detected by Avast as malware.

(The "rude" texts are probably just names of malware.)

JakeGould

Posted 2017-11-26T03:03:18.203

Reputation: 38 217

[4] Thank you for the explanation, you truly are a savior. Very well explained too. – Lonely Twinky – 2017-11-26T04:41:03.660

[16] Wow. On a related note, you should invest in a lotto ticket! That sort of "luck" is not supposed to be "once in a lifetime"; it's supposed to be "once in the entire lifespan of the universe, from big bang to heat death." – Cort Ammon – 2017-11-26T18:07:41.463

[14] Wait, what? What hash algorithm is that? If it's even an old cryptographic one, we have the equivalent of randomly solving a second pre-image attack, and it deserves a lot more recognition. – Joshua – 2017-11-26T19:25:08.313

[3] @Joshua Maybe an Apple engineer is a contributor to malware and let some hash generation code slip into their “day job” code? Wouldn’t that be a kick in the head! – JakeGould – 2017-11-26T23:36:34.353

[3] @Joshua any chance it's not a cryptographic hash at all, but more akin to Java's String hash? That is, string as base-(three-digit number) modulo (nine-digit number). Also note this hash is just 30 nibbles long = 120 bits. Decent, but not quite sufficient for cryptographic use, and the odd length suggests that it is a custom-made thing. – John Dvorak – 2017-11-27T11:22:58.080

[6] @JohnDvorak The full path is /private/var/db/uuidtext/7B/BC8EE8D09234D99DD8B85A99E46C64, so the file name could be just the last 120 bits of a 128-bit hash (the first 8 being 7B). That doesn't necessarily mean it's a cryptographic hash, but the length does match MD5. – Matthew Crumley – 2017-11-27T17:09:45.113

[1] @CortAmmon quite a lot of luck for one file on one PC on one virus, but I ran a quick and dirty calculation (3.6M files on my PC, 2B PCs, ~29.5M virus hashes) and got a 1/10^13 chance of a collision (one in ten trillion—still impressive), and given MD5's imperfect distribution, I'd expect that to go down even more, though I'm not sure how to factor that part in. – Kevin – 2017-11-27T18:40:14.023

@Kevin Well, can you provide another explanation for this happening? – JakeGould – 2017-11-27T19:07:21.260

[1] Nice find, that forum post. Meanwhile it also explains: The file is created by MacOS system, it's actually part of "cpu usage" diagnostic report. The report is created because Avast uses the CPU heavily during the scan. The UUID (7BBC8EE8-D092-34D9-9DD8-B85A99E46C64) identifies a library which is a part of Avast detections DB (algo.so). The content of the file is debugging information extracted from the library. Unfortunately, this seems to contain a string which is in return detected by Avast as a malware. And: issue was in leaking some strings that may trigger a detection :-) cc @Joshua – Arjan – 2017-12-17T16:24:34.190
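The comments above argue over whether the file name is a 120-bit or a 128-bit value and how unlikely an accidental match is, and the answer's UPDATE 2 resolves it by reading the directory name plus file name as one UUID. The following Python is an added example written for this thread (not code from the question, the answer, Avast or Apple): it reconstructs that UUID from a uuidtext path, reports its RFC 4122 variant and version bits, computes the inverse mapping (where the logging subsystem would recreate the entry), and reproduces Kevin's back-of-the-envelope estimate. The only page-specific value is the path from the question; the "every file name is a uniform random value" model behind the estimate is an assumption of the estimate, not a property of macOS, and the two accepted root directories reflect that /var is a symlink to /private/var on macOS.

```python
"""Reconstruct and inspect the UUID behind a /var/db/uuidtext entry.

Added example for this thread; not code from the question, the answer,
Avast or Apple. The only page-specific value is the path from the question.
"""
import re
import uuid
from pathlib import PurePosixPath

# Both spellings seen in the thread: /private/var is the real directory,
# /var is a symlink to it on macOS.
UUIDTEXT_ROOTS = (
    PurePosixPath("/private/var/db/uuidtext"),
    PurePosixPath("/var/db/uuidtext"),
)
_HEX2 = re.compile(r"[0-9A-Fa-f]{2}\Z")
_HEX30 = re.compile(r"[0-9A-Fa-f]{30}\Z")

# The path from the question (the one value taken from the page).
QUESTION_PATH = "/private/var/db/uuidtext/7B/BC8EE8D09234D99DD8B85A99E46C64"


def uuid_from_uuidtext_path(path: str) -> uuid.UUID:
    """Join the 2-hex-digit directory and the 30-hex-digit file name into the
    32 hex digits (128 bits) of a UUID. Anything not shaped like a uuidtext
    entry is rejected rather than guessed at."""
    parts = PurePosixPath(path).parts
    if len(parts) < 3:
        raise ValueError(f"not a uuidtext path: {path}")
    root, bucket, name = PurePosixPath(*parts[:-2]), parts[-2], parts[-1]
    if root not in UUIDTEXT_ROOTS:
        raise ValueError(f"not under a uuidtext root: {path}")
    if not (_HEX2.match(bucket) and _HEX30.match(name)):
        raise ValueError(f"names are not 2 + 30 hex digits: {path}")
    return uuid.UUID(hex=bucket + name)


def uuidtext_path_for(u: uuid.UUID, root: str = "/private/var/db/uuidtext") -> str:
    """Inverse mapping: the first byte of the UUID becomes the directory
    name, the remaining 15 bytes become the file name. This is the location
    the logging subsystem recreates after the file is deleted."""
    digits = u.hex.upper()
    return f"{root}/{digits[:2]}/{digits[2:]}"


def describe_uuid(u: uuid.UUID) -> dict:
    """Report the RFC 4122 variant and version bits. Version 3 is the value
    RFC 4122 assigns to MD5-based name UUIDs; `version` is None for UUIDs
    that are not of the RFC 4122 variant."""
    return {
        "canonical": str(u).upper(),
        "bits": 128,
        "variant": u.variant,  # e.g. 'specified in RFC 4122'
        "version": u.version,
        "rfc4122_md5_name_uuid": u.variant == uuid.RFC_4122 and u.version == 3,
    }


def expected_accidental_matches(files_per_host: float, hosts: float,
                                signature_names: float, bits: int) -> float:
    """Expected number of purely accidental file-name/signature matches under
    the idealised model the comments use: every file name is a uniform random
    `bits`-bit value and the signature list holds `signature_names` distinct
    such values. A constructed estimate, not a measurement."""
    return files_per_host * hosts * signature_names / float(2 ** bits)


if __name__ == "__main__":
    u = uuid_from_uuidtext_path(QUESTION_PATH)
    for key, value in describe_uuid(u).items():
        print(f"{key:>22}: {value}")
    print("      regenerated at: " + uuidtext_path_for(u))
    # Kevin's figures: 3.6M files per PC, 2B PCs, ~29.5M signature hashes.
    for bits in (120, 128):
        est = expected_accidental_matches(3.6e6, 2e9, 29.5e6, bits)
        print(f"expected accidental matches with {bits}-bit names: {est:.2e}")
```

Run on the question's path, the reconstructed value is 7BBC8EE8-D092-34D9-9DD8-B85A99E46C64, the same UUID Radek Brich quotes, with RFC 4122 variant bits and version nibble 3 (the MD5 name-based layout), which lines up with Matthew Crumley's length observation; whether a linker actually derived it from an MD5 is not something this thread establishes. On a Mac, `dwarfdump --uuid <binary>` prints the LC_UUID of a Mach-O file, so comparing that output with the reconstructed value is how to confirm which library a uuidtext entry belongs to before deciding whether an alert on it means anything. Kevin's 120-bit estimate comes out near 1.6e-13; with the full 128 bits it drops to about 6e-16.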