Malicious cryptocurrency miner embedded in Journal website downloaded to PC by Zotero Extension

LiberoZibnote · November 27, 2017

I was backing up my library when Windows Defender detected and prevented a trojan named brocoiner, which was contained inside a script within a downloaded html webpage file, from being copied from the zotero storage directory to the backup location.

Unfortunately it didn't detect the html containing the virus script when I initially downloaded it. It appears that, before I navigated to the page with the PDF download link, I clicked the connector and it instead downloaded the webpage (.html file containing the virus script).

It doesn't run autonomously as pointed out in adasmith's post below (whew!) but in any case, please take care when downloading via the browser connector just like one would through any other mechanism, even from legitimate journal websites.

[Edit: thanks for merging the double post, it double posted when I tried to edit a clarification into the OP]

adamsmith · November 27, 2017

(no need to double-post: https://forums.zotero.org/discussion/69077/malicious-cryptocurrency-miner-embedded-in-journal-website-downloaded-to-pc-by-zotero-extension#latest)

javascript bitcoin miners only run when the page is open, so the issue is fairly minor from a Zotero user's perspective (though quite embarrassing for the journal, of course, and you should let them know).

DWL-SDCA · November 27, 2017

It appears that there may have been useful information that was lost when the original post was deleted. Although I’m curious about the safetyof visiting a hacked journal site (and the name of te journal); I’m more concerned that something unsaid happened. Are items with attachments imported into Zotero downloaded in a way that bypasses an anti-malware screen?

dstillman · November 28, 2017

There was no other information.

Zotero downloads snapshots directly from the site. They could be scanned once they hit the disk, but that's about all I can say. Tools that work within the browser wouldn't have any effect, but I don't think that would matter here, since I don't think Windows Defender runs on non-Microsoft browsers anyway.

LiberoZibnote · December 1, 2017

Original post was edited for clarity. Additional details listed below along with screenshots. Let me know if I can provide further.

- Windows Defender with up-to-date definitions
- Chrome Version 62.0.3202.94 (Official Build) (64-bit)
- uBlock origin with standard settings
- Picked it up during a backup/export library function from the default Zotero data directory to a non-Admin user documents folder.

Screenshots with more details:
1. https://imgur.com/WJEpnUN - Windows Defender notification
2. https://imgur.com/9xgdQJD - Directory containing files
3. https://imgur.com/l1zWIvR - Microsoft threat page
^ https://imgur.com/a/pUUFI - Album

Microsoft threat page:
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:HTML/Brocoiner!rfn

dstillman · December 1, 2017

There's nothing we can do about this, I'm afraid. If you download from a site with malicious code, Zotero will dutifully save it — it's just JavaScript like any other. But as adamsmith says, this isn't really a big deal for an individual user. Delete the snapshot and report it to the site.