Plugin Appears to Have a Trojan

FYI:

I recently installed Zotero. Late last week I was infected with a Trojan that installed a CryptoCurrency Miner. I suspected it had been installed via Zotero. So today I restored my 'Zotero folder' and, sure enough, after a scan there were numerous Trojans found in the acroread PDF plugin. I've quarantined all instances. This was on Linux too! This was a default install.
  • Zotero doesn't contain an acroread PDF plugin and the official binaries contain no trojans.

    The most usual issue is typically that you've taken a webpage snapshot from a site that serves malware; this would be found in the storage directory. There's not much Zotero should be expected to do here. Because these are typically JavaScript-based miners, nothing would happen if the page isn't loaded in your browser, and you may be able to remove the culprit files and still have a usable snapshot. Your quarantine may have shown whether this was/wasn't the case. You can also report and/or not visit sites that serve malware.

    The second most usual issue is a false positive.

    The third and least likely is that you downloaded a modified version of Zotero from an untrusted source.
  • OK. Seems it may have been from a website serving malware JavaScript in PDFs downloaded. Here are the results; once scrubbed, I no longer had the condition. Attaching them so others may be advised to be careful of PDF handling.

    /home/xxx/Zotero/storage/8PZLTV95/secureAnonymousFramework PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/AJQW7RDG/context_static_r_5640.js PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/TYFGUSIH/js_e9aef594554208d5ad1087102ba7af63.js PUA.Win.Tool.Packed-177

    /home/xxx/Zotero/storage/C4KZJSP6/secureAnonymousFramework PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/QFSLCD7C/context_static_r_5698.js PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/QFSLCD7C/loader.js PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/EYTUUI4A/secureAnonymousFramework PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/VZJHKCR2/moatuac.js PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/AJQW7RDG/loader.js PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/7L9Z6UEB/secureAnonymousFramework PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/9V7YLYQD/secureAnonymousFramework PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/SDW2XLD4/moatcontent.js PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/F8VSQLUX/secureAnonymousFramework PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/V545Z3PG/context_static_r_5447.js PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/V545Z3PG/loader.js PUA.Win.Trojan.Xored-1

    /home/xxx/Zotero/storage/6GEAND5W/moatcontent.js
  • So that's the first option noksagt mentions; everything in Zotero/storage is content you saved.
  • Those are likely webpage snapshots, rather than PDFs, as indicated by the standalone javascript files.

    PUA means "potentially unwanted application". PUA are not viruses; they are flagged when your AV system finds a file or extension that has been proven to be abused by others. It is likely that many of those are not harmful. So: it may be some mix of the first two options I list (these aren't really false positives, as they're flagged "PUA", but it has the same effect if the end user doesn't understand that).

    In any case: I see nothing for Zotero to do better here.
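The two replies above make a practical point: each subdirectory of Zotero/storage/ holds the files of one saved item, so grouping scanner hits by that 8-character key shows which saved items are affected, whether the hits are standalone JavaScript (typical of a snapshot) or the PDF itself, and whether every hit is a PUA signature or something a user should look at more closely before deleting. The script below is an added example, not code from the thread or from the Zotero project. It assumes the scanner report format shown in the thread (one hit per line, path followed by an optional signature name); the sample report, item keys and file names in it are constructed.

```python
"""Group antivirus hits under a Zotero storage directory by saved item.

Zotero stores each attachment (webpage snapshot or PDF) in its own
storage/<8-char KEY>/ directory. Grouping a scanner report by that key
tells a user which saved items to review instead of a flat list of paths.
"""
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample modeled on the report in the thread: "<path> <signature>",
# one hit per line; the last line has no signature, as on the page.
# All keys, names and the Win.Trojan.Generic-1 signature are made up.
SAMPLE_REPORT = """\
/home/xxx/Zotero/storage/AAAA1111/secureAnonymousFramework PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/AAAA1111/loader.js PUA.Win.Trojan.Xored-1
/home/xxx/Zotero/storage/BBBB2222/js_deadbeef.js PUA.Win.Tool.Packed-177
/home/xxx/Zotero/storage/CCCC3333/paper.pdf Win.Trojan.Generic-1
/home/xxx/Zotero/storage/DDDD4444/moatcontent.js
"""

# A hit line: a path, then optionally whitespace and a signature name.
HIT_RE = re.compile(r"^(?P<path>\S+)(?:\s+(?P<sig>\S+))?\s*$")
# Zotero item keys are 8 uppercase alphanumeric characters.
STORAGE_KEY_RE = re.compile(r"/storage/(?P<key>[A-Z0-9]{8})/")


def parse_report(text):
    """Yield (path, signature) pairs; signature is None when the line has none."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HIT_RE.match(line)
        if m:
            yield m.group("path"), m.group("sig")


def file_kind(name):
    """Classify a flagged file by extension: pdf, javascript or other."""
    suffix = PurePosixPath(name).suffix.lower()
    if suffix == ".pdf":
        return "pdf"
    if suffix in (".js", ".mjs"):
        return "javascript"
    return "other"


def is_pua(sig):
    """True only for signatures explicitly labelled PUA by the scanner."""
    return sig is not None and sig.startswith("PUA.")


def group_by_item(text):
    """Return {item_key: {"hits": [(filename, signature, kind)], "pua_only": bool}}.

    pua_only is False as soon as one hit is unlabelled or not a PUA signature,
    so the conservative case is flagged for manual review.
    """
    items = defaultdict(lambda: {"hits": [], "pua_only": True})
    for path, sig in parse_report(text):
        m = STORAGE_KEY_RE.search(path)
        if not m:
            continue  # hit outside Zotero storage; not a saved item
        key = m.group("key")
        name = PurePosixPath(path).name
        items[key]["hits"].append((name, sig, file_kind(name)))
        if not is_pua(sig):
            items[key]["pua_only"] = False
    return dict(items)


def summarize(text):
    """One line per affected item, items needing review listed first."""
    lines = []
    grouped = group_by_item(text)
    for key, info in sorted(grouped.items(), key=lambda kv: (kv[1]["pua_only"], kv[0])):
        kinds = sorted({kind for _, _, kind in info["hits"]})
        tag = "PUA only" if info["pua_only"] else "REVIEW"
        lines.append(f"{key}: {len(info['hits'])} hit(s), {'/'.join(kinds)}, {tag}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_REPORT):
        print(line)
```

Items whose only hits are PUA-labelled JavaScript are the snapshot case described above; an item whose flagged file is the PDF itself, or whose signature is not a PUA label, is the one worth checking before deciding whether the saved item can be kept.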
  • I figured that was assumed without overtly stating it.