
Why is VirusTotal showing that it's a malware?

Open K-K-L-L opened this issue 1 year ago • 8 comments

I downloaded Meteor client version 0.5.6 and scanned the JAR file just for fun, and surprisingly it showed that it is malware https://www.virustotal.com/gui/file/0058cfe2b24392bb6d84a7cbae10c66ecadfcef47b31e7fa5ad0e8f0b4f71c99.

Now, I'm not saying that this is malware but I'm concerned about the file that I downloaded (I ran the instance for a split second and then stopped it, I don't think the file actually ran lol)

K-K-L-L avatar Aug 26 '24 14:08 K-K-L-L

I know that this is a meteor client issue, but can I please get an explanation of why this happened?

K-K-L-L avatar Aug 26 '24 14:08 K-K-L-L

Happens because of obfuscated Minecraft code or something

ManInMyVan avatar Aug 26 '24 15:08 ManInMyVan

Happens because of obfuscated Minecraft code or something

No, it's because you put malware in it. Those websites don't only do static analysis; they run the actual code in a VM and see what it does. That scanner ran your program and found that it did something (probably making web requests to your command and control server), and flagged it as malware. The only safe source of old Meteor versions is the official Meteor GitHub repository here: https://github.com/MeteorDevelopment/meteor-client. There doesn't appear to be a releases page, so it looks like you'll have to compile an old version of the codebase on your own, @K-K-L-L.

3zad avatar Jan 07 '25 23:01 3zad

No, it's because you put malware in it

if you download it from the official site from web.archive.org (https://web.archive.org/web/20240622124842/https://maven.meteordev.org/releases/meteordevelopment/meteor-client/0.5.6/meteor-client-0.5.6.jar), it will bring up the exact same page as the one linked in the issue when put into virustotal, meaning it has the exact same hash, how does one add malware to a file without changing the file?

probably making web requests to your command and control server

better idea: it makes web requests to the client's api

ManInMyVan avatar Jan 08 '25 00:01 ManInMyVan
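
Added example, not part of the thread: the comment above rests on comparing file hashes, and the `/gui/file/<hash>` segment of the VirusTotal link in the opening post is the SHA-256 of the scanned file. This Python code checks a local download against that identifier and shows that a one-byte change produces a different digest; the function names, file names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# VirusTotal link from the opening post; the last path segment is a SHA-256.
VT_URL = ("https://www.virustotal.com/gui/file/"
          "0058cfe2b24392bb6d84a7cbae10c66ecadfcef47b31e7fa5ad0e8f0b4f71c99")
_VT_SHA256 = re.compile(r"/gui/file/([0-9a-fA-F]{64})(?![0-9a-fA-F])")


def sha256_from_vt_url(url):
    """Extract the SHA-256 file identifier from a VirusTotal GUI file URL."""
    match = _VT_SHA256.search(url)
    if match is None:
        raise ValueError("URL does not contain a SHA-256 file identifier")
    return match.group(1).lower()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large JARs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_report(path, vt_url):
    """True if the local file is the exact file the VirusTotal report covers."""
    return hmac.compare_digest(sha256_of_file(path), sha256_from_vt_url(vt_url))


def demo():
    """Constructed stand-ins for two downloads of one JAR plus a modified copy."""
    original = b"PK\x03\x04 constructed sample bytes, not a real JAR"
    with tempfile.TemporaryDirectory() as tmp:
        mirror, archive, modified = (Path(tmp) / n for n in ("a.jar", "b.jar", "c.jar"))
        mirror.write_bytes(original)
        archive.write_bytes(original)
        modified.write_bytes(original + b"\x00")  # a single extra byte
        same = sha256_of_file(mirror) == sha256_of_file(archive)
        changed = sha256_of_file(mirror) != sha256_of_file(modified)
        return same, changed, matches_report(mirror, VT_URL)


if __name__ == "__main__":
    print(demo())
```

A match only shows that a download is byte-identical to the file the report covers; it says nothing about what that file does when run.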

if you download it from the official site from web.archive.org (https://web.archive.org/web/20240622124842/https://maven.meteordev.org/releases/meteordevelopment/meteor-client/0.5.6/meteor-client-0.5.6.jar), it will bring up the exact same page as the one linked in the issue when put into virustotal, meaning it has the exact same hash, how does one add malware to a file without changing the file?

Why would you upload actual jars at all then? Just create a list of webarchive links. Much safer and trustworthy for everyone.

3zad avatar Jan 08 '25 12:01 3zad

i need baritone 1.21.1

rtsstvtv avatar Jan 09 '25 08:01 rtsstvtv

i need baritone 1.21.1

Build it yourself from the Meteor Baritone fork

K-K-L-L avatar Jan 09 '25 12:01 K-K-L-L

https://tria.ge/251123-mcghlayqdp/behavioral1 it's a 10/10

waffle245 avatar Nov 23 '25 10:11 waffle245