[INCORRECT] The ConstructSim VM Virus - Html.Exploit.CVE_2016_3271-2 FOUND

I tested the ROS framework yesterday on the TheConstructSim platform, and everything worked. But today I received a scam e-mail requesting payment in bitcoin…

After that, I performed a “Full Scan” with ClamAV and found the result below:

2021-02-24_14-30

Hi @jefersonjl82 ,

thanks for your post.

Could you paste here the email message you received, and who sent it?

By investigating this CVE_2016_3271-2, I see it is related to Jenkins, which we don’t even use.

We want to publicly show here that we are concerned about Security in our platform, and as soon as someone reports anything, we are going to investigate, and if a threat is really found, it will be solved.

Please let us know if you have any new information.

Hi @ralves, thanks for your answer,

The scam e-mail was written in Portuguese (my native language) and it has offensive words, so I’m not comfortable sharing it here. I don’t know if there is a relationship between the e-mail and the virus.

First of all, I’m not a Vulnerability Expert, I’m just an Engineer. What I know is:

  1. After the scam e-mail, I did a ClamAV scan on my computer and saved the infected files in a folder “VIRUS”.
  2. The virus file is a binary, but I ran a cat command on this file, and in the tail I could see a lot of information about theconstructsim. Let me share some screens:

Hi @jefersonjl82,

Thanks for the clarifications.

Could you please help with a few more questions?

  • What’s the from address of the email?
  • Did the email mention theconstructsim.com anywhere?
  • Did you open any link in the email or any of its attachments?

Some viruses and malware (or even adware) are able to track your browser history and then exploit it to send fake emails posing as being from the authentic domains therein. This is probably what happened (the addresses in the binary of the virus are the addresses your browser contacted while using our app).

It’s a good thing that you recognized the email as a scam in addition to having an up-to-date antivirus, as we need more than a good antivirus to fight cyberspace threats.

No cause for alarm here - just keep being vigilant as you keep pushing your ROS learning.

Hi @bayodesegun,

I’m here to help anyone who has the same problem … I can’t understand why you guys rewrote the issue title with an INCORRECT tag?

  • What’s the from address of the email?
    No. The scam e-mail was sent from dontcare@caribserve.net
  • Did the email mention theconstructsim.com anywhere?
    No
  • Did you open any link in the email or any of its attachments?
    No

I want to apologize for the created confusion! The scam email is not from theconstructsim… but the virus has information about theconstruction.com … this is a fact! I’m done here!

Hi @jefersonjl82,

Thanks again for clarifying.

We put the incorrect tag to indicate that the conclusion that the virus is a “The Construct VM virus” is incorrect, for the sake of members of the community who might be alarmed.

Those URLs you found in the virus are the ones your browser contacted recently, and this suggests that the virus had access to your browsing history and is probably trying to exploit that. And, based on your clarification, the virus may even have nothing to do with the email.

We appreciate that you voiced your doubts. Please don’t hesitate to contact us again if you find anything suspicious.