Just got infected with Trojan malware by my own piece of software

Unwelcome Surprise: Navigating Trojan malware in My Own Software

Today, I faced an unexpected and unsettling development. After four months of diligent work with my development partner on a software product we planned to launch as a SaaS offering, I discovered that our creation had inadvertently turned against me, manifesting as Trojan malware.

Earlier today, my co-developer was addressing some bugs that had surfaced in the software. Built into our program is a feature designed to automatically update the software upon startup, checking for any changes made on the server. If discrepancies are detected, the software promptly updates itself to align with the latest server version.

After my colleague made updates and posted them on GitHub, I launched the executable to perform a user interface test. To my shock, I was met with immediate notifications from Windows Defender identifying threats, including two files marked as high-severity Trojan malware.

In a panic, I initiated a scan with Malwarebytes and scrambled to safeguard my critical files on Google Drive before deleting potentially infected items. After thorough scans, I found 47 malware files – a dramatic increase from a clean slate just weeks prior. Ultimately, I managed to eliminate the threats and quarantine the suspicious files, yet the experience left me bewildered.

Normally, I take my operational security seriously, and the thought that the software I co-own might have turned malicious was confounding. While I trust my development partner—I’ve worked closely with him for many hours—we’re left with questions. Could our AWS server have been breached? Is someone embedding malware into our code? Given our rigorous security protocols, this seemed unlikely.

As I continued my investigations, I discovered that many of the quarantined files had been flagged under a particular detection identified as “Trojan:Win32/Wacatac.B!ml.” However, hindsight revealed indications of a potential false positive. My partner suggested that the alert might stem from our obfuscation methods designed to protect the software from reverse engineering. Coincidentally, he reported that his antivirus did not flag any issues.

What baffles me is why Windows Defender categorized our obfuscator as a threat after a month and a half without issues. Compounding the perplexity, VirusTotal revealed several antivirus services labeling our files as malicious, including reports from McAfee and Cybereason.

As the dust settles, I analyze the situation with new clarity.

  1. Revising the Updater Module: The automatic updater, intended to ensure seamless updates, had inadvertently created a significant security risk.
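An updater that pulls whatever is on the server at startup and runs it means that anyone who can write to that server (or to the repository it mirrors) can ship code to every client. The following is an added example, not the author's code and not from the project described above: a Go sketch of the checks such an updater should run before it writes anything to disk. The client holds a pinned publisher public key; the server delivers a manifest (version plus per-file SHA-256) and an Ed25519 signature over it. The client verifies the signature, refuses anything not newer than what is installed, rejects path names that could escape the install directory, and checks every downloaded file against its pinned hash. The function names, the manifest layout, and the sample release files are all constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Manifest describes one release (constructed format for this example).
// The server publishes it next to the files; the client trusts it only after
// the publisher's signature over the exact JSON bytes checks out.
type Manifest struct {
	Version int               `json:"version"`
	Files   map[string]string `json:"files"` // relative path -> hex SHA-256
}

// NewSigningKey makes an Ed25519 key pair. In a real build the public key is
// compiled into the client and the private key stays on the release-signing
// machine; neither one lives on the update server.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest hashes every release file, serialises the manifest and signs
// the bytes the client will later verify. encoding/json sorts map keys, so
// the same files always produce the same bytes.
func SignManifest(priv ed25519.PrivateKey, version int, files map[string][]byte) (manifestJSON, sig []byte, err error) {
	m := Manifest{Version: version, Files: map[string]string{}}
	for p, data := range files {
		sum := sha256.Sum256(data)
		m.Files[p] = hex.EncodeToString(sum[:])
	}
	if manifestJSON, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// safeRelPath rejects names that could land a file outside the install
// directory: absolute paths, drive letters, backslashes, "." and "..".
func safeRelPath(p string) bool {
	if p == "" || strings.HasPrefix(p, "/") || strings.ContainsAny(p, `\:`) {
		return false
	}
	for _, seg := range strings.Split(p, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return false
		}
	}
	return true
}

// VerifyUpdate is the gate an auto-updater runs before applying anything.
// It returns nil only if the manifest is signed by the pinned key, is newer
// than the installed version, names only safe paths, and every downloaded
// file matches its pinned hash with nothing missing and nothing extra.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig []byte, installedVersion int, downloaded map[string][]byte) error {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return fmt.Errorf("manifest malformed: %w", err)
	}
	if m.Version <= installedVersion {
		return fmt.Errorf("manifest version %d is not newer than installed %d: possible rollback", m.Version, installedVersion)
	}
	if len(downloaded) != len(m.Files) {
		return errors.New("downloaded file set does not match manifest")
	}
	for p, wantHex := range m.Files {
		if !safeRelPath(p) {
			return fmt.Errorf("unsafe path in manifest: %q", p)
		}
		data, ok := downloaded[p]
		if !ok {
			return fmt.Errorf("manifest lists %q but it was not downloaded", p)
		}
		want, err := hex.DecodeString(wantHex)
		if err != nil || len(want) != sha256.Size {
			return fmt.Errorf("bad digest for %q", p)
		}
		got := sha256.Sum256(data)
		if subtle.ConstantTimeCompare(got[:], want) != 1 {
			return fmt.Errorf("hash mismatch for %q: file altered after signing", p)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := NewSigningKey()
	// Constructed sample release: short strings stand in for real binaries.
	release := map[string][]byte{"app.exe": []byte("release 2 binary"), "lib/core.dll": []byte("release 2 library")}
	mj, sig, _ := SignManifest(priv, 2, release)
	fmt.Println("clean update:", VerifyUpdate(pub, mj, sig, 1, release))
	// Attacker with write access to the server swaps one binary: hash check fails.
	tampered := map[string][]byte{"app.exe": []byte("trojaned binary"), "lib/core.dll": release["lib/core.dll"]}
	fmt.Println("tampered file:", VerifyUpdate(pub, mj, sig, 1, tampered))
	// Attacker re-signs with their own key: signature check fails.
	_, rogue, _ := NewSigningKey()
	mj2, sig2, _ := SignManifest(rogue, 3, tampered)
	fmt.Println("rogue key:", VerifyUpdate(pub, mj2, sig2, 1, tampered))
	// Attacker replays an older, genuinely signed release: version check fails.
	fmt.Println("rollback:", VerifyUpdate(pub, mj, sig, 2, release))
}
```

The point of the design is that compromising the update server, the GitHub repository, or the CI job that uploads to them is no longer enough to push code to clients; the attacker also needs the offline signing key. The version check matters because a signed manifest is otherwise valid forever, so an old release with a known bug could be replayed to every client.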
