Gentoo Forums
clamav shows a trojan in stage3 2018-07-12 file
Forum: Networking & Security
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 498

Posted: Sat Jul 14, 2018 3:51 am    Post subject: clamav shows a trojan in stage3 2018-07-12 file

I downloaded the amd64 stage3 file
http://distfiles.gentoo.org/releases/amd64/autobuilds/20180712T214503Z/stage3-amd64-20180712T214503Z.tar.xz for a new system build tomorrow. I ran 'tar xJf' on that file as a regular user. (Yes, I expected the /dev/ files to fail.)
Then I ran 'clamscan -r -i' on the uppermost directory and I keep getting one hit:

Code:
usr/bin/xzdec: Unix.Trojan.Vali-6606621-0 FOUND


I am not feeling good about building a new system tomorrow. Should I wait for another stage3 ?
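Before deciding what a scanner hit inside an extracted stage3 means, the first check is whether the tarball is the one Gentoo published: every autobuild stage3 ships with a .DIGESTS file next to it (and a GPG-signed .DIGESTS.asc). The helper below is an added example, not code from this thread or from Gentoo. It picks the SHA512 line for one tarball out of such a DIGESTS file and checks it with sha512sum; feeding the whole DIGESTS file to 'sha512sum -c' would also report the .CONTENTS entry and the WHIRLPOOL section as errors. The file names and the DIGESTS contents described in the comments are assumptions; the GPG verification is mentioned in a comment only, because it needs the Gentoo release key imported.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded stage3 tarball
# against its Gentoo .DIGESTS file.  Assumes GNU coreutils (sha512sum) and
# the DIGESTS layout of the time: a "# SHA512 HASH" comment line followed by
# "<hex>  <filename>" entries, plus "# WHIRLPOOL HASH" sections.
#
# Authenticity, as opposed to integrity, comes from the detached signature:
#   gpg --verify stage3-amd64-20180712T214503Z.tar.xz.DIGESTS.asc
# which needs the Gentoo release key imported first and is not run here.

# verify_stage3 DIGESTS_FILE TARBALL
# Returns 0 if the SHA512 recorded for TARBALL matches the file, 1 otherwise.
verify_stage3() {
    digests=$1
    tarball=$2
    name=$(basename "$tarball")
    dir=$(dirname "$tarball")

    # Keep only the SHA512 entry for this one file.  The .CONTENTS entry and
    # the WHIRLPOOL section would otherwise show up as "no such file" and
    # "improperly formatted line" errors from sha512sum.
    line=$(awk -v want="$name" '
        /^# SHA512 HASH/     { insha = 1; next }
        /^#/                 { insha = 0; next }
        insha && $2 == want  { print; exit }
    ' "$digests")

    if [ -z "$line" ]; then
        echo "no SHA512 entry for $name in $digests" >&2
        return 1
    fi

    # sha512sum resolves the listed filename relative to the working
    # directory, so check from the tarball's directory.  --status keeps it
    # quiet; the exit code is the answer.
    (cd "$dir" && printf '%s\n' "$line" | sha512sum -c --status)
}

# Usage (paths are assumptions):
#   verify_stage3 stage3-amd64-20180712T214503Z.tar.xz.DIGESTS \
#                 stage3-amd64-20180712T214503Z.tar.xz && echo "digest OK"
```

A mismatch here, not a scanner signature, is the signal that would justify not building from the file.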
Chiitoo
Administrator
Joined: 28 Feb 2010
Posts: 1689
Location: Here and Away Again

Posted: Sat Jul 14, 2018 5:38 am    Post subject: ><)))°€

I'm inclined to believe that to be a false positive, but you never know. :]

For the sake of curiosity, I tested scanning the file too, two times.

First, with a “virus database is older than 7 days” (did not check how old, possibly one month almost exactly), and did not detect anything.

After a 'freshclam', however, I got what you got, so it's rather new, whatever it is.

Might submit a suspected false positive report (or a report to confirm it's indeed bad).
Maitreya
Guru
Joined: 11 Jan 2006
Posts: 407

Posted: Sat Jul 14, 2018 11:27 am

https://forum.manjaro.org/t/clamav-detecting-viruses-on-manjaro/52066/13
https://www.linuxquestions.org/questions/showthread.php?p=5878457#post5878457

So it seems an overactive matching pattern is at play (or we are dealing with a massive infection across repositories and distributions, which is unlikely).
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5802

Posted: Sat Jul 14, 2018 12:32 pm

FWIW...

Code:
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 24751, sigs: 2013133, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 324, sigs: 89, f-level: 63, builder: neo)


Code:
bloomfield ~ # clamscan -i /usr/bin/xzdec

----------- SCAN SUMMARY -----------
Known viruses: 6573260
Engine version: 0.100.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)
Time: 23.375 sec (0 m 23 s)
bloomfield ~ # equery belongs /usr/bin/xzdec
 * Searching for /usr/bin/xzdec ...
app-arch/xz-utils-5.2.3 (/usr/bin/xzdec)
bloomfield ~ # equery l -op xz-utils
 * Searching for xz-utils ...
[IP-] [  ] app-arch/xz-utils-5.2.3:0
[-P-] [ ~] app-arch/xz-utils-5.2.4-r2:0
[-P-] [ -] app-arch/xz-utils-9999:0


https://ask.fedoraproject.org/en/question/123957/clamtk-scan-anomaly/
https://lists.debian.org/debian-user/2018/07/msg00579.html
Last edited by bunder on Sun Jul 15, 2018 11:45 pm; edited 2 times in total
Fitzcarraldo
Veteran
Joined: 30 Aug 2008
Posts: 1636
Location: United Kingdom

Posted: Sat Jul 14, 2018 2:20 pm

I checked the same Gentoo Stage 3 download using the version of ClamAV on a Lubuntu installation (0.99.4, the same as the latest Gentoo Stable version), and it also flagged the same file:

Code:
Sat Jul 14 14:46:13 2018 -> ClamAV update process started at Sat Jul 14 14:46:13 2018
Sat Jul 14 14:46:13 2018 -> WARNING: Your ClamAV installation is OUTDATED!
Sat Jul 14 14:46:13 2018 -> WARNING: Local version: 0.99.4 Recommended version: 0.100.1
Sat Jul 14 14:46:13 2018 -> DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
Sat Jul 14 14:46:13 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sat Jul 14 14:46:15 2018 -> Downloading daily-24752.cdiff [100%]
Sat Jul 14 14:46:18 2018 -> daily.cld updated (version: 24752, sigs: 2013390, f-level: 63, builder: neo)
Can't query daily.24752.85.1.0.6810BA8A.ping.clamav.net
Sat Jul 14 14:46:18 2018 -> bytecode.cld is up to date (version: 324, sigs: 89, f-level: 63, builder: neo)
Sat Jul 14 14:46:21 2018 -> Database updated (6579728 signatures) from db.local.clamav.net (IP: 104.16.186.138)

Code:
ClamTk, v5.25
Sat Jul 14 15:02:10 2018
ClamAV Signatures: 6579639
Directories Scanned:
/home/fitzcarraldo/downloaded-gentoo-files/usr/bin

Found 1 possible threat (51374 files scanned).

/home/fitzcarraldo/downloaded-gentoo-files/usr/bin/xzdec      Unix.Trojan.Vali-6606621-0
----------------------------------------------------------------------

Whereas bunder's results are for ClamAV 0.100.1 (the latest Testing version in Gentoo), which gives the file the all-clear. So it looks like it could be the version of the ClamAV application, not the signatures, that is at fault.
jagdpanther
Guru
Joined: 22 Nov 2003
Posts: 498

Posted: Sun Jul 15, 2018 1:06 am

Although it appears that the clamav 'hit' on /usr/bin/xzdec is a false positive, I noticed that on my old Gentoo system, which is up to date (software-wise, not hardware), it does not trip clamav. So before I ran the chroot command on the new system, during the install, I just replaced the stage3-provided xzdec with the one from my old system. (Both are x86_64.) They are a few bytes different in size, and I suspect that my CFLAGS (and perhaps some USE flag) settings account for the difference in size.
krinn
Watchman
Joined: 02 May 2003
Posts: 6968

Posted: Sun Jul 15, 2018 2:07 pm

You might also look at the trojan's effect; it generally defines its nature. While this one is named "Unix", it still seems that it's one for Windows and not *nix.
And finding its pattern inside an ELF-format file is then a false positive.
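krinn's point above (what bytes does the signature actually look for, and do they make sense inside an ELF executable?) and jagdpanther's comparison of the two xzdec binaries can both be checked directly rather than guessed at. The helpers below are an added example, not code from this thread, from ClamAV or from Gentoo: show_signature uses sigtool, which ships with ClamAV, to print the decoded body of a named signature from the local database; is_elf checks the ELF magic; find_hex reports the byte offsets at which a literal hex fragment taken from that decoded signature occurs in a file, so the matched bytes can be looked at in context (for example with objdump) before replacing the binary. The signature name is the one from the thread; the file paths and the sample bytes used in the usage comment are assumptions. Wildcards in decoded signatures are not handled, as noted in the code.

```shell
#!/bin/sh
# Added example (not from the thread): triage a ClamAV hit on a binary taken
# from the stage3.  show_signature needs ClamAV's sigtool; is_elf and
# find_hex need only od, tr and GNU grep.  Paths and sample bytes in the
# usage comment are assumptions.

# show_signature NAME
# Print the decoded body of the signature(s) whose name matches NAME.  This
# is the documented first step when reporting a ClamAV false positive: it
# shows the byte pattern (and any wildcards) the detection is based on.
show_signature() {
    command -v sigtool >/dev/null 2>&1 || { echo "sigtool not installed" >&2; return 2; }
    sigtool --find-sigs="$1" | sigtool --decode-sigs
}

# is_elf FILE
# 0 if FILE starts with the ELF magic 0x7f 'E' 'L' 'F', 1 otherwise.
is_elf() {
    [ "$(od -An -N4 -tx1 "$1" | tr -d ' \n')" = "7f454c46" ]
}

# find_hex FILE HEX
# Print, one per line, the byte offsets at which the literal hex string HEX
# occurs in FILE.  Decoded signatures may contain wildcards ("??", "{n}",
# "*"); those are not interpreted here, so pass a literal run of bytes cut
# out of the decoded signature.
find_hex() {
    file=$1
    hex=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Dump the whole file as one line of lowercase hex (two chars per byte),
    # then let grep report the character offset of each match.
    od -An -v -tx1 "$file" | tr -d ' \n' |
        grep -ob "$hex" |
        while IFS=: read -r off _; do
            # An odd character offset means the match starts in the middle of
            # a byte (e.g. "f4" across "7f 45"); only even offsets are real.
            if [ $((off % 2)) -eq 0 ]; then
                echo $((off / 2))
            fi
        done
}

# Usage (paths are assumptions):
#   show_signature Unix.Trojan.Vali-6606621-0
#   is_elf ./stage3/usr/bin/xzdec && echo "ELF executable"
#   find_hex ./stage3/usr/bin/xzdec 48c7c0000000000f05   # a literal fragment from the decoded signature
#   sha256sum ./stage3/usr/bin/xzdec /usr/bin/xzdec         # compare with the locally built one
```

If the matched bytes fall inside ordinary compiler output that also appears in a locally built xzdec (or in the upstream xz-utils release), that, together with the decoded signature, is what a false-positive report to ClamAV should contain.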