[arch-general] ClamAV Flagging systemd package
Greetings,

My nightly full-system ClamAV scan kicked out this last night:

/var/cache/pacman/pkg/systemd-238.133-4-x86_64.pkg.tar.xz: Unix.Trojan.Vali-6606621-0 FOUND

Is this something I should be concerned about?

TIA,
Dave
On 14-07-18 16:52, David Murray via arch-general wrote:
Greetings,
My nightly full-system ClamAV scan kicked out this last night:
/var/cache/pacman/pkg/systemd-238.133-4-x86_64.pkg.tar.xz: Unix.Trojan.Vali-6606621-0 FOUND
Is this something I should be concerned about?
TIA, Dave
https://www.virustotal.com/#/file/1aef694958c06497a8c5e98b0e6914b2a9af48faff...

That shows 2 engines that detect something, Baidu and ClamAV.

https://pcfixguides.com/how-to-effectively-remove-unix-trojan-vali-6606621-0...

It appears to be able to infect Windows and Mac systems, and does look threatening.

Not sure who should look into this, but Arch Security Team seems most applicable.
https://wiki.archlinux.org/index.php/Arch_Security_Team

LW
Most likely infected on your system, as the binary package in archive.archlinux.org seems to be clear:

clamscan systemd-238.51-1-x86_64.pkg.tar.xz
systemd-238.51-1-x86_64.pkg.tar.xz: OK
Hi Giovanni,
Most likely infected on your system, as the binary package in archive.archlinux.org seems to be clear:
clamscan systemd-238.51-1-x86_64.pkg.tar.xz
systemd-238.51-1-x86_64.pkg.tar.xz: OK
You're not comparing the same file. I confirm the alert for my own package file taken from a brand new server (so most likely not infected). This is probably a false positive though.

Kind regards,
--
Ismael
On Sat, Jul 14, 2018 at 05:19:29PM +0200, LoneVVolf wrote:
On 14-07-18 16:52, David Murray via arch-general wrote:
Greetings,
My nightly full-system ClamAV scan kicked out this last night:
/var/cache/pacman/pkg/systemd-238.133-4-x86_64.pkg.tar.xz: Unix.Trojan.Vali-6606621-0 FOUND
Is this something I should be concerned about?
TIA, Dave
https://www.virustotal.com/#/file/1aef694958c06497a8c5e98b0e6914b2a9af48faff...
That shows 2 engines that detect something, Baidu and ClamAV.
https://pcfixguides.com/how-to-effectively-remove-unix-trojan-vali-6606621-0...
It appears to be able to infect Windows and Mac systems, and does look threatening.
Not sure who should look into this, but Arch Security Team seems most applicable. https://wiki.archlinux.org/index.php/Arch_Security_Team
LW
Nobody. What's the point of running a scan of a host from that host itself? And on top of that, the suspected malware has already been executed because you mention a pkg in the cache...

Anyway, a brief Google search reveals that this particular trojan turned up in many distros, so it is most likely a false positive.

Cheers,
--
Leonid Isaev
On Sat, 14 Jul 2018 10:06:36 -0600, Leonid Isaev via arch-general wrote:
Anyway, a brief google search reveals that this particular trojan turned up in many distros, so it is most likely a false positive.
As most, if not all, detected malicious software on Linux hosts. But either way, I would upload it to https://www.clamav.net/reports/fp and additionally I would compare results of different antivirus software, at least by an online scan.

The example was done with systemd-239.0-2-x86_64.pkg.tar.xz, _not_ with the version in your cache:

https://www.virustotal.com/#/file/d3b90812888f5d332d5f087688469ca5d2db701fa1...
On 07/14/2018 11:29 AM, Ralf Mardorf wrote:
On Sat, 14 Jul 2018 10:06:36 -0600, Leonid Isaev via arch-general wrote:
Anyway, a brief google search reveals that this particular trojan turned up in many distros, so it is most likely a false positive.
As most, if not all, detected malicious software on Linux hosts. But either way, I would upload it to https://www.clamav.net/reports/fp and additionally I would compare results of different antivirus software, at least by an online scan. The example was done with systemd-239.0-2-x86_64.pkg.tar.xz, _not_ with the version in your cache:
https://www.virustotal.com/#/file/d3b90812888f5d332d5f087688469ca5d2db701fa1...
There was indeed a string of false positives in the systemd package, e.g.

$ clamscan /var/cache/pacman/pkg/sys*
/var/cache/pacman/pkg/sysfsutils-2.1.0-10-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/sysfsutils-2.1.0-9-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/syslinux-6.03-10-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/sysstat-11.7.3-1-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-238.133-1-x86_64.pkg.tar.xz: Unix.Trojan.Vali-6606621-0 FOUND
/var/cache/pacman/pkg/systemd-238.133-2-x86_64.pkg.tar.xz: Unix.Trojan.Vali-6606621-0 FOUND
/var/cache/pacman/pkg/systemd-238.133-4-x86_64.pkg.tar.xz: Unix.Trojan.Vali-6606621-0 FOUND
/var/cache/pacman/pkg/systemd-238.76-1-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-239.0-2-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-sysvcompat-238.133-1-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-sysvcompat-238.133-2-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-sysvcompat-238.133-4-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-sysvcompat-238.76-1-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-sysvcompat-239.0-2-x86_64.pkg.tar.xz: OK

Submitted to clamav.net as a false-positive report.

--
David C. Rankin, J.D.,P.E.
------- Original Message -------
On July 14, 2018 3:19 PM, LoneVVolf <lonewolf@xs4all.nl> wrote:
On 14-07-18 16:52, David Murray via arch-general wrote:
Greetings,
My nightly full-system ClamAV scan kicked out this last night:
/var/cache/pacman/pkg/systemd-238.133-4-x86_64.pkg.tar.xz: Unix.Trojan.Vali-6606621-0 FOUND
Is this something I should be concerned about?
TIA,
Dave
Is this some sort of joke or a desire to receive attention? There are lots of false positives from antivirus software, especially in the case of Linux. A trojan in a signed systemd package (if true) would have already done (ClamAV found the virus in the 238 version) enormous damage to Arch installations.
https://www.virustotal.com/#/file/1aef694958c06497a8c5e98b0e6914b2a9af48faff...
That shows 2 engines that detect something, Baidu and ClamAV.
https://pcfixguides.com/how-to-effectively-remove-unix-trojan-vali-6606621-0...
It appears to be able to infect Windows and Mac systems, and does look threatening.
This page looks like a fake search site which generates a page according to your request. Look at the deliberately generalized (to fit a random search) and unprofessional language ("ought to rank top in the list of danger", "When it goes into your PC, your security application will caution you that a few bugs are distinguished on your system", "From that point on, blue screen of death will regularly happen", "expects to break down the system security. To begin with, it would release the insurance, and then open the accesses for virus, adware, spyware, browser hijacker, etc." - wtf???, "is fit for controlling documents on your PC. It could unreservedly eliminate them, transform them, and in most of time, it will hijack them" ...)
Is this something I should be concerned about?
No. The Unix.Trojan.Vali-6606621-0 signature is a garbage signature. The signature itself is this:

Unix.Trojan.Vali-6606621-0:6:EP+0:31ed4989d15e4889e24883e4f050544c8d055a050000488d0de3040000488d3d

The string of hex characters after the last colon is the actual 'signature', which for this type of signature is just a hex dump of a portion of the binary. In this case it's the preamble located at the ELF entry point.

This[0] is a dump of the entry point of the 'detected' systemd binary. If you pay attention to the hex characters in the second column you'll see that it matches the hex characters at the end of the signature. Meanwhile this[1] is the same section of code from the current pacman binary. If you look closely you'll find that the only difference is three bytes in the middle of lines 7bff and 7c06. That section of code specifies the addresses that it's comparing against. The only reason all of our binaries don't match it is that the symbols it's comparing against will be put at different addresses by the linker based on what else it has to link.

All-in-all, completely ignore the Unix.Trojan.Vali-6606621-0 signature, it's utterly pointless.

[0]: https://ptpb.pw/1Vuq
[1]: https://ptpb.pw/N67V

--
Sincerely,
  Johannes Löthberg
PGP Key ID: 0x50FB9B273A9D0BB5
PGP Key FP: 5134 EF9E AF65 F95B 6BB1 608E 50FB 9B27 3A9D 0BB5
https://theos.kyriasis.com/~kyrias/
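A way to check Johannes's explanation on your own binaries, added here as an example that is not part of the thread and not ClamAV's own code: it parses the quoted .ndb line, pulls the bytes at an ELF64 file's entry point, and reports whether the only mismatches against the signature sit in the rip-relative lea displacements, i.e. the linker-chosen addresses he describes. DISP_FIELDS comes from decoding the signature bytes as x86-64 instructions; make_elf64 and check_file are assumed helpers, and the ELF that make_elf64 builds is constructed for offline use, not a real systemd or pacman binary.

```python
import struct

# The .ndb signature quoted in the thread: Name:TargetType:Offset:HexSignature
VALI_SIG = ("Unix.Trojan.Vali-6606621-0:6:EP+0:"
            "31ed4989d15e4889e24883e4f050544c8d055a050000488d0de3040000488d3d")
# Pattern offsets of the rip-relative displacements in `lea r8,[rip+..]` (bytes
# 15-21) and `lea rcx,[rip+..]` (bytes 22-28): the linker picks these per binary.
DISP_FIELDS = (range(18, 22), range(25, 29))


def parse_ndb(line):
    """Split one .ndb line; target type 6 is ELF, 'EP+0' anchors at the entry point."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset,
            "pattern": bytes.fromhex(hexsig)}


def elf64_entry_bytes(data, n):
    """n bytes at e_entry of an in-memory LE ELF64, located via its PT_LOAD headers."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian 64-bit ELF")
    e_entry, e_phoff = struct.unpack_from("<QQ", data, 0x18)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == 1 and p_vaddr <= e_entry < p_vaddr + p_filesz:  # PT_LOAD
            start = p_off + (e_entry - p_vaddr)
            return data[start:start + n]
    raise ValueError("entry point lies outside every PT_LOAD segment")


def classify(pattern, entry):
    """Which bytes differ, and do they all fall inside displacement fields?"""
    diffs = [i for i in range(len(pattern)) if i >= len(entry) or pattern[i] != entry[i]]
    only_disp = all(any(i in r for r in DISP_FIELDS) for i in diffs)
    return {"hit": not diffs, "diff_offsets": diffs, "only_displacements": only_disp}


def make_elf64(code, base=0x400000):
    """Constructed minimal ELF64 (one PT_LOAD) whose entry point is `code`; test use only."""
    off = 64 + 56  # code follows the ELF header and the single program header
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, base + off, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, base, base,
                       off + len(code), off + len(code), 0x1000)
    return ehdr + phdr + code


def check_file(path, sig_line=VALI_SIG):
    """Scan one ELF on disk against the signature and classify the result."""
    sig = parse_ndb(sig_line)
    with open(path, "rb") as f:
        return classify(sig["pattern"], elf64_entry_bytes(f.read(), len(sig["pattern"])))
```

A result with "hit" false but "only_displacements" true is the pacman case from the thread: the same crt1 _start prologue linked at different addresses, which is why a fixed-offset hex dump of it is useless as a malware indicator.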
On Jul 14, 2018, at 1:17 PM, Johannes Löthberg via arch-general <arch-general@archlinux.org> wrote:
All-in-all, completely ignore the Unix.Trojan.Vali-6606621-0 signature, it's utterly pointless.
Thanks for the thorough reply, Johannes. I appreciate it.

Dave