[arch-general] ClamAV Flagging systemd package

Johannes Löthberg johannes at kyriasis.com
Sat Jul 14 17:17:27 UTC 2018


> Is this something I should be concerned about?

No.  The Unix.Trojan.Vali-6606621-0 signature is a garbage signature.

The signature itself is this:

  Unix.Trojan.Vali-6606621-0:6:EP+0:31ed4989d15e4889e24883e4f050544c8d055a050000488d0de3040000488d3d

The string of hex characters after the last colon is the actual
'signature' which for this type of signature is just a hex dump of a
portion of the binary.  In this case it's the preamble located at the
ELF entry point.

This[0] is a dump of the entry point of the 'detected' systemd binary.
If you pay attention to the hex characters in the second column you'll
see that it matches the hex characters at the end of the signature.

Meanwhile this[1] is the same section of code from the current pacman
binary.  If you look closely you'll find that the only difference is
three bytes in the middle of lines 7bff and 7c06.  That section of code
specifies the addresses that it's comparing against.  The only reason all
of our binaries don't match it is that the symbols it's comparing
against will be put at different addresses by the linker based on what
else it has to link.

All-in-all, completely ignore the Unix.Trojan.Vali-6606621-0 signature,
it's utterly pointless.

[0]: https://ptpb.pw/1Vuq
[1]: https://ptpb.pw/N67V

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  PGP Key FP: 5134 EF9E AF65 F95B 6BB1  608E 50FB 9B27 3A9D 0BB5
  https://theos.kyriasis.com/~kyrias/
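The check described in the message above, as an added example that is not part of the original post and not ClamAV's own code: a Python script that parses the `.ndb` record (Name:TargetType:Offset:HexSignature), walks the ELF64 program headers to turn `e_entry` into a file offset, and compares the bytes found there with the signature. It also re-runs the comparison with the two `lea` displacements wildcarded, since those are the linker-filled bytes that separate systemd's entry point from pacman's. `NDB_LINE` is copied from the post; the function names, the `build_elf` helper and the two ELF images it builds are mine, and the images are constructed test inputs rather than the real binaries. The offset parser only handles the simple forms (`EP+n`, `EP-n`, `*`, an absolute number); ClamAV's offset syntax has more.

```python
"""Reproduce the post's check: does ClamAV's Unix.Trojan.Vali-6606621-0 hex
signature match the bytes at an ELF binary's entry point, and how much of it
is just the linker-chosen displacements in glibc's x86-64 _start?

Added example, not ClamAV code. Assumes ELF64 little-endian input; the
sample ELF images below are constructed for the test, not real binaries."""
import struct
import sys

# The .ndb record quoted in the post: Name:TargetType:Offset:HexSignature
NDB_LINE = ("Unix.Trojan.Vali-6606621-0:6:EP+0:"
            "31ed4989d15e4889e24883e4f050544c8d055a050000488d0de3040000488d3d")
ELF_TARGET = 6  # ClamAV target type 6 is "ELF"


def parse_ndb(line):
    """Split an .ndb record into (name, target_type, offset_spec, signature_bytes)."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, bytes.fromhex(hexsig)


SIG = parse_ndb(NDB_LINE)[3]  # 32 bytes of x86-64 code

# The signature disassembles to the beginning of glibc's _start:
#   31 ed             xor ebp, ebp
#   49 89 d1          mov r9, rdx
#   5e                pop rsi
#   48 89 e2          mov rdx, rsp
#   48 83 e4 f0       and rsp, -16
#   50 / 54           push rax / push rsp
#   4c 8d 05 <disp32> lea r8,  [rip+disp]   (fini routine in glibc of the time)
#   48 8d 0d <disp32> lea rcx, [rip+disp]   (init routine)
#   48 8d 3d ...      lea rdi, [rip+...]    (main; cut off by the signature)
# Only the two disp32 fields depend on where the linker placed things.
DISPLACEMENT_POSITIONS = set(range(18, 22)) | set(range(25, 29))


def entry_offset(elf):
    """File offset of e_entry, found via the PT_LOAD segment that contains it."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_entry, e_phoff = struct.unpack_from("<QQ", elf, 0x18)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == 1 and p_vaddr <= e_entry < p_vaddr + p_filesz:  # PT_LOAD
            return p_offset + (e_entry - p_vaddr)
    raise ValueError("entry point is not inside any PT_LOAD segment")


def resolve_offset(spec, elf):
    """Turn an .ndb offset field into a file offset; '*' (anywhere) returns None."""
    if spec == "*":
        return None
    if spec.startswith("EP"):
        return entry_offset(elf) + (int(spec[2:]) if len(spec) > 2 else 0)
    return int(spec)


def matches(ndb_line, elf):
    """Plain ClamAV semantics: the exact hex bytes at the resolved offset."""
    _, target, spec, sig = parse_ndb(ndb_line)
    if target != ELF_TARGET:
        return False
    off = resolve_offset(spec, elf)
    return sig in elf if off is None else elf[off:off + len(sig)] == sig


def matches_ignoring(sig, elf, off, ignore=DISPLACEMENT_POSITIONS):
    """The same check with the linker-filled displacement bytes wildcarded."""
    window = elf[off:off + len(sig)]
    return len(window) == len(sig) and all(
        i in ignore or window[i] == sig[i] for i in range(len(sig)))


def differing_positions(a, b):
    """Indices where two equal-length byte strings differ (the post's systemd-vs-pacman diff)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_elf(code, base=0x400000):
    """Constructed minimal ELF64 image: one PT_LOAD, entry point at `code`."""
    code_off = 64 + 56  # ELF header + one program header
    filesz = code_off + len(code)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
            + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, base + code_off,
                          64, 0, 0, 64, 56, 1, 0, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, base, base, filesz, filesz, 0x1000)
    return ehdr + phdr + code


# Constructed inputs: one image carrying the signature bytes verbatim (what the
# flagged systemd looks like at its entry point) and one with different lea
# displacements (a stand-in for any other glibc-linked binary, not pacman's
# real bytes).
FLAGGED = build_elf(SIG)
OTHER_CODE = bytearray(SIG)
OTHER_CODE[18], OTHER_CODE[25], OTHER_CODE[26] = 0x2A, 0xB3, 0x05
NOT_FLAGGED = build_elf(bytes(OTHER_CODE))

if __name__ == "__main__":
    # Usage: python3 vali_check.py /usr/lib/systemd/systemd
    data = open(sys.argv[1], "rb").read()
    off = entry_offset(data)
    print("entry bytes:", data[off:off + len(SIG)].hex())
    print("exact match:", matches(NDB_LINE, data))
    print("match ignoring displacements:", matches_ignoring(SIG, data, off))
```

Run against a real binary, `matches` tells you whether ClamAV's literal comparison would fire; `matches_ignoring` tells you whether the binary is simply another glibc-linked executable whose `_start` happens to have different displacements, which is the point the post makes about pacman.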