Description of problem:
Malware detected in EPEL8 package

Version-Release number of selected component (if applicable):
8

How reproducible:
Always

Steps to Reproduce:
1. Enable EPEL8 as repo
2. Sync
3. Wait for error in satellite

Actual results:
Get error from zscaler for trojan.YVCM-7

Expected results:

Additional info:
Pkg link: http://ftp.nluug.nl/pub/os/Linux/distr/epel/8/Everything/x86_64/Packages/l/libemu-0.2.0-13.20130410gitab48695.el8.x86_64.rpm. Get the same result with other mirrors.
This package has changed maintainer in the Fedora. Reassigning to the new maintainer of this component.
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Please can you be more specific: which antivirus engine made this detection? Which file? The library itself (libemu.so.2.0.0) or the shell code test (sctest)? Libemu is focused on analyzing binary shell codes, such as exploit payloads. I can imagine that some AV might mis-fire on the procedure names being looked for. But the binary package does not even contain the examples. So I guess this is a false positive.
RPM package 16/60:
https://www.virustotal.com/gui/file/b3cb077b2fa42773369df37c52f42fbec3bf238cb11cc5f45936ce80cc570b1e/detection

The library and shell-code profiler seem to be OK, 0/60:
https://www.virustotal.com/gui/file/dd1448f427c7023abae6f2f218f51fd51bf393a442e7d39b02087d03b8a443e7/detection
https://www.virustotal.com/gui/file/266bd6e867c8088fca95b22f2da16fa8f1398f0d0a300a7215fc0d6ce240417a/details

The binary detected as malware is the sctest, 18/60:
https://www.virustotal.com/gui/file/fadbc6f0f5d486b1179982068e17fa155d47d9455265d624890c1f25bcda144d/detection

I believe this is a false positive detection, probably just based on the strings of function calls.
Binaries included in the rpm packages from the mirror and from the koji package are binary-identical, so there was no compromise of the distribution:

    $ sha256sum mirror/* koji/* | sort
    266bd6e867c8088fca95b22f2da16fa8f1398f0d0a300a7215fc0d6ce240417a  koji/libemu.so.2.0.0
    266bd6e867c8088fca95b22f2da16fa8f1398f0d0a300a7215fc0d6ce240417a  mirror/libemu.so.2.0.0
    dd1448f427c7023abae6f2f218f51fd51bf393a442e7d39b02087d03b8a443e7  koji/scprofiler
    dd1448f427c7023abae6f2f218f51fd51bf393a442e7d39b02087d03b8a443e7  mirror/scprofiler
    fadbc6f0f5d486b1179982068e17fa155d47d9455265d624890c1f25bcda144d  koji/sctest
    fadbc6f0f5d486b1179982068e17fa155d47d9455265d624890c1f25bcda144d  mirror/sctest
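The comparison above (mirror copy versus the koji build, file by file) is the check that separates "AV false positive" from "tampered mirror". As an added example that is not part of this bug report or of the libemu project, the following Python script performs the same check in a reusable way: it parses a `sha256sum`-format manifest taken from the trusted build and reports, for a directory of files fetched from a mirror, which files match, which differ, which are missing and which the build never shipped. All file names and contents in `demo()` are constructed fixtures, not data from the package.

```python
"""Verify files fetched from a mirror against a trusted build's sha256sum manifest."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large payloads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_sha256sum(text):
    """Parse `sha256sum` output ("<hex>  <path>") into {basename: hex}.

    Paths are reduced to their basename so a manifest built as `sha256sum koji/*`
    can be checked against the same files unpacked into another directory.
    A leading '*' (sha256sum's binary-mode marker) on the path is dropped.
    """
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        hexdigest, _, path = line.partition(" ")
        path = path.strip().lstrip("*")
        if len(hexdigest) != 64 or not path:
            raise ValueError(f"malformed sha256sum line: {line!r}")
        manifest[os.path.basename(path)] = hexdigest.lower()
    return manifest


def verify_directory(manifest, directory):
    """Compare every manifest entry against the same-named file in `directory`.

    Returns {name: "match" | "mismatch" | "missing"}; files present in the
    directory but absent from the manifest are reported as "unexpected".
    """
    directory = Path(directory)
    report = {}
    for name, expected in manifest.items():
        candidate = directory / name
        if not candidate.is_file():
            report[name] = "missing"
        elif sha256_file(candidate) == expected:
            report[name] = "match"
        else:
            report[name] = "mismatch"
    for entry in directory.iterdir():
        if entry.is_file() and entry.name not in manifest:
            report[entry.name] = "unexpected"
    return report


def demo():
    """Constructed fixture (hypothetical contents): a trusted 'koji' tree and a
    'mirror' copy with one intact file, one tampered file, one missing file and
    one file the build never shipped."""
    with tempfile.TemporaryDirectory() as tmp:
        koji = Path(tmp) / "koji"
        mirror = Path(tmp) / "mirror"
        koji.mkdir()
        mirror.mkdir()
        payload = {
            "libemu.so.2.0.0": b"constructed library bytes\n",
            "scprofiler": b"constructed profiler bytes\n",
            "sctest": b"constructed sctest bytes\n",
        }
        for name, data in payload.items():
            (koji / name).write_bytes(data)
        # Manifest in the exact shape `sha256sum koji/*` prints.
        manifest_text = "\n".join(f"{sha256_file(koji / n)}  koji/{n}" for n in payload)
        (mirror / "libemu.so.2.0.0").write_bytes(payload["libemu.so.2.0.0"])  # intact copy
        (mirror / "sctest").write_bytes(payload["sctest"] + b"tampered")       # altered copy
        (mirror / "README").write_bytes(b"not in the manifest\n")              # unexpected file
        # scprofiler is deliberately not copied to the mirror -> reported missing
        return verify_directory(parse_sha256sum(manifest_text), mirror)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
```

In practice the manifest would be produced once from the koji-built RPM contents and kept with the build record; any "mismatch" or "unexpected" result on a mirror is the signal that warrants a real investigation, whereas an AV hit on a file that reports "match" points back at the scanner's signature, as in this bug.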
The sctest indeed contains various shell codes for testing (libemu/tools/sctest/tests.c):

    $ sctest -l
    0 ) win32_bind - EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
    1 ) win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com
    2 ) win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
    3 ) win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
    4 ) win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=ShikataGaNai http://metasploit.com
    5 ) win32_bind - EXITFUNC=seh LPORT=4444 Size=349 Encoder=JmpCallAdditive http://metasploit.com
    6 ) win32_reverse - EXITFUNC=seh LHOST=216.75.15.231 LPORT=4321 Size=287 Encoder=None http://metasploit.com
    7 ) win32_downloadexec - URL=http://nepenthes.mwcollect.org/bad.exe Size=378 Encoder=None http://metasploit.com
    8 ) win32_exec - EXITFUNC=seh CMD=cmd -c ftp.exe -s foo.scripted_sequence; echo der fox hat die gans gezogen Size=205 Encoder=None http://metasploit.com
    9 ) some old dcom shellcode
    10) brihgtstor discovery
    11) amberg
    12) lindau - linkbot connectback version
    13) bremen - linkbot bind version
    14) halle - filetransferr via csend
    15) tills neuer
    16) win32_bind pex & ./clet -S win32_bind_pex -b 50 -t -B -c -f ../spectrum/stat2 -a -n 123
    17) clet decoded nop slide (144 0x90 decoded with ./clet -S 144nop -b 50 -t -B -c -f ../spectrum/stat2 -a -n 123)
    18) the hackers choice realplayer 8 exploit
    19) win32_bind_vncinject - VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=287 Encoder=None http://metasploit.com
    20) windows/vncinject/reverse_tcp - 177 bytes (stage 1) http://www.metasploit.com DisableCourtesyShell=false, VNCHOST=127.0.0.1, VNCPORT=5900, EXITFUNC=seh, DLL=/tmp/framework-3.0/data/vncdll.dll, LPORT=4444, LHOST=192.168.53.20, AUTOVNC=true
    21) till sein lsass dump
    22) bindshell::schoenborn
    23) sqlslammer
    24) linux bindshell
    25) Windows bindshell 0.0.0.0:8594 - tried exploit PNP_QueryResConfList/MS05-39
    26) Windows bind filetransfer 0.0.0.0:38963 - tried to exploit DsRolerUpgradeDownlevelServer/MS04-11
    27) libemu dos
    28) windows/shell_bind_tcp AutoRunScript=, EXITFUNC=process, InitialAutoRunScript=, LPORT=4444, RHOST= http://www.metasploit.com
    29) crash in loadlibrary
    30) crash in fwrite
    31) crash in lwrite/hwrite
    32) crash in malloc
    33) crash in send
    34) crash in execve

It can be used to test the libemu solution like:

    # Generate test case #10 to stdout
    sctest -vvv -d 10 | \
    # Process the shell-code buffer with libemu and flag suspicious calls.
    sctest -gvS -s 10000000

Sample output:

    verbose = 1
    success offset = 0x0000001a
    Hook me Captain Cook!
    userhooks.c:132 user_hook_ExitThread
    ExitThread(4712)
    stepcount 271867
    HMODULE LoadLibraryA (
         LPCTSTR lpFileName = 0x00416fc6 =>
               = "ws2_32";
    ) =  0x71a10000;
    int WSAStartup (
         WORD wVersionRequested = 257;
         LPWSADATA lpWSAData = 4288054;
    ) =  0;
    SOCKET WSASocket (
         int af = 2;
         int type = 1;
         int protocol = 0;
         LPWSAPROTOCOL_INFO lpProtocolInfo = 0;
         GROUP g = 0;
         ...
         DWORD dwFlags = 0;
    ) =  66;
    int connect (
FEDORA-2021-02f075bee0 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-02f075bee0
FEDORA-EPEL-2021-947be1db28 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-947be1db28
FEDORA-EPEL-2021-2af4b80a8d has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-2af4b80a8d
Package rebuilt without the test cases, which kind of cripples the sctest utility; on the other hand it should clear off the false positive detections of being a trojan. In case somebody needs the test cases it is possible to download the srpm from koji and rebuild locally with the test cases:

    wget https://kojipkgs.fedoraproject.org//packages/libemu/0.2.0/19.20130410gitab48695.el8/src/libemu-0.2.0-19.20130410gitab48695.el8.src.rpm
    rpmbuild --rebuild libemu-0.2.0-19.20130410gitab48695.el8.src.rpm --with testcases

Antivirus scan of the disabled package should be fine:
https://www.virustotal.com/gui/url/0457b6a2b7248078639f4adaa2109fcf08074b170a940ea7092ecca2e0b690ea/detection

Best regards
Michal Ambroz
FEDORA-2021-02f075bee0 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command:

    sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-02f075bee0

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-02f075bee0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2021-947be1db28 has been pushed to the Fedora EPEL 7 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-947be1db28 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2021-2af4b80a8d has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-2af4b80a8d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-02f075bee0 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2021-2af4b80a8d has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2021-947be1db28 has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days.