Discussion:
ClamAV Flagging systemd package
David Murray via arch-general
2018-07-14 14:52:33 UTC
Greetings,

My nightly full-system ClamAV scan kicked out this last night:

/var/cache/pacman/pkg/systemd-238.133-4-x86_64.pkg.tar.xz: Unix.Trojan.Vali-6606621-0 FOUND

Is this something I should be concerned about?

TIA,
Dave
LoneVVolf
2018-07-14 15:19:29 UTC
Post by David Murray via arch-general
Greetings,
/var/cache/pacman/pkg/systemd-238.133-4-x86_64.pkg.tar.xz: Unix.Trojan.Vali-6606621-0 FOUND
Is this something I should be concerned about?
TIA,
Dave
https://www.virustotal.com/#/file/1aef694958c06497a8c5e98b0e6914b2a9af48faff736fcb42e3855377ee8e19/detection

That shows 2 engines that detect something, Baidu and ClamAV.

https://pcfixguides.com/how-to-effectively-remove-unix-trojan-vali-6606621-0-from-your-computer/

It appears to be able to infect Windows and Mac systems, and does look
threatening.

Not sure who should look into this, but Arch Security Team seems most
applicable.
https://wiki.archlinux.org/index.php/Arch_Security_Team

LW
Giovanni Harting via arch-general
2018-07-14 16:03:04 UTC
Post by LoneVVolf
Post by David Murray via arch-general
Greetings,
Unix.Trojan.Vali-6606621-0 FOUND
Is this something I should be concerned about?
TIA,
Dave
https://www.virustotal.com/#/file/1aef694958c06497a8c5e98b0e6914b2a9af48faff736fcb42e3855377ee8e19/detection
That shows 2 engines that detect something, Baidu and ClamAV.
https://pcfixguides.com/how-to-effectively-remove-unix-trojan-vali-6606621-0-from-your-computer/
It appears to be able to infect Windows and Mac systems, and does look
threatening.
Not sure who should look into this, but Arch Security Team seems most
applicable.
https://wiki.archlinux.org/index.php/Arch_Security_Team
LW
Most likely infected on your system, as the binary package in
archive.archlinux.org seems to be clear:

clamscan systemd-238.51-1-x86_64.pkg.tar.xz
systemd-238.51-1-x86_64.pkg.tar.xz: OK
Ismael Bouya
2018-07-14 16:20:11 UTC
Hi Giovanni,
Post by Giovanni Harting via arch-general
Most likely infected on your system, as the binary package in
clamscan systemd-238.51-1-x86_64.pkg.tar.xz
systemd-238.51-1-x86_64.pkg.tar.xz: OK
You’re not comparing the same file.

I confirm the alert for my own package file taken from a brand new
server (so most likely not infected)

This is probably a false positive though.

Kind regards,
--
Ismael
Leonid Isaev via arch-general
2018-07-14 16:06:36 UTC
Post by LoneVVolf
Post by David Murray via arch-general
Greetings,
/var/cache/pacman/pkg/systemd-238.133-4-x86_64.pkg.tar.xz: Unix.Trojan.Vali-6606621-0 FOUND
Is this something I should be concerned about?
TIA,
Dave
https://www.virustotal.com/#/file/1aef694958c06497a8c5e98b0e6914b2a9af48faff736fcb42e3855377ee8e19/detection
That shows 2 engines that detect something, Baidu and ClamAV.
https://pcfixguides.com/how-to-effectively-remove-unix-trojan-vali-6606621-0-from-your-computer/
It appears to be able to infect Windows and Mac systems, and
does look threatening.
Not sure who should look into this, but Arch Security Team
seems most applicable.
https://wiki.archlinux.org/index.php/Arch_Security_Team
LW
Nobody.

What's the point of running a scan of a host from that host itself? And on top
of that, the suspected malware has already been executed because you mention a
pkg in the cache...

Anyway, a brief google search reveals that this particular trojan turned up
in many distros, so it is most likely a false positive.

Cheers,
--
Leonid Isaev
Ralf Mardorf
2018-07-14 16:29:37 UTC
Post by Leonid Isaev via arch-general
Anyway, a brief google search reveals that this particular trojan
turned up in many distros, so it is most likely a false positive.
As most, if not all detected malicious software on Linux hosts, but,
either way, I would upload it to https://www.clamav.net/reports/fp and
additionally I would compare results of different antivirus software,
at least by an online scan. The example was done with
systemd-239.0-2-x86_64.pkg.tar.xz, _not_ with the version in your
cache:

https://www.virustotal.com/#/file/d3b90812888f5d332d5f087688469ca5d2db701fa14c58d20cbde66526046220/detection
David C. Rankin
2018-07-15 02:59:37 UTC
Post by Ralf Mardorf
Post by Leonid Isaev via arch-general
Anyway, a brief google search reveals that this particular trojan
turned up in many distros, so it is most likely a false positive.
As most, if not all detected malicious software on Linux hosts, but,
either way, I would upload it to https://www.clamav.net/reports/fp and
additionally I would compare results of different antivirus software,
at least by an online scan. The example was done with
systemd-239.0-2-x86_64.pkg.tar.xz, _not_ with the version in your
https://www.virustotal.com/#/file/d3b90812888f5d332d5f087688469ca5d2db701fa14c58d20cbde66526046220/detection
There was indeed a string of false positives in the systemd package, e.g.

$ clamscan /var/cache/pacman/pkg/sys*
/var/cache/pacman/pkg/sysfsutils-2.1.0-10-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/sysfsutils-2.1.0-9-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/syslinux-6.03-10-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/sysstat-11.7.3-1-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-238.133-1-x86_64.pkg.tar.xz:
Unix.Trojan.Vali-6606621-0 FOUND
/var/cache/pacman/pkg/systemd-238.133-2-x86_64.pkg.tar.xz:
Unix.Trojan.Vali-6606621-0 FOUND
/var/cache/pacman/pkg/systemd-238.133-4-x86_64.pkg.tar.xz:
Unix.Trojan.Vali-6606621-0 FOUND
/var/cache/pacman/pkg/systemd-238.76-1-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-239.0-2-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-sysvcompat-238.133-1-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-sysvcompat-238.133-2-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-sysvcompat-238.133-4-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-sysvcompat-238.76-1-x86_64.pkg.tar.xz: OK
/var/cache/pacman/pkg/systemd-sysvcompat-239.0-2-x86_64.pkg.tar.xz: OK

submitted to clamav.net as false-positive report
--
David C. Rankin, J.D.,P.E.
Maksim Fomin via arch-general
2018-07-14 16:56:36 UTC
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Post by LoneVVolf
Post by David Murray via arch-general
Greetings,
/var/cache/pacman/pkg/systemd-238.133-4-x86_64.pkg.tar.xz: Unix.Trojan.Vali-6606621-0 FOUND
Is this something I should be concerned about?
TIA,
Dave
Is this some sort of joke or desire to receive attention? There are lots of false positives from antivirus software, especially in case of linux. Trojan in signed systemd package (if true) would have already done (Clamav found virus in 238 version) enormous damage to arch installations.
Post by LoneVVolf
https://www.virustotal.com/#/file/1aef694958c06497a8c5e98b0e6914b2a9af48faff736fcb42e3855377ee8e19/detection
That shows 2 engines that detect something, Baidu and ClamAV.
https://pcfixguides.com/how-to-effectively-remove-unix-trojan-vali-6606621-0-from-your-computer/
It appears to be able to infect Windows and Mac systems, and does look
threatening.
This page looks like a search fake site which generates page in accordance to your request. Look at deliberate generalized (to fit random search) and unprofessional language ("ought to rank top in the list of danger", "When it goes into your PC, your security application will caution you that a few bugs are distinguished on your system", "From that point on, blue screen of death will regularly happen", "expects to break down the system security. To begin with, it would release the insurance, and then open the accesses for virus, adware, spyware, browser hijacker, etc." - wtf???, "is fit for controlling documents on your PC. It could unreservedly eliminate them, transform them, and in most of time, it will hijack them" ...)
Johannes Löthberg via arch-general
2018-07-14 17:17:27 UTC
Post by David Murray via arch-general
Is this something I should be concerned about?
No. The Unix.Trojan.Vali-6606621-0 signature is a garbage signature.

The signature itself is this:

Unix.Trojan.Vali-6606621-0:6:EP+0:31ed4989d15e4889e24883e4f050544c8d055a050000488d0de3040000488d3d

The string of hex characters after the last colon is the actual
'signature' which for this type of signature is just a hex dump of a
portion of the binary. In this case it's the preamble located at the
ELF entry point.

This[0] is a dump of the entry point of the 'detected' systemd binary.
If you pay attention to the hex characters in the second column you'll
see that it matches the hex characters at the end of the signature.

Meanwhile this[1] is the same section of code from the current pacman
binary. If you look closely you'll find that the only difference is
three bytes in the middle of line 7bff and 7c06. That section of code
specifies the addresses that it's comparing against. The only reason all
of our binaries don't match it is that the symbols it's comparing
against will be put at different addresses by the linker based on what
else it has to link.

All-in-all, completely ignore the Unix.Trojan.Vali-6606621-0 signature,
it's utterly pointless.

[0]: https://ptpb.pw/1Vuq
[1]: https://ptpb.pw/N67V
--
Sincerely,
Johannes Löthberg
PGP Key ID: 0x50FB9B273A9D0BB5
PGP Key FP: 5134 EF9E AF65 F95B 6BB1 608E 50FB 9B27 3A9D 0BB5
https://theos.kyriasis.com/~kyrias/
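The matching Johannes describes, as an added example that is not part of the original thread: it parses the .ndb signature line quoted above, resolves the ELF64 entry point (e_entry, a virtual address) to a file offset through the PT_LOAD headers, and compares the bytes found there with the signature body. The minimal ELF builder and the variant with an altered RIP-relative displacement are constructed test data, not real systemd or pacman binaries, and only plain hex bodies without ClamAV wildcards are handled.

```python
import struct

# ClamAV .ndb body-signature format: Name:TargetType:Offset:HexSignature
# (TargetType 6 = ELF, "EP+0" = match starting at the ELF entry point).
# The signature line is the one quoted in the thread; the ELF builder below is
# constructed test data, not a real systemd or pacman binary.
VALI_SIG = ("Unix.Trojan.Vali-6606621-0:6:EP+0:"
            "31ed4989d15e4889e24883e4f050544c8d055a050000488d0de3040000488d3d")

def parse_ndb(line):
    """Split an .ndb line; only plain hex bodies with EP+n offsets are handled."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    if not offset.startswith("EP+"):
        raise ValueError("only entry-point-relative offsets are supported here")
    return name, int(target), int(offset[3:]), bytes.fromhex(hexsig)

def elf64_entry_offset(data):
    """Map e_entry (a virtual address) to a file offset via the PT_LOAD segments."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    e_entry, e_phoff = struct.unpack_from("<QQ", data, 0x18)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == 1 and p_vaddr <= e_entry < p_vaddr + p_filesz:  # PT_LOAD
            return e_entry - p_vaddr + p_offset
    raise ValueError("entry point is not inside a PT_LOAD segment")

def sig_matches(line, data):
    """True if the signature bytes appear at EP+offset of the ELF image."""
    _, _, off, pattern = parse_ndb(line)
    start = elf64_entry_offset(data) + off
    return data[start:start + len(pattern)] == pattern

def make_elf64(entry_code, base=0x400000):
    """Constructed minimal x86-64 ELF: one PT_LOAD covering the file, code at 0x80."""
    size = 0x80 + len(entry_code)
    ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                       2, 0x3E, 1, base + 0x80, 0x40, 0, 0, 0x40, 0x38, 1, 0x40, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, base, base, size, size, 0x1000)
    return ehdr + phdr + b"\0" * 8 + entry_code

def demo():
    """Same glibc _start prologue, but with a different RIP-relative displacement
    in the first lea (bytes 18..21), as the linker emits for another binary."""
    pattern = parse_ndb(VALI_SIG)[3]
    other = pattern[:18] + (0x641).to_bytes(4, "little") + pattern[22:]
    return sig_matches(VALI_SIG, make_elf64(pattern)), sig_matches(VALI_SIG, make_elf64(other))
```

The first result shows that any binary whose linker happened to place those symbols at the same displacements hits the signature; the second shows why a differently linked binary with the identical prologue does not.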
David Murray via arch-general
2018-07-14 19:22:37 UTC
Post by Johannes Löthberg via arch-general
All-in-all, completely ignore the Unix.Trojan.Vali-6606621-0 signature,
it's utterly pointless.
Thanks for the thorough reply, Johannes. I appreciate it.

Dave