You are not logged in.
What is a "dynamic" analysis?
But it's obviously different if there're behavioral analysis leading to the conclusion that something's wrong with the executable that's constantly trying to reach the servers of the ccpd.
Which is what loqs has asked for multiple times, I think.
Exactly.
Offline
What is a "dynamic" analysis?
But it's obviously different if there're behavioral analysis leading to the conclusion that something's wrong with the executable that's constantly trying to reach the servers of the ccpd.
Which is what loqs has asked for multiple times, I think.Then your premise is false - systemd or archlinux or any linux are not "an important piece of software" - certainly not to AV companies.
Here's from 2009 why "OMG the windows explorer (actually relevant to them because it's to the VAST majority of their clients) was falsely detected as virus" doesn't happen (and to give you an idea that this is, at all, not a new problem)
https://blog.nirsoft.net/2009/05/17/ant … evelopers/
And from 2008 where there was a massive problem in critical software and no AV vendor cared, https://www.schneier.com/blog/archives/ … ber_b.htmlAnd lastly, your premise is false again. Twice.
it is at least peculiar. Particularly given the timing
1. the timing would mandate that malicious actors go silent, you'd expect to see the exact opposite except if a bunch of trolls and freaked out users would randomly flag malware with a shotgun
2. this still hinges on the misconception that the virustotal results would provide any relevanceVT runs security checks like phoronix runs benchmarks: semi-opaque, hence not reproducible and with no explanation beyond an aggregated result.
It's (afaict, feel free to prove me wrong) not disclosed what exact scanners (versions, configurations, databases, patches) were used nor what patterns were concerned (the latter being an inherited problem and systematic, as that's "business secret", the former just bad style)
A *literal* result "virus scanner foo says it's bad but virus scanner bar says it's ok" would provide the exact same amount of information: none.
When you have an account, you can either via download or via the api get a per function breakdown (but not per vendor, per function, that they're flagging. If that makes any sense.) Of the file, the specific engine the scan was run on, by vendor. And whether or not it runs, times out, fails to run, or simply matches a blacklist/whitelist (hash matching). They even have a package (ironically written in go) that makes using the api super easy, simply called vt-cli (https://github.com/virustotal/vt-cli). Use of the api is on the basis you trade them an email (i.e creating an account) and don't employ it in a production environment without trading them money as well.
Dynamic analysis is simply throwing the executable into a virtual environment and hitting the equivalent of
! chmod ×x /sketchyfiletoanalyze && ./sktechyfiletoanalyzeand recording, everything. The fact of the matter is most modern malware now takes that as a cost of doing business and will test A. Whether or not it's in a virtualized environment through a litany of different techniques and B. Will query localhost, broadcast, and other networking tips and tricks to see if it's being ran in a data center or not. That's why you'll see so many boilerplate dns requests that seemingly do nothing. They're establishing whether or not the target is a legitimate target environment or whether or not they're being debug'd or analyzed. Dynamic analysis can be anywhere from a couple minutues. To hours long depending on the platform. For instance my tria.ge account runs all samples for a minimum of 30 mins with simulated network traffic and dns requests and even browser traffic or tor traffic to get the file to bite.
Behavorial analysis is slightly different, in it's actually taking a sample on a more professional or scientific setting for decompilation, reverse engineering, or deeper research analysis.
This is all my opinion, and how i understand it, at least.
Offline
https://www.hybrid-analysis.com/sample/ … 10ed066fe6
https://www.hybrid-analysis.com/sample/ … a058041151
https://www.hybrid-analysis.com/sample/ … 2ff500d2ab
I guess you should contact RedHat, RockyLinux and Ubuntu security teams as well since their libsystemd-shared-xxx.so binaries are also matched by the same Yara rules.
They cannot be detected by any AV scans because those files are whitelisted by AV vendors.
Those domains you flagged are just domain popping with the sandbox platform whatever sandboxing you asked for on Hybrid Analysis.
Don't get me wrong, I am not saying there is no malware that infected an Arch package.
But most of your indicators are false positive or are not even indicators of malicious ou suspicious activities.
Don't take anything those platforms says for granted.
If you are looking for something similar as the XZ backdoor, as others already told you, this will not be detected by AV scans or free sandboxing platform.
At the moment, you are probably doing more harm than good to help make sure FOSS are sane.
https://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf
Offline
https://www.hybrid-analysis.com/sample/ … 10ed066fe6
https://www.hybrid-analysis.com/sample/ … a058041151
https://www.hybrid-analysis.com/sample/ … 2ff500d2abI guess you should contact RedHat, RockyLinux and Ubuntu security teams as well since their libsystemd-shared-xxx.so binaries are also matched by the same Yara rules.
They cannot be detected by any AV scans because those files are whitelisted by AV vendors.Those domains you flagged are just domain popping with the sandbox platform whatever sandboxing you asked for on Hybrid Analysis.
Don't get me wrong, I am not saying there is no malware that infected an Arch package.
But most of your indicators are false positive or are not even indicators of malicious ou suspicious activities.
Don't take anything those platforms says for granted.If you are looking for something similar as the XZ backdoor, as others already told you, this will not be detected by AV scans or free sandboxing platform.
At the moment, you are probably doing more harm than good to help make sure FOSS are sane.
https://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf
Giving you the benefit of the doubt; maybe it's changed since you posted, but for one, none of those files are whitelisted and none of them are coming back as clean, either. On hybrid-analysis if a file is whitelisted it shows in the top left of the page. And in the detections column on the list page.
Also, the ubuntu sample was uploaded all the way back in 2022(?). So either they're still using a way outdated binary, or..
And lastly, this isn't even my thread, dude. So your quip about "boy who cried wolf" doesn't land. I've made one thread. One.
Edit: new hashes from libsystemd-core/shared come up clean after today's update.
e5d886b100963714cc0657b6387579a08ab64642315552a8c95859af3fcc38e8 /usr/lib/systemd/libsystemd-core-255.5-1.so
93bae24b4be3127895d72aaeea75a7e73c840ca6243cd1be578d41387d001736 /usr/lib/systemd/libsystemd-shared-255.5-1.so
Last edited by Mrkd1904 (2024-04-24 22:43:56)
Offline
The CentOS sample is the oldest one. The point is, you can probably go back to the Systemd's version 231 (the one introducing libsystemf-shared) and still have libsystemd-shared come up as "suspicious" or "ambiguous" in Hybrid Analysis.
The CentOS and RockyLinux files are tagged as "provided by Linux" on VT. Which shows how little VT care about Linux because for them Redhat is Linux.
Hybrid Analysis is provided by Crowd strike. CrowdStrike Falcon (their famous EDR and EPP-ish solution) cannot even do an AV scan on a Linux host. And CrowdStrike Falcon is considered one of the best out there.
Those tools are not reliable in stating whether linux binaries are sane or not. libsystemd-shared could be infected with backdoor for all we know, and it is certainly not VT or HA or whatever sandboxing platform that will give any kind of meaningful answer about that matter.
I'd rather believe @MS-DTYP, than any AV scans. Even if I don't know @MS-DTYP, and I don't know if they have any real skills in software engineering, malware engineering and reverse engineering.
Offline