You are not logged in.

#26 2024-04-22 15:46:59

MS-DTYP
Member
Registered: 2020-05-01
Posts: 30

Re: Have I been hacked?

NewArchUser0001 wrote:
MS-DTYP wrote:

I've taken a look into "kmod" with a disassembler and the file looks like an ordinary "kmod" to me. Of course, I can't speak for every byte.

Regarding Go, detecting Go files as viruses is quite normal for antivirus software, it's just the way it is.

And yet previous versions of the same files are clean?

I just have checked 9b48ba4164098171c6d6c7921c0483041b10e4fed58b3eb330e190fcf68879fc, I can't speak for any other file. I even don't have access to any other kmod.

My kmod is also 9b48ba4164098171c6d6c7921c0483041b10e4fed58b3eb330e190fcf68879fc, and I just have installed Arch. Likely it's clean. If this were not so, it would have been in the news long ago.

Last edited by MS-DTYP (2024-04-22 15:53:55)

Offline

#27 2024-04-22 16:47:06

NewArchUser0001
Member
Registered: 2024-03-29
Posts: 15

Re: Have I been hacked?

MS-DTYP wrote:
NewArchUser0001 wrote:
MS-DTYP wrote:

I've taken a look into "kmod" with a disassembler and the file looks like an ordinary "kmod" to me. Of course, I can't speak for every byte.

Regarding Go, detecting Go files as viruses is quite normal for antivirus software, it's just the way it is.

And yet previous versions of the same files are clean?

I just have checked 9b48ba4164098171c6d6c7921c0483041b10e4fed58b3eb330e190fcf68879fc, I can't speak for any other file. I even don't have access to any other kmod.

My kmod is also 9b48ba4164098171c6d6c7921c0483041b10e4fed58b3eb330e190fcf68879fc, and I just have installed Arch. Likely it's clean. If this were not so, it would have been in the news long ago.

Like i mentioned in a previous post, the version before the one you dissembled does come back as clean and unfortunately Virus Total as far as i can tell doesn't seem to have a history option to it where you can see if something was flagged and then those flags got cleared for previous versions of a program that would be helpful as well. I would also be skeptical of whats going to make it into the news as the XZ exploit showed, that all happened under the radar and if it wasn't for the Microsoft Dev noticing some issues who knows how far that would have made it into other distro's and the effect of that if exploited a few years from now once it got into everything.

Its great that OPEN source software means people can look at the code but how many people have a security skill set where they can check out loads of packages that are being updated all the time and spot cleverly hidden malicious code. A group of security experts would have issues just keeping up with the arch updates that come in ALL the time let alone whats going on in all the other distro's out there as well.

Offline

#28 2024-04-22 17:23:45

loqs
Member
Registered: 2014-03-06
Posts: 17,974

Re: Have I been hacked?

NewArchUser0001 wrote:

Its great that OPEN source software means people can look at the code but how many people have a security skill set where they can check out loads of packages that are being updated all the time and spot cleverly hidden malicious code. A group of security experts would have issues just keeping up with the arch updates that come in ALL the time let alone whats going on in all the other distro's out there as well.

Which is true irrespective of the the scan results.  Can you find anyone that you consider a security expect that is interested in the scan results?  Can you point to anything in the source or build process of any package that should be changed?

Offline

#29 2024-04-22 17:52:31

NewArchUser0001
Member
Registered: 2024-03-29
Posts: 15

Re: Have I been hacked?

loqs wrote:
NewArchUser0001 wrote:

Its great that OPEN source software means people can look at the code but how many people have a security skill set where they can check out loads of packages that are being updated all the time and spot cleverly hidden malicious code. A group of security experts would have issues just keeping up with the arch updates that come in ALL the time let alone whats going on in all the other distro's out there as well.

Which is true irrespective of the the scan results.  Can you find anyone that you consider a security expect that is interested in the scan results?  Can you point to anything in the source or build process of any package that should be changed?

Anyone that i have seen in the past that has software and is pushing out updates or selling software on (windows machines) if they know about Virus Total then they know people check software with it and there for if something is tripping up VT and they are getting a lot of detection's they will look into why they are getting those detection's and if they can fix them.

I had a case where a website i maintain showed up with only 1 VT detection on a scan and it was enough to get me to get in touch with the people who made the scan and get them to clear the scan. I was 100% certain the scan was a false positive and that was only because i knew what was on the server and the fact nothing had changed on it in years so it was highly likely their scanner was wrong and it turned out they were and they had it cleared in hours.

Like i said in the beginning of this thread i also think the files maybe clean however, when you see 14 detection's on 3 different files and all of them were the most current builds pushed from official repos that makes you take pause and maybe there is something more to this.

I'm also not a developer nor a package maintainer if i had those skill sets i would have dug down further into detail on this to see what the issue is. However those who did build the packages i'm sure they might have some idea of what might be triggering these detection's and if we knew what the issue was they could say not worry about it and we move on, the lack of information is what makes people wonder about these sorts of things and whether or not there is even a issue here.

Offline

#30 2024-04-22 18:05:02

loqs
Member
Registered: 2014-03-06
Posts: 17,974

Re: Have I been hacked?

NewArchUser0001 wrote:

I'm also not a developer nor a package maintainer if i had those skill sets i would have dug down further into detail on this to see what the issue is. However those who did build the packages i'm sure they might have some idea of what might be triggering these detection's and if we knew what the issue was they could say not worry about it and we move on, the lack of information is what makes people wonder about these sorts of things and whether or not there is even a issue here.

You can report an issue on Arch's gitlab instance.  Mrkd1904 has previously stated they already contacted the Arch security team,  the maintainers of the systemd package,  systemd upstream and the providers of each scanner that reported a detection and has not reported any response for a similar detection against that package.  You can do like wise. You can also submit the file to any scanner that does not detect it with an explanation you believe it is infected.

Offline

#31 2024-04-22 19:42:51

NewArchUser0001
Member
Registered: 2024-03-29
Posts: 15

Re: Have I been hacked?

loqs wrote:
NewArchUser0001 wrote:

I'm also not a developer nor a package maintainer if i had those skill sets i would have dug down further into detail on this to see what the issue is. However those who did build the packages i'm sure they might have some idea of what might be triggering these detection's and if we knew what the issue was they could say not worry about it and we move on, the lack of information is what makes people wonder about these sorts of things and whether or not there is even a issue here.

You can report an issue on Arch's gitlab instance.  Mrkd1904 has previously stated they already contacted the Arch security team,  the maintainers of the systemd package,  systemd upstream and the providers of each scanner that reported a detection and has not reported any response for a similar detection against that package.  You can do like wise. You can also submit the file to any scanner that does not detect it with an explanation you believe it is infected.

As i said in previous post i don't know if these files are infected or not but the fact it triggered so many positive hits on VT is what got my attention and i believe that's the same way Mrkd1904 is looking at it as well. I went back and looked at his posts and he has found this VT issue with other files then the three that we started with in this thread so that's a total of 6 files now that i have on my machine with more then a dozen+ hits each on VT.

Mrkd1904 if you here back from any of the virus scanners from VT be sure to post here as to what the results were.

On a side note here, is there a way to pull down the hash of a file from arch Repos? This way you could know that your 100% dealing with the same file that's on the Arch Repos.

Offline

#32 2024-04-22 20:22:48

loqs
Member
Registered: 2014-03-06
Posts: 17,974

Re: Have I been hacked?

NewArchUser0001 wrote:

I went back and looked at his posts and he has found this VT issue with other files then the three that we started with in this thread so that's a total of 6 files now that i have on my machine with more then a dozen+ hits each on VT.

Which leads on to https://bbs.archlinux.org/viewtopic.php … 1#p2165551 at least four different families of malware and a cryptominer all infecting a single shared library and if you follow the otx link you can add the CVEs for two Ubuntu only kernel exploits to the list of issues with the library.

Offline

#33 2024-04-22 22:28:55

Mrkd1904
Member
Registered: 2023-11-08
Posts: 63

Re: Have I been hacked?

NewArchUser0001 wrote:
loqs wrote:
NewArchUser0001 wrote:

I'm also not a developer nor a package maintainer if i had those skill sets i would have dug down further into detail on this to see what the issue is. However those who did build the packages i'm sure they might have some idea of what might be triggering these detection's and if we knew what the issue was they could say not worry about it and we move on, the lack of information is what makes people wonder about these sorts of things and whether or not there is even a issue here.

You can report an issue on Arch's gitlab instance.  Mrkd1904 has previously stated they already contacted the Arch security team,  the maintainers of the systemd package,  systemd upstream and the providers of each scanner that reported a detection and has not reported any response for a similar detection against that package.  You can do like wise. You can also submit the file to any scanner that does not detect it with an explanation you believe it is infected.

As i said in previous post i don't know if these files are infected or not but the fact it triggered so many positive hits on VT is what got my attention and i believe that's the same way Mrkd1904 is looking at it as well. I went back and looked at his posts and he has found this VT issue with other files then the three that we started with in this thread so that's a total of 6 files now that i have on my machine with more then a dozen+ hits each on VT.

Mrkd1904 if you here back from any of the virus scanners from VT be sure to post here as to what the results were.

On a side note here, is there a way to pull down the hash of a file from arch Repos? This way you could know that your 100% dealing with the same file that's on the Arch Repos.

We're actually up to 17 detections on libsystemd-shared at current. So we're trending in the wrong direction.

Unfortunately, no update. From anyone, yet. The fact of the matter is i'm not a security researcher in profession so getting ahold of the correct people via the correct channels at companies such as Google, Microsoft, AlibabaCloud, etc is something that either A. Takes time, which i'm aware of and allowing, or B. Something that i'm unexperienced with, and therefor uneffective, C. The vendors truly don't care, or D. Any mixture of them.

I'm still waiting to hear from Arch's security team, but going off of previous posts here in the forum it was advised to give it a week, and even after the week if you don't hear anything it's likely a non issue or not that much of a security threat to begin with.

Reaching out to any of the systemd maintainers has proved challenging. As i'm not on the mailing list and i've been gun shy about creating an issue on github for a litany of different reasons. Discretion and the overall rejection of this as overblown being a couple. Not only that but i lack the technological skillset to effectively communicate things i find, or even to know whether or not they are "things" being "found" at all.

I spent a large portion of the weekend reading the documentation on systemd after i kept getting errors within ghidra trying to decompile and debug libsystemd to isolate what may be tripping the detections and which functions are being flagged. But again, i'm still parsing what may be "normal" and "abnormal". So, it's a process.

What i can say as fact is with today's updates to the kernel and python my instance shed well over 150+MB'S net on the upgrades.. i'm not sure if that's normal frankly, but my intuition tells me it's not.

So as of yet, no update. From any of the vendors, anyone maintaining systemd, or any of the independent researchers that have signalled they're taking a look. The most promising is the couple of researchers who did say in one way shape or form that they'll "take a peek". Which, in my book is something.

I'll post here and my thread if or when i get an update.

Edit: has anyone looked into this?? https://www.bleepingcomputer.com/news/s … e-hosting/

Last edited by Mrkd1904 (2024-04-22 22:59:06)

Offline

#34 2024-04-22 23:39:15

NewArchUser0001
Member
Registered: 2024-03-29
Posts: 15

Re: Have I been hacked?

Mrkd1904 Thank you for taking the time out to do this work to see what the issue might be if there is one.

I don't envy you on the dissembler part of things, I have seen Ghidra in use by some Youtubers who are pretty hard core programmers and even them guys scratch their heads trying to figure Ghidra out. The Microsoft Dev who rang the bell on the XZ issues wasn't a security researcher either but yet he was able to put together the whole story as to what the exploit was trying to do etc etc so its good to have people around that are not willing to brush things off and instead they want some answers as to why they are seeing what they're seeing.

I don't know how much faith i would put into this but the Linuxfoundation says they take OSS seriously, maybe someone there could point you in the right direction i believe they have a security e-mail address..

security@linuxfoundation.org

They should be fairly well connected to the big players or at least one would think so, I can imagine getting a hold of Microsoft or Google for that matter since those two have also detected issues with the programs you mentioned will be quite the task but hopefully that won't be the case.

Offline

#35 2024-04-23 00:08:57

Mrkd1904
Member
Registered: 2023-11-08
Posts: 63

Re: Have I been hacked?

NewArchUser0001 wrote:

Mrkd1904 Thank you for taking the time out to do this work to see what the issue might be if there is one.

I don't envy you on the dissembler part of things, I have seen Ghidra in use by some Youtubers who are pretty hard core programmers and even them guys scratch their heads trying to figure Ghidra out. The Microsoft Dev who rang the bell on the XZ issues wasn't a security researcher either but yet he was able to put together the whole story as to what the exploit was trying to do etc etc so its good to have people around that are not willing to brush things off and instead they want some answers as to why they are seeing what they're seeing.

I don't know how much faith i would put into this but the Linuxfoundation says they take OSS seriously, maybe someone there could point you in the right direction i believe they have a security e-mail address..

security@linuxfoundation.org

They should be fairly well connected to the big players or at least one would think so, I can imagine getting a hold of Microsoft or Google for that matter since those two have also detected issues with the programs you mentioned will be quite the task but hopefully that won't be the case.


Shooting an email to them now - thanks for the tip.

And don't mention it. The fact is the data is telling us one thing. And data, albeit sometimes midirected or misinterpeted, doesn't lie. So finding a resolution to this either way is, i believe, in everyone's best interest.

Offline

#36 2024-04-23 00:09:29

loqs
Member
Registered: 2014-03-06
Posts: 17,974

Re: Have I been hacked?

Mrkd1904 wrote:

What i can say as fact is with today's updates to the kernel and python my instance shed well over 150+MB'S net on the upgrades.. i'm not sure if that's normal frankly, but my intuition tells me it's not.

The python updates are preparation for the python 3.12 major update if you do not have testing enabled or the major update itself if you do.

Were you able to determine the source of the matches from the YARAs?  Have you tried requesting help from the YARA authors?

Offline

#37 2024-04-23 00:59:35

Mrkd1904
Member
Registered: 2023-11-08
Posts: 63

Re: Have I been hacked?

loqs wrote:
Mrkd1904 wrote:

What i can say as fact is with today's updates to the kernel and python my instance shed well over 150+MB'S net on the upgrades.. i'm not sure if that's normal frankly, but my intuition tells me it's not.

The python updates are preparation for the python 3.12 major update if you do not have testing enabled or the major update itself if you do.

Were you able to determine the source of the matches from the YARAs?  Have you tried requesting help from the YARA authors?

Yara's actually been the easiest to work with. And prints a gang of fopen, open, unlink, opendir, readdir, accept, ACCEPT, Accept functions with prefixes: $a, $c, $g, $j, $k, $c0, and $f as the functions for ldpreload, rooter, and now spyeye as well as the corresponding memory addresses. And no, as yara seems to be working just fine.

The command i'm running to see the above is

/usr/bin/yara path/to/rules -rwms -p 4 /usr/lib/systemd/libsystemd-core-255.4.2.so

If we're in consensus that this is something that not sensitive I can try and start opening issues on all the aforormentioned gitbubs and gitlabs. But, i'm easily out of my league here. So any support would be more than appreciated.

@NewArchLinuxUser0001 - no dice on the mailing list, but i did CC Arch's security team so at the very least they should now have a second email. The error i'm getting is "account (email@myemail.com) is disabled. Which i'm assuming is because i'm not on the mailing list. Same happens for systemd-security@redhat.com

Edit:@loq - is it normal for there to be a net loss of bytes on large updates like that? Like on the scale of 100's of megabytes.

Edit 2: fuck it. Just bit my lip and opened an issue on systemd's github

https://github.com/systemd/systemd/issues/32421

Last edited by Mrkd1904 (2024-04-23 01:18:20)

Offline

#38 2024-04-23 01:46:30

loqs
Member
Registered: 2014-03-06
Posts: 17,974

Re: Have I been hacked?

Mrkd1904 wrote:

And no, as yara seems to be working just fine.

I meant the author of the YARA rules that detect libsystemd-core-255.4.2.so to see if they believe it is a false positive or correct identification.
Edit2:
The YARA rule is detecting SpyEye not Casdet, Lightaidra, Mirai,  Py.Trojan.NecroBot or Sakura?

Mrkd1904 wrote:

Edit:@loq - is it normal for there to be a net loss of bytes on large updates like that? Like on the scale of 100's of megabytes.

I can not think of a general explanation for such a loss.

Last edited by loqs (2024-04-23 02:15:06)

Offline

#39 2024-04-23 02:17:42

Mrkd1904
Member
Registered: 2023-11-08
Posts: 63

Re: Have I been hacked?

loqs wrote:
Mrkd1904 wrote:

And no, as yara seems to be working just fine.

I meant the author of the YARA rules that detect libsystemd-core-255.4.2.so to see if they believe it is a false positive or correct identification.
Edit2:
The YARA rule is detecting SpyEye not Casdet, Lightaidra, Mirai,  Py.Trojan.NecroBot or Sakura?

Mrkd1904 wrote:

Edit:@loq - is it normal for there to be a net loss of bytes on large updates like that? Like on the scale of 100's of megabytes.

I can not think of a general explanation for such a loss.

Correct - but, i'm not entirely sure the linux versions of the above said malwares are in the yara-rules/rules repo. Let me take a look.

Edit: gafgyt is, but the most recent rule is from 2017. Mirai is as well, also latest update being from 2017. Sakura is not, at all. Neither is Necrobot, or lightaidra. Casdet i've yet to find a yara rule for. Let me see if i cant dredge one up.

Edit 2: only one i can find on github is from elastic, and is for a cryptominer, not a RAT. Will take a swing at it in the morning. If you're so inclined you can paste it into virustotal's search function and see what comes up.

https://github.com/elastic/protections- … Casdet.yar

Btw - loq, i appreciate all the help. It honestly means a lot.

Last edited by Mrkd1904 (2024-04-23 02:31:20)

Offline

#40 2024-04-23 03:39:55

loqs
Member
Registered: 2014-03-06
Posts: 17,974

Re: Have I been hacked?

Is the ldpreload yara this one that will match any binary that uses (dlopen or dlysym) and any five from a list of file and network functions (many of which are common)?

rule ldpreload
{
        meta:
                author="xorseed"
                reference= "https://stuff.rop.io/"
	strings:
		$a = "dlopen" nocase ascii wide
		$b = "dlsym" nocase ascii wide
		$c = "fopen" nocase ascii wide
		$d = "fopen64" nocase ascii wide
		$e = "__fxstat" nocase ascii wide
		$f = "__fxstat64" nocase ascii wide
		$g = "accept" nocase ascii wide
		$h = "__lxstat" nocase ascii wide
		$i = "__lxstat64" nocase ascii wide
		$j = "open" nocase ascii wide
		$k = "rmdir" nocase ascii wide
		$l = "__xstat" nocase ascii wide
		$m = "__xstat64" nocase ascii wide
		$n = "unlink" nocase ascii wide
		$o = "unlikat" nocase ascii wide
		$p = "fdopendir" nocase ascii wide
		$q = "opendir" nocase ascii wide
		$r = "readdir" nocase ascii wide
		$s = "readdir64" nocase ascii wide
	condition:
		($a or $b) and 5 of them
}

Offline

#41 2024-04-23 09:17:51

Koatao
Member
Registered: 2018-08-30
Posts: 98

Re: Have I been hacked?

For libsystemd-shared-255.4-2.so, there is still nothing that has been showed hinting towards malicious behavior.
The Hybrid Analysis report is based on 3 indicators (1 malicious and 2 suspicious) which are false positive.
- 1 Yara rule matching for Mirai: it is very very very unlikely that an APT infected libsystemd-shared with Mirai (do your research on what Mirai is).
- 1 Yara rule matching for LDPREOLOAD Backdoor: I believe it is the rule that @logs is referring to, and according to the source code of Systemd, you cannot use this rule as indicator It will always match Systemd.
- 1 suspicious domain which is "archive.ubuntu.com": No comment

VirusTotal is not proof. Someone commented on the VT with this link: https://tria.ge/240417-v89s1sac5x.
They use the fact that tria.ge detected it as malicious on a Windows 11 VM to vote the file as malicious. They have no clue about what the file is and the context around it.

I see that some guys here a jumping to conclusion as soon as there is anything indicating it is malicious (without any proof).
But ignoring all the things indicating that it is sane.
The weird investigation going on here is biased from the beginning.

There is no strange behavior suggesting Systemd (as a package) is compromised, there is no logs showing compromission, there is no analysis showing malicious code.
There is literally nothing.

The community cannot spend hours on every file triggering detection on VT or other similar platform.

Last edited by Koatao (2024-04-23 09:20:21)

Offline

#42 2024-04-23 09:37:08

Mrkd1904
Member
Registered: 2023-11-08
Posts: 63

Re: Have I been hacked?

Koatao wrote:

For libsystemd-shared-255.4-2.so, there is still nothing that has been showed hinting towards malicious behavior.
The Hybrid Analysis report is based on 3 indicators (1 malicious and 2 suspicious) which are false positive.
- 1 Yara rule matching for Mirai: it is very very very unlikely that an APT infected libsystemd-shared with Mirai (do your research on what Mirai is).
- 1 Yara rule matching for LDPREOLOAD Backdoor: I believe it is the rule that @logs is referring to, and according to the source code of Systemd, you cannot use this rule as indicator It will always match Systemd.
- 1 suspicious domain which is "archive.ubuntu.com": No comment

VirusTotal is not proof. Someone commented on the VT with this link: https://tria.ge/240417-v89s1sac5x.
They use the fact that tria.ge detected it as malicious on a Windows 11 VM to vote the file as malicious. They have no clue about what the file is and the context around it.

I see that some guys here a jumping to conclusion as soon as there is anything indicating it is malicious (without any proof).
But ignoring all the things indicating that it is sane.
The weird investigation going on here is biased from the beginning.

There is no strange behavior suggesting Systemd (as a package) is compromised, there is no logs showing compromission, there is no analysis showing malicious code.
There is literally nothing.

The community cannot spend hours on every file triggering detection on VT or other similar platform.

The ldpreload_backdoor is a rule from malpedia and different from the ldpreload yara rule on the yara-rules git.

 	Address 	Registrar 	Country
a978.i6g1.akamai.net
	- 	Akamai Technologies, INC.
Organization: Akamai Technologies, inc.
Name Server: NS1-1.AKAMAITECH.NET
Creation Date: 1999-03-03T00:00:00 	-
ag.gbc.criteo.com
	- 	Ascio Technologies, Inc
Organization: Criteo SA
Name Server: NS1.CRITEO.COM
Creation Date: 2005-06-17T00:00:00 	-
api.snapcraft.io
	- 	- 	-
gem.gbc.criteo.com
	- 	Ascio Technologies, Inc
Organization: Criteo SA
Name Server: NS1.CRITEO.COM
Creation Date: 2005-06-17T00:00:00 	-
ipv6.msftncsi.com.edgesuite.net
	- 	Akamai Technologies, INC.
Organization: Akamai Technologies, inc.
Name Server: A12-64.AKAM.NET
Creation Date: 2001-04-02T00:00:00 	-
staging.to-do.officeppe.com
	- 	MarkMonitor, Inc.
Organization: Microsoft Corporation
Name Server: NS1.MSFT.NET
Creation Date: 2013-04-22T17:26:12 	-

https://hybrid-analysis.com/sample/ff42 … ee9c063e29

And that's because the file *runs* on Windows, macosx, android. And linux.

Last edited by Mrkd1904 (2024-04-23 10:22:11)

Offline

#43 2024-04-23 10:27:52

MS-DTYP
Member
Registered: 2020-05-01
Posts: 30

Re: Have I been hacked?

There is no reason to blindly grab files from Arch Linux repositories and upload them to VirusTotal. This can continue forever; you'll find such false positives every day, and there is nothing you can do about it. Similarly, running a scanner like Nmap without deeply understanding its input and output can lead to misinterpretations of security risks, potentially overlooking real threats or chasing non-existent ones.

Last edited by MS-DTYP (2024-04-23 10:32:30)

Offline

#44 2024-04-23 10:38:02

Mrkd1904
Member
Registered: 2023-11-08
Posts: 63

Re: Have I been hacked?

MS-DTYP wrote:

There is no reason to blindly grab files from Arch Linux repositories and upload them to VirusTotal. This can continue forever; you'll find such false positives every day, and there is nothing you can do about it. Similarly, running a scanner like Nmap without deeply understanding its input and output can lead to misinterpretations of security risks, potentially overlooking real threats or chasing non-existent ones.

If your post was directed at me - the snippet above are the dns requests from the sample run on hybrid-analysis. Which is why i linked it. Take a look yourself.

Offline

#45 2024-04-23 18:18:40

loqs
Member
Registered: 2014-03-06
Posts: 17,974

Re: Have I been hacked?

Mrkd1904 wrote:

The ldpreload_backdoor is a rule from malpedia and different from the ldpreload yara rule on the yara-rules git.

From that rule which functions are connected to the flagging? Have you contacted the rules author about the match? Have you on your system detected libsystemd-shared-255.4-2.so contacting any of those domains? Have you on your system detected libsystemd-shared-255.4-2.so performing any malicious activity consistent with any of the malware that has been identified as infecting it?

Offline

#46 2024-04-23 20:26:52

Mrkd1904
Member
Registered: 2023-11-08
Posts: 63

Re: Have I been hacked?

loqs wrote:
Mrkd1904 wrote:

The ldpreload_backdoor is a rule from malpedia and different from the ldpreload yara rule on the yara-rules git.

From that rule which functions are connected to the flagging? Have you contacted the rules author about the match? Have you on your system detected libsystemd-shared-255.4-2.so contacting any of those domains? Have you on your system detected libsystemd-shared-255.4-2.so performing any malicious activity consistent with any of the malware that has been identified as infecting it?

How soon we forget i made an entire thread about libsystemd being malicious. Which, isn't this one. Also, how soon we forget that this question encompasses at least five other files that are being detected as malicious with the same brand of malwares. The focus of these threads isn't to interrogate what i have or have not done. Its to figure out what the hell is going on in regards to the larger why are off the shelf Arch Linux files coming frok Arch Linux mirrors seemingly infected with malware.

But alas, i'll add malpedia to my list of emails as well to ask. Would you mind also sending an email?

Offline

#47 2024-04-23 20:43:41

seth
Member
Registered: 2012-09-03
Posts: 57,935

Re: Have I been hacked?

Its to figure out what the hell is going on in regards to the larger why are off the shelf Arch Linux files coming frok Arch Linux mirrors seemingly infected with malware.

You do still not understand how those static virus checks work and what happens when files are "scanned for virus signatures"?

Looking for random byte sequences that have randomly shown up in random binaries that some rando has flagged as malicious and then cross-referencing that with your eternally growing whitelist of false positives is the security of https://en.wikipedia.org/wiki/Deferent_and_epicycle and  the natural consequence of this charade was once aptly described https://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf

ie. those virus checks are and always have been a scam.
They *pretend* effective action to make you feel good, like, you've done some. And you're safe, because the "virus scanner" didn't find anything.

Read up https://research.swtch.com/xz-script and then tell me whether you seriously believe those "virus scans" would have done jack shit in that case.
They're just good at generating false positives and paying any attention to that is a complete waste of time.

As last remark on this entire post-xz hysteria, I'll prove to you that there's no malware in those files:
-----------------------------------------------------
1. The malware author has access to the very same tools as you do (at least)
2. Padding the source or even the binary or tweaking compiler flags or optimizations to avoid those hits is rather trivial, https://bbs.archlinux.org/viewtopic.php … 8#p2166668

my laptops must run Fortinet by contract. Fortinet reports the aforementioned libraries as malware; I needed to recompile my version of systemd slightly patched to change the checksum

3. The malware author doesn't want their stuff to be detected, so they'll take those trivial counter measures to evade the detection.
=> The files in the repos that do NOT light up in the static virus scan are way more suspicious than the ones that do.
-- qed

Offline

#48 2024-04-23 20:52:43

loqs
Member
Registered: 2014-03-06
Posts: 17,974

Re: Have I been hacked?

As I have not seen any evidence of malicious activity I will not be contacting anyone about the issue.  You may as well ask hybrid-analysis about those domains as http://ping.archlinux.org/nm-check.txt used as Arch's network connectivity tester by NetworkManager has been raised multiple times by people asking why is their system connecting to that domain and its related IP.  api.snapcraft.io has multiple hits for traces involving snap while staging.to-do.officeppe.com / ipv6.msftncsi.com.edgesuite.net / gem.gbc.criteo.com only match this thread.  The doman names are not in the systemd source,  the Arch PKGBUILD or the strings extracted from the binary.
https://github.com/systemd/systemd/issu … 2071653514

poettering  wrote:

I am sorry, but this is not actionable for us. I don't now those websites in question and we are not providing any built binaries. Please contact your distro for help, and verify those websites aren't just making stuff up.

Emphasis added.

Offline

#49 2024-04-23 22:11:54

Mrkd1904
Member
Registered: 2023-11-08
Posts: 63

Re: Have I been hacked?

seth wrote:

Its to figure out what the hell is going on in regards to the larger why are off the shelf Arch Linux files coming frok Arch Linux mirrors seemingly infected with malware.

You do still not understand how those static virus checks work and what happens when files are "scanned for virus signatures"?

Looking for random byte sequences that have randomly shown up in random binaries that some rando has flagged as malicious and then cross-referencing that with your eternally growing whitelist of false positives is the security of https://en.wikipedia.org/wiki/Deferent_and_epicycle and  the natural consequence of this charade was once aptly described https://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf

ie. those virus checks are and always have been a scam.
They *pretend* effective action to make you feel good, like, you've done some. And you're safe, because the "virus scanner" didn't find anything.

Read up https://research.swtch.com/xz-script and then tell me whether you seriously believe those "virus scans" would have done jack shit in that case.
They're just good at generating false positives and paying any attention to that is a complete waste of time.

As last remark on this entire post-xz hysteria, I'll prove to you that there's no malware in those files:
-----------------------------------------------------
1. The malware author has access to the very same tools as you do (at least)
2. Padding the source or even the binary or tweaking compiler flags or optimizations to avoid those hits is rather trivial, https://bbs.archlinux.org/viewtopic.php … 8#p2166668

my laptops must run Fortinet by contract. Fortinet reports the aforementioned libraries as malware; I needed to recompile my version of systemd slightly patched to change the checksum

3. The malware author doesn't want their stuff to be detected, so they'll take those trivial counter measures to evade the detection.
=> The files in the repos that do NOT light up in the static virus scan are way more suspicious than the ones that do.
-- qed

First off - i appreciate your insight. That's genuine. Not being a smartass

Secondly, is your consensus the same if the analysis is dynamic. Not static? Does that make any difference to you, and why?

Third, you seem to be speaking from experience. Can you point me to other points in time where such an important piece of software was so widely reported as malicious?

Lastly, still ticking the wrong direction. With now 18 detections on libsystemd-shared. And now anywhere between that, and 62 detections in my upload from last week.

https://otx.alienvault.com/pulse/66207a … 6c618c5239

Stix 2.1 JSON: https://otx.alienvault.com/otxapi/pulse … at=stix2.1- heads up, as this downloads the JSON.

Lastly, lastly; i'm not trying to be nor do not want to be some crusader. But dude, you have to admit it is at least peculiar. Particularly given the timing.

Offline

#50 2024-04-23 22:34:51

seth
Member
Registered: 2012-09-03
Posts: 57,935

Re: Have I been hacked?

What is a "dynamic" analysis?
But it's obviously different if there're behavioral analysis leading to the conclusion that something's wrong with the executable that's constantly trying to reach the servers of the ccpd.
Which is what loqs has asked for multiple times, I think.

Then your premise is false - systemd or archlinux or any linux are not "an important piece of software" - certainly not to AV companies.
Here's from 2009 why "OMG the windows explorer (actually relevant to them because it's to the VAST majority of their clients) was falsely detected as virus" doesn't happen (and to give you an idea that this is, at all, not a new problem)
https://blog.nirsoft.net/2009/05/17/ant … evelopers/
And from 2008 where there was a massive problem in critical software and no AV vendor cared, https://www.schneier.com/blog/archives/ … ber_b.html

And lastly, your premise is false again. Twice.

it is at least peculiar. Particularly given the timing

1. the timing would mandate that malicious actors go silent, you'd expect to see the exact opposite except if a bunch of trolls and freaked out users would randomly flag malware with a shotgun
2. this still hinges on the misconception that the virustotal results would provide any relevance

VT runs security checks like phoronix runs benchmarks: semi-opaque, hence not reproducible and with no explanation beyond an aggregated result.
It's (afaict, feel free to prove me wrong) not disclosed what exact scanners (versions, configurations, databases, patches) were used nor what patterns were concerned (the latter being an inherited problem and systematic, as that's "business secret", the former just bad style)
A *literal* result "virus scanner foo says it's bad but virus scanner bar says it's ok" would provide the exact same amount of information: none.

Offline

Board footer

Powered by FluxBB