
#1 2016-09-16 19:46:50

Inditium
Member
Registered: 2016-09-16
Posts: 3

Do I have malware?

Hi. I updated ClamAV's signature database and scanned with sudo permission. These files show up:

/var/cache/pacman/pkg/libxkbcommon-0.6.1-1-x86_64.pkg.tar.xz: PUA.Html.Exploit.CVE_2014_0322-1 FOUND
/var/cache/pacman/pkg/openjpeg2-2.1.1-2-x86_64.pkg.tar.xz: PUA.Html.Exploit.CVE_2014_0322-1 FOUND
/var/cache/pacman/pkg/graphite-1:1.3.8-1-x86_64.pkg.tar.xz: PUA.Html.Exploit.CVE_2014_0322-1 FOUND
/usr/share/doc/libxkbcommon/jquery.js: PUA.Html.Exploit.CVE_2014_0322-1 FOUND
/usr/lib/ruby/gems/2.3.0/cache/yard-0.8.7.6.gem: PUA.Win.Tool.Packed-178 FOUND
/usr/share/doc/libxkbcommon/jquery.js: PUA.Html.Exploit.CVE_2014_0322-1 FOUND
PUA.Win.Exploit.CVE_2012_0110-1 FOUND

Thanks.

Offline

#2 2016-09-16 20:07:06

olive
Member
From: Belgium
Registered: 2008-06-22
Posts: 1,490

Re: Do I have malware?

That's strange. I have never heard of malware that would target Archlinux packages specifically. To be sure, check if the packages are the same as the ones you get from a trusted mirror (for the *.pkg.tar.xz). For the files in your filesystem, do a "pacman -Qo /usr/share/doc/libxkbcommon/jquery.js" (for example) to see which package the file belongs to, then check if it is the same as the one you get by extracting it from the official package (you can extract them with tar -axvf <package>.tar.xz in a separate directory). If you are really paranoid, do that from a boot CD. But I am pretty sure it is a clamav bug.

Last edited by olive (2016-09-16 20:07:32)

Offline

#3 2016-09-16 20:17:22

smirky
Member
From: Bulgaria
Registered: 2013-02-23
Posts: 277

Re: Do I have malware?

Let me give you a hint.
You have doubts about X number of files.
In this scenario, you know what the files are and, even better, you know their original content checksums.
Open up the archlinux repositories, check their signatures and compare to yours.
If they are the same, then you have nothing to worry about.


Personal spot  ::  https://www.smirky.net/  ::  Try not to get lost!

Offline
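The check olive and smirky describe above (find the owning package, extract the official archive into a scratch directory, compare the installed file with the packaged copy) as a small POSIX shell script. This is an added example, not code from the thread or from Arch; it assumes GNU tar (which detects the compression on extraction, so olive's `tar -axvf` works as `tar -xf`), `sha256sum` and `mktemp`. The `pacman -Qoq` step that finds the owning package is shown only in a comment, because the comparison itself does not need pacman.

```shell
#!/bin/sh
# Added example (not from the thread): compare an installed file with the copy
# inside a package archive, as olive and smirky suggest.
#
# On a real Arch system the owning package is found first, e.g.
#   pacman -Qoq /usr/share/doc/libxkbcommon/jquery.js   # prints: libxkbcommon
# and the archive is the matching *.pkg.tar.xz, re-downloaded from a trusted
# mirror rather than taken from /var/cache/pacman/pkg if the cache is in doubt.
set -eu

# Print only the hex SHA-256 digest of a file.
file_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# compare_with_package FILE ARCHIVE [ENTRY]
# Extracts ARCHIVE into a private temporary directory and compares FILE with
# the entry ENTRY inside it (default: FILE with the leading "/" stripped, which
# is how pacman archives store paths). Prints "same", "differs" or "missing".
compare_with_package() {
    file=$1
    archive=$2
    entry=${3:-${file#/}}
    tmp=$(mktemp -d)
    # Extract into the scratch directory only; never over the live filesystem.
    tar -xf "$archive" -C "$tmp"
    packaged="$tmp/$entry"
    if [ ! -f "$packaged" ]; then
        result=missing
    elif [ "$(file_digest "$file")" = "$(file_digest "$packaged")" ]; then
        result=same
    else
        result=differs
    fi
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

# Script usage: ./compare.sh /path/to/installed/file /path/to/package.pkg.tar.xz
if [ "$#" -ge 2 ]; then
    compare_with_package "$@"
fi
```

A result of "same" only tells you the installed file matches what the package shipped; as ngoonee points out later in the thread, that says nothing about whether the file was already suspect when upstream shipped it.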

#4 2016-09-16 20:27:19

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: Do I have malware?

You're running clamscan with "--detect-pua=yes", which is disabled by default.  So it is telling you which files it thinks are potentially unwanted.  As pointed out above, you can check the files in question.


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.

Offline

#5 2016-09-17 02:01:56

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,354

Re: Do I have malware?

I'm not sure why the previous respondents are making the leap from 'signature verifies with repository' to 'the files are okay'. At least for libxkbcommon it's fairly clear that the 'issue', if any, is from an upstream-provided file, and it's entirely possible for upstream to have been compromised at some point. In fact jquery.js is likely not even from libxkbcommon, probably imported in from jquery sources....

Which is not to say there IS an issue, just that repo signing ONLY verifies that what you have is the same as what the arch developers put up. They're not infallible, and they're not checking every line of code or every file, that's upstream's job.

The conclusion being, please ask upstream.


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matter's attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#6 2016-09-17 02:46:07

SteveK
Member
Registered: 2010-06-11
Posts: 80

Re: Do I have malware?

ngoonee wrote:

The conclusion being, please ask upstream.

Exactly.  https://www.clamav.net/reports/fp

Offline

#7 2016-09-17 05:57:06

mpan
Member
Registered: 2012-08-01
Posts: 1,200

Re: Do I have malware?

@Inditium:
Don’t panic! A 2-year-old exploit for MSIE only, suddenly used in an attack on Linux and in the form of a file in docs? Quite improbable.

I can confirm that I have the same results and my jquery.js seems to contain nothing related to that vulnerability. Note: “seems” — it’s minified, so it’s pretty hard to examine it well. However, this may also be the key to why it has been detected in the first place: minified code very often causes false positives. Also, nothing is detected by ClamAV if the file is split, which in the case of script-borne malware reinforces the hypothesis of an FP. A multi-engine scan also detects nothing.

I would follow SteveK’s advice: report this to ClamAV and don’t bother poking xkbcommon, OpenJPEG or Graphite devs until ClamAV confirms there really is a problem with the file.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#8 2016-09-17 06:31:22

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: Do I have malware?

You'll always get this type of result using the "--detect-pua=yes" option at the moment.  If you choose to use it you'll have to check the files yourself.

https://www.clamav.net/documents/miscellaneous-faq

What is PUA? I get a lot of false positives named PUA.

With the release of ClamAV 0.91.2 we introduce the option to scan for Potentially Unwanted Applications.

The PUA database contains detection for applications that are not malicious by themselves but can be used in a malicious or unwanted context. As an example: a tool to retrieve passwords from a system can be useful as long as the person who uses it is authorized to do so. However, the same tool can be used to steal passwords from a system. To make use of the PUA database you can use the --detect-pua switch for clamscan or enable it in the config file for clamd (add: DetectPUA yes).

At this point we DO NOT recommend using it in production environments, because the detection may be too aggressive and lead to false positives. In one of the next releases we will provide additional features for fine-tuning allowing better adjustments to different setups. NOTE: A detection as PUA does NOT tell if an application is good or bad. All it says is that a file MAY BE unwanted or MAYBE could compromise your system security and it MAY BE a good idea to check it twice.

All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.

Offline
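Since loafer's posts (#4 and #8) make the point that `--detect-pua=yes` mixes advisory PUA.* hits into the same "FOUND" lines as real detections, a small POSIX shell helper that separates the two and lists the distinct paths to check by hand. This is an added example, not part of the thread or of ClamAV; it uses only `awk`, and the sample scan output is constructed from the lines Inditium posted plus one made-up non-PUA line labelled as such.

```shell
#!/bin/sh
# Added example (not from the thread): triage clamscan output produced with
# --detect-pua=yes. PUA.* signatures are advisory; everything else is a real hit.
set -eu

# Constructed sample: the lines from the first post plus one made-up non-PUA
# detection ("Example.Constructed.Sig-1" is a placeholder, not a real signature)
# and a clean line to show that only "... FOUND" lines are counted.
SAMPLE_SCAN_OUTPUT='/var/cache/pacman/pkg/libxkbcommon-0.6.1-1-x86_64.pkg.tar.xz: PUA.Html.Exploit.CVE_2014_0322-1 FOUND
/var/cache/pacman/pkg/openjpeg2-2.1.1-2-x86_64.pkg.tar.xz: PUA.Html.Exploit.CVE_2014_0322-1 FOUND
/var/cache/pacman/pkg/graphite-1:1.3.8-1-x86_64.pkg.tar.xz: PUA.Html.Exploit.CVE_2014_0322-1 FOUND
/usr/share/doc/libxkbcommon/jquery.js: PUA.Html.Exploit.CVE_2014_0322-1 FOUND
/usr/lib/ruby/gems/2.3.0/cache/yard-0.8.7.6.gem: PUA.Win.Tool.Packed-178 FOUND
/usr/share/doc/libxkbcommon/jquery.js: PUA.Html.Exploit.CVE_2014_0322-1 FOUND
PUA.Win.Exploit.CVE_2012_0110-1 FOUND
/etc/hostname: OK
/tmp/constructed-sample.bin: Example.Constructed.Sig-1 FOUND'

# classify_scan_output: reads clamscan output on stdin and prints
# "pua=N other=M", where N counts PUA.* signatures and M everything else.
# The signature name is the second-to-last field of a "... FOUND" line, which
# also copes with lines where the path is missing (as in the original post).
classify_scan_output() {
    awk '/ FOUND$/ {
             sig = $(NF - 1)
             if (sig ~ /^PUA\./) pua++; else other++
         }
         END { printf "pua=%d other=%d\n", pua + 0, other + 0 }'
}

# flagged_paths: prints each distinct path that had any FOUND line, once,
# ready to be fed to "pacman -Qo" or the package comparison step. The path is
# everything before the first ": " (paths like graphite-1:1.3.8 contain ":"
# but not ": ", so this split is safe for pacman cache names).
flagged_paths() {
    awk '/ FOUND$/ && index($0, ": ") > 0 {
             path = substr($0, 1, index($0, ": ") - 1)
             if (!seen[path]++) print path
         }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | classify_scan_output
printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | flagged_paths
```

Piping a real run (`sudo clamscan -r --detect-pua=yes / | classify_scan_output`) gives a quick feel for how much of the noise is advisory; the non-PUA count is the one that deserves immediate attention, while the PUA paths go through the package comparison or the false-positive report that SteveK links.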

#9 2016-09-17 13:41:55

djalel
Member
Registered: 2016-02-16
Posts: 31

Re: Do I have malware?

Hello
The PUA feature in clamav is broken and gives a lot of false positive alerts.

I think you are fine.

Offline
