
#1 2017-09-25 15:00:23

tron
Member
Registered: 2016-08-26
Posts: 8

[SOLVED]: Chromium fails after Clamscan removes Mirai Trojan

Ran Clamscan yesterday; it removed this from my system:

/usr/share/metasploit/vendor/bundle/ruby/2.3.0/gems/metasploit-payloads-1.1.11/data/meterpreter/metsrv.x86.dll: Win.Tool.MeterPreter-6294292-0 FOUND
/usr/share/metasploit/vendor/bundle/ruby/2.3.0/gems/metasploit-payloads-1.1.11/data/meterpreter/metsrv.x86.dll: Removed.
/usr/lib/chromium/chromium: Unix.Trojan.Mirai-5932143-0 FOUND
/usr/lib/chromium/chromium: Removed.
/var/cache/pacman/pkg/chromium-61.0.3163.91-1-x86_64.pkg.tar.xz: Unix.Trojan.Mirai-5932143-0 FOUND
/var/cache/pacman/pkg/chromium-61.0.3163.91-1-x86_64.pkg.tar.xz: Removed.
/var/cache/pacman/pkg/chromium-61.0.3163.100-1-x86_64.pkg.tar.xz: Unix.Trojan.Mirai-5932143-0 FOUND
/var/cache/pacman/pkg/chromium-61.0.3163.100-1-x86_64.pkg.tar.xz: Removed.
/var/cache/pacman/pkg/chromium-61.0.3163.79-1-x86_64.pkg.tar.xz: Unix.Trojan.Mirai-5932143-0 FOUND
/var/cache/pacman/pkg/chromium-61.0.3163.79-1-x86_64.pkg.tar.xz: Removed.

After this Chromium would not start, so I reinstalled it using pacman, then reran Clamscan, and it removed this from my system... again:

/usr/lib/chromium/chromium: Unix.Trojan.Mirai-5932143-0 FOUND
/usr/lib/chromium/chromium: Removed.
/var/cache/pacman/pkg/chromium-61.0.3163.100-1-x86_64.pkg.tar.xz: Unix.Trojan.Mirai-5932143-0 FOUND
/var/cache/pacman/pkg/chromium-61.0.3163.100-1-x86_64.pkg.tar.xz: Removed.

Now Chromium will not start again and I have not reinstalled it this time.
Has anyone had this same issue, or does anyone know why this is happening? ... I checked the bug reports and there's nothing there... Any suggestions on how to handle this, or where to better report it so it is solved?

Last edited by tron (2017-09-25 17:55:04)

Offline

#2 2017-09-25 15:08:34

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,772

Re: [SOLVED]: Chromium fails after Clamscan removes Mirai Trojan

Now Chromium will not start again and I have not reinstalled it this time.

Well there's your problem...

/usr/lib/chromium/chromium: Removed.

My firm belief is that this is a false positive. I could be wrong. As clamav seems to have cleaned out the executable and the cache, I would do a reinstall of chrome. I am not sure if pacman will complain about the files missing from the cache when its database says they should be there. If it is a false positive, I would expect clamav to do the same thing all over again. If it doesn't, then something compromised your system by changing, at the very least, chromium. I doubt that, especially since it also flagged the cache files. That would mean the attack would have to be Arch specific.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#3 2017-09-25 15:27:58

loqs
Member
Registered: 2014-03-06
Posts: 17,321

Re: [SOLVED]: Chromium fails after Clamscan removes Mirai Trojan

$ clamscan -V
ClamAV 0.99.2/23871/Mon Sep 25 09:44:09 2017
$ clamscan /var/cache/pacman/pkg/chromium-61.0.3163.100-1-x86_64.pkg.tar.xz 
/var/cache/pacman/pkg/chromium-61.0.3163.100-1-x86_64.pkg.tar.xz: OK

----------- SCAN SUMMARY -----------
Known viruses: 6303734
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 55.75 MB (ratio 0.00:1)
Time: 6.688 sec (0 m 6 s)
$ sha256sum /var/cache/pacman/pkg/chromium-61.0.3163.100-1-x86_64.pkg.tar.xz 
5d4380308b3d5c2bc6e13d77090688ba00f0828f2777d83376d44038a6d0e2dd  /var/cache/pacman/pkg/chromium-61.0.3163.100-1-x86_64.pkg.tar.xz


#4 2017-09-25 17:17:52

tron
Member
Registered: 2016-08-26
Posts: 8

Re: [SOLVED]: Chromium fails after Clamscan removes Mirai Trojan

@ewaller
Maybe you can answer a question that I have wondered about on this subject... How does a scanner turn up a false positive? ... I ask not only for this issue, but also for another distro that had a lot of removals in Metasploit and Mimikatz... I guess I will have to remove the -r from the Clamscan script so I can investigate further... I know this might not be the right place to ask this question and I apologize if it violates forum rules... but if you could indulge me this once, it might help to solve the 'why' of many problems.


#5 2017-09-25 17:20:17

tron
Member
Registered: 2016-08-26
Posts: 8

Re: [SOLVED]: Chromium fails after Clamscan removes Mirai Trojan

Also, I will take your suggestion to reinstall, but I am going to scrub all current Chromium-associated files from my system... Thanks for your assistance with this issue.


#6 2017-09-25 17:32:42

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,772

Re: [SOLVED]: Chromium fails after Clamscan removes Mirai Trojan

I am not familiar with the internal workings of ClamAV or other programs of the genre, but they often use "signatures" (essentially a hash) of some code snippet. As to how the code defines the boundaries of those snippets, I've not a clue. But if a chunk of legitimate code has a signature that matches a known vector, that legitimate code could be flagged. It has happened before... https://www.theregister.co.uk/2010/04/2 … _positive/



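An added example, not from ewaller, loqs or the ClamAV project, that shows the mechanism ewaller describes: a toy matcher for body signatures in the style of ClamAV's .ndb lines ("Name:Target:Offset:HexSig", where "??" stands for any one byte and "*" for any run of bytes) next to a whole-file hash signature in the style of its .hdb/.hsb lines ("Hash:Size:Name"). The signature name Toy.Trojan.Bot, the three sample files and the byte sequence they share are all made up for the demo; real ClamAV does its matching with Aho-Corasick and has many more signature types than these two. The byte-pattern signature fires on every file that contains the sequence, which is exactly how an unrelated legitimate binary gets flagged, while the hash signature only ever matches the one sample it was taken from.

```shell
#!/bin/sh
# Added example, not ClamAV code. Minimal matcher for two signature styles:
#   body signature  "Name:Target:Offset:HexSig"  (like ClamAV .ndb lines)
#       "??" matches any one byte, "*" matches any run of bytes;
#       Target and Offset are accepted but not enforced here.
#   hash signature  "Sha256:Size:Name"            (like ClamAV .hdb/.hsb lines)
# Signature names and sample files below are constructed for the demo.

# hexdump_file FILE -> the file as one lowercase hex string, two digits per byte
hexdump_file() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# sig_to_regex HEXSIG -> extended regex over that hex string
sig_to_regex() {
    printf '%s' "$1" | sed -e 's/??/../g' -e 's/\*/(..)*/g'
}

# sig_match FILE "Name:Target:Offset:HexSig" -> 0 and "FOUND" on a hit, else 1
sig_match() {
    name=${2%%:*}
    hexsig=${2##*:}
    # "^([0-9a-f]{2})*" keeps the match on a byte boundary, not a nibble.
    if hexdump_file "$1" | grep -Eq "^([0-9a-f]{2})*$(sig_to_regex "$hexsig")"; then
        printf '%s: %s FOUND\n' "$1" "$name"
        return 0
    fi
    printf '%s: OK\n' "$1"
    return 1
}

# hash_match FILE "Sha256:Size:Name" -> 0 and "FOUND" only if size and hash agree
hash_match() {
    want_hash=${2%%:*}
    rest=${2#*:}
    want_size=${rest%%:*}
    name=${rest#*:}
    size=$(wc -c < "$1" | tr -d ' ')
    hash=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$size" = "$want_size" ] && [ "$hash" = "$want_hash" ]; then
        printf '%s: %s FOUND\n' "$1" "$name"
        return 0
    fi
    printf '%s: OK\n' "$1"
    return 1
}

# hash_sig_for FILE NAME -> a hash signature line for exactly that file
hash_sig_for() {
    printf '%s:%s:%s\n' "$(sha256sum "$1" | cut -d' ' -f1)" "$(wc -c < "$1" | tr -d ' ')" "$2"
}

demo() {
    dir=$(mktemp -d)
    # Constructed samples. The "bot" and the "browser" share the bytes
    # "/bin/busybox" (the kind of string or library routine two unrelated
    # binaries can legitimately have in common); the third file shares nothing.
    printf 'bot: scan telnet, run /bin/busybox wget, kill rivals\n' > "$dir/bot.bin"
    printf 'browser: sandbox helper falls back to /bin/busybox on small boxes\n' > "$dir/browser.bin"
    printf 'editor: nothing in common with either\n' > "$dir/editor.bin"

    # Hypothetical body signature: "/bin/busyb", any one byte, then "x"
    body_sig='Toy.Trojan.Bot:0:*:2f62696e2f6275737962??78'
    echo '== body signature (byte pattern): fires on both files that share the bytes =='
    for f in bot browser editor; do sig_match "$dir/$f.bin" "$body_sig" || :; done

    # Hash signature taken from the bot sample only
    hash_sig=$(hash_sig_for "$dir/bot.bin" Toy.Trojan.Bot)
    echo '== hash signature (whole file): fires on the sample only =='
    for f in bot browser editor; do hash_match "$dir/$f.bin" "$hash_sig" || :; done
    rm -rf "$dir"
}

demo
```

It is a plain POSIX sh script and needs only od, sed, grep -E, sha256sum and mktemp. The second half is also why one sha256sum comparison of a cached package, as loqs did above, says more about that package than any number of pattern hits.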

#7 2017-09-25 18:32:29

seth
Member
Registered: 2012-09-03
Posts: 51,028

Re: [SOLVED]: Chromium fails after Clamscan removes Mirai Trojan

a) DO NOT LET "VIRUS SCANNERS" AUTOMATICALLY DELETE DATA!
This time it's been a generic binary, next time it's your master thesis.
The same, btw, goes for disc scrubbers.

b) If in doubt, *never* trust a single "virus scanner", especially not if this is an unaltered file out of an official repo ("pacman -Qk <package-name>").
You can upload data for more inspection here: https://www.virustotal.com/

c) When you *really* suspect some stock arch provided binary to be virus infected, you should raise this to at least the package maintainer.

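An added example (mine, not seth's or the Arch project's) of doing what a) and b) say: run clamscan with its report-only options instead of --remove, pull every path marked FOUND out of the log, and ask pacman whether each file is still an unaltered package file before deciding anything. It assumes an Arch Linux system with pacman and clamscan on the PATH; on anything else the ownership step just says so. The log lines in the demo are copied from the report at the top of the thread, and the metasploit exclusion is my addition, since those payloads are built to be flagged.

```shell
#!/bin/sh
# Added example, not from the thread: triage a clamscan report instead of
# letting the scanner delete. Assumes Arch Linux (pacman) and clamscan on the
# PATH; the report format is clamscan's own "<path>: <signature> FOUND".

# found_paths LOGFILE -> every path flagged FOUND, once each, sorted
found_paths() {
    grep ' FOUND$' "$1" |
        sed -e 's/^[[:space:]]*//' -e 's/: [^:]* FOUND$//' |
        sort -u
}

# found_sigs LOGFILE -> "count signature" per signature, most hits first
found_sigs() {
    grep ' FOUND$' "$1" |
        sed -e 's/.*: \([^:]*\) FOUND$/\1/' |
        sort | uniq -c | sort -rn
}

# triage_path PATH -> who owns the file and whether it still matches what
# pacman installed. Nothing is deleted or moved here.
triage_path() {
    if [ ! -e "$1" ]; then
        printf '%s: missing (already deleted by the scanner?); reinstall its package with pacman -S\n' "$1"
        return 0
    fi
    if ! command -v pacman >/dev/null 2>&1; then
        printf '%s: pacman not available, cannot check ownership\n' "$1"
        return 0
    fi
    case $1 in
        /var/cache/pacman/pkg/*.pkg.tar.*)
            # A cached package: record its hash so it can be compared with the
            # same file from a mirror or another machine (loqs's check above).
            sha256sum "$1"
            ;;
        *)
            if owner=$(pacman -Qoq "$1" 2>/dev/null); then
                printf '%s: owned by %s\n' "$1" "$owner"
                # -Qkk checks every file of the package against the mtree data
                # recorded at install time, so a modified binary shows up here.
                pacman -Qkk "$owner"
            else
                printf '%s: not owned by any package, inspect by hand\n' "$1"
            fi
            ;;
    esac
}

# scan_and_triage TARGET -> report-only scan, then triage every hit.
# Metasploit's payloads are excluded: they are tools built to look like
# malware, which is why metsrv.x86.dll was flagged in the first post.
scan_and_triage() {
    command -v clamscan >/dev/null 2>&1 || { echo 'clamscan not found' >&2; return 2; }
    log=$(mktemp)
    clamscan -r --infected --log="$log" --exclude-dir='^/usr/share/metasploit' "$1"
    found_sigs "$log"
    found_paths "$log" | while IFS= read -r p; do triage_path "$p"; done
    rm -f "$log"
}

demo() {
    log=$(mktemp)
    # Report lines copied from the first post (the stray leading space too).
    cat > "$log" <<'EOF'
 /usr/share/metasploit/vendor/bundle/ruby/2.3.0/gems/metasploit-payloads-1.1.11/data/meterpreter/metsrv.x86.dll: Win.Tool.MeterPreter-6294292-0 FOUND
/usr/lib/chromium/chromium: Unix.Trojan.Mirai-5932143-0 FOUND
/usr/lib/chromium/chromium: Removed.
/var/cache/pacman/pkg/chromium-61.0.3163.100-1-x86_64.pkg.tar.xz: Unix.Trojan.Mirai-5932143-0 FOUND
/var/cache/pacman/pkg/chromium-61.0.3163.91-1-x86_64.pkg.tar.xz: Unix.Trojan.Mirai-5932143-0 FOUND
EOF
    found_sigs "$log"
    found_paths "$log" | while IFS= read -r p; do triage_path "$p"; done
    rm -f "$log"
}
demo
```

If you want the scanner to act at all, clamscan's --move=DIR parks hits in a quarantine directory where they can still be examined and restored; --remove is the one option this script never passes.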
