chkrootkit gives false positive Linux/Ebury - Operation Windigo

Bug #1508248 reported by sleek on 2015-10-20
This bug affects 14 people
Affects               Status         Importance   Assigned to   Milestone
chkrootkit                           Undecided    auto-nelson
chkrootkit (Debian)   Fix Released   Unknown
chkrootkit (Fedora)   Fix Released   Undecided
chkrootkit (Ubuntu)                  Low          Unassigned
  (Declined for Wily by Steve Beattie)
  Xenial                             Low          Unassigned

Bug Description

I tried from ubuntuforums.org:

sudo netstat -nap | grep "@/proc/udevd" returns nothing
sudo find /lib* -type f -name libns2.so returns nothing either

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: chkrootkit 0.50-3.1ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu3
Architecture: amd64
CurrentDesktop: Unity
Date: Tue Oct 20 17:31:49 2015
InstallationDate: Installed on 2015-10-17 (3 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
SourcePackage: chkrootkit
UpgradeStatus: Upgraded to wily on 2015-10-20 (0 days ago)

Description of problem:
chkrootkit always reports:

Possible Linux/Ebury - Operation Windigo installetd

Version-Release number of selected component (if applicable):
chkrootkit-0.50-4.fc22.x86_64
openssh-6.8p1-8.fc22.x86_64

How reproducible:
Always.

Additional info:
The test uses $(ssh -G) (print configuration and exit) and looks for signatures in the output. ssh -G now requires a host argument.

ssh -G
prints usage and exit 255, triggering report.

ssh -G localhost
prints configuration and exit 0.

I assume that openssh has changed recently.

After a little investigation....

The Linux/Ebury root-kit infects ssh and can be identified by the way it handles illegal or unknown command-line options, not printing an information line before usage: ...

Accepted wisdom is to invoke ssh with an illegal option and check that the expected extra line is there (clean) or missing (infected).

chkrootkit uses $(ssh -G) as its illegal invocation, but OpenSSH added the '-G' option to print configuration back in 2014.

Long story short - chkrootkit needs to pick a different illegal option.

Currently unused options include djruzBHJUZ.

Changing the script (2 places) appears to work (I used -H, $(rpm -Vv openssh-clients) to check).

...
Searching for Linux/Ebury - Operation Windigo ssh... nothing found
...
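An added example, not chkrootkit's code or the reporter's: the heuristic described above as a shell function whose probe option is a parameter, run against constructed stand-in scripts for a clean client and for the behaviour the report attributes to an infected one (the stub output and the -H probe are assumptions). It reproduces the -G false positive and shows the -H probe passing.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: the Linux/Ebury heuristic from
# the report with the probe option as a parameter. A clean OpenSSH client
# answers an unimplemented option with an "illegal"/"unknown option" line
# before its usage text; per the report an Ebury-patched client omits that
# line. OpenSSH accepts -G, so a -G probe is usage-only: the false positive.
# ebury_check SSH_CMD PROBE_OPTION [ARGS...]
# 0 = clean (option-error line present), 1 = suspect (usage without it),
# 2 = probe proves nothing (option accepted, or no usage text at all)
ebury_check() {
    cmd=$1; shift
    if out=$("$cmd" "$@" 2>&1); then
        return 2           # exit 0: the "illegal" option is a real one
    fi
    printf '%s\n' "$out" | grep -q -e illegal -e unknown && return 0
    printf '%s\n' "$out" | grep -q '^usage:' && return 1
    return 2
}

# classify SSH_CMD PROBE_OPTION [ARGS...]: prints clean / suspect / bad-probe
classify() {
    rc=0
    ebury_check "$@" || rc=$?
    case $rc in 0) echo clean ;; 1) echo suspect ;; *) echo bad-probe ;; esac
}

# Constructed stand-ins (assumed, simplified output) for both client
# behaviours; prints the directory holding them.
make_stubs() {
    dir=$(mktemp -d)
    # Clean OpenSSH >= 6.8 model: -G with a host dumps the configuration,
    # -G alone prints usage only, any unimplemented option is reported first.
    cat > "$dir/ssh_clean" <<'EOF'
#!/bin/sh
usage='usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-o option] destination [command]'
if [ "$1" = -G ]; then
    [ -n "$2" ] && { echo "hostname $2"; exit 0; }
    echo "$usage" >&2; exit 255
fi
echo "unknown option -- ${1#-}" >&2; echo "$usage" >&2; exit 255
EOF
    # Model of the Ebury-patched behaviour described in the report.
    printf '#!/bin/sh\necho "usage: ssh [-o option] destination" >&2; exit 255\n' > "$dir/ssh_suspect"
    chmod +x "$dir/ssh_clean" "$dir/ssh_suspect"
    echo "$dir"
}

stubs=$(make_stubs)
echo "-G on clean client: $(classify "$stubs/ssh_clean" -G)"   # suspect (false positive)
echo "-H on clean client: $(classify "$stubs/ssh_clean" -H)"   # clean
```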

sleek (sillypeople139) wrote :
Seth Arnold (seth-arnold) wrote :

I had the impression that chkrootkit hadn't been maintained for many years the last time I looked at it; it may require significant work to make it functional.

Thanks

information type: Private Security → Public
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

chkrootkit is in universe in Wily so will not receive much attention now. But I don't really understand your bug report either - you have not provided steps to reproduce the bug or detailed the difference between what you expect and what actually happens, so I'm marking this bug as Incomplete. Once you have provided a complete bug report, please change the bug status back to New. Then although the Ubuntu Server Team won't pay much attention to this bug, other volunteers are welcome to use this bug as a rallying point to try and get to a fix.

Changed in chkrootkit (Ubuntu):
status: New → Incomplete
sleek (sillypeople139) on 2015-10-22
Changed in chkrootkit (Ubuntu):
status: Incomplete → New
sleek (sillypeople139) wrote :

There is not much you have to do to produce this error other than install the program and type: sudo chkrootkit
According to relevant websites I found, this error occurs because ssh didn't use to implement -G, so chkrootkit's method of detecting this rootkit is no longer valid, per the following conversation on the Ubuntu forums:

    August 24th, 2015 #1
    fthx
    Heartbreaking chkrootkit 'operation windigo' positive warning

        Hi,

        Was raining today but suddenly I got the sun in my face:

        Code:

        sudo chkrootkit

        Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd

        (original typo...)

        Well... after some search I think it's a false positive. (I do not play with fishy PPAs and do not use my system as a server.)
        Sources :
        http://www.eset.com/int/about/press/...net-uncovered/
        https://www.cert-bund.de/ebury-faq
        http://ubuntuforums.org/showthread.p...ration+windigo
        https://bbs.archlinux.org/viewtopic.php?id=195395
        https://github.com/openssh/openssh-p...75ab3b9cc84cba

        If you run the "ssh -G" test in above links, you could be scared. But the commit (link to github) seems to show that a new ssh option has been introduced since the testing command line:
        Code:

        ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

        So this command does not return any error message, so you should get "System infected" in your terminal...

        I checked the sizes of the libraries (2nd link), ran ipcs commands and everything seemed to be ok.

        What do you think about this stuff? Should I run some additional tests?

    August 24th, 2015 #2
    runrickus
    Re: Heartbreaking chkrootkit 'operation windigo' positive warning

        I would think you would be safe if you did not show "System infected"

        Also there is this to show if infected.
        Code:

        # netstat -nap | grep "@/proc/udevd"

        Ebury version 1.5
        On Linux-based systems, an additional shared library file 'libns2.so' is installed and the existing libkeyutils file is patched to link against this library instead of libc6. The malicious 'libns2.so' file can be located by running the following command, which should not return any results on clean systems.
        # find /lib* -type f -name libns2.so
        /lib64/libns2.so
        Ebury now uses Unix domain sockets instead of shared memory segments for interprocess communication. The malicious socket can be located using 'netstat' as follows. Again, this command should not return any results on clean systems.
        Do antivirus products or other security tools detect Ebury? Some antivirus pro...


sleek (sillypeople139) wrote :

Please, I am using the newest version of chkrootkit, 0.50-3.1, not the 0.49 that the exchange discusses, and it is supposed to correctly detect the rootkit.

A chkrootkit scan on the Ubuntu 15.10 live DVD reports infection by Ebury, so in my opinion it is clear that this is not a real infection, but only a false positive. chkrootkit should be corrected as soon as possible.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in chkrootkit (Ubuntu):
status: New → Confirmed
Changed in chkrootkit (Ubuntu):
importance: Undecided → Low
no longer affects: chkrootkit
Changed in chkrootkit (Ubuntu):
status: Confirmed → Triaged
Changed in chkrootkit:
status: New → Confirmed

chkrootkit-0.50-7.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a5f68c1854

chkrootkit-0.50-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-afc728e85d

chkrootkit-0.50-7.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-37fa8f9d3a

*** Bug 1279170 has been marked as a duplicate of this bug. ***

chkrootkit-0.50-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4

chkrootkit-0.50-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e

chkrootkit-0.50-8.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24

chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-533e10ae24

chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b93b991ea4

chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6c1a60982e

The fix implemented in Fedora is to change the invocation of "$ssh -G" to instead use "$ssh -H". See e.g.
  http://pkgs.fedoraproject.org/cgit/rpms/chkrootkit.git/commit/?h=f23&id=82dd537b2fd88850eb4327a80b2c9acb7dbcf2ab

summary: - chkrootkit gives false positive ebury
+ chkrootkit gives false positive Linux/Ebury - Operation Windigo
Changed in chkrootkit (Debian):
status: Unknown → Confirmed

chkrootkit-0.50-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

chkrootkit-0.50-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

chkrootkit-0.50-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

axel (axel334) wrote :

Still valid on xenial 64-bit

Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected

There are topics on forum about it:
http://ubuntuforums.org/showthread.php?t=2291968
http://ubuntuforums.org/showthread.php?t=2304660

Chris Silva (cds60601) wrote :

Wish to confirm that this is still an issue.
xenial 64-bit server

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected

OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips 1 Mar 2016
chkrootkit version 0.50

Changed in chkrootkit (Debian):
status: Confirmed → Fix Released

This remains unfixed in Linux Mint 18.1.

Konstantin Boyandin (7-det-g) wrote :

Still affects Ubuntu 16.04. 'ssh -G' is a valid command; 'ssh -Z' (or any remaining unused option) should be used.

See
https://askubuntu.com/questions/709545/chkrootkit-says-searching-for-linux-ebury-operation-windigo-ssh-possible-l

for a script to check for 'Operation Windigo' presence.

Changed in chkrootkit (Fedora):
importance: Unknown → Undecided
status: Unknown → Fix Released
Changed in chkrootkit (Ubuntu):
assignee: nobody → Adhar Maheshwari (addy-m)
assignee: Adhar Maheshwari (addy-m) → nobody
Andreas Hasenack (ahasenack) wrote :

Artful and Bionic are fine, since this was fixed in Debian's 0.50-4:
chkrootkit (0.50-4) unstable; urgency=low

  * [132754e] Fix windigo false positive (Closes:#796599)

The patch Debian is using is https://salsa.debian.org/pkg-security-team/chkrootkit/blob/debian/master/debian/patches/19_openssh.diff

This should be an easy SRU to xenial if someone wants to pick a low hanging fruit:

https://wiki.ubuntu.com/StableReleaseUpdates

Changed in chkrootkit (Ubuntu):
status: Triaged → Fix Released
Changed in chkrootkit (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → Low