Malware found in /usr/lib/keepass2/KeePass.exe

Bug #1602645 reported by Tom Worley
This bug affects 4 people
Affects: keepass2 (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

BitDefender for Linux has detected the malware Gen:Variant.Razy.74675 in /usr/lib/keepass2/KeePass.exe

I tried "apt-get --purge remove keepass2" then "apt-get install keepass2" to get the following:
-------------8<-------------
Selecting previously unselected package keepass2.
(Reading database ... 301930 files and directories currently installed.)
Preparing to unpack .../keepass2_2.32+dfsg-1_all.deb ...
Unpacking keepass2 (2.32+dfsg-1) ...
dpkg: error processing archive /var/cache/apt/archives/keepass2_2.32+dfsg-1_all.deb (--unpack):
 unable to open '/usr/lib/keepass2/KeePass.exe.dpkg-new': Operation not permitted
Processing triggers for desktop-file-utils (0.22-1ubuntu5) ...
Processing triggers for mime-support (3.59ubuntu1) ...
Processing triggers for shared-mime-info (1.5-2) ...
Unknown media type in type 'all/all'
Unknown media type in type 'all/allfiles'
Processing triggers for hicolor-icon-theme (0.15-0ubuntu1) ...
Processing triggers for man-db (2.7.5-1) ...
Errors were encountered while processing:
 /var/cache/apt/archives/keepass2_2.32+dfsg-1_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
------------->8-------------

BitDefender then reports that it has blocked "/usr/lib/keepass2/KeePass.exe.dpkg-new", which is the file named in the error above.

Extracting the /usr/lib/keepass2/KeePass.exe file to a Windows machine also shows it as having the same malware on Windows based AV scanners.

Needless to say the potential security implications of KeePass being infected are pretty high, if it's not just a false positive.
Regards,
Tom

Revision history for this message
Tom Worley (tom-worley) wrote :

Just to add to this, the Debian Jessie package (slightly older, 2.28) installs without any malware detected:
https://packages.debian.org/jessie/keepass2

Yes, installing a Debian package on Ubuntu is not best practice but it does appear to work.

description: updated
Revision history for this message
Tom Worley (tom-worley) wrote :

Just some quick checks.
The SHA256 sum of the KeePass.exe from the keepass2_2.32+dfsg-1_all.deb package:
9456ba3236c05afa7e9d744207fe90420315caa7af4cc77f9f6c4159fb4fba39 KeePass.exe
File size: 2,756,672
Date: 9th March 2016

From the official Windows package for 2.32: http://tenet.dl.sourceforge.net/project/keepass/KeePass%202.x/2.32/KeePass-2.32.zip
36257bf87edca2680da792772de1f311b4ce2dac65299bb4dc7687be469085c8 KeePass.exe
File size: 2,744,832
Date: 19th April 2016

It may not mean much, as the file date is different, as is the size; I don't know if the file is somehow processed either, or if this is the same release (despite the version numbers being the same).
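As an added example (not from the bug thread or the keepass2 package), the script below compares two KeePass.exe builds by SHA256, size, and the PE header's own compile timestamp and linker version, so that a date or size difference like the one above can be checked against header fields rather than filesystem metadata. The minimal PE stubs it builds are constructed sample input; the linker versions and timestamps are assumed values, not those of the real builds.

```python
"""Fingerprint PE binaries by hash, size and COFF/optional header fields."""
import hashlib
import struct
from datetime import datetime, timezone


def pe_header_info(data: bytes) -> dict:
    """Return machine, section count, compile timestamp and linker version."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, ...
    machine, nsect, tstamp = struct.unpack_from("<HHI", data, pe_off + 4)
    opt = pe_off + 24                                        # 4-byte sig + 20-byte COFF header
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    return {
        "machine": machine,
        "sections": nsect,
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc),
        "linker": f"{major}.{minor}",
        "pe32plus": magic == 0x20B,
    }


def fingerprint(data: bytes) -> dict:
    info = pe_header_info(data)
    info["sha256"] = hashlib.sha256(data).hexdigest()
    info["size"] = len(data)
    return info


def compare(a: bytes, b: bytes) -> list:
    """Names of fingerprint fields that differ between two builds."""
    fa, fb = fingerprint(a), fingerprint(b)
    return [k for k in fa if fa[k] != fb[k]]


def build_min_pe(timestamp: int, linker=(8, 0)) -> bytes:
    """Constructed headers-only PE stub so the example runs offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB", 0x10B, *linker) + b"\0" * (0xE0 - 4)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    packaged = build_min_pe(1457481600, (8, 0))    # constructed: 2016-03-09 UTC
    upstream = build_min_pe(1461024000, (11, 0))   # constructed: 2016-04-19 UTC
    for name, blob in (("packaged", packaged), ("upstream", upstream)):
        print(name, fingerprint(blob))
    print("differs in:", compare(packaged, upstream))
```

For a real file, pass `open(path, "rb").read()` to `fingerprint`; a timestamp that disagrees with the package's changelog date is the kind of discrepancy worth explaining before trusting either binary.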

Revision history for this message
Steve Beattie (sbeattie) wrote :

Another multi-AV scanning service also shows many hits. Looks like 2.34-1 is infected in both ubuntu and debian (ubuntu syncs the keepass2 source package unmodified from debian). Here are the results I'm seeing:

  2.32-1 (ubuntu/xenial): https://virusscan.jotti.org/en-US/filescanjob/6123yjndot (infected)
  2.29-1 (ubuntu/wily): https://virusscan.jotti.org/en-US/filescanjob/lf3vpa6ifv (not infected)
  2.34-1 (ubuntu/yakkety): https://virusscan.jotti.org/en-US/filescanjob/rj0f47grle (infected)
  2.34-1 (debian/testing): https://virusscan.jotti.org/en-US/filescanjob/34rse0hkq5 (infected)

So it looks like xenial and yakkety are infected, along with debian unstable and testing.

It looks like this issue may also be public: http://itprofesionales.blogspot.com/2016/07/virus-en-linux.html

Revision history for this message
Tom Worley (tom-worley) wrote :

Hi Steve,
Does this look like it may not be a false positive then?
Regards,
Tom

Revision history for this message
Tom Worley (tom-worley) wrote :

I've reported this to the Debian security group.
Regards,
Tom

Revision history for this message
Steve Beattie (sbeattie) wrote :

Following up on this, I went through and pulled the interim releases from launchpad and submitted the keepass.exe binaries to the anti-virus services, and they start getting triggered by the 2.31+dfsg-1 version:

2.31+dfsg-1 (https://launchpad.net/ubuntu/+source/keepass2/2.31+dfsg-1/+build/8829631) result:
  https://virusscan.jotti.org/en-US/filescanjob/2f4uejsje3
  https://www.virustotal.com/sv/file/ed1d3f21be70feaf850f175c29fa28d07a453800ba0abcb3c44cf402db8ea5eb/analysis/

2.30+dfsg-2 (https://launchpad.net/ubuntu/+source/keepass2/2.30+dfsg-2/+build/8797566) results:
  https://virusscan.jotti.org/en-US/filescanjob/dp4fnv25a3
  https://www.virustotal.com/sv/file/be94faa8e306c825a604b358e2985f2698c7298408a18ead36dd6123437ad129/analysis/1468453778/

2.30+dfsg-1 (https://launchpad.net/ubuntu/+source/keepass2/2.30+dfsg-1/+build/8178398) results:
  https://virusscan.jotti.org/en-US/filescanjob/1vfl96j3ib
  https://www.virustotal.com/sv/file/93bc870427b59ee741731db11651d475deb7e9b1c8ef892a8b1e1efec644167a/analysis/1468453545/

Julian Taylor also found similar results rebuilding those versions against current xenial and submitting the results for scanning.

The source orig tarball for both these versions scans clean:

  2.31 https://www.virustotal.com/sv/file/954986db5acb63c634bc9fd8496bb822461eb62147b10e054bb8e7662533db5d/analysis/1468563164/
  2.30 https://www.virustotal.com/sv/file/3c99953402b6987be8c04fb0955b3045371724df3cae19fe750e89a830e7b19a/analysis/1468563034/

I also note that Julian also retried building the 2.34+dfsg-1 version against precise (12.04), trusty (14.04), and xenial (16.04), using the mono toolchain from each release, and got the same triggered results for the xenial and trusty builds, but the precise build came out clean.

I also submitted some other pe32 binaries from the Banshee package in xenial (version 2.9.0+really2.6.2-7ubuntu2) and got no positive hits from those either.

I think this is still a false positive. Both Debian and Ubuntu build the keepass2 package from the upstream source using mono (whereas upstream builds with a windows compiler) -- I initially incorrectly thought a repackaged binary from upstream was what the keepass2 package contained.

If there is malware being injected, it would need to be in the toolchain or embedded libraries, or some coordinated effort between them and keepass; but then you would expect either that earlier versions of keepass rebuilt with the xenial toolchain would show evidence of it, or that it wouldn't show up when built with trusty's toolchain, and that it would possibly show up in other pe32 binaries (though the small sample that I tested is in no way comprehensive; more research on this would be appreciated).

I have not walked through all of keepass2's (mono) build dependencies, looking for a triggering malware, nor have I tried to decompile the keepass.exe binaries looking for embedded malware. If someone would like to take that on, that would be great.

I don't see a need to keep this bug report private, so I'm opening it up. Thanks!

information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in keepass2 (Ubuntu):
status: New → Confirmed
Revision history for this message
Steve Beattie (sbeattie) wrote :

I've not seen any additional evidence that this is anything but a false positive. Based on that, I'm closing; however, please re-open if further investigation shows otherwise. Thanks.

Changed in keepass2 (Ubuntu):
status: Confirmed → Invalid