Anti-virus threat detections in repo source packages

Bug #592871 reported by Thomas Mashos on 2010-06-11
Affects                    Status     Importance  Assigned to               Milestone
nepenthes (Ubuntu)         Confirmed  Wishlist    André Luiz Lima Menezes
polygen (Ubuntu)           Confirmed  Wishlist    André Luiz Lima Menezes
pymilter-milters (Ubuntu)  Won't Fix  Wishlist    André Luiz Lima Menezes

Bug Description

I have Symantec Antivirus 1.0.9 installed on my Ubuntu 10.04 machine. I also host a local mirror of the repos for local employees. During one of the scheduled scans, there were many detections on source packages in the repos. I've included attachments below with information on each quarantined file, as well as a comma separated list of the scan logs from that day.

Thomas Mashos (tgm4883) wrote :

Also, I should note that these could be false positives. Per a conversation with Kees on IRC, I have opened this bug for further investigation.

Kees Cook (kees) wrote :

Looks like pymilters is actually shipping viruses (as part of its test suite). They should probably be adjusted to only use EICAR.

visibility: private → public
affects: ubuntu → pymilter-milters (Ubuntu)
Changed in pymilter-milters (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Kees Cook (kees) wrote :

nepenthes looks like an example/test too.

Changed in nepenthes (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Kees Cook (kees) wrote :

I don't know OCaml, but the polygen hit seems like a false positive too. It seems to be a joke, not actual code (I hope).

Changed in polygen (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
summary: - Threat detections in repo source packages
+ Anti-virus threat detections in repo source packages

On Fri 11 Jun 2010, Kees Cook wrote:
> nepenthes looks like an example/test too.

It's a doc file. I may remove it... But clearly it is not a threat.

l.

Scott Kitterman (kitterman) wrote :

I emailed the pymilter upstream to get his feedback.

Scott Kitterman (kitterman) wrote :

Upstream feedback:

I understand where they are coming from, but EICAR does not work for
these test cases. The viruses are deactivated. Pymilter is not a
traditional antivirus that looks for signatures. It simply bans
executable content. Many viruses attempt to disguise their
executability, taking advantage of how malformed emails are handled.
That's what the test cases are about.
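
The upstream reply describes the filtering approach (ban executable content by what it is, not by signature) without showing code. As an added illustration, not pymilter-milters' own code, here is a minimal Python check in that spirit: it walks a parsed MIME message and flags any part whose filename ends in an executable extension after normalising the usual disguises (a double extension such as .TXT.vbs, trailing spaces or dots, a hidden {CLSID} suffix), or whose decoded bytes start with an executable header regardless of the declared Content-Type. The extension list, the magic prefixes, the function names and the sample message are the editor's assumptions; the sample is constructed and contains no real executable or script.

```python
"""Added example: a 'ban executable content' attachment check in the
spirit of the upstream comment. Not pymilter's code; all names, lists
and the sample message below are assumptions made for illustration."""
import base64
import email
import re
from email import policy

# Assumption: a representative set of executable/script extensions,
# not the list any particular milter configures.
BANNED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "lnk", "dll", "msi", "ps1",
}

# Leading bytes that mark executable content whatever the declared type.
MAGIC = (
    (b"MZ", "MZ header: DOS/Windows executable"),
    (b"\x7fELF", "ELF header: Unix executable"),
    (b"#!", "shebang: interpreter script"),
)

_CLSID_SUFFIX = re.compile(
    r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")


def normalise_filename(filename):
    """Lower-case the name and undo the tricks used to hide the real
    extension: surrounding whitespace, trailing dots/spaces, and a
    trailing {CLSID} component that Windows Explorer does not display."""
    name = filename.strip().lower()
    name = _CLSID_SUFFIX.sub("", name)
    return name.rstrip(". ")


def banned_extension(filename):
    """Return the banned final extension of `filename`, or None.
    Only the last component counts, so LOVE-LETTER-FOR-YOU.TXT.vbs
    is caught while report.exe.txt is not."""
    if not filename:
        return None
    name = normalise_filename(filename)
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[-1]
    return ext if ext in BANNED_EXTENSIONS else None


def executable_magic(data):
    """Return a reason string if `data` starts with an executable header."""
    for prefix, reason in MAGIC:
        if data.startswith(prefix):
            return reason
    return None


def scan_message(raw):
    """Parse a raw RFC 5322 message and return [(filename, reason)] for
    every leaf part that carries executable content. The declared
    Content-Type is deliberately ignored: a text/plain part with an MZ
    payload is still flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ext = banned_extension(filename)
        if ext:
            findings.append((filename, f"banned extension .{ext}"))
            continue
        payload = part.get_payload(decode=True) or b""
        reason = executable_magic(payload)
        if reason:
            findings.append((filename or "<unnamed part>", reason))
    return findings


# Constructed sample message: one harmless text part, one part whose
# filename hides a .vbs behind .TXT, and one part declared text/plain
# whose base64 payload starts with an MZ header (a stub, not a binary).
SAMPLE_MESSAGE = (
    b"From: sender@example.com\r\n"
    b"To: recipient@example.com\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please see the attached files.\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; name="LOVE-LETTER-FOR-YOU.TXT.vbs"\r\n'
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"rem placeholder body, not a real script\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; name="readme.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(b"MZ\x90\x00 constructed stub, not an executable")
    + b"\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for name, why in scan_message(SAMPLE_MESSAGE):
        print(f"REJECT {name}: {why}")
```

Running the block prints one REJECT line for the .TXT.vbs part and one for the MZ payload hiding behind a text/plain header. A real milter would also have to cope with the malformed MIME the upstream mentions (broken boundaries, duplicated headers, bad encodings), which Python's parser tolerates to some degree but which is exactly why upstream keeps deactivated real-world samples rather than EICAR, whose only purpose is to match an AV signature.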

Scott Kitterman (kitterman) wrote :

I think that qualifies as a false positive, but I understand why it tripped a scan.

Scott Kitterman (kitterman) wrote :

Upstream for pymilter-milters is willing to work on better test cases that don't trip the A/V checks. It would be helpful to know which files caused the problems.

Changed in pymilter-milters (Ubuntu):
status: Confirmed → Incomplete
Thomas Mashos (tgm4883) wrote :

Running a manual scan on the downloaded orig.tar.gz from an apt-get source produces the following 7 alerts.

Scan Type: Manual Scan
Event: Threat Found!
Threat: VBS.LoveLetter.A
File: /home/thomas/code/pymilter-milters_0.8.13.orig.tar.gz>>/home/th...>>pymilter-milters-0.8.13/test/virus1
Location: Quarantine
Computer: earth
User: root
Action Taken: Quarantine succeeded
Date found: Thu 09 Sep 2010 02:02:47 PM PDT

Scan Type: Manual Scan
Event: Threat Found!
Threat: VBS.LoveLetter.A
File: /home/thomas/code/pymilter-milters_0.8.13.orig.tar.gz>>/home/th...>>pymilter...>>LOVE-LETTER-FOR-YOU.TXT.vbs
Location: Quarantine
Computer: earth
User: root
Action Taken: Quarantine succeeded
Date found: Thu 09 Sep 2010 02:02:47 PM PDT

Scan Type: Manual Scan
Event: Threat Found!
Threat: W32.Nimda.enc
File: /home/thomas/code/pymilter-milters_0.8.13.orig.tar.gz>>/home/th...>>pymilter-milters-0.8.13/test/virus4
Location: Quarantine
Computer: earth
User: root
Action Taken: Quarantine succeeded
Date found: Thu 09 Sep 2010 02:02:47 PM PDT

Scan Type: Manual Scan
Event: Threat Found!
Threat: W32.Nimda.enc
File: /home/thomas/code/pymilter-milters_0.8.13.orig.tar.gz>>/home/th...>>pymilter...>>Unknown0000002E.data
Location: Quarantine
Computer: earth
User: root
Action Taken: Quarantine succeeded
Date found: Thu 09 Sep 2010 02:02:47 PM PDT

Scan Type: Manual Scan
Event: Threat Found!
Threat: W32.Aliz.Worm
File: /home/thomas/code/pymilter-milters_0.8.13.orig.tar.gz>>/home/th...>>pymilter-milters-0.8.13/test/virus5
Location: Quarantine
Computer: earth
User: root
Action Taken: Quarantine succeeded
Date found: Thu 09 Sep 2010 02:02:47 PM PDT

Scan Type: Manual Scan
Event: Threat Found!
Threat: W32.Aliz.Worm
File: /home/thomas/code/pymilter-milters_0.8.13.orig.tar.gz>>/home/th...>>pymilter...>>Unknown0000002E.data
Location: Quarantine
Computer: earth
User: root
Action Taken: Quarantine succeeded
Date found: Thu 09 Sep 2010 02:02:47 PM PDT

Scan Type: Manual Scan
Event: Threat Found!
Threat:
File: /home/thomas/code/pymilter-milters_0.8.13.orig.tar.gz
Location: Quarantine
Computer: earth
User: root
Action Taken: Quarantine succeeded
Date found: Thu 09 Sep 2010 02:02:47 PM PDT

Interestingly enough, when I run it on the pymilter-milters directory, I only get the following 3 alerts

Scan Type: Manual Scan
Event: Threat Found!
Threat: W32.Aliz.Worm
File: /home/thomas/code/pymilter-milters-0.8.13/test/virus5
Location: Quarantine
Computer: earth
User: root
Action Taken: Quarantine succeeded
Date found: Thu 09 Sep 2010 02:06:34 PM PDT

Scan Type: Manual Scan
Event: Threat Found!
Threat: VBS.LoveLetter.A
File: /home/thomas/code/pymilter-milters-0.8.13/test/virus1
Location: Quarantine
Computer: earth
User: root
Action Taken: Quarantine succeeded
Date found: Thu 09 Sep 2010 02:06:34 PM PDT

Scan Type: Manual Scan
Event: Threat Found!
Threat: W32.Nimda.enc
File: /home/thomas/code/pymilter-milters-0.8.13/test/virus4
Location: Quarantine
Computer: earth
User: root
Action Taken: Quarantine succeeded
Date found: Thu 09 Sep 2010 02:06:34 PM PDT

As these are Symantec detections, and threat names vary between different AV vendors, information for these threats can be found at
http://www.sym...


security vulnerability: yes → no
Kees Cook (kees) on 2011-06-01
Changed in pymilter-milters (Ubuntu):
status: Incomplete → Confirmed
status: Confirmed → Won't Fix
Kees Cook (kees) wrote :

The logs don't contain any path details for the following packages, so I haven't been able to check them:

dbacl
amavis-ng
amavisd-new
kcmpureftpd
boxbackup

Changed in nepenthes (Ubuntu):
assignee: nobody → André Luiz Lima Menezes (andre201820)
Changed in polygen (Ubuntu):
assignee: nobody → André Luiz Lima Menezes (andre201820)
Changed in pymilter-milters (Ubuntu):
assignee: nobody → André Luiz Lima Menezes (andre201820)