Clamav detects Trojans

I have just scanned my system and clamav has detected a few suspect files:

File: .cache/mozilla/firefox/jqxk4r44.default/cache2/entries/750B6E2F1286....
Status: PUA.Win.Exploit.CVE_2012_1461-1

File: .cache/mozilla/firefox/jqxk4r44.default/cache2/entries/F099C33HJ45J....
Status: PUA.Win.Exploit.CVE_2012_1461-1

File: .config/libreoffice/4/user/basic/Standard/Module1.xba
Status: PUA.Doc.Tool.LibreOfficeMacro-2

File: Downloads/nodejs/node-v8.9.4-linux-x64/lib/node_modules/imurmurhash/imurmurhash.min.js
Status: PUA.Win.Trojan.Xored-1

How likely is it that these files are real threats / trojans?


Solution 1:

PUA.Win.Exploit.CVE_2012_1461-1

  • PUA means "potentially unwanted application". PUAs are not viruses; those are claims by clamav that there is an application they consider "unwanted" because that file or extension has been proven to be abused in Windows.
  • Win as 2nd part means it is a Windows related notice.
  • clamav has an option to not scan for PUAs.

My conclusion: nothing to worry about.

That leaves ...

PUA.Doc.Tool.LibreOfficeMacro-2

.config/libreoffice/4/user/basic/Standard/Module1.xba has an extension clamav trips on. They believe xba, Visual Basic macros, are considered "unwanted". See Clamtk reports these LibreOffice files as possible threats. Are they safe? for a more complete list, the answers and comments.

ClamAV is notoriously flawed software: basing your scans and warnings on Windows and then applying them to Linux does not and will never work.

When you see a notice like this, and you really believe clamav is the tool to use, the next step is to check with a 2nd source: for instance upload the file to a site like VirusTotal or use a 2nd virus scanner together with clamav (when both claim the same problem you investigate; otherwise consider them false positives).

But I would ditch clamav altogether and follow a Linux based method: use debsums (link to man page) to check packages (link to a howto).

And when you are really paranoid (here's looking at you Panda) use all of the above ;)
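As an added example of the package-integrity check this answer recommends (not the answer's own code, and not debsums itself): debsums compares each file a package owns against the MD5 list dpkg stored at install time, so a flagged file that still matches its recorded checksum is exactly what the repository shipped, and a mismatch is worth a closer look. The script below reimplements that comparison and also produces a SHA-256 for a hash lookup on VirusTotal or a similar service, so you can get a second opinion without uploading the file. The only real-system assumption is dpkg's layout: `/var/lib/dpkg/info/<pkg>.md5sums` with lines of `<md5hex>  <path relative to />`. The package tree and md5sums list used by `demo()` are constructed in a temporary directory, so the script runs on any host.

```python
"""Verify a flagged file against the checksums dpkg recorded at install time
(the check debsums performs) and compute a SHA-256 for a hash lookup on a
second-opinion service.  Added example, not the answer's own code.  Real
on-disk layout assumed: /var/lib/dpkg/info/<pkg>.md5sums holds lines of
'<md5hex>  <path relative to />'.  The package tree and md5sums list used by
demo() are constructed in a temporary directory so this runs on any host."""

import hashlib
import tempfile
from pathlib import Path

DPKG_INFO = Path("/var/lib/dpkg/info")


def parse_md5sums(text):
    """'<md5>  <relative path>' lines -> {relative path: md5hex}."""
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, rel = line.partition("  ")
            expected[rel] = digest.lower()
    return expected


def load_package_md5sums(package):
    """Read the list dpkg keeps for an installed package (Debian/Ubuntu only)."""
    return parse_md5sums((DPKG_INFO / f"{package}.md5sums").read_text())


def file_digest(path, algo="md5"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_md5sums(root, expected):
    """{relative path: 'OK' | 'MODIFIED' | 'MISSING'} for every owned file."""
    results = {}
    for rel, digest in expected.items():
        p = Path(root) / rel
        if not p.is_file():
            results[rel] = "MISSING"
        elif file_digest(p) == digest:
            results[rel] = "OK"
        else:
            results[rel] = "MODIFIED"
    return results


def sha256_for_lookup(path):
    """Hash to search on VirusTotal or similar rather than uploading the file."""
    return file_digest(path, "sha256")


def demo():
    """Constructed sample: a two-file 'package' whose JS file is altered after
    install.  Returns the per-file verdicts and the altered file's SHA-256."""
    files = {
        "usr/share/javascript/jquery-ui/jquery-ui.min.js": b"/*! jQuery UI */(function(){})();\n",
        "usr/share/doc/libjs-jquery-ui/copyright": b"Expat\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        # The list the package would have shipped, built from the pristine bytes.
        md5sums = "".join(f"{hashlib.md5(d).hexdigest()}  {rel}\n" for rel, d in files.items())
        # Post-install change to one file (constructed tampering, nothing malicious).
        js = Path(root) / "usr/share/javascript/jquery-ui/jquery-ui.min.js"
        js.write_bytes(js.read_bytes() + b"// appended after install\n")
        verdicts = verify_against_md5sums(root, parse_md5sums(md5sums))
        digest = sha256_for_lookup(js)
    return {"files": verdicts, "sha256": digest}


if __name__ == "__main__":
    out = demo()
    for rel, verdict in out["files"].items():
        print(f"{verdict:9s} {rel}")
    print("sha256 for lookup:", out["sha256"])
```

On a real Debian or Ubuntu box the same check against the package in this thread is `verify_against_md5sums("/", load_package_md5sums("libjs-jquery-ui"))`; a file that comes back `OK` is byte-for-byte what the archive shipped, which is the repository comparison the reinstall-and-rescan step in the other answer performs by hand.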

Solution 2:

I wouldn't dismiss this warning so lightly; it says PUA

Module1.xba: PUA.Doc.Tool.LibreOfficeMacro-2 FOUND
dotjoshjohnson.xml-2.5.1: PUA.Win.Trojan.Xored-1 FOUND
ms-azuretools.vscode-docker-1.8.1: PUA.Win.Trojan.Xored-1 FOUND
file-downloader-PUA.Win.Adware.Qjwmonkey-6892535-0 FOUND
BouncyCastle.Crypto.dll: PUA.Win.Adware.Qjwmonkey-6892535-0 FOUND
BouncyCastle.Crypto.dll: PUA.Win.Adware.Qjwmonkey-6892535-0 FOUND
jquery-ui.min.js: PUA.Win.Trojan.Generic-6888382-0 FOUND

So IMHO, you can dismiss the LibreOffice macro because it detects it as a LibreOffice macro, though I might remove them anyway; I would have to test it and see if it is something I use. The file downloader and adware are just crapware, but a potential risk. The others concern me because they detect as a trojan. Now the reason I have some concern here is:

# ifconfig | grep inet
inet 10.0.0.58 netmask 255.0.0.0 broadcast 10.255.255.255
inet6 xxx prefixlen 64 scopeid 0x20
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10

Now I have suricata as an IDS, and looking at the fast.log

12/11/2020-11:42:30.052835 [] [1:2025331:3] ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) [] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.58:56692 -> 216.239.36.21:443

Doing a whois on 216.239.36.21 shows that it is a Google server; however, we don't know if it is a Google service, a customer of the cloud services or a compromised server. Going to the site, it appears that it is on a content server because it 404s; trying to go to HTTPS shows that it cannot provide a secure connection. Looking deeper at it, the file doesn't appear to be provided by a package.

dpkg -S /usr/share/javascript/jquery-ui/jquery-ui.min.js
libjs-jquery-ui: /usr/share/javascript/jquery-ui/jquery-ui.min.js

This is a borderline case at this point because there is a package that provides it, looking at the package it shows that it is installed from the Ubuntu archives

apt-cache policy libjs-jquery-ui
libjs-jquery-ui:
  Installed: 1.12.1+dfsg-5
  Candidate: 1.12.1+dfsg-5
  Version table:
 *** 1.12.1+dfsg-5 500
        500 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu focal/universe i386 Packages
        100 /var/lib/dpkg/status

Now I can uninstall the package and reinstall it and scan it again and see if it is coming from the repository. If it is from the repository, then I would lean more towards a false positive. Otherwise, if it isn't from the repository I would lean more towards a potential threat.

Looking deeper as to how this could have gotten on the system in the first place, I look at my firewall

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
KUBE-FIREWALL  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:80
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8080
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:67
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:whois
ACCEPT     udp  --  anywhere             anywhere             udp dpt:43
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere  

Chain INPUT (policy DROP)
target     prot opt source               destination         
KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
KUBE-FIREWALL  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere         

Verified by Kali scan that shows all ports as filtered, so I know the threat could not have entered my system from any source but one of the programs that have been allowed access to my system. Now Chrome and Firefox run in user space, so they shouldn't have access to that file location. This leaves it down to apt, which would have access to the HTTPS port. That all said, my first task will be moving the file to another location to store it, typically making a copy to document it, then uninstall/reinstall the package and see if it is triggered again.

Here I would document the entire process, the associated IP addresses and why I made the decisions I did. This would be the standard procedure for documenting a compromised system. In a SOC you might want to take an image of the entire disk at this point; since I am fairly confident in my other security measures I am going to proceed and monitor the system for further signs of being compromised.

Now I have had problems with system errors popping up, so I am starting to lean more towards wiping the entire system and reloading from scratch after taking a careful backup, and I mean the Windows and Linux side.

Now if I had a SIEM active I would probably correlate the various security log warnings beyond the baseline, i.e. sort by commonality from baseline, and correlate a security event like this from the IDS log to the server logs. I would go further if I was getting paid to look into it, but this is my workstation and I can do without a feature or two to just not deal with having to dig that deep.

So continuing the statement above I then

apt remove libjs-jquery-ui

then

clamscan -r --bell --infected --detect-pua=yes --scan-elf=yes --scan-mail=yes --algorithmic-detection=yes --scan-pe=yes --scan-ole2=yes --scan-pdf=yes --scan-html=yes --scan-archive=yes --max-filesize=20000000 --max-scansize=20000000 /usr/share/javascript/

----------- SCAN SUMMARY -----------
Known viruses: 8964095
Engine version: 0.102.4
Scanned directories: 1619
Scanned files: 2733
Infected files: 0
Data scanned: 140.98 MB
Data read: 38.02 MB (ratio 3.71:1)
Time: 53.914 sec (0 m 53 s)

Then

rm -rf /directoriesToOtherFilesListedAsTrojan/

These were the two directories that had the other JS files, so I will rerun the entire scan over again and see if the alerts during the scan stop. They were plugins, so I just deleted the entire directory, but if they were in system locations I would have probably removed them the same way that I did with jquery.

Now time to install it again and rescan:

apt install  libjs-jquery-ui
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  gir1.2-ges-1.0 libges-1.0-0 python-matplotlib-data python3-cycler python3-kiwisolver
Use 'sudo apt autoremove' to remove them.
Suggested packages:
  libjs-jquery-ui-docs
The following NEW packages will be installed:
  libjs-jquery-ui
0 upgraded, 1 newly installed, 0 to remove and 17 not upgraded


clamscan -r --bell --infected --detect-pua=yes --scan-elf=yes --scan-mail=yes --algorithmic-detection=yes --scan-pe=yes --scan-ole2=yes --scan-pdf=yes --scan-html=yes --scan-archive=yes --max-filesize=20000000 --max-scansize=20000000 /usr/share/javascript/
/usr/share/javascript/jquery-ui/jquery-ui.min.js: PUA.Win.Trojan.Generic-6888382-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8964095
Engine version: 0.102.4
Scanned directories: 1628
Scanned files: 3050
Infected files: 1
Data scanned: 146.57 MB
Data read: 39.68 MB (ratio 3.69:1)
Time: 55.278 sec (0 m 55 s)

So this clearly shows that the library listed here is coming from the Ubuntu repository. Now I could get a static code analysis tool; I will use a linter to see if there is anything terribly obvious. The result is:

eslint /usr/share/javascript/jquery-ui/jquery-ui.min.js | grep -v "Missing semicolon"

/usr/share/javascript/jquery-ui/jquery-ui.min.js
   1:47     error  'define' is not defined                                          no-undef
   1:58     error  'define' is not defined                                          no-undef
   1:93     error  'jQuery' is not defined                                          no-undef
   1:4240   error  Empty block statement                                            no-empty
   1:16358  error  Unnecessary escape character: \+                                 no-useless-escape
   1:16360  error  Unnecessary escape character: \-                                 no-useless-escape
   1:25753  error  'undefined' is defined but never used                            no-unused-vars
   1:26638  error  Unnecessary escape character: \-                                 no-useless-escape
   1:26888  error  Unnecessary escape character: \%                                 no-useless-escape
   1:26912  error  Unnecessary escape character: \%                                 no-useless-escape
   1:26936  error  Unnecessary escape character: \%                                 no-useless-escape
   1:27495  error  Unnecessary escape character: \%                                 no-useless-escape
   1:27519  error  Unnecessary escape character: \%                                 no-useless-escape
   2:1      error  Expected indentation of 1 tab but found 0                        indent
   2:1864   error  Empty block statement                                            no-empty
   2:2023   error  Empty block statement                                            no-empty
   3:1      error  Expected indentation of 1 tab but found 0                        indent
   3:36     error  Unnecessary escape character: \/                                 no-useless-escape
   3:22586  error  Unnecessary escape character: \-                                 no-useless-escape
   3:22588  error  Unnecessary escape character: \[                                 no-useless-escape
   3:22603  error  Unnecessary escape character: \^                                 no-useless-escape
   3:31806  error  Unnecessary escape character: \-                                 no-useless-escape
   3:31808  error  Unnecessary escape character: \[                                 no-useless-escape
   3:31823  error  Unnecessary escape character: \^                                 no-useless-escape
   4:1      error  Expected indentation of 1 tab but found 0                        indent
   4:16597  error  Unnecessary escape character: \-                                 no-useless-escape
   4:27742  error  Empty block statement                                            no-empty
   5:11073  error  Empty block statement                                            no-empty
   5:11243  error  Unnecessary escape character: \-                                 no-useless-escape
   5:22972  error  Unnecessary escape character: \-                                 no-useless-escape
   5:23036  error  Unnecessary escape character: \-                                 no-useless-escape
   5:25812  error  Unnecessary escape character: \-                                 no-useless-escape
   5:25866  error  Unnecessary escape character: \-                                 no-useless-escape
   6:1      error  Expected indentation of 1 tab but found 0                        indent
   7:1      error  Expected indentation of 1 tab but found 0                        indent
   9:7372   error  Unnecessary escape character: \-                                 no-useless-escape
  10:1      error  Expected indentation of 1 tab but found 0                        indent
  10:996    error  'Globalize' is not defined                                       no-undef
  10:1171   error  'Globalize' is not defined                                       no-undef
  10:3398   error  Empty block statement                                            no-empty
  10:3460   error  Empty block statement                                            no-empty
  10:7130   error  Unnecessary escape character: \/                                 no-useless-escape
  10:7139   error  Unnecessary escape character: \[                                 no-useless-escape
  10:7143   error  Unnecessary escape character: \^                                 no-useless-escape
  10:10481  error  Expected a conditional expression and instead saw an assignment  no-cond-assign
  10:20588  error  Expected a conditional expression and instead saw an assignment  no-cond-assign

✖ 1167 problems (1167 errors, 0 warnings)
  1127 errors, 0 warnings potentially fixable with the `--fix` option.

I would have run the fix option and seen if that helps at all, but that isn't going to fix the detection.

This shows the following

cat /usr/share/javascript/jquery-ui/jquery-ui.min.js | tail -n1 -c100
tooltipClass&&tooltipData.tooltip.addClass(this.options.tooltipClass),tooltipData}});$.ui.tooltip});root@master-node

The problem here is that the entire js file has had all formatting removed to try and obfuscate the code, this alone should be a reason to delete the file and not use it. I am going to give the Ubuntu team the benefit of the doubt here and just assume this is a false positive since the linter shows common and low priority issues. One example is the - escape, this is very common, since it is used in a regex to imply a range such as [a-zA-Z] to my knowledge it is a special character in the regex statement and people often escape it to be sure.