Clamav detects Trojans
I have just scanned my system and clamav has detected a few suspect files:
File: .cahe/mozilla/firefox/jqxk4r44.default/cache2/entries/750B6E2F1286....
Status: PUA.Win.Exploit.CVE_2012_1461-1
File: .cahe/mozilla/firefox/jqxk4r44.default/cache2/entries/F099C33HJ45J....
Status: PUA.Win.Exploit.CVE_2012_1461-1
File: .config/libreoffice/4/user/basic/Standard/Module1.xba
Status: PUA.Doc.Tool.LibreOfficeMacro-2
File: Downloads/nodejs/node-v8.9.4-linux-x64/lib/node_modules/imurmurhash/imurmurhash.min.js
Status: PUA.Win.Trojan.Xored-1
How likely is it that these files are real threats / trojans?
Solution 1:
PUA.Win.Exploit.CVE_2012_1461-1
- PUA means "potential unwanted application". PUA are not virusses, those are claims by clamav that there is an application they consider "unwanted" because that file or extension have been proven to be abused in Windows
- Win as 2nd part means it is a Windows related notice.
- clamav has an option to not scan for PUA's.
My conclusion: nothing to worry about.
That leaves ...
PUA.Doc.Tool.LibreOfficeMacro-2
.config/libreoffice/4/user/basic/Standard/Module1.xba has an extension clamav trips on. They believe xba, visual basic macro's, are considered "unwanted". See Clamtk reports these LibreOffice files as possible threats. Are they safe? for a more complete list, the answers and comments.
ClamAV is notoriously flawed software: basing you scans and warnings on Windows and then apply them to Linux does not and will never work.
When you see a notice like this, and you really believe clamav is the tool to use, the next step is to check with a 2nd source: for instance upload the file to an site like virustotal or use a 2nd virusscan software together with clamav (where when both claim the same problem you investigate and otherwise consider them false positives).
But I would ditch clamav altogether and follow a Linux based method: use debsum (link to man page) to check packages (link to a howto).
And when you are really paranoid (here's looking at you Panda) use all of the above ;)
Solution 2:
I wouldn't dismiss this warning so lightly, it says PUA
Module1.xba: PUA.Doc.Tool.LibreOfficeMacro-2 FOUND
dotjoshjohnson.xml-2.5.1: PUA.Win.Trojan.Xored-1 FOUND
ms-azuretools.vscode-docker-1.8.1: PUA.Win.Trojan.Xored-1 FOUND
file-downloader-PUA.Win.Adware.Qjwmonkey-6892535-0 FOUND
BouncyCastle.Crypto.dll: PUA.Win.Adware.Qjwmonkey-6892535-0 FOUND
BouncyCastle.Crypto.dll: PUA.Win.Adware.Qjwmonkey-6892535-0 FOUND
jquery-ui.min.js: PUA.Win.Trojan.Generic-6888382-0 FOUND
So IMHO, you can dismiss the LibreOffice macro because it detects is as a libre office macro, Though I might remove them anyway, I would have to test it and see if it is something I use. the file downloader and adware is just crapware, but potential risk. The others concern me because they detect as a trojan. Now the reason I have some concern here is:
: # ifconfig |grep inet
inet 10.0.0.58 netmask 255.0.0.0 broadcast 10.255.255.255
inet6 xxx prefixlen 64 scopeid 0x20
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
Now I have suricata as a IDS, and looking at the fast.log
12/11/2020-11:42:30.052835 [] [1:2025331:3] ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) [] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.58:56692 -> 216.239.36.21:443
Doing a whois on 216.239.36.21 shows that it is a google server however we don't know if it is a Google service or a customer of the cloud services or a compromised server. Going to the site it appears that it is on a content server because it 404s, trying to go to HTTPS shows that it cannot provide a secure connection. Looking deeper at it, the file doesn't appear to be provided by a package.
dpkg -S /usr/share/javascript/jquery-ui/jquery-ui.min.js
libjs-jquery-ui: /usr/share/javascript/jquery-ui/jquery-ui.min.js
This is a borderline case at this point because there is a package that provides it, looking at the package it shows that it is installed from the Ubuntu archives
apt-cache policy libjs-jquery-ui libjs-jquery-ui: Installed: 1.12.1+dfsg-5 Candidate: 1.12.1+dfsg-5 Version table: *** 1.12.1+dfsg-5 500 500 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 Packages 500 http://us.archive.ubuntu.com/ubuntu focal/universe i386 Packages 100 /var/lib/dpkg/status
Now I can uninstall the package and reinstall it and scan it again and see if it is coming from the repository. If it is from the repository, then I would lean more towards a false positive. Otherwise, if it isn't from the repository I would lean more towards a potential threat.
Looking deeper as to how this could have gotten on the system in the first I look at my firewall
Chain OUTPUT (policy DROP)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:443
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:80
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:8080
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT udp -- anywhere anywhere udp dpt:8443
ACCEPT tcp -- anywhere anywhere tcp dpt:8443
ACCEPT tcp -- anywhere anywhere tcp dpt:67
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:whois
ACCEPT udp -- anywhere anywhere udp dpt:43
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain INPUT (policy DROP)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
Verified by Kali scan that shows all ports as filtered, so I know the threat could not have entered my system from any source but one of the programs that have been allowed access to my system. Now Chrome and firefox run in the user-space so they shouldn't have access to that file location. This leaves it down to apt which would have access to the HTTPS port. That all said, my first task will be moving the file to another location to store it, typically making a copy to document it, then uninstall/reinstall the package and see if its is triggered again.
Here I would document the entire process the IP addresses associated and why I made the decisions I did. This would be the standard procedure for documenting a compromised system. In a SOC, you might want to take an image of the entire disk at this point, since I am fairly confident in my other security measures I am going to proceed and monitor the system for further signs of being compromised.
Now I have had problems with system errors popping up so I am starting to lean more towards wiping the entire system and reloading from scratch after taking a careful backup and mean the windows and Linux side.
Now if I had a SIEM active I would probably correlate the various security log warning beyond the baseline, IE sort by commonality from baseline, and correlate a security event like this from the IDS log to the server logs. I would go further if I was getting paid to look into it, but this is my workstation and I can do without a feature or two to just not deal with having to dig that deep.
So continuing the statement above I then
apt remove libjs-jquery-ui
then
clamscan -r --bell --infected --detect-pua=yes --scan-elf=yes --scan-mail=yes --algorithmic-detection=yes --scan-pe=yes --scan-ole2=yes --scan-pdf=yes --scan-html=yes --scan-archive=yes --max-filesize=20000000 --max-scansize=20000000 /usr/share/javascript/
----------- SCAN SUMMARY -----------
Known viruses: 8964095
Engine version: 0.102.4
Scanned directories: 1619
Scanned files: 2733
Infected files: 0
Data scanned: 140.98 MB
Data read: 38.02 MB (ratio 3.71:1)
Time: 53.914 sec (0 m 53 s)
Then
rm -rf /directoriesToOtherFilesListedAsTrojan/
The two directories that had the other JS files, so I will rerun the entire scan over again and see if the alerts during the scan stop. They were plugins so I just deleted the entire directory, but if they were in system locations I would have probably removed them the same way that I did with jquery.
Now time to install it again and rescan:
apt install libjs-jquery-ui
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
gir1.2-ges-1.0 libges-1.0-0 python-matplotlib-data python3-cycler python3-kiwisolver
Use 'sudo apt autoremove' to remove them.
Suggested packages:
libjs-jquery-ui-docs
The following NEW packages will be installed:
libjs-jquery-ui
0 upgraded, 1 newly installed, 0 to remove and 17 not upgraded
clamscan -r --bell --infected --detect-pua=yes --scan-elf=yes --scan-mail=yes --algorithmic-detection=yes --scan-pe=yes --scan-ole2=yes --scan-pdf=yes --scan-html=yes --scan-archive=yes --max-filesize=20000000 --max-scansize=20000000 /usr/share/javascript/
/usr/share/javascript/jquery-ui/jquery-ui.min.js: PUA.Win.Trojan.Generic-6888382-0 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8964095
Engine version: 0.102.4
Scanned directories: 1628
Scanned files: 3050
Infected files: 1
Data scanned: 146.57 MB
Data read: 39.68 MB (ratio 3.69:1)
Time: 55.278 sec (0 m 55 s)
So this clearly shows that the library listed here is coming from the ubuntu repository, now I could get a static code analysis tool, I will use a linter to see if there is anything terribly obvious the result is :
eslint usr/share/javascript/jquery-ui/jquery-ui.min.js|grep -v "Missing semicolon"
/usr/share/javascript/jquery-ui/jquery-ui.min.js
1:47 error 'define' is not defined no-undef
1:58 error 'define' is not defined no-undef
1:93 error 'jQuery' is not defined no-undef
1:4240 error Empty block statement no-empty
1:16358 error Unnecessary escape character: \+ no-useless-escape
1:16360 error Unnecessary escape character: \- no-useless-escape
1:25753 error 'undefined' is defined but never used no-unused-vars
1:26638 error Unnecessary escape character: \- no-useless-escape
1:26888 error Unnecessary escape character: \% no-useless-escape
1:26912 error Unnecessary escape character: \% no-useless-escape
1:26936 error Unnecessary escape character: \% no-useless-escape
1:27495 error Unnecessary escape character: \% no-useless-escape
1:27519 error Unnecessary escape character: \% no-useless-escape
2:1 error Expected indentation of 1 tab but found 0 indent
2:1864 error Empty block statement no-empty
2:2023 error Empty block statement no-empty
3:1 error Expected indentation of 1 tab but found 0 indent
3:36 error Unnecessary escape character: \/ no-useless-escape
3:22586 error Unnecessary escape character: \- no-useless-escape
3:22588 error Unnecessary escape character: \[ no-useless-escape
3:22603 error Unnecessary escape character: \^ no-useless-escape
3:31806 error Unnecessary escape character: \- no-useless-escape
3:31808 error Unnecessary escape character: \[ no-useless-escape
3:31823 error Unnecessary escape character: \^ no-useless-escape
4:1 error Expected indentation of 1 tab but found 0 indent
4:16597 error Unnecessary escape character: \- no-useless-escape
4:27742 error Empty block statement no-empty
5:11073 error Empty block statement no-empty
5:11243 error Unnecessary escape character: \- no-useless-escape
5:22972 error Unnecessary escape character: \- no-useless-escape
5:23036 error Unnecessary escape character: \- no-useless-escape
5:25812 error Unnecessary escape character: \- no-useless-escape
5:25866 error Unnecessary escape character: \- no-useless-escape
6:1 error Expected indentation of 1 tab but found 0 indent
7:1 error Expected indentation of 1 tab but found 0 indent
9:7372 error Unnecessary escape character: \- no-useless-escape
10:1 error Expected indentation of 1 tab but found 0 indent
10:996 error 'Globalize' is not defined no-undef
10:1171 error 'Globalize' is not defined no-undef
10:3398 error Empty block statement no-empty
10:3460 error Empty block statement no-empty
10:7130 error Unnecessary escape character: \/ no-useless-escape
10:7139 error Unnecessary escape character: \[ no-useless-escape
10:7143 error Unnecessary escape character: \^ no-useless-escape
10:10481 error Expected a conditional expression and instead saw an assignment no-cond-assign
10:20588 error Expected a conditional expression and instead saw an assignment no-cond-assign
✖ 1167 problems (1167 errors, 0 warnings)
1127 errors, 0 warnings potentially fixable with the `--fix` option.
I would have run the fix option and see if that helps at all but that isn't going to fix the detection.
This shows the following
cat usr/share/javascript/jquery-ui/jquery-ui.min.js |tail -n1 -c100
tooltipClass&&tooltipData.tooltip.addClass(this.options.tooltipClass),tooltipData}});$.ui.tooltip});root@master-node
The problem here is that the entire js file has had all formatting removed to try and obfuscate the code, this alone should be a reason to delete the file and not use it. I am going to give the Ubuntu team the benefit of the doubt here and just assume this is a false positive since the linter shows common and low priority issues. One example is the - escape, this is very common, since it is used in a regex to imply a range such as [a-zA-Z] to my knowledge it is a special character in the regex statement and people often escape it to be sure.