Bug#1051235: aircrack-ng: package file and binary reported as malware/mirai by 3 different malware scanners


Hugues Hiegel

Sep 4, 2023, 3:40:04 PM
Package: aircrack-ng
Version: 1.7-5_amd64
Severity: normal
Tags: security
X-Debbugs-Cc: hug...@hiegel.fr, Debian Security Team <te...@security.debian.org>

Hello,

Scanning an entire mirror of binary (amd64) packages from Debian stable
using a white station led to consistent alerts raised by three different
scanners (out of ~10) with the aircrack-ng package. The following are the
exact alert messages:

file: aircrack-ng/aircrack-ng_1.7-5_amd64.deb
sha256: 2c128adb6fef5864952205dab30ca361fdc677ea1d3cfce4424790f7cc69bfc6

- bitdefender : Trojan.Linux.Generic.274536
- avira : SPR/ANDR.Mirai.A
- fsecure : PrivacyRisk.SPR/ANDR.Mirai.A (6, 1, 1)


I obtain almost the same results with a subtle variant (Mirai.A ->
Mirai.qahkj) while scanning the aircrack-ng binary itself, which I
extracted directly from the .deb package:

file: aircrack-ng/aircrack-ng_1.7-5_amd64/usr/bin/aircrack-ng
sha256: d58a36fa6360bac0419650786e690f4691a3ba62f3710eb7db24d6d5d90e7c71

- bitdefender : Trojan.Linux.Generic.274536
- avira : SPR/ANDR.Mirai.qahkj
- fsecure : PrivacyRisk.SPR/ANDR.Mirai.qahkj (6, 1, 1)


I struggle to find evidence of a possible false alert, which makes me
consider this a potentially credible issue. I would gladly help
investigate this further, if needed.

With best regards,
Hugues.

-- System Information:
Debian Release: 12.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-50-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
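
Before asking whether a scanner verdict is a false positive, the first thing to settle is whether the file on the mirror is byte-for-byte the one the Debian archive published. The following is an added example (not from this bug thread or the aircrack-ng project) that parses a `Packages` index and compares the recorded `SHA256` field with the hash of a downloaded `.deb`; the index hashes are themselves covered by the signed `Release`/`InRelease` file, so a match ties the file to what the archive shipped (not to its being benign). The stanza and the stand-in file bytes are constructed for the demonstration; the helper names `parse_packages_index` and `verify_deb` are mine, and the version string `1:1.7-5` follows the epoch visible in the `debian/1%1.7-5` tag mentioned later in the thread.

```python
"""Check a downloaded .deb against the SHA256 recorded in the archive's
Packages index (itself covered by the signed Release file). Added example;
the stanza and file bytes below are constructed and are not real archive data."""
import hashlib
import re


def parse_packages_index(text):
    """Parse a Debian Packages file (RFC 822-style stanzas separated by blank
    lines) into a dict keyed by (Package, Version, Architecture)."""
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):  # continuation line of a multi-line field, e.g. Description
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            index[(fields["Package"], fields.get("Version"), fields.get("Architecture"))] = fields
    return index


def verify_deb(index, package, version, arch, data):
    """Return (status, expected_sha256, actual_sha256); status is 'match',
    'mismatch', or 'unknown' when the index has no SHA256 for that package."""
    actual = hashlib.sha256(data).hexdigest()
    entry = index.get((package, version, arch))
    if entry is None or "SHA256" not in entry:
        return "unknown", None, actual
    expected = entry["SHA256"].lower()
    return ("match" if expected == actual else "mismatch"), expected, actual


# Constructed sample: a stand-in for the .deb bytes and a two-stanza index whose
# first SHA256 is computed from those bytes (a real index ships its own value).
SAMPLE_DEB = b"constructed stand-in for aircrack-ng_1.7-5_amd64.deb\n"
SAMPLE_INDEX = f"""Package: aircrack-ng
Version: 1:1.7-5
Architecture: amd64
Filename: pool/main/a/aircrack-ng/aircrack-ng_1.7-5_amd64.deb
Size: {len(SAMPLE_DEB)}
SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}
Description: constructed one-line description
 Continuation lines start with a space and are skipped by the parser.

Package: other-package
Version: 0.1
Architecture: amd64
SHA256: {'0' * 64}
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 6:  # usage: script Packages-file deb-file package version arch
        with open(sys.argv[1]) as fh, open(sys.argv[2], "rb") as deb:
            idx, data = parse_packages_index(fh.read()), deb.read()
        print(verify_deb(idx, sys.argv[3], sys.argv[4], sys.argv[5], data))
    else:
        idx = parse_packages_index(SAMPLE_INDEX)
        print(verify_deb(idx, "aircrack-ng", "1:1.7-5", "amd64", SAMPLE_DEB))
        print(verify_deb(idx, "aircrack-ng", "1:1.7-5", "amd64", SAMPLE_DEB + b"tampered"))
```

Run without arguments it checks the constructed sample (one match, one deliberate mismatch); with a real `Packages` file and `.deb` it reports whether the downloaded file is the one the index describes. A `mismatch` here is a far stronger signal than a scanner label, and a `match` moves the question to whether the archive's own build is what the scanners object to.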

Samuel Henrique

Sep 4, 2023, 5:40:05 PM
Hello Hugues,

> I obtain almost the same results with a subtle variant (Mirai.A ->
> Mirai.qahkj) while scanning the aircrack-ng binary itself, which I
> extracted directly from the .deb package:
>
> file: aircrack-ng/aircrack-ng_1.7-5_amd64/usr/bin/aircrack-ng
> sha256: d58a36fa6360bac0419650786e690f4691a3ba62f3710eb7db24d6d5d90e7c71
>
> - bitdefender : Trojan.Linux.Generic.274536
> - avira : SPR/ANDR.Mirai.qahkj
> - fsecure : PrivacyRisk.SPR/ANDR.Mirai.qahkj (6, 1, 1)

Considering aircrack-ng is open source (and our aircrack-ng packaging
too), this seems very unlikely; it would have been caught much earlier
by other people.
It's also common for scanners to trigger false positives on
security-related tools.

> I struggle to find evidence of a possible false alert, which makes me
> consider this a potentially credible issue. I would gladly help
> investigate this further, if needed.

What did you look for when investigating this as a false positive?

Do you get the same finding when scanning the package's source code?
https://salsa.debian.org/pkg-security-team/aircrack-ng

Thank you for the report,

--
Samuel Henrique <samueloph>

Hugues Hiegel

Sep 5, 2023, 4:40:05 AM

Hi Samuel,

On 04-09-2023 23:28, Samuel Henrique wrote:
> Hello Hugues,
>
>> I obtain almost the same results with a subtle variant (Mirai.A ->
>> Mirai.qahkj) while scanning the aircrack-ng binary itself, which I
>> extracted directly from the .deb package:
>>
>> file: aircrack-ng/aircrack-ng_1.7-5_amd64/usr/bin/aircrack-ng
>> sha256: d58a36fa6360bac0419650786e690f4691a3ba62f3710eb7db24d6d5d90e7c71
>>
>> - bitdefender : Trojan.Linux.Generic.274536
>> - avira : SPR/ANDR.Mirai.qahkj
>> - fsecure : PrivacyRisk.SPR/ANDR.Mirai.qahkj (6, 1, 1)
>
> Considering aircrack-ng is open source (and our aircrack-ng packaging
> too), this seems very unlikely; it would have been caught much earlier
> by other people.

That’s also my guess :-)
However, that is not sufficient to prove to my client that this package is
harmless, hence my research and this bug report.

> It's also common for scanners to trigger false positives on
> security-related tools.

The problem appears when none of these scanners provide any
information about *why* they consider such a binary potentially
dangerous.
In a sense, I guess they are obfuscating the way they detect such
malware, but that's pretty annoying in our case.

>> I struggle to find evidence of a possible false alert, which makes me
>> consider this a potentially credible issue. I would gladly help
>> investigate this further, if needed.
>
> What did you look for when investigating this as a false positive?

At first, I did some searching around the web (qwant + google) with the
aircrack-ng and mirai keywords, with absolutely no results.
Then, I rebuilt the aircrack-ng package with git-buildpackage from a
docker container based on debian bookworm; the result is completely
clean after scanning.
Comparing the hexdump of both binaries (the official Debian one, and mine)
showed very few differences, apart from the embedded build information. But
it’s always hard to tell whether they are or aren’t meaningful...

I didn’t go very far.

> Do you get the same finding when scanning the package's source code?
> https://salsa.debian.org/pkg-security-team/aircrack-ng

Absolutely not. The source code is completely clean after the same
scanning.
(And yes, I did check out the "debian/1%1.7-5" git tag.)
I may try in a couple of hours with the contents from 'apt source
aircrack-ng' from the same repository, if you want.

> Thank you for the report,

You are welcome!
Br, Hugues.
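
The reporter's comparison above was a raw hexdump of the official binary against a locally rebuilt one, which makes it hard to say whether a difference is "embedded build information" or something else. The following is an added example (not from this thread or the aircrack-ng project) that localizes differences per ELF section instead, so build-related sections such as `.comment` or `.note.gnu.build-id` can be told apart from changes in `.text` or data sections. It handles only little-endian ELF64 images and keys sections by name; the two sample images are constructed inside the block by a helper of my own (`build_minimal_elf`), and `parse_sections` and `diff_sections` are likewise my names. For a full, format-aware comparison of real packages, diffoscope remains the tool of choice; this is a quick triage aid.

```python
"""Compare two ELF64 binaries section by section, so that differences can be
attributed to specific sections (e.g. build-id or compiler notes) rather than
read off a raw hexdump. Added example, not from the thread or aircrack-ng;
only little-endian ELF64 files are handled and sections are keyed by name."""
import struct
import sys

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"        # Elf64_Shdr, 64 bytes
SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8


def parse_sections(data):
    """Return {section_name: bytes} for a little-endian ELF64 image.
    SHT_NOBITS sections (.bss) occupy no file bytes and map to b''."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (*_, shoff, _flags, _ehsize, _phentsize, _phnum,
     shentsize, shnum, shstrndx) = struct.unpack_from(EHDR_FMT, data, 0)
    hdrs = [struct.unpack_from(SHDR_FMT, data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = hdrs[shstrndx][4], hdrs[shstrndx][5]
    strtab = data[str_off:str_off + str_size]  # section name string table
    sections = {}
    for name_idx, sh_type, _sflags, _addr, off, size, *_ in hdrs[1:]:  # skip SHN_UNDEF
        name = strtab[name_idx:strtab.index(b"\0", name_idx)].decode()
        sections[name] = b"" if sh_type == SHT_NOBITS else data[off:off + size]
    return sections


def diff_sections(sec_a, sec_b):
    """Return {name: verdict}; verdict is 'same', 'only in A', 'only in B' or
    ('differs', first_differing_offset, len_a, len_b)."""
    report = {}
    for name in sorted(set(sec_a) | set(sec_b)):
        if name not in sec_a:
            report[name] = "only in B"
        elif name not in sec_b:
            report[name] = "only in A"
        elif sec_a[name] == sec_b[name]:
            report[name] = "same"
        else:
            a, b = sec_a[name], sec_b[name]
            first = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))
            report[name] = ("differs", first, len(a), len(b))
    return report


def build_minimal_elf(sections):
    """Construct a minimal ELF64 image containing just the given {name: bytes}
    sections plus .shstrtab (no program headers). Used only to produce the
    constructed sample inputs below."""
    names = list(sections) + [".shstrtab"]
    shstrtab, name_off = b"\0", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    blobs = [sections[n] for n in sections] + [shstrtab]
    body, offsets = b"", []
    for blob in blobs:
        offsets.append(64 + len(body))  # section contents follow the 64-byte header
        body += blob
    shoff = 64 + len(body)              # section header table after the contents
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))  # index 0 is the reserved null header
    for n, blob, off in zip(names, blobs, offsets):
        sh_type = SHT_STRTAB if n == ".shstrtab" else SHT_PROGBITS
        shdrs += struct.pack(SHDR_FMT, name_off[n], sh_type, 0, 0, off, len(blob), 0, 0, 1, 0)
    shnum = len(names) + 1
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, LSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, e_ident, 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, shnum - 1)
    return ehdr + body + shdrs


# Constructed samples: identical code, different compiler note and build-id.
SAMPLE_A = build_minimal_elf({".text": b"\x55\x48\x89\xe5\xc3",
                              ".comment": b"GCC: (build A)\0",
                              ".note.gnu.build-id": b"\x01" * 20})
SAMPLE_B = build_minimal_elf({".text": b"\x55\x48\x89\xe5\xc3",
                              ".comment": b"GCC: (build B)\0",
                              ".note.gnu.build-id": b"\x02" * 20})

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script official-binary rebuilt-binary
        with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
            a, b = fa.read(), fb.read()
    else:
        a, b = SAMPLE_A, SAMPLE_B
    for name, verdict in diff_sections(parse_sections(a), parse_sections(b)).items():
        print(f"{name:24} {verdict}")
```

On the constructed samples the report shows `.text` and `.shstrtab` as `same` and the two note sections as `differs`, with the offset of the first differing byte; on real files, a difference confined to `.comment`, `.note.gnu.build-id` or debug sections is consistent with a rebuild, whereas a difference in `.text`, `.rodata` or `.data` is what would need explaining.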