Bug 1853414 - EPEL8 libemu: could contain malware
Summary: EPEL8 libemu: could contain malware
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: libemu
Version: epel8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Michal Ambroz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-07-02 15:23 UTC by Stephan
Modified: 2023-09-12 03:45 UTC (History)

Fixed In Version: libemu-0.2.0-19.20130410gitab48695.fc33 libemu-0.2.0-19.20130410gitab48695.el8 libemu-0.2.0-19.20130410gitab48695.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-28 02:44:06 UTC
Type: Bug
Embargoed:



Description Stephan 2020-07-02 15:23:36 UTC
Description of problem:

Malware detected in EPEL8 package

Version-Release number of selected component (if applicable): 8


How reproducible:

Always


Steps to Reproduce:
1. Enable EPEL8 as repo
2. Sync
3. Wait for error in satellite

Actual results:

Get error from zscaler for trojan.YVCM-7

Expected results:

Additional info:

Pkg link: http://ftp.nluug.nl/pub/os/Linux/distr/epel/8/Everything/x86_64/Packages/l/libemu-0.2.0-13.20130410gitab48695.el8.x86_64.rpm. Get the same result with other mirrors.

Comment 1 Fedora Admin user for bugzilla script actions 2020-11-22 14:55:34 UTC
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.

Comment 2 Fedora Admin user for bugzilla script actions 2021-04-18 00:34:02 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 3 Michal Ambroz 2021-04-19 00:23:41 UTC
Please can you be more specific which antivirus engine did this detection? 
Which file? The library itself (libemu.so.2.0.0) or the shell code test (sctest)?

Libemu is focused on analyzing binary shell codes - such as exploit payloads.
I can imagine that some AV might mis-fire on the procedure names being looked for.

But the binary package does not even contain the examples.
So I guess this is a false positive.

Comment 5 Michal Ambroz 2021-04-19 01:41:45 UTC
Binaries included in the rpm packages from the mirror and from the koji package are binary the same, so there was no compromise on the distribution:

$ sha256sum mirror/* koji/* |sort
266bd6e867c8088fca95b22f2da16fa8f1398f0d0a300a7215fc0d6ce240417a  koji/libemu.so.2.0.0
266bd6e867c8088fca95b22f2da16fa8f1398f0d0a300a7215fc0d6ce240417a  mirror/libemu.so.2.0.0

dd1448f427c7023abae6f2f218f51fd51bf393a442e7d39b02087d03b8a443e7  koji/scprofiler
dd1448f427c7023abae6f2f218f51fd51bf393a442e7d39b02087d03b8a443e7  mirror/scprofiler

fadbc6f0f5d486b1179982068e17fa155d47d9455265d624890c1f25bcda144d  koji/sctest
fadbc6f0f5d486b1179982068e17fa155d47d9455265d624890c1f25bcda144d  mirror/sctest
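The mirror-versus-koji comparison done above, written out as a reusable script. This is an added example and is not code from the bug report or from the libemu project. It assumes rpm2cpio and cpio are installed for unpacking, that both .rpm files have already been downloaded (the paths given to check_rpm_pair are caller-supplied placeholders), and that the Fedora signing key is imported if the rpm --checksig step is expected to report a valid signature. The manifest/compare step is plain sha256sum over an unpacked tree, so it also works on any two directories.

```shell
#!/bin/sh
# Added example (not from the bug report or libemu): compare the payload of an
# RPM fetched from a mirror against the same build fetched from koji, file by
# file, after checking the mirror copy's signature and digests with rpm.
# Assumptions: rpm2cpio, cpio, rpm and sha256sum are available; the .rpm paths
# passed to check_rpm_pair are placeholders supplied by the caller.

# Unpack an RPM payload into a directory (requires rpm2cpio and cpio).
extract_rpm() {
    rpm_file=$1
    dest=$2
    mkdir -p "$dest"
    rpm2cpio "$rpm_file" | (cd "$dest" && cpio -idm --quiet)
}

# Emit a sorted "sha256  ./relative/path" manifest of every regular file under
# a directory. Sorting by path makes two manifests directly comparable.
manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# Compare two unpacked trees. Returns 0 when every file is present in both
# with identical content, 1 when anything differs (both manifests are printed
# to stderr so the offending file is visible), 2 when a tree cannot be read.
compare_trees() {
    left=$(manifest "$1") || return 2
    right=$(manifest "$2") || return 2
    [ "$left" = "$right" ] && return 0
    printf 'Trees differ:\n%s\n--- versus ---\n%s\n' "$left" "$right" >&2
    return 1
}

# Full check for a downloaded pair: verify the mirror copy's signature and
# digests, unpack both RPMs, and compare the payloads byte for byte.
check_rpm_pair() {
    mirror_rpm=$1
    koji_rpm=$2
    work=$(mktemp -d) || return 2
    if ! rpm --checksig "$mirror_rpm"; then
        echo "signature/digest check failed for $mirror_rpm" >&2
        rm -rf "$work"
        return 1
    fi
    extract_rpm "$mirror_rpm" "$work/mirror" || { rm -rf "$work"; return 2; }
    extract_rpm "$koji_rpm" "$work/koji" || { rm -rf "$work"; return 2; }
    compare_trees "$work/mirror" "$work/koji"
    status=$?
    rm -rf "$work"
    return $status
}
```

Usage: check_rpm_pair libemu-from-mirror.rpm libemu-from-koji.rpm. A clean exit means the mirror shipped exactly what the build system produced; a non-zero exit from compare_trees names the file whose digest differs, which is the case that would point at the distribution channel rather than at an AV signature matching the bundled test shellcode.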

Comment 6 Michal Ambroz 2021-04-19 02:12:09 UTC
The sctest indeed contains various shell codes for testing.

libemu/tools/sctest/tests.c

$ sctest -l
0 ) win32_bind -  EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
1 ) win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com
2 ) win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
3 ) win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
4 ) win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=ShikataGaNai http://metasploit.com
5 ) win32_bind -  EXITFUNC=seh LPORT=4444 Size=349 Encoder=JmpCallAdditive http://metasploit.com
6 ) win32_reverse -  EXITFUNC=seh LHOST=216.75.15.231 LPORT=4321 Size=287 Encoder=None http://metasploit.com
7 ) win32_downloadexec -  URL=http://nepenthes.mwcollect.org/bad.exe Size=378 Encoder=None http://metasploit.com
8 ) win32_exec -  EXITFUNC=seh CMD=cmd -c ftp.exe -s foo.scripted_sequence; echo der fox hat die gans gezogen  Size=205 Encoder=None http://metasploit.com
9 ) some old dcom shellcode
10) brihgtstor discovery
11) amberg
12) lindau - linkbot connectback version
13) bremen - linkbot bind version
14) halle - filetransferr via csend
15) tills neuer
16) win32_bind pex & ./clet -S win32_bind_pex -b 50 -t -B -c -f ../spectrum/stat2 -a -n 123
17) clet decoded nop slide (144 0x90 decoded with ./clet -S 144nop -b 50 -t -B -c -f ../spectrum/stat2 -a -n 123) 
18) the hackers choice realplayer 8 exploit
19) win32_bind_vncinject -  VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=287 Encoder=None http://metasploit.com
20) windows/vncinject/reverse_tcp - 177 bytes (stage 1) http://www.metasploit.com DisableCourtesyShell=false, VNCHOST=127.0.0.1, VNCPORT=5900, EXITFUNC=seh, DLL=/tmp/framework-3.0/data/vncdll.dll, LPORT=4444, LHOST=192.168.53.20, AUTOVNC=true
21) till sein lsass dump
22) bindshell::schoenborn
23) sqlslammer
24) linux bindshell
25) Windows bindshell 0.0.0.0:8594 - tried exploit PNP_QueryResConfList/MS05-39
26) Windows bind filetransfer 0.0.0.0:38963 - tried to exploit DsRolerUpgradeDownlevelServer/MS04-11
27) libemu dos
28) windows/shell_bind_tcp AutoRunScript=, EXITFUNC=process, InitialAutoRunScript=, LPORT=4444, RHOST= http://www.metasploit.com
29) crash in loadlibrary
30) crash in fwrite
31) crash in lwrite/hwrite
32) crash in malloc
33) crash in send
34) crash in execve


It can be used to test the libemu solution like:
# Generate test case #10 to stdout
sctest -vvv -d 10 | \
# Process the shell-code buffer with libemu and flag suspicious calls.
sctest -gvS -s 10000000

Sample output:
verbose = 1
success offset = 0x0000001a
Hook me Captain Cook!
userhooks.c:132 user_hook_ExitThread
ExitThread(4712)
stepcount 271867
HMODULE LoadLibraryA (
     LPCTSTR lpFileName = 0x00416fc6 => 
           = "ws2_32";
) = 0x71a10000;
int WSAStartup (
     WORD wVersionRequested = 257;
     LPWSADATA lpWSAData = 4288054;
) =  0;
SOCKET WSASocket (
     int af = 2;
     int type = 1;
     int protocol = 0;
     LPWSAPROTOCOL_INFO lpProtocolInfo = 0;
     GROUP g = 0;


...

     DWORD dwFlags = 0;
) =  66;
int connect (

Comment 7 Fedora Update System 2021-04-19 23:53:25 UTC
FEDORA-2021-02f075bee0 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-02f075bee0

Comment 8 Fedora Update System 2021-04-19 23:54:20 UTC
FEDORA-EPEL-2021-947be1db28 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-947be1db28

Comment 9 Fedora Update System 2021-04-19 23:57:18 UTC
FEDORA-EPEL-2021-2af4b80a8d has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-2af4b80a8d

Comment 10 Michal Ambroz 2021-04-20 00:05:24 UTC
Package rebuilt without the test cases, which kind of cripples the sctest utility; on the other hand it should clear off the false-positive detections of being a trojan.
In case somebody needs the test-cases it is possible to download the srpm from koji and rebuild locally with the testcases:
wget https://kojipkgs.fedoraproject.org//packages/libemu/0.2.0/19.20130410gitab48695.el8/src/libemu-0.2.0-19.20130410gitab48695.el8.src.rpm
rpmbuild --rebuild libemu-0.2.0-19.20130410gitab48695.el8.src.rpm --with testcases

Antivirus scan of the disabled package should be fine:
https://www.virustotal.com/gui/url/0457b6a2b7248078639f4adaa2109fcf08074b170a940ea7092ecca2e0b690ea/detection

Best regards
Michal Ambroz

Comment 11 Fedora Update System 2021-04-20 15:37:25 UTC
FEDORA-2021-02f075bee0 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-02f075bee0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-02f075bee0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2021-04-20 15:52:29 UTC
FEDORA-EPEL-2021-947be1db28 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-947be1db28

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2021-04-20 15:54:09 UTC
FEDORA-EPEL-2021-2af4b80a8d has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-2af4b80a8d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2021-04-28 02:44:06 UTC
FEDORA-2021-02f075bee0 has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 15 Fedora Update System 2021-05-05 02:29:28 UTC
FEDORA-EPEL-2021-2af4b80a8d has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 16 Fedora Update System 2021-05-05 02:33:03 UTC
FEDORA-EPEL-2021-947be1db28 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Red Hat Bugzilla 2023-09-12 03:45:20 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

