[clamav-users] More FP: Unix.Dropper.Mirai-7540607-0
Hi list,

I found another signature in the daily.ldb that needs to be removed, I think.

Scan results on all our servers running Netdata:
/opt/netdata/bin/srv/netdata: Unix.Dropper.Mirai-7540607-0 FOUND

Found it in daily.ldb like this:
Unix.Dropper.Mirai-7540607-0;Engine:51-255,Target:6;0&1&2&3&4;557365722d4167656e743a2025732f2573;4e6f206368696c642070726f63657373;436f6e6e656374696f6e207265736574206279206e6574776f726b;4e6f74206120736f636b6574;536f636b6574206e6f7420636f6e6e6563746564

Searching the netdata binary for the above hex values gives me these strings:

User-Agent: %s/%s
No child process
Connection reset by network
Not a socket
Socket not connected

I think this rule should also be removed.

Best regards,
Mikael Bak

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] More FP: Unix.Dropper.Mirai-7540607-0
Mikael, can you provide the hash and/or virustotal link for the
`/opt/netdata/bin/srv/netdata` sample?

Thanks,
demonduck

Re: [clamav-users] More FP: Unix.Dropper.Mirai-7540607-0
Hi,

Here is the Virustotal link:
https://www.virustotal.com/gui/file/6ef626c4b3ab696027156ce41c7325f691931ac609ac487b19926794752a701e/detection

And a hash:
$ sha512sum netdata
eaeef4f8f9dbb5b4fd2dff5a8eebac9f7a2bdbb4b661e62bf5ec4be863a3f182f2702d837bb9974ce16fb91fe7f264ec22ab6a6a42dc68458d4136bfadcff4e3  netdata

Re: [clamav-users] More FP: Unix.Dropper.Mirai-7540607-0
Sorry. I sent sha512sum. Here is a sha256 hash:

$ sha256sum netdata
6ef626c4b3ab696027156ce41c7325f691931ac609ac487b19926794752a701e netdata

Re: [clamav-users] More FP: Unix.Dropper.Mirai-7540607-0
The offending signature will be dropped in the next daily.cvd and revised.
Until then, I'd suggest adding it to your local ignore database (.ign2).
See https://www.clamav.net/documents/whitelist-databases for
more information.

Thanks,
demonduck
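As an added illustration (not code from the thread, from Netdata or from ClamAV), here is a small Python script that decodes the .ldb record Mikael quoted, replays its logical expression `0&1&2&3&4` over a constructed buffer holding the same five strings, and emits the one-line .ign2 entry demonduck suggests. Helper names such as `parse_ldb`, `scan` and `ign2_entry` are the example's own; the sample buffer is constructed, not the real netdata binary.

```python
"""Decode a ClamAV .ldb logical signature and replay it against sample bytes.
Added example, not code from the thread or from ClamAV; helper names are
hypothetical. The record is the one quoted in the thread; the buffer is a
constructed stand-in for a binary carrying the same five strings."""

LDB_LINE = (
    "Unix.Dropper.Mirai-7540607-0;Engine:51-255,Target:6;0&1&2&3&4;"
    "557365722d4167656e743a2025732f2573;4e6f206368696c642070726f63657373;"
    "436f6e6e656374696f6e207265736574206279206e6574776f726b;"
    "4e6f74206120736f636b6574;536f636b6574206e6f7420636f6e6e6563746564"
)

# Constructed: ordinary strerror() messages plus a User-Agent format string,
# which is all it takes to satisfy every subsignature above.
SAMPLE_BINARY = (
    b"\x7fELF\x00User-Agent: %s/%s\x00No child process\x00"
    b"Connection reset by network\x00Not a socket\x00Socket not connected\x00"
)

def parse_ldb(line):
    """Split name;TargetBlock;LogicalExpr;subsig0;subsig1;... (plain hex only;
    ClamAV wildcards such as ??, * and {n} are not handled)."""
    name, target, expr, *hexsigs = line.strip().split(";")
    return name, target, expr, [bytes.fromhex(h) for h in hexsigs]

def eval_logic(expr, hits):
    """Flat '&'/'|' expression over per-subsig booleans; '&' binds tighter.
    Parentheses and match-count operators (=, >, <) are out of scope here."""
    return any(all(hits[int(t)] for t in clause.split("&"))
               for clause in expr.split("|"))

def scan(line, data):
    """Return (name, per-subsig hits, overall verdict) for one record."""
    name, _target, expr, subsigs = parse_ldb(line)
    hits = [s in data for s in subsigs]  # Target:6 means ELF; not checked here
    return name, hits, eval_logic(expr, hits)

def ign2_entry(name):
    """A local .ign2 file lists one signature name per line."""
    return name + "\n"

if __name__ == "__main__":
    name, hits, verdict = scan(LDB_LINE, SAMPLE_BINARY)
    for sub, hit in zip(parse_ldb(LDB_LINE)[3], hits):
        print(f"{'HIT ' if hit else 'miss'} {sub.decode()!r}")
    print(name, "FOUND" if verdict else "OK")
    print("ign2 line:", ign2_entry(name), end="")
```

Every subsignature here is a generic libc or HTTP string, which is why the five-way AND still fires on an ordinary monitoring daemon.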