That's the only thing I can think of. I had node 18.6.0 and I'm running
ClamAV 0.105.0. That detected the node binary as having the same virus.
However, when I upload and scan the binary with VirusTotal, their install
of ClamAV does not detect it.

Similarly, after I upgraded to node 18.7.0, my local install of ClamAV
still detected it with the same virus. And, again, when I uploaded it to
VirusTotal, it came back as clean.

Running clamscan with --leave-temps and setting a --tempdir, I get no
temporary files left behind.

Additionally, using the 'strings' command to get any/all ASCII strings from
the binary (yes, I know it doesn't always help) doesn't show anything...

That being said, the signature does seem to be poorly written and likely to
catch lots of false positives...

It's looking for more than one occurrence of "/usr/bin/pkexec" *and*
CMDTOEXECUTE= *and* NOTTY= *and* NOTTY_PORT= *and* GCONV_PATH= ...
   OR more than 3 occurrences of the "Unable to" messages (any of them) ...
   OR more than 1 occurrence of the woody paths or 'payload.so'

VIRUS NAME: Osx.Exploit.CVE_2021_4034-9951522-1
TDB: Engine:91-255,Target:9
LOGICAL EXPRESSION: (0&1&2&3&4)>1|(5|6|7|8)>3|(9|10|11)>1
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
/usr/bin/pkexec
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
CMDTOEXECUTE=
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
NOTTY=
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
NOTTY_PORT=
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
GCONV_PATH=
 * SUBSIG ID 5
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to execute pkexec
 * SUBSIG ID 6
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to write  payload
 * SUBSIG ID 7
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to make tmp dir
 * SUBSIG ID 8
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Unable to write gconv module
 * SUBSIG ID 9
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
/Users/woody/Downloads/vul/poc-cve-2021-4034-main/exploit.go
 * SUBSIG ID 10
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
/Users/woody/Downloads/vul/poc-cve-2021-4034-main/payload/payload.go
 * SUBSIG ID 11
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
payload.so

And it's that last one that is triggering the virus detection...
lothlorien:~$ grep -a payload.so node
    ArrayPrototypeIndexOf(payload.sources, originalSourcePath);
  if (payload.sourcesContent?.[sourceContentIndex]) {
    source = payload.sourcesContent[sourceContentIndex];

There are no occurrences of sub-signatures 0 through 10... but there are 3
occurrences of sub-signature 11 and the way that the logical expression is
written, that's enough to trigger the detection.

--Maarten


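The reasoning in the message above (count each sub-signature, then plug the counts into the logical expression) can be checked with a small model of the signature. The following is an added example, not ClamAV engine code and not anything posted in this thread: it uses a simplified reading of the expression in which a subsig evaluates to its occurrence count, `|` adds the counts of its operands, `&` requires every operand to be present, and `>n` / `<n` / `=n` turn a group's count into a yes/no result. The names `scan`, `evaluate`, `count_subsigs`, `NODE_LIKE` and `EXPLOIT_LIKE` are the example's own, and the byte strings are constructed stand-ins (the three source-map lines from the grep output plus filler), not the real node binary.

```python
"""Toy evaluator for a ClamAV-style logical signature (added example).

Not ClamAV source: it only models the quoted signature closely enough to
show why three hits on the plain substring "payload.so" (inside
"payload.sources") satisfy "(9|10|11)>1" while the exploit-specific
sub-signatures 0-10 are absent.
"""
import re

# Decoded sub-signatures exactly as listed in the message above.
SUBSIGS = {
    0: b"/usr/bin/pkexec",
    1: b"CMDTOEXECUTE=",
    2: b"NOTTY=",
    3: b"NOTTY_PORT=",
    4: b"GCONV_PATH=",
    5: b"Unable to execute pkexec",
    6: b"Unable to write  payload",
    7: b"Unable to make tmp dir",
    8: b"Unable to write gconv module",
    9: b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/exploit.go",
    10: b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/payload/payload.go",
    11: b"payload.so",
}
EXPRESSION = "(0&1&2&3&4)>1|(5|6|7|8)>3|(9|10|11)>1"

# Constructed stand-in for the node binary: a fake header, filler, and the
# three source-map lines that grep found.  "payload_length" is a decoy that
# must NOT count, because "payload.so" is matched as a literal substring.
NODE_LIKE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"node::inspector::Agent\n"
    b"    ArrayPrototypeIndexOf(payload.sources, originalSourcePath);\n"
    b"  if (payload.sourcesContent?.[sourceContentIndex]) {\n"
    b"    source = payload.sourcesContent[sourceContentIndex];\n"
    b"payload_length = 0;\n"
)

# Constructed stand-in for a real PoC: every string of the first group once.
EXPLOIT_LIKE = (
    b"/usr/bin/pkexec\x00CMDTOEXECUTE=\x00NOTTY=\x00NOTTY_PORT=\x00GCONV_PATH=\x00"
    b"Unable to execute pkexec\x00"
)

_TOKEN = re.compile(r"\d+|[&|()]|[<>=]\d+")


def count_subsigs(data: bytes, subsigs: dict) -> dict:
    """Occurrence count of every sub-signature as a plain substring."""
    return {sid: data.count(pat) for sid, pat in subsigs.items()}


class _Parser:
    """Recursive-descent evaluator: or_expr := and_expr ('|' and_expr)*,
    and_expr := atom ('&' atom)*, atom := id | '(' or_expr ')' [ <>= n ]."""

    def __init__(self, expr: str, counts: dict):
        self.tokens = _TOKEN.findall(expr)
        if "".join(self.tokens) != expr:
            raise ValueError(f"unparseable expression: {expr!r}")
        self.pos = 0
        self.counts = counts

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self) -> int:
        val = self._or_expr()
        if self._peek() is not None:
            raise ValueError("trailing tokens")
        return val

    def _or_expr(self) -> int:
        val = self._and_expr()
        while self._peek() == "|":
            self._take()
            val += self._and_expr()          # OR: counts add up
        return val

    def _and_expr(self) -> int:
        vals = [self._atom()]
        while self._peek() == "&":
            self._take()
            vals.append(self._atom())
        return sum(vals) if all(vals) else 0  # AND: every operand present

    def _atom(self) -> int:
        tok = self._take()
        if tok == "(":
            val = self._or_expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
        elif tok is not None and tok.isdigit():
            val = self.counts[int(tok)]
        else:
            raise ValueError(f"unexpected token {tok!r}")
        nxt = self._peek()
        if nxt and nxt[0] in "<>=":            # threshold applied to group
            self._take()
            n = int(nxt[1:])
            hit = {"<": val < n, ">": val > n, "=": val == n}[nxt[0]]
            val = 1 if hit else 0
        return val


def evaluate(expr: str, counts: dict) -> bool:
    """True when the logical expression fires for the given counts."""
    return _Parser(expr, counts).parse() > 0


def scan(data: bytes, subsigs=SUBSIGS, expr=EXPRESSION):
    """Return (detected, per-subsig counts) for one buffer."""
    counts = count_subsigs(data, subsigs)
    return evaluate(expr, counts), counts


if __name__ == "__main__":
    for name, blob in (("node-like", NODE_LIKE), ("exploit-like", EXPLOIT_LIKE)):
        hit, counts = scan(blob)
        fired = {sid: c for sid, c in counts.items() if c}
        print(f"{name}: detected={hit} nonzero subsigs={fired}")
```

Running it shows the node-like buffer detected purely through subsig 11 (count 3, all others 0), while the exploit-like buffer is detected through the first group. Changing the last threshold to `(9|10|11)>3` makes the same node-like buffer pass, which is the kind of adjustment a false-positive report asks the signature author for; locally, `grep -c` on each sub-signature string gives the same counts the model uses.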

On Tue, Aug 2, 2022 at 4:12 PM Viktor Rosenfeld via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi,
>
> Is it possible that the infected file is only found in arm64 versions?
> When I go to https://nodejs.org/en/, it prompts me to download files for
> x64. However, I am on an Apple Air M1 and I just verified that the
> installed node binary is an arm64 executable.
>
> Cheers,
> Viktor
>
> Am 01.08.2022 um 15:24 schrieb Al Varnell <alvarn...@mac.com>:
>
> I downloaded and installed both current versions of Node.js 16.16.0 LTS &
> 18.7.0 from <https://nodejs.org/en/> and no infected files were found.
>
> -Al-
> --
> ClamXAV user
>
> On Mon, Aug 01, 2022 at 02:50 AM, Viktor Rosenfeld via clamav-users wrote:
>
> Hi,
>
> about a month ago I reported a possible false positive on nodejs
> executables and related files [1]. After checking with Jotti’s Virus Scan
> and Virustotal, I also (twice) submitted the files to the ClamAV website as
> false positives [2].
>
> I haven’t received a notification after the false positive submissions
> and, meanwhile, newer versions of nodejs are still reported as being
> infected.
>
> What else can I do to verify that this is indeed a false positive?
>
> Best,
> Viktor
>
> [1] https://lists.clamav.net/pipermail/clamav-users/2022-June/012717.html
> [2] https://www.clamav.net/reports/fp
>
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
>