Re: Bug#726393: general: Possible malware infections in source packages

2013-10-21 Thread Kevin Chadwick

> You can disagree with this approach. However, in my 10+ years' experience
> setting up security gateways for Internet traffic (mostly for
> HTTP/FTP/SMTP) I've seen only a few vulnerabilities in the gateways
> themselves. Many of the gateways I have deployed are either network
> appliances with a Common Criteria certification (see

So you have had vulnerabilities for 10 years in systems exposing all
users to them for ten years and guess what, you still have. In my 10+
years I haven't.

I shall stick to disagreeing along with snort.org but admit this is
widely done even on firewalls themselves. I do some scanning for
exploits even but for information in an isolated way as snort.org
strongly recommends and not active reaction.

P.s. That's not defence in depth. If you had defence in depth worth
mentioning then you wouldn't need Antivirus. Of course I am sure those
decisions are out of your hands and so I am not criticising you and I
am sure your network is more secure than most, just stressing my
opinion.

The part about hacking tools was mentioned in case the whole server was
blocked rather than a few packages.

> In my organisation (and I know we are not alone here),

Many run polkit, sudo, dbus-launcher, Windows.

Some like me run just sudo.

I'm not alone either. I read just the other day that Cambridge Uni's
production policy is to only allow sudo for privilege granting.


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/25401.28226...@smtp130.mail.ir2.yahoo.com



Re: Bug#726393: general: Possible malware infections in source packages

2013-10-20 Thread Javier Fernandez-Sanguino
On 18 October 2013 12:41, Kevin Chadwick  wrote:
>> I have to join Marc here and say "me too". In my organisation we
>> actually have those controls in place (antivirus/antimalware) in the
>> Internet gateways and we do not disable them for specific traffic
>> flows unless a detailed risk analysis has been done (and approved).
>
> Personally I disagree with this approach as you are making the gateways
> themselves more open to attack adding risk to all rather than the
> targeted,

You can disagree with this approach. However, in my 10+ years' experience
setting up security gateways for Internet traffic (mostly for
HTTP/FTP/SMTP) I've seen only a few vulnerabilities in the gateways
themselves. Many of the gateways I have deployed are either network
appliances with a Common Criteria certification (see
http://www.commoncriteriaportal.org/), or are deployed using specific
software running in a hardened (again, Common Criteria certified)
operating system configuration. So I'd say the risk of exposing "all"
by running a properly setup gateway is rather low.

In my organisation (and I know we are not alone here), we do not just
rely on the antivirus running on the desktops. We also do routine
anti-virus/anti-malware checks on gateways running in a DMZ and block
suspicious files that cannot be analysed (e.g. encrypted files not
using corporate encryption, such as a ZIP file with a password). It's
not just us, it is a common approach followed by many organisations
and is based on the "defence-in-depth" principle.

> especially when antivirus are so easy to fool anyway.

That's also why we analyse incoming files with more than one antivirus
engine. And that's also why we do behavioral analysis (i.e. run
downloaded software in a sandbox) to detect malicious files.

> There are many perfectly legitimate hacking tools that may hit the repo
> that AV will pick up (backtrack distro has many), but also, is there any
> danger of AV browser plugins and Google even blocking debian.org?

If somebody in my organisation is downloading and running hacking
tools, I (with my network/security admin hat on) want to know it.
These tools are only allowed for a specific group of individuals and
under specific conditions, and I expect our gateways to block these
downloads too.

Regards

Javier


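Javier's post above describes a gateway policy of blocking files that cannot be analysed, such as a ZIP with a password, and the bug itself was triggered by a .pif inside a zipped mail attachment. The following is an editor-added illustration of what such an inspection looks like in code; it is not code from the thread, from Javier's gateways or from Debian. The sample archives are constructed inside the block, the list of executable suffixes is an assumption for the demonstration, and nothing is ever extracted: only the central directory is read.

```python
"""Gateway-style ZIP inspection (added example, not from the thread): flag
entries that are password-protected, which no scanner can look inside, and
entries named like Windows executables.  Sample archives are constructed
below; the 'invoice.pif' entry is plain text, not a real executable."""

import io
import zipfile

# Suffixes Windows executes directly.  Assumed list for the demonstration,
# not a complete one.
EXECUTABLE_SUFFIXES = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd")


def build_sample_zip(encrypted=False, with_executable=True):
    """Constructed archive: a harmless text file and, optionally, a text
    placeholder named like an executable.  With encrypted=True, bit 0 of the
    general-purpose flag is set in every local file header ('PK\\x03\\x04',
    flag at offset 6) and central-directory entry ('PK\\x01\\x02', flag at
    offset 8); that bit is how a password-protected entry is marked.
    ZIP_STORED keeps entry data plain, so the signature search cannot hit
    bytes inside an entry by accident."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        if with_executable:
            zf.writestr("invoice.pif", "placeholder text, not a real executable\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                data[pos + flag_offset] |= 0x01
                pos = data.find(signature, pos + 4)
    return bytes(data)


def inspect_zip(data):
    """Return a list of findings; an empty list means nothing was flagged.
    A file that is not a valid archive is itself a finding, since the
    gateway cannot analyse it either."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return ["malformed archive: %s" % exc]
    findings = []
    for info in zf.infolist():
        if info.flag_bits & 0x01:
            findings.append("encrypted entry (cannot be scanned): " + info.filename)
        if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append("executable-style entry: " + info.filename)
    return findings


def gateway_decision(data):
    """'block' if anything was flagged, else 'allow': files that cannot be
    analysed are blocked rather than waved through."""
    return "block" if inspect_zip(data) else "allow"


if __name__ == "__main__":
    for label, sample in (("plain", build_sample_zip()),
                          ("encrypted", build_sample_zip(encrypted=True)),
                          ("text only", build_sample_zip(with_executable=False))):
        print(label, gateway_decision(sample), inspect_zip(sample))
```

The encryption flag lives in the archive metadata, so the check needs no password and no decompression; the same walk over infolist() is where a real gateway would also hand each entry to its scanners.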



Bug#726393: general: Possible malware infections in source packages

2013-10-19 Thread Henrique de Moraes Holschuh
On Fri, 18 Oct 2013, Thorsten Glaser wrote:
> On Tue, 15 Oct 2013, Thijs Kinkhorst wrote:
> > I'm still not sure why the virus contained in the source could not be
> > replaced by the EICAR test signature.
> 
> Because it’s not testing a virus scanner, but because the
> specific RFC822 message in question exhibited multiple problems
> in the code, due to the way it’s written/structured.

Then we could just defang it for good, replacing most of the virus
code with crap while preserving the "malformedness".

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-19 Thread Jonathan Dowland
> 
> It's not difficult if you reject the requirement of being DOS[0] executable:

I meant ending up with something byte-for-byte identical.




Re: Bug#726393: general: Possible malware infections in source packages

2013-10-18 Thread Jakub Wilk

* Jonathan Dowland , 2013-10-18, 08:55:
> Someone should reimplement eicar under a clear license using clean room
> techniques. I may do so if I find time.


It's not difficult if you reject the requirement of being DOS[0] executable:

echo$IFS'Free-Antivirus-Test-File'|tr$IFS'-'$IFS"$IFS"

The hard part is convincing AV vendors that they should support another test 
file. .oO( It might be easier to develop an actual DFSG-free virus, so that AV 
software will _have_ to detect it... )



[0] Seriously? http://i.imgur.com/D6PfW.jpg

--
Jakub Wilk





Bug#726393: general: Possible malware infections in source packages

2013-10-18 Thread Thorsten Glaser
On Tue, 15 Oct 2013, Thijs Kinkhorst wrote:

> I'm still not sure why the virus contained in the source could not be
> replaced by the EICAR test signature.

Because it’s not testing a virus scanner, but because the
specific RFC822 message in question exhibited multiple problems
in the code, due to the way it’s written/structured.

At least this is how I read the relevant comments.

@Natureshadow: this isn’t exactly code, and it’s even in the
preferred form of modification (an RFC822-format message)…

bye,
//mirabilos
-- 
15:41⎜ Somebody write a testsuite for helloworld :-)





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-18 Thread Kevin Chadwick
> I have to join Marc here and say "me too". In my organisation we
> actually have those controls in place (antivirus/antimalware) in the
> Internet gateways and we do not disable them for specific traffic
> flows unless a detailed risk analysis has been done (and approved).

Personally I disagree with this approach as you are making the gateways
themselves more open to attack adding risk to all rather than the
targeted, especially when antivirus are so easy to fool anyway. A
mistake Blackberry has made whilst their devices weren't bad security
wise.

However this is in no way a reflection on whether I think it should be
allowed but I will throw in that.

There are many perfectly legitimate hacking tools that may hit the repo
that AV will pick up (backtrack distro has many), but also, is there any
danger of AV browser plugins and Google even blocking debian.org?

-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
___





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-18 Thread Jonathan Dowland


On 17 Oct 2013, at 19:21, Javier Fernandez-Sanguino  wrote:

>> eicar.com does not have a distributable license.
> 
> Neither does the virus discussed in this thread (Win32.Worm.Mytob.EF)
> included in libmail-deliverystatus-bounceparser-perl.

Good point, I agree it should be removed on that basis.

Someone should reimplement eicar under a clear license using clean room 
techniques. I may do so if I find time.




Re: Bug#726393: general: Possible malware infections in source packages

2013-10-17 Thread Javier Fernandez-Sanguino
On 16 October 2013 10:56, Marc Haber  wrote:
> On Tue, 15 Oct 2013 13:19:38 +0200, "Thijs Kinkhorst"
>  wrote:
>>I'm missing why the package cannot use the EICAR test virus signature for
>>its purposes.
>
> eicar.com does not have a distributable license.

Neither does the virus discussed in this thread (Win32.Worm.Mytob.EF)
included in libmail-deliverystatus-bounceparser-perl.

What's more, I guess (actually, I hope) the package probably does not
include the source code of this virus which means that it should be
removed from the package or it should go to non-free.

Regards

Javier





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-17 Thread Javier Fernandez-Sanguino
On 16 October 2013 11:12, Marc Haber  wrote:
> On Tue, 15 Oct 2013 12:54:36 +0200, Dominik George 
> wrote:
>>> Some of the source packages were caught on a gateway anti-virus scanner 
>>> while
>>> downloading.
>>
>>Using a gateway anti-virus scanner for downloads from the Debian archive
>>seems a bit inappropriate, well, paranoid. Checking the signed hashsums
>>would seem a lot better to verify the downloads; if Debian's
>>infrastructure were compromised so viruses could get in *and* be signed,
>>we and you have other problems.
>
> In many organisations it would be a _huge_ hassle to be allowed to
> Download Debian packages directly while bypassing the gateway scanner.
> It might even lead to a knee-jerk reaction like "This Debian thingy
> keeps setting off our security alerts, let's ban it and use a
> supported enterprise distro".

I have to join Marc here and say "me too". In my organisation we
actually have those controls in place (antivirus/antimalware) in the
Internet gateways and we do not disable them for specific traffic
flows unless a detailed risk analysis has been done (and approved).

Following a defence-in-depth approach, we don't rely on a single
control as Dominik proposes (check signed hashsums and you are done)
but also inspect any incoming data from the Internet. From my point of
view this is not being paranoid, it is implementing best security
practices.

Regards

Javier





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-17 Thread Thijs Kinkhorst
On Wed, October 16, 2013 10:56, Marc Haber wrote:
> On Tue, 15 Oct 2013 13:19:38 +0200, "Thijs Kinkhorst"
>  wrote:
>>I'm missing why the package cannot use the EICAR test virus signature for
>>its purposes.
>
> eicar.com does not have a distributable license.

I doubt that's relevant, because the current virus samples, although their
authors no doubt intended their code to be distributed as widely as
possible, would not be considered DFSG free either.


Thijs





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-16 Thread Marc Haber
On Wed, 16 Oct 2013 20:17:53 +, "Andrew M.A. Cater"
 wrote:
>On Wed, Oct 16, 2013 at 11:12:47AM +0200, Marc Haber wrote:
>> On Tue, 15 Oct 2013 12:54:36 +0200, Dominik George 
>> wrote:
>> >> Some of the source packages were caught on a gateway anti-virus scanner 
>> >> while
>> >> downloading.
>> >
>> >Using a gateway anti-virus scanner for downloads from the Debian archive
>> >seems a bit inappropriate, well, paranoid. Checking the signed hashsums
>> >would seem a lot better to verify the downloads; if Debian's
>> >infrastructure were compromised so viruses could get in *and* be signed,
>> >we and you have other problems.
>> 
>> In many organisations it would be a _huge_ hassle to be allowed to
>> Download Debian packages directly while bypassing the gateway scanner.
>> It might even lead to a knee-jerk reaction like "This Debian thingy
>> keeps setting off our security alerts, let's ban it and use a
>> supported enterprise distro".
>
>You have _NO_ idea just how close to the truth you are

I think I know.

>- but even enterprise distributions
>trigger anti-virus programs. Pretty much all false positives, but still ..

Yes, but that's enterprise software with support that we have paid
$AMOUNT of $CURRENCY for. That can't be bad, or our decision would be
wrong, which is not possible with regard to the career of the people
who had taken that decision.

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-16 Thread Andrew M.A. Cater
On Wed, Oct 16, 2013 at 11:12:47AM +0200, Marc Haber wrote:
> On Tue, 15 Oct 2013 12:54:36 +0200, Dominik George 
> wrote:
> >> Some of the source packages were caught on a gateway anti-virus scanner 
> >> while
> >> downloading.
> >
> >Using a gateway anti-virus scanner for downloads from the Debian archive
> >seems a bit inappropriate, well, paranoid. Checking the signed hashsums
> >would seem a lot better to verify the downloads; if Debian's
> >infrastructure were compromised so viruses could get in *and* be signed,
> >we and you have other problems.
> 
> In many organisations it would be a _huge_ hassle to be allowed to
> Download Debian packages directly while bypassing the gateway scanner.
> It might even lead to a knee-jerk reaction like "This Debian thingy
> keeps setting off our security alerts, let's ban it and use a
> supported enterprise distro".
> 
> Greetings
> Marc

You have _NO_ idea just how close to the truth you are - but even enterprise
distributions trigger anti-virus programs. Pretty much all false positives, but
still ..

All the best,

AndyC





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-16 Thread Marc Haber
On Wed, 16 Oct 2013 12:59:33 +0200, Dominik George 
wrote:
>Marc Haber  schrieb:
>>On Tue, 15 Oct 2013 13:19:38 +0200, "Thijs Kinkhorst"
>> wrote:
>>>I'm missing why the package cannot use the EICAR test virus signature
>>for
>>>its purposes.
>>
>>eicar.com does not have a distributable license.
>
>
>I do not think it is actually copyrightable software. It is a string that was
>agreed on to trigger antivirus scanners, so it is more or less a protocol.
>Consider the downloads at eicar.com reference implementations.
>
>TINLA, IANAL.

Obviously. German copyright law was changed in the 1990s to
explicitly include even the most trivial programming work ("kleine
Münze").

Eicar.com is undoubtedly programming work, and given it being short, a
working DOS program _and_ printable at the same time I do not have any
doubt that the program would pass as a "Schöpfung" in a court of law.
Maybe even as a work of art instead of a work of programming.

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-16 Thread Jonathan Dowland
On Wed, Oct 16, 2013 at 01:11:01PM +0200, Dominik George wrote:
> Looking at it as code, it is a 16-bit DOS Hello world-program. Not
> copyrightable, I suppose.

I do not want EICAR to be copyrightable, but I reckon it probably is.
A surprising amount of work went into developing EICAR: it's a valid
16 bit DOS program as you point out, it's also composed entirely of
printable characters and uses self-modification to ensure it does
something useful when actually executed. As such it's clearly a
creative work, and an original creation at that.

Mark H has done a fair bit of work in this area.¹

¹ 
  I'm now considering, tongue slightly in cheek, whether to add
  EICAR support to game-data-packager.





Bug#726393: general: Possible malware infections in source packages

2013-10-16 Thread Florian Weimer
* Dominik George:

> It isn't a false positive in that regard that the package *does* in fact
> contain the virus sample.

That's non-free code and not suitable for main, so it must be removed
from the source tarball anyway.





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-16 Thread Dominik George
Dominik George  schrieb:

>I do not think it is actually copyrightable software. It is a string
>that was agreed on to trigger antivirus scanners, so it is more or less
>a protocol. Consider the downloads at eicar.com reference
>implementations.

Looking at it as code, it is a 16-bit DOS Hello world-program. Not 
copyrightable, I suppose.

-nik





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-16 Thread Dominik George
Marc Haber  schrieb:
>On Tue, 15 Oct 2013 13:19:38 +0200, "Thijs Kinkhorst"
> wrote:
>>I'm missing why the package cannot use the EICAR test virus signature
>for
>>its purposes.
>
>eicar.com does not have a distributable license.


I do not think it is actually copyrightable software. It is a string that was
agreed on to trigger antivirus scanners, so it is more or less a protocol.
Consider the downloads at eicar.com reference implementations.

TINLA, IANAL.

-nik





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-16 Thread Marc Haber
On Tue, 15 Oct 2013 13:19:38 +0200, "Thijs Kinkhorst"
 wrote:
>I'm missing why the package cannot use the EICAR test virus signature for
>its purposes.

eicar.com does not have a distributable license.

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-16 Thread Marc Haber
On Tue, 15 Oct 2013 12:54:36 +0200, Dominik George 
wrote:
>> Some of the source packages were caught on a gateway anti-virus scanner while
>> downloading.
>
>Using a gateway anti-virus scanner for downloads from the Debian archive
>seems a bit inappropriate, well, paranoid. Checking the signed hashsums
>would seem a lot better to verify the downloads; if Debian's
>infrastructure were compromised so viruses could get in *and* be signed,
>we and you have other problems.

In many organisations it would be a _huge_ hassle to be allowed to
Download Debian packages directly while bypassing the gateway scanner.
It might even lead to a knee-jerk reaction like "This Debian thingy
keeps setting off our security alerts, let's ban it and use a
supported enterprise distro".

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834


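The quoted suggestion above, "checking the signed hashsums", is the control apt applies to every download: the archive's Packages index records a SHA256 for each .deb, and the index is in turn covered by the signed Release file. The block below is an editor-added example of the last link in that chain (index entry to downloaded file); it is not code from the thread or from apt. The Packages text and the package bytes are constructed for the demonstration, and the block assumes the Release/InRelease signature and the hash of the Packages file itself have already been checked (with gpgv against the archive keyring, for instance).

```python
"""Verify a downloaded package against the SHA256 and Size recorded in a
Packages index (added example, not from the thread or from apt).  Assumed
already done: signature check of the Release/InRelease file and the hash
check of the Packages file it lists.  Index text and package bytes below
are constructed so the example runs offline."""

import hashlib
import hmac

# Constructed stand-in for the bytes of a downloaded .deb (not a real archive).
SAMPLE_DEB = b"!<arch>\n" + b"constructed placeholder package contents\n" * 8

# Constructed two-stanza Packages index.  The SHA256 for example-pkg is filled
# in from SAMPLE_DEB; in a real index it comes from the archive.
PACKAGES_INDEX = """Package: other-pkg
Version: 2.0-3
Architecture: all
Filename: pool/main/o/other-pkg/other-pkg_2.0-3_all.deb
Size: 12345
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

Package: example-pkg
Version: 1.0-1
Architecture: all
Filename: pool/main/e/example-pkg/example-pkg_1.0-1_all.deb
Size: {size}
SHA256: {sha256}
""".format(size=len(SAMPLE_DEB), sha256=hashlib.sha256(SAMPLE_DEB).hexdigest())


def parse_index(text):
    """Split a Packages index into blank-line-separated stanzas and return a
    dict keyed by Filename.  The fields used here are single-line, so each
    'Key: value' line is taken as one field (continuation lines are ignored)."""
    by_filename = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            by_filename[fields["Filename"]] = fields
    return by_filename


def verify_download(filename, data, index_text):
    """Return (ok, reason).  The cheap Size check runs first; the digest
    comparison is constant-time, so a mismatch does not reveal how many
    leading hex digits agreed."""
    entry = parse_index(index_text).get(filename)
    if entry is None:
        return False, "no index entry for " + filename
    expected_size = int(entry["Size"])
    if len(data) != expected_size:
        return False, "size mismatch: got %d bytes, index says %d" % (len(data), expected_size)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, entry["SHA256"].lower()):
        return False, "SHA256 mismatch for " + filename
    return True, "verified " + filename


if __name__ == "__main__":
    name = "pool/main/e/example-pkg/example-pkg_1.0-1_all.deb"
    print(verify_download(name, SAMPLE_DEB, PACKAGES_INDEX))
    print(verify_download(name, SAMPLE_DEB[:-1] + b"?", PACKAGES_INDEX))
```

A file that fails this check was modified somewhere between the archive and the client (a mirror, a proxy, or the network), whatever a content scanner says about it; a file that passes is exactly what the archive signed for, which is the point Dominik's quoted sentence makes.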



Bug#726393: Info received (Bug#726393: general: Possible malware infections in source packages)

2013-10-15 Thread Scott Kitterman


Scott Kitterman  wrote:
>Boots fine if the image is not persistent. 

Sorry. Wrong bug.





Bug#726393: Info received (Bug#726393: general: Possible malware infections in source packages)

2013-10-15 Thread Scott Kitterman
Boots fine if the image is not persistent. 





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-15 Thread Thorsten Glaser
Jarkko Palviainen  f-secure.com> writes:

> I looked into one of these, libmail-deliverystatus-bounceparser-
> perl_1.531.orig.tar.gz, and found multipart email file containing zip
> attachment. Inside this archive is a .pif file (PE32 executable for MS
Windows)
> which is detected as Win32.Worm.Mytob.EF.
> 
> This doesn't look like a false positive.

And yet, it’s totally legit: the file in question is an eMail archive
of a mail containing such a virus for another platform, in order to test
against it so that the Perl script in question doesn’t exhibit any
bugs wrt. that.

> I hope that the source packages would
> be sanitized from any actual malware samples.

It’s not Malware if you’re running Debian.

bye,
//mirabilos





Bug#726393: general: Possible malware infections in source packages

2013-10-15 Thread Adam D. Barratt

On 2013-10-15 11:54, Dominik George wrote:
> [Jarkko Palviainen; attribution lost in quoted mail]
>> http://ftp.fi.debian.org/[...]
>
> If you suspect an issue with the Debian archive, please test against
> ftp.debian.org.

That's not particularly great advice. ftp.debian.org is just another
mirror[tm]; see the "where to mirror from" section of
http://www.debian.org/mirror/ftpmirror


Regards,

Adam





Bug#726393: general: Possible malware infections in source packages

2013-10-15 Thread Jarkko Palviainen

On 10/15/2013 03:09 PM, Dominique Dumont wrote:
> On Tuesday 15 October 2013 13:19:38 Thijs Kinkhorst wrote:
>>> It isn't a false positive in that regard that the package *does* in fact
>>> contain the virus sample. However, it *is* a false positive, as the
>>> sample is there intentionally, and no virus scanner can guess the reason
>>> why it is there. It does no harm in the location where it is, it will
>>> not spread, so is it in fact a virus? No, it isn't.
>>
>> I'm missing why the package cannot use the EICAR test virus signature for
>> its purposes.
>
> In the libmail-deliverystatus-bounceparser-perl case, the virus is used in the
> non-regression tests which are shipped in the original tarball (and in the
> Debian *source* package). This virus is *not* shipped in the Debian binary
> package.
>
> HTH


OK, you have already closed the ticket. I was expecting to find a
general policy of "maintainers should not allow malware from upstream",
but apparently this is not desired or the discussion belongs somewhere else.


It doesn't really matter what is the intention; you are still allowing 
spreading malware and potentially infecting users as they are publicly 
accessible. Just fetching the source package will give you this nice 
surprise.


In most cases, samples can be replaced with EICAR or equivalent to 
trigger the expected result, or tested with unit tests and proper mocking.



--
Jarkko Palviainen
Software Engineer, Linux Team
F-Secure Corporation


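Two proposals in this thread point the same way: Henrique's "defang it for good, replacing most of the virus code with crap while preserving the malformedness", and Jarkko's note above that samples can be replaced with an equivalent that still triggers the expected result. The block below is an editor-added example of that defanging applied to a mail-archive test fixture; it is not code from the thread, from Henrique, or from libmail-deliverystatus-bounceparser-perl, and the bounce message it rewrites is constructed here with placeholder text as its attachment. Headers, boundaries, line lengths and base64 padding are kept byte for byte, so whatever structural quirks a parser test depends on survive; only the attachment payload changes. It assumes a single level of multipart parts, with attachments marked by Content-Disposition or a non-text Content-Type.

```python
"""Defang a mail fixture (added example, not from the thread or the package):
overwrite attachment payloads in place while keeping every other byte.
Assumed layout: one level of multipart parts; attachments are parts with
Content-Disposition: attachment or a non-text Content-Type.  The fixture
below is constructed; its attachment is placeholder text."""

import base64
import email
import re

B64_ALPHABET = re.compile(rb"[A-Za-z0-9+/]")   # '=' padding is kept as is
NON_EOL = re.compile(rb"[^\r\n]")             # any byte except a line break


def _headers_say_attachment(header_bytes):
    """Decide from a part's raw headers whether its body should be replaced."""
    hdr = email.message_from_bytes(header_bytes.lstrip(b"\r\n"))
    disposition = (hdr.get("Content-Disposition") or "").strip().lower()
    return disposition.startswith("attachment") or not hdr.get_content_type().startswith("text/")


def defang_part(part):
    """'part' is everything between two boundary delimiters: the line break
    that ended the delimiter line, the part headers, a blank line, the body.
    Attachment bodies are rewritten in place; header bytes are never touched."""
    sep = re.search(rb"\r?\n\r?\n", part)
    if sep is None:
        return part                       # no header/body split: leave alone
    headers, body = part[:sep.end()], part[sep.end():]
    if not _headers_say_attachment(headers):
        return part
    hdr = email.message_from_bytes(headers.lstrip(b"\r\n"))
    encoding = (hdr.get("Content-Transfer-Encoding") or "").strip().lower()
    if encoding == "base64":
        # Each 'A' encodes six zero bits, so the body still decodes to the same
        # number of bytes (now all zero); padding and line breaks are untouched.
        return headers + B64_ALPHABET.sub(b"A", body)
    return headers + NON_EOL.sub(b"X", body)   # other encodings: keep line structure


def defang_message(raw):
    """Rewrite the attachment bodies of a single-level multipart message."""
    boundary = email.message_from_bytes(raw).get_boundary()
    if boundary is None:
        return raw                        # not multipart: nothing to do
    delimiter = b"--" + boundary.encode("ascii")
    chunks = raw.split(delimiter)
    out = [chunks[0]]                     # top-level headers and preamble
    for chunk in chunks[1:]:
        # A chunk starting with '--' is the tail of the closing delimiter.
        out.append(chunk if chunk.startswith(b"--") else defang_part(chunk))
    return delimiter.join(out)


def attachment_payloads(raw):
    """Decoded attachment bodies as the stdlib parser sees them; shows that
    the defanged fixture still parses and keeps its attachment sizes."""
    msg = email.message_from_bytes(raw)
    return [p.get_payload(decode=True) for p in msg.walk()
            if p.get_content_disposition() == "attachment"]


# Constructed fixture: a bounce with a text part and a zip-labelled attachment
# whose content is placeholder text standing in for the original sample.
PAYLOAD = b"placeholder bytes standing in for the original attachment\n" * 4
SAMPLE = (
    b"From: mailer-daemon@example.invalid\r\n"
    b"To: someone@example.invalid\r\n"
    b"Subject: Delivery Status Notification (Failure)\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"fixture-boundary\"\r\n"
    b"\r\n"
    b"--fixture-boundary\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Your message could not be delivered.\r\n"
    b"--fixture-boundary\r\n"
    b"Content-Type: application/zip; name=\"details.zip\"\r\n"
    b"Content-Disposition: attachment; filename=\"details.zip\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(PAYLOAD).replace(b"\n", b"\r\n")
    + b"--fixture-boundary--\r\n"
)

if __name__ == "__main__":
    cleaned = defang_message(SAMPLE)
    print(len(SAMPLE), len(cleaned), attachment_payloads(cleaned))
```

Because the substitution is one byte for one byte, the defanged file has the same length, the same line breaks and the same MIME structure as the original; a parser regression test that depends on the message's shape keeps exercising the same code paths, while the payload no longer carries anything a scanner would match.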



Re: Bug#726393: general: Possible malware infections in source packages

2013-10-15 Thread Thijs Kinkhorst
On Tue, October 15, 2013 14:09, Dominique Dumont wrote:
> In the libmail-deliverystatus-bounceparser-perl case, the virus is used in the
> non-regression tests which are shipped in the original tarball (and in the
> Debian *source* package). This virus is *not* shipped in the Debian binary
> package.

I'm still not sure why the virus contained in the source could not be
replaced by the EICAR test signature.

Setting off false positive alarms masks true positives so should be
avoided as much as possible.

The EICAR test signature exists exactly for the purpose of tests. I would
consider any other virus sample shipped by Debian, be it source or binary,
a bug and I invite Jarkko to report them as such against the respective
packages, so they can be solved in coordination with their upstreams.


Cheers,
Thijs





Re: Bug#726393: general: Possible malware infections in source packages

2013-10-15 Thread Dominique Dumont
On Tuesday 15 October 2013 13:19:38 Thijs Kinkhorst wrote:
> > It isn't a false positive in that regard that the package *does* in fact
> > contain the virus sample. However, it *is* a false positive, as the
> > sample is there intentionally, and no virus scanner can guess the reason
> > why it is there. It does no harm in the location where it is, it will
> > not spread, so is it in fact a virus? No, it isn't.
> 
> I'm missing why the package cannot use the EICAR test virus signature for
> its purposes.

In the libmail-deliverystatus-bounceparser-perl case, the virus is used in the
non-regression tests which are shipped in the original tarball (and in the
Debian *source* package). This virus is *not* shipped in the Debian binary package.

HTH

-- 
 https://github.com/dod38fr/   -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/  -o-   irc: dod at irc.debian.org





Bug#726393: general: Possible malware infections in source packages

2013-10-15 Thread Thijs Kinkhorst
On Tue, October 15, 2013 12:54, Dominik George wrote:
>> I looked into one of these, libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz,
>> and found a multipart email file containing a zip attachment. Inside this
>> archive is a .pif file (PE32 executable for MS Windows) which is detected as
>> Win32.Worm.Mytob.EF.
>
> Yes, and the package carries it because it needs it in its operation.
> Have you read the README file?

I have in fact read the README and it doesn't seem to mention anything
about this, it doesn't even have the word "virus" at all.

>> This doesn't look like a false positive.
>
> It isn't a false positive in that regard that the package *does* in fact
> contain the virus sample. However, it *is* a false positive, as the
> sample is there intentionally, and no virus scanner can guess the reason
> why it is there. It does no harm in the location where it is, it will
> not spread, so is it in fact a virus? No, it isn't.

I'm missing why the package cannot use the EICAR test virus signature for
its purposes.


Thijs


Archive: 
http://lists.debian.org/54f73ee1a529788f845b9918870d74b3.squir...@aphrodite.kinkhorst.nl



Bug#726393: general: Possible malware infections in source packages

2013-10-15 Thread Scott Kitterman
Pymilter is a false positive. 


Archive: 
http://lists.debian.org/fe0156c2-4f46-448c-b585-6323a1778...@email.android.com



Bug#726393: general: Possible malware infections in source packages

2013-10-15 Thread Dominik George
Hi,

I have looked into this a bit.

> Some of the source packages were caught on a gateway anti-virus scanner while
> downloading.

Using a gateway anti-virus scanner for downloads from the Debian archive
seems a bit inappropriate, well, paranoid. Checking the signed hashsums
would seem a lot better to verify the downloads; if Debian's
infrastructure were compromised so viruses could get in *and* be signed,
we and you have other problems.

> http://ftp.fi.debian.org/[...]

If you suspect an issue with the Debian archive, please test against 
ftp.debian.org.

> I looked into one of these, libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz,
> and found a multipart email file containing a zip attachment. Inside this
> archive is a .pif file (PE32 executable for MS Windows) which is detected as
> Win32.Worm.Mytob.EF.

Yes, and the package carries it because it needs it in its operation.
Have you read the README file?

> This doesn't look like a false positive.

It isn't a false positive in that regard that the package *does* in fact
contain the virus sample. However, it *is* a false positive, as the
sample is there intentionally, and no virus scanner can guess the reason
why it is there. It does no harm in the location where it is, it will
not spread, so is it in fact a virus? No, it isn't.

> I hope that the source packages would be sanitized from any actual
> malware samples.

If a package has to contain virus samples for its operation, then how
should anyone sanitize it?

You just found one more reason why anti-virus sucks.

(JM2C, I am not a Debian release engineer or DD.)

Cheers,
Nik

-- 
 One Jabber account to find them all; to drive them into darkness
and bind them forever; in the NaturalNet, where the shadows loom ;)!

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296
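
Nik's alternative to a gateway scanner, checking the signed hashsums, as an added example (not Debian, dpkg or devscripts code): parse the `Checksums-Sha256` field of a clearsigned `.dsc` and verify a downloaded `orig.tar.gz` against the size and digest it records. The `.dsc` and tarball bytes here are constructed stand-ins in the archive's layout, with a placeholder signature block; on a real download the signature is checked first with `gpg --verify` against the Debian keyring (or with `dscverify` from devscripts, which does both steps), and only then are the checksums trusted.

```python
"""Verify a downloaded Debian source tarball against the checksums in its
signed .dsc.  Added example, not Debian or devscripts code; the .dsc below is
constructed to the archive's layout and carries a placeholder signature."""
import hashlib

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def strip_clearsign(text: str) -> str:
    """Return the signed body of an OpenPGP clearsigned document (RFC 4880
    section 7): drop the armor header lines, stop at the signature block and
    undo dash-escaping.  This does NOT check the signature; run
    `gpg --verify` or `dscverify` on the .dsc before trusting its content."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        return text                      # not clearsigned at all
    i = 1
    while i < len(lines) and lines[i] != "":
        i += 1                           # skip "Hash: SHA256" and friends
    body = []
    for line in lines[i + 1:]:
        if line == BEGIN_SIG:
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body) + "\n"


def parse_checksums(dsc_text: str, field: str = "Checksums-Sha256") -> dict:
    """Return {filename: (hexdigest, size)} from one multi-line checksum field
    of a deb822-format .dsc (continuation lines start with a space)."""
    result = {}
    in_field = False
    for line in strip_clearsign(dsc_text).splitlines():
        if in_field:
            if line.startswith(" "):
                digest, size, name = line.split()
                result[name] = (digest.lower(), int(size))
                continue
            break                        # next field begins
        if line.lower().startswith(field.lower() + ":"):
            in_field = True
    return result


def verify_file(dsc_text: str, name: str, data: bytes) -> bool:
    """True iff `data` has the size and SHA-256 the .dsc records for `name`.
    A file the .dsc does not list is rejected, not ignored."""
    entry = parse_checksums(dsc_text).get(name)
    if entry is None:
        return False
    digest, size = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


ORIG_NAME = "libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz"
# Constructed stand-in for the tarball bytes; the real file is not embedded.
SAMPLE_ORIG = b"constructed stand-in for the orig.tar.gz contents\n" * 8


def make_sample_dsc(orig_name: str, orig_data: bytes) -> str:
    """Constructed .dsc in the archive's layout.  A real one is written by
    dpkg-source and signed by the uploader; the signature block here is a
    placeholder that gpg would reject."""
    sha = hashlib.sha256(orig_data).hexdigest()
    md5 = hashlib.md5(orig_data).hexdigest()
    return (
        f"{BEGIN_SIGNED}\n"
        "Hash: SHA256\n"
        "\n"
        "Format: 3.0 (quilt)\n"
        "Source: libmail-deliverystatus-bounceparser-perl\n"
        "Checksums-Sha256:\n"
        f" {sha} {len(orig_data)} {orig_name}\n"
        "Files:\n"
        f" {md5} {len(orig_data)} {orig_name}\n"
        f"{BEGIN_SIG}\n"
        "\n"
        "placeholder-signature-not-valid\n"
        "-----END PGP SIGNATURE-----\n"
    )


if __name__ == "__main__":
    dsc = make_sample_dsc(ORIG_NAME, SAMPLE_ORIG)
    print("genuine :", verify_file(dsc, ORIG_NAME, SAMPLE_ORIG))
    print("tampered:", verify_file(dsc, ORIG_NAME, SAMPLE_ORIG + b"\x00"))
```

The same chain runs one level up: the archive's signed `Release` file lists the digest of the `Sources` index, and `Sources` lists the digests of each `.dsc` and `orig.tar.gz`, so a download that matches is the bytes the maintainer uploaded whether or not a gateway scanner dislikes what is inside them. The `Files` field (MD5) is kept only because dpkg still emits it; the SHA-256 field is the one to check.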




Bug#726393: general: Possible malware infections in source packages

2013-10-15 Thread Jarkko Palviainen
Package: general
Severity: normal

Some of the source packages were caught on a gateway anti-virus scanner while
downloading.

These are the exact downloads:

http://ftp.fi.debian.org/debian/pool/main/libm/libmime-explode-perl/libmime-explode-perl_0.39.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/p/pymilter/pymilter_0.9.5.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/libm/libmail-deliverystatus-bounceparser-perl/libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz
http://ftp.fi.debian.org/debian/pool/main/l/linkchecker/linkchecker_7.9.orig.tar.bz2

I also uploaded the archives to virustotal.com for scanning with multiple
vendors:
https://www.virustotal.com/en/file/2403530b352c591464b96b37173031749c993967ed6e1375b6d295ef84576ac9/analysis/
https://www.virustotal.com/en/file/2edb67ca8b8831991d7ba24092829e775355e5a35aeae61cac52de0dc82b2fd5/analysis/
https://www.virustotal.com/en/file/af45514ed8ad5491c8dd1d682a5061c79f624e1789abef3f27e92bcd3653c052/analysis/
https://www.virustotal.com/en/file/7bb478a4f9512e1dfe77c658f0410d62d9af91cedc35ee7aaaff6bc9a56d7f85/analysis/

I looked into one of these, libmail-deliverystatus-bounceparser-perl_1.531.orig.tar.gz,
and found a multipart email file containing a zip attachment. Inside this archive
is a .pif file (PE32 executable for MS Windows) which is detected as
Win32.Worm.Mytob.EF.

This doesn't look like a false positive. I hope that the source packages would
be sanitized from any actual malware samples.



-- System Information:
Debian Release: 7.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


Archive: 
http://lists.debian.org/20131015102815.23380.68872.report...@debian.f-secure.com