Dr.Web for linux finds one trojan and one exploit

mm5375
Posts: 1
Joined: 2015-09-24 13:33

Dr.Web for linux finds one trojan and one exploit

#1 Post by mm5375 »

I'm running Jessie testing and have the latest Dr.Web anti-virus for Linux running on top of it. After a full system scan Dr.Web is reporting that it found a trojan in texlive-latex-base_2015.20150823-1_all.deb. It also reports that it has found the exploit Exploit:Win32/CVE-2015-2426 in /usr/share/fonts/truetype/dejavu/DejaVuSerif.ttf. Both of these things seem to be packaged for Windows systems but I don't like seeing reports like this on my Debian. :twisted:

Infected archive
Isolated: 02:16 18/09/2015
Quarantine type: System quarantine

Object name: texlive-latex-base_2015.20150823-1_all.deb
Owner: root
Modified: 08:30 23/08/2015
Size: 961.52 KB

Origin path:
/var/cache/apt/archives/texlive-latex-base_2015.20150823-1_all.deb

Detected threats:
texlive-latex-base_2015.20150823-1_all.deb/data.tar.xz/xz/./usr/share/texlive/texmf-dist/scripts/context/stubs/mswin/mptopdf.exe - infected with Trojan.Click3.14982


Threat name: Exploit.CVE-2015-2426.1
Isolated: 15:21 28/07/2015
Quarantine type: System quarantine

Object name: DejaVuSerif.ttf
Owner: root
Modified: 11:46 25/08/2013
Size: 358.65 KB

Origin path:
/usr/share/fonts/truetype/dejavu/DejaVuSerif.ttf

michapma
Posts: 544
Joined: 2008-05-04 20:49
Location: Prague

Re: Dr.Web for linux finds one trojan and one exploit

#2 Post by michapma »

False positives?

1) It would be hard to put malware in texlive-latex-base; it contains mostly LaTeX packages made of text files. You should extract the deb file and let it scan the individual files to see where precisely it thinks the problem is. The threat is supposed to be Trojan.Click3.14982—what exactly do they say it is? I couldn’t find anything in a search engine.

2) The DejaVu fonts are from Bitstream and are in main; they’ve been distributed for quite a while. https://en.wikipedia.org/wiki/DejaVu_fonts
The threat is called Exploit.CVE-2015-2426.1. Running this link http://forum.drweb.com/index.php?showtopic=322037 from a July 2015 thread through an online translator indicates that the issue has been fixed—as in, it was a false positive.

I don’t at all see how either of these two should seem to be packaged for Windows.

It is good for business for these things to turn up stuff on your system that “could be dangerous.”
http://products.drweb.com/linux/?lng=en (Emphasis is in the original.)
Many people believe that:
  • Linux and its software are impregnable to infection due to its perfect design and open-source nature.
  • Malware can get on a machine only through user carelessness and negligence.
This is a fallacy! And such attitudes result in the loss of control over an unprotected machine which turns into a safe haven for malware.
Btw, Jessie has been the stable release for some time now.
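The triage michapma describes (work out what the scanner actually flagged, and whether it could even run on this host) can be scripted. What follows is an added example, not code from the thread, from Dr.Web or from Debian: it parses quarantine entries in the layout mm5375 pasted (the sample text is constructed from that post) and annotates each detection with the two questions a defender asks first: is the flagged object a Windows artifact that cannot execute natively on Linux, and can its origin be re-verified against the signed Debian archive? The function names and the heuristic marker lists are assumptions of this example, not a vendor taxonomy.

```python
"""Triage antivirus findings on a Debian system (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: two quarantine entries in the layout the original poster pasted.
SAMPLE_REPORT = """\
Infected archive
Isolated: 02:16 18/09/2015
Quarantine type: System quarantine

Object name: texlive-latex-base_2015.20150823-1_all.deb
Owner: root
Modified: 08:30 23/08/2015
Size: 961.52 KB

Origin path:
/var/cache/apt/archives/texlive-latex-base_2015.20150823-1_all.deb

Detected threats:
texlive-latex-base_2015.20150823-1_all.deb/data.tar.xz/xz/./usr/share/texlive/texmf-dist/scripts/context/stubs/mswin/mptopdf.exe - infected with Trojan.Click3.14982


Threat name: Exploit.CVE-2015-2426.1
Isolated: 15:21 28/07/2015
Quarantine type: System quarantine

Object name: DejaVuSerif.ttf
Owner: root
Modified: 11:46 25/08/2013
Size: 358.65 KB

Origin path:
/usr/share/fonts/truetype/dejavu/DejaVuSerif.ttf
"""

# Heuristic marker lists (assumptions of this example, not a vendor taxonomy).
# CVE-2015-2426 is a Windows Adobe Type Manager Library issue, as noted later in the thread.
WINDOWS_SIGNATURE_MARKERS = ("Win32", "CVE-2015-2426")
WINDOWS_PATH_MARKERS = ("/mswin/", ".exe", ".dll", ".scr")


@dataclass
class Finding:
    threat: str            # scanner's signature name
    origin: str            # file on disk that was quarantined
    inner_path: str = ""   # path inside the archive, when the origin is an archive
    notes: list = field(default_factory=list)

    @property
    def flagged_object(self) -> str:
        return self.inner_path or self.origin


def parse_report(text: str) -> list:
    """Split quarantine text into entries and pull out threat name, origin and inner path."""
    findings = []
    for entry in re.split(r"\n(?=Infected archive|Threat name:)", text.strip()):
        origin = re.search(r"^Origin path:\n(\S+)", entry, re.M)
        threat = re.search(r"^Threat name:\s*(\S+)", entry, re.M)
        inner = re.search(r"^(\S+) - infected with (\S+)", entry, re.M)
        f = Finding(threat=threat.group(1) if threat else "",
                    origin=origin.group(1) if origin else "")
        if inner:  # archive entry: the threat name sits on the "Detected threats" line
            f.inner_path, f.threat = inner.group(1), inner.group(2)
        findings.append(f)
    return findings


def triage(f: Finding) -> Finding:
    """Attach the checks a defender would run before treating the finding as a compromise."""
    obj = f.flagged_object.lower()
    if any(m in f.threat for m in WINDOWS_SIGNATURE_MARKERS) or any(m in obj for m in WINDOWS_PATH_MARKERS):
        f.notes.append("windows-only artifact: not natively executable on Linux")
    if f.origin.startswith("/var/cache/apt/archives/") and f.origin.endswith(".deb"):
        f.notes.append("apt-cached .deb: compare its SHA256 with the signed Packages index, "
                       "then unpack with dpkg-deb -x and scan the extracted tree")
    elif f.origin.startswith("/usr/"):
        f.notes.append("installed file: verify against package metadata with dpkg -V or debsums")
    if not f.notes:
        f.notes.append("no platform mismatch detected: inspect manually")
    return f


def triage_report(text: str) -> list:
    """Parse and annotate every entry of a quarantine report."""
    return [triage(f) for f in parse_report(text)]


if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"{f.threat}\n  object: {f.flagged_object}")
        for note in f.notes:
            print(f"  - {note}")
```

The verification steps named in the notes are the standard Debian ones: `apt-cache show <package>` prints the SHA256 the signed index carries for the .deb, `dpkg-deb -x pkg.deb dir` unpacks it so a scanner can be pointed at individual files as michapma suggests, and `dpkg -V` (or `debsums`) compares installed files against the package's recorded checksums. A platform mismatch is a strong hint, not proof; the checksum comparison is what settles whether the file is the one Debian shipped.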

NFT5
df -h | grep > 20TiB
Posts: 598
Joined: 2014-10-10 11:38
Location: Canberra, Australia
Has thanked: 10 times
Been thanked: 43 times

Re: Dr.Web for linux finds one trojan and one exploit

#3 Post by NFT5 »

Hmmmm.

Brand new machine and Jessie only just loaded.

Image

False positives? Maybe.....

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: Dr.Web for linux finds one trojan and one exploit

#4 Post by tomazzi »

What is this "Doctor WEB"??? - another shitty soft made to frighten the user about how "potentially" he could be attacked?
"Doctor Web" has literally *zero* hits in anti-virus databases - therefore it seems that the guy who mentioned this is a stupid troll, nothing more...
NFT5 wrote:Hmmmm.

Brand new machine and Jessie only just loaded.

Image

False positives? Maybe.....
Are You stupid or what?
You're showing a problem in a mono / Win32 "packer" ...

???

Besides, whether this is java or mono - it doesn't change much - both are leaking and are suboptimal...
Odi profanum vulgus

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Dr.Web for linux finds one trojan and one exploit

#5 Post by dasein »

tomazzi wrote:Besides, whether this java or mono - it doesn't change much - both are leaking and are suboptimal...
+1 If a Linux user chooses to run Windows malware using Wine or mono, then that's hardly the fault of Linux.

NFT5
df -h | grep > 20TiB
Posts: 598
Joined: 2014-10-10 11:38
Location: Canberra, Australia
Has thanked: 10 times
Been thanked: 43 times

Re: Dr.Web for linux finds one trojan and one exploit

#6 Post by NFT5 »

tomazzi wrote:Are You stupid or what?
You're showing a problem in a mono / Win32 "packer" ...
Just concerned. This was the result of a clamav scan on a brand new installation.

I don't use Wine or mono and have never experienced this in Wheezy. The files would have come from the Debian repos which, until I understand more about why they showed up in the scan, would seem, to me, to justify some concern. That was the reason I posted up - to get more knowledge and feedback from those who might have it. Not to be insulted by being called "stupid".

If you'd care to enlighten me then I'd be happy to take the knowledge on board.

geoaraujo
Posts: 32
Joined: 2015-07-04 22:25

Re: Dr.Web for linux finds one trojan and one exploit

#7 Post by geoaraujo »

NFT5 wrote:I don't use Wine or mono [...].
Pinta uses mono.
Debian 12

KDE Plasma 5.26.4
Dell Inspiron 7572 Intel i7-8550U CPU 1.8 GHz 64-bit Integrated Graphics 16GB ram

TDE R14.0.13
Acer TravelMate B117-M Intel Celeron N3060 2.48GHz 64-bit Integrated Graphics 4GB ram

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: Dr.Web for linux finds one trojan and one exploit

#8 Post by tomazzi »

NFT5 wrote:
tomazzi wrote:Are You stupid or what?
You're showing a problem in a mono / Win32 "packer" ...
Just concerned. This was the result of a clamav scan on a brand new installation.

I don't use Wine or mono and have never experienced this in Wheezy. The files would have come from the Debian repos which, until I understand more about why they showed up in the scan, would seem, to me, to justify some concern. That was the reason I posted up - to get more knowledge and feedback from those who might have it. Not to be insulted by being called "stupid".

If you'd care to enlighten me then I'd be happy to take the knowledge on board.
I'm sorry if I didn't understand You well, but as an excuse I can tell that literally hundreds of trolls are attacking Linux today... - therefore my replies may be biased....

Anyway, just in the moment, I'll have to write an "unbiased" report about how the guys are dealing with the "community"...
Odi profanum vulgus

NFT5
df -h | grep > 20TiB
Posts: 598
Joined: 2014-10-10 11:38
Location: Canberra, Australia
Has thanked: 10 times
Been thanked: 43 times

Re: Dr.Web for linux finds one trojan and one exploit

#9 Post by NFT5 »

geoaraujo wrote:
NFT5 wrote:I don't use Wine or mono [...].
Pinta uses mono.
OK, thanks. I didn't know that. Explains part of it.
tomazzi wrote:I'm sorry if I didn't understand You well, but as an excuse I can tell that literally hundreds of trolls are attacking Linux today... - therefore my replies may be biased....

Anyway, just in the moment, I'll have to write an "unbiased" report about how the guys are dealing with the "community"...
No problem. I'll look forward to it.

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Dr.Web for linux finds one trojan and one exploit

#10 Post by pcalvert »

tomazzi wrote:What is this "Doctor WEB"??? - another shitty soft made to frighten the user about how "potentially" he could be attacked?
"Doctor Web" has literally *zero* hits in an anti-virus databases - therefore it seems that the guy, who mentioned this is a stupid troll, nothing more...
Dr. Web is well-known antivirus software -- amongst those who have an interest in such things. For example, you can find people discussing the software at the Wilders Security Forums.

See: Dr. Web discussions on the Wilders Security Forums (Google link)

Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Dr.Web for linux finds one trojan and one exploit

#11 Post by GarryRicketson »

I don't know about this "dr web"; it is commercial software, and obviously they would make attempts to boost sales by spreading FUD.
Yes, I also agree, it is very "naive" for anyone to be thinking that just because they use Linux, they can not get exploited, hacked or also host and spread viruses that infect Windows.
If anyone is concerned, and they should be, about keeping their system clean, maintained, up to date and secure, learning enough about their system and using what is available in the Debian repos is the best way to go (in my opinion).
There is "clamav"; also "bleach bit" is very useful. If a GUI is needed, and I recommend
it with "clamav", ClamTK is needed.
It is true that the "false sense" of security, and thinking one never needs to be concerned about keeping their Linux system secure,
Malware can get on a machine only through user carelessness and negligence.
is a false statement, although user carelessness and negligence is probably one of the most common ways, neglect as well. But I honestly have my doubts that this Dr. Web is much of a solution either... it is a "gimmick", and probably is responsible for
many people having a "false sense of security": "Oh, I don't have to do anything, I have Linux with Dr.Web protecting my system".
Here are some links that should be helpful in understanding what really is needed to maintain a Debian system and keep it secure.
https://www.debian.org/doc/manuals/secu ... 12.en.html
Same documents, different chapter:
https://www.debian.org/doc/manuals/secu ... 10.en.html
And then this, it is from a different forum, but a pretty good article:
http://www.linux.org/threads/malware-an ... inux.4455/

Learning about your Debian system, on your home PC or server, and being familiar with all the programs it is using, what files they use, etc., and monitoring the system is the best security.

A very useful program, and it should be in your system by default, but if not, it is available in the Debian repos: "TOP".
To start it simply type:

top

$ man top

DESCRIPTION
The top program provides a dynamic real-time view of a running system.
It can display system summary information as well as a list of pro‐
cesses or threads currently being managed by the Linux kernel. The
types of system summary information shown and the types, order and
size of information displayed for processes are all user configurable
and that configuration can be made persistent across restarts.
"TOP" does not block anything nor keep any virus or malware out, but if there is something active, messing with your system, there is a good chance you will see it when looking at what is going on on your system... Watch out for the "zombies"... :mrgreen:

Tasks: 176 total,   1 running, 175 sleeping,   0 stopped,   0 zombie

It is not as "easy" as buying "Dr.Web", and does take some time to read and study, but in the long run worth much more than some "gimmick" created by software manufacturers.
I can not prove it, but I am convinced that many so-called "viruses" are written, or "created", by the same programmers working for these companies, paid by them, then distributed to various sites on the internet, thus creating a need for this kind of software. If I could prove it, I probably would be "assassinated" before I was able to publish any real proof. Some people would/will say that is ridiculous, and maybe it is, but it does not change my suspicions.



I check all the links posted; this is part of making sure it is not spam. Well, that sometimes leads to me looking at websites I shouldn't have. I usually check the web site before I actually look at it, via some site scanning services or "Mywot.com". Often at "mywot.com" the questionable website is already reported and listed; many have reports of malware and viruses having been detected already on those sites. Obviously, I don't go and follow a link to a site that is already reported and known to be a source of malware, viruses, etc. Usually the sites that spammers post links to are "scams" as well. Anyway, to make an already too long post a little shorter,
I do scans on my computer regularly, at least once a week, sometimes sooner, and it is not unusual to get 2 or 3 hits of "viruses that target windows", often just false positives, others very real. I stopped checking them out a long time ago; I just delete them. Usually they get into the system via sites that require using "cookies", and are in the "chromium" caches.

NFT5
df -h | grep > 20TiB
Posts: 598
Joined: 2014-10-10 11:38
Location: Canberra, Australia
Has thanked: 10 times
Been thanked: 43 times

Re: Dr.Web for linux finds one trojan and one exploit

#12 Post by NFT5 »

All very good advice, Garry, but the point of my post was not about Dr Web but the fact that clamav found 3 (possible) infections on a brand new installation. Probably should have started a new thread but, regardless of the application used, the results were similar to the OP's so I posted in here.

I don't have Chromium (or Chrome) installed (yet) and hadn't actually used the machine on the web when I did the scan. All software came from Debian repos so that could be the only point of origin. Does that mean that files in the repos are infected? Or are they actually infected? I don't know, yet. Was kinda hoping someone would jump on and say "Yep, false positive, don't worry about them", but that hasn't happened, yet.

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: Dr.Web for linux finds one trojan and one exploit

#13 Post by edbarx »

http://products.drweb.com/linux/?lng=en wrote:Many people believe that:

Linux and its software are impregnable to infection due to its perfect design and open-source nature.
Malware can get on a machine only through user carelessness and negligence.

This is a fallacy! And such attitudes result in the loss of control over an unprotected machine which turns into a safe haven for malware.
This is from an entity interested in monetary gain. Think again.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.

thanatos_incarnate
Posts: 717
Joined: 2012-11-04 20:36

Re: Dr.Web for linux finds one trojan and one exploit

#14 Post by thanatos_incarnate »

Sounds like this programme also thinks that on a Linux machine every .exe file is malware.
At first thought, yeah, why would a Linux user have exe files? But in this case, Pinta is probably
just packaged badly and includes the Windows binary as well.

Weird that it shows signed packages of LaTeX files and fonts as malware.

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: Dr.Web for linux finds one trojan and one exploit

#15 Post by edbarx »

Weird that it shows signed packages of LaTeX files and fonts as malware.
LaTeX can be used to create professional documents and even to publish books. That 'malware' is better kept at bay as it is a nasty competitor for commercial alternatives.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.

thanatos_incarnate
Posts: 717
Joined: 2012-11-04 20:36

Re: Dr.Web for linux finds one trojan and one exploit

#16 Post by thanatos_incarnate »

edbarx wrote:
Weird that it shows signed packages of LaTeX files and fonts as malware.
LaTeX can be used to create professional documents and even to publish books. That 'malware' is better kept at bay as it is a nasty competitor for commercial alternatives.
:lol:

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: Dr.Web for linux finds one trojan and one exploit

#17 Post by tomazzi »

NFT5 wrote:Anyway, just in the moment, I'll have to write an "unbiased" report about how the guys are dealing with the "community"...
...
No problem. I'll look forward to it.
mm5375 wrote:I'm running Jessie testing and have the latest Dr.Web anti-virus for Linux running on top of it. After a full system scan Dr.Web is reporting that it found a trojan in texlive-latex-base_2015.20150823-1_all.deb. It also reports that it has found the exploit Exploit:Win32/CVE-2015-2426 in
http://www.microsoft.com/security/porta ... -2015-2426
This CVE is not related to Debian - it is related to Winblows... In other words, Dr. Web is just a stupid malware, which is unable to recognize what platform it is running on... Oh, crap... :)

But, what's even more funny, when You'll search for that particular CVE number, then it shows up that it is *not* related to LaTeX, but to a "Windows Adobe Type Manager Library":
http://www.cvedetails.com/cve/CVE-2015-2426/

... conclusion:

Dr. Web is a malware itself - it is trying to cheat the users, and I suppose that not only GNU/Linux users...

Regards.
Odi profanum vulgus

NFT5
df -h | grep > 20TiB
Posts: 598
Joined: 2014-10-10 11:38
Location: Canberra, Australia
Has thanked: 10 times
Been thanked: 43 times

Re: Dr.Web for linux finds one trojan and one exploit

#18 Post by NFT5 »

Except that I didn't use Dr. Web. I used clamav.

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: Dr.Web for linux finds one trojan and one exploit

#19 Post by tomazzi »

Perhaps You should read more about clamAV - its main purpose is to clear e-mails of *WIN* viruses when running on GNU/Linux servers...
Odi profanum vulgus

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Dr.Web for linux finds one trojan and one exploit

#20 Post by GarryRicketson »

tomazzi wrote:Perhaps You should read more about clamAV - its main purpose is to clear e-mails of *WIN* viruses when running on GNU/Linux servers...
Although that is the "main purpose", it is very helpful in scanning the entire system, even if it is not a "mail server" or even a public server. But anyway, like everything,
reading docs, manuals, etc. does lead to knowing a lot more about using a program, as well as an OS. clamav does have some mailing lists, and a lot of info available.
The main reason I use and like it is it helps me scan my system quickly and semi-automatically. I am aware that it is possible (very unlikely though) that "things" have not even made it into the clamav databases, and would not even show up in the scans done. Most of the "detected" stuff is probably "false/positive", but the thing is, the files it detects are files that get into my system via the internet, and they are not files I want or need; clamav makes it easy to locate and delete those kind of files. I don't really even care if they are false positives or not, and stopped checking that a long time ago; just delete them and forget it.
To get a complete understanding, (I probably only "scratch the surface",) but any way to understand more about what is going on:
http://www.clamav.net/
http://www.clamav.net/contact
http://www.clamav.net/documents/installing-clamav
Then more:

$ man -k clam
clamtk (1)           - Graphical user interface (gui) for Clam AntiVirus
clamav-unofficial-sigs (8) - Download, test, and install third-party ClamAV ...
clambc (1)           - Bytecode Analysis and Testing Tool
clamconf (1)         - Clam AntiVirus configuration utility
clamd (8)            - an anti-virus daemon
clamd.conf (5)       - Configuration file for Clam AntiVirus Daemon
clamdscan (1)        - scan files and directories for viruses using Clam Ant...
clamdtop (1)         - monitor the Clam AntiVirus Daemon
clamscan (1)         - scan files and directories for viruses
clamsubmit (1)       - File submission utility for ClamAV
freshclam (1)        - update virus databases
freshclam.conf (5)   - Configuration file for Clam AntiVirus database update...
garry@debian:~$ man clamd
garry@debian:~$ man clamscan
garry@debian:~$ man clamtop
No manual entry for clamtop
garry@debian:~$ man clamdtop
garry@debian:~$ man clamtk
There is enough information in the above; even if I had the time, it would take a week or more, studying it all day, every day, for me to completely understand most of it. Others may be able to grasp the concepts and how to do things faster.
Another "free open source" tool, and many are going to say "How can that be useful to
detect viruses or malware?",
But anyway, "ImageMagick" is an important "tool". Why?
Some of the biggest sources of "malware" or virus type things are images downloaded from unclean, infected sites; ImageMagick can be very useful in determining if an image is safe and clean.
The image can be "disinfected", or cleaned, without damaging the image, but generally it is easier just to delete the infected image and find a clean one. For more details on that, some good searches and research would be productive.
This has a bunch of stuff I find interesting; I don't know if others will, but anyway
here it is:
How to use imagemagick to find embedded malware or viruses in images

http://www.perlmonks.org/?node_id=798222
And
http://security.stackexchange.com/quest ... -and-virus
I kind of "scratched the surface" on this, but the first time I heard of the problems infected images can cause was at another forum. A website/forum admin was having a lot of problems with spam, and the "spammers" kept coming back. When I looked at the site, it turned out it was full of infected images, none of which were detected by various "anti-virus" scanners; a lot of images had "hidden code" that actually was helping even more spam bots access the site.
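Garry's point that an image file can carry data the viewer never shows can be checked structurally, without ImageMagick. The following is an added example, not code from the thread or from ImageMagick: it walks a PNG's chunk list, verifies each chunk's CRC, and reports bytes that sit after the IEND chunk or chunk types the PNG specification does not define, which is where appended data usually lives because decoders silently ignore it. The sample images are constructed inside the script, and the function names and the chunk whitelist are this example's own assumptions; the same idea applies to JPEG (data after the EOI marker), which is not implemented here.

```python
"""Structural check of a PNG for appended or out-of-place data (added example, not from the thread)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification (a whitelist assumed by this example).
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
                b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
                b"sPLT", b"tIME"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(trailer: bytes = b"", extra_chunk=None) -> bytes:
    """Build a valid 1x1 RGB PNG (constructed sample); optionally add a foreign chunk or trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit depth, colour type 2 (RGB)
    scanline = b"\x00" + b"\xff\x00\x00"                   # filter byte 0 + one red pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanline))
    if extra_chunk:
        png += _chunk(*extra_chunk)
    return png + _chunk(b"IEND", b"") + trailer


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list; record CRC failures, unknown chunk types and bytes after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "bad_crc": [], "unknown_chunks": [],
              "has_iend": False, "truncated": False, "trailing_bytes": 0}
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):               # smallest possible chunk is 12 bytes
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):                     # declared length runs past the file
            report["truncated"] = True
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            report["bad_crc"].append(name)
        if ctype not in KNOWN_CHUNKS:
            report["unknown_chunks"].append(name)
        pos = end
        if ctype == b"IEND":                    # the image ends here by definition
            report["has_iend"] = True
            break
    report["trailing_bytes"] = len(data) - pos  # anything a decoder would never read
    return report


def is_suspicious(report: dict) -> bool:
    """Data the decoder ignores, or a broken structure, deserves a closer look before the file is trusted."""
    return bool(report["trailing_bytes"] or report["bad_crc"] or report["unknown_chunks"]
                or not report["has_iend"] or report["truncated"])


if __name__ == "__main__":
    for label, img in [("clean", make_png()),
                       ("appended", make_png(trailer=b"constructed: bytes a viewer never shows")),
                       ("foreign chunk", make_png(extra_chunk=(b"xxXX", b"constructed payload")))]:
        r = inspect_png(img)
        print(f"{label:14} suspicious={is_suspicious(r)} trailing={r['trailing_bytes']} "
              f"unknown={r['unknown_chunks']} bad_crc={r['bad_crc']}")
```

A hit from this check is a reason to drop or re-encode the file, not proof of malice: some software writes private chunks legitimately, so the unknown-chunk list is a prompt for inspection while trailing bytes after IEND are almost never benign.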
