I think I found malware in a repo package

Hi there,
I’m getting repeated hits for Win.Malware.Cerbu-9950095-0 in the files associated with the libwine-development package.

$ clamscan -i -l clamscan_wine.log -r /usr/lib/x86_64-linux-gnu/wine-development
/usr/lib/x86_64-linux-gnu/wine-development/sc.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/cabarc.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/dism.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/regsvcs.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/cmd.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/netsh.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/whoami.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/conhost.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/svchost.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/powershell.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/servicemodelreg.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/iexplore.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/cscript.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/wevtutil.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/ngen.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/reg.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/extrac32.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/regedit.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/tasklist.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/rundll32.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/winemine.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/sdbinst.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/find.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/arp.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/msinfo32.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/chcp.com: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/taskkill.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/start.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/wscript.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/net.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/xcopy.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/findstr.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/winmgmt.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/dpnsvr.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/uninstaller.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/rpcss.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/winedevice.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/msidb.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/regsvr32.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/fsutil.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/schtasks.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/aspnet_regiis.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/presentationfontcache.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/netstat.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/dxdiag.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/winemsibuilder.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/mofcomp.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/explorer.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/fc.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/attrib.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/plugplay.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/wusa.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/regasm.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/wmplayer.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/termsv.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/shutdown.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/wmic.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/regini.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/subst.exe: Win.Malware.Cerbu-9950095-0 FOUND
/usr/lib/x86_64-linux-gnu/wine-development/systeminfo.exe: Win.Malware.Cerbu-9950095-0 FOUND

I get the same result after apt remove libwine-development --purge && apt install libwine-development.

Is this ordinary?


It is likely this is a false positive - signature-based malware detection (such as that used by ClamAV and other AV tools) is known for this kind of issue. There are also other similar false positives from other packages within the Ubuntu archive - an incomplete list can be seen at https://git.launchpad.net/ubuntu-cve-tracker/tree/README.virus

Can you provide more details on what Ubuntu version you are running? Thanks.

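One way to triage hits like the ones in the first post before reporting them, as an added example that is not from this thread: check each flagged file against the MD5 manifest dpkg recorded at install time. A file whose hash still matches is the file the archive shipped, which points at the signature rather than at tampering. The fixture directory, file contents and clamscan log below are constructed so the script runs offline; the live-system invocation in the final comment assumes the multiarch manifest name libwine-development:amd64.md5sums.

```shell
#!/bin/sh
# Added example (not from the thread): triage clamscan hits by checking each
# flagged file against the md5 manifest dpkg recorded at install time
# (/var/lib/dpkg/info/<package>.md5sums). A hit whose hash still matches the
# manifest is the file the archive shipped, which points to a signature false
# positive; a mismatch means the file changed after installation.

# Print the path from each clamscan line of the form "/path: Signature FOUND".
clamscan_hits() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p' "$1"
}

# verify_hit MANIFEST ROOT PATH -> prints unchanged | modified | unknown
# ROOT is "/" on a live system; manifest entries are relative to it.
verify_hit() {
    manifest=$1; root=${2%/}; path=$3
    rel=${path#"$root"/}
    expected=$(awk -v f="$rel" '$2 == f { print $1 }' "$manifest")
    [ -n "$expected" ] || { echo unknown; return 0; }
    actual=$(md5sum "$path" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] && echo unchanged || echo modified
}

# triage LOG MANIFEST ROOT -> one "status<TAB>path" line per hit
triage() {
    clamscan_hits "$1" | while IFS= read -r p; do
        printf '%s\t%s\n' "$(verify_hit "$2" "$3" "$p")" "$p"
    done
}

# Constructed fixture for an offline run: a fake package root, its manifest,
# one file left pristine, one tampered with after the manifest was written,
# and a clamscan log naming both. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d); sub=usr/lib/wine-development
    mkdir -p "$dir/$sub"
    printf 'MZ stub\n' > "$dir/$sub/sc.exe"
    printf 'MZ stub\n' > "$dir/$sub/cmd.exe"
    (cd "$dir" && md5sum "$sub/sc.exe" "$sub/cmd.exe") > "$dir/manifest.md5sums"
    printf 'MZ tampered\n' >> "$dir/$sub/cmd.exe"
    printf '%s/%s/sc.exe: Win.Malware.Cerbu-9950095-0 FOUND\n' "$dir" "$sub" > "$dir/clamscan.log"
    printf '%s/%s/cmd.exe: Win.Malware.Cerbu-9950095-0 FOUND\n' "$dir" "$sub" >> "$dir/clamscan.log"
    echo "$dir"
}

# Live use: triage clamscan_wine.log /var/lib/dpkg/info/libwine-development:amd64.md5sums /
if [ "$#" -eq 3 ]; then triage "$@"; fi
```

The same check is what `dpkg --verify libwine-development` does for the whole package; dpkg's manifest is MD5, so it catches post-install modification but is not a cryptographic assurance, and a stronger comparison is against the .deb fetched again from the archive through apt's signed Release chain.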

Out of interest - as a sample, I uploaded this file from libwine-development in both Ubuntu 22.04 and Ubuntu 20.04 to VirusTotal

I suspect you are running 20.04 due to the ClamAV detection in that result - but even in this case there are only 3 vendors that detect this, so again this seems to suggest it is a false positive.


This is in Ubuntu 20.04.5, good sleuthing.
So if I present this to someone at ClamAV, any chance they will investigate and address the false positive?

It would definitely be worth a try.

The couple that were posted are threats because of the Sigma rule. I am not sure if ClamAV takes those and makes static definitions out of them. In the process of reaching out to the creator of the signature, it turns out he found a bug in it, so that is good… I will try to reproduce if I get a sec.