[clamav-users] Lots of FP: Unix.Trojan.Mirai-5932143-0
Mikael Bak
mikael.bak at techteamer.com
Wed Feb 5 13:15:18 UTC 2020
Hi list,
Seems to me that the signature for this virus has to be reworked
somehow. It is throwing lots of FPs on Linux developer workstations.
Here's the output from last night's scan:
/snap/code/23/usr/share/code/code: Unix.Trojan.Mirai-5932143-0 FOUND
/snap/spotify/36/usr/share/spotify/libcef.so: Unix.Trojan.Mirai-5932143-0 FOUND
/snap/bitwarden/21/bitwarden: Unix.Trojan.Mirai-5932143-0 FOUND
/snap/slack/21/usr/lib/slack/slack: Unix.Trojan.Mirai-5932143-0 FOUND
/opt/google/chrome-beta/chrome: Unix.Trojan.Mirai-5932143-0 FOUND
/opt/google/chrome/chrome: Unix.Trojan.Mirai-5932143-0 FOUND
Microsoft Visual Code (snap version)
Spotify (snap version)
Bitwarden (snap version)
Slack (snap version)
Google Chrome stable and beta from Google repository.
I unpacked the daily database and searched for this virus and found
this in daily.ldb:
Unix.Trojan.Mirai-5932143-0;Engine:51-255,Target:6;0&1&(2>1)&(3>1);75726c3d;2f63646e2d6367692f;504f5354;7761746368646f67
I opened up one of the "infected" files in a hex editor and searched
for the above patterns. Here is the clear text of what this signature
searches for to trigger an alert:
url=
/cdn-cgi/
POST
watchdog
Personally I think it's unreasonable to trigger a virus alert just
because you can find the above strings in a binary. I think this rule
should be deleted until it's fixed.
Best regards,
Mikael Bak
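As an added example (not part of the post or of ClamAV itself), a small Python triage helper that decodes the quoted daily.ldb line, counts each subsignature in a file's bytes and applies the logical expression, so one can see exactly why a benign binary carrying these four strings is reported. It handles only the subset of the logical-expression syntax this signature uses (plain hex subsignatures, N, N>k/N<k/N=k, &, |, parentheses), and treating & as binding tighter than | is an assumption.

```python
import re

SIG_LINE = (  # the daily.ldb entry quoted in the post: name;target block;logic;hex subsignatures
    "Unix.Trojan.Mirai-5932143-0;Engine:51-255,Target:6;"
    "0&1&(2>1)&(3>1);75726c3d;2f63646e2d6367692f;504f5354;7761746368646f67")

def parse_ldb(line):
    """Split a logical signature; only plain hex subsignatures (no wildcards/offsets) are decoded."""
    name, target, logic, *subsigs = line.strip().split(";")
    return {"name": name, "target": target, "logic": logic,
            "patterns": [bytes.fromhex(h) for h in subsigs]}

def eval_logic(expr, counts):
    """Logic subset this signature uses: N (seen >=1), N>k/N<k/N=k on match counts, &, |, () (& assumed tighter)."""
    toks = re.findall(r"\d+|[&|()<>=]", expr)
    if "".join(toks) != expr:
        raise ValueError(f"unsupported logical expression: {expr!r}")
    pos = 0
    peek = lambda: toks[pos] if pos < len(toks) else None  # next token without consuming it
    def take(expected=None):
        nonlocal pos
        if peek() is None or (expected and peek() != expected):
            raise ValueError(f"malformed logical expression near token {pos}")
        pos += 1; return toks[pos - 1]
    def term():
        if peek() == "(":
            take("("); val = or_expr(); take(")")
            return val
        n = int(take())
        if peek() in ("<", ">", "="):  # compare the subsignature's match count with k
            op, k = take(), int(take())
            return {"<": counts[n] < k, ">": counts[n] > k, "=": counts[n] == k}[op]
        return counts[n] > 0           # bare index: matched at least once
    def and_expr():
        val = term()
        while peek() == "&":
            take(); val = term() and val
        return val
    def or_expr():
        val = and_expr()
        while peek() == "|":
            take(); val = and_expr() or val
        return val
    result = or_expr()
    if pos != len(toks):
        raise ValueError("trailing tokens in logical expression")
    return result

def triage(sig, data):
    counts = [data.count(p) for p in sig["patterns"]]  # occurrences of each decoded string
    return eval_logic(sig["logic"], counts), counts     # (FOUND?, per-subsignature counts)
```

With the quoted logic, any file that contains "url=" and "/cdn-cgi/" once and "POST" and "watchdog" at least twice is reported, which is why an ordinary web client trips it.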