[clamav-users] Question about Urlhaus.Malware.452652-9766253-0
Lilia Gonzalez Medina
liligonz at sourcefire.com
Mon Feb 8 17:39:01 UTC 2021
Hi Orion,
Apologies for taking too long to respond. After some tests I was able to
reproduce the FPs and target type 3 LDB signatures for Urlhaus have been
updated and published and should not alert on legitimate files anymore.
Please update your ClamAV database and if you still have some issues please
let me know.
Best regards,
Lilia Gonzalez
Malware Research Team
Cisco Talos
On Tue, Jan 12, 2021 at 12:54 PM Orion Poplawski <orion at nwra.com> wrote:
> Lilia -
>
> Odd, I see it:
>
> # https_proxy= curl -o ublock_origin-1.32.4-an+fx.xpi 'https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc'
> # clamscan ublock_origin-1.32.4-an+fx.xpi
> ublock_origin-1.32.4-an+fx.xpi: Urlhaus.Malware.364328-9787819-0 FOUND
>
> # clamscan --version
> ClamAV 0.103.0/26046/Mon Jan 11 05:34:14 2021
>
> # clamscan urlhaus-filter-online.txt
> urlhaus-filter-online.txt: Urlhaus.Malware.364328-9787819-0 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8799521
> Engine version: 0.103.0
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.29 MB
> Data read: 0.14 MB (ratio 2.11:1)
> Time: 21.911 sec (0 m 21 s)
> Start Date: 2021:01:12 10:37:52
> End Date: 2021:01:12 10:38:14
>
> Other URLs:
>
> Virus Urlhaus.Malware.364328-9787819-0:
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/14db9cf6ad7bfff32779d68d12b869e6f7e8ec1a/urlhaus-filter-online.txt: 1 Time(s)
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/14db9cf6ad7bfff32779d68d12b869e6f7e8ec1a/urlhaus-filter-online.txt: 1 Time(s)
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
>
> I've attached copies.
>
> Orion
>
> On 1/8/21 9:18 PM, Lilia Gonzalez Medina wrote:
> > Orion, I haven't been able to reproduce the FP with
> > https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> >
> > If you could send me the file that alerts with
> > Urlhaus.Malware.364328-9787819-0 I could look into it.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >
> > On Thu, Jan 7, 2021 at 12:00 PM Orion Poplawski <orion at nwra.com> wrote:
> >
> > Lilia -
> >
> > Virus database is updated daily and updated last night. Still seeing one
> > this morning:
> >
> > Virus Urlhaus.Malware.364328-9787819-0:
> > https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> >
> > Though that is a different signature.
> >
> > Orion
> >
> > On 1/7/21 7:56 AM, Lilia Gonzalez Medina wrote:
> > > Hi Orion!
> > >
> > > Those NDB signatures were updated at the beginning of the week and should not
> > > FP anymore. Please update your ClamAV db and let us know if the issue persists.
> > >
> > > Best regards,
> > >
> > > Lilia Gonzalez
> > > Malware Research Team
> > > Cisco Talos
> > >
> > >
> > > On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski <orion at nwra.com> wrote:
> > >
> > > Lilia -
> > >
> > > Thanks for the response. We're seeing some others getting triggered as
> > > well:
> > >
> > > Virus Urlhaus.Malware.490516-9766015-0:
> > > 10.21.2.5 https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
> > > 10.21.2.5 https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
> > > 10.21.2.5 https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
> > > 10.21.2.5 https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
> > > 10.21.2.5 https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)
> > >
> > > Virus Urlhaus.Malware.161756-8797115-0:
> > > 10.10.20.7 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> > > 10.11.1.3 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> > >
> > >
> > > Orion
> > >
> > > On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> > > > Hi Orion!
> > > >
> > > > Thank you for reporting this. URLhaus is a partner that generates a list of
> > > > ClamAV signatures to target malicious URLs. Signature
> > > > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> > > > files, which is why it is alerting on the URLs you mentioned. We found these
> > > > FPs some weeks ago and added an extra check on new ClamAV signatures to
> > > > prevent them from alerting on legitimate URLhaus content. We are currently
> > > > updating older ClamAV signatures to ensure they don't FP on non-malicious
> > > > HTML files.
> > > >
> > > > Best regards,
> > > >
> > > > Lilia Gonzalez
> > > > Malware Research Team
> > > > Cisco Talos
> > > >
> > > > On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <orion at nwra.com> wrote:
> > > >
> > > > Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> > > > signature? We're seeing the following URLs trigger it:
> > > >
> > > > https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> > > > https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> > > > https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> > > > https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> > > > https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> > > >
> > > > Which seem to be the online update URLs for the urlhaus filter. Does ClamAV
> > > > deem urlhaus a bad actor?
> > > >
> > > > Thanks,
> > > > Orion
> > > >
> > > > --
> > > > Orion Poplawski
> > > > Manager of NWRA Technical Systems 720-772-5637
> > > > NWRA, Boulder/CoRA Office FAX: 303-415-9702
> > > > 3380 Mitchell Lane orion at nwra.com
> > > > Boulder, CO 80301 https://www.nwra.com/
> > > >
> > > > _______________________________________________
> > > >
> > > > clamav-users mailing list
> > > > clamav-users at lists.clamav.net
> > > > https://lists.clamav.net/mailman/listinfo/clamav-users
> > > >
> > > > Help us build a comprehensive ClamAV guide:
> > > > https://github.com/vrtadmin/clamav-faq
> > > >
> > > > http://www.clamav.net/contact.html#ml
> > > >
> > > >
> > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
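Added worked example, not code from ClamAV and not the Talos/URLhaus signature itself, to make concrete the two mechanisms the thread turns on: a logical signature that hunts for a URL byte string fires on any file that contains that string, so a blocklist such as urlhaus-filter-online.txt (which exists precisely to list those URLs) trips it; and restricting the signature's target type to 3 (HTML) makes the engine skip non-HTML files before it ever searches for the pattern. The .ldb parser below handles only a small subset of the real format, the file-type sniffing is a stand-in for ClamAV's own, and the signature names, the URL and the two sample files are constructed for this illustration.

```python
# Added illustration, not ClamAV source and not the Talos/URLhaus signature:
# a toy model of a .ldb logical signature that hunts for a URL string, showing
# why a plain-text blocklist that lists the same URL trips it, and what the
# Target:3 (HTML-only) restriction described upthread changes. The signature
# names, URL and sample files below are constructed for the example.
import re
from dataclasses import dataclass

# ClamAV target types as documented for .ldb/.ndb signatures: 0 = any file,
# 3 = HTML. Other types exist but are not needed here.
TARGET_ANY, TARGET_HTML = 0, 3


@dataclass(frozen=True)
class LdbSig:
    name: str
    target: int
    patterns: tuple  # raw byte strings the hex subsignatures decode to


def parse_ldb(line: str) -> LdbSig:
    """Parse the subset of the .ldb line format used in this example:
       Name;Target:N;<logical expression>;<hexsig0>;<hexsig1>;...
    Only plain hex-string subsignatures are supported, and the logical
    expression is not evaluated: every subsignature must match (as '0&1&...').
    """
    name, target_block, _logic, *hexsigs = line.strip().split(";")
    m = re.fullmatch(r"Target:(\d+)", target_block)
    if not m:
        raise ValueError(f"unsupported target block: {target_block!r}")
    if not hexsigs:
        raise ValueError("signature has no subsignatures")
    return LdbSig(name, int(m.group(1)), tuple(bytes.fromhex(h) for h in hexsigs))


def detect_type(data: bytes) -> int:
    """Rough stand-in for ClamAV's file-type identification: an HTML root tag
    or doctype near the start makes the buffer HTML, anything else is 'other'.
    ClamAV's real detection (and its unpacking of archives such as .xpi/.zip
    before scanning their members) is not modelled."""
    head = data[:512].lower()
    if b"<html" in head or b"<!doctype html" in head:
        return TARGET_HTML
    return TARGET_ANY


def scan(data: bytes, sigs) -> list:
    """Return the names of signatures that fire on data. A signature with
    Target:0 is tried on every file; Target:N is only tried when the buffer
    was identified as type N, so a mismatched type is skipped without any
    pattern search."""
    ftype = detect_type(data)
    hits = []
    for sig in sigs:
        if sig.target != TARGET_ANY and sig.target != ftype:
            continue
        if all(p in data for p in sig.patterns):
            hits.append(sig.name)
    return hits


# Constructed malicious URL; deliberately not a real URLhaus entry.
URL = b"http://malware.example/loader.exe"

# The same URL-hunting signature twice: unrestricted (Target:0) and restricted
# to HTML (Target:3), which is the change described in the thread.
SIG_ANY = parse_ldb(f"Urlhaus.Example.Any;Target:0;0;{URL.hex()}")
SIG_HTML = parse_ldb(f"Urlhaus.Example.Html;Target:3;0;{URL.hex()}")

# Constructed samples: a page that really links to the URL, and a plain-text
# blocklist (in the spirit of urlhaus-filter) that lists the URL to block it.
MALICIOUS_HTML = (b"<!DOCTYPE html><html><body>"
                  b'<a href="' + URL + b'">Update now</a></body></html>')
BLOCKLIST_TXT = (b"! Title: constructed blocklist sample\n"
                 b"! Expires: 1 day\n" + URL + b"\n")


def demo() -> dict:
    """Run both signatures over both samples; keys are '<sig>/<file>'."""
    return {
        "any/html": scan(MALICIOUS_HTML, [SIG_ANY]),
        "any/blocklist": scan(BLOCKLIST_TXT, [SIG_ANY]),    # the false positive
        "html/html": scan(MALICIOUS_HTML, [SIG_HTML]),
        "html/blocklist": scan(BLOCKLIST_TXT, [SIG_HTML]),  # skipped: not HTML
    }


def ign2_line(sig_name: str) -> str:
    """Local stop-gap while waiting for a database fix: ClamAV reads *.ign2
    files from its database directory, one signature name per line, and
    ignores the named signatures. Returns one such line."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", sig_name):
        raise ValueError("signature names are plain tokens")
    return sig_name + "\n"


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:15} -> {hits or 'clean'}")
    print("local.ign2 line:", ign2_line("Urlhaus.Malware.364328-9787819-0"), end="")
```

Run as a script it prints which signature/sample pairs fire: the Target:0 variant hits both the page and the blocklist, the Target:3 variant hits only the page. To see what a real signature such as Urlhaus.Malware.364328-9787819-0 actually matches, look at the database rather than a model: sigtool --find-sigs='Urlhaus.Malware.364328-9787819-0' | sigtool --decode-sigs prints the decoded body from the local database. Two things the toy does not model: a real Target:3 signature is matched against ClamAV's normalised HTML rather than raw bytes, and clamscan unpacks archives such as the .xpi (a zip) and scans each member, so a URL string inside a packaged file is seen as well. Listing a signature in a .ign2 file is a local risk acceptance, not a fix; remove the entry once the corrected database has landed.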