[clamav-users] Question about Urlhaus.Malware.452652-9766253-0

Lilia Gonzalez Medina liligonz at sourcefire.com
Thu Jan 7 14:57:27 UTC 2021


Hi Orion!

Those NBD signatures were updated at the beginning of the week and should
not FP anymore. Please update your ClamAV db and let us know if the issue
persists.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski <orion at nwra.com> wrote:

> Lilia -
>
>   Thanks for the response. We're seeing some others getting triggered as
> well:
>
>     Virus Urlhaus.Malware.490516-9766015-0:
>        10.21.2.5 https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
>        10.21.2.5 https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
>        10.21.2.5 https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
>        10.21.2.5 https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
>        10.21.2.5 https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)
>
>     Virus Urlhaus.Malware.161756-8797115-0:
>        10.10.20.7 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
>        10.11.1.3 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
>
>
> Orion
>
> On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> > Hi Orion!
> >
> > Thank you for reporting this. URLhaus is a partner that generates a list of
> > ClamAV signatures to target malicious URLs. Signature
> > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> > files, which is why it is alerting on the URLs you mentioned. We found these
> > FPs some weeks ago and added an extra check on new ClamAV signatures to
> > prevent them from alerting on legitimate URLhaus content. We are currently
> > updating older ClamAV signatures to ensure they don't FP on non-malicious
> > HTML files.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >
> > On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <orion at nwra.com> wrote:
> >
> >     Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> >     signature? We're seeing the following URLs trigger it:
> >
> >     https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> >     https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> >     https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> >     https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> >     https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> >
> >     Which seem to be the online update URLs for the urlhaus filter. Does
> >     ClamAV deem urlhaus a bad actor?
> >
> >     Thanks,
> >       Orion
> >
> >     --
> >     Orion Poplawski
> >     Manager of NWRA Technical Systems          720-772-5637
> >     NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> >     3380 Mitchell Lane                       orion at nwra.com
> >     Boulder, CO 80301                 https://www.nwra.com/
> >
> >     _______________________________________________
> >
> >     clamav-users mailing list
> >     clamav-users at lists.clamav.net
> >     https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> >     Help us build a comprehensive ClamAV guide:
> >     https://github.com/vrtadmin/clamav-faq
> >
> >     http://www.clamav.net/contact.html#ml
> >
> >
>
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems          720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       orion at nwra.com
> Boulder, CO 80301                 https://www.nwra.com/
>
>
>
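While waiting for the corrected database, an operator can stop the misfiring signatures from alerting locally by listing their names in a ClamAV .ign2 file, then remove the file once freshclam delivers the fix. This is an added example, not part of the thread; the database directory and the use of clamdscan --reload to make clamd pick the file up are assumptions about the reader's setup, and the three signature names are the ones reported above.

```shell
#!/bin/sh
# Added example: suppress known false-positive ClamAV signatures with a local
# .ign2 file until the corrected database arrives. Assumptions: DBDIR is the
# ClamAV database directory; the signature names are those from the report.
DBDIR="${CLAMAV_DBDIR:-/var/lib/clamav}"
IGN="${1:-${TMPDIR:-/tmp}/local.ign2}"

# Write one signature name per line. The .ign2 format takes bare names, so it
# keeps working across daily database updates (the older .ign format pinned a
# database name and line number and went stale on every update).
write_ign2() {
  ign="$1"; shift
  : > "$ign"
  for sig in "$@"; do
    # Signature names are plain ASCII (letters, digits, '.', '_', '-');
    # refuse anything else so a typo cannot silently disable more than intended.
    case "$sig" in
      ""|*[!A-Za-z0-9._-]*) echo "refusing bad signature name: '$sig'" >&2; return 1 ;;
    esac
    printf '%s\n' "$sig" >> "$ign"
  done
}

# Number of signatures currently listed in a .ign2 file.
count_ignored() { grep -c . "$1" || true; }

# Exit 0 if the given signature name is listed in the file, 1 otherwise.
is_ignored() { grep -qxF "$2" "$1"; }

write_ign2 "$IGN" \
  Urlhaus.Malware.452652-9766253-0 \
  Urlhaus.Malware.490516-9766015-0 \
  Urlhaus.Malware.161756-8797115-0
echo "wrote $(count_ignored "$IGN") ignore entries to $IGN"

# Install the file and make clamd reload its databases. Delete it again once
# the updated signatures are in place, so the suppression does not outlive the
# bug it works around.
echo "to activate: cp $IGN $DBDIR/local.ign2 && clamdscan --reload"
```

After activating, re-run the scan that produced the report; the three Urlhaus names should no longer appear while every other signature keeps alerting.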