[clamav-users] Question about Urlhaus.Malware.452652-9766253-0
Lilia Gonzalez Medina
liligonz at sourcefire.com
Sat Jan 9 04:18:18 UTC 2021
Orion, I haven't been able to reproduce the FP with
https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc.
If you could send me the file that alerts with
Urlhaus.Malware.364328-9787819-0 I could look into it.
Best regards,
Lilia Gonzalez
Malware Research Team
Cisco Talos
On Thu, Jan 7, 2021 at 12:00 PM Orion Poplawski <orion at nwra.com> wrote:
> Lilia -
>
> Virus database is updated daily and updated last night. Still seeing one
> this morning:
>
> Virus Urlhaus.Malware.364328-9787819-0:
>     https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
>
> Though that is a different signature.
>
> Orion
>
> On 1/7/21 7:56 AM, Lilia Gonzalez Medina wrote:
> > Hi Orion!
> >
> > Those NBD signatures were updated at the beginning of the week and should not
> > FP anymore. Please update your ClamAV db and let us know if the issue persists.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >
> >
> > On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski <orion at nwra.com> wrote:
> >
> > Lilia -
> >
> > Thanks for the response. We're seeing some others getting triggered as
> > well:
> >
> > Virus Urlhaus.Malware.490516-9766015-0:
> >     10.21.2.5
> >         https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
> >     10.21.2.5
> >         https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
> >     10.21.2.5
> >         https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
> >     10.21.2.5
> >         https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
> >     10.21.2.5
> >         https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)
> >
> > Virus Urlhaus.Malware.161756-8797115-0:
> >     10.10.20.7
> >         https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> >     10.11.1.3
> >         https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> >
> >
> > Orion
> >
> > On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> > > Hi Orion!
> > >
> > > Thank you for reporting this. URLhaus is a partner that generates a list of
> > > ClamAV signatures to target malicious URLs. Signature
> > > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> > > files, which is why it is alerting on the URLs you mentioned. We found these
> > > FPs some weeks ago and added an extra check on new ClamAV signatures to
> > > prevent them from alerting on legitimate URLhaus content. We are currently
> > > updating older ClamAV signatures to ensure they don't FP on non-malicious
> > > HTML files.
> > >
> > > Best regards,
> > >
> > > Lilia Gonzalez
> > > Malware Research Team
> > > Cisco Talos
> > >
> > > On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <orion at nwra.com> wrote:
> > >
> > > Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> > > signature? We're seeing the following URLs trigger it:
> > >
> > > https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> > > https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> > > https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> > > https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> > > https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> > >
> > > Which seem to be the online update URLs for the urlhaus filter. Does ClamAV
> > > deem urlhaus a bad actor?
> > >
> > > Thanks,
> > > Orion
> > >
> > > --
> > > Orion Poplawski
> > > Manager of NWRA Technical Systems 720-772-5637
> > > NWRA, Boulder/CoRA Office FAX: 303-415-9702
> > > 3380 Mitchell Lane orion at nwra.com
> > > Boulder, CO 80301 https://www.nwra.com/
> > >
> > > _______________________________________________
> > >
> > > clamav-users mailing list
> > > clamav-users at lists.clamav.net
> > > https://lists.clamav.net/mailman/listinfo/clamav-users
> > >
> > >
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
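The thread above turns on one mechanism: a Urlhaus.Malware.* signature looks for a known-bad URL inside HTML files, so any file that merely lists that URL (a blocklist, a rendered copy of one) matches just as well as a page that actually links to it. The following script is an added illustration of that mechanism, not ClamAV's or URLhaus's own signature logic (which the thread does not show); the indicator URL, the HTML page and the blocklist lines are constructed sample data, and the "context check" is one plausible shape for the kind of extra check Talos describes, not the check they actually implemented.

```python
"""Why a URL-matching signature fires on a blocklist, and one way to tell the cases apart.

Added example for the clamav-users thread on Urlhaus.Malware.* false positives.
Not ClamAV's signature engine: a minimal model of the behaviour described in the thread.
"""
from html.parser import HTMLParser

# Constructed indicator: stands in for the URL a Urlhaus.Malware.* signature targets.
MALICIOUS_URL = "http://malware.example/loader.exe"

# Constructed sample inputs.
PHISHING_HTML = (
    '<html><body><p>Your invoice is attached.</p>'
    '<a href="http://malware.example/loader.exe">Download invoice</a></body></html>'
)
# A plain-text blocklist line that contains the very same URL (what urlhaus-filter-style lists do).
BLOCKLIST_TXT = (
    "# constructed sample of a plain-text URL blocklist\n"
    "http://malware.example/loader.exe\n"
)
# The same list rendered inside an HTML page (e.g. a CDN or repo viewer showing the file).
BLOCKLIST_HTML = (
    "<html><body><pre>http://malware.example/loader.exe</pre></body></html>"
)


def naive_match(data: str, indicator: str = MALICIOUS_URL) -> bool:
    """Substring match anywhere in the file.

    This is the behaviour that produces the false positives in the thread:
    a file that *lists* the bad URL is indistinguishable from one that uses it.
    """
    return indicator in data


class _RefCollector(HTMLParser):
    """Collects URLs that HTML elements actually reference (href/src/action/data)."""

    REF_ATTRS = ("href", "src", "action", "data")

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.REF_ATTRS and value:
                self.refs.append(value)


def context_match(data: str, indicator: str = MALICIOUS_URL) -> bool:
    """Alert only when an HTML element references the URL, not when it is mere text.

    One illustrative form of an "extra check": the URL must appear as the target
    of a link, script, frame, form or object, which a blocklist or a rendered
    copy of one never does.
    """
    parser = _RefCollector()
    parser.feed(data)
    parser.close()
    return any(indicator in ref for ref in parser.refs)


def classify(samples: dict[str, str]) -> dict[str, tuple[bool, bool]]:
    """Return {name: (naive_alert, context_alert)} for each constructed sample."""
    return {name: (naive_match(text), context_match(text)) for name, text in samples.items()}


if __name__ == "__main__":
    results = classify({
        "phishing page": PHISHING_HTML,
        "plain-text blocklist": BLOCKLIST_TXT,
        "blocklist rendered as HTML": BLOCKLIST_HTML,
    })
    for name, (naive, ctx) in results.items():
        print(f"{name:28s} naive={naive!s:5s} context-aware={ctx}")
```

Running it shows the naive matcher flagging all three inputs while the context-aware check flags only the page that links to the URL. Two practical notes for anyone hitting the same thing: ClamAV lets a site suppress a named signature locally by listing its name in a `.ign2` file in the database directory, which is a reasonable stopgap while the upstream fix lands, and the thread shows the right long-term path, which is to send the offending sample to the signature maintainers so the signature itself is corrected.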