That's the only thing I can think of. I had node 18.6.0 and I'm running ClamAV 0.105.0. That detected the node binary as having the same virus. However, when I upload and scan the binary with VirusTotal, their install of ClamAV does not detect it.
Similarly, after I upgraded to node 18.7.0, my local install of ClamAV still detected it with the same virus. And, again, when I uploaded it to VirusTotal, it came back as clean.
Running clamscan with --leave-temps and setting a --tempdir, I get no temporary files left behind.
Additionally, using the 'strings' command to get any/all ASCII strings from the binary (yes, I know it doesn't always help) doesn't show anything...
That being said, the signature does seem to be poorly written and likely to catch lots of false positives...
It's looking for more than one occurrence of "/usr/bin/pkexec" and CMDTOEXECUTE= and NOTTY= and NOTTY_PORT= and GCONV_PATH= ...
OR more than 3 occurrences of the "Unable to" messages (any of them) ...
OR more than 1 occurrence of the woody paths or 'payload.so'
VIRUS NAME: Osx.Exploit.CVE_2021_4034-9951522-1
TDB: Engine:91-255,Target:9
LOGICAL EXPRESSION: (0&1&2&3&4)>1|(5|6|7|8)>3|(9|10|11)>1
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
/usr/bin/pkexec
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
CMDTOEXECUTE=
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
NOTTY=
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
NOTTY_PORT=
* SUBSIG ID 4
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
GCONV_PATH=
* SUBSIG ID 5
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to execute pkexec
* SUBSIG ID 6
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to write payload
* SUBSIG ID 7
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to make tmp dir
* SUBSIG ID 8
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
Unable to write gconv module
* SUBSIG ID 9
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
/Users/woody/Downloads/vul/poc-cve-2021-4034-main/exploit.go
* SUBSIG ID 10
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
/Users/woody/Downloads/vul/poc-cve-2021-4034-main/payload/payload.go
* SUBSIG ID 11
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
payload.so
And it's that last one that is triggering the virus detection...
lothlorien:~$ grep -a payload.so node
ArrayPrototypeIndexOf(payload.sources, originalSourcePath);
if (payload.sourcesContent?.[sourceContentIndex]) {
source = payload.sourcesContent[sourceContentIndex];
There are no occurrences of sub-signatures 0 through 10... but there are 3 occurrences of sub-signature 11 and the way that the logical expression is written, that's enough to trigger the detection.
--Maarten
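To make the false-positive mechanism concrete, here is an added worked example (not part of Maarten's post and not ClamAV's own code) that counts the twelve decoded subsignatures quoted above in a byte blob and evaluates the signature's logical expression over those counts. The evaluator uses a simplified reading of ClamAV's logical-expression semantics, stated as an assumption in its docstring: `|` sums operand match counts, `&` sums them only when every operand matched, and a comparison yields 1 or 0. The sample bytes are constructed from the three source-map lines the grep found and are not the real node binary.

```python
import re

# Subsignatures as decoded from the Osx.Exploit.CVE_2021_4034-9951522-1
# signature quoted in the post, in SUBSIG ID order (0..11).
SUBSIGS = [
    b"/usr/bin/pkexec",
    b"CMDTOEXECUTE=",
    b"NOTTY=",
    b"NOTTY_PORT=",
    b"GCONV_PATH=",
    b"Unable to execute pkexec",
    b"Unable to write payload",
    b"Unable to make tmp dir",
    b"Unable to write gconv module",
    b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/exploit.go",
    b"/Users/woody/Downloads/vul/poc-cve-2021-4034-main/payload/payload.go",
    b"payload.so",
]
LOGICAL_EXPRESSION = "(0&1&2&3&4)>1|(5|6|7|8)>3|(9|10|11)>1"

# Constructed stand-in for the node binary: the three JavaScript source-map
# lines the author's grep surfaced, wrapped in unrelated bytes. Each line
# contains "payload.so" once as a prefix of "payload.sources".
NODE_LIKE = (
    b"\x7fELF\x00\x00\x00\x00"
    + b"\n".join([
        b"ArrayPrototypeIndexOf(payload.sources, originalSourcePath);",
        b"if (payload.sourcesContent?.[sourceContentIndex]) {",
        b"source = payload.sourcesContent[sourceContentIndex];",
    ])
    + b"\x00" * 16
)


def count_subsigs(data: bytes) -> list[int]:
    """Count non-overlapping occurrences of each subsignature in the data."""
    return [data.count(s) for s in SUBSIGS]


class _Parser:
    """Recursive-descent evaluator for a ClamAV-style logical expression.

    Simplified model (an assumption, not taken from ClamAV's source):
    '|' sums the match counts of its operands; '&' sums them only if every
    operand matched at least once, otherwise 0; a comparison '>n', '<n' or
    '=n' yields 1 when true and 0 otherwise. The whole expression matches
    when it evaluates to a value greater than 0.
    """

    def __init__(self, expr: str, counts: list[int]):
        self.toks = re.findall(r"\d+|[()&|<>=,]", expr)
        self.counts = counts
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str:
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def parse_expr(self) -> int:
        value = self.parse_cmp()
        while self.peek() in ("|", "&"):
            op = self.take()
            rhs = self.parse_cmp()
            if op == "|":
                value = value + rhs
            else:
                value = value + rhs if value and rhs else 0
        return value

    def parse_cmp(self) -> int:
        value = self.parse_atom()
        if self.peek() in (">", "<", "="):
            op = self.take()
            n = int(self.take())
            if self.peek() == ",":  # optional ',m' (distinct-subsig minimum) is ignored here
                self.take()
                self.take()
            ok = {">": value > n, "<": value < n, "=": value == n}[op]
            return 1 if ok else 0
        return value

    def parse_atom(self) -> int:
        tok = self.take()
        if tok == "(":
            value = self.parse_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in logical expression")
            return value
        return self.counts[int(tok)]


def evaluate(expr: str, counts: list[int]) -> bool:
    """True if the logical expression matches for the given per-subsig counts."""
    return _Parser(expr, counts).parse_expr() > 0


def matches(data: bytes) -> bool:
    """Apply the quoted signature to arbitrary file bytes."""
    return evaluate(LOGICAL_EXPRESSION, count_subsigs(data))


if __name__ == "__main__":
    counts = count_subsigs(NODE_LIKE)
    print("subsig counts:", counts)
    print("signature matches:", matches(NODE_LIKE))
```

Running it reproduces the post's finding: every count is zero except subsig 11, which is 3, and that alone satisfies the `(9|10|11)>1` clause. A single occurrence of `payload.so` does not trigger it, so the weakness is that a generic filename counts toward the same clause as the two highly specific `/Users/woody/...` paths; a tighter expression for that clause would require one of those paths rather than letting `payload.so` satisfy it on its own. To check a real file, pass `open(path, "rb").read()` to `matches`.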