Guest Additions contains Trojan?

dhinge
Posts: 32
Joined: 27. Jan 2009, 01:28

Guest Additions contains Trojan?

Post by dhinge »

ClamWin just pointed out this:

C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso: Win.Trojan.Iparmor-6136596-0 FOUND

"This trojan contacts a remote server and works as a backdoor giving the attacker full access on the victim machine by binding on a given port on the target computer. Additionally, it may employ anti-vm and anti-debugging techniques to hinder the analysis and may inject on other processes." - http://blog.talosintelligence.com/2017/ ... -0324.html

A VirusTotal scan of the file (~58MB) shows a Worm exploit found through anti-virus program Zoner: I-Worm.AutoRun.Autoit.P

https://virustotal.com/en/file/29fa0af6 ... /analysis/

Microsoft considers this Worm as a threat level of "severe": https://www.microsoft.com/en-us/securit ... count=true

Summary: "Worms automatically spread to other PCs. They can do this in a number of ways, including by copying themselves to removable drives, network folders, or spreading through email."

So why does VirtualBox Guest Additions contain a Trojan and/or a Worm? I use VirtualBox sometimes just to test software to avoid trojans and worms...
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Guest Additions contains Trojan?

Post by socratis »

dhinge wrote:So why does VirtualBox Guest Additions contain a Trojan and/or a Worm?
Are you sure about that? Because the analysis says that out of 55 vendors only 1 (one) gave a positive result. Do you know what that's called? A false positive.

See also: viewtopic.php?f=2&t=82551
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
CTI
Posts: 3
Joined: 18. Apr 2017, 14:35

Re: Guest Additions contains Trojan?

Post by CTI »

Trojan confirmation using clamav:

# time clamscan -ria --max-filesize=4095M --max-scansize=4095M /usr/share/virtualbox/VBoxGuestAdditions.iso
/usr/share/virtualbox/VBoxGuestAdditions.iso!ISO9660:Readme.txt!(2)ISO9660:VBoxControl.exe: Win.Trojan.Iparmor-6136596-0 FOUND
/usr/share/virtualbox/VBoxGuestAdditions.iso: Win.Trojan.Iparmor-6136596-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6263517
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 58.20 MB
Data read: 56.63 MB (ratio 1.03:1)
Time: 9.378 sec (0 m 9 s)

real 0m9.388s
user 0m9.188s
sys 0m0.201s

The signature of these codes is sufficiently unique not to be a "false positive".

Notes from the web: e.g. from william-largent

Win.Trojan.Iparmor-6136596-0
This trojan contacts a remote server and works as a backdoor giving the attacker full access on the victim machine by binding on a given port on the target computer. Additionally, it may employ anti-vm and anti-debugging techniques to hinder the analysis and may inject on other processes.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Guest Additions contains Trojan?

Post by socratis »

CTI wrote:The signature of these codes is sufficiently unique not to be a "false positive"
You really don't know what a false positive is, right?
False positive: a test result which wrongly indicates that a particular condition or attribute is present.
Just like your ClamAV.

And, it's not a "confirmation" if you use the exact same engine to verify the previous result. That was wrong. If it's confirming anything, it's that ClamAV uses the same engine across platforms. Good to know...
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Guest Additions contains Trojan?

Post by scottgus1 »

Not hoping to add too much to the fire, I run ClamAV on Windows on my Antispam filter guest. Mounting the 5.1.18 GAs ISO in the guest CD drive, I ran a scan over the contents and got this:
D:\OS2\VBoxControl.exe: Win.Trojan.Iparmor-6136596-0 FOUND
D:\OS2\VBoxService.exe: Win.Trojan.Iparmor-6136596-0 FOUND

----------- SCAN SUMMARY -----------

Known viruses: 6266600
Engine version: 0.98.5
Scanned directories: 5
Scanned files: 28
Infected files: 2
However, with MS Security Essentials and Threattrack Vipre I get clean no-virus reports on the mounted ISO.

Likely a false positive, but it's only in the OS2 additions. Not going to head for the hills on this one myself...
CTI
Posts: 3
Joined: 18. Apr 2017, 14:35

Re: Guest Additions contains Trojan?

Post by CTI »

Q: How do you know when something is a false positive vs. the "true" positive?

Have you looked at the length of the signature of the Trojan? I am curious to know the signature used in clamscan.

A problem may be that a new virus compilation may be slightly different - especially when the test pattern used by the AV software is known. In this way one program may catch the virus while another does not.

On my RHEL 7.3 (SE) I have in the neighborhood of 20GB of systems, document files, libraries, program files, etc. but I do not get a single "false" positive. The only virus reports come from obvious flake files, typically in the Inbox, and typically phishing attempts.

Concepts to improve virus detection? (i) A multiplicity of approaches; (ii) shorter but more test strings; (iii) a "probability" indicator may be appropriate; (iv) and short copies of neighborhoods of suspect regions might help developers (get a better understanding of statistical variability).

In any event, I will try to identify the method clamscan used.

Regards,
CTI
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Guest Additions contains Trojan?

Post by socratis »

CTI wrote:Q: How do you know when something is a false positive vs. the "true" positive?
A: You try it with a variety of antivirus engines. If you have 1 hit, that's a false positive. By definition:
SHA256:     f2951b49f48a560fbc1afe9d135d1f3f82a3e158b9002278d05d978428adca8a
File name:  VBoxGuestAdditions.iso
Detection:  1 / 56 (Zoner: I-Worm.AutoRun.Autoit.P )

SHA256:     a8339d9b61e6dd5f720b36e4f992dd255703e84ee3df1091540dc8d7dfe4eb40
File name:  VBoxControl.exe
Detection:  0 / 58

SHA256:     ad5e846a134009795db6ae96dd86826cab6c80a1945692df77022d3e3b93bebe
File name:  VBoxService.exe
Detection:  1 / 59 (ClamAV: Win.Trojan.Iparmor-6136596-0 )
One of them "accuses" the ISO of having an Autorun feature? Seriously now? How do you spell "scareware" again? And the other detected an OS2 app for being an ancient Win(16?) port opener. Which provides services. It's in the freaking name!

Can we give it a rest already? Or at least continue this discussion in the antivirus forums? When we have more than 4-5 antivirus engines coming with something positive, I'm sure that Oracle has a big enough infrastructure to investigate whether someone hacked in their servers and polluted their OS2 guest additions.
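As an added example (not code from the thread, from Oracle or from VirtualBox), here is a small Python script that applies the rule socratis describes: parse a VirusTotal-style per-file summary in the format pasted above (the sample is constructed from the hashes quoted in the thread), flag a hit that only a handful of engines report as a likely false positive, and compare a downloaded file against a vendor-published SHA-256, which is the check that actually speaks to a tampered download. The min_engines threshold and the helper names are my own choices.

```python
import hashlib
import re

# Constructed sample in the format pasted in the thread (VirusTotal-style
# per-file summary); the hashes are the ones quoted above.
SAMPLE_SUMMARY = """\
SHA256:     f2951b49f48a560fbc1afe9d135d1f3f82a3e158b9002278d05d978428adca8a
File name:  VBoxGuestAdditions.iso
Detection:  1 / 56 (Zoner: I-Worm.AutoRun.Autoit.P )

SHA256:     a8339d9b61e6dd5f720b36e4f992dd255703e84ee3df1091540dc8d7dfe4eb40
File name:  VBoxControl.exe
Detection:  0 / 58
"""
ENTRY_RE = re.compile(
    r"SHA256:\s*(?P<sha256>[0-9a-f]{64})\s*\n"
    r"File name:\s*(?P<name>\S+)\s*\n"
    r"Detection:\s*(?P<hits>\d+)\s*/\s*(?P<total>\d+)"
    r"(?:\s*\((?P<engines>[^)]*)\))?",
    re.IGNORECASE,
)

def parse_summary(text):
    """Return one dict per file entry: sha256, name, hits, total, engines."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        raw = m.group("engines") or ""
        engines = [e.strip() for e in raw.split(",") if e.strip()]
        entries.append({
            "sha256": m.group("sha256").lower(),
            "name": m.group("name"),
            "hits": int(m.group("hits")),
            "total": int(m.group("total")),
            "engines": engines,
        })
    return entries

def triage(hits, total, min_engines=5):
    """Consensus rule: fewer than min_engines agreeing hits is treated as noise."""
    if total == 0:
        raise ValueError("no engines scanned the file")
    if hits == 0:
        return "clean"
    if hits < min_engines:
        return "likely false positive"
    return "corroborated"

def matches_published_hash(data, expected_sha256):
    """True if the bytes hash to the vendor-published SHA-256 (case-insensitive)."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()
```

The consensus threshold is a heuristic for prioritising analyst time, not proof of cleanliness; a hash mismatch against the vendor's checksum is the finding that warrants escalation regardless of how many engines fire.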
CTI
Posts: 3
Joined: 18. Apr 2017, 14:35

Re: Guest Additions contains Trojan?

Post by CTI »

Let's be careful about the judgement of "false" positive. That many do not discover something does not mean that it does not exist in life - or software. For those few that do, we need, for example, a patent office (just as the smartest virus scanner).

Speculating wildly on my part, a virus code feature that implies a particular type of reporting may very well be contained in Oracle's software. Oracle may, for example, like to get some form of feedback about the use of their software. Such a feature may be assigned (possibly incorrectly) to a particular Trojan. So we may all be wrong and right ...

I am trying to get in touch with Oracle ... I agree - they should be able to sort this out and let us know...
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Guest Additions contains Trojan?

Post by mpack »

This isn't rocket science. The test may be positive or negative - it indicates (or not) the presence of a virus.

The indication can be right or wrong, i.e. it can be a false positive or false negative.

If it indicated a virus in VirtualBox then it's wrong. That makes it a false positive.

However, nobody is forcing you to use VirtualBox if you don't believe this.
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Guest Additions contains Trojan?

Post by scottgus1 »

And since this is a user forum which the developers, who could fix a virus presence, don't peruse often, a virus catch won't get fixed here. If you are really worried about the one positive catch, let the devs know on the Bugtracker.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Guest Additions contains Trojan?

Post by mpack »

I would rather we didn't pester the devs with nonsense. A virus checker producing false positives is not their concern unless it's raised by someone with a support contract.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Guest Additions contains Trojan?

Post by socratis »

Who wants to make a bet here that in the next revision/update of the ClamAV virus definitions, VirtualBox OS/2 executables are going to be virus free? I'm up...