Bug 518825 - report of a malware infected file on dm-download03
Status: RESOLVED FIXED (Closed)
Opened 16 years ago, Closed 15 years ago
Categories: mozilla.org Graveyard :: Server Operations, task
Tracking: Not tracked
People: Reporter: bhearsum, Assigned: justdave
Someone in #firefox reported a file on dm-download03 being infected with malware. Specifically:
http://dm-download03.mozilla.org/pub/mozilla.org/firefox/releases/3.5.1-09/win32/en-US/Firefox%20Setup%203.5.1.exe
Reported to be infected with "Trojan horse Downloader.Banload.AOOE"
He said his filesize is 8080568, which is different than the real 3.5.1 (which has filesize 8117208).
Comment 1•16 years ago
(In reply to comment #0)
> He said his filesize is 8080568, which is different than the real 3.5.1 (which
> has filesize 8117208).
That's not surprising, considering this is for 3.5.1-09, which is a funnelcake build.
Comment 2•16 years ago
Ran this from my personal machine...
$ clamscan Firefox\ Setup\ 3.5.1.exe
Firefox Setup 3.5.1.exe: Trojan.Downloader-77265 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1502679
Engine version: 0.95.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 7.70 MB
Data read: 7.70 MB (ratio 1.00:1)
Time: 10.440 sec (0 m 10 s)
Comment 3•16 years ago
Tracking bug for that funnelcake run was bug 503609. The original files are at https://people.mozilla.com/files/partners/mozilla09/3.5.1/. Should check to see if those files are the same as the one on dm-download03.
Comment 4 (Reporter)•16 years ago
Filesize matches:
[bhearsum@dm-peep01 en-US]$ pwd
/var/www/html/files/partners/mozilla09/3.5.1/win32/en-US
[bhearsum@dm-peep01 en-US]$ ls -l
total 7908
-rw-r--r-- 1 simford 513 8080568 Jul 22 14:27 Firefox Setup 3.5.1.exe
md5sum is:
b44b1a0c51863acba40558b979659668 Firefox Setup 3.5.1.exe
Can someone check the sum against dm-download03?
Comment 5•16 years ago
Comment 6•16 years ago
(In reply to comment #4)
> md5sum is:
> b44b1a0c51863acba40558b979659668 Firefox Setup 3.5.1.exe
>
> Can someone check the sum against dm-download03?
$ md5sum */*.exe
b44b1a0c51863acba40558b979659668 dm-download03/Firefox Setup 3.5.1.exe
b44b1a0c51863acba40558b979659668 dm-download04/Firefox Setup 3.5.1.exe
How is a funnelcake build created? It's just a repack of a real build, right, not a new build? Could that be influenced somehow by a virus changing files during the process? It's also possible it's just a false positive -- we've had that happen before.
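The `md5sum */*.exe` run above compares the mirror copies with the sum published in comment 4. The script below is an added example, not code from this bug or from Mozilla's release tooling; it generalises that check by streaming each copy once and comparing size, MD5 (the sum the thread published) and SHA-256 against the origin copy, reporting discrepancies per mirror and flagging the origin itself if it does not match the published sum. The mirror labels, sample bytes and temp paths are constructed for the demo. MD5 still catches an accidental corruption or a wrong upload, as it did here, but it is not collision resistant, so SHA-256 is the digest to rely on when the question is deliberate tampering.

```python
"""Mirror integrity check: added example, not code from the bug thread or
from Mozilla's release tooling. Mirror labels, sample bytes and temp paths
are constructed for the demo."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Copy:
    label: str      # constructed mirror label, e.g. "mirror-a"
    size: int
    md5: str
    sha256: str


def digest_file(path: str, label: str) -> Copy:
    """Stream the file once, computing size, MD5 and SHA-256 together."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            size += len(chunk)
            md5.update(chunk)
            sha.update(chunk)
    return Copy(label, size, md5.hexdigest(), sha.hexdigest())


def compare_to_origin(origin: str, mirrors: Dict[str, str],
                      published_md5: Optional[str] = None) -> Dict[str, List[str]]:
    """Return {label: [discrepancies]}; an empty list means the copy matches.

    published_md5 is the sum announced for the origin file (comment 4 in the
    thread); if the origin does not match it, the origin itself is suspect and
    is reported under the label "origin".
    """
    ref = digest_file(origin, "origin")
    report: Dict[str, List[str]] = {}
    if published_md5 and ref.md5.lower() != published_md5.lower():
        report["origin"] = [f"md5 {ref.md5} != published {published_md5}"]
    for label, path in mirrors.items():
        if not os.path.exists(path):
            report[label] = ["missing"]
            continue
        copy = digest_file(path, label)
        problems = []
        if copy.size != ref.size:
            problems.append(f"size {copy.size} != origin {ref.size}")
        if copy.sha256 != ref.sha256:
            problems.append("sha256 differs from origin")
        report[label] = problems
    return report


def demo(published_md5: Optional[str] = None) -> Dict[str, List[str]]:
    """Build a constructed origin file plus three mirror copies (one identical,
    one with a single bit flipped, one absent) and run the comparison.
    If published_md5 is None the demo uses the true MD5 of the sample."""
    payload = b"MZ" + bytes(range(256)) * 64   # constructed stand-in for an installer
    with tempfile.TemporaryDirectory() as tmp:
        origin = os.path.join(tmp, "origin.exe")
        good = os.path.join(tmp, "mirror_a.exe")
        bad = os.path.join(tmp, "mirror_b.exe")
        tampered = bytearray(payload)
        tampered[100] ^= 0x01   # same size as the origin, so a size check alone misses it
        for path, data in ((origin, payload), (good, payload), (bad, bytes(tampered))):
            with open(path, "wb") as fh:
                fh.write(data)
        if published_md5 is None:
            published_md5 = hashlib.md5(payload).hexdigest()
        return compare_to_origin(origin, {
            "mirror-a": good,
            "mirror-b": bad,
            "mirror-c": os.path.join(tmp, "absent.exe"),
        }, published_md5)


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The size check is kept because it is the cheapest first filter (it is what the original reporter noticed), but the bit-flipped mirror in the demo shows why it cannot be the only one: the tampered copy has exactly the origin's size and is caught only by the digest.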
Comment 7 (Reporter)•16 years ago
(In reply to comment #6)
> (In reply to comment #4)
> > md5sum is:
> > b44b1a0c51863acba40558b979659668 Firefox Setup 3.5.1.exe
> >
> > Can someone check the sum against dm-download03?
>
> $ md5sum */*.exe
> b44b1a0c51863acba40558b979659668 dm-download03/Firefox Setup 3.5.1.exe
> b44b1a0c51863acba40558b979659668 dm-download04/Firefox Setup 3.5.1.exe
>
> How is a funnelcake build created? It's just a repack of a real build, right,
> not a new build? Could that be influenced somehow by a virus changing files
> during the process? It's also possible it's just a false positive -- we've had
> that happen before.
It's repacked, and the installer is resigned. We hit false positives with 3.5.2 because of either an NSIS version change, or a change in the flags we used during the resigning. The 3.5.1 funnelcake build likely had the same changes. I don't think a virus crept in during the repack.
Comment 8•16 years ago
Dropping the sev, re-up please if this is really critical.
Severity: critical → major
Comment 9•16 years ago
Is there an IT action here?
Comment 10•16 years ago
(In reply to comment #9)
> Is there an IT action here?
Looks like the files all check out.
Someone should contact clamscan about a possible false-positive virus alert. Don't know who normally does that - IT? RapidResponse group?
Comment 12 (Assignee)•16 years ago
Security Group usually handles contact with anti-virus companies.
clamscan is still indeed flagging this file.
ClamAV 0.95.2/9876/Thu Oct 8 15:07:17 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cld is up to date (version: 9876, sigs: 83897, f-level: 43, builder: ccordes)
Comment 13 (Assignee)•16 years ago
dveditz, any update from ClamAV? As of right now, comment 12 still stands.
Assignee: justdave → dveditz
Updated•16 years ago
Assignee: dveditz → clyon
Updated•16 years ago
Assignee: clyon → dveditz
Comment 14•16 years ago
dan, any updates?
Comment 15•15 years ago
dave - please follow up with dveditz. this bug is growing old for no good reason.
Assignee: dveditz → justdave
Comment 16 (Assignee)•15 years ago
[root@dm-download03 en-US]# freshclam
ClamAV update process started at Tue Dec 1 20:10:32 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cvd is up to date (version: 10103, sigs: 116635, f-level: 44, builder: guitar)
[root@dm-download03 en-US]# clamscan --version
ClamAV 0.95.3/10103/Tue Dec 1 19:59:01 2009
[root@dm-download03 en-US]# clamscan Firefox\ Setup\ 3.5.1.exe
Firefox Setup 3.5.1.exe: Trojan.Downloader-77265 FOUND
Comment 17 (Assignee)•15 years ago
I haven't gotten any response from the security group after a couple of attempts to get them involved in resolving this. I'm guessing at this point that we must not care.
The following email was sent to security@mozilla.org immediately after I posted comment 16:
----8<----
Discussion on this bug indicates that everyone had decided this was a
false positive. The bug is waiting on someone getting with the
antivirus vendor to work out why it's getting reported as a virus. To
the best of my knowledge, the security group folks already have contacts
in those places and would probably be the best people to make said
contact (as stated on the bug), and it's been sitting there for a few
months waiting for someone to do so. If someone could look into it, I'd
appreciate it. Thanks!
----8<----
(bugmail for comment 16 was attached)
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Comment 18•15 years ago
dveditz didn't give any indication above that he has a contact at ClamAV. Nor do I, but I will contact them through the email address they have published on their website to find out about the false positive.
Comment 19 (Assignee)•15 years ago
Thanks. What was worrying me is I didn't get any ack at all, even to say "we don't have contacts with them".
Comment 20•15 years ago
Tomasz Kojm from ClamAV says the signatures have been updated as of today to allow this package. justdave, can you verify that clamscan no longer reports an infection?
Comment 21 (Assignee)•15 years ago
[root@dm-download03 en-US]# freshclam
ClamAV update process started at Wed Dec 9 16:28:46 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
daily.cld is up to date (version: 10142, sigs: 122685, f-level: 44, builder: arnaud)
[root@dm-download03 en-US]# clamscan --version
ClamAV 0.95.3/10142/Wed Dec 9 10:53:54 2009
94 Jul 22 14:27 Firefox Setup 3.5.1.exe.asc
[root@dm-download03 en-US]# clamscan Firefox\ Setup\ 3.5.1.exe
Firefox Setup 3.5.1.exe: OK
Resolution: INCOMPLETE → FIXED
Updated•10 years ago
Product: mozilla.org → mozilla.org Graveyard