Nmap Development mailing list archives

ClamAV detects irc-unrealircd-backdoor.nse as Unix.Trojan.MSShellcode-21


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 16 Apr 2015 10:21:36 -0500

List,

I've seen a couple reports today on Twitter that ClamAV is detecting
irc-unrealircd-backdoor.nse as a virus, Unix.Trojan.MSShellcode-21. I went
digging for the cause and here's what I found:

$ wget http://database.clamav.net/daily.cvd
$ dd if=daily.cvd of=clam.tgz bs=512 skip=1 # http://superuser.com/a/367716/127590
67054+1 records in
67054+1 records out
34331716 bytes (34 MB) copied, 0.421675 s, 81.4 MB/s
$ mkdir clam-tmp
$ cd clam-tmp/
$ tar -xf ../clam.tgz
tar: COPYING: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.info: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.cfg: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ign: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ign2: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ftm: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.db: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.hdb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.hdu: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.mdb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.mdu: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ndb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ndu: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ldb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ldu: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.zmd: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.rmd: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.idb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.fp: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.pdb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.wdb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.crtdb: implausibly old time stamp 1969-12-31 18:00:00
$ chmod +r *
$ grep MSShellcode-21 *
daily.ndb:Linux.Trojan.MSShellcode-21:0:*:31db5389e66a40b70a53565389e186fb66ff016a6658cd80813e5136704e75f05ffcadffe6
daily.ndb:Unix.Trojan.MSShellcode-21:0:*:6e63202d6c202d702034343434202d65202f62696e2f7368
daily.ndb:Win.Trojan.MSShellcode-21:0:*:0a202020202866756e6374696f6e28297b0a20202020202077696e646f77203d20746869733b0a202020202020436f6d706f6e656e74732e7574696c732e696d
$ python
Python 2.7.3 (default, Dec 18 2014, 19:10:20)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "6e63202d6c202d702034343434202d65202f62696e2f7368".decode("hex")
'nc -l -p 44<editorial insertion to avoid detection>44 -e /bin/sh'


So simply because we include that particular invocation of netcat (which I
had to modify just to get past the dev list's filters!), we're being
flagged as a virus. I was going to go in and change it, but I don't feel
that it's worthwhile for a few reasons:

1. The offending line has been in place since version 5.35DC1 in July of
2010, so there are lots of old installations that will continue to be
detected.

2. The signature is incredibly broad, since this is one of the most common
examples of a remote shell used in security training.

3. Whatever we change it to has just as good a chance of being caught by a
more broad or intelligent signature in the future.

So this post is just to serve as a warning and explanation. I've already
reported it via ClamAV's online false-positive form.

Dan
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
