Nmap Development mailing list archives
ClamAV detects irc-unrealircd-backdoor.nse as Unix.Trojan.MSShellcode-21
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 16 Apr 2015 10:21:36 -0500
List,

I've seen a couple reports today on Twitter that ClamAV is detecting irc-unrealircd-backdoor.nse as a virus, Unix.Trojan.MSShellcode-21. I went digging for the cause and here's what I found:

$ wget http://database.clamav.net/daily.cvd
$ dd if=daily.cvd of=clam.tgz bs=512 skip=1 # http://superuser.com/a/367716/127590
67054+1 records in
67054+1 records out
34331716 bytes (34 MB) copied, 0.421675 s, 81.4 MB/s
$ mkdir clam-tmp
$ cd clam-tmp/
$ tar -xf ../clam.tgz
tar: COPYING: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.info: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.cfg: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ign: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ign2: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ftm: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.db: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.hdb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.hdu: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.mdb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.mdu: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ndb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ndu: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ldb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.ldu: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.zmd: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.rmd: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.idb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.fp: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.pdb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.wdb: implausibly old time stamp 1969-12-31 18:00:00
tar: daily.crtdb: implausibly old time stamp 1969-12-31 18:00:00
$ chmod +r *
$ grep MSShellcode-21 *
daily.ndb:Linux.Trojan.MSShellcode-21:0:*:31db5389e66a40b70a53565389e186fb66ff016a6658cd80813e5136704e75f05ffcadffe6
daily.ndb:Unix.Trojan.MSShellcode-21:0:*:6e63202d6c202d702034343434202d65202f62696e2f7368
daily.ndb:Win.Trojan.MSShellcode-21:0:*:0a202020202866756e6374696f6e28297b0a20202020202077696e646f77203d20746869733b0a202020202020436f6d706f6e656e74732e7574696c732e696d
$ python
Python 2.7.3 (default, Dec 18 2014, 19:10:20)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "6e63202d6c202d702034343434202d65202f62696e2f7368".decode("hex")
'nc -l -p 44<editorial insertion to avoid detection>44 -e /bin/sh'
So simply because we include that particular invocation of netcat (which I had to modify just to get past the dev list's filters!), we're being flagged as a virus. I was going to go in and change it, but I don't feel that it's worthwhile for a few reasons:

1. The offending line has been in place since version 5.35DC1 in July of 2010, so there are lots of old installations that will continue to be detected.
2. The signature is incredibly broad, since this is one of the most common examples of a remote shell used in security training.
3. Whatever we change it to has just as good a chance of being caught by a more broad or intelligent signature in the future.

So this post is just to serve as a warning and explanation. I've already reported it via ClamAV's online false-positive form.

Dan
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/