Apologies... when I said that 'strings' didn't show anything, I meant that
it didn't show anything related to the signature... the only thing I found
in the strings output was the presence of "payload.sources":

$ strings node | grep payload.so
    ArrayPrototypeIndexOf(payload.sources, originalSourcePath);
  if (payload.sourcesContent?.[sourceContentIndex]) {
    source = payload.sourcesContent[sourceContentIndex];

None of the other substrings from the signature were found in the node
binary.

Unfortunately, the way the signature is written *any* presence of
"payload.so" will trigger the signature...

--Maarten

On Wed, Aug 3, 2022 at 9:32 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi Viktor,
>
> On Tue, 2 Aug 2022, Viktor Rosenfeld via clamav-users wrote:
>
> > 22:51 hesk@kenny:~ $ clamscan /opt/homebrew/Cellar/node/18.7.0/bin/node
> > Loading:     7s, ETA:   0s [========================>]    8.62M/8.62M
> sigs
> > Compiling:   2s, ETA:   0s [========================>]       41/41 tasks
> >
> > /opt/homebrew/Cellar/node/18.7.0/bin/node:
> Osx.Exploit.CVE_2021_4034-9951522-1 FOUND
> > ...
>
> > On Tue, 2 Aug 2022, G.W.Haywood via clamav-users wrote:
> > ...
> > > If you can post ... a link to where you got the file, AND the MD5 ...
> >
> > I’m using Homebrew to install nodejs. Below is the curl command that
> downloads ...
>
> After several attempts using variations of your curl command I failed
> to grab the file, so I took the tarballs (like Al - in fact I grabbed
> three, the 16.x ARM and X64 versions and the 18.x ARM version) from
> https://nodejs.org and simply unpacked them to a scratch directory to
> scan them.  The results are different from yours, see below.
>
> On Tue, 2 Aug 2022, Viktor Rosenfeld via clamav-users wrote:
>
> > MD5 (node/18.7.0/bin/node) = bd689141b74bf1c9d897d25aa6878a85
>
> I didn't get the same MD5 for the file
>
> 6b8627f0b1327ffee606314125862e27  node-v18.7.0-darwin-arm64/bin/node
>
> so I wonder what's up there.  As it isn't the same file that you have
> I didn't bother to scan it, but see below for 'strings' etc.
>
> On Tue, 2 Aug 2022, Maarten Broekman via clamav-users wrote:
>
> > Additionally, using the 'strings' command to get any/all ASCII
> > strings from the binary (yes, I know it doesn't always help) doesn't
> > show anything...
>
> I don't see the same result at all:
>
> 8<----------------------------------------------------------------------
> $ strings ./node-v18.7.0-darwin-arm64/bin/node | perl -ne
> 'if(/[a-zA-Z]{5,}/){print;}' | head -n 10
> __PAGEZERO
> __stubs
> __stub_helper
> __cstring
> __const
> __ustring
> __oslogstring
> __unwind_info
> __eh_frame
> __DATA_CONST
> 8<----------------------------------------------------------------------
>
> Lots of strings in there.
>
> A clamd scan of the entire directory tree found this:
>
> node-v16.16.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js:
> PUA.Win.Trojan.Xored-1 FOUND
> node-v16.16.0-darwin-x64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js:
> PUA.Win.Trojan.Xored-1 FOUND
> node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js:
> PUA.Win.Trojan.Xored-1 FOUND
>
> As you can see we run with 'PUA' signatures enabled, see
>
>
> https://docs.clamav.net/faq/faq-misc.html?highlight=false%20positive#what-is-pua-i-get-a-lot-of-false-positives-named-pua
>
> and e.g. the clamscan and clamd.conf 'man' pages for more about PUAs.
>
> This is PUA.Win.Trojan.Xored-1 (it's in 'daily'):
>
> 8<----------------------------------------------------------------------
> $ sigtool --find-sigs 'PUA.Win.Trojan.Xored-1' | sigtool --decode-sigs
> VIRUS NAME: PUA.Win.Trojan.Xored-1
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
> 8<----------------------------------------------------------------------
>
> It's just looking for the string 'charcodeat(X)' where X is a string
> of 5 or fewer characters.  Pretty generic, I'm amazed that we don't
> see more FPs than we do from that source.
>
> The three files in which this is found are identical in the three archives:
>
> 8<----------------------------------------------------------------------
> $ md5sum .../*/imurmurhash.min.js
> 52d2eb410de1c9e0758ef562289289fa
> node-v16.16.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
> 52d2eb410de1c9e0758ef562289289fa
> node-v16.16.0-darwin-x64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
> 52d2eb410de1c9e0758ef562289289fa
> node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
>
> $ grep -ci charcodeat
> ./node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
> 1
> 8<----------------------------------------------------------------------
>
> You can easily create your own FP entries in the database, see the
> documentation at
>
> https://docs.clamav.net/manual/Signatures/AllowLists.html
>
> When I scanned a tree using vanilla 'clamscan', nothing was found:
>
>   $ ./clamscan -ro node-v18.7.0-darwin-arm64
> node-v18.7.0-darwin-arm64/bin/npm: Symbolic link
> node-v18.7.0-darwin-arm64/bin/npx: Symbolic link
> node-v18.7.0-darwin-arm64/bin/corepack: Symbolic link
> node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/node-gyp/gyp/pylib/gyp/generator/__init__.py:
> Empty file
> node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/smart-buffer/docs/ROADMAP.md:
> Empty file
> node-v18.7.0-darwin-arm64/lib/node_modules/npm/.npmrc: Empty file
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8812460
> Engine version: 0.103.7
> Scanned directories: 954
> Scanned files: 4118
> Infected files: 0
> ...
>
> These archives are from 100 to 150 megabytes of code and other junk.
>
> As the PUA signature is so generic, it would almost be surprising if
> something was NOT found.  If the archive comes from a reliable source,
> and it's been checked to make sure that it hasn't been tampered with,
> and it's more than a few days old, scans will already have been done
> all over the world, with at least a dozen scanners other than ClamAV.
> So unless you have your own speciality signatures I think scanning it
> again will most likely be pointless.  In any case the probability of
> finding something really nasty is small, because if the bad actor is
> the least bit competent it will be very well hidden.  One example of
> the sort of threat you might want to worry about:
>
> https://www.theregister.com/2022/07/25/nodejs_prototype_pollution/
>
> If I were going to use this stuff, that would give me pause.
>
> HTH
>
> --
>
> 73,
> Ged.
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
>
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
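As an added example, not from the thread and not ClamAV's own code, the Python below models the two matches discussed above and the allow-list fix Ged points to. It re-implements the decoded body of PUA.Win.Trojan.Xored-1 as a case-insensitive regex (ClamAV lower-cases HTML-target text before matching, which is why `grep -ci` was used), models the CVE_2021_4034 signature as a plain substring match on `payload.so` (a simplification based only on Maarten's statement that any presence of that string fires it; the signature's real body is not on the page), and emits a `.fp` allow-list entry in the `MD5:size:SignatureName` format. The function names, the `scan` wrapper and the sample inputs are constructed for this example.

```python
"""Model of the two ClamAV matches discussed in the thread, plus the .fp
allow-list entry that suppresses a confirmed false positive.
Added example; not ClamAV code.  Sample inputs are constructed."""
import hashlib
import re

# Decoded body of PUA.Win.Trojan.Xored-1 as shown by sigtool:
#   charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
# HTML-target text is normalized to lower case before matching, so the
# check is case-insensitive; the wildcard allows up to 5 arbitrary bytes.
XORED_RE = re.compile(rb"charcodeat\(.{0,5}\)\^", re.IGNORECASE | re.DOTALL)

# Simplified model (assumption): the Osx.Exploit.CVE_2021_4034 signature is
# treated as firing on any occurrence of this literal, as the thread says.
CVE_SUBSTRING = b"payload.so"
CVE_SIG_NAME = "Osx.Exploit.CVE_2021_4034-9951522-1"
XORED_SIG_NAME = "PUA.Win.Trojan.Xored-1"


def matches_xored_sig(data: bytes) -> bool:
    """True if the bytes contain the pattern the PUA signature looks for."""
    return XORED_RE.search(data) is not None


def matches_literal(data: bytes, needle: bytes) -> bool:
    """Plain substring match, as a fixed hex-string signature behaves.
    There is no word boundary: 'payload.so' matches inside 'payload.sources'."""
    return needle in data


def fp_line(data: bytes, sig_name: str) -> str:
    """Build a ClamAV .fp allow-list entry (MD5:size:SignatureName) for a
    file that has been confirmed to be a false positive for sig_name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{sig_name}"


def allow_listed(data: bytes, entries: list[str]) -> set[str]:
    """Return the signature names that .fp entries suppress for this exact
    file (hash and size must both match, as in ClamAV's hash allow-lists)."""
    md5 = hashlib.md5(data).hexdigest()
    size = str(len(data))
    suppressed = set()
    for entry in entries:
        entry_md5, entry_size, name = entry.strip().split(":", 2)
        if entry_md5.lower() == md5 and entry_size == size:
            suppressed.add(name)
    return suppressed


def scan(data: bytes, fp_entries: list[str]) -> list[str]:
    """Run the two modelled checks and drop any hit the allow-list covers."""
    hits = []
    if matches_xored_sig(data):
        hits.append(XORED_SIG_NAME)
    if matches_literal(data, CVE_SUBSTRING):
        hits.append(CVE_SIG_NAME)
    suppressed = allow_listed(data, fp_entries)
    return [h for h in hits if h not in suppressed]


# Constructed sample inputs (not the real imurmurhash.min.js or node binary).
MINIFIED_JS = b"function h(s){for(var i=0;i<s.length;i++){k=(k^s.charCodeAt(i))^k;}}"
NODE_LIKE = b"ArrayPrototypeIndexOf(payload.sources, originalSourcePath);"
CLEAN = b'console.log("hello")'

if __name__ == "__main__":
    print("minified JS :", scan(MINIFIED_JS, []))
    print("node-like   :", scan(NODE_LIKE, []))
    print("clean       :", scan(CLEAN, []))
    # After confirming the JS hit is benign, the .fp line below silences it.
    entry = fp_line(MINIFIED_JS, XORED_SIG_NAME)
    print("allow-list  :", entry)
    print("re-scan     :", scan(MINIFIED_JS, [entry]))
```

The `.fp` entry is tied to the exact file hash and size, so it is the right tool for a specific known-good artifact; a `.ign2` entry (signature name only) would silence the signature for every file and is the blunter choice. Because `allow_listed` keys on the hash, the entry stops matching as soon as the file changes, which is the behaviour you want from an allow-list.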
