Hi Samuel,
On 04-09-2023 23:28, Samuel Henrique wrote:
> Hello Hugues,
>
> I obtain almost the same results with a subtle variant (Mirai.A ->
> Mirai.qahkj) while scanning the aircrack-ng binary itself, which I
> extracted directly from the .deb package:
>
> file: aircrack-ng/aircrack-ng_1.7-5_amd64/usr/bin/aircrack-ng
> sha256: d58a36fa6360bac0419650786e690f4691a3ba62f3710eb7db24d6d5d90e7c71
>
> - bitdefender : Trojan.Linux.Generic.274536
> - avira : SPR/ANDR.Mirai.qahkj
> - fsecure : PrivacyRisk.SPR/ANDR.Mirai.qahkj (6, 1, 1)
>
> Considering aircrack-ng is open source (and our aircrack-ng packaging
> too), this seems very unlikely; it would have been caught much earlier
> by other people.
That's also my guess :-)

However, that is not sufficient to prove to my client that this package is
harmless, hence my research and this bug report.
> It's also common for scanners to trigger false positives on security
> related tools.
The problem is that none of these scanners provide any information about
*why* they consider such a binary potentially dangerous.

In a sense, I guess they are obfuscating the way they detect such malware,
but that's pretty annoying in our case.

I struggle to find evidence of a false alert, which makes me consider this
a potentially credible issue. I would gladly help investigate this further
if you need it.
> What did you look for when investigating this as a false positive?
At first, I did some searching around the web (qwant + google) with the
aircrack-ng and mirai keywords, with absolutely no results.

Then, I rebuilt the aircrack-ng package with git-buildpackage from a
docker container based on debian bookworm; the result is completely
clean after scanning.

Comparing the hexdump of both binaries (the official Debian one, and mine)
showed very few differences, apart from the embedded build information. But
it's always hard to tell whether they are or aren't meaningful...

I didn't go really far.
> Do you get the same finding when scanning the package's source code?
> https://salsa.debian.org/pkg-security-team/aircrack-ng
Absolutely not. The source code is completely clean after the same
scanning.
(And yes, I did check out the "debian/1%1.7-5" git tag)

I may try in a couple of hours with the contents from 'apt source
aircrack-ng' from the same repository, if you want me to.
> Thank you for the report,
You are welcome!

Br, Hugues.
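The thread above rests on two checks: that the scanned file really is the one shipped by Debian (its sha256 is quoted in the report), and that a local rebuild differs from the official binary only in embedded build information. The following script is an added example for this thread, not code from the bug report or from the aircrack-ng project. It verifies a checksum against the sha256 quoted above and reports the exact offset ranges where two builds differ, so a reviewer can see whether the differences stay confined to build-metadata strings. The two "binaries" it compares are constructed sample byte strings (a stand-in for the official binary and for a rebuild), since no real aircrack-ng files are embedded here.

```python
"""Verify a published checksum and locate the byte ranges where two builds
of the same binary differ.

Added example for this bug-report thread; not code from the report or
from the aircrack-ng project. OFFICIAL_BUILD and LOCAL_REBUILD below are
constructed sample bytes that differ only in an embedded build string.
"""
import hashlib
from typing import List, Tuple

# sha256 quoted in the thread for usr/bin/aircrack-ng (aircrack-ng_1.7-5_amd64).
EXPECTED_SHA256 = "d58a36fa6360bac0419650786e690f4691a3ba62f3710eb7db24d6d5d90e7c71"

# Constructed stand-ins: identical "code" bytes, different embedded build line.
OFFICIAL_BUILD = (
    b"\x7fELF" + b"\x00" * 12
    + b"code-section-bytes-" * 4
    + b"Built on 2023-08-31 by buildd"
    + b"\x00" * 8 + b"tail"
)
LOCAL_REBUILD = (
    b"\x7fELF" + b"\x00" * 12
    + b"code-section-bytes-" * 4
    + b"Built on 2023-09-05 by hugues"
    + b"\x00" * 8 + b"tail"
)


def sha256_hex(data: bytes) -> str:
    """Hex sha256 of the given bytes (same digest sha256sum prints)."""
    return hashlib.sha256(data).hexdigest()


def matches_expected(data: bytes, expected: str = EXPECTED_SHA256) -> bool:
    """True when the bytes hash to the checksum published for the package."""
    return sha256_hex(data) == expected.lower()


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) offset ranges where a and b differ.

    Consecutive differing bytes are merged into one range. If the inputs
    have different lengths, the trailing extra bytes are reported as a
    final range, so a size mismatch is never silently ignored.
    """
    ranges: List[Tuple[int, int]] = []
    start = None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def differing_bytes(a: bytes, b: bytes) -> int:
    """Total number of byte positions that differ between a and b."""
    return sum(end - start for start, end in diff_ranges(a, b))


def describe(a: bytes, b: bytes) -> str:
    """Human-readable summary of the differing ranges, with both sides' bytes."""
    ranges = diff_ranges(a, b)
    lines = [f"{differing_bytes(a, b)} differing byte(s) in {len(ranges)} range(s)"]
    for start, end in ranges:
        lines.append(
            f"  0x{start:08x}-0x{end:08x}: {a[start:end]!r} -> {b[start:end]!r}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real system, read both files with open(path, "rb").read() instead.
    print("sample matches published sha256:", matches_expected(OFFICIAL_BUILD))
    print(describe(OFFICIAL_BUILD, LOCAL_REBUILD))
```

Reading the report this way turns "very few differences" into a concrete list of offsets and the bytes on each side; differences that all fall inside date and builder strings are what a non-reproducible build is expected to produce, whereas any range landing in code bytes would be the thing worth escalating.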