#1051235 aircrack-ng: package file and binary reported as malware/mirai by 3 different malware scanners
- Package: aircrack-ng
- Source: aircrack-ng
- Description: wireless WEP/WPA cracking utilities
- Submitter: Hugues Hiegel
- Date: 2023-09-05 08:33:04 UTC
- Severity: normal
- Tags:
Hello,

Scanning an entire mirror of binary (amd64) packages from Debian stable using a white station led to consistent alerts raised by three different scanners (out of ~10) on the aircrack-ng package. Following are the exact alert messages:

file: aircrack-ng/aircrack-ng_1.7-5_amd64.deb
sha256: 2c128adb6fef5864952205dab30ca361fdc677ea1d3cfce4424790f7cc69bfc6
- bitdefender: Trojan.Linux.Generic.274536
- avira: SPR/ANDR.Mirai.A
- fsecure: PrivacyRisk.SPR/ANDR.Mirai.A (6, 1, 1)

I obtain almost the same results, with a subtle variant (Mirai.A -> Mirai.qahkj), when scanning the aircrack-ng binary itself, which I extracted directly from the .deb package:

file: aircrack-ng/aircrack-ng_1.7-5_amd64/usr/bin/aircrack-ng
sha256: d58a36fa6360bac0419650786e690f4691a3ba62f3710eb7db24d6d5d90e7c71
- bitdefender: Trojan.Linux.Generic.274536
- avira: SPR/ANDR.Mirai.qahkj
- fsecure: PrivacyRisk.SPR/ANDR.Mirai.qahkj (6, 1, 1)

I struggle to find evidence of a possible false alert, which makes me consider this a potentially credible issue. I would gladly help investigate this further if you need it.

With best regards,
Hugues.
Hello Hugues,

Considering aircrack-ng is open source (and our aircrack-ng packaging too), this seems very unlikely; it would have been caught much earlier by other people. It's also common for scanners to trigger false positives on security-related tools.

What did you look for when investigating this as a false positive? Do you get the same finding when scanning the package's source code? https://salsa.debian.org/pkg-security-team/aircrack-ng

Thank you for the report,
Hi Samuel,

On 2023-09-04 23:28, Samuel Henrique wrote:
> Considering aircrack-ng is open source (and our aircrack-ng packaging too), this seems very unlikely, it would have been caught much earlier by other people.

That's also my guess :-) However, that is not sufficient to prove to my client that this package is harmless, hence my research and this bug report. The problem is that none of these scanners provide any information about *why* they consider such a binary potentially dangerous. In a sense, I guess they are obfuscating the way they detect such malware, but that's pretty annoying in our case.

> What did you look for when investigating this as a false positive?

At first, I did some searching around the web (qwant + google) with the aircrack-ng and mirai keywords, with absolutely no results. Then, I rebuilt the aircrack-ng package with git-buildpackage from a docker container based on debian bookworm; the result is completely clean after scanning. Comparing the hexdump of both binaries (the official Debian one, and mine) showed very few differences, apart from the embedded build information. But it's always hard to tell whether they are meaningful or not... I didn't go really far.

> Do you get the same finding when scanning the package's source code?

Absolutely not. The source code is completely clean after the same scanning. (And yes, I did check out the "debian/1%1.7-5" git tag.) I may try in a couple of hours with the contents of 'apt source aircrack-ng' from the same repository, if you want.

> Thank you for the report,

You are welcome!

Br,
Hugues.
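The hexdump comparison Hugues describes (the archive binary and his local rebuild differ only in embedded build information) can be made precise by diffing the two ELF files section by section: if .text, .rodata and .data are byte-identical and only .comment and .note.gnu.build-id differ, the rebuild carries the same code and the scanner's verdict is not explained by a code difference between the two. The script below is an added example written for this page; it is not part of the bug report, the Debian packaging or the aircrack-ng project. It assumes ELF64 little-endian inputs (the amd64 package), e.g. usr/bin/aircrack-ng extracted from each .deb with `dpkg-deb -x`, and uses only the standard library. The fixtures at the bottom are constructed stand-ins, not the real binaries.

```python
"""Section-by-section diff of two ELF64 little-endian binaries (stdlib only).
Added example: separates differences in build metadata (.comment,
.note.gnu.build-id) from differences in code/data sections (.text, .rodata...)."""
import struct

ELF_MAGIC, ELFCLASS64, ELFDATA2LSB = b"\x7fELF", 2, 1
SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8
EHDR_FMT = "<16sHHIQQQIHHHHHH"          # Elf64_Ehdr, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"                # Elf64_Shdr, 64 bytes
EHDR_SIZE, SHDR_SIZE = struct.calcsize(EHDR_FMT), struct.calcsize(SHDR_FMT)

# Sections that record toolchain/build provenance rather than program behaviour.
BUILD_METADATA = {".comment", ".note.gnu.build-id", ".gnu_debuglink"}


def parse_sections(blob: bytes) -> dict:
    """Return {section_name: file_bytes} for an ELF64 little-endian image."""
    if blob[:4] != ELF_MAGIC or blob[4] != ELFCLASS64 or blob[5] != ELFDATA2LSB:
        raise ValueError("not an ELF64 little-endian file")
    hdr = struct.unpack_from(EHDR_FMT, blob, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shentsize != SHDR_SIZE:
        raise ValueError("unexpected e_shentsize %d" % shentsize)
    # Elf64_Shdr fields: name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [struct.unpack_from(SHDR_FMT, blob, shoff + i * SHDR_SIZE) for i in range(shnum)]
    strtab = blob[shdrs[shstrndx][4]:shdrs[shstrndx][4] + shdrs[shstrndx][5]]
    sections = {}
    for name_off, sh_type, _flags, _addr, off, size, *_ in shdrs:
        if sh_type == SHT_NULL:          # mandatory empty entry 0
            continue
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode()
        # SHT_NOBITS (.bss) occupies no file bytes; compare it as empty.
        sections[name] = b"" if sh_type == SHT_NOBITS else blob[off:off + size]
    return sections


def compare_elf(a: bytes, b: bytes) -> dict:
    """Classify every section of the two images by how it differs."""
    sa, sb = parse_sections(a), parse_sections(b)
    report = {"identical": [], "metadata_only": [], "code_or_data": [], "missing": []}
    for name in sorted(set(sa) | set(sb)):
        if name not in sa or name not in sb:
            report["missing"].append(name)
        elif sa[name] == sb[name]:
            report["identical"].append(name)
        elif name in BUILD_METADATA:
            report["metadata_only"].append(name)
        else:
            report["code_or_data"].append(name)
    return report


def verdict(report: dict) -> str:
    """One-line summary: only code/data or missing sections are a real finding."""
    if report["code_or_data"] or report["missing"]:
        return "DIFFERENT: %s" % (report["code_or_data"] + report["missing"])
    if report["metadata_only"]:
        return "EQUIVALENT, only build metadata differs: %s" % report["metadata_only"]
    return "IDENTICAL"


def build_elf(sections: dict) -> bytes:
    """Assemble a minimal, non-runnable ELF64 image for tests (no program headers).
    Constructed fixture helper: every caller section is written as SHT_PROGBITS."""
    shstrtab, name_off = b"", {}
    for n in [b""] + [s.encode() for s in sections] + [b".shstrtab"]:
        name_off[n] = len(shstrtab)
        shstrtab += n + b"\0"
    body, offsets = b"", {}
    for n, data in sections.items():
        offsets[n] = EHDR_SIZE + len(body)
        body += data
    shstr_off = EHDR_SIZE + len(body)
    body += shstrtab
    shoff, shnum = EHDR_SIZE + len(body), len(sections) + 2
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))                      # SHT_NULL entry
    for n, data in sections.items():
        shdrs += struct.pack(SHDR_FMT, name_off[n.encode()], SHT_PROGBITS, 0, 0,
                             offsets[n], len(data), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR_FMT, name_off[b".shstrtab"], SHT_STRTAB, 0, 0,
                         shstr_off, len(shstrtab), 0, 0, 1, 0)
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, 0, 0, shoff, 0,   # ET_EXEC, EM_X86_64
                       EHDR_SIZE, 0, 0, SHDR_SIZE, shnum, shnum - 1)
    return ehdr + body + shdrs


# Constructed fixtures standing in for the archive binary and a local rebuild:
# same code and strings, different compiler banner and build-id.
SAMPLE_OFFICIAL = build_elf({
    ".text": b"\x55\x48\x89\xe5\xc3", ".rodata": b"constructed sample\0",
    ".comment": b"GCC: (constructed) 12.2.0\0", ".note.gnu.build-id": b"\x11" * 20})
SAMPLE_REBUILT = build_elf({
    ".text": b"\x55\x48\x89\xe5\xc3", ".rodata": b"constructed sample\0",
    ".comment": b"GCC: (constructed) 12.2.0-local\0", ".note.gnu.build-id": b"\x22" * 20})

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
        print(verdict(compare_elf(f1.read(), f2.read())))
```

Run it as `python3 elfdiff.py official/usr/bin/aircrack-ng rebuilt/usr/bin/aircrack-ng`. An "EQUIVALENT" result localises the difference to provenance sections, so the scanner verdict cannot be tied to a code change between the two builds; a "DIFFERENT" result names the sections to disassemble (`objdump -d -j .text`) before drawing any conclusion. Neither result says anything about whether the shared source is benign; that is what the source scan and the git tag checkout address.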