
Windows Defender on 8 Dec 2019 reports Win64/Longage severe Trojan malware in the Ubuntu 18.04.3 live server image, in this file:

ubuntu-18.04.3-live-server-amd64.iso->
pool\main\l\linux\linux-modules-4.15.0-55-generic_4.15.0-55.60_amd64.deb->data.tar.xz->(xz)->
./lib/modules/4.15.0-55-generic/kernel/drivers/md/raid456.ko


Jonas Czech
Harvey
  • Probably a false positive result – PonJar Dec 08 '19 at 22:54
  • I would verify the ISO is valid (i.e. checksum or https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#0); if it shows invalid I'd purge asap. If it shows as valid, I'd concur likely false positive (*heuristic scans are fast but false positives are the side-effect*) – guiverc Dec 08 '19 at 22:58
  • Could you extract the file in question and upload it to the likes of VirusTotal: https://www.virustotal.com/gui/home/upload – blade19899 Dec 10 '19 at 08:29
  • If this issue screwed up `apt` in your WSL installation, here is a [working fix](https://askubuntu.com/q/1194884/1023833) for it – Salvioner Dec 12 '19 at 09:30

1 Answer

I have received the exact same message today. I've downloaded the .iso again to a separate Ubuntu machine and verified the checksum:

$ echo "b9beac143e36226aa8a0b03fc1cbb5921cff80123866e718aaeba4edb81cfa63 *ubuntu-18.04.3-live-server-amd64.iso" | shasum -a 256 --check
ubuntu-18.04.3-live-server-amd64.iso: OK

After that, I've extracted the file in question (raid456.ko) and uploaded to virustotal.com: https://www.virustotal.com/gui/file/9443cd40874b29cf452a7af3a033fc72f5afff26e2bfd43ca0dfcf81c5a9127f/detection

It was last analyzed a month ago and it was fine. I've reanalyzed it again and it seems that now Microsoft is the only one detecting this as Trojan:Win64/Longage (screenshot).

I would say new Microsoft Defender signatures triggered a false positive here. Even in the very unlikely event that Ubuntu had embedded a trojan in the .iso, the Windows machine itself does not / should not execute Linux (ELF) binaries, so there's nothing to worry about on the Windows side. However, if that were the case, we would of course have a whole lot bigger issue to worry about.

I have submitted this file to Microsoft and flagged it as false positive, using this link: https://www.microsoft.com/en-us/wdsi/filesubmission

I'll update this answer when/if I receive a response from Microsoft analyst.

UPDATE: No response from Microsoft yet, but their engine no longer detects this. TrendMicro does now though. The likelihood that this is a false positive is extremely high.

UPDATE 2: I have also submitted the file to TrendMicro yesterday (no reply yet - will not follow up). I consider this case closed. Reply from Microsoft:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
  3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.

shawlees
  • Actually, since this is a RAID driver, there is at least a faint possibility of this making sense: the driver could try and detect when it is handling an NTFS file system and inject its payload into a system file. That would be a *very* convoluted attack, but then again, so was Stuxnet. (The main argument against this is that someone who is capable of constructing such a complex attack vector would probably not use an existing off-the-shelf trojan whose signatures are already known to AV programs.) – Jörg W Mittag Dec 09 '19 at 14:31
  • I just followed your link to VirusTotal. It now shows 2 engines detected this file. GData detects it as Linux.Trojan.Agent.KDAUKI and TrendMicro-HouseCall detects it as TROJ_GEN.R002H01L919. Microsoft does not detect it anymore! – user68186 Dec 09 '19 at 15:04
  • A few hours later only TrendMicro-HouseCall is detecting this file as a Trojan. – user68186 Dec 09 '19 at 20:25
  • Well, someone screwed up somewhere. Interested to see who did where. – Mast Dec 09 '19 at 20:31
  • @JörgWMittag great thinking! I did not think of this vector. I do, however, agree it's a really convoluted one, especially keeping in mind that the source code for this is available, which would mean the attacker would have to get his code not only into Ubuntu, but most likely into the main Linux kernel source, which is highly unlikely to happen. Source code for this driver is available in the "linux" package: https://packages.ubuntu.com/bionic-updates/linux-modules-4.15.0-55-generic – shawlees Dec 09 '19 at 22:39
  • @user68186 thanks for keeping us updated! It does seem like a false positive and vendors seem to be fixing their signatures. – shawlees Dec 09 '19 at 22:41