Trojan horse in "clamav" source package???

Asked by newkt on 2011-04-07

Hey there,

Absolute complete newbie to Ubuntu here, although I have 10 years of experience (1986-1996) writing custom kernel device drivers for proprietary "real-time Unix" (NOT Linux) systems ... Perhaps this "question" should have been directed elsewhere -- bug reports? -- but this venue seemed to be the quickest and easiest way for an Ubuntu newbie like me ...

I installed Ubuntu 10.04.2 LTS (lucid) onto a 16 GB USB flash drive (HP v125w), using an "alternate installation CD" (i386) that I burned from the corresponding official Ubuntu ISO image, and I immediately upgraded all of the installed Ubuntu packages (including the kernel) to the latest (supported) 10.04.2 downloads available -- from "lucid/main", "lucid-updates/main", and "lucid-security/main" ... No packages are installed from any of the "restricted", "universe", or "multiverse" sources -- EXCEPT for "apt-src" from "lucid/universe" ... I've not experienced any problems whatsoever running this bootable-from-USB system ...

HOWEVER, I wrote a script using "apt-src" (unsupported by Canonical, I know) to download/install ALL of the available "main" and "restricted" (i.e., supported by Canonical) source packages on the 2.0 TB RAID 0 hard drive[s] on my Dell Studio XPS 8100 box (Core i7-860) ... I knew that this massive source download would be far too large for my 16 GB USB drive, which is why I used the massive drive on my Windows 7 Ultimate Edition system ... (But I forgot that "apt-src" ALSO automatically downloads/installs all of the binary packages needed for the build dependencies of the source packages, and of course, it does that in the root file system on the USB drive ... So this unattended installation of all source packages took a LOT longer than I expected, and it also used up a nice chunk of my USB drive as well ... Shoulda just used the supported "apt-get source", I guess ... SUB-QUESTION: Any way to identify/download/install source packages using Synaptic Package Manager???)

Anyway -- that whole process went about as well as I could expect (I think a few source packages failed to install somehow) ... BUT, shortly after I shut down Ubuntu and booted to Windows, my Norton 360 Premier v4.0 notified me that a "quick scan" of my (NTFS) file system had detected a dangerous TROJAN HORSE file in the installed "clamav" source package, to wit:

clamav-0.96.5+dfsg\test\.split\split.clam-pespin.exeaa

Was this file actually downloaded from the source archives? (I still have the tar.gz file) ... Also, I should point out that the signatures for all of the source packages couldn't be verified, for some reason, but I assume the checksum(s) were OK? I believe Norton 360 would have protected my Windows system, but is it possible that this file got "planted" on my RAID 0 hard drive[s] while I was running Ubuntu off the USB drive? My RAID 0 volume was, of course, mounted at the time because I was using it for the download/install of source packages ...

My concern, obviously, is that this infected file is actually in the source archives, and could be downloaded by anyone fetching the "clamav" source package (at least) ... Any idea how this Trojan horse got embedded in my installed source packages???

Thanks,
Kevin

Question information

Language: English
Status: Solved
For: Ubuntu clamav
Assignee: No assignee
Solved by: Federico Tello Gentile
Solved: 2011-04-08
Last query: 2011-04-08
Last reply: 2011-04-08
newkt (newkt) said : #1

OK, I did in fact do a cursory search -- for "trojan horse source" -- before posting the above, but a little more searching shows that "clamav" is itself a virus scanner? And since Norton 360 found the infected file in a "test" directory, is it possible that a "clamav" developer using a real "test" virus forgot to exclude that virus from the source package to be archived? My sincere apologies if this has been addressed already and I STILL haven't searched enough yet ...

Kevin

This is a false positive on Norton. ClamAV is a virus scanner, and its code is, not surprisingly, mistaken by Norton for a trojan. This happens all the time when one antivirus detects another antivirus as a virus or trojan based on heuristics.
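The poster's first question ("Was this file actually downloaded from the source archives? I still have the tar.gz file") can be answered locally without trusting the scanner's verdict either way: hash the flagged file on disk and compare it with the same member inside the pristine source tarball. The script below is an added example, not code from this thread or from the ClamAV or Ubuntu projects. It builds a constructed tarball whose only member is a placeholder file at the path Norton reported (the bytes are made up and are not the real ClamAV test sample), unpacks it, and then classifies a flagged path as identical to the archive member, modified on disk, or not present in the archive at all (which is what a planted file would look like). The function and variable names are my own.

```python
import hashlib
import io
import os
import tarfile
import tempfile

TOP_DIR = "clamav-0.96.5+dfsg"                     # directory name from the thread
FLAGGED = "test/.split/split.clam-pespin.exeaa"    # path Norton reported, relative to TOP_DIR


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_member_digests(tar_path: str) -> dict:
    """Map every regular file in the tarball (top-level dir stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(tar_path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Debian orig tarballs wrap everything in one top directory; drop it.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digests[rel] = sha256_bytes(tar.extractfile(member).read())
    return digests


def classify_flagged_file(tar_path: str, extracted_root: str, rel_path: str) -> str:
    """Compare a flagged on-disk file against the pristine archive.

    Returns one of:
      'in-archive-identical' - file is byte-for-byte what the tarball shipped
      'in-archive-modified'  - path exists in the tarball but the bytes differ
      'not-in-archive'       - nothing in the tarball has this path (planted?)
      'missing-on-disk'      - archive has it but the extracted tree does not
    """
    rel = rel_path.replace("\\", "/")          # accept the Windows-style path from the scanner
    digests = archive_member_digests(tar_path)
    if rel not in digests:
        return "not-in-archive"
    on_disk = os.path.join(extracted_root, *rel.split("/"))
    if not os.path.exists(on_disk):
        return "missing-on-disk"
    with open(on_disk, "rb") as fh:
        local = sha256_bytes(fh.read())
    return "in-archive-identical" if local == digests[rel] else "in-archive-modified"


def build_demo(tmp: str):
    """Construct a stand-in tarball and extract it; returns (tar_path, extracted_root)."""
    tar_path = os.path.join(tmp, "clamav_0.96.5+dfsg.orig.tar.gz")
    payload = b"constructed placeholder bytes standing in for a split ClamAV test sample\n"
    with tarfile.open(tar_path, "w:gz") as tar:
        info = tarfile.TarInfo(f"{TOP_DIR}/{FLAGGED}")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    # Extract by hand (member by member) so no archive path can escape the target dir.
    src_root = os.path.join(tmp, "src")
    with tarfile.open(tar_path, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and ".." not in member.name.split("/"):
                dest = os.path.join(src_root, *member.name.split("/"))
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as out:
                    out.write(tar.extractfile(member).read())
    return tar_path, os.path.join(src_root, TOP_DIR)


def demo() -> dict:
    """Run the three cases a responder cares about and return their classifications."""
    with tempfile.TemporaryDirectory() as tmp:
        tar_path, root = build_demo(tmp)
        results = {"pristine": classify_flagged_file(tar_path, root, FLAGGED)}

        # Case 2: the shipped file was altered after extraction.
        with open(os.path.join(root, *FLAGGED.split("/")), "ab") as fh:
            fh.write(b"\x00")
        results["tampered"] = classify_flagged_file(tar_path, root, FLAGGED)

        # Case 3: a file that was never in the tarball appears in the tree.
        planted = os.path.join(root, "test", "planted.exe")
        with open(planted, "wb") as fh:
            fh.write(b"constructed bytes not present in the archive\n")
        results["planted"] = classify_flagged_file(tar_path, root, "test/planted.exe")
        return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Run against the real extracted tree, a result of `in-archive-identical` says the file came out of the tarball you downloaded, so the remaining question is only whether that tarball itself is authentic; that is what the source package signature and checksum check the poster mentions (the `.dsc` signature and the hashes in the archive's `Sources` index) is for, and it is the step worth repeating rather than relying on the scanner's label.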

newkt (newkt) said : #3

Thanks so much ... Actually, I was thinking earlier of adding another question to the effect of: "OR, is it possible that Norton 360 is somehow mistaken in its assertion that this file is a threat to a Windows 7 system?" But I wouldn't have known why without your answer ...

Kevin