Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...

Langer, Stephen A. stephen.langer at
Wed Sep 9 10:55:04 PDT 2015

On 9/4/15, 8:51 PM, "macports-users-bounces at on behalf
of Ryan Schmidt" <macports-users-bounces at on behalf of
ryandesign at> wrote:

>On Sep 4, 2015, at 5:27 PM, Brandon Allbery wrote:
>> Others have reported this. Unfortunately, there is no guarantee that
>>some random chunk of code or data won't hash to the same value as a
>>virus; it's statistically unlikely, but over time the probability of a
>>false positive will tend toward unity. And in fact false positives are
>>rare but known to happen, as one would expect.
>The whole point of hash algorithms is to provide something very close to
>that guarantee. Some hash algorithms are broken, so they can no longer
>provide that guarantee; md5 is an example of a broken hash algorithm.
>Tools exist to let you craft two different files that hash to the same
>md5 sum. But newer algorithms like sha256 and rmd160 are not yet broken
>and still provide sufficiently strong assurances that if the hash of a
>file is the expected value, then the contents of the file are the
>expected contents as well. That's why we use sha256 and rmd160 checksums
>to verify the integrity of the files MacPorts ports download.
>I assume the Sophos claim of iPh/WireLurk-G in zlib is a false positive
>and refer concerned users to Sophos.

I had this problem and reported it to our IT staff, who reported it to
sophos, who confirmed that there was a problem with the virus definitions.
 They say that it’s been fixed now.

 — Steve

More information about the macports-users mailing list