possible malware in db48 port
Ryan Schmidt
ryandesign at macports.org
Wed Jan 22 00:48:24 UTC 2020
On Jan 21, 2020, at 17:11, Artemio González López wrote:
> Bitdefender has flagged two files from the db48 MacPorts port installed in my Mac, namely
>
> /opt/local/lib/db48/libdb_cxx-4.8.dylib
> /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2
db48-4.8.30_4.darwin_17.x86_64.tbz2 contains everything installed by the db48 port, which includes libdb_cxx-4.8.dylib.
> which seem to be infected by something called
>
> Gen:Variant.Application.MAC.Koiot.575
>
> Does this sound plausible, or is it more likely a false positive?
It seems unlikely to me. If you got the binary of this port from our server (which I think you did; see below), then that would mean that our server is infected, and I find that unlikely. If on the other hand MacPorts built it for you on your own computer, I guess it's possible that an existing virus infection on your computer was copied into this file. I'm not familiar with this virus or how it works or what it does. A third possibility is that db 4.8.30 as distributed by its developers contains this virus. That too seems unlikely.
> In any case, I am thinking of reinstalling the port. Is this possible, and how should I proceed? (uninstall first, perhaps, but what about dependents?).
You can rebuild the port with:
sudo port -n upgrade --force db48
If you want to be sure that you receive a binary from us, you would use:
sudo port -nb upgrade --force db48
If on the other hand you want to ensure a build from source, to rule out a problem with our binary, you would use:
sudo port -ns upgrade --force db48
> Here’s what ls reports about these files:
>
> -rwxr-xr-x 1 macports admin 1302356 Sep 27 2017 /opt/local/lib/db48/libdb_cxx-4.8.dylib
> -rw-r--r-- 1 macports wheel 19951871 Mar 15 2018 /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2
Those are the exact sizes and, in the case of libdb_cxx-4.8.dylib, the exact date of those files as distributed by our server. As such, I expect that reinstalling the port from our binary will change nothing. You can build from source to see if that changes anything.
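Since the .tbz2 archive holds everything the port installed, the second scenario above (a local infection modifying the installed library after the fact) can be checked by comparing the on-disk dylib against the copy inside the archive. The script below is an added example for this thread, not MacPorts code; it assumes that archive members are stored with paths such as ./opt/local/lib/db48/libdb_cxx-4.8.dylib and that tar auto-detects the archive's compression.

```shell
#!/bin/sh
# Added example, not from the thread: compare an installed MacPorts file with the
# copy stored in the port's .tbz2 archive, which contains everything the port
# installed. A mismatch means the on-disk file changed after MacPorts extracted it.
# Assumptions: tar auto-detects the compression (GNU tar and bsdtar both do), and
# archive members carry paths such as ./opt/local/lib/db48/libdb_cxx-4.8.dylib.

# SHA-256 of stdin, using whichever tool the platform provides.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Print the archive member that corresponds to the installed path, or nothing.
# The leading "./" is dropped from each member before comparing it as a suffix
# of the installed path, so /opt/local/... matches ./opt/local/... in the archive.
find_member() {
    tar -tf "$1" | awk -v p="$2" '
        { m = $0; sub(/^\.\//, "", m) }
        m != "" && substr(p, length(p) - length(m) + 1) == m { print; exit }'
}

# Return 0 when the installed file matches its archived copy, 1 when the bytes
# differ, 2 when the archive has no member for it. Both hashes are printed.
verify_against_archive() {
    archive=$1
    installed=$2
    member=$(find_member "$archive" "$installed")
    if [ -z "$member" ]; then
        echo "no member for $installed in $archive" >&2
        return 2
    fi
    archived_sum=$(tar -xOf "$archive" "$member" | sha256_stdin)
    installed_sum=$(sha256_stdin < "$installed")
    echo "archived  $archived_sum  $member"
    echo "installed $installed_sum  $installed"
    [ "$archived_sum" = "$installed_sum" ]
}

# Stand-alone use, e.g. with the archive and library paths quoted in the thread:
#   sh verify.sh /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2 \
#                /opt/local/lib/db48/libdb_cxx-4.8.dylib
if [ -n "${2:-}" ]; then
    verify_against_archive "$1" "$2"
fi
```

A match only shows the installed file is identical to the archived copy; whether the archive itself is clean is the question the source build (sudo port -ns upgrade --force db48) answers.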