possible malware in db48 port

Bill Cole macportsusers-20171215 at billmail.scconsult.com
Wed Jan 22 07:34:12 UTC 2020


On 21 Jan 2020, at 18:11, Artemio González López via macports-users 
wrote:

> Bitdefender has flagged two files from the db48 MacPorts port 
> installed in my Mac, namely
>
> /opt/local/lib/db48/libdb_cxx-4.8.dylib
> /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2
>
> which seem to be infected by something called
>
> Gen:Variant.Application.MAC.Koiot.575

This is not an indication of a specific 'infection' but rather a generic 
heuristic match with characteristics seen in known malware. This is NOT 
a match with any specific known malware.

> Does this sound plausible,

I believe Bitdefender flagged it. I don't believe it is worth concern. I 
have no reason to believe that a Bitdefender generic match is worth 
anything. Do you?

> or is it more likely a false positive?

It's nothing. It's not a 'positive' of any sort, it's an almost random 
assertion that a file has some vague characteristics in common with 
unspecified malware.

Generic matches by "antivirus" programs that do not document those 
patterns are worse than worthless. Your use of Bitdefender has wasted 
your valuable time.

> In any case, I am thinking of reinstalling the port. Is this possible, 
> and how should I proceed? (uninstall first, perhaps, but what about 
> dependents?).

You can't make Bitdefender worthwhile software by reinstalling Berkeley 
DB 4.8.

I have machines with these local source builds of the db48 port, 
v4.8.30_4:

Darwin10/i386
Darwin15/x86_64
Darwin17/x86_64
Darwin18/x86_64

All of these now show the same 5 junk hits at VirusTotal on their 
libdb_cxx-4.8.dylib. The first 2 did not show any hits in years-old 
tests, but they hit when rescanned in the last few hours. I also have 
downloaded the pristine source from Oracle, patched it to fix naming 
conflicts, and built it without using anything from MacPorts. That 
libdb_cxx-4.8.dylib hits at VT identically to the 4 other builds I have.

It is certainly possible that the source code of BerkeleyDB v4.8.30 has 
been compromised at its definitive repository by some 
as-yet-unidentified MacOS X malware which has unspecified similarities 
to some unspecified known malware which is only known to 5 3rd-rate AV 
tools, 4 of which give it the same name which is unreferenced anywhere.

It is more likely that those junk AV packages have detected the use of 
BerkeleyDB v4.8.30 (one of the most ubiquitous open source libraries in 
existence) by some malware and have deemed some of its characteristics 
as being indicative of malware, incorrectly.

If you are a paying customer of Bitdefender, I urge you to ask them what 
this detection actually means and ask that they justify the waste of 
your time over this apparently pointless "detection." They owe you an 
explanation.

-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
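A check that answers the original question more directly than reinstalling: confirm that the flagged installed file is byte-for-byte the copy MacPorts unpacked from the port's .tbz2 archive. If the two agree, nothing changed on disk after installation, and an AV heuristic firing on both files says nothing more than that both contain the same library. The script below is an added example for this thread, not MacPorts code and not part of the original post. It assumes MacPorts archives store files under ./opt/local/... alongside +CONTENTS metadata (the lookup matches on the file's basename so the exact layout does not matter), and build_fixture() constructs a tiny stand-in archive and "installed" file so it runs offline; on a real machine you would pass the two paths from the report instead.

```python
"""Compare a MacPorts-installed file with the copy inside the port's binary
archive (.tbz2). A mismatch means the on-disk file changed after install;
identical hashes mean an AV hit on both is about the library itself.
Added example for the db48 thread; not MacPorts' own code."""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def archive_digests(archive_path, suffix):
    """SHA-256 of every regular member whose path ends with `suffix`.

    Assumption: MacPorts archives keep files under ./opt/local/... next to
    +CONTENTS metadata. Matching on the basename avoids depending on that.
    """
    found = {}
    with tarfile.open(archive_path, "r:bz2") as tar:
        for member in tar:
            if member.isfile() and member.name.endswith(suffix):
                data = tar.extractfile(member).read()
                found[member.name] = hashlib.sha256(data).hexdigest()
    return found


def installed_matches_archive(installed_path, archive_path):
    """Return (installed_sha256, {archive_member: sha256}, ok).

    ok is True only if the archive contains the file and every matching
    member hashes identically to the installed copy.
    """
    installed = sha256_file(installed_path)
    in_archive = archive_digests(archive_path, os.path.basename(installed_path))
    ok = bool(in_archive) and all(d == installed for d in in_archive.values())
    return installed, in_archive, ok


def build_fixture(workdir, tamper=False):
    """Constructed stand-in for libdb_cxx-4.8.dylib and its .tbz2 archive.

    The payload is a few bytes, not a real Mach-O; with tamper=True the
    'installed' copy gets extra bytes appended to simulate post-install change.
    Returns (installed_path, archive_path).
    """
    payload = b"\xcf\xfa\xed\xfe fake libdb_cxx-4.8 payload\n"
    member = "./opt/local/lib/db48/libdb_cxx-4.8.dylib"
    archive = os.path.join(workdir, "db48-4.8.30_4.darwin_17.x86_64.tbz2")
    with tarfile.open(archive, "w:bz2") as tar:
        for name, data in (("+CONTENTS", b"@name db48 4.8.30_4\n"), (member, payload)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    installed = os.path.join(workdir, "libdb_cxx-4.8.dylib")
    with open(installed, "wb") as f:
        f.write(payload + (b"# tampered\n" if tamper else b""))
    return installed, archive


def demo():
    """(pristine_ok, tampered_ok): the untouched copy matches, the modified one does not."""
    results = []
    for tamper in (False, True):
        with tempfile.TemporaryDirectory() as d:
            inst, arc = build_fixture(d, tamper)
            results.append(installed_matches_archive(inst, arc)[2])
    return tuple(results)


if __name__ == "__main__":
    print(demo())
```

On a real system, call installed_matches_archive("/opt/local/lib/db48/libdb_cxx-4.8.dylib", "/opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2") and compare the printed digest with the same file on another machine or with an independent build, which is the comparison the message above describes doing by hand.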

