possible malware in db48 port

Wed Jan 22 23:04:47 UTC 2020

On Wed, Jan 22, 2020 at 12:34 AM Bill Cole <
macportsusers-20171215 at billmail.scconsult.com> wrote:

> On 21 Jan 2020, at 18:11, Artemio González López via macports-users
> wrote:
>
> > Bitdefender has flagged two files from the db48 MacPorts port
> > installed in my Mac, namely
> >
> > /opt/local/lib/db48/libdb_cxx-4.8.dylib
> > /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2
> >
> > which seem to be infected by something called
> >
> > Gen:Variant.Application.MAC.Koiot.575
>
> The is not an indication of a specific 'infection' but rather a generic
> heuristic match with characteristics seen in known malware. This is NOT
> a match with any specific known malware.
>
> > Does this sound plausible,
>
> I believe Bitdefender flagged it. I don't believe it is worth concern. I
> have no reason to believe that a Bitdefender generic match it worth
> anything. Do you?
>
> > or is it more likely a false positive?
>
> It's nothing. It's not a 'positive' of any sort, it's an almost random
> assertion that a file has some vague characteristics in common with
> unspecified malware.
>
> Generic matches by "antivirus" programs that do not document those
> patterns are worse than worthless. Your use of Bitdefender has wasted
> your valuable time.
>
> > In any case, I am thinking of reinstalling the port. Is this possible,
> > and how should I proceed? (uninstall first, perhaps, but what about
> > dependents?).
>
> You can't make Bitdefender worthwhile software by reinstalling Berkeley
> DB 4.8.
>
> I have machines with these local source builds of the db48 port,
> v4.8.30_4:
>
> Darwin10/i386
> Darwin15/x86_64
> Darwin17/x86_64
> Darwin18/x86_64
>
> All of these now show the same 5 junk hits at VirusTotal on their
> libdb_cxx-4.8.dylib. The first 2 did not show any hits in years-old
> tests, but they hit when rescanned in the last few hours. I also have
> downloaded the pristine source from Oracle, patched it to fix naming
> conflicts, and built it without using anything from MacPorts. That
> libdb_cxx-4.8.dylib hits at VT identically to the 4 other builds I have.
>
> It is certainly possible that the source code of BerkeleyDB v4.8.30 has
> been compromised at its definitive repository by some
> as-yet-unidentified MacOS X malware which has unspecified similarities
> to some unspecified  known malware which is only known to 5 3rd-rate AV
> tools, 4 of which give it the same name which is unreferenced anywhere.
>
> It is more likely that those junk AV packages have detected the use of
> BerkeleyDB v4.8.30 (one of the most ubiquitous open source libraries in
> existence) by some malware and have deemed some of its characteristics
> as being indicative of malware, incorrectly.
>
> If you are a paying customer of Bitdefender, I urge you to ask them what
> this detection actually means and ask that they justify the waste of
> your time over this apparently pointless "detection." They owe you an
> explanation.
>

 Thanks Bill and Ryan for your perspectives and additional testing.  I am
inclined to agree with your skepticism.

The comedy of errors is expanding.  This morning, the number of hits via
virustotal.com had increased from the original 5 to 9.  I suppose that
scanners are industriously sharing their patterns.

For fun I dragged out the analogous library file from one of our linux
systems, /usr/lib64/libdb_cxx-4.7.so.  It is more than three years old, not
even the same code version.  Yet this morning, one of those VT reported
scanners had flagging this linux file.  The "engine" was Trapdoor, which
has not been responding for the past few hours.
https://www.virustotal.com/gui/file/e2746e958da892cd2485d9264bb0470b04159b63f5580a487d9b06c83fbf7780

( I added a single trailing line feed to preserve the state of the previous
original VT scan report; more than a year ago, and no hits.)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-users/attachments/20200122/6da1e839/attachment.html>