#48756 closed defect (invalid)
zlib @1.2.8 Infected with iPhone WireLurker malware
| Reported by: | bhavinhasmail@… | Owned by: | landonf (Landon Fuller) |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | 2.3.3 |
| Keywords: | | Cc: | ryandesign (Ryan Carsten Schmidt), mkae (Marko Käning) |
| Port: | zlib | | |
Description
When upgrading my ports installation my anti-virus software (Sophos Home Edition v 9.2.7) detected the iPhone/WireLurk malware.
Infected file: /opt/local/lib/libz.1.2.8.dylib
Attachments (1)
Change History (10)
Changed 9 years ago by bhavinhasmail@…
| Attachment: | macports-libz-wirelurk.jpg added |
|---|---|
comment:1 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)
| Cc: | ryandesign@… added |
|---|---|
| Owner: | changed from macports-tickets@… to landonf@… |
| Port: | zlib added |
| Summary: | libz @1.2.8 Infected with iPhone WireLurker malware → zlib @1.2.8 Infected with iPhone WireLurker malware |
I don't see how the zlib port could be infected with anything. For one thing, the port hasn't been updated in any way in over 2 years; if there were a problem, it would have been reported long before now. So either your local copy of zlib on your machine was replaced with an infected copy (by something outside of MacPorts), or your virus scanner is giving you a false positive. To check whether it is the former, you could force a reinstallation of zlib by running:
    sudo port -n upgrade --force zlib
Then run your virus scanner again. If it no longer says the file is infected, then something replaced your zlib with a corrupted copy, and you should try to figure out how that happened. If it still says it is infected, I suspect a false positive, and you should report it to the maker of your antivirus software.
comment:2 Changed 9 years ago by bhavinhasmail@…
I force reinstalled zlib as you described and Sophos is STILL detecting it as malware.
I have submitted the file to Sophos and reported it as a possible false-positive.
For the record, the MD5 of the file on my system (OSX 10.9.5) after a force reinstall:
    3c7c50ef664fcdc089776f11d269a9dc /opt/local/lib/libz.1.2.8.dylib
comment:3 Changed 9 years ago by Ionic (Mihai Moldovan)
    33d63b553961919e9a7f28b1386f5a1e /opt/local/lib/libz.1.2.8.dylib
On my 10.9 box.
comment:4 Changed 9 years ago by neverpanic (Clemens Lang)
https://www.virustotal.com/en/file/469d43ee371af72619b446c55020eefe6eca24a2b3684fca61376dcb3518ea09/analysis/
Very likely false positive.
comment:6 Changed 9 years ago by JDLH (Jim DeLaHunt)
For what it's worth, on my system (Mac OS X 10.10.5):
    % ls -l /opt/local/lib/libz.1.2.8.dylib
    -rwxr-xr-x  1 root  admin  161884 19 Nov  2014 /opt/local/lib/libz.1.2.8.dylib
    % md5 -r /opt/local/lib/libz.1.2.8.dylib
    e2a778e45a1d89993fa4b576966e94de /opt/local/lib/libz.1.2.8.dylib
This differs from either bh...'s or ionic's checksums above.
After rebuilding zlib, I got:
    % sudo port -n upgrade --force zlib
    ... [lots of response omitted] ...
    --->  Scanning binaries for linking errors
    --->  No broken files found.
    % ls -l /opt/local/lib/libz.1.2.8.dylib
    -rwxr-xr-x  1 root  admin  161884 19 Nov  2014 /opt/local/lib/libz.1.2.8.dylib
    % md5 -r /opt/local/lib/libz.1.2.8.dylib
    e2a778e45a1d89993fa4b576966e94de /opt/local/lib/libz.1.2.8.dylib
This looks pretty much unchanged.
comment:7 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)
You'll get a different checksum for Mach-O files like dylibs every time you rebuild. The fact that you got the same checksum and the same timestamp on the file tells us you happened to get a binary from our server, rather than actually rebuilding the port on your computer. Binaries are specific to each version of OS X, so even two users who both got the files from our build server will get different checksums if they are on different OS X versions. You're on 10.10 and bh and ionic are on 10.9.
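Because a locally rebuilt dylib does not hash the same as the copy on the build server, comparing whole-file checksums across users (as in the comments above) only tells you that two files differ, not why. The script below is an added example, not code from the ticket or from MacPorts: it reads a Mach-O's load commands and reports the dylib's install name, version and LC_UUID, so a flagged library can be compared with a freshly reinstalled copy and classified as the identical build, the same library rebuilt, or something else entirely. The sample dylib it constructs is a minimal Mach-O (header plus LC_UUID and LC_ID_DYLIB); the install name, versions and UUID values in it are assumed for illustration, not taken from the real libz.

```python
"""Fingerprint a Mach-O dylib by its load commands rather than a whole-file hash.

Added example, not the ticket's or MacPorts' code. build_sample_dylib() produces
a constructed, minimal Mach-O so the script runs without a macOS box;
parse_macho_identity() works the same way on open(path, "rb").read().
"""
import struct
import uuid as uuidlib

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O, little-endian
MH_CIGAM_64 = 0xCFFAEDFE   # 64-bit Mach-O, big-endian (byte-swapped magic)
MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O, little-endian
MH_CIGAM = 0xCEFAEDFE
FAT_MAGICS = (0xCAFEBABE, 0xBEBAFECA)  # universal binary: pick a slice first
MH_DYLIB = 0x6
LC_UUID = 0x1B
LC_ID_DYLIB = 0x0D


def _version_str(v):
    # Mach-O packs X.Y.Z as (X << 16) | (Y << 8) | Z
    return "%d.%d.%d" % (v >> 16, (v >> 8) & 0xFF, v & 0xFF)


def _pack_version(t):
    return (t[0] << 16) | (t[1] << 8) | t[2]


def parse_macho_identity(data):
    """Return filetype, LC_UUID and LC_ID_DYLIB details of a thin Mach-O image."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in FAT_MAGICS:
        raise ValueError("fat binary: extract one architecture slice first")
    if magic in (MH_MAGIC_64, MH_MAGIC):
        end = "<"
    elif magic in (MH_CIGAM_64, MH_CIGAM):
        end = ">"
    else:
        raise ValueError("not a Mach-O file")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    # mach_header(_64): magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    _, _, _, filetype, ncmds, _, _ = struct.unpack_from(end + "IiiIIII", data, 0)
    off = 32 if is64 else 28
    ident = {"filetype": filetype, "uuid": None, "install_name": None,
             "current_version": None, "compat_version": None}
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("truncated load command")
        if cmd == LC_UUID:
            ident["uuid"] = str(uuidlib.UUID(bytes=bytes(data[off + 8:off + 24])))
        elif cmd == LC_ID_DYLIB:
            # struct dylib: name offset (from the command start), timestamp, versions
            name_off, _ts, cur, compat = struct.unpack_from(end + "IIII", data, off + 8)
            raw = bytes(data[off + name_off:off + cmdsize])
            ident["install_name"] = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
            ident["current_version"] = _version_str(cur)
            ident["compat_version"] = _version_str(compat)
        off += cmdsize
    return ident


def compare_dylibs(a, b):
    """Classify a flagged dylib against a freshly reinstalled copy."""
    ia, ib = parse_macho_identity(a), parse_macho_identity(b)
    if ia["uuid"] and ia["uuid"] == ib["uuid"]:
        return "identical build"
    if (ia["install_name"] == ib["install_name"]
            and ia["current_version"] == ib["current_version"]):
        return "same library, different build"
    return "different library"


def build_sample_dylib(uuid_bytes, install_name="/opt/local/lib/libz.1.dylib",
                       current=(1, 2, 8), compat=(1, 0, 0)):
    """Constructed minimal x86_64 MH_DYLIB image (assumed values, not real libz)."""
    name = install_name.encode() + b"\0"
    name += b"\0" * (-len(name) % 8)          # load commands are 8-byte aligned
    id_cmd = struct.pack("<IIIIII", LC_ID_DYLIB, 24 + len(name), 24, 0,
                         _pack_version(current), _pack_version(compat)) + name
    uuid_cmd = struct.pack("<II", LC_UUID, 24) + bytes(uuid_bytes)
    cmds = uuid_cmd + id_cmd
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, MH_DYLIB,
                         2, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    flagged = build_sample_dylib(b"\x01" * 16)
    reinstalled = build_sample_dylib(b"\x02" * 16)
    print(parse_macho_identity(flagged))
    print(compare_dylibs(flagged, reinstalled))
```

An equal LC_UUID is strong evidence that the two files are the same linker output, which matches the reasoning above for a file that came back from the build server unchanged. An unequal UUID with the same install name and version is what a local rebuild looks like and is not by itself suspicious; a different install name, a different version, or a file that is not a valid Mach-O at all is the case worth escalating.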
comment:8 Changed 9 years ago by ryandesign (Ryan Carsten Schmidt)
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
I'm going to close this ticket now since as far as I can tell there is no MacPorts bug here.
comment:9 Changed 9 years ago by mf2k (Frank Schima)
| Keywords: | libz iPhone WireLurker WIreLurk malware removed |
|---|---|
Screen capture of Sophos malware detection of WireLurker