Could I possibly solicit a more experienced pair of eyes?

Status
Not open for further replies.

mrkd

New Member
Thread author
Feb 9, 2024
2
So, long story short: I've had an issue with malware on my systems for over the past two years. But, post 03/29, the XZ Utils disclosure, things have magically started to abate.

But that's not what I'm here for. I'm here because somehow that conversation, and now argument, has led to the core systemd binaries of Arch Linux hitting as malicious: on Hybrid Analysis, through just the generic yara-rules/rules lib, and on VirusTotal with 14 detections.

hybrid-analysis for -shared: https://hybrid-analysis.com/sample/...ccab0efba9c88f4a1c03/661dec693ba6f76f1b0f856a
hybrid-analysis for -core: https://hybrid-analysis.com/sample/...2c5cfed8f998e01fe169/661dac27782fbd32e806df1d
VT for -shared: VirusTotal
VT for -core: VirusTotal

But, instead of at least the forum moderators or anyone at Arch wanting to work with me, I'm being met with resistance and overall peculiarity over the issue, and now am basically being challenged to prove that they are in fact malicious, as if I'm somehow doctoring the submission results. I have even been asked to reach out to each vendor directly for an explanation, or effectively been asked to bring a burden of proof that they in fact are malicious. Anyone mind taking a look for me? This is beyond my pay grade and expertise and I would appreciate an assist.

The binaries are on disk and being distributed from Arch Linux's mirrors at current. The SHA-256 hashes are:

b1a9e5be43c028442c07071e202f44f33e3a2df167822c5cfed8f998e01fe169 /usr/lib/systemd/libsystemd-core-255.4-2.so

and

ff42428f0fcc346cc56e2b00d4b5c4bd43b55f3465b4ccab0efba9c88f4a1c03 /usr/lib/systemd/libsystemd-shared-255.4-2.so
 

Bot

AI-powered Bot
Apr 21, 2016
3,580
It's quite perplexing indeed. False positives can be common in malware detection, but your case seems a bit more complex. It's also possible that the binaries have been tampered with on your specific machine. My suggestion would be to compare your binaries with the ones directly downloaded from Arch's official mirrors to see if there's any difference. If they match, it's probably a false positive. If not, then further investigation is needed. Also, contacting the vendors directly would be helpful as their insight might shed some light on the situation.

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
Hello there. The links on VirusTotal and Hybrid-Analysis do not look suspicious to me.
The detection rate only seems high, but actually it is not, because 8 of these are from one engine: Bitdefender. You may notice that 8 names are completely the same. Bitdefender sells their scanning engine to other products, so any false positive from them will be there 8 times. The other engines that are (maybe) not Bitdefender are probably just triggered by the high detection rate. They also haven't detected a specific threat but show generic or unspecific detections instead.
I suggest you submit the file to Bitdefender if you want to be sure (I won't analyse this because most likely they have to fix this anyway).

Thread will be locked because this is not a malware analysis discussion but rather a request to verify if something is clean, see rules.
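An added example, not from any poster in this thread, of the triage struppigel describes: collapse a VirusTotal-style result list so that one engine's signature repeated by its licensees counts once, and separate named detections from generic or heuristic labels. The vendor names, detection strings and the `GENERIC_MARKERS` heuristic are constructed for illustration.

```python
# Added example: de-duplicate a detection list by signature name and split
# specific names from generic/heuristic labels. All data below is constructed.
from collections import Counter

# Constructed sample: 14 detections, 8 of which carry the identical name
# (the pattern of one engine resold under several product names) and the
# remaining 6 carry generic or machine-learning labels. Vendor names are
# placeholders, not real products.
SAMPLE_RESULTS = [
    ("VendorA", "Trojan.Agent.ABCD"), ("VendorB", "Trojan.Agent.ABCD"),
    ("VendorC", "Trojan.Agent.ABCD"), ("VendorD", "Trojan.Agent.ABCD"),
    ("VendorE", "Trojan.Agent.ABCD"), ("VendorF", "Trojan.Agent.ABCD"),
    ("VendorG", "Trojan.Agent.ABCD"), ("VendorH", "Trojan.Agent.ABCD"),
    ("VendorI", "Malicious (score: 70)"),
    ("VendorJ", "Unsafe"),
    ("VendorK", "Suspicious.Heuristic"),
    ("VendorL", "ML.Attribute.HighConfidence"),
    ("VendorM", "Gen:Variant.Heur"),
    ("VendorN", "Malware.AI.1234"),
]

# Substrings that mark a label as generic/heuristic rather than a named
# family. This list is an assumption; tune it to the engines you see.
GENERIC_MARKERS = ("generic", "heur", "suspicious", "unsafe",
                   "malicious", "ml.", "ai.", "score")


def is_generic(name):
    """True if the detection label names no specific malware family."""
    lowered = name.lower()
    return any(marker in lowered for marker in GENERIC_MARKERS)


def triage(results):
    """Summarise (engine, detection_name) pairs by distinct signature."""
    by_name = Counter(name for _, name in results)
    distinct = set(by_name)
    return {
        "raw_count": len(results),
        "distinct_names": len(distinct),
        # signature name -> number of engines repeating it verbatim
        "shared_signatures": {n: c for n, c in by_name.items() if c > 1},
        "specific_names": sorted(n for n in distinct if not is_generic(n)),
        "generic_names": sorted(n for n in distinct if is_generic(n)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RESULTS).items():
        print(f"{key}: {value}")
```

Read the output as "one specific signature, repeated eight times, plus six generic labels", which is the question to put to the vendor that owns that one signature, rather than "14 detections".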
