[MacPorts] #48756: libz @1.2.8 Infected with iPhone WireLurker malware
#48756: libz @1.2.8 Infected with iPhone WireLurker malware
-----------------------------------------------------+---------------------------------
 Reporter:  bhavinhasmail@…                          |      Owner:  macports-tickets@…
     Type:  defect                                   |     Status:  new
 Priority:  Normal                                   |  Milestone:
Component:  ports                                    |    Version:  2.3.3
 Keywords:  libz iPhone WireLurker WIreLurk malware  |       Port:
-----------------------------------------------------+---------------------------------

When upgrading my ports installation my anti-virus software (Sophos Home Edition v 9.2.7) detected the iPhone/WireLurk malware.

Infected file: /opt/local/lib/libz.1.2.8.dylib

--
Ticket URL: <https://trac.macports.org/ticket/48756>
MacPorts <https://www.macports.org/>
Ports system for OS X

#48756: zlib @1.2.8 Infected with iPhone WireLurker malware
------------------------------+-----------------------------------------------------
  Reporter:  bhavinhasmail@…  |      Owner:  landonf@…
      Type:  defect           |     Status:  new
  Priority:  Normal           |  Milestone:
 Component:  ports            |    Version:  2.3.3
Resolution:                   |   Keywords:  libz iPhone WireLurker WIreLurk malware
      Port:  zlib             |
------------------------------+-----------------------------------------------------
Changes (by ryandesign@…):

 * cc: ryandesign@… (added)
 * owner: macports-tickets@… => landonf@…
 * port: => zlib

Comment:

I don't see how the zlib port could be infected with anything. For one thing, the port hasn't been updated in any way in over 2 years; if there were a problem, it would have been reported long before now.

So either your local copy of zlib on your machine was replaced with an infected copy (by something outside of MacPorts), or your virus scanner is giving you a false positive. To check whether it is the former, you could force a reinstallation of zlib by running:

{{{
sudo port -n upgrade --force zlib
}}}

Then run your virus scanner again. If it no longer says the file is infected, then something replaced your zlib with a corrupted copy, and you should try to figure out how that happened. If it still says it is infected, I suspect a false positive, and you should report it to the maker of your antivirus software.

--
Ticket URL: <https://trac.macports.org/ticket/48756#comment:1>

#48756: zlib @1.2.8 Infected with iPhone WireLurker malware

Comment (by bhavinhasmail@…):

I force reinstalled zlib as you described and Sophos is STILL detecting it as malware.

I have submitted the file to Sophos and reported it as a possible false-positive.

For the record, the MD5 of the file /opt/local/lib/libz.1.2.8.dylib on my system, after a force reinstall, is 3c7c50ef664fcdc089776f11d269a9dc.

--
Ticket URL: <https://trac.macports.org/ticket/48756#comment:2>

#48756: zlib @1.2.8 Infected with iPhone WireLurker malware

Comment (by ionic@…):

{{{
33d63b553961919e9a7f28b1386f5a1e  /opt/local/lib/libz.1.2.8.dylib
}}}

On my 10.9 box.

--
Ticket URL: <https://trac.macports.org/ticket/48756#comment:3>

#48756: zlib @1.2.8 Infected with iPhone WireLurker malware

Comment (by cal@…):

https://www.virustotal.com/en/file/469d43ee371af72619b446c55020eefe6eca24a2b...

Very likely false positive.

--
Ticket URL: <https://trac.macports.org/ticket/48756#comment:4>

#48756: zlib @1.2.8 Infected with iPhone WireLurker malware

Comment (by from.macports@…):

For what it's worth, on my system (Mac OS X 10.10.5):

 % ls -l /opt/local/lib/libz.1.2.8.dylib
 -rwxr-xr-x 1 root admin 161884 19 Nov 2014 /opt/local/lib/libz.1.2.8.dylib
 % md5 -r /opt/local/lib/libz.1.2.8.dylib
 e2a778e45a1d89993fa4b576966e94de /opt/local/lib/libz.1.2.8.dylib

This differs from either bh...'s or ionic's checksums above.

After rebuilding zlib, I got:

 % sudo port -n upgrade --force zlib
 ... [lots of response omitted] ...
 ---> Scanning binaries for linking errors
 ---> No broken files found.
 % ls -l /opt/local/lib/libz.1.2.8.dylib
 -rwxr-xr-x 1 root admin 161884 19 Nov 2014 /opt/local/lib/libz.1.2.8.dylib
 % md5 -r /opt/local/lib/libz.1.2.8.dylib
 e2a778e45a1d89993fa4b576966e94de /opt/local/lib/libz.1.2.8.dylib

This looks pretty much unchanged.

--
Ticket URL: <https://trac.macports.org/ticket/48756#comment:6>

#48756: zlib @1.2.8 Infected with iPhone WireLurker malware

Comment (by ryandesign@…):

You'll get a different checksum for Mach-O files like dylibs every time you rebuild. The fact that you got the same checksum and the same timestamp on the file tells us you happened to get a binary from our server, rather than actually rebuilding the port on your computer.

Binaries are specific to each version of OS X, so even two users who both got the files from our build server will get different checksums if they are on different OS X versions. You're on 10.10 and bh and ionic are on 10.9.

--
Ticket URL: <https://trac.macports.org/ticket/48756#comment:7>

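The check discussed in comments 1 and 7, as an added example that is not part of the ticket or of MacPorts: fingerprint the library before and after the forced reinstall, then read the result the way the thread does. The function names, the verdict flags and the sample file are assumptions made for illustration; MD5 matches what the posters compared and SHA-256 is the hash a VirusTotal lookup uses.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return md5, sha256, size and mtime of a file, hashing it in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    st = os.stat(path)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "size": st.st_size, "mtime": int(st.st_mtime)}


def interpret(before, after, flagged_before, flagged_after):
    """Apply the thread's reasoning to two fingerprints and two scan verdicts."""
    same_bytes = before["sha256"] == after["sha256"]
    if same_bytes and before["mtime"] == after["mtime"]:
        notes = ["identical bytes and timestamp: the reinstall unpacked a "
                 "prebuilt binary archive, nothing was rebuilt locally"]
    elif same_bytes:
        notes = ["identical bytes, new timestamp"]
    else:
        notes = ["file content changed across the reinstall"]
    if flagged_before and not flagged_after:
        notes.append("detection cleared: the earlier copy had been replaced "
                     "outside MacPorts, find out how")
    elif flagged_before and flagged_after:
        notes.append("still detected on a fresh copy: suspect a false positive "
                     "and report the file to the antivirus vendor")
    return notes


if __name__ == "__main__":
    # Constructed stand-in for /opt/local/lib/libz.1.2.8.dylib so this runs anywhere.
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"constructed sample bytes")
        sample = fh.name
    before = fingerprint(sample)   # taken before `sudo port -n upgrade --force zlib`
    after = fingerprint(sample)    # taken after it; unchanged here, as in comment 6
    print(before["md5"], before["sha256"])
    for note in interpret(before, after, flagged_before=True, flagged_after=True):
        print("-", note)
    os.unlink(sample)
```
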
#48756: zlib @1.2.8 Infected with iPhone WireLurker malware
------------------------------+-----------------------------------------------------
  Reporter:  bhavinhasmail@…  |      Owner:  landonf@…
      Type:  defect           |     Status:  closed
  Priority:  Normal           |  Milestone:
 Component:  ports            |    Version:  2.3.3
Resolution:  invalid          |   Keywords:  libz iPhone WireLurker WIreLurk malware
      Port:  zlib             |
------------------------------+-----------------------------------------------------
Changes (by ryandesign@…):

 * status: new => closed
 * resolution: => invalid

Comment:

I'm going to close this ticket now since as far as I can tell there is no MacPorts bug here.

--
Ticket URL: <https://trac.macports.org/ticket/48756#comment:8>

#48756: zlib @1.2.8 Infected with iPhone WireLurker malware
------------------------------+-----------------------
  Reporter:  bhavinhasmail@…  |      Owner:  landonf@…
      Type:  defect           |     Status:  closed
  Priority:  Normal           |  Milestone:
 Component:  ports            |    Version:  2.3.3
Resolution:  invalid          |   Keywords:
      Port:  zlib             |
------------------------------+-----------------------
Changes (by mf2k@…):

 * keywords: libz iPhone WireLurker WIreLurk malware =>

--
Ticket URL: <https://trac.macports.org/ticket/48756#comment:9>