You are browsing a READ only archive of the main support categories pre 4/21/2008.

Server Platforms: Discussion regarding any server based Ubuntu release.

#1
First Cup of Ubuntu
Join Date: Oct 2004
Beans: 4

Virus in Live CD?
I recently did a virus scan of my machine using ClamAV. It reported that there was a virus in an Ubuntu Live CD I downloaded using BitTorrent. I got the .torrent for it through an official Ubuntu download mirror. Can anyone tell me if the virus is real or if it is a false alarm?
The following is a piece of the output from the virus scan:

```
warty-release-live-i386.iso: Trojan.URLspoof.gen FOUND
```

#2
5 Cups of Ubuntu
Join Date: Nov 2004
Beans: 16

Re: Virus in Live CD?
Weird, I see the same thing (see below.) But I also scanned my iso with f-prot and got nothing. I am hoping/guessing it is a false-positive.
```
CLAMSCAN
================
$ clamscan warty-release-live-i386.iso
warty-release-live-i386.iso: Trojan.URLspoof.gen FOUND

----------- SCAN SUMMARY -----------
Known viruses: 25657
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 263.38 MB
I/O buffer size: 131072 bytes
Time: 64.087 sec (1 m 4 s)

F-PROT Scan
================
$ f-prot -ai warty-release-live-i386.iso
Virus scanning report - 28 November 2004 @ 15:06

F-PROT ANTIVIRUS
Program version: 4.4.8
Engine version: 3.14.13

VIRUS SIGNATURE FILES
SIGN.DEF created 24 November 2004
SIGN2.DEF created 24 November 2004
MACRO.DEF created 22 November 2004

Search: warty-release-live-i386.iso
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER -AI

Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Time: 0:00

No viruses or suspicious files/boot sectors were found.

MD5
================
$ md5sum warty-release-live-i386.iso
dac84a3abf5a1a104d768d569a62579e warty-release-live-i386.iso
$ links -dump http://releases.ubuntu.com/warty/MD5SUMS | grep live
dac84a3abf5a1a104d768d569a62579e warty-release-live-i386.iso
```
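
The checksum comparison that post #2 does by eye, as an added example that is not part of the original thread: it parses an md5sum-style list, hashes the image in chunks and reports match, mismatch or unlisted. The file name and bytes used in `demo()` are constructed; a match only shows that the download equals what the mirror published, so the list itself has to come from a source you trust.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sums(text):
    """Parse md5sum-style lines: '<hex digest> <filename>' or '<hex digest> *<filename>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        if name and all(c in "0123456789abcdef" for c in digest):
            entries[name] = digest
    return entries


def file_digest(path, algo="md5", chunk=1 << 20):
    """Hash a file in 1 MiB chunks so a CD-sized image is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, sums_text, algo="md5"):
    """Return 'match', 'mismatch', or 'unlisted' for path against the published list."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no entry for this file name: nothing was verified
    actual = file_digest(path, algo)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    # Constructed stand-in for an ISO and its checksum list (not real release data).
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example-live-i386.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed image bytes\n" * 4096)
        good = f"{file_digest(iso)}  example-live-i386.iso\n"
        bad = f"{'0' * 32} *example-live-i386.iso\n"
        return verify(iso, good), verify(iso, bad), verify(iso, "")


if __name__ == "__main__":
    print(demo())
```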

#3
5 Cups of Ubuntu
Join Date: Nov 2004
Beans: 16

Re: Virus in Live CD?
Just as a side note here, this is from McAfee's Virus Profile on this trojan:

"Indications of Infection: There are no obvious symptoms of this exploit. Files detected as Exploit-URLSpoof are benign themselves. No system changes or damage occurs from accessing an Exploit-URLSpoof file. However, following an exploited hyperlink within a detected file can result in users being tricked to divulge personal information, install malicious software, etc."

Taken from: http://us.mcafee.com/virusInfo/defau...virus_k=100927

(Also note that their own engine has been getting false positives on this Trojan as well.)

I am not an expert on how Clam identifies viruses, but I am pretty certain this isn't something to worry over. Especially since this is something that exploits IE.

#4
Ultimate Coffee Grinder
Join Date: Oct 2004
Location: Cambridge. MA
Beans: 5,063
Ubuntu 8.10 Intrepid Ibex

Re: Virus in Live CD?
Must be a coincidental magic string in the ISO.
Try extracting the ISO and scanning all the files inside. Do any of the files get flagged?

#5
First Cup of Ubuntu
Join Date: Nov 2004
Beans: 5

Re: Virus in Live CD?
Not to be a jerk or anything, but can a virus do much damage on a LiveCD? This thread seems kind of pointless. The CD filesystem is read-only. It seems like a false positive, but even if a virus existed if it wanted to destroy anything, it can't really corrupt the operating system as it is on a CD and therefore cannot be changed. One of the reasons that Devil Linux is a LiveCD distribution is for that very security feature.

#6
Ultimate Coffee Grinder
Join Date: Oct 2004
Location: Cambridge. MA
Beans: 5,063
Ubuntu 8.10 Intrepid Ibex

Re: Virus in Live CD?
Yes. The Ubuntu LiveCD does have some Windows components -- an autorun, some Windows installers for OpenOffice, Firefox, etc. It's perfectly possible that a virus slipped in with these components, which could cause SERIOUS trouble.
And since ISOs don't compress/encode data, it's perfectly possible that an AV could pick up a virus's signature from inside an ISO.