Obfuskated Meta-Virus Discovered

Dear Developers,

There appears to be a virus on the Linux openSUSE 11.0 version. The virus is common on Novell networks and has found itself into the kernel SCSI modules. Here is an excerpt of an anti-virus scan from commercial off-the-shelf virus scanning software, AVG 7.5.51, virus database 270.3.0/1505. The Linux version I am running is a commercial beta version of SUSE 11.0 on an HP NX6325 security platform. My configuration is a -minimal- installation with only the operating system necessary to run and install applications.

The focus of the installation is: click and install the operating system with no interference or alternative configurations. Then configure the machine until it works without any problems. When that is completed, use the Control Panels to uninstall almost all software unless it is basic software for communication like Netscape or Mail, or other default software like media players or configuration software.

The order install>update>configure>create is very important because the live CD does not allow configuration before update. When all that is done, a commercial off-the-shelf virus scanner discovers the following viruses:

1> scsi_mod.ko Virus found Downloader.Obfuskated
2> scsi_transport_fc.ko Virus found Downloader.Obfuskated

If you need more information please don’t hesitate to reply to this thread, the list from the virus scanner is very long. I have found no search results yet on information how to delete or quarantine the Obfuskated virus. The AVG company does not supply the tools to remove the virus trojan downloader.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While I haven’t tested this myself, all the reports of a virus with this
name online specify it is a W32 virus. If that is the case, I think AVG
is a bit psychotic. I suppose the code for the virus could be embedded
in a SCSI driver (in theory) but it probably wouldn’t work since we’re
not in Windows.

Good luck.

herbievantetering wrote:
| Dear Developers,
|
| There appears to be a virus on the Linux Open SUSE 11.0 version. The
| virus is common on Novell Networks and has found itself into the
| kernel scsi modules. Here is an excerpt of an anti virus scan from
| commercial off the shelf virus scanning software AVG 7.5.51 virus
| database 270.3.0/1505. The Linux version I am running is a commercial
| beta SUSE 11.0 version of SUSE 11.0 on HP NX6325 security platform. My
| configuration is a -minimal- installation with only the operating
| system necessary to run- and install applications.
|
| The focus of the installation is, click- and install the operating
| system with no interference or alternative configurations. Then
| configure the machine until it works without any problems. When that is
| completed, use the Control Panels to uninstall almost all software
| unless it is basic software for communication like Netscape, Mail, or
| other default software like Media Players or Configuration Software.
|
| The order install>update>configure>create is very important because the
| live CD does not allow configuration before update. When all that is
| done, a commercial off the shelf virus scanner discovers the following
| viruses.
|
| 1> scsi_mod.ko Virus found Downloader.Obfuskated
| 2> scsi_transport_fc.ko Virus found Downloader.Obfuskated
|
| If you need more information please don’t hesitate to reply to this
| thread, the list from the virus scanner is very long. I have found no
| search results yet on information how to delete or quarantine the
| Obfuskated virus. The AVG company does not supply the tools to remove
| the virus trojan downloader.
|
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIVoDL3s42bA80+9kRAq0aAJ4jwsv6sq9KEjdkLiY828YO8fakoQCdHLHX
XRMwTzcduJuezLQg6qHw7i0=
=KDUB
-----END PGP SIGNATURE-----

I found this; I agree it seems to be an AVG thing: [[Haskell-cafe] Object Files Become Downloader.Obfuskated](http://www.haskell.org/pipermail/haskell-cafe/2007-May/025298.html)

Someone else would need to comment on whether Haskell is where it is claimed to be found, though.

False positive.

lol, this is funny. Don’t you think that the SCSI subsystem kernel maintainers would discover/know if there was a virus in their subsystem? And if there really is one, don’t you think that the maintainers will remove it before inclusion into Linus’ main kernel tree? Even if the virus infiltrated the code after inclusion into the main tree, there should be at least a single report on LKML that there’s something wrong with these SCSI modules. The kernel people do code revisions all the time and will discover it pretty fast, if there’s something wrong, that is.

so nothing to worry about right?

Yup

thanks :slight_smile:

I found this topic to be funny for a few reasons, and while the topic poster did nothing wrong, you should have more faith in the Linux development community. Just because we don’t get viruses doesn’t mean we don’t know what they look like. False positive, BTW; send the report to AVG so they can fix it.

…and in the extremely unlikely case it is a real virus, it won’t run anyway :stuck_out_tongue:

  1. The company scanning for the virus has been certified by:
  • ICSA Labs Anti-Virus certification
  • 100% Virus Bulletin tests
  • West Coast Security Labs
  • West Coast Checkmark Level 1, Level 2
  • West Coast Trojan certifications
  • Certification by West Coast Labs
  • Antivirus certification by TÜV
  • United States Government check
  2. The AVG company develops anti-spyware software for Linux.
  3. The current computer does not have Windows installed.
  4. Embedded or wrapped SCSI is not genuine Linux.

The virus can also have discovered an entry point at the compiled binary of the Kernel and the virus does not have to be at the source of the kernel so I do trust the developers of Linux but I do not trust everyone who works with Linux. I also do trust commercial companies developing security software.

The question is why and how the scanning software discovers a virus on a commercial off-the-shelf ready version of SUSE Linux, not whether a virus scanner is confused; that is beside the point, because there is more than one virus on this machine and on Linux.

A few other questions remain:

  1. Why does one claim AVG software does not work?
  2. How do you remove the mentioned trojan?
  3. Why is it the Obfuskated virus on Novell?
  4. How do you remove viruses on Linux?
  5. What about commercial versions?

With very kind regards,

ing. E.H.A. van Tetering
Software Engineer.

Blah blah blah.

Type I and type II errors - Wikipedia, the free encyclopedia

You sound more like a spambot than a real person to me.

Congratulations, your virus scanner is broken:

File scsi_mod.ko received on 06.17.2008 12:47:46 (CET)
Current status: finished
Result: 0/33 (0%)
Virustotal. MD5: 1d9654c131eedee49c2d9e24f974ed4d

File scsi_transport_fc.ko received on 06.17.2008 12:48:43 (CET)
Current status: finished
Result: 0/33 (0%)
Virustotal. MD5: 4e029ac6401a0c2d21f29e2ea6fc0ae8

Change to a better antivirus or update your signatures / software to fix the false positive.
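
The check a practitioner would run before arguing with the scanner, as an added example that is not part of the thread: hash the flagged modules and compare them with the distribution's known-good hashes, and on an RPM-based system ask the package manager directly. The manifest below is constructed for illustration (it reuses the two VirusTotal MD5s quoted above; they are not claimed to be the vendor's hashes), the module path layout is assumed, and the script is mine, not openSUSE's or AVG's.

```python
"""Triage an anti-virus hit on a kernel module by checking whether the file on
disk still matches what the distribution shipped. Added example; the manifest
and paths are assumptions, not data from the thread or from openSUSE."""
import hashlib
import shutil
import subprocess
from pathlib import Path

# Constructed manifest: module file name -> known-good MD5. The values are the
# VirusTotal MD5s quoted in the thread and serve only as illustration.
KNOWN_GOOD = {
    "scsi_mod.ko": "1d9654c131eedee49c2d9e24f974ed4d",
    "scsi_transport_fc.ko": "4e029ac6401a0c2d21f29e2ea6fc0ae8",
}

# Assumed layout of openSUSE kernel modules; adjust for the running kernel.
MODULE_GLOB = "*/kernel/drivers/scsi/scsi_*.ko"


def hash_hex(data: bytes, algo: str = "md5") -> str:
    """Hex digest of in-memory bytes. MD5 matches what VirusTotal reported in
    2008; prefer sha256 whenever the manifest provides it, because MD5
    collisions are practical and an attacker could match a weak hash."""
    return hashlib.new(algo, data).hexdigest()


def triage(modules: dict, manifest: dict) -> dict:
    """Classify each suspect module by comparing its hash with the manifest.

    'vendor-match': file is byte-identical to what the vendor shipped, so the
                    AV hit is a false positive unless the vendor package itself
                    is compromised (a supply-chain question, not a scanner one)
    'modified':     file differs from the vendor copy; not proof of malware,
                    but a real change to a kernel module that needs a look
    'unknown':      no manifest entry, so hashes alone cannot decide
    """
    result = {}
    for name, data in modules.items():
        expected = manifest.get(name)
        if expected is None:
            result[name] = "unknown"
        elif hash_hex(data) == expected.lower():
            result[name] = "vendor-match"
        else:
            result[name] = "modified"
    return result


def read_modules(paths) -> dict:
    """Load module files from disk, keyed by file name."""
    return {Path(p).name: Path(p).read_bytes() for p in paths}


def rpm_verify(path: str) -> str:
    """Authoritative check on an RPM-based system: `rpm -Vf FILE` prints
    nothing when the file matches its package, otherwise a flag string such
    as '..5......' (digest changed) or 'missing'. Returns a note if rpm is
    not installed, so the script still runs elsewhere."""
    if shutil.which("rpm") is None:
        return "rpm not available"
    proc = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
    return proc.stdout.strip() or "package verification: unchanged"


if __name__ == "__main__":
    paths = [str(p) for p in Path("/lib/modules").glob(MODULE_GLOB)]
    for name, status in triage(read_modules(paths), KNOWN_GOOD).items():
        print(f"{status:13} {name}")
    for p in paths:
        print(f"{p}: {rpm_verify(p)}")
```

A "vendor-match" result settles the question the thread is arguing about: if the bytes on disk are the ones the distribution shipped, the scanner is matching a pattern inside legitimate kernel code, and the remaining question is whether you trust the vendor's package, which `rpm -Vf` answers from the package database rather than from an external hash list.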

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  1. Irrelevant. Nobody is perfect.

  2. Irrelevant. See above. Windows-based viruses, unless very
    carefully written to be cross-platform (non-trivial… I’ve only heard
    of it in proofs of concept and they weren’t written in ‘C’ in those
    cases), will not have any option for survival in Linux.

While your question is “why is there a virus in Linux” the fact remains
that your question doesn’t matter if there isn’t really a virus in
Linux. It may seem possible that a virus is in this driver but in
reality it isn’t likely. Just because they’re a security company that
even makes products for Linux doesn’t mean they are right. Viruses and
other malware are detected by looking for patterns in files… but
patterns can also match things incorrectly. The latter is what you’ve
found.

1a. It probably does work most of the time, but this appears to be a bug.
2a. If it were there you’d probably contact the vendor and have it
removed there. If it showed up outside the install media your AV
software would hopefully be able to clear things out. Alternatively you
could just replace the infected files with the originals.
3a. See above.
4a. See above.
5a. See above.

Good luck.

herbievantetering wrote:
| 1) The company scanning for the virus has been certified by:
|
| * ICSA Labs Anti-Virus certification
| * 100% Virus Bulletin tests
| * West Coast Security Labs
| * West Coast Checkmark Level 1, Level 2
| * West Coast Trojan certifications
| * Certification by West Coast Labs
| * Antivirus certification by TÜV
| * United States Government check
|
| 2) The AVG company develops Anti Spyware software for Linux.
| 3) The current computer does not have windows installed.
|
| The virus can also have discovered an entry point and the source binary
| of the Kernel and the virus does not have to be the source of the kernel
| so I do trust the developers of Linux but I do not trust everyone who
| works with Linux. I also do trust commercial companies developing
| security software.
|
| The question is why and how does the scanning software discover a virus
| on a commercial off the shelf ready version of linux. Not whether the
| virus scanner is confused and that is beside the point because there
| are more than one virus on this machine and on Linux.
|
| A few other questions remain:
|
| 1) Why does one claim AVG software does not work?
| 2) How do you remove the mentioned trojan?
| 3) Why is it the Obfuskated virus on Novell?
| 4) How do you remove viruses on Linux?
| 5) What about commercial versions?
|
| With very kind regards,
|
| ing. E.H.A. van Tetering
| Software Engineer.
|
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIV7XO3s42bA80+9kRAgexAJ44wi1gwKNxqF8n2kGrCPr6+4WNFgCghFjO
/GE7daMVlrRVStaGU+N8V70=
=TtLR
-----END PGP SIGNATURE-----

Dear Developer,

A virus or spyware is defined as a hostile anomaly on a machine that interferes with the normal functionality of a machine or network. A virus can also steal information or in other ways damage a machine or network on which it resides.

Fact 1: A virus or spyware has been found on the machine by an internationally certified company.

Fact 2: The installed spyware software contains the latest updates and definition files.

Fact 3: There are more infected files and the anti-spyware software is a commercial off-the-shelf anti-virus software.

Fact 4: The fact that the virus is discovered in the mentioned modules does not mean that it cannot be discovered elsewhere.

Fact 5: The updates appear not to be related to the modular form of the virus and the virus is still resident on the machine.

The virus is a meta-virus because it appears to also infect installations in a generic manner and, from its definition, resides on different operating systems. The virus may very well be initiated from inside the developer community. I do not know how the virus functions and therefore also do not know how to remove it. There are more viruses under development and these will infect the operating system.

  • commercial usage of linux means less compilation means more vulnerabilities
  • certain open source developers do not wish commercial usage of linux
  • kernel development is unrelated to spyware or viruses resident on machines
  • separation of concerns of security-, antispyware-, antivirus development

http://i104.photobucket.com/albums/m176/telliecoin/dear-god-make-it-stop.jpg

Seriously. Please, stop - now.

herbievantetering wrote:
> Dear Developers,
>
> There appears to be a virus on the Linux Open SUSE 11.0 version. The
> virus is common on Novell Networks and has found itself into the
> kernel scsi modules. Here is an excerpt of an anti virus scan from
> commercial off the shelf virus scanning software AVG 7.5.51 virus
> database 270.3.0/1505. The Linux version I am running is a commercial
> beta SUSE 11.0 version of SUSE 11.0 on HP NX6325 security platform. My
> configuration is a -minimal- installation with only the operating
> system necessary to run- and install applications.
>
> The focus of the installation is, click- and install the operating
> system with no interference or alternative configurations. Then
> configure the machine until it works without any problems. When that is
> completed, use the Control Panels to uninstall almost all software
> unless it is basic software for communication like Netscape, Mail, or
> other default software like Media Players or Configuration Software.
>
> The order install>update>configure>create is very important because the
> live CD does not allow configuration before update. When all that is
> done, a commercial off the shelf virus scanner discovers the following
> viruses.
>
> 1> scsi_mod.ko Virus found Downloader.Obfuskated
> 2> scsi_transport_fc.ko Virus found Downloader.Obfuskated
>
> If you need more information please don’t hesitate to reply to this
> thread, the list from the virus scanner is very long. I have found no
> search results yet on information how to delete or quarantine the
> Obfuskated virus. The AVG company does not supply the tools to remove
> the virus trojan downloader.
>
>
If this is true then it would not only affect openSUSE but every other
distro out there. If you believe this is the case and not a false
positive like already mentioned, I’d suggest signing up to the LKML and
bring this to the attention of the kernel devs and let them look at this.

Dude??? Don’t you get it? Your anti-virus program is identifying the kernel modules INCORRECTLY as virus infected!!! THIS IS THE FAULT OF YOUR PROGRAM, PLEASE UPDATE IT TO A MORE RECENT VERSION. THERE IS NO VIRUS ON YOUR SYSTEM!!

God damn it, you have to get it into your head: there is no virus on your system. Upgrade your anti-virus program and you will see for yourself!!!

The VirusTotal website checks the file with over 30 scanners - not even AVG itself found anything wrong with the files.

If there’s a virus in it, I’ll kiss a Geeko.

That is one way of censoring your text :wink: Keep it cool though!