Linux Lite Forums
Software - Support => Other => Topic started by: vagnerafonso on September 04, 2015, 02:44:03 PM
-
Greetings,
I recently downloaded Lite 2.6 32Bit and booted it up in Virtual Box. I grabbed all of the wallpapers located in /usr/share/backgrounds/xfce and created a .zip archive. When I went to email that archive to myself via Gmail, Google warned me that there was a virus detected. I wanted to bring this up with the community and hopefully someone would have an answer as to why this occurred.
Thank you
ScreenShots
(http://s1.postimg.org/nb42bck5r/wallpaperarchive.png)
-
You should probably include screenshots of the warning and of the actual archive.
-
Gmail gives false positives to err on the side of caution. They would not take zome zipped up text files of mine for Icewm folder in ~/.icewm that I tried to save.
Gmail is weird like that.
I am not saying there might be a virus embedded in the image since I do not know yet.
https://www.virustotal.com/
-
Greetings,
Thank you for this information. I've uploaded the wallpaper archive using my outlook.com account and it uploaded without issue. I appreciate the feedback and information.
Thanks
-
I have been able to verify this as being flagged by https://www.virustotal.com/en/
The file in question is : /usr/share/backgrounds/xfce/Entrance.jpg
it was identified by 7 of the 56 scans at virus total as the following:
AVware Trojan.Win32.Jpgiframe (v) 20150901
AhnLab-V3 HEUR/Iframe 20150904
Bkav W32.HfsJPEG.D0FF 20150904
Cyren HTML/IFRAME.gen 20150904
F-Prot HTML/IFRAME.gen 20150904
NANO-Antivirus Trojan.Html.Heuristic-script.cadouz 20150904
VIPRE Trojan.Win32.Jpgiframe (v) 20150904
more info at:
https://www.virustotal.com/en/file/650d430d3ce9d90784f88bbe8e1aa056631e67de66072d03e6331e51f0d9d6cb/analysis/1441406529/
-
Weird how comodo, AVG,Avast,ClamAV, Eset-Nod 32, among others give a green check and pass on that file.
Not being a virus expert myself.
With the r/h devel scale practically in the middle with 0 0 on the guage.
No wonder I only use Windows to tune Motorcycles and only for that purpose.
-
I have been able to verify this as being flagged by https://www.virustotal.com/en/ (https://www.virustotal.com/en/)
The file in question is : /usr/share/backgrounds/xfce/Entrance.jpg
it was identified by 7 of the 56 scans at virus total as the following:
AVware Trojan.Win32.Jpgiframe (v) 20150901
AhnLab-V3 HEUR/Iframe 20150904
Bkav W32.HfsJPEG.D0FF 20150904
Cyren HTML/IFRAME.gen 20150904
F-Prot HTML/IFRAME.gen 20150904
NANO-Antivirus Trojan.Html.Heuristic-script.cadouz 20150904
VIPRE Trojan.Win32.Jpgiframe (v) 20150904
more info at:
https://www.virustotal.com/en/file/650d430d3ce9d90784f88bbe8e1aa056631e67de66072d03e6331e51f0d9d6cb/analysis/1441406529/ (https://www.virustotal.com/en/file/650d430d3ce9d90784f88bbe8e1aa056631e67de66072d03e6331e51f0d9d6cb/analysis/1441406529/)
From that list I've heared about F-prot and VIPRE.
I'm not an expert on viruses. Could be false positive.
Did the check on LL 2.2 also.
https://www.virustotal.com/en/file/1dc15dfe32b6e563024a77cdd15a3de194d4756ce720d83b39417e19fa872b7f/analysis/1441398029/ (https://www.virustotal.com/en/file/1dc15dfe32b6e563024a77cdd15a3de194d4756ce720d83b39417e19fa872b7f/analysis/1441398029/)
-
If you click on the link I provided for more info, and then click on the "File detail" tab it states: The file being studied is an image file! More specifically, it is a JPEG. The image has been injected with malicious web content.
In the box right below that statement is what appears to be the code that was injected into the file.
-
Trying a different route with
http://scanthis.net/ (http://scanthis.net/)
which uses
ScanThis is powered by the open source and industry-recognised Clam AV software.
because the file info is not informative at all to me . There is no .exe in it just for starters.
Since the file in question is entrance.jpg.
I am only uploading that one to be scanned presently.
It is still scanning as I type this post out. So will wait to see what is what for sure.
That injected code the other site showed was just jumbled html code which I cannot decipher.
Sure is taking a long long time to scan one .jpg. Must be a zillion virus signatures to look for I guess.
(http://i.imgur.com/q5EdANC.png)
Ok. Got tired of waiting so went to
https://www.metascan-online.com/#!/results/file/c15d48726a80498490d8b8b1e8cfe6da/regular (https://www.metascan-online.com/#!/results/file/c15d48726a80498490d8b8b1e8cfe6da/regular)
(http://i.imgur.com/AJHvRRd.png)
So my uneducated conclusion is that entrance.jpg in /usr/share/backgrounds/xfce/entrance.jpg is tainted somehow since double checked on another site and I am going to delete it of all my boxes/installs.
It can't hurt to do so. Plus. If you look at my screenshots. I never use the default stuff anyways.
Up to the team to decide where to take this from here. I can only speak for myself.
Because. Even after all that. You still get
Only a few scan engines detected this file as a threat. If you think it might be a false positive, find out how to contact the engine vendor on our blog (https://www.opswat.com/blog/what-do-i-do-if-engine-detects-my-safe-file-threat)
Edit> I am closing the scan this tab open right now. It is still not done scanning and my patience aint what it used to be.
-
harry@harry-Latitude-XT2:~$ sudo -s
[sudo] password for harry:
root@harry-Latitude-XT2:~# cd /usr/share/backgrounds/xfce
root@harry-Latitude-XT2:/usr/share/backgrounds/xfce# ls
Car.jpg Linux-Lite-Bridge.png Lite-Coral.png Stadium.jpg
Cubes.jpg Linux-Lite-Coast.png Lite-Gold.png Thames.jpg
Entrance.jpg Linux-Lite.jpg Lite-Grey.png Winter.jpg
Gaming.jpeg Linux-Lite-Mountains-Gold.png Lite-Lite-2.2.jpg xfce-blue.jpg
Kids.jpg Linux-Lite-Sand-Feather.jpg Lite-Parchment.png
Landscape.jpg Linux-Lite-Simple-Gray.png River-Dock.jpg
Liberty.jpg Linux-Lite-Waves.png Sea-House.jpg
root@harry-Latitude-XT2:/usr/share/backgrounds/xfce# rm -f Entrance.jpg
root@harry-Latitude-XT2:/usr/share/backgrounds/xfce# ls
Car.jpg Linux-Lite.jpg Lite-Lite-2.2.jpg
Cubes.jpg Linux-Lite-Mountains-Gold.png Lite-Parchment.png
Gaming.jpeg Linux-Lite-Sand-Feather.jpg River-Dock.jpg
Kids.jpg Linux-Lite-Simple-Gray.png Sea-House.jpg
Landscape.jpg Linux-Lite-Waves.png Stadium.jpg
Liberty.jpg Lite-Coral.png Thames.jpg
Linux-Lite-Bridge.png Lite-Gold.png Winter.jpg
Linux-Lite-Coast.png Lite-Grey.png xfce-blue.jpg
root@harry-Latitude-XT2:/usr/share/backgrounds/xfce# exit
exit
harry@harry-Latitude-XT2:~$
-
If you click on the link I provided for more info, and then click on the "File detail" tab it states: The file being studied is an image file! More specifically, it is a JPEG. The image has been injected with malicious web content.
In the box right below that statement is what appears to be the code that was injected into the file.
Oh I see. It's in Entrance.jpg, that image is from LL 2.0 not sure about the previous ones.
Looking at the code. as far as I can see there is a code that opens a webpage. I don't see how would xfce or ristereto image viewer be affected.
Tested on Firefox and it it looks it is not affected. Could possibly target some vulnerability in windows applications.
It appears that the image originates from some website. Anyway the threat seems minimal as many major antiviruses neglect this.
I'll wait to see what Jerry has to say about this.
In the future I suggest that the images that are going to be added to distro be uploaded in Gimp's XCF image file format.
That way the images will be open source and easy to modify.
-
Firstly, thank you for reporting this vagnerafonso and thank you to everyone else in this thread for providing additional information and taking the time to look into this. I take reports like this very seriously. I'm going to analyse this at my end and let you know soon what will happen.
-
I've decided to err on the side of caution. Removing this wallpaper is the best solution despite the mixed results.
I've added a postinst script to lite-software that will remove Entrance.jpg.
Releases affected: 2.0, 2.2, 2.4, 2.6
Code of postinst:
#! /bin/sh
# A collection of postinst actions for Linux Lite
# postinst script for wallpaper removal
# Date: 04/09/15
# Time: 23:51 (EST)
# As reported here - https://www.linuxliteos.com/forums/other/virus-detected-on-lite-2-6-wallpapers/
set -e
cd /usr/share/backgrounds/xfce/
sudo rm -rf Entrance.jpg
This code will stay in LL until the end of Series 2.
Entrance.jpg will not appear in any more versions of LL and has been removed from the dev builds.
In future, all Wallpapers will be scanned before going into Linux Lite.
Social Media announcements have been placed informing the wider public.
Run Menu, Favorites, Install Updates and the wallpaper will be deleted.
-
I guess I'm going to test all of my pictures on VirusTotal now. ClamAV hasn't detect it. According to Microsoft website. MSE should detect it. But according to VirusTotal, Microsoft came up with clean file.
Malicious or not, there's a web injection for sure.
-
Hi,
You may already know this.?
If you visit the clamtk webpage: https://code.google.com/p/clamtk/ (https://code.google.com/p/clamtk/)
Scroll down to downloads
There is a Thunar add-on for Ubuntu "thunar-sendto-clamtk"
[/size]It gives you a Right Click > Sendto > ClamTK option
-
Greetings All,
Sophos has a free anti-virus program for Linux. I believe we should all have a good virus scanner for our systems. Especially if we intend on installing applications and downloading files, documents and pictures from outside of trusted repositories and websites. This is also important if we plan on sharing those files with Microsoft Windows users. We wouldn't want to unintentionally infect these users machines. Especially if they are our family, friends, etc. Matthew Moore uploaded a YouTube video demonstrating the use of Sohpos and verified that his Arch system had been infected with viruses. I've included links to Matthew Moore's YouTube video and Sophos for Linux. I hope this information is helpful.
Sophos For Linux
https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx (https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx)
Matthew Moore Sophos Demo
https://www.youtube.com/watch?v=y_lhqg_p21k&feature=youtu.be&t=2m42s (https://www.youtube.com/watch?v=y_lhqg_p21k&feature=youtu.be&t=2m42s)
-
Hi,
You may already know this.?
If you visit the clamtk webpage: https://code.google.com/p/clamtk/ (https://code.google.com/p/clamtk/)
Scroll down to downloads
There is a Thunar add-on for Ubuntu "thunar-sendto-clamtk"
[/size]It gives you a Right Click > Sendto > ClamTK option
Hi. I've done this weeks ago. But nothing is appearing in my right click menu. Am I missing something?
I guess I need ClamTK 5, I have a ClamTK 4.45 (from the official ubuntu repositories).
-
@Zead,
I will fire up my test pc and check again,
but it was under Right Click on a file/folder, then navigate through Send To, and it was at the Bottom of the options list "ClamTk"
Update, screen shot showing send to > clamtk
(http://i.imgur.com/yJyJXFB.png)
-
@Wirezfree
Thanks, I've found it. The problem was that I was clicking on the desktop files... It doesn't work on them sadly. I guess right clicking on any desktop icon doesn't count as Thunar.
Btw, I've heard that ClamTK includes right-click scan by default. Is that true? But that's probably only for Nautilus.
Anyway, I was searching for some info about ClamTK, but I'm confused about update options and scheduler.
There are 2 options for automatic definitions updates.
#1 is in "Advanced > Rerun Antivirus Setup Wizard (Antivirus Signature Options)"
#2 is in "Advanced > Scheduler"
You can enable both...
Do you have some information about this how it works? Why are there two options for automatic updates?
You can leave the scheduler disabled, and the Rerun Antivirus Setup Wizard automatic updates enabled. It will update itself anyway. I've kept it like this.
Maybe the scheduler is here to specify the time of automatic updates... And when it is disabled, it will use the default time for updates...
Anyway, I've set ClamTk updates to Manual, and scheduled automatic updates to 5PM. So I'll see if it updates or not.
-
Hi,
I'm still learning all the options, This may help you "ClamTK Virus Scanner (http://clamtk.sourceforge.net/help/index.html)"
I have the scheduled scan and updates shown below,
This can be verified if you install gnome-scheduler which is a gui to manage/add/edit "cron" task.
(http://i.imgur.com/lcqP8yA.png)
-
Not sure where we are heading here.
Should we now install anti-virus on all linux Distros....?.
Jocklad ::) ::)
-
Getting off topic here folks. Please keep it to the Wallpaper issue. I believe there is another thread on virus scanners in Linux in the Forums. Thanks :)
Sent from my Nexus 6 using Tapatalk
-
@Jocklad...
A good question... Ask 10 people, you will probably get 11 opinions... :)
If you watch the youtube video posted by vagnerafonso,
It appears that malware can impact Linux, but how often & what scenario created that situation in the demo..??
If you still run windows and share files across distros, you could vulnerable.
If you only run Linux, you could say "Well I'm O.K"...
BUT being a good citizen you don't want to pass anything on to a Windows user/friend from Linux do you..??
So, given it's a "almost" a "set it and forget" with ClamAV,
I'm tending to err on the side of caution and will probably use it.
UPDATED
Ooops, sorry Jerry, I see I posted within 10secs of you...
Yes move to Virus thread if required.
-
Greetings All,
I can safely say that the lessen learned from all this is that it's probably not a good idea to randomly download images/pictures and use them as wallpapers. Especially if we don't know the sources. A lot of these images/pictures are downloaded from different sources and are shared everywhere. It would be better to create our own wallpapers or take screen shots of the images/pictures that we like, save them to our computers and use those as wallpapers instead.