FS#71561 - Possible Malware in wine-staging.

Attached to Project: Community Packages
Opened by wz (Wizz) - Tuesday, 20 July 2021, 17:53 GMT
Last edited by Morten Linderud (Foxboron) - Tuesday, 27 July 2021, 20:48 GMT
Task Type Bug Report
Category Packages: Multilib
Status Closed
Assigned To No-one
Architecture x86_64
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Clamav and VirusTotal report malware in some of the files in the wine-staging (6.12.1-1) package.

Is there any way to confirm whether these are false positives or not and if they are positive, what I should do next?

Pacman also provides some warnings when installing these packages.

Additional info:

The malware is apparently Win.Packed.Razy-9879251-0 and was added to the clamav virus database on the 17th of July 2021 according to the mailing list.

VirusTotal & Hybrid analysis provide different names for them.

/usr/lib32/wine/i386-windows/krnl386.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/mmsystem.dll16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/rundll.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/regedit.exe: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/system.drv16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/wineps16.drv16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/winhelp.exe16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/wing.dll16: Win.Packed.Razy-9879251-0 FOUND
/usr/lib32/wine/i386-windows/winoldap.mod16: Win.Packed.Razy-9879251-0 FOUND

https://www.virustotal.com/gui/file/c386d928f8788dd620e45fef1d8ba77d86710b46a7e78d5666e1fbca8888c776/detection
https://www.virustotal.com/gui/file/1ce368458f1fbb002635f598bcf1231c8af5733914ce6ce7c4d42e6b71190691/detection
https://www.virustotal.com/gui/file/a7a43ada7d2b2c554f49c7befa05f67907716609c259b03b09bfc5eb6a1b56c3/detection
https://www.virustotal.com/gui/file/a5a42c7418c68ce7f93eb4d95679e944d9090c654a051396d6f4a3db1c150881/detection
https://www.virustotal.com/gui/file/e6c06262864f72d70f761a5bc24b35b4d0e047b47dddd31f58c19ca0f5d289b3/detection
https://www.virustotal.com/gui/file/73f8e423bd20da72fc0815e8aee47afc714cdf38e01df021e4fc9fe14358b7f4/detection
https://www.virustotal.com/gui/file/172fc2ce7f48a0d2a0b7337379c0e6aff7027ab34a8d43107ff7cc2b9a266bf4/detection
https://www.virustotal.com/gui/file/945462946336ad45ad79a14bc367930b206fa7dec0be318294c75c431883c1eb/detection
https://www.virustotal.com/gui/file/5e56f61d3c5718052050104073844c970ce94222098cac631305d6a0d0408d63/detection

I've also found similar issues in files elsewhere before using `pacman -S wine-staging`.
Sorry, I know that isn't all that helpful, but I'll list them here just in case they have been flagged before.

/usr/lib/wine/x86_64-windows/wineps.drv
/usr/lib32/wine/i386-windows/wineps.drv
/usr/lib/wine/x86_64-windows/regsvr32.exe
/usr/lib32/wine/i386-windows/regsvr32.exe

OS etc:
Linux <me> 5.10.49-1-MANJARO #1 SMP PREEMPT Sun Jul 11 12:59:43 UTC 2021 x86_64 GNU/Linux

Hybrid-analysis results for the potentially most dangerous files are here:
https://forum.manjaro.org/t/wine-staging-possible-malware-win-packed-razy-9879251-0/74525/3

Steps to reproduce:
sudo pacman -S wine-staging
sudo clamscan -r /usr/lib32/wine

Thanks loads for your help in advance!

Closed by Morten Linderud (Foxboron)
Tuesday, 27 July 2021, 20:48 GMT
Reason for closing: Not a bug
Additional comments about closing: False positives.
Comment by loqs (loqs) - Tuesday, 20 July 2021, 18:07 GMT
FS#67474
Comment by wz (Wizz) - Tuesday, 20 July 2021, 18:16 GMT
I took a look at FS#67474. I don't think it's the same issue.

The file paths are different and VirusTotal seems to be caught up reporting different potential malware types.
Comment by loqs (loqs) - Tuesday, 20 July 2021, 18:59 GMT
https://www.virustotal.com/gui/file/8f2174a06fc614305f078f26605e9474bc8b9a7bbca8387095c7a1014cb7886f/detection usr/lib32/wine/i386-windows/regedit.exe built locally in a clean chroot
https://www.virustotal.com/gui/file/7477095e37151f90e26d59446bf1527c8b86ebc0e17a052d737396c09949fbbb/detection usr/lib32/wine/i386-windows/regedit.exe built locally in a clean chroot without mingw-w64-gcc

13 detections down to 1 when not using mingw-w64-gcc, see the second comment in FS#67474 by stanczew (mingw-w64-gcc enables Wine builds in PE format).
Comment by wz (Wizz) - Wednesday, 21 July 2021, 18:42 GMT
Ah ok I understand. Thank you so much for your help.

Is the last detection definitely just a red herring in this case then?

pacman throws warnings for those specific files, but to be honest I don't know enough about how pacman works (or how to find out).
Are these warnings being thrown because those files should exist on disk (and have now been moved/deleted by clamav), or because something is missing from the content downloaded from the repo, e.g. signatures/checksums/etc.?

[me@me ~]$ sudo pacman -S wine-staging
warning: wine-staging-6.12.1-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) wine-staging-6.12.1-1

Total Installed Size: 464.68 MiB
Net Upgrade Size: 0.00 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
wine-staging-6.12.1-1-x86_64 is up to date
(1/1) checking keys in keyring [######################] 100%
(1/1) checking package integrity [######################] 100%
(1/1) loading package files [######################] 100%
(1/1) checking for file conflicts [######################] 100%
(1/1) checking available disk space [######################] 100%
warning: could not get file information for usr/lib32/wine/i386-windows/krnl386.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/mmsystem.dll16
warning: could not get file information for usr/lib32/wine/i386-windows/regedit.exe
warning: could not get file information for usr/lib32/wine/i386-windows/rundll.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/system.drv16
warning: could not get file information for usr/lib32/wine/i386-windows/wineps16.drv16
warning: could not get file information for usr/lib32/wine/i386-windows/wing.dll16
warning: could not get file information for usr/lib32/wine/i386-windows/winhelp.exe16
warning: could not get file information for usr/lib32/wine/i386-windows/winoldap.mod16
:: Processing package changes...
(1/1) reinstalling wine-staging [######################] 100%
:: Running post-transaction hooks...
(1/5) Registering binary formats...
(2/5) Arming ConditionNeedsUpdate...
(3/5) Updating fontconfig cache...
(4/5) Updating 32-bit fontconfig cache...
(5/5) Updating the desktop file MIME type cache...
Comment by loqs (loqs) - Wednesday, 21 July 2021, 19:28 GMT
The one detection remaining is from [1], which, if I understand the blog correctly, means it was flagged because it has a known good regedit.exe in its training set that is 100% different to this one.
67 tools detected no issues with the file. Wine providing compatibility requires it to use the same filenames. The content being different to the Microsoft originals is to be expected.

warning: could not get file information for usr/lib32/wine/i386-windows/krnl386.exe16
pacman could not locate the file at that location in the filesystem. If the file has been moved/deleted this is to be expected.

[1] https://blog.malwarebytes.com/detections/machinelearning-anomalous-100/
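The question running through this report (both the clamscan hits in the description and the "could not get file information" warnings in the later comment) is whether the files on disk are the ones the wine-staging package actually shipped. On a real system that check is `pacman -Qkk wine-staging`, which compares every installed file against the gzipped manifest in /var/lib/pacman/local/wine-staging-<ver>/mtree. The block below is an added example, not code from the bug report or from pacman itself: it reimplements the core of that check over a small mtree subset (only `/set`, `/unset`, plain `./path key=value` entries; the octal path escaping real manifests can use is not handled). The directory tree and the manifest it verifies are constructed inside the example, and it then simulates the two cases discussed above: a file clamav has moved away (reported MISSING, which is what pacman's warning amounts to) and a file whose bytes changed (reported MODIFIED, which is what a genuine tamper would look like).

```python
"""Verify installed files against a pacman-style .MTREE manifest.

Added example (not from the bug report or from pacman): a minimal
re-implementation of what `pacman -Qkk <pkg>` checks, so the reader can
see the difference between a file clamav quarantined (MISSING) and a
file whose contents no longer match the package (MODIFIED).
"""
import hashlib
import os
import tempfile


def parse_mtree(text):
    """Yield (relative_path, attrs) for each entry, honouring /set defaults.

    Handles the subset of the mtree format pacman emits for this purpose:
    '#' comments, '/set', '/unset' and './path key=value ...' lines.
    Octal-escaped paths (\\NNN) are not decoded here (assumption).
    """
    defaults = {}
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "/set":
            defaults.update(kv.split("=", 1) for kv in fields[1:])
            continue
        if fields[0] == "/unset":
            for key in fields[1:]:
                defaults.pop(key, None)
            continue
        attrs = dict(defaults)
        attrs.update(kv.split("=", 1) for kv in fields[1:])
        path = fields[0][2:] if fields[0].startswith("./") else fields[0]
        yield path, attrs


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(mtree_text, root):
    """Return {relative_path: 'OK' | 'MISSING' | 'MODIFIED'} for file entries.

    Directory entries and pacman's own metadata files (.BUILDINFO, .PKGINFO,
    .INSTALL, which live at the top level and start with a dot) are skipped,
    as pacman does.
    """
    results = {}
    for rel, attrs in parse_mtree(mtree_text):
        if attrs.get("type") != "file" or rel.startswith("."):
            continue
        full = os.path.join(root, rel)
        if not os.path.lexists(full):
            results[rel] = "MISSING"          # e.g. quarantined by clamav
            continue
        size_ok = "size" not in attrs or os.path.getsize(full) == int(attrs["size"])
        digest = attrs.get("sha256digest")
        hash_ok = digest is None or sha256_file(full) == digest
        results[rel] = "OK" if (size_ok and hash_ok) else "MODIFIED"
    return results


def demo():
    """Build a constructed package tree plus manifest, then damage it."""
    # Constructed stand-ins for the flagged files; not real Wine binaries.
    files = {
        "usr/lib32/wine/i386-windows/regedit.exe": b"MZ\x90\x00constructed-pe-stub",
        "usr/lib32/wine/i386-windows/krnl386.exe16": b"MZ\x90\x00constructed-16bit-stub",
        "usr/lib32/wine/i386-windows/wing.dll16": b"MZ\x90\x00constructed-dll-stub",
    }
    root = tempfile.mkdtemp(prefix="mtree-demo-")
    lines = ["#mtree", "/set type=file uid=0 gid=0 mode=644",
             "./.BUILDINFO size=0 sha256digest=" + hashlib.sha256(b"").hexdigest(),
             "./usr type=dir", "./usr/lib32 type=dir"]
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        lines.append("./%s size=%d sha256digest=%s"
                     % (rel, len(data), hashlib.sha256(data).hexdigest()))
    manifest = "\n".join(lines) + "\n"

    # Case 1: clamav moved the file to quarantine -> MISSING.
    os.remove(os.path.join(root, "usr/lib32/wine/i386-windows/krnl386.exe16"))
    # Case 2: the file was altered after install -> MODIFIED.
    with open(os.path.join(root, "usr/lib32/wine/i386-windows/wing.dll16"), "ab") as f:
        f.write(b"\x00")
    return verify(manifest, root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print("%-8s %s" % (status, path))
```

Against a live system the same logic runs as `pacman -Qkk wine-staging`; a file pacman reports as missing is exactly the situation behind the "could not get file information" warnings, while a size or checksum mismatch on a file that is present would be the case worth escalating, ideally after rebuilding the package in a clean chroot (as loqs did) and comparing hashes of the rebuilt files against the installed ones.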
