* [Qemu-devel] virus in colibriOS QEMU iso?
From: vilcadam @ 2016-12-22 17:37 UTC
  To: qemu-devel


Hi, just letting you know that Avira found some crypto-locker virus in ColibriOS iso that you featured in QEMU Advent Calendar 2016. Maybe you should look into that. I am not sure if it’s a false positive or not. You can check the attachment for a screenshot of the result.

Have a nice day!



[-- Attachment #2: 6CDE2142E16A484D94C64BF1A1C2185F.png --]
[-- Type: image/png, Size: 114526 bytes --]


* Re: [Qemu-devel] virus in colibriOS QEMU iso?
From: Thomas Huth @ 2016-12-23  8:30 UTC
  To: vilcadam, qemu-devel, Kashyap Chamarthy

On 22.12.2016 18:37, vilcadam@gmail.com wrote:
> Hi, just letting you know that Avira found some crypto-locker virus in ColibriOS iso that you featured in QEMU Advent Calendar 2016. Maybe you should look into that. I am not sure if it’s a false positive or not. You can check the attachment for a screenshot of the result.

That sounds ugly ... I think we just packaged the .iso from the official
KolibriOS website here (Kashyap, can you confirm?), so if this is not
just a false positive, the problem very likely comes from there.
If you've got some spare minutes, could you maybe check the download
from http://kolibrios.org/en/download , too?

As far as I can see, there should not be any real danger here unless you
put the .iso file onto a real CD-ROM or USB stick and start the .exe
files in there (which is of course not necessary for starting a VM with
the .iso file). But anyway, this needs some closer investigation, to see
whether it's a false positive or not, so I've disabled that download for
now. We'll let you know when we know more ... Thanks for reporting the
issue!

 Thomas


* Re: [Qemu-devel] virus in colibriOS QEMU iso?
From: Kashyap Chamarthy @ 2016-12-23  9:20 UTC
  To: Thomas Huth; +Cc: vilcadam, qemu-devel, Kashyap Chamarthy

[...]

> On 22.12.2016 18:37, vilcadam@gmail.com wrote:
> > Hi, just letting you know that Avira found some crypto-locker virus in
> > ColibriOS iso that you featured in QEMU Advent Calendar 2016. Maybe you
> > should look into that. I am not sure if it’s a false positive or not. You
> > can check the attachment for a screenshot of the result.
> 
> That sounds ugly ... 

That sounds super ugly indeed :-(

> I think we just packaged the .iso from the official
> KolibriOS website here (Kashyap, can you confirm?),

Yes, I can confirm that I have downloaded the ISO from the 
official website -- it's a nightly build of their 
SVN revision 6766.

These are local notes on preparing sources from 
the day I made the image (where the SVN revision 
was at 6766):

============
$ svn checkout svn://kolibrios.org -r 6766

$ svn log | head -5
------------------------------------------------------------------------
r6766 | IgorA | 2016-11-26 23:57:24 +0100 (Sat, 26 Nov 2016) | 1 line

fix bugs

$ du -sh ../sources-kolibrios/
1.4G    ../sources-kolibrios/

$ du -sh .svn/
662M    .svn/

$ rm -rf .svn

$ du -sh ../sources-kolibrios-rev-6766/
691M    ../sources-kolibrios-rev-6766/

$ tar -cJf sources-kolibrios-rev-6766.tar.xz sources-kolibrios-rev-6766/

$ du -sh sources-kolibrios-rev-6766.tar.xz 
93M     sources-kolibrios-rev-6766.tar.xz
============

> so if this is not
> just a false positive, the problem very likely comes from there.

Indeed.

> If you've got some spare minutes, could you maybe check the download
> from http://kolibrios.org/en/download , too?
> 
> As far as I can see, there should not be any real danger here unless you
> put the .iso file onto a real CD-ROM or USB stick and start the .exe
> files in there (which is of course not necessary for starting a VM with
> the .iso file). 

Yes, exactly, but still this incident is not nice to hear.

> But anyway, this needs some closer investigation, to see
> whether it's a false positive or not, so I've disabled that download for
> now. We'll let you know when we know more ... Thanks for reporting the
> issue!

Yes, thanks for bringing it up. I'm afraid I'm a little short 
on time, but will try to investigate later today.

Regards,
Kashyap


* Re: [Qemu-devel] virus in colibriOS QEMU iso?
From: Thomas Huth @ 2016-12-23 10:25 UTC
  To: vilcadam; +Cc: Kashyap Chamarthy, qemu-devel

On 23.12.2016 10:20, Kashyap Chamarthy wrote:
> [...]
> 
>> On 22.12.2016 18:37, vilcadam@gmail.com wrote:
>>> Hi, just letting you know that Avira found some crypto-locker virus in
>>> ColibriOS iso that you featured in QEMU Advent Calendar 2016. Maybe you
>>> should look into that. I am not sure if it’s a false positive or not. You
>>> can check the attachment for a screenshot of the result.
>>
>> That sounds ugly ... 
> 
> That sounds super ugly indeed :-(
> 
>> I think we just packaged the .iso from the official
>> KolibriOS website here (Kashyap, can you confirm?),
> 
> Yes, I can confirm that I have downloaded the ISO from the 
> official website -- it's a nightly build of their 
> SVN revision 6766.

OK, as far as I can see, the issue comes from the setmbr.exe that is
contained in the iso for writing the KolibriOS to a USB stick.
According to http://board.kolibrios.org/viewtopic.php?t=2295 the report
from Avira is a false positive (likely caused because the program tries
to write to the MBR - which is also what some viruses / trojans are doing).

Anyway, since these Windows tools are not required for running KolibriOS
in a VM, I've now removed them from the iso image and uploaded a new
version to avoid future confusion:

 http://www.qemu-advent-calendar.org/2016/download/day09-v2.tar.xz

If you've got some spare minutes, it would be great if you could give
that new version another try to see whether the warning from Avira is
now properly gone (I don't have a Windows here to test this on my own).

 Thanks,
  Thomas

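A defender-side check for a report like this, added here as an example and not code from the thread or from the KolibriOS or QEMU projects: walk an extracted image tree and list every Windows PE executable it bundles (identified by the DOS `MZ` stub and the `PE\0\0` signature at `e_lfanew`), so a maintainer can see at a glance which tools a VM user does not need before stripping them and re-uploading. The function names are hypothetical, and the `setmbr.exe` in the sample tree is a constructed header-only stub, not the real tool.

```python
import os
import struct
import tempfile
from pathlib import Path

PE_SIGNATURE = b"PE\0\0"


def is_pe_file(path):
    """True if the file has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' header."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(0x40)  # DOS header is 64 bytes; e_lfanew lives at offset 0x3C
            if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == PE_SIGNATURE  # a short read past EOF simply compares unequal
    except OSError:
        return False


def find_pe_files(root):
    """Walk an extracted image tree and return the relative paths of every PE executable, sorted."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_pe_file(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def scan_constructed_tree():
    """Constructed sample (hypothetical): a fake 'setmbr.exe' stub with only MZ + PE headers, beside a text file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        e_lfanew = 0x80
        stub = bytearray(e_lfanew + 4)
        stub[:2] = b"MZ"
        struct.pack_into("<I", stub, 0x3C, e_lfanew)
        stub[e_lfanew:] = PE_SIGNATURE
        (root / "tools" / "setmbr.exe").write_bytes(bytes(stub))
        (root / "readme.txt").write_text("KolibriOS image, constructed sample\n")
        return find_pe_files(root)
```

Run against the mount point or extraction directory of the real iso instead of the constructed tree to get the list of bundled Windows binaries.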

* [Qemu-devel] [Resolved -- false positive] Re: virus in colibriOS QEMU iso?
From: Kashyap Chamarthy @ 2016-12-23 12:43 UTC
  To: Thomas Huth; +Cc: vilcadam, qemu-devel

On Fri, Dec 23, 2016 at 11:25:18AM +0100, Thomas Huth wrote:
> On 23.12.2016 10:20, Kashyap Chamarthy wrote:

[...]

> > Yes, I can confirm that I have downloaded the ISO from the 
> > official website -- it's a nightly build of their 
> > SVN revision 6766.
> 
> OK, as far as I can see, the issue comes from the setmbr.exe that is
> contained in the iso for writing the KolibriOS to a USB stick.
> According to http://board.kolibrios.org/viewtopic.php?t=2295 the report
> from Avira is a false positive (likely caused because the program tries
> to write to the MBR - which is also what some viruses / trojans are doing).

Phew, indeed it's a false positive.  To quote verbatim from the above
thread, for the record:

    "The program setmbr.exe modifies MBR of USB flash drives or
    (optionally) hard disks, to allow them load KolibriOS. Usually
    programs that modify MBR are viruses - that's why your [Avast]
    antivirus reported it."
 
> Anyway, since these Windows tools are not required for running
> KolibriOS in a VM, I've now removed them from the iso image and
> uploaded a new version to avoid future confusion:
> 
>  http://www.qemu-advent-calendar.org/2016/download/day09-v2.tar.xz

Thanks, Thomas, for the swift response while I was AFK.  Glad that we're
two people coordinating this. 

> If you've got some spare minutes, it would be great if you could give
> that new version another try to see whether the warning from Avira is
> now properly gone (I don't have a Windows here to test this on my own).

Yeah, I don't have Windows either to test.  But good that this is just a
false positive from an overly-paranoid tool.

-- 
/kashyap

