10

Today ClamAV scanned my AWS instances and detected 24 infected files on each. It looks like a false positive for several reasons:

  1. All these files are created in October 2022 (why were they detected only now?)
  2. SSH port for each instance is protected by MFA + password + VPN.

So, my question: what should my next steps be in this case? Should I remove these files? As I understand it, they could be system files that other apps use.

2023-06-07T13:03:41.658+03:00 /snap/amazon-ssm-agent/6563/amazon-ssm-agent: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:42.909+03:00 /snap/amazon-ssm-agent/6563/ssm-agent-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:44.659+03:00 /snap/amazon-ssm-agent/6563/ssm-cli: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:45.660+03:00 /snap/amazon-ssm-agent/6563/ssm-document-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:46.910+03:00 /snap/amazon-ssm-agent/6563/ssm-session-logger: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:47.910+03:00 /snap/amazon-ssm-agent/6563/ssm-session-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:49.411+03:00 /snap/amazon-ssm-agent/6312/amazon-ssm-agent: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:50.662+03:00 /snap/amazon-ssm-agent/6312/ssm-agent-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:51.912+03:00 /snap/amazon-ssm-agent/6312/ssm-cli: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:52.912+03:00 /snap/amazon-ssm-agent/6312/ssm-document-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:53.913+03:00 /snap/amazon-ssm-agent/6312/ssm-session-logger: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:55.413+03:00 /snap/amazon-ssm-agent/6312/ssm-session-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:56.695+03:00 /snap/lxd/24061/bin/lxc: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:57.414+03:00 /snap/lxd/24061/bin/lxc-to-lxd: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:58.164+03:00 /snap/lxd/24061/bin/lxd-agent: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:58.915+03:00 /snap/lxd/24061/bin/lxd-benchmark: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:01.666+03:00 /snap/lxd/24061/bin/lxd-migrate: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:06.073+03:00 /snap/lxd/24061/bin/snap-query: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:12.420+03:00 /snap/lxd/23991/bin/lxc: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:13.170+03:00 /snap/lxd/23991/bin/lxc-to-lxd: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:13.920+03:00 /snap/lxd/23991/bin/lxd-agent: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:14.671+03:00 /snap/lxd/23991/bin/lxd-benchmark: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:16.171+03:00 /snap/lxd/23991/bin/lxd-migrate: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:21.073+03:00 /snap/lxd/23991/bin/snap-query: Unix.Malware.Kaiji-10003916-0 FOUND

Rougher
  • 203

4 Answers

13

I submitted a false positive report to ClamAV at https://www.clamav.net/reports/fp

This was the description I submitted:

The attached "helper" file was retrieved by running:
docker cp "$(docker container create gcr.io/paketo-buildpacks/ca-certificates:3.6.2@sha256:87b389fa631c6d6bbdaef30b5b963b300a4cba87c0ab8e9d00e3e5c2496117d3 -d)":/cnb/buildpacks/paketo-buildpacks_ca-certificates/3.6.2/bin/helper .

clamscan run on that file outputs: helper: Unix.Malware.Kaiji-10003916-0 FOUND

That docker image is from https://github.com/paketo-buildpacks/ca-certificates/releases/tag/v3.6.2

Unix.Malware.Kaiji-10003916-0 is being detected in many files - this is just one sample. This false positive, new today, was also raised on stackoverflow at https://serverfault.com/questions/1132808/clamav-detected-kaiji-malware-on-ubuntu-instance

I also ran the helper file through virustotal: https://www.virustotal.com/gui/file-analysis/NmUzNWM2MGVhZWVmNmU5ODAxYTExOWVhMTNkNGM1MGM6MTY4NjE0NzAzNg==

No scanners besides clamav detect a virus in this file.

An out-of-band update of the daily signature database was just published removing this signature: https://lists.clamav.net/pipermail/clamav-virusdb/2023-June/008315.html

With that, this false positive issue is now resolved.

The ClamAV project is also going to review its processes to prevent such false positives from occurring in the future.

I also reported this issue to ClamAV in their Discord.

A.L
  • 126
Craig
  • 246
3

ClamAV for me this morning (June 7 2023) is reporting Unix.Malware.Kaiji-10003916 found in various cloudwatch-agent, ssm-agent, gitlab and docker files on Amazon Linux. False alarms or I have a lot of cleanup to do!

A.L
  • 126
Trevor
  • 31
2

All the "me too" posts suggest this is a false positive, however it would still be worthwhile to verify your checksums.

dpkg keeps a record of the md5 hashes of all the files it has installed at /var/lib/dpkg/info/*.md5sums

To find the package which owns a file, use dpkg -S or search for its checksum above.

RPM also maintains a list of file hashes (see the verify options).

symcbean
  • 23,767
  • 2
  • 38
  • 58
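The checksum cross-check this answer describes, as an added example that is not part of the answer: it pulls every path from clamscan "FOUND" lines, looks the path up in dpkg-style *.md5sums manifests and compares the recorded hash with the file's current hash. A constructed manifest, file and scan log stand in for /var/lib/dpkg/info and the real scan so it runs anywhere; on a real Debian/Ubuntu host set MD5SUMS_DIR and ROOT accordingly.

```shell
#!/bin/sh
# Cross-check ClamAV hits against the md5 hashes dpkg recorded at install time.
# Constructed stand-ins (not a real host): a fake package "demo-agent" owning
# /usr/bin/demo-agent, plus a two-line scan log in the question's format.
WORK=$(mktemp -d)
ROOT="$WORK/root"                    # on a real host: /
MD5SUMS_DIR="$WORK/info"             # on a real host: /var/lib/dpkg/info
mkdir -p "$MD5SUMS_DIR" "$ROOT/usr/bin"

printf 'original contents\n' > "$ROOT/usr/bin/demo-agent"
# dpkg manifest format: "<md5>  <path relative to />", one file per line
printf '%s  usr/bin/demo-agent\n' \
    "$(md5sum < "$ROOT/usr/bin/demo-agent" | cut -d' ' -f1)" \
    > "$MD5SUMS_DIR/demo-agent.md5sums"

SCAN_LOG="$WORK/scan.log"
cat > "$SCAN_LOG" <<'EOF'
2023-06-07T13:03:41.658+03:00   /usr/bin/demo-agent: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:42.909+03:00 /opt/unknown/tool: Unix.Malware.Kaiji-10003916-0 FOUND
EOF

# Print the path of every FOUND line: drop the leading timestamp and the
# trailing ": <signature> FOUND".
found_paths() {
    sed -n 's/^[^ ]* *\(\/.*\): .* FOUND$/\1/p' "$1"
}

# Compare a path's current md5 with the one recorded in the manifests.
# Prints "unowned" (no package lists it), "ok" (hash matches) or "MISMATCH".
verify_path() {
    rel=${1#/}
    recorded=$(grep -h " $rel\$" "$MD5SUMS_DIR"/*.md5sums 2>/dev/null \
        | cut -d' ' -f1 | head -n 1)
    [ -n "$recorded" ] || { echo unowned; return; }
    actual=$(md5sum < "$2/$rel" | cut -d' ' -f1)
    [ "$recorded" = "$actual" ] && echo ok || echo MISMATCH
}

for p in $(found_paths "$SCAN_LOG"); do
    printf '%s %s\n' "$p" "$(verify_path "$p" "$ROOT")"
done
```

Paths under /snap/ such as the ones in the question are not dpkg-owned and will report "unowned"; a MISMATCH on a dpkg-owned file is the result that warrants a closer look, since a mere signature hit on an unmodified packaged binary points to a false positive.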
1

I'm also seeing this. I got some PHP webshell alerts from Sophos, so I was investigating and found this with ClamAV. Not sure it has anything to do with the alert from Sophos. Some of our instances used to run Docker, and my predecessor left it wide open; I cleaned all that up a long time ago, but having googled Kaiji I found something saying it was a botnet that exploited insecure Docker installations. I ran one of the files through VirusTotal and only ClamAV seems to think it's bad. I can't tell if it's a false positive or something new that only Clam is picking up on right now.

Ben
  • 11