Hackmanit / Web-Cache-Vulnerability-Scanner

Web Cache Vulnerability Scanner is a Go-based CLI tool for testing for web cache poisoning. It is developed by Hackmanit GmbH (http://hackmanit.de/).

Malware detection. Binary and compiled hashes do not match #20

Closed Dave-0-0 closed 6 months ago

Dave-0-0 commented 6 months ago

Hello,

When running the binary contained in web-cache-vulnerability-scanner_1.2.0_windows_amd64.zip, it is detected as malware by Windows Defender as well as by other engines on VirusTotal. Also, when compiling directly from source, the hash value does not match the hash value of the binary. The source was compiled on a Windows 10 machine. The compiled executable does not raise any detections. Please provide some insight on this.

Binary hash SHA256 value: e2978db859ebcc0d8634deeb92a376a40d0d07c5ac386e678e9aed11fd906663
Compiled hash SHA256 value: fed1d256cbc2645bddbe17d8771f2c304ca270ee5c219b4312775e32aa94cd91

Malware Detection of Binary: https://www.virustotal.com/gui/file/e2978db859ebcc0d8634deeb92a376a40d0d07c5ac386e678e9aed11fd906663

Clean (compiled from source): https://www.virustotal.com/gui/file/fed1d256cbc2645bddbe17d8771f2c304ca270ee5c219b4312775e32aa94cd91

Thanks,

Dave

m10x commented 6 months ago

Hello @Dave-0-0,

thanks for bringing this to our attention. The provided binaries are all cross-compiled from an Ubuntu host. That should be the reason for both the non-matching hashes (not sure if the Golang version etc. plays a role as well) and the AV detections. Golang is widely used among malware writers, especially for its cross-compilation features. I just cross-compiled it from source on another Ubuntu host and it got flagged by the same 4 AVs. We will check whether it's feasible to compile it on a Windows host or to contact the AV vendors.

Dave-0-0 commented 6 months ago

Hello @m10x

Thank you for the quick response. I also thought it might be related to cross-compiling; however, when I compile the source on an Ubuntu machine, I get a second, different SHA256 hash.

GOOS=windows GOARCH=amd64 go build web-cache-vulnerability-scanner.go 
sha256sum web-cache-vulnerability-scanner.exe 
3fc6293ac74442ec7cb1c9c56aca29c0ff59afc29336f80f0513db612df033b4  web-cache-vulnerability-scanner.exe

Can you share the version of Ubuntu and version of Go you are using to do the cross compilation? I'd like to see if I can reproduce the hash from the original binary from the source code.

Thanks,

Dave

m10x commented 6 months ago

Summary:

Some AVs seem not to like cross-compilation with Go version 1.21.5 (on a PopOS host).

Detailed:

This is from my current Ubuntu host with go1.22.1 (0 positives):

GOOS=windows GOARCH=amd64 go build web-cache-vulnerability-scanner.go && sha256sum ./web-cache-vulnerability-scanner.exe:
03ac1b66a9c6a0ad44c6520415df31deab38d98c6d50aafa8329e3358031ce8a  ./web-cache-vulnerability-scanner.exe

VERSION="22.04.4 LTS (Jammy Jellyfish)"
go version go1.22.1 linux/amd64

virustotal (0 positive): https://www.virustotal.com/gui/file/03ac1b66a9c6a0ad44c6520415df31deab38d98c6d50aafa8329e3358031ce8a?nocache=1

This is from my PopOS host (a distro based on Ubuntu) with go1.21.5 (4 positives):

GOOS=windows GOARCH=amd64 go build web-cache-vulnerability-scanner.go 
sha256sum web-cache-vulnerability-scanner.exe 
58620c66ee90dbdd287580dd66dab8ae322c2d381bef035b7bb41bbf3dff254b  web-cache-vulnerability-scanner.exe

ID_LIKE="ubuntu debian"
PRETTY_NAME="Pop!_OS 22.04 LTS"

go version
go version go1.21.5 linux/amd64

https://www.virustotal.com/gui/file/58620c66ee90dbdd287580dd66dab8ae322c2d381bef035b7bb41bbf3dff254b?nocache=1

After upgrading Go from 1.21.5 to 1.22.1 it went down to 0 positives:

go version
go version go1.22.1 linux/amd64
GOOS=windows GOARCH=amd64 go build web-cache-vulnerability-scanner.go 
sha256sum web-cache-vulnerability-scanner.exe 
98b3b115105c038bf0e4832ef693ae277191beeae616b87918c42d500fec5a69  web-cache-vulnerability-scanner.exe

https://www.virustotal.com/gui/file/98b3b115105c038bf0e4832ef693ae277191beeae616b87918c42d500fec5a69?nocache=1

m10x commented 6 months ago

My bet is that some malware was cross-compiled using go1.21.5 and therefore some AVs are throwing false positives. I'll create a new minor release soon and will use go 1.22.1 for cross-compilation. I hope that the AVs won't throw an FP again sometime in the future. When the latest release was created over a month ago, it wasn't flagged by any AV.

m10x commented 6 months ago

The new release was compiled with Ubuntu 22.04.4 LTS and go1.22.1 (https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner/releases/tag/1.2.1). No FPs anymore. (The question is for how long...)

Dave-0-0 commented 6 months ago

I just compiled using the same OS/Go version. No scanners detected it for me either. Thank you for your help with this.