Open qdgithub323 opened 8 months ago
Where have you downloaded the archive with DLLs?
Sorry, I thought I had included that already. Downloaded the Windows version from the php.net website: https://windows.php.net/downloads/pecl/releases/imagick/3.7.0/php_imagick-3.7.0-8.1-nts-vs16-x64.zip
The trojan is already detected on the Imagick Library sources used to build the extension. https://www.virustotal.com/gui/file/3684a58b0896e2a55995029fa92cc13bd1ac778e03cdf8682c4369bbef86be9e
I'm looking for the script used to build the development library, in case you have some idea.
The ImageMagick version 7.1.1 is OK: https://www.virustotal.com/gui/file/3dfe41df29c239997205e19acf4e208149a8f178b020ad9e7525aadb00169f9d
Thanks for reporting this. A couple of notes in no particular order.
I don't have the technical ability to evaluate this properly. One of the reasons why I don't distribute binaries (particularly Windows binaries) myself is that I don't have the skills to respond properly to security issues related to trojans.
This looks quite a lot like a false positive, not only because only 2 / 63 companies are reporting an issue, but because one of those vendors seems to have a high rate of false positives, according to a quick internet search.
I believe those files that are being reported as having a problem come from ImageMagick distribution rather than Imagick itself, as I think they're the files that contain the code for reading/writing BMP and SGI files. It would be interesting to compare the ones in the zip file to the ones they are built against.
The Windows builds used to be done on a server and by a person that was sponsored by Microsoft, but they have withdrawn that funding. There is a project to replace the old PECL system with something created this millennium, but I'm not involved in that: https://externals.io/message/121927
I think that's a long way of saying, I'll keep an eye on this, but aren't planning to do anything just yet.
@Danack I understand your point of view, and I respect it.
In 2023 I started a website https://phpext.phptools.online/ to build and distribute, AS IS, PHP extensions for Windows.
I use the libraries pre-built by the Windows PHP team. Sometimes, I want to build the latest version of the used library.
I searched for the script (or instructions) used to build the deps that some PHP extensions are built against.
Do you have any information? Who should I contact?
PS: I have already written a message to the PHP Windows list.
> In 2023 I started a website https://phpext.phptools.online/ to build and distribute, AS IS, PHP extensions for Windows.
Cool.
> I searched for the script (or instructions) used to build the deps that some PHP extensions are built against.
> Do you have any information?
Er, not really? I mean, I can point you to some directories that might contain relevant info:
https://windows.php.net/downloads/pecl/deps/ https://windows.php.net/downloads/php-sdk/ https://github.com/cmb69/setup-php-sdk https://github.com/microsoft/php-sdk-binary-tools
But if you have a question about a specific extension, I might be able to point you in the right direction.
> Who should I contact?
If you have a Stackoverflow account and at least 20 points, a few senior PHP people hang out at https://chat.stackoverflow.com/rooms/11/php
You could also contact Derick Rethans who is involved in the effort to modernise PECL and he's contactable through "derick at php.net".
Thank you,
I actually have a question about the libraries available at this URL: https://windows.php.net/downloads/pecl/deps/
How are they built? Who makes these builds?
PS: Sorry for my English :-)
Hello,
Most likely a false positive, but it seems that the download for php_imagick-3.7.0-8.1-nts-vs16-x64.zip has a few detections on VirusTotal. https://www.virustotal.com/gui/file/bc87e8a6bcd0e13b3b155f01ab4a8a13c5fe56b6e592b0857ebb1126b4d74e60
In particular, file IM_MOD_RLbmp.dll is thought to contain Backdoor.Grunt.f from Jiangmin. https://www.virustotal.com/gui/file/cf997f51229fd617ec6d91a11a4b44ea1735bfa283fec18a862006bfc510fd10/detection
IM_MOD_RLsgi.dll is thought to have Trojan.Malware.300983.susgen from MaxSecure. There might be a few other files detected from this one too... https://www.virustotal.com/gui/file/3dacde08b0a3e0c45a8900512fe70d1186ecb283d03c48905c590b1c3a994801/detection
Normally, I would disregard only one or two detections on these types of files, but with a recent suspected compromise of one of our servers, I'm being overly cautious with all the files on rebuild.
Thank you.
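Two things the thread asks for can be scripted: looking up each DLL in the PECL zip on VirusTotal by its own hash (as the last comment did by hand), and comparing the coder DLLs in the zip against the ones they are supposedly built from (as suggested in the earlier comment about the ImageMagick distribution). The following is an added example, not code from this thread, from the Imagick project or from the PHP Windows team. It hashes archive members without extracting them and diffs the digests against a reference manifest; the zip contents, the manifest, and the file names in it are constructed stand-ins, and the manifest source (hashes taken from a trusted ImageMagick Windows build) is an assumption about how a reviewer would obtain it.

```python
"""Added example (not from the issue thread or the Imagick project): hash the
DLLs inside a PECL Windows build zip so they can be looked up individually on
VirusTotal, and diff them against a reference manifest of the files they were
supposedly built from (assumed here to be hashes taken from the matching
ImageMagick Windows distribution). The sample zip and manifest are constructed."""
import hashlib
import io
import zipfile


def hash_zip_members(zip_bytes: bytes, suffixes=(".dll",)) -> dict:
    """Return {member_name: sha256_hex} for every file in the archive whose
    name ends with one of `suffixes`. Hashing straight from the zip avoids
    writing untrusted binaries to disk before they have been checked."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]  # drop any folder prefix
            if not name.lower().endswith(tuple(suffixes)):
                continue
            h = hashlib.sha256()
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[name] = h.hexdigest()
    return digests


def compare_to_reference(actual: dict, reference: dict) -> dict:
    """Classify each member: identical to the reference build, different
    bytes (rebuilt, patched, or tampered), missing from the zip, or present
    in the zip but not covered by the reference set."""
    return {
        "match": sorted(n for n in actual if reference.get(n) == actual[n]),
        "mismatch": sorted(n for n in actual if n in reference and reference[n] != actual[n]),
        "missing": sorted(n for n in reference if n not in actual),
        "unexpected": sorted(n for n in actual if n not in reference),
    }


def virustotal_lookup_urls(digests: dict) -> dict:
    """Map each member to the VirusTotal page for its hash, so a reviewer can
    read per-file verdicts the way the thread did, without uploading anything."""
    return {n: f"https://www.virustotal.com/gui/file/{d}" for n, d in digests.items()}


def build_sample_zip() -> bytes:
    """Constructed stand-in for php_imagick-3.7.0-8.1-nts-vs16-x64.zip.
    The member contents are arbitrary bytes, not real DLLs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("php_imagick.dll", b"extension-bytes")
        zf.writestr("IM_MOD_RLbmp.dll", b"bmp-coder-bytes")
        zf.writestr("IM_MOD_RLsgi.dll", b"sgi-coder-bytes-with-an-extra-section")
        zf.writestr("LICENSE.txt", b"not a dll, ignored")
    return buf.getvalue()


def sample_reference_manifest() -> dict:
    """Constructed manifest: what a trusted ImageMagick build would yield for
    the same coder DLLs. The sgi entry deliberately differs and one coder is
    absent from the zip, to exercise every branch of the comparison."""
    return {
        "IM_MOD_RLbmp.dll": hashlib.sha256(b"bmp-coder-bytes").hexdigest(),
        "IM_MOD_RLsgi.dll": hashlib.sha256(b"sgi-coder-bytes").hexdigest(),
        "IM_MOD_RLpng.dll": hashlib.sha256(b"png-coder-bytes").hexdigest(),
    }


def audit_archive(zip_bytes: bytes, reference: dict) -> dict:
    """Full check: per-member digests, diff against the reference, VT links."""
    digests = hash_zip_members(zip_bytes)
    report = compare_to_reference(digests, reference)
    report["lookup"] = virustotal_lookup_urls(digests)
    return report


if __name__ == "__main__":
    result = audit_archive(build_sample_zip(), sample_reference_manifest())
    for key in ("match", "mismatch", "missing", "unexpected"):
        print(f"{key:10s} {result[key]}")
    for name, url in result["lookup"].items():
        print(f"{name:20s} {url}")
```

On the constructed input the bmp coder matches the reference, the sgi coder is reported as a mismatch, the png coder is missing from the zip, and php_imagick.dll shows up as unexpected because the manifest only covers ImageMagick's own DLLs. A mismatch is not by itself evidence of tampering: a rebuilt DLL with different compiler flags or timestamps will also differ, so the useful follow-up is to rebuild the member from the same sources with the same toolchain and compare again, or to look up the specific digest.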