Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

Malware Detection in .170 ISO #8901

Closed Cra5hedC0w closed 2 years ago

Cra5hedC0w commented 2 years ago

AV detects a trojan in the .170 ISO. VirusTotal confirms this as well.

VT: https://www.virustotal.com/gui/file/6bdb83059b0e9896b60e1b844d0b7ef3ae9cee611bcbeb6135b5cc3cb00863a7/detection

Location of file: securityonion-2.3.170-20220922\docker\registry\v2\blobs\sha256\cf\cfa02abcd83b08b03a34044f8a8c0c9319c75df85b028914e2ceeeda679b4a52\root.cache\pip\http\1\c\e\c\b\speakeasy\winenv\decoys\x86\default_exe.exe

Also located here: \securityonion-2.3.170-20220922\docker\registry\v2\blobs\sha256\cf\cfa02abcd83b08b03a34044f8a8c0c9319c75df85b028914e2ceeeda679b4a52\usr\local\lib\python3.8\dist-packages\speakeasy\winenv\decoys\x86\default_exe.exe

Can the authors confirm/deny, or provide any guidance on this?

dougburks commented 2 years ago

From https://docs.securityonion.net/en/2.3/download.html:

If you download our ISO image and then scan it with antivirus software, it is possible that one or more of the files included in the ISO image may generate false positives. If you look at the antivirus scan details, it will most likely tell you that it alerted on a file in SecurityOnion\agrules\strelka\yara. This is part of Strelka and it is being incorrectly flagged as a backdoor when it is really just a Yara ruleset that looks for backdoors. In some cases, the alert may be for a sample EXE that is included in Strelka but again a false positive.

Cra5hedC0w commented 2 years ago

The location of the malware does not match what your documentation is stating in terms of location. Again, the locations indicated are

securityonion-2.3.170-20220922\docker\registry\v2\blobs\sha256\cf\cfa02abcd83b08b03a34044f8a8c0c9319c75df85b028914e2ceeeda679b4a52\root.cache\pip\http\1\c\e\c\b\speakeasy\winenv\decoys\x86\default_exe.exe

and

\securityonion-2.3.170-20220922\docker\registry\v2\blobs\sha256\cf\cfa02abcd83b08b03a34044f8a8c0c9319c75df85b028914e2ceeeda679b4a52\usr\local\lib\python3.8\dist-packages\speakeasy\winenv\decoys\x86\default_exe.exe

If these correspond to Strelka locations on install, then disregard.

dougburks commented 2 years ago

Please see the final sentence:

In some cases, the alert may be for a sample EXE that is included in Strelka but again a false positive.

In this case, speakeasy\winenv\decoys\x86\default_exe.exe is a sample EXE that is included in Speakeasy which is part of Strelka.

For more information about Speakeasy, please see: https://pypi.org/project/speakeasy-emulator/
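The exchange above comes down to one practical check: confirm that the file the AV flagged is the Speakeasy decoy binary shipped inside the image layer, and not something else, by locating it in the ISO's docker registry blob and comparing its hash with the one in the VirusTotal report. The script below is an added example written for this page; it is not Security Onion, Strelka or Speakeasy code. It assumes the `.../blobs/sha256/cf/cfa02a.../data` blob is a (gzipped) tar of an image layer, which is how a docker registry v2 stores layers, and it takes the SHA-256 from the VirusTotal URL in the issue. The layer it builds for the demo is constructed in memory; its member paths approximate the two reported locations (reading the issue's `root.cache\pip` as `root/.cache/pip` is an assumption), and the decoy bytes are a placeholder, so the demo run reports a hash mismatch, which is what you would also see if the flagged file were not the known decoy.

```python
"""Locate and hash files inside a Docker registry v2 layer blob.

Constructed example, not Security Onion's or Strelka's code. Opens a layer
tarball, hashes the members whose path matches a pattern (Speakeasy's decoy
directory here) and compares them with the hash from an AV/VirusTotal report.
"""
import fnmatch
import hashlib
import io
import tarfile

# SHA-256 from the VirusTotal link in the issue (the flagged default_exe.exe).
VT_REPORTED_SHA256 = "6bdb83059b0e9896b60e1b844d0b7ef3ae9cee611bcbeb6135b5cc3cb00863a7"

# fnmatch '*' also crosses '/', so this matches any depth above 'speakeasy'.
DECOY_PATTERN = "*/speakeasy/winenv/decoys/*"


def hash_matching_members(layer, pattern=DECOY_PATTERN):
    """Return {member_path: sha256_hex} for regular files in the tar layer
    whose path matches `pattern`. `layer` is a filesystem path or a
    file-like object; mode 'r:*' autodetects gzip or plain tar."""
    results = {}
    if isinstance(layer, (str, bytes)):
        tf = tarfile.open(layer, mode="r:*")
    else:
        tf = tarfile.open(fileobj=layer, mode="r:*")
    with tf:
        for member in tf:
            if not member.isfile() or not fnmatch.fnmatch(member.name, pattern):
                continue
            fobj = tf.extractfile(member)
            digest = hashlib.sha256()
            for chunk in iter(lambda: fobj.read(1 << 20), b""):
                digest.update(chunk)
            results[member.name] = digest.hexdigest()
    return results


def triage(results, reported_hash=VT_REPORTED_SHA256):
    """Split hashed members into those equal to the reported hash and the rest.
    A match means the AV hit is the known Speakeasy decoy; anything else in
    the decoy directory with a different hash deserves a closer look."""
    matches = [p for p, h in results.items() if h == reported_hash]
    others = [p for p, h in results.items() if h != reported_hash]
    return matches, others


def blob_digest_matches(blob_bytes, blob_dir_name):
    """Registry v2 stores a blob at blobs/sha256/<xx>/<digest>/data, where
    <digest> is the SHA-256 of the data file. Check it before trusting any
    finding about the blob's contents."""
    return hashlib.sha256(blob_bytes).hexdigest() == blob_dir_name


def build_sample_layer(decoy_bytes):
    """Constructed stand-in for the layer blob: a gzipped tar holding
    `decoy_bytes` at two paths modelled on the issue (assumed layout) plus an
    unrelated file that the pattern must not pick up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path in (
            "root/.cache/pip/http/1/c/e/c/b/speakeasy/winenv/decoys/x86/default_exe.exe",
            "usr/local/lib/python3.8/dist-packages/speakeasy/winenv/decoys/x86/default_exe.exe",
        ):
            info = tarfile.TarInfo(path)
            info.size = len(decoy_bytes)
            tf.addfile(info, io.BytesIO(decoy_bytes))
        other = b"#!/bin/sh\necho strelka\n"
        info = tarfile.TarInfo("usr/local/bin/strelka")
        info.size = len(other)
        tf.addfile(info, io.BytesIO(other))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Placeholder bytes, not the real PE decoy, so triage() reports a mismatch.
    sample = build_sample_layer(b"MZ constructed decoy placeholder")
    hashes = hash_matching_members(sample)
    for path, digest in hashes.items():
        print(f"{digest}  {path}")
    matches, others = triage(hashes)
    print("matches VT hash:", matches)
    print("differs from VT hash:", others)
```

Against a real ISO, point `hash_matching_members` at the extracted `.../cfa02a.../data` file (after checking it with `blob_digest_matches`) instead of the constructed layer; a hash equal to the VirusTotal one confirms the AV alert is the Speakeasy decoy described in the maintainer's reply, and any decoy-directory member with a different hash is what you would escalate.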