Closed BionicBison05 closed 1 year ago
Hm, quite peculiar indeed. For what it's worth, the release was built and published off GitHub Actions, and you can verify this by checking the MD5/SHA256 checksums reported in the job:
https://github.com/chowder/duck-gen/actions/runs/6532353809/job/17735367011
```
++ md5sum duck-gen-v0.4-windows-amd64.exe
+ MD5_SUM=f4765e6ab8b0833a24b9161af92b42c3
++ cut -d ' ' -f 1
++ sha256sum duck-gen-v0.4-windows-amd64.exe
+ SHA256_SUM=3646ed70d39429110bd7ac4ce6b0d896b4cd7eeb7e82164617bafa5d12f6e3de
```
So you know for sure that the binaries were not uploaded by me. Looking at the logs, it's not obvious to me that the build process has been compromised either.
I'll try to upgrade the project to Go 1.21 and have the builds be perfectly reproducible.
> As of Go 1.21, the Go toolchain is perfectly reproducible: its only relevant input is the source code for that build.
I think that statement is being made in regard to the go toolchain in specificity, and not any/all golang projects in general.
Be that as it may, I believe that the duck-gen project is being built reproducibly since it consumes only golang source code.
> I think that statement is being made in regard to the go toolchain in specificity
Yeah you're right.
In any case, with #5, building with `CGO_ENABLED=0 go build -trimpath ...` gives me the exact same binary as the one produced by GHA.
- On my machine:
```
$ CGO_ENABLED=0 GOAMD64=v1 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w"
$ sha256sum duck-gen.exe
066bc01519b739f23a4f49b6e63284231396792b47083c1d662d8a242fd3eedf  duck-gen.exe
```
- On GHA:
```
++ sha256sum duck-gen-v0.5-windows-amd64.exe
++ cut -d ' ' -f 1
+ SHA256_SUM=066bc01519b739f23a4f49b6e63284231396792b47083c1d662d8a242fd3eedf
```
https://github.com/chowder/duck-gen/actions/runs/6763929128/job/18381623022
The Windows binary no longer trips (as many) malware checks - but I've also updated the toolchain & dependency versions while I was at it, so I'm also not too surprised, assuming it was a false flag.
In any case, while I'm still not quite convinced that the binaries were compromised - just to be safe, I'll yank the v0.4 binaries from the release page and roll a new release with reproducible ones.
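The rebuild-and-compare procedure from the comment above, written out as an added shell example (not duck-gen's own code, and not part of the original thread). It assumes the GitHub Actions job log has been saved to a local file and that the Go module being rebuilt is the current directory; the file name `job.log` and the helper names are mine. The checksum helpers run without a Go toolchain; only `reproduce_windows_amd64` needs `go` installed.

```shell
#!/usr/bin/env bash
# Added example, not code from the duck-gen project.
# Rebuild a Go release artifact with the flags reported in the thread and
# compare its SHA256 against the value the GitHub Actions job printed.
set -eu

# Print the hex SHA256 of a file, falling back to shasum where sha256sum
# is absent (e.g. macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Pull the first SHA256_SUM=<hex> value out of a saved job log (assumed file).
# Matching on the 64 hex digits tolerates the "+ " shell-trace prefix and the
# timestamp column that raw GHA logs carry in front of every line.
sha256_from_log() {
  grep -o 'SHA256_SUM=[0-9a-fA-F]\{64\}' "$1" | head -n 1 | cut -d '=' -f 2 | tr 'A-F' 'a-f'
}

# Rebuild deterministically: CGO off, source paths trimmed, symbols stripped,
# amd64 baseline pinned. Same source, toolchain and module cache => same bytes.
# Needs a Go toolchain; $1 is the output path.
reproduce_windows_amd64() {
  CGO_ENABLED=0 GOAMD64=v1 GOOS=windows GOARCH=amd64 \
    go build -trimpath -ldflags "-s -w" -o "$1" .
}

# Compare a local artifact against the published digest.
# Returns 0 on match, 1 on mismatch (and reports both digests on stderr).
verify_artifact() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "MATCH    $file $actual"
    return 0
  fi
  echo "MISMATCH $file local=$actual published=$expected" >&2
  return 1
}

# Usage (requires Go and a saved job log):
#   reproduce_windows_amd64 duck-gen.exe
#   verify_artifact duck-gen.exe "$(sha256_from_log job.log)"
```

A mismatch here does not by itself mean the published binary is malicious: a different Go toolchain version, a different module cache, or a missing `-trimpath` will also change the bytes, so compare the `go version` and `go.sum` used on both sides before drawing conclusions.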
@BionicBison05 for the record, here's what the v0.5 artifacts for windows look like:
```
$ git describe --long --always --dirty && go tool dist list | grep windows | tr '/' ' ' | while read -r GOOS GOARCH; do export GOOS GOARCH && echo "${GOOS}" "${GOARCH}" && go build && file duck-gen.exe && sha512sum duck-gen.exe ; done
c611ca2
windows 386
duck-gen.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, 13 sections
f5cb22183c1ea7934c3ee05022fe159872de75a82fe51c236d039a0fdca14d0d3cb6c9c7c69f52eda475ae37b884321c25855bff9a6b9973ead64a637d45a480  duck-gen.exe
windows amd64
duck-gen.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 13 sections
f27a38a4f10195435a2d185028c213a7504b29a7013d8f925221928713247eaa23201634be8ad2c47b62a73c008cece6d76a8a59e0c7e3cfb225a0aa5f19ab1f  duck-gen.exe
windows arm
duck-gen.exe: PE32 executable (console) ARMv7 Thumb (stripped to external PDB), for MS Windows, 13 sections
639919c99e55c5b5debb3ca45fd73d8dda9368e9d8232e3872fa3ad09cd62922598f7e4b1a1b39fa6aedb4cac212f55d8b7af1783bc357c59701de3511ffb31a  duck-gen.exe
windows arm64
duck-gen.exe: PE32+ executable (console) Aarch64 (stripped to external PDB), for MS Windows, 13 sections
cc77b052ad4d6d215fc19f54928b1b88e21dceb68e7902538ed5c8f8643d4e17eff9b06065b486df0ebe26f7d6ab7a24704a28accfa21927490d150291445474  duck-gen.exe
```
Upon downloading the binary for Windows, Microsoft Defender flagged it as a "Severe" threat. A few others on VirusTotal also flag it as malware. Interestingly, there are fewer detections for a binary I built myself, which strike me more as false positives. This leads me to wonder whether the provided Windows binary is compromised in some way. Any insight on this would be appreciated.