Closed jorhett closed 2 years ago
Hi @jorhett -- Can you please send us an md5sum of the lib_ebm_native_win_x64_debug.dll file and also a directory listing with file sizes and last write dates for all files within the /usr/local/lib/python3.8/site-packages/interpret/lib/ directory.
We'll compare your md5 fingerprint with the files on pypi and also in our build pipeline.
-InterpretML team
Hi @jorhett -- If you have an unmodified copy of that file, it should have an md5 fingerprint of 15ec6e6594c4b9a7b09107937704aec7. That's the fingerprint we see on pypi, on a local machine after installing from pypi, and also in the Azure pipeline where it's built. Given that dll was built from source on one of the widely used Azure pipeline VM images, it seems unlikely the package itself contains malware. We believe the most likely explanation is that it's either a false positive by the virus checker, or a local infection, or a misdirection by another malicious trojan.
What malware detection software are you seeing this being flagged under?
-InterpretML team
What malware detection software are you seeing this being flagged under?
This was flagged by Wiz.io based on an SHA fingerprint. Since we removed it, we don't have the ability to check the SHA again.
We believe the most likely explanation is that it's either a false positive by the virus checker, or a local infection, or a misdirection by another malicious trojan.
We've been looking at this, and we can find no evidence of any other infection. I understand the concern about a false positive, but SHA checksums are considerably less likely to overlap than MD5...
Thanks for getting back to us @jorhett with this info. We've contacted Wiz.io and reported it to them. We're not worried so much about there being an md5 collision since we were using md5 as a non-secure checksum, but rather that Wiz.io might have mistakenly put our file, or a part of our file, in their alert list.
For anyone referencing this issue, the sha1 of an unmodified copy of that DLL should be 61ea6e29c0629ee1f8974af11c1572d67fd009b0
jorhett, one possible other course of action you could take would be to install InterpretML in another test machine or VM in your environment and see if Wiz.io flags it again. If it doesn't get flagged, then it implies that it was a local infection. Given you are running Linux, that DLL shouldn't be run in any case.
-InterpretML team
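As an added example (not code from this thread or from the InterpretML project), here is a small Python script that produces the listing the maintainers asked for (name, size, last write time) and compares each file in the interpret/lib directory against the md5 and sha1 fingerprints posted above. The directory path is the one from the report; the DLL is the only file for which this thread supplies reference hashes, so other files get "no reference" rather than a verdict.

```python
import hashlib
import sys
import time
from pathlib import Path

# Fingerprints of an unmodified lib_ebm_native_win_x64_debug.dll, as posted
# by the InterpretML team in this issue. Add entries here if you obtain
# reference hashes for other files in the directory.
KNOWN_GOOD = {
    "lib_ebm_native_win_x64_debug.dll": {
        "md5": "15ec6e6594c4b9a7b09107937704aec7",
        "sha1": "61ea6e29c0629ee1f8974af11c1572d67fd009b0",
    },
}

# Path from the original report (assumed; adjust for your interpreter).
DEFAULT_LIB_DIR = "/usr/local/lib/python3.8/site-packages/interpret/lib/"


def file_digests(path, chunk_size=1 << 20):
    """Return md5 and sha1 hex digests of a file, hashed in one streamed pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def check_lib_dir(lib_dir, known_good=KNOWN_GOOD):
    """List every regular file in lib_dir with size, mtime, digests and a verdict:
    'match' (both digests equal the reference), 'MISMATCH', or 'no reference'."""
    rows = []
    for p in sorted(Path(lib_dir).iterdir()):
        if not p.is_file():
            continue
        st = p.stat()
        digests = file_digests(p)
        ref = known_good.get(p.name)
        if ref is None:
            verdict = "no reference"
        elif digests["md5"] == ref["md5"] and digests["sha1"] == ref["sha1"]:
            verdict = "match"
        else:
            verdict = "MISMATCH"  # modified, corrupted, or a different build
        mtime = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime))
        rows.append({"name": p.name, "size": st.st_size, "mtime": mtime,
                     **digests, "verdict": verdict})
    return rows


if __name__ == "__main__":
    for r in check_lib_dir(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_LIB_DIR):
        print(f'{r["verdict"]:12} {r["size"]:>10} {r["mtime"]} {r["sha1"]} {r["name"]}')
```

A "match" means the on-disk DLL is byte-for-byte the file the maintainers built and published, so a scanner alert on it is about that published artifact rather than a local modification; a "MISMATCH" is the case worth preserving and investigating before deleting the file.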
For anyone else coming to this issue, that DLL shouldn't be accessed by the vast majority of installations. It will only be accessed if you are running on Windows and also purposely set native_debug to True by invoking:
from interpret.develop import debug_mode
debug_mode(native_debug=True)
Here's what Wiz provided to me:
Hi, here is the information I could find: Malware type - Win64.Trojan.Ursu; MD5 - 15ec6e6594c4b9a7b09107937704aec7; SHA1 - 61ea6e29c0629ee1f8974af11c1572d67fd009b0
From wiz:
Hello, after further investigation of this detection, we've concluded it is a false positive. Wiz will no longer raise this file as malware. Thank you for reporting!
We've gotten a malware report claiming that the malware Win64.Trojan.Ursu is in
/usr/local/lib/python3.8/site-packages/interpret/lib/lib_ebm_native_win_x64_debug.dll
This node has these packages:
It looks like the insertion would be in the build of the binary pypi package.