Malware Alert in Package: prometheus-0.60.1-41.7.3.tar.gz (alertmanager)

[BenjaminSchwenk]

Hi kURL team,

I've encountered a potential security issue with the prometheus-0.60.1-41.7.3.tar.gz package, specifically within the alertmanager tarball located at /var/lib/kurl/addons/prometheus/0.60.1-41.7.3/images/alertmanager.tar.gz.

While downloading the package from https://kurl.sh/815b042, my malware detection tools triggered an alert. To further investigate, I submitted the file to VirusTotal, and the analysis reported potential malware signatures.

VirusTotal Report: https://www.virustotal.com/gui/file/dcd9a5af1c6297ed1a66c851efa305000335d8ade068ba515125a6612f1d5300

Could the team please investigate this? If additional information or assistance is needed, I'm happy to help.

Thank you for your attention to this matter.

[St0rmz1]

Hi @BenjaminSchwenk thanks for opening this issue. I'm taking a look now.

--A

[St0rmz1]

Hi @BenjaminSchwenk This is a false positive from VirusTotal.

If you work your way down the package and gunzip and untar everything, you'll find a directory kurl/kurl/addons/prometheus/0.60.1-41.7.3/images/e664345d1500be905a2d0fae028b7ebf0af2414c89a28392237aa3abf60de6ff/bin

You can upload many of the binaries to VirusTotal and they will report the same finding that you discovered.

Here's what's going on:

• On Feb 7th, Fortinet published an advisory regarding "N-Day Vulnerabilities" and/or "Coathanger" types of attacks.
• In their report (and also by some other vendors), they published all the various binaries and their hashes that have been used as part of the attack chain. Included in the report are a handful of normal everyday *nix binaries.
• We've got some AV vendors that saw the hashes on these reports and tagged them as malware.
• This would be like saying ls has malware, only because an investigator found that the attacker issued ls after gaining access.

Here's the Fortinet blog post: https://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities And here is a VirusTotal report on one of the *nix binaries: https://www.virustotal.com/gui/file/dcd9a5af1c6297ed1a66c851efa305000335d8ade068ba515125a6612f1d5300/detection

Let me know if that helps and/or if you've got any additional questions.

Thanks --A

[BenjaminSchwenk]

Thank you for that perfect answer. TThat clears all open questions, thanks a lot again.