Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#48756 closed defect (invalid)

zlib @1.2.8 Infected with iPhone WireLurker malware

Reported by: bhavinhasmail@… Owned by: landonf (Landon Fuller)
Priority: Normal Milestone:
Component: ports Version: 2.3.3
Keywords: Cc: ryandesign (Ryan Schmidt), mkae (Marko Käning)
Port: zlib

Description

When upgrading my ports installation my anti-virus software (Sophos Home Edition v 9.2.7) detected the iPhone/WireLurk malware.

Infected file: /opt/local/lib/libz.1.2.8.dylib

Attachments (1)

macports-libz-wirelurk.jpg (219.1 KB) - added by bhavinhasmail@… 7 years ago.
Screen capture of Sophos malware detection of WireLurker


Change History (10)

Changed 7 years ago by bhavinhasmail@…

Attachment: macports-libz-wirelurk.jpg added

Screen capture of Sophos malware detection of WireLurker

comment:1 Changed 7 years ago by ryandesign (Ryan Schmidt)

Cc: ryandesign@… added
Owner: changed from macports-tickets@… to landonf@…
Port: zlib added
Summary: changed from libz @1.2.8 Infected with iPhone WireLurker malware to zlib @1.2.8 Infected with iPhone WireLurker malware

I don't see how the zlib port could be infected with anything. For one thing, the port hasn't been updated in any way in over 2 years; if there were a problem, it would have been reported long before now. So either your local copy of zlib on your machine was replaced with an infected copy (by something outside of MacPorts), or your virus scanner is giving you a false positive. To check whether it is the former, you could force a reinstallation of zlib by running:

sudo port -n upgrade --force zlib

Then run your virus scanner again. If it no longer says the file is infected, then something replaced your zlib with a corrupted copy, and you should try to figure out how that happened. If it still says it is infected, I suspect a false positive, and you should report it to the maker of your antivirus software.

comment:2 Changed 7 years ago by bhavinhasmail@…

I force reinstalled zlib as you described and Sophos is STILL detecting it as malware.

I have submitted the file to Sophos and reported it as a possible false-positive.

For the record, the MD5 of the file on my system (OSX 10.9.5) after a force reinstall:

3c7c50ef664fcdc089776f11d269a9dc    /opt/local/lib/libz.1.2.8.dylib
Last edited 7 years ago by bhavinhasmail@…

comment:3 Changed 7 years ago by Ionic (Mihai Moldovan)

33d63b553961919e9a7f28b1386f5a1e  /opt/local/lib/libz.1.2.8.dylib

On my 10.9 box.

comment:5 Changed 7 years ago by mkae (Marko Käning)

Cc: mk@… added

Cc Me!

comment:6 Changed 7 years ago by JDLH (Jim DeLaHunt)

For what it's worth, on my system (Mac OS X 10.10.5):

% ls -l /opt/local/lib/libz.1.2.8.dylib
-rwxr-xr-x  1 root  admin  161884 19 Nov  2014 /opt/local/lib/libz.1.2.8.dylib
% md5 -r /opt/local/lib/libz.1.2.8.dylib
e2a778e45a1d89993fa4b576966e94de /opt/local/lib/libz.1.2.8.dylib

This differs from either bh...'s or ionic's checksums above.

After rebuilding zlib, I got:

% sudo port -n upgrade --force zlib
... [lots of response omitted] ...
--->  Scanning binaries for linking errors
--->  No broken files found.
% ls -l /opt/local/lib/libz.1.2.8.dylib
-rwxr-xr-x  1 root  admin  161884 19 Nov  2014 /opt/local/lib/libz.1.2.8.dylib
% md5 -r /opt/local/lib/libz.1.2.8.dylib
e2a778e45a1d89993fa4b576966e94de /opt/local/lib/libz.1.2.8.dylib

This looks pretty much unchanged.

Last edited 7 years ago by ryandesign (Ryan Schmidt)

comment:7 Changed 7 years ago by ryandesign (Ryan Schmidt)

You'll get a different checksum for Mach-O files like dylibs every time you rebuild. The fact that you got the same checksum and the same timestamp on the file tells us you happened to get a binary from our server, rather than actually rebuilding the port on your computer. Binaries are specific to each version of OS X, so even two users who both got the files from our build server will get different checksums if they are on different OS X versions. You're on 10.10 and bh and ionic are on 10.9.
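To make the point about per-rebuild checksums concrete, here is an added example that is not part of this ticket and not MacPorts code. Every Mach-O image the Apple linker emits carries an LC_UUID load command holding a fresh UUID per link, so two rebuilds of the same source never hash alike, while users who received the same binary archive from the build server share one UUID. The script parses thin or fat (universal) Mach-O files and compares slices by that UUID; the Mach-O bytes it builds for demonstration are constructed samples, not libz.

```python
import struct
import uuid

MH_MAGIC_64, MH_MAGIC, FAT_MAGIC, LC_UUID = 0xFEEDFACF, 0xFEEDFACE, 0xCAFEBABE, 0x1B
CPU_TYPE_X86_64 = 0x01000007


def _slice_uuid(data, offset):
    """Walk the load commands of one thin Mach-O image and return its LC_UUID (or None)."""
    magic = struct.unpack_from("<I", data, offset)[0]
    if magic not in (MH_MAGIC_64, MH_MAGIC):
        raise ValueError("no little-endian Mach-O header at offset %d" % offset)
    # mach_header(_64): magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    ncmds = struct.unpack_from("<I", data, offset + 16)[0]
    pos = offset + (32 if magic == MH_MAGIC_64 else 28)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd == LC_UUID:  # struct uuid_command: cmd, cmdsize, uuid[16]
            return uuid.UUID(bytes=data[pos + 8:pos + 24])
        pos += cmdsize
    return None


def macho_uuids(data):
    """LC_UUID of every architecture slice, for a thin or fat (universal) Mach-O file."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [_slice_uuid(data, 0)]
    # fat_header is big-endian: magic, nfat_arch, then fat_arch{cputype, cpusubtype, offset, size, align}
    nfat = struct.unpack_from(">I", data, 4)[0]
    return [_slice_uuid(data, struct.unpack_from(">5I", data, 8 + 20 * i)[2]) for i in range(nfat)]


def same_build(a, b):
    """True when two files carry the same linker UUIDs, i.e. are the same link product."""
    return macho_uuids(a) == macho_uuids(b)


def build_sample_dylib(uuid_bytes, cputype=CPU_TYPE_X86_64):
    """Constructed minimal 64-bit MH_DYLIB image (sample only, not a real libz) with two load commands."""
    dummy = struct.pack("<II", 0x19, 16) + b"\x00" * 8  # placeholder LC_SEGMENT_64-shaped command
    cmds = dummy + struct.pack("<II", LC_UUID, 24) + uuid_bytes
    return struct.pack("<7I4x", MH_MAGIC_64, cputype, 3, 6, 2, len(cmds), 0) + cmds


def build_fat(slices):
    """Constructed universal binary wrapping (cputype, thin image) pairs behind a big-endian fat header."""
    header, body, offset = struct.pack(">II", FAT_MAGIC, len(slices)), b"", 8 + 20 * len(slices)
    for cputype, image in slices:
        header += struct.pack(">5I", cputype, 3, offset, len(image), 0)
        body, offset = body + image, offset + len(image)
    return header + body
```

On a real system, `macho_uuids(open("/opt/local/lib/libz.1.2.8.dylib", "rb").read())` gives the value to compare across machines; matching UUIDs mean the same archive was installed, whereas differing MD5s alone prove nothing.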

comment:8 Changed 7 years ago by ryandesign (Ryan Schmidt)

Resolution: invalid
Status: changed from new to closed

I'm going to close this ticket now since as far as I can tell there is no MacPorts bug here.

comment:9 Changed 7 years ago by mf2k (Frank Schima)

Keywords: libz iPhone WireLurker WIreLurk malware removed