ClamAV found Mirai trojan in Slack Snap

Hi all,

Not sure if I am in the right spot, but this needed reporting somewhere. I am an avid Snap user, but not proficient in its mechanics. I just did a scan of my work system with ClamAV and it appears to have found a trojan named Mirai in the Slack Snap package.

Now, I am not 100% sure whether this is due to the package, something I received via Slack, or a false positive. I researched it online and couldn’t find any other mentions of this. I did a full removal of the snap package and its directories and confirmed it was gone. After reinstalling the Slack Snap the trojan was back again.

For now I have removed the Slack Snap. Could someone please investigate this?

Scan results:
user@system:~$ sudo clamscan --max-filesize=3999M --max-scansize=3999M -i -r /snap/slack/8/usr/lib/slack
[sudo] password for user:
/snap/slack/8/usr/lib/slack/slack: Unix.Trojan.Mirai-5932143-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6634140
Engine version: 0.100.1
Scanned directories: 44
Scanned files: 146
Infected files: 1
Data scanned: 261.75 MB
Data read: 182.37 MB (ratio 1.44:1)
Time: 24.151 sec (0 m 24 s)
user@system:~$ sudo clamscan --max-filesize=3999M --max-scansize=3999M -i -r /snap/slack/7/usr/lib/slack
/snap/slack/7/usr/lib/slack/slack: Unix.Trojan.Mirai-5932143-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6634140
Engine version: 0.100.1
Scanned directories: 49
Scanned files: 142
Infected files: 1
Data scanned: 262.89 MB
Data read: 189.34 MB (ratio 1.39:1)
Time: 27.368 sec (0 m 27 s)


I can confirm that clamav detects this as mirai-infected on another system.

Virustotal thinks it’s clean, however:


This might be a false-positive. Another electron application that I run which is not related to slack in any way other than it being electron-based, IRCCloud, is also marked as containing mirai by clamav.


This seems to happen a fair amount. Spotify, Chromium, Chrome and others have been hit by this Unix.Trojan.Mirai fingerprint before.

@felix - have you been notified of these via other channels?

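The checks the replies above are doing by hand (hash the flagged file for a VirusTotal lookup, find out what signature body actually matched, and silence a confirmed false positive locally until the signature is fixed upstream) can be scripted. This is an added example, not code from the thread, from Slack or from the ClamAV project. It assumes the clamscan output format shown in the first post ("<path>: <signature> FOUND"), a ClamAV database directory of /var/lib/clamav unless CLAMDB is set, and that sha256sum is available; the sigtool step is skipped when sigtool is not installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): triage a ClamAV "FOUND" hit
# before trusting it. Assumes clamscan's "<path>: <signature> FOUND" output
# format and a database directory of /var/lib/clamav (override with CLAMDB).

tab=$(printf '\t')

# Parse clamscan output on stdin into "path<TAB>signature" lines, dropping
# the scan summary and anything that is not a detection.
clam_hits() {
    sed -n "s/^\(.*\): \([^ ]*\) FOUND\$/\1${tab}\2/p"
}

# Print the SHA-256 of a flagged file. Look this hash up on VirusTotal, or
# compare it with a fresh download of the same snap revision: if the hash
# matches what the store ships, the file was not modified on your system.
hit_sha256() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# Show the signature body that produced the match so you can judge whether
# the byte pattern is something a large Electron binary could plausibly
# contain by chance. Skipped when sigtool is not installed.
show_signature() {
    command -v sigtool >/dev/null 2>&1 || { echo "sigtool not installed" >&2; return 0; }
    sigtool --datadir="${CLAMDB:-/var/lib/clamav}" --find-sigs="$1" | sigtool --decode-sigs
}

# Validate a signature name and emit one local.ign2 line. ClamAV loads
# <datadir>/local.ign2 and skips every signature named in it, so only
# confirmed false positives belong here; never whitelist a path or a hash.
ign2_line() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) echo "refusing bad signature name: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$1"
}

# Build a de-duplicated ign2 file at $1 from clamscan output on stdin.
# Copy the result to "${CLAMDB:-/var/lib/clamav}/local.ign2" and re-run
# clamscan: the FOUND line should disappear while all other signatures stay active.
write_ign2() {
    clam_hits | cut -f2 | sort -u | while IFS= read -r sig; do
        ign2_line "$sig"
    done > "$1"
}

# Usage: sudo clamscan -i -r /snap/slack/current/usr/lib/slack > scan.txt
#        clam_hits < scan.txt
#        hit_sha256 /snap/slack/current/usr/lib/slack/slack
#        show_signature Unix.Trojan.Mirai-5932143-0
#        write_ign2 local.ign2 < scan.txt
```

The ign2 entry is a stopgap: it only makes sense once the vendor or your own inspection of the signature body has confirmed the hit is spurious, and it should be removed again after reporting the false positive to ClamAV and seeing the signature updated.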

Perhaps it’s the execstack stripping that causes it?


Hi, thanks for looking into this. I also left a report at Slack and below is their response confirming this as a false positive by ClamAV.

Megan (Slack)

Sep 4, 4:52 PM PDT

Hi Rick,

Thanks for waiting! I have spoken with our security team, and they’ve reviewed the case and determined what you were seeing was a false positive. Our team has now submitted a false-positive report to ClamAV in hopes that this kind of issue can be avoided in future.

Thanks again for taking the time to report this! Let me know if I can assist further in any way.

All the best,

Megan


That’s a really awesome reply from Slack! I love when a company owns an issue that isn’t really their problem (it’s really a ClamAV problem). Well done them for a top-notch effort.
