Update trojan signatures to avoid false positives on modern distros#35927
Open
Miguevrgo wants to merge 1 commit into
…modern distros

Signatures for chsh, chfn, passwd, date and md5sum were triggering false positives on Debian 13 (Trixie), Arch Linux and Ubuntu 26.04 because modern binaries legitimately contain strings such as 'bash', '/dev/null', '/dev/urandom' or '/dev/stdout'.

- chsh, chfn: remove 'bash' from signature; exclude 'n' (/dev/null) from the character-class range
- passwd: exclude 'n' (/dev/null) from the character-class range
- date, md5sum: widen the excluded-character set in /dev/[^...] to also skip f, h, r, s, t, u, w — characters present in the legitimate device paths (/dev/fd, /dev/hda help text, /dev/random, /dev/stdin, /dev/stdout, /dev/tty, /dev/urandom, /dev/who-idle) embedded in the uutils-coreutils multicall binary shipped by Ubuntu 26.04
Description
False positives on "Trojaned version of file detected." (rule 510) triggered on several modern distributions due to signatures matching legitimate strings present in current binary builds.
Closes #32142
Proposed Changes
Minimal signature adjustments in `ruleset/rootcheck/db/rootkit_trojans.txt`:

| Binary | Reason | Change |
|---|---|---|
| chsh, chfn | shadow binaries contain the string `bash` (e.g. `BASH_ENV=` from PAM) | remove `bash\|` from signature |
| chsh, chfn | `/dev/null` matched `[a-s,uvxz]` because `n ∈ [a–s]` | `[a-s,uvxz]` → `[a-mo-s,uvxz]` |
| passwd | `/dev/null` matched `[b-s,uvxz]` because `n ∈ [b–s]` | `[b-s,uvxz]` → `[b-mo-s,uvxz]` |
| date, md5sum | `/dev/urandom`, `/dev/random`, `/dev/stdout`, `/dev/stdin`, `/dev/tty`, `/dev/fd`, etc. | `[^cln]` / bare `/dev/` → `[^cfhlnrstuw]` |

Real trojan indicators (`/dev/kmem`, `/dev/mem`, `/dev/ptyXX`, `/dev/ttyo`, etc.) are unaffected — their leading characters (k, m, p, o, …) are not in the excluded set.

Manual Tests with Their Corresponding Evidence
Tests run on Incus containers (Debian 13 Trixie, Arch Linux, Ubuntu 26.04 Resolute).
Methodology
Each binary was inspected with `strings` and the output was matched against both the old and new signature using `grep -P`. An empty result means no match → no alert.

Debian 13 — `/usr/bin/chsh`
Signature: `!bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-mo-s,uvxz]!`

Arch Linux — `/usr/bin/passwd`
Signature: `!bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-mo-s,uvxz]!`

Ubuntu 26.04 — `/usr/bin/passwd`, `/usr/bin/chfn`, `/usr/bin/chsh`
Same `/dev/null` → `n` in range issue, resolved with `[a-mo-s,uvxz]` / `[b-mo-s,uvxz]`.

Ubuntu 26.04 — `/usr/bin/date` and `/usr/bin/md5sum` (uutils multicall)
Both are symlinks to `/usr/lib/cargo/bin/coreutils/date` (uutils-coreutils 0.8.0, Rust).

Review Checklist
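As an added check that is not part of the PR or of the Wazuh ruleset, the script below reproduces the `strings` + `grep -P` comparison from the methodology above on constructed input, using only the changed character classes quoted in the table (the full old signature lines are not on the page, and Python's `re` is assumed to treat these classes as PCRE does). It reports which legitimate device paths each old fragment alerted on, confirms the new fragment is silent on them, and checks that the trojan indicators named in the description still match.

```python
import re

# Changed character classes as quoted in the PR table (old -> new).  The full
# old lines of rootkit_trojans.txt are not on the page, so only these fragments
# are exercised; Python's re is assumed to treat them as grep -P (PCRE) does.
SIGNATURE_CHANGES = {
    "chsh/chfn":   (r"/dev/[a-s,uvxz]", r"/dev/[a-mo-s,uvxz]"),
    "passwd":      (r"/dev/[b-s,uvxz]", r"/dev/[b-mo-s,uvxz]"),
    "date/md5sum": (r"/dev/[^cln]",     r"/dev/[^cfhlnrstuw]"),
}

# Constructed stand-ins for `strings` output of the legitimate binaries: the
# device paths the PR names for each binary, plus an unrelated line.
BENIGN_STRINGS = {
    "chsh/chfn":   ["/dev/null", "BASH_ENV="],
    "passwd":      ["/dev/null", "Changing password for %s"],
    "date/md5sum": ["/dev/fd", "/dev/hda", "/dev/null", "/dev/random",
                    "/dev/stdin", "/dev/stdout", "/dev/tty", "/dev/urandom",
                    "/dev/who-idle"],
}

# Constructed trojan indicators from the PR text. /dev/ttyo is left out: the
# chsh/passwd signatures match it through their own /dev/ttyo alternative,
# not through the character class under test.
TROJAN_STRINGS = ["/dev/kmem", "/dev/mem", "/dev/ptyXX"]


def matching(pattern, lines):
    """Lines that a signature fragment matches (re.search, like grep -P)."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def evaluate(binary):
    """Compare old and new fragment for one binary on benign and trojan strings."""
    old, new = SIGNATURE_CHANGES[binary]
    benign = BENIGN_STRINGS[binary]
    old_hits = matching(old, TROJAN_STRINGS)
    new_hits = matching(new, TROJAN_STRINGS)
    return {
        "old_false_positives": matching(old, benign),  # alerts before the PR
        "new_false_positives": matching(new, benign),  # alerts after the PR
        "still_detected": new_hits,                     # indicators kept
        "lost_detections": [s for s in old_hits if s not in new_hits],
    }


if __name__ == "__main__":
    for name in SIGNATURE_CHANGES:
        r = evaluate(name)
        print(f"{name:12} old FPs={r['old_false_positives']} "
              f"new FPs={r['new_false_positives']} lost={r['lost_detections']}")
```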