Malware Alert in felix-cache - false alarm?

Hi folks,

Clamav found the malware Revoked.CRT.HookSignTool-9999979-0 FOUND in lucee/tomcat/lucee-server/felix-cache/bundle49/version0.0/bundle.jar today.
To be precise, in:
resource/bin/windows64/attach.dll and
resource/bin/windows32/attach.dll

Can I assume this is a false positive?

Thanks

OS: Debian 11.7 x64 (Linux 5.10.0)
Java Version: 11.0.18
Tomcat Version: 9.0.65
Lucee Version: 5.3.10.120

can you share the manifest.mf from the bundle.jar?

“Sorry, new users can not upload attachments.”
I attached it inline below.

By the way:

$ md5sum resource/bin/windows64/attach.dll
ccb5cc70db9b9b6961bc2ef7fa7ee97a resource/bin/windows64/attach.dll

$ md5sum resource/bin/windows32/attach.dll
5f85fa89587337034e9ddb37662cc496 resource/bin/windows32/attach.dll

MANIFEST.MF

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.4
Created-By: 10.0.2+13 ("Oracle Corporation")
Bundle-Version: 5.3.10.120
Built-Date: 2023/02/07 16:46:49 CET
Minor-Name: Gelert
Minor-Name-Explanation: https://en.wikipedia.org/wiki/Gelert
State: beta
Bundle-Name: Lucee Core
Multi-Release: true
Require-Bundle-Fragment: slf4j.nop;bundle-version=1.7.12
Bundle-ManifestVersion: 2
Bundle-SymbolicName: lucee.core
Import-Package: coldfusion.xml.rpc,com.allaire.cfx,com.intergral.fusio
 ndebug.server,com.sun.management,com.sun.mail.smtp,com.sun.net.ssl.in
 ternal.ssl,javax.el,javax.servlet,javax.servlet.jsp,javax.servlet.htt
 p,javax.script,javax.activation,javax.imageio,javax.imageio.metadata,
 javax.imageio.stream,javax.imageio.plugins.jpeg,javax.management,java
 x.naming,javax.naming.directory,javax.net.ssl,javax.sql,org.osgi.fram
 ework,org.apache.logging.log4j.core,org.apache.logging.log4j
Export-Package: coldfusion,coldfusion.image,coldfusion.runtime,coldfus
 ion.runtime.java,coldfusion.server,coldfusion.sql,org.apache,org.apac
 he.taglibs,org.apache.taglibs.datetime,org.objectweb,org.objectweb.as
 m,org.opencfml,org.opencfml.cfx,lucee,lucee.commons,lucee.commons.act
 ivation,lucee.commons.cli,lucee.commons.collection,lucee.commons.coll
 ection.concurrent,lucee.commons.color,lucee.commons.date,lucee.common
 s.db,lucee.commons.digest,lucee.commons.i18n,lucee.commons.img,lucee.
 commons.io,lucee.commons.io.auto,lucee.commons.io.cache,lucee.commons
 .io.compress,lucee.commons.io.ini,lucee.commons.io.log,lucee.commons.
 io.log.sl4j,lucee.commons.io.reader,lucee.commons.io.res,lucee.common
 s.io.res.filter,lucee.commons.io.res.type,lucee.commons.io.res.type.c
 ache,lucee.commons.io.res.type.cfml,lucee.commons.io.res.type.compres
 s,lucee.commons.io.res.type.datasource,lucee.commons.io.res.type.data
 source.core,lucee.commons.io.res.type.file,lucee.commons.io.res.type.
 ftp,lucee.commons.io.res.type.http,lucee.commons.io.res.type.ram,luce
 e.commons.io.res.type.s3,lucee.commons.io.res.type.tar,lucee.commons.
 io.res.type.tgz,lucee.commons.io.res.type.zip,lucee.commons.io.res.ut
 il,lucee.commons.io.retirement,lucee.commons.lang,lucee.commons.lang.
 font,lucee.commons.lang.lock,lucee.commons.lang.mimetype,lucee.common
 s.lang.types,lucee.commons.lock,lucee.commons.lock.rw,lucee.commons.m
 anagement,lucee.commons.math,lucee.commons.net,lucee.commons.net.http
 ,lucee.commons.net.http.httpclient,lucee.commons.net.http.httpclient.
 entity,lucee.commons.res,lucee.commons.res.io,lucee.commons.res.io.fi
 lter,lucee.commons.security,lucee.commons.sql,lucee.commons.surveilla
 nce,lucee.commons.util,lucee.deployer,lucee.deployer.filter,lucee.int
 ergral,lucee.intergral.fusiondebug,lucee.intergral.fusiondebug.server
 ,lucee.intergral.fusiondebug.server.type,lucee.intergral.fusiondebug.
 server.type.coll,lucee.intergral.fusiondebug.server.type.nat,lucee.in
 tergral.fusiondebug.server.type.qry,lucee.intergral.fusiondebug.serve
 r.type.simple,lucee.intergral.fusiondebug.server.util,lucee.runtime,l
 ucee.runtime.cache,lucee.runtime.cache.eh,lucee.runtime.cache.eh.remo
 te,lucee.runtime.cache.eh.remote.rest,lucee.runtime.cache.eh.remote.r
 est.sax,lucee.runtime.cache.eh.remote.soap,lucee.runtime.cache.legacy
 ,lucee.runtime.cache.ram,lucee.runtime.cache.tag,lucee.runtime.cache.
 tag.include,lucee.runtime.cache.tag.query,lucee.runtime.cache.tag.req
 uest,lucee.runtime.cache.tag.smart,lucee.runtime.cache.tag.timespan,l
 ucee.runtime.cache.tag.udf,lucee.runtime.cache.util,lucee.runtime.cfx
 ,lucee.runtime.cfx.customtag,lucee.runtime.chart,lucee.runtime.coder,
 lucee.runtime.com,lucee.runtime.compiler,lucee.runtime.component,luce
 e.runtime.concurrency,lucee.runtime.config,lucee.runtime.config.ajax,
 lucee.runtime.config.component,lucee.runtime.converter,lucee.runtime.
 converter.bin,lucee.runtime.crypt,lucee.runtime.customtag,lucee.runti
 me.db,lucee.runtime.db.driver,lucee.runtime.db.driver.state,lucee.run
 time.debug,lucee.runtime.debug.filter,lucee.runtime.dump,lucee.runtim
 e.engine,lucee.runtime.err,lucee.runtime.exp,lucee.runtime.ext,lucee.
 runtime.ext.tag,lucee.runtime.extension,lucee.runtime.flash,lucee.run
 time.format,lucee.runtime.functions,lucee.runtime.functions.arrays,lu
 cee.runtime.functions.cache,lucee.runtime.functions.closure,lucee.run
 time.functions.component,lucee.runtime.functions.conversion,lucee.run
 time.functions.csrf,lucee.runtime.functions.dateTime,lucee.runtime.fu
 nctions.decision,lucee.runtime.functions.displayFormatting,lucee.runt
 ime.functions.dynamicEvaluation,lucee.runtime.functions.file,lucee.ru
 ntime.functions.gateway,lucee.runtime.functions.image,lucee.runtime.f
 unctions.international,lucee.runtime.functions.list,lucee.runtime.fun
 ctions.math,lucee.runtime.functions.orm,lucee.runtime.functions.other
 ,lucee.runtime.functions.owasp,lucee.runtime.functions.query,lucee.ru
 ntime.functions.rest,lucee.runtime.functions.s3,lucee.runtime.functio
 ns.string,lucee.runtime.functions.struct,lucee.runtime.functions.syst
 em,lucee.runtime.functions.video,lucee.runtime.functions.xml,lucee.ru
 ntime.gateway,lucee.runtime.gateway.proxy,lucee.runtime.helpers,lucee
 .runtime.i18n,lucee.runtime.img,lucee.runtime.img.coder,lucee.runtime
 .img.composite,lucee.runtime.img.filter,lucee.runtime.img.gif,lucee.r
 untime.img.interpolation,lucee.runtime.img.math,lucee.runtime.img.vec
 math,lucee.runtime.instrumentation,lucee.runtime.interpreter,lucee.ru
 ntime.interpreter.ref,lucee.runtime.interpreter.ref.cast,lucee.runtim
 e.interpreter.ref.func,lucee.runtime.interpreter.ref.literal,lucee.ru
 ntime.interpreter.ref.op,lucee.runtime.interpreter.ref.util,lucee.run
 time.interpreter.ref.var,lucee.runtime.java,lucee.runtime.listener,lu
 cee.runtime.lock,lucee.runtime.monitor,lucee.runtime.net,lucee.runtim
 e.net.amf,lucee.runtime.net.ftp,lucee.runtime.net.http,lucee.runtime.
 net.imap,lucee.runtime.net.ipsettings,lucee.runtime.net.ldap,lucee.ru
 ntime.net.mail,lucee.runtime.net.ntp,lucee.runtime.net.pop,lucee.runt
 ime.net.proxy,lucee.runtime.net.rpc,lucee.runtime.net.rpc.client,luce
 e.runtime.net.rpc.server,lucee.runtime.net.s3,lucee.runtime.net.smtp,
 lucee.runtime.op,lucee.runtime.op.date,lucee.runtime.op.validators,lu
 cee.runtime.orm,lucee.runtime.osgi,lucee.runtime.query,lucee.runtime.
 query.caster,lucee.runtime.reflection,lucee.runtime.reflection.pairs,
 lucee.runtime.reflection.storage,lucee.runtime.regex,lucee.runtime.re
 gistry,lucee.runtime.rest,lucee.runtime.rest.path,lucee.runtime.sched
 ule,lucee.runtime.search,lucee.runtime.search.lucene2,lucee.runtime.s
 earch.lucene2.analyzer,lucee.runtime.search.lucene2.docs,lucee.runtim
 e.search.lucene2.highlight,lucee.runtime.search.lucene2.html,lucee.ru
 ntime.search.lucene2.net,lucee.runtime.search.lucene2.query,lucee.run
 time.security,lucee.runtime.services,lucee.runtime.spooler,lucee.runt
 ime.spooler.mail,lucee.runtime.spooler.remote,lucee.runtime.spooler.t
 est,lucee.runtime.sql,lucee.runtime.sql.exp,lucee.runtime.sql.exp.op,
 lucee.runtime.sql.exp.value,lucee.runtime.sql.old,lucee.runtime.tag,l
 ucee.runtime.tag.util,lucee.runtime.text,lucee.runtime.text.csv,lucee
 .runtime.text.feed,lucee.runtime.text.xml,lucee.runtime.text.xml.stor
 age,lucee.runtime.text.xml.struct,lucee.runtime.thread,lucee.runtime.
 timer,lucee.runtime.type,lucee.runtime.type.cfc,lucee.runtime.type.co
 mparator,lucee.runtime.type.dt,lucee.runtime.type.it,lucee.runtime.ty
 pe.query,lucee.runtime.type.ref,lucee.runtime.type.scope,lucee.runtim
 e.type.scope.client,lucee.runtime.type.scope.session,lucee.runtime.ty
 pe.scope.storage,lucee.runtime.type.scope.storage.clean,lucee.runtime
 .type.scope.storage.db,lucee.runtime.type.scope.util,lucee.runtime.ty
 pe.sql,lucee.runtime.type.trace,lucee.runtime.type.util,lucee.runtime
 .type.wrap,lucee.runtime.user,lucee.runtime.util,lucee.runtime.util.p
 ool,lucee.runtime.video,lucee.runtime.vm,lucee.runtime.writer,lucee.s
 ervlet,lucee.servlet.pic,lucee.transformer,lucee.transformer.bytecode
 ,lucee.transformer.bytecode.cast,lucee.transformer.bytecode.expressio
 n,lucee.transformer.bytecode.expression.type,lucee.transformer.byteco
 de.expression.var,lucee.transformer.bytecode.literal,lucee.transforme
 r.bytecode.op,lucee.transformer.bytecode.reflection,lucee.transformer
 .bytecode.statement,lucee.transformer.bytecode.statement.tag,lucee.tr
 ansformer.bytecode.statement.udf,lucee.transformer.bytecode.util,luce
 e.transformer.bytecode.visitor,lucee.transformer.cfml,lucee.transform
 er.cfml.attributes,lucee.transformer.cfml.attributes.impl,lucee.trans
 former.cfml.evaluator,lucee.transformer.cfml.evaluator.func,lucee.tra
 nsformer.cfml.evaluator.func.impl,lucee.transformer.cfml.evaluator.im
 pl,lucee.transformer.cfml.expression,lucee.transformer.cfml.script,lu
 cee.transformer.cfml.tag,lucee.transformer.expression,lucee.transform
 er.expression.literal,lucee.transformer.expression.var,lucee.transfor
 mer.library,lucee.transformer.library.function,lucee.transformer.libr
 ary.tag,lucee.transformer.util,lucee.transformer.cfml.script.java.fun
 ction
Require-Bundle: org.apache.commons.commons-codec;bundle-version=1.15.0
 ,org.apache.commons.commons-collections4;bundle-version=4.4.0,org.luc
 ee.commons.compress;bundle-version=1.9.0,org.lucee.commons.fileupload
 ;bundle-version=1.3.2.L0001,org.lucee.commons.io;bundle-version=2.4.0
 ,org.lucee.commons.lang;bundle-version=2.6.0,org.lucee.commons.loggin
 g.adapters;bundle-version=1.1.0.0000L,org.lucee.commons.logging.api;b
 undle-version=1.1.0.0000L,org.lucee.commons.logging;bundle-version=1.
 2.0.0000L,org.apache.commons.net;bundle-version=3.3.0,org.apache.oro;
 bundle-version=2.0.8,org.lucee.log4j-core;bundle-version=2.17.2.0001L
 ,org.lucee.log4j-api;bundle-version=2.17.2.0001L,org.lucee.portlet;bu
 ndle-version=1.0.0,org.lucee.xml.apis;bundle-version=1.4.1,backport.u
 til.concurrent;bundle-version=2.2.0,org.lucee.oswego-concurrent;bundl
 e-version=1.3.4,org.lucee.jta;bundle-version=1.1.0,fusiondebug.api.se
 rver;bundle-version=1.0.20,org.lucee.httpcomponents.httpclient;bundle
 -version=4.5.10.0002L,org.lucee.httpcomponents.httpcore;bundle-versio
 n=4.4.12,org.lucee.httpcomponents.httpmime;bundle-version=4.5.10.0002
 L,hsqldb;bundle-version=1.8.0,jacob;bundle-version=1.16.1,javasysmon;
 bundle-version=0.3.3,jcifs;bundle-version=1.3.17,jencrypt;bundle-vers
 ion=1.4.2.04,org.apache.tika.core;bundle-version=1.28.3,org.objectweb
 .asm.all;bundle-version=4.2,org.lucee.xml.resolver;bundle-version=1.2
 .0,slf4j.api;bundle-version=1.7.12,ss.css2;bundle-version=0.9.4,stax.
 api;bundle-version=1.0.1.0002L,sun.jndi.ldap;bundle-version=1.2.4,sun
 .jndi.ldapbp;bundle-version=1.2.4,sun.jndi.ldapsec;bundle-version=1.2
 .4,sun.jndi.providerutil;bundle-version=1.2.4,javax.mail.activation;b
 undle-version=1.6.2.0000L,sun.security.jaas;bundle-version=1.2.4,tags
 oup;bundle-version=1.2.1.0002L,w3c.dom;bundle-version=1.1.0,org.lucee
 .commons.email;bundle-version=1.2.0,org.lucee.jsch;bundle-version=0.1
 .55,org.lucee.jzlib;bundle-version=1.1.3,xmpcore;bundle-version=5.1.2
 .0002L,org.lucee.argon2;bundle-version=2.7.0,com.sun.jna;bundle-versi
 on=5.10.0
Require-Extension: 7E673D15-D87C-41A6-8B5F1956528C605F;name=MySQL;labe
 l=MySQL;version=8.0.30,99A4EF8D-F2FD-40C8-8FB8C2E67A4EEEB6;name=MSSQL
 ;label=MS SQL Server;version=7.2.2.jre8,671B01B8-B3B3-42B9-AC055A356B
 ED5281;name=PostgreSQL;label=PostgreSQL;version=42.2.20,2BCD080F-4E1E
 -48F5-BEFE794232A21AF6;name=JDTsSQL;label=jTDS (MSSQL);version=1.3.1,
 CED6227E-0F49-6367-A68D21AACA6B07E8;name=Admin;label=Lucee Administra
 tor;version=1.0.0.3,D46D49C3-EB85-8D97-30BEC2F38561E985;name=Doc;labe
 l=Lucee Documentation;version=1.0.0.2,17AB52DE-B300-A94B-E058BD978511
 E39E;name=S3;label=S3;version=0.9.4.156,87FE44E5-179C-43A3-A87B3D38BE
 F4652E;name=EHCache;label=EHCache;version=2.10.0.31,D46B46A9-A0E3-44E
 1-D972A04AC3A8DC10;name=Chart;label=CFChart;version=1.0.19.24,FAD1E8C
 B-4F45-4184-86359145767C29DE;name=Hibernate;label=Hibernate;version=3
 .5.5.87,EFDEB172-F52E-4D84-9CD1A1F561B3DFC8;name=Lucene;label=Lucene;
 version=2.4.2.4,66E312DD-D083-27C0-64189D16753FD6F0;name=PDF;label=PD
 F;version=1.1.0.19,FAD67145-E3AE-30F8-1C11A6CCF544F0B7;name=Form;labe
 l=Form tags;version=1.0.0.10;since=5.1.0.21,DF28D0A4-6748-44B9-A2FDC1
 2E4E2E4D38;name=Axis;label=Axis 1;version=1.4.0.37;since=5.3.0.20-ALP
 HA,B737ABC4-D43F-4D91-8E8E973E37C40D1B;name=Image;label=Image;version
 =1.0.0.50;since=5.3.0.35-ALPHA,37C61C0A-5D7E-4256-8572639BE0CF5838;na
 me=Esapi;label=ESAPI;version=2.2.4.8;since=5.3.0.37-ALPHA,8D7FB0DF-08
 BB-1589-FE3975678F07DB17;name=Compress;label=Compress;version=1.0.0.1
 2;since=5.3.2.31-SNAPSHOT,6E2CB28F-98FB-4B51-B6BE6C64ADF35473;name=Aj
 ax;label=Ajax;version=1.0.0.5;since=5.3.2.40-SNAPSHOT

We got a similar alert on our systems but with other files.
lucee/tomcat/lucee-server/patches/5.2.9.31.lco
lucee/tomcat/lucee-server/patches/5.3.7.48.lco
lucee/tomcat/lucee-server/felix-cache/bundle46/version0.0/bundle.jar

Lucee 5.2.9.31

ok, those dlls are coming from jacob Releases · freemansoft/jacob-project · GitHub

reckon it’s a false positive, i.e. it was used in some malware as a lib, we can update it

https://luceeserver.atlassian.net/browse/LDEV-3314

I checked both those attach.dll files against virustotal and both came back clean


@Zackster are the other files that got triggered on our machine also due to the Jacob library?

those files are bundled in the core .lco files, so most likely yes

which like .lex and .jar files are simply .zip files so you can open them to see what’s inside using tools like 7zip on windows
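Since .lco, .lex and bundle .jar files are plain zip archives, the triage done by hand in this thread (find the embedded .dll files, hash them, read Bundle-Version from MANIFEST.MF to match against the upstream release) can be scripted. The following is an added example, not code from the thread or from the Lucee project; the bundle it inspects by default is constructed inline with dummy byte payloads standing in for attach.dll, so the hashes it prints are not those of the real files.

```python
"""Triage helper for a scanner hit inside a Lucee .lco / .lex / OSGi bundle .jar:
open the archive as a zip, list the native libraries it carries with their
hashes (to compare against the upstream release or a VirusTotal lookup), and
parse MANIFEST.MF so the bundle version is known.  Added example; the default
archive is constructed below and is not a real Lucee bundle."""
import hashlib
import io
import sys
import zipfile

NATIVE_SUFFIXES = (".dll", ".so", ".dylib", ".jnilib")


def parse_manifest(text):
    """Parse a JAR manifest into a dict.  Per the JAR spec a line starting with
    a single space continues the previous attribute's value (the 72-byte
    wrapping visible in the MANIFEST.MF quoted earlier in this thread)."""
    attrs = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue  # blank line separates manifest sections
        if raw.startswith(" ") and key is not None:
            attrs[key] += raw[1:]  # continuation: drop the leading space, no separator
            continue
        name, _, value = raw.partition(":")
        key = name.strip()
        attrs[key] = value.strip()
    return attrs


def inspect_bundle(data):
    """Return (manifest_attrs, [(entry_name, size, md5, sha256), ...]) for every
    native library found in the zip payload `data`."""
    natives = []
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename == "META-INF/MANIFEST.MF":
                manifest = parse_manifest(zf.read(info).decode("utf-8"))
            elif info.filename.lower().endswith(NATIVE_SUFFIXES):
                blob = zf.read(info)
                natives.append((info.filename, len(blob),
                                hashlib.md5(blob).hexdigest(),
                                hashlib.sha256(blob).hexdigest()))
    return manifest, natives


def build_sample_bundle():
    """Constructed stand-in for felix-cache/bundleNN/version0.0/bundle.jar.
    The .dll entries hold dummy bytes, not the real attach.dll contents."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Bundle-SymbolicName: lucee.core\r\n"
        "Bundle-Version: 5.3.10.120\r\n"
        "Require-Bundle: org.apache.commons.commons-codec;bundle-version=1.15.0\r\n"
        " ,jacob;bundle-version=1.16.1\r\n"
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("resource/bin/windows64/attach.dll", b"MZ-dummy-64")
        zf.writestr("resource/bin/windows32/attach.dll", b"MZ-dummy-32")
        zf.writestr("lucee/runtime/Dummy.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def report(path=None):
    """Inspect the archive at `path` (or the constructed sample) and print a
    summary; returns the parsed manifest and native-library list."""
    data = open(path, "rb").read() if path else build_sample_bundle()
    manifest, natives = inspect_bundle(data)
    print("Bundle:", manifest.get("Bundle-SymbolicName"), manifest.get("Bundle-Version"))
    for name, size, md5, sha256 in natives:
        print(f"{name}  {size} bytes\n  md5    {md5}\n  sha256 {sha256}")
    return manifest, natives


if __name__ == "__main__":
    # Usage: python inspect_bundle.py /path/to/bundle.jar  (or no argument for the sample)
    report(sys.argv[1] if len(sys.argv) > 1 else None)
```

Pointing `report()` at a real `felix-cache/bundleNN/version0.0/bundle.jar` or a `patches/*.lco` gives the per-DLL hashes to compare with the matching jacob release and the Bundle-Version to confirm which Lucee build the archive belongs to, which is the evidence that separates a revoked-certificate signature hit on a known library from a genuinely modified file.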

Thanks for the confirmation

I, too, got a bunch of alerts on “Revoked.CRT.HookSignTool-9999979-0 FOUND” on yesterday’s clamav scan, which I suspected were false alarms because I scan daily and these were all found in a folder that hasn’t changed in a few years (archived WinXP installs for a virtual machine I maintain, ironically the AVG Anti-Virus installer among them). Glad to hear confirmation. Thanks!

These files are no longer flagged in our daily clamav scans after yesterday’s virus signature updates. False alarm as suspected.

Thanks


thanks for the update, really appreciated!