
Comments (6)

m10x commented on May 24, 2024

The new release was compiled with Ubuntu 22.04.4 LTS and go1.22.1
https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner/releases/tag/1.2.1
No FPs anymore. (The question is for how long...)


Dave-0-0 commented on May 24, 2024

I just compiled using the same OS/Go version. No scanners detected it for me either. Thank you for your help with this.


m10x commented on May 24, 2024

Hello @Dave-0-0,

Thanks for bringing this to our attention. The provided binaries are all cross-compiled from an Ubuntu host. That should be the reason for both the non-matching hashes (not sure if the Golang version etc. plays a role as well) and the AV detections. Golang is widely used among malware writers, especially for its cross-compilation features.
I just cross-compiled it from source on another Ubuntu host and it got flagged by the same 4 AVs.
We will check whether it's feasible to compile it on a Windows host or to contact the AV vendors.


Dave-0-0 commented on May 24, 2024

Hello @m10x

Thank you for the quick response. I also thought it might be related to cross-compiling; however, when I compile the source on an Ubuntu machine, I get a second, different sha256 hash.

GOOS=windows GOARCH=amd64 go build web-cache-vulnerability-scanner.go 
sha256sum web-cache-vulnerability-scanner.exe 
3fc6293ac74442ec7cb1c9c56aca29c0ff59afc29336f80f0513db612df033b4  web-cache-vulnerability-scanner.exe

Can you share the version of Ubuntu and version of Go you are using to do the cross compilation? I'd like to see if I can reproduce the hash from the original binary from the source code.

Thanks,

Dave


m10x commented on May 24, 2024

Summary:

Some AVs seem not to like cross-compilation with Go version 1.21.5 (on a PopOS host)

Detailed:

This is from my current Ubuntu Host with go1.22.1 (0 positive)

GOOS=windows GOARCH=amd64 go build web-cache-vulnerability-scanner.go && sha256sum ./web-cache-vulnerability-scanner.exe:
03ac1b66a9c6a0ad44c6520415df31deab38d98c6d50aafa8329e3358031ce8a  ./web-cache-vulnerability-scanner.exe

VERSION="22.04.4 LTS (Jammy Jellyfish)"
go version go1.22.1 linux/amd64

virustotal (0 positive): https://www.virustotal.com/gui/file/03ac1b66a9c6a0ad44c6520415df31deab38d98c6d50aafa8329e3358031ce8a?nocache=1

This is from my PopOS Host (distro based on Ubuntu) with go1.21.5 (4 Positive)

GOOS=windows GOARCH=amd64 go build web-cache-vulnerability-scanner.go 
sha256sum web-cache-vulnerability-scanner.exe 
58620c66ee90dbdd287580dd66dab8ae322c2d381bef035b7bb41bbf3dff254b  web-cache-vulnerability-scanner.exe

ID_LIKE="ubuntu debian"
PRETTY_NAME="Pop!_OS 22.04 LTS"

go version
go version go1.21.5 linux/amd64

https://www.virustotal.com/gui/file/58620c66ee90dbdd287580dd66dab8ae322c2d381bef035b7bb41bbf3dff254b?nocache=1

After upgrading go from 1.21.5 to 1.22.1 it went down to 0 positive

go version
go version go1.22.1 linux/amd64
GOOS=windows GOARCH=amd64 go build web-cache-vulnerability-scanner.go 
sha256sum web-cache-vulnerability-scanner.exe 
98b3b115105c038bf0e4832ef693ae277191beeae616b87918c42d500fec5a69  web-cache-vulnerability-scanner.exe

https://www.virustotal.com/gui/file/98b3b115105c038bf0e4832ef693ae277191beeae616b87918c42d500fec5a69?nocache=1

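An added example, not part of the thread or the project's code: one way to see why two builds of the same source hash differently is to diff the build metadata the Go toolchain embeds in each binary, using the standard `debug/buildinfo` package. The names `mustReadMeta`, `diffMeta` and `builddiff` are hypothetical.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"sort"
)

// mustReadMeta returns the toolchain version and recorded build settings of a Go binary (ELF or PE).
func mustReadMeta(path string) map[string]string {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		log.Fatalf("cannot read build info from %s: %v", path, err)
	}
	m := map[string]string{"go": bi.GoVersion}
	for _, s := range bi.Settings {
		m[s.Key] = s.Value // e.g. GOOS, GOARCH, CGO_ENABLED, -trimpath
	}
	return m
}

// diffMeta returns one sorted line per key whose value differs between the two builds.
func diffMeta(a, b map[string]string) []string {
	keys := map[string]bool{}
	for _, m := range []map[string]string{a, b} {
		for k := range m {
			keys[k] = true
		}
	}
	var out []string
	for k := range keys {
		if a[k] != b[k] {
			out = append(out, fmt.Sprintf("%s: %q != %q", k, a[k], b[k]))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	if len(os.Args) != 3 {
		log.Fatal("usage: builddiff <release.exe> <local.exe>")
	}
	for _, line := range diffMeta(mustReadMeta(os.Args[1]), mustReadMeta(os.Args[2])) {
		fmt.Println(line)
	}
}
```

An empty diff does not guarantee equal hashes: local file system paths are also embedded unless the binary is built with `-trimpath`.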

m10x commented on May 24, 2024

My bet is that some malware was cross-compiled using go1.21.5 and therefore some AVs are throwing false positives. I'll create a new minor release soon and will use go 1.22.1 for cross-compilation. I hope that the AVs won't throw a FP again sometime in the future. When the latest release was created over a month ago, it wasn't flagged by any AV.
