New malware identified when trying to download metasploitable3-master.zip #497

Closed
sudo-chinche opened this issue Nov 15, 2020 · 11 comments

Comments

@sudo-chinche

Issue Description

Please check the General Issues section in the wiki before you submit the issue.
If you didn't find your issue mentioned, please give a thorough description of the issue you're seeing.
Also, please be sure to include any troubleshooting steps that you've already attempted.

I have seen other similar issues where different malware was identified while trying to download, and all of them seem to be false positives. This time Windows firewall and Chrome both block the download because both identified malware:

Level of blocked threat: severe
Malware detected: Backdoor:ASP/Dirtelti.HA
Date: I tried to download it yesterday and today 15.11.2020
Details: This program provides remote access to the computer on which it is installed.
https://go.microsoft.com/fwlink/?linkid=142185&name=Backdoor:ASP/Dirtelti.HA&threatid=2147761339
file: C:\Users\xxxx\Downloads\metasploitable3-master.zip
webfile: C:\Users\xxxx\Downloads\metasploitable3-master.zip|https://codeload.github.com/rapid7/metasploitable3/zip/master|pid:3768,ProcessStart:132498561430364935

Is it still a false positive? I can't see the specific file in the zip that launches the alert; it's just after 100-110 MB downloaded.

Host System

  • OS: Windows 10
  • Browser: Google Chrome Version 86.0.4240.198 (Official Build) (64-bit)
  • Packer Version: 1.6.5
  • Vagrant Version: 2.2.13
  • VirtualBox Version: 6.1

Command Output

Copy the relevant command output here.
If it's long, either post to a gist and add the link here, or isolate the error lines.

Thanks in advance.

@tehtw

tehtw commented Nov 16, 2020

Chrome flagged the zip as malware and dangerous when I tried to download it as well, but there are other reports of this in General Issues with some answers. Here - #280

It is important to remember that metasploitable is a vulnerable web app and should be run cautiously and in Host-Only or NAT mode.

  • Host-Only: The VM will be assigned one IP, but it's only accessible by the box the VM is running on. No other computers can access it.

  • NAT: Just like your home network with a wireless router, the VM will be assigned an address in a separate subnet; e.g. 192.168.6.1 is your host computer and the VM is 192.168.6.3. Then your VM can access the outside network like your host, but there is no outside access to your VM directly; it's protected.
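
Added example, not from the original post or the metasploitable3 project: a PowerShell check that reads a VirtualBox VM's network configuration through `VBoxManage showvminfo --machinereadable` and refuses to continue if the guest is reachable from beyond the host. It goes one step past the Host-Only/NAT explanation above by also inspecting NAT port-forwarding rules, since a rule whose host IP is left empty binds to every host interface and exposes the guest port to the LAN regardless of the NAT attachment. The VM name at the bottom is a placeholder; `VBoxManage` is assumed to be on PATH.

```powershell
# Added example, not part of the metasploitable3 project. Assumes VBoxManage is
# on PATH; the VM name at the bottom is a placeholder for your own VM.

function Get-VBoxNetworkFacts {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$VmName)

    # --machinereadable prints one key="value" pair per line, for example:
    #   nic1="nat"
    #   nic2="hostonly"
    #   Forwarding(0)="ssh,tcp,127.0.0.1,2222,,22"
    $lines = & VBoxManage showvminfo $VmName --machinereadable
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage could not read VM '$VmName'" }

    foreach ($line in $lines) {
        if ($line -match '^nic(\d+)="([^"]*)"$') {
            [pscustomobject]@{ Kind = 'nic'; Name = "nic$($Matches[1])"; Value = $Matches[2]; HostIp = $null }
        }
        elseif ($line -match '^Forwarding\(\d+\)="([^"]*)"$') {
            # rule fields: name,protocol,hostip,hostport,guestip,guestport
            $f = $Matches[1] -split ','
            [pscustomobject]@{ Kind = 'forward'; Name = $f[0]; Value = "$($f[1]) $($f[3]) -> guest $($f[5])"; HostIp = $f[2] }
        }
    }
}

function Assert-VBoxVmIsolated {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$VmName)

    $facts = Get-VBoxNetworkFacts -VmName $VmName
    $problems = @()

    # A bridged adapter puts the guest directly on the physical LAN.
    foreach ($n in ($facts | Where-Object { $_.Kind -eq 'nic' -and $_.Value -eq 'bridged' })) {
        $problems += "$($n.Name) is bridged"
    }

    # NAT keeps the guest private only while every port-forwarding rule binds
    # to loopback; an empty host IP in a rule means all host interfaces.
    foreach ($r in ($facts | Where-Object { $_.Kind -eq 'forward' -and $_.HostIp -notin @('127.0.0.1', '::1') })) {
        $bind = if ($r.HostIp) { $r.HostIp } else { 'all host interfaces' }
        $problems += "forwarding rule '$($r.Name)' ($($r.Value)) listens on $bind"
    }

    if ($problems.Count -gt 0) {
        throw ("VM '$VmName' is reachable from outside the host:`n  " + ($problems -join "`n  "))
    }
    Write-Host "VM '$VmName' is confined to host-only, NAT or internal networking"
}

# Usage (placeholder VM name): run before the first boot of the vulnerable guest.
Assert-VBoxVmIsolated -VmName 'metasploitable3-win2k8'
```

To move an adapter off the LAN, `VBoxManage modifyvm <vm> --nic1 hostonly --hostonlyadapter1 <adapter>` (adapter names come from `VBoxManage list hostonlyifs`) or `--nic1 intnet` for an internal network that only other VMs can join; re-run the check afterwards rather than trusting the GUI.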

@sudo-chinche
Author

Thank you, tehtw. Don't worry about running this VM; I have an isolated virtual network where this machine will be running in "internal" network mode.

My concerns are related to the VirusTotal analysis, where it finds bundled files different from the files named in previous issues (kingofclubs.exe?), and since my Windows Defender and my explorer don't allow me to download it unless I deactivate all firewall and antivirus, I can't even install this VM in the isolated network at all without putting my computer at risk.

I have been able to download it in one of the virtual machines installed in the isolated network, but I think it's not possible to install it from there in VirtualBox without going through the physical machine.

@sudo-chinche
Author

Windows powershell execution: The operation could not be completed because the file contains a virus or potentially unwanted software.

Log:

PS E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master> packer build --only=virtualbox-iso ./packer/templates/windows_2008_r2.json
virtualbox-iso: output will be in this color.

==> virtualbox-iso: Retrieving Guest additions
==> virtualbox-iso: Trying C:\Program Files\Oracle\VirtualBox/VBoxGuestAdditions.iso
==> virtualbox-iso: Trying file://C:/Program%20Files/Oracle/VirtualBox/VBoxGuestAdditions.iso
==> virtualbox-iso: file://C:/Program%20Files/Oracle/VirtualBox/VBoxGuestAdditions.iso => C:/Program Files/Oracle/VirtualBox/VBoxGuestAdditions.iso
==> virtualbox-iso: Retrieving ISO
==> virtualbox-iso: Trying http://download.microsoft.com/download/7/5/E/75EC4E54-5B02-42D6-8879-D8D3A25FBEF7/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso
==> virtualbox-iso: Trying http://download.microsoft.com/download/7/5/E/75EC4E54-5B02-42D6-8879-D8D3A25FBEF7/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso?checksum=md5%3A4263be2cf3c59177c45085c0a7bc6ca5
==> virtualbox-iso: http://download.microsoft.com/download/7/5/E/75EC4E54-5B02-42D6-8879-D8D3A25FBEF7/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso?checksum=md5%3A4263be2cf3c59177c45085c0a7bc6ca5 => E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer_cache\6a49219888284f0371f588f026e9ccf49f186c33.iso
==> virtualbox-iso: Creating floppy disk...
virtualbox-iso: Copying files flatly from floppy_files
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../answer_files/2008_r2/Autounattend.xml
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../scripts/configs/microsoft-updates.bat
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../scripts/configs/win-updates.ps1
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../scripts/installs/openssh.ps1
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../scripts/installs/install_dotnet45.ps1
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../scripts/installs/install_wmf.ps1
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/oracle-cert.cer
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/gdig2.crt
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/comodorsadomainvalidationsecureserverca.crt
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/comodorsacertificationauthority.crt
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/addtrust_external_ca.cer
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/baltimore_ca.cer
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/digicert.cer
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/equifax.cer
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/globalsign.cer
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/gte_cybertrust.cer
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/microsoft_root_2011.cer
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/thawte_primary_root.cer
virtualbox-iso: Copying file: E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources/certs/utn-userfirst.cer
virtualbox-iso: Done copying files from floppy_files
virtualbox-iso: Collecting paths from floppy_dirs
virtualbox-iso: Resulting paths from floppy_dirs : []
virtualbox-iso: Done copying paths from floppy_dirs
==> virtualbox-iso: Creating virtual machine...
==> virtualbox-iso: Creating hard drive...
==> virtualbox-iso: Mounting ISOs...
virtualbox-iso: Mounting boot ISO...
==> virtualbox-iso: Deleting any current floppy disk...
==> virtualbox-iso: Attaching floppy disk...
==> virtualbox-iso: Creating forwarded port mapping for communicator (SSH, WinRM, etc) (host port 2685)
==> virtualbox-iso: Executing custom VBoxManage commands...
virtualbox-iso: Executing: modifyvm metasploitable3-win2k8 --memory 4096
virtualbox-iso: Executing: modifyvm metasploitable3-win2k8 --cpus 2
==> virtualbox-iso: Starting the virtual machine...
==> virtualbox-iso: Waiting 10m0s for boot...
==> virtualbox-iso: Typing the boot command...
==> virtualbox-iso: Using ssh communicator to connect: 127.0.0.1
==> virtualbox-iso: Waiting for SSH to become available...
==> virtualbox-iso: Connected to SSH!
==> virtualbox-iso: Uploading VirtualBox version info (6.1.12)
==> virtualbox-iso: Uploading VirtualBox guest additions ISO...
==> virtualbox-iso: Uploading E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../scripts => C:/vagrant
==> virtualbox-iso: Uploading E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\packer\templates/../../resources => C:/vagrant
==> virtualbox-iso: Upload failed: open E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\resources\jmx\jmx.exe: The operation could not be completed because the file contains a virus or potentially unwanted software.
==> virtualbox-iso: Provisioning step had errors: Running the cleanup provisioner, if present...
==> virtualbox-iso: Cleaning up floppy disk...
==> virtualbox-iso: Deregistering and deleting VM...
==> virtualbox-iso: Deleting output directory...
Build 'virtualbox-iso' errored after 1 hour 30 minutes: open E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\resources\jmx\jmx.exe: The operation could not be completed because the file contains a virus or potentially unwanted software.

==> Wait completed after 1 hour 30 minutes

==> Some builds didn't complete successfully and had errors:
--> virtualbox-iso: open E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\resources\jmx\jmx.exe: The operation could not be completed because the file contains a virus or potentially unwanted software.

==> Builds finished but no artifacts were created.

@bcoles

bcoles commented Nov 22, 2020

==> virtualbox-iso: Upload failed: open E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master\resources\jmx\jmx.exe:

Your anti-virus software has removed jmx.exe

#346
#455

@sudo-chinche
Author

Not really, I configured the antivirus not to delete anything from this directory:
[image attached]

@bcoles

bcoles commented Nov 22, 2020

Not really, I configured the antivirus not to delete anything from this directory:
[image attached]

ok

anti-virus has flagged jmx.exe

#346
#455

@Isaaai

Isaaai commented Nov 30, 2020

I used Microsoft Edge browser and was able to download it just fine.

@jmartin-tech
Contributor

While the project tries to get all files whitelisted in AV, these issues do crop up from time to time.

This is false-positive mirroring issue #280, the binary is a service executable to provide for one of the intended vulnerable configurations in the windows host.
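
Added example, not from the thread's participants or the metasploitable3 project: before treating the detection as a false positive and excluding the directory, confirm that the local `resources\jmx\jmx.exe` is byte-for-byte the file committed in the repository. The script recomputes git's blob hash (SHA-1 over `blob <size>\0` plus the contents, the value `git hash-object` prints) and compares it with the blob SHA listed for the commit you downloaded (`git ls-tree <commit> -- resources/jmx/jmx.exe` in a clone, or the `sha` field the GitHub contents API returns for that path). Because Defender's real-time protection blocks the file from being opened at all (that is what turned Packer's `open` into the error in the log above), the path exclusion is added first and removed again if the hash does not match. Paths, the VM tree location and the expected hash are placeholders; the Defender cmdlets need an elevated shell.

```powershell
# Added example, not part of the metasploitable3 project. Run from an elevated
# PowerShell (the Defender cmdlets need it). The repository path and the
# expected blob hash used at the bottom are placeholders.

function Get-GitBlobSha {
    # Recomputes what `git hash-object <file>` prints: SHA-1 over the header
    # "blob <size>\0" followed by the file contents.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $header = [System.Text.Encoding]::ASCII.GetBytes("blob $($bytes.Length)`0")
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    try     { $digest = $sha1.ComputeHash([byte[]]($header + $bytes)) }
    finally { $sha1.Dispose() }
    ([System.BitConverter]::ToString($digest) -replace '-', '').ToLowerInvariant()
}

function Show-DefenderHistory {
    # What Defender already did with the file: when it was detected, which
    # threat id fired, and whether the remediation action succeeded.
    param([Parameter(Mandatory)][string]$FileName)
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($FileName) } |
        Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
}

function Approve-Metasploitable3Tree {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$RepoRoot,        # extracted metasploitable3-master directory
        [Parameter(Mandatory)][string]$ExpectedBlobSha  # `git ls-tree <commit> -- resources/jmx/jmx.exe` in a clone
    )

    $jmx = Join-Path $RepoRoot 'resources\jmx\jmx.exe'
    if (-not (Test-Path -LiteralPath $jmx)) {
        throw "jmx.exe is missing from $RepoRoot; check Defender's quarantine and restore it from the zip first."
    }

    # The exclusion has to exist before the file can be read at all; keep it
    # scoped to this one tree so Defender still sees everything else.
    $added = $false
    if ((Get-MpPreference).ExclusionPath -notcontains $RepoRoot) {
        Add-MpPreference -ExclusionPath $RepoRoot
        $added = $true
    }

    try {
        $actual = Get-GitBlobSha -Path $jmx
    } catch {
        if ($added) { Remove-MpPreference -ExclusionPath $RepoRoot }
        throw "jmx.exe still cannot be read ($($_.Exception.Message)); confirm the exclusion path matches the drive and folder exactly."
    }

    if ($actual -ne $ExpectedBlobSha.ToLowerInvariant()) {
        # Not the committed binary: withdraw the exclusion and let Defender keep it.
        if ($added) { Remove-MpPreference -ExclusionPath $RepoRoot }
        throw "jmx.exe does not match the committed blob (expected $ExpectedBlobSha, got $actual)"
    }
    Write-Host "jmx.exe matches blob $actual; $RepoRoot stays excluded from Defender scanning"
}

# Usage (placeholders):
# Show-DefenderHistory -FileName 'jmx.exe'
# Approve-Metasploitable3Tree -RepoRoot 'E:\user-sudo-chinche\Maquinas_Virtuales\metasploitable3-master' `
#                             -ExpectedBlobSha '<40-hex blob sha from git ls-tree>'
```

A matching blob hash only proves the file is the one the maintainers committed, not that it is harmless; that is the intended trust decision here, since the binary is a deliberately vulnerable service for the lab VM. The exclusion must cover the exact path Packer reads from (the extracted tree, not just the zip), and the browser-side block is a separate download-reputation check that this script does not touch.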

@jtheanalytica

Hi there;
Just tried to download the ZIP file: same issue, the Edge browser detected a payload.
Please see attached.
Any idea how to solve this? Or does this really contain a payload?

[image attached: "payload detected"]

Thanks

7 participants