Ubuntu – Windows Defender reports Win64/Longage Trojan malware in Ubuntu 18.04.3 live server


Windows Defender on 8 Dec 2019 reports Win64/Longage, a severe Trojan, in the Ubuntu 18.04.3 live server ISO, in this file:

ubuntu-18.04.3-live-server-amd64.iso->
pool\main\l\linux\linux-modules-4.15.0-55-generic_4.15.0-55.60_amd64.deb->data.tar.xz->(xz)->
./lib/modules/4.15.0-55-generic/kernel/drivers/md/raid456.ko


Best Answer

I have received the exact same message today. I've downloaded the .iso again to a separate Ubuntu machine and verified the checksum:

$ echo "b9beac143e36226aa8a0b03fc1cbb5921cff80123866e718aaeba4edb81cfa63 *ubuntu-18.04.3-live-server-amd64.iso" | shasum -a 256 --check
ubuntu-18.04.3-live-server-amd64.iso: OK

After that, I extracted the file in question (raid456.ko) and uploaded it to virustotal.com: https://www.virustotal.com/gui/file/9443cd40874b29cf452a7af3a033fc72f5afff26e2bfd43ca0dfcf81c5a9127f/detection

It was last analyzed a month ago and it was fine. I've reanalyzed it and it seems that now Microsoft is the only one detecting this as Trojan:Win64/Longage (screenshot).

I would say new Microsoft Defender signatures triggered a false positive here. Even in the very unlikely event that Ubuntu had embedded a trojan in the .iso, the Windows machine itself does not / should not execute Linux (ELF) binaries, so there's nothing to worry about on the Windows side. However, if that were the case we would, of course, have a whole lot bigger issue to worry about.

I have submitted this file to Microsoft and flagged it as false positive, using this link: https://www.microsoft.com/en-us/wdsi/filesubmission

I'll update this answer when/if I receive a response from Microsoft analyst.

UPDATE: No response from Microsoft yet, but their engine no longer detects this. TrendMicro does now though. The likelihood that this is a false positive is extremely high.

UPDATE 2: I also submitted the file to TrendMicro yesterday (no reply yet; I will not follow up). I consider this case closed. Reply from Microsoft:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
  3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.
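The triage the answer walks through (verify the download against its published SHA-256, dig the flagged member out of the .deb's data.tar.xz, then hash it so it can be looked up on VirusTotal by digest rather than uploaded) can be scripted end to end. The following is an added example, written for this page and not code from the answerer or from Ubuntu; it parses the ar(1) container that a .deb is, reads data.tar.* with the standard library, and checks a `shasum -a 256` style line. The ISO body, the kernel-module body and the package it builds are constructed stand-ins, not the real Ubuntu artefacts, so the digests it prints are not the ones quoted above.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed stand-ins for the artefacts discussed in the answer (not the real files).
ISO_NAME = "ubuntu-18.04.3-live-server-amd64.iso"
MODULE_PATH = "./lib/modules/4.15.0-55-generic/kernel/drivers/md/raid456.ko"
FAKE_ISO = b"\x00" * 32768 + b"CD001" + b"constructed ISO body, not Ubuntu's"
FAKE_MODULE = b"\x7fELF" + b"constructed kernel-module body, not raid456.ko"

AR_MAGIC = b"!<arch>\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_line(data: bytes, name: str) -> str:
    """Produce a line in the format `shasum -a 256` prints for a binary-mode file."""
    return f"{sha256_hex(data)} *{name}"


def verify_checksum_line(line: str, data: bytes) -> bool:
    """Check `data` against one '<hex> *<name>' (or '<hex>  <name>') line."""
    expected, _, _name = line.strip().partition(" ")
    # constant-time compare out of habit; both sides are 64 hex characters
    return hmac.compare_digest(sha256_hex(data), expected.lower())


def _ar_member(name: str, data: bytes) -> bytes:
    """One ar(1) member: 60-byte ASCII header, raw data, newline pad to an even offset."""
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}`\n"
    assert len(hdr) == 60
    return hdr.encode("ascii") + data + (b"\n" if len(data) % 2 else b"")


def iter_ar_members(blob: bytes):
    """Yield (name, bytes) for each member of an ar archive such as a .deb."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive / .deb")
    off = len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt member header at offset {off}")
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58])
        start = off + 60
        yield name, blob[start:start + size]
        off = start + size + (size % 2)


def _tar_xz(files: dict) -> bytes:
    """Build an xz-compressed tar from {path: bytes} in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_fake_deb(files: dict) -> bytes:
    """Assemble a structurally valid .deb: debian-binary, control.tar.xz, data.tar.xz."""
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.xz", _tar_xz({"./control": b"Package: constructed\n"}))
            + _ar_member("data.tar.xz", _tar_xz(files)))


def extract_deb_member(deb: bytes, wanted: str) -> bytes:
    """Return the bytes of one path inside the package's data.tar.* member."""
    norm = lambda p: p.lstrip("./")  # tolerate './lib/...' vs 'lib/...' spellings
    for name, data in iter_ar_members(deb):
        if not name.startswith("data.tar"):
            continue
        # 'r:*' autodetects gz/bz2/xz; zstd (data.tar.zst on newer Ubuntu) is not in stdlib
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf:
                if member.isfile() and norm(member.name) == norm(wanted):
                    return tf.extractfile(member).read()
        raise KeyError(f"{wanted} not present in data.tar")
    raise ValueError("no data.tar.* member in package")


if __name__ == "__main__":
    line = checksum_line(FAKE_ISO, ISO_NAME)
    print(line, "OK" if verify_checksum_line(line, FAKE_ISO) else "FAILED")
    deb = build_fake_deb({MODULE_PATH: FAKE_MODULE})
    module = extract_deb_member(deb, MODULE_PATH)
    # look the digest up instead of uploading the sample
    print(f"https://www.virustotal.com/gui/file/{sha256_hex(module)}")
```

On a real download you would feed `verify_checksum_line` the line from Ubuntu's SHA256SUMS and the ISO bytes, pull the .deb out of the mounted ISO, and pass it to `extract_deb_member` with the path quoted in the question; the printed URL is the same form as the VirusTotal link in the answer, so a digest that is already known there needs no upload at all.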