Suspicious ppa neurobin - potential virus generator

Asked by Daniel

I'm not totally sure, and I don't have a safe environment to check it, but..

I wanted to download shc from the ppa:neurobin/ppa, the file is https://ppa.launchpadcontent.net/neurobin/ppa/ubuntu/pool/main/s/shc/shc_4.0.1-1_amd64.debXX (remove the XX).

The tool should compile a shell script to an executable ELF file (native binary).

I used the following input file:

a.sh:
    #!/bin/sh
    echo abc

and called

    shc -f a.sh -o a

then started

./a:
    ./BeurerScaleManager-launcher: ����h:���O�7ZG]�=�Ӎhas expired!
    Please contact your provider <email address hidden>

I guess something didn't work. But the text was highly alarming to me, so I checked the intermediate C file, and it looks very weird, with lots of encoded data, and with the following main code, which is far away from what I wrote.

--
last lines:
        argv[1] = xsh(argc, argv);
        fprintf(stderr, "%s%s%s: %s\n", argv[0],
                errno ? ": " : "",
                errno ? strerror(errno) : "",
                argv[1] ? argv[1] : "<null>"
        );
        return 1;
--

I checked the file on virustotal, the result is that 4 engines show it as suspicious.

https://www.virustotal.com/gui/file/5254a18cf03010275c89c38f381d7ab6a99e9ddd5d20f50c567543c02ab99ebd?nocache=1
https://ibb.co/Lzk0WSm

I don't know what happened here with the ppa, but this software IS NOT SAFE

Question information

Language: English
Status: Answered
For: Launchpad itself
Assignee: No assignee
Jürgen Gmach (jugmac00) said :
#1

Thank you, I asked our colleagues from the security department for support.

Mark Esler (eslerm) said :
#2

This does not sound alarming: https://github.com/neurobin/shc

Daniel (hackie) said :
#3

@mark how does this reference bring you to this conclusion?

Yes, shc is a compiler, but it seems that this compiler doesn't produce what it should. A simple "echo abc" shouldn't result in a file which downloads something from the internet, or whatever happens when trying to execute this file.

Mark Esler (eslerm) said :
#4

Running your PoC with the latest version of shc from main on clean xenial and lunar VMs results in binaries printing `abc`.

Running your PoC with shc-4.0.1-1 from the ~neurobin repo on a clean trusty VM also results in a binary echoing `abc`. I cannot reproduce your error message. Monitoring the VM's network with tcpdump verifies no network activity.

The claims in the code comments of shc.c appear true.

Generally, I am not concerned with obfuscators and would expect virus heuristics to alarm at software similar to this.

Daniel (hackie) said (last edit ):
#5

then it's probably time to learn. and check your system ;)

this article is dated January 4, 2023:
https://www.bleepingcomputer.com/news/security/new-shc-compiled-linux-malware-installs-cryptominers-ddos-bots/

Mark Esler (eslerm) said :
#6

"A new Linux malware downloader created using SHC"

Do you believe there is malicious code in the shc compiler?

Daniel (hackie) said :
#7

yes, that is what this ticket is about.

I don't think this code is executed by running shc. but it seems to be executed by running a binary which was generated by shc, so yes, the code comes from shc.

maybe not all versions, and not all binaries, but the shc_4.0.1-1_amd64.deb seems to contain what is mentioned in the article

Mark Esler (eslerm) said :
#8

I cannot reproduce the reported issue in shc_4.0.1-1_amd64.deb.

All compilers can be used to generate malware.

Please raise an issue with https://github.com/neurobin/shc if you are still concerned.

Daniel (hackie) said :
#9

Sorry, I can't help here anymore. If you want to keep this software, keep it. I won't use it. I found something and reported it, that's all I will do.

Yes, all compilers can be used to generate malware, if the input is malware.

In my example, the input is not malware, but the output is. So there is a piece in the middle which turns it into malware, and this piece is the mentioned shc.

I guess you've seen the virustotal result. I guess you've ignored it.

I did some last/further tests, under different versions of ubuntu:

---
$ docker run -ti ubuntu:14.04
-or-
$ docker run -ti ubuntu:22.04

apt-get update
apt-get install software-properties-common gcc
add-apt-repository ppa:neurobin/ppa
apt-get update
apt-get install shc

echo '#!/bin/sh' >simplescript-harmless.sh
echo 'echo abc' >>simplescript-harmless.sh
cat simplescript-harmless.sh

shc -f simplescript-harmless.sh -o simplescript-harmful

./simplescript-harmful
# this file seems harmless. probably it doesn't execute anything when being run in a container

# upload this file now to virustotal and look.
---

Summary:

Ubuntu 14.04: malicious code
apt-get download --print-uris shc : 'http://ppa.launchpad.net/neurobin/ppa/ubuntu/pool/main/s/shc/shc_4.0.1-1_amd64.deb' shc_4.0.1-1_amd64.deb 17730 SHA256:2efbc2279651a9f783ce147b6dd91619ad8b5724c3bd168a0848c8748017a5dc
Version: 4.0.1-1 (under 14.04)
https://www.virustotal.com/gui/file/ad2742341a40373eb16475ee2f2a45738ead14bc190122ea2be98cd5584aa9ee?nocache=1

Ubuntu 22.04: seems ok
apt-get download --print-uris shc : 'http://archive.ubuntu.com/ubuntu/pool/universe/s/shc/shc_4.0.3-1_amd64.deb' shc_4.0.3-1_amd64.deb 22788 SHA512:036b3d0a7ef0d77cffac3bb7c4fa4eae3c5b66d88ca0eba116db81cdc6ba6a6d442077c72e227626bc82f293520a3cd8d434200e02362ed4a110a69844af1b0d
Version: 4.0.3-1 (under 22.04)
https://www.virustotal.com/gui/file/9836d133b7706cc700ee396531b767047c8115916bf750bdaeeab3124cef8952?nocache=1
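One check worth adding to the reproduction procedure above, before uploading or running anything from a PPA: confirm that the .deb actually on disk is the exact file apt printed for it. The `apt-get download --print-uris shc` lines quoted in this post carry the file name, the byte size and a SHA256 (or, from newer apt, SHA512) digest, so they can be checked against the downloaded file directly. The script below is an added example written for this page, not code from the thread or from the shc project; the URLs, file names and digests in its demo are constructed (the 3-byte "package" is just the string "abc" and its well-known SHA-256), and a real run would pass the actual `--print-uris` line and the actual .deb path.

```bash
#!/bin/sh
# Added example (not from the thread or the shc project): verify that a .deb
# fetched from a PPA has the size and digest apt printed for it.
# `apt-get download --print-uris shc` emits lines of the form
#   'URL' filename size SHA256:hex      (newer apt may print SHA512:hex)
# All URLs, file names and digests used in demo() below are constructed.

# parse_print_uris LINE -> "filename size algo hexdigest" on stdout
parse_print_uris() {
    printf '%s\n' "$1" | awk '{
        split($4, d, ":")
        print $2, $3, tolower(d[1]), d[2]
    }'
}

# verify_deb LINE PATH: return 0 if PATH has the size and digest LINE promises,
# 1 on a mismatch, 2 if the digest algorithm is one we cannot check here.
verify_deb() {
    line="$1"
    path="$2"
    set -- $(parse_print_uris "$line")
    want_size="$2"
    algo="$3"
    want_hex="$4"

    have_size=$(wc -c < "$path" | tr -d ' ')
    case "$algo" in
        sha256) have_hex=$(sha256sum "$path" | cut -d' ' -f1) ;;
        sha512) have_hex=$(sha512sum "$path" | cut -d' ' -f1) ;;
        *) echo "verify_deb: unsupported digest '$algo'" >&2; return 2 ;;
    esac

    if [ "$have_size" != "$want_size" ]; then
        echo "verify_deb: size mismatch: have $have_size, expected $want_size" >&2
        return 1
    fi
    if [ "$have_hex" != "$want_hex" ]; then
        echo "verify_deb: $algo mismatch for $path" >&2
        return 1
    fi
    echo "verify_deb: $path matches ($algo, $want_size bytes)"
    return 0
}

# demo: a constructed 3-byte "package" whose SHA-256 is the well-known digest
# of the string "abc"; the second print-uris line carries a wrong digest.
demo() {
    tmp=$(mktemp)
    printf '%s' abc > "$tmp"
    good="'http://ppa.example.invalid/pool/main/s/shc/shc_0.0-0_amd64.deb' shc_0.0-0_amd64.deb 3 SHA256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    bad="'http://ppa.example.invalid/pool/main/s/shc/shc_0.0-0_amd64.deb' shc_0.0-0_amd64.deb 3 SHA256:0000000000000000000000000000000000000000000000000000000000000000"
    rc=0
    verify_deb "$good" "$tmp" || rc=1            # expected: match
    if verify_deb "$bad" "$tmp"; then rc=1; fi   # expected: mismatch, exit 1
    rm -f "$tmp"
    return $rc
}
```

Usage in practice: `verify_deb "$(apt-get download --print-uris shc)" ./shc_4.0.1-1_amd64.deb`. A mismatch means the file you are about to analyse (or upload to VirusTotal) is not the one apt resolved, so any verdict on it says nothing about the package in the PPA; a match only ties the file to the repository's index, it says nothing about whether the contents are benign.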

Mark Esler (eslerm) said (last edit ):
#10

Thank you for checking and adding more notes.

On a fresh VM of Trusty 14.04.6 using the latest server image (sha256: b17d7c1e9d0321ad5810ba77b69aef43f0f29a5422b08120e6ee0576c4527c0e), I ran your commands (and added the key of the neurobin PPA). Running the resulting binary prints `abc`.

If you share information about your 14.04 docker image, I can test that as well. https://hub.docker.com/_/ubuntu does not list 14.04 as a supported tag.

Seth Arnold (seth-arnold) said :
#11

Do you have access to the 'Files dropped' on https://www.virustotal.com/gui/file/ad2742341a40373eb16475ee2f2a45738ead14bc190122ea2be98cd5584aa9ee/behavior ? Most of that list of files just looks like standard log rotation.

One huge question is /var/jbx/logs/jbxinit.linux.out.log -- is this an artifact of how virustotal works? or one of the sandboxes that reported these files? Or is this a malicious file?
