ClamAV detected Coinminer in docker image

[shawnhwei]

Was scanning the other day and got the warning on my containerd folder. Sure enough I can reproduce it by saving the docker image.

shawn@SHAWN-DESKTOP:~$ docker pull docker.io/binwiederhier/ntfy
Using default tag: latest
latest: Pulling from binwiederhier/ntfy
Digest: sha256:d13fda9b2741de857c3c9be2f89b24c514922da7aa3da060580640865beffdc1
Status: Image is up to date for binwiederhier/ntfy:latest
docker.io/binwiederhier/ntfy:latest
shawn@SHAWN-DESKTOP:~$ docker save -o ntfy.tar docker.io/binwiederhier/ntfy@sha256:d13fda9b2741de857c3c9be2f89b24c514922da7aa3da060580640865beffdc1
shawn@SHAWN-DESKTOP:~$ mkdir ntfy
shawn@SHAWN-DESKTOP:~$ tar -xf ntfy.tar -C ntfy
shawn@SHAWN-DESKTOP:~$ clamscan -r -i ntfy
/home/shawn/ntfy/785c9d282366f58ab6d7a65b79e22192780e823a0455bddbbf84facdc4732370/layer.tar: Unix.Packed.Coinminer-6856324-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8647316
Engine version: 0.103.6
Scanned directories: 3
Scanned files: 8
Infected files: 1
Data scanned: 34.96 MB
Data read: 26.05 MB (ratio 1.34:1)
Time: 16.469 sec (0 m 16 s)
Start Date: 2023:01:09 03:50:34
End Date:   2023:01:09 03:50:50

[MaeIsBad]

I believe this issue is caused due to #137, which adds upx compression to the binary for the sake of reducing the container size

[binwiederhier]

Damn, you caught me. My days of coin mining are over. 😱

No but seriously, this seems to be pretty common with upx-packed Go binaries. I had to remove the packing from the Windows binary already because of false virus flagging. It's quite annoying.

The releases are built in CI and print checksums of everything at the end. See here: https://github.com/binwiederhier/ntfy/actions/runs/3766338182/jobs/6402734758

[shawnhwei]

How about publishing a "fat" image without the compression on a separate tag?

[binwiederhier]

If anything, I'll just remove the upx step. It's been more painful than helpful anyway. And we already have too many published assets.

[binwiederhier]

Done in 1fd166d