Gluetun detected as a Trojan!?

[qdm12]

Hello all,

Since 9 September 2022, Gluetun is detected as a Trojan virus "Unix.Trojan.Agent-6762136-0", for now only by ClamAV.

TLDR: false positive detection due to Gluetun being compiled from Go and handling firewall/routing/wireguard/kernel.

Analyzing the Gluetun binary program (built locally for amd64, commit e5be20d) with virustotal.com gives this result, where only ClamAV finds it as a trojan virus.

The behavior section lists the following:

1. Defense evasion: Sample contains symbols with suspicious names. - I guess it doesn't like Go compiled programs. It it is true a lot of viruses are now written in Go since its program compilation is unique and so there is not much tooling to reverse engineer it. I also don't do any funny compilation with Gluetun, it's just go build ./cmd/gluetun/main.go.
2. System Network Configuration Discovery: Executes the "iptables" command used for managing IP filtering and manipulation yes it does but for good reasons, to interact with the container firewall. It also runs ip6tables, iptables-nft and ip6tables-nft. It might be replaced one day with Feature request: use google/nftables to handle nftables firewall #898 which would remove this warning, but I can't give an exact timeline.
3. Security Software Discovery: Uses the "uname" system call to query kernel version information (possible evasion): it doesn't in Gluetun code (see this search). Checking dependencies, the only match I found is in golang.org/x/sys, which is used for golang.org/x/sys/unix to read and create the tun device as well as in Wireguard code. Also that's code from the official Go repositories (from Google) so they can be quite trusted.

You can also see the Processes Tree which is just what Gluetun does to detect the firewall capabilities (does it support iptables, ip6tables, iptables-nft? For example /usr/sbin/iptables iptables -A OUTPUT -o fpllngzieyoh43e -j DROP).

For context/historical/transparency purposes (all times are EST timezone):

1. [email protected] reached out to me by email on Sep 9, 2022, 4:24 AM asking why Gluetun disappeared from the Unraid app store

2. On Sep 9, 2022, 10:06 AM, he/she replied:

   Got word from a community dev:
   "There was a report that the container had a trojan embedded in it. It was removed from Apps a couple days ago as a precaution pending a full investigation (this weekend)"

   Looking at the Unraid forum, indeed Squid commented this on Sep 9, 2022, 09:27 AM.

3. I signed up on these Unraid forums to post my comment here on Sep 10, 2022, 12:25 PM.

4. Squid added Gluetun back in the Unraid app store on Sep 13, 2022, 12:00PM

5. @wjoshraymond created another discussion mentioning the same detection on Sep 14, 2022, 3:17PM

6. I wrote this announcement Sep 14, 2022, at around 4:30PM