flat assembler
Message board for the users of flat assembler.

Thread: TROJAN - fasmlib-0.8.0 (forum: Projects and Ideas; page 1 of 4)
janequorzar (Joined: 11 Sep 2010; Posts: 60)
Ok folks, I tried to make sure not to blame someone. I checked and double-checked for a couple of weeks. But the truth is, all the anti-viruses I use have come up with the same info about fasmlib-0.8.0. It says it's a TROJAN. Here is today's scan with Windows Defender. NOD32 and BitDefender came up with the same info. I checked it out from the Microsoft website and sure enough it confirmed it. The following info is what I found just from Windows Defender (Win7) alone. You should probably use whatever anti-virus and spyware program you can think of to test this.

-------------------------------------------------------------

Category:
Backdoor:WinNT/Rustock.C

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor:WinNT/Rustock.C&threatid=115162

Description:
This program provides remote access to the computer it is installed on.

Advice:
Remove this software immediately.

Downloaded From :
http://fasmlib.x86asm.net/

Resources:
containerfile:
C:\Users\USER\Documents\fasmlib-0.8.0.zip

file:
C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/portable/dec2hex/dec2hex.exe

file:
C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/portable/mstream/mstream.exe

file:
C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/portable/str2db/str2db.exe

file:
C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/portable/wc/wc.exe

file:
C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/win32/cat/cat.exe

file:
C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/win32/dec2hex/dec2hex.exe

file:
C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/win32/symbols/symbols.exe

--------------------------------------------------------------

I was really hoping to be wrong about this. I love this library. Sad
Post 21 Oct 2010, 17:40
ManOfSteel (Joined: 02 Feb 2005; Posts: 1154)
janequorzar wrote:
I was really hoping to be wrong about this. I love this library. Sad

Quick, do as Microsoft tells you to do and delete it before the infection spreads to the entire planet and then take cover before the machine blows! Or maybe you could check the source and stop trusting the biggest computer scam that is the AV software industry.

Microsoft wrote:
Description:
This program provides remote access to the computer it is installed on.

Nope, it does not. Though some of your main product's services (remote registry, NetBT, etc.) do.


Last edited by ManOfSteel on 21 Oct 2010, 18:44; edited 1 time in total
Post 21 Oct 2010, 18:29
janequorzar (Joined: 11 Sep 2010; Posts: 60)
ManOfSteel wrote:
janequorzar wrote:
I was really hoping to be wrong about this. I love this library. Sad

Quick, do as Microsoft tells you to do and delete it before the infection spreads to the entire planet and then take cover before the machine blows! Or maybe you could check the source and stop trusting the biggest computer scam that is the AV software industry.

Microsoft wrote:
Description:
This program provides remote access to the computer it is installed on.

Nope it does not. Though some of your main product's services do. Remote registry, anyone?


Yeah, I know. If I had only one anti-virus show this and the others did not, I would totally agree with you. But in this case I checked it from other sources too, as I mentioned above. BitDefender and NOD32 are both reliable anti-virus software and they both reported it as well.

And you don't have to be asinine about it. And no, I will not respond anymore to your trolling.
Post 21 Oct 2010, 18:43
janequorzar (Joined: 11 Sep 2010; Posts: 60)
One more thing: the anti-virus did not see anything wrong with the uncompiled DEV version of that zip file, which I think ManOfSteel was referring to. But I am speaking of the compiled zip that others like myself went straight for and downloaded, not knowing it had a problem. Just an FYI.
Post 21 Oct 2010, 18:50
ManOfSteel (Joined: 02 Feb 2005; Posts: 1154)
Unbelievable! You accuse honest programmers of being malware writers, pretend you read the source when you obviously have not (hence this thread) and you call me a troll?

All AVs are reliable and trustworthy, sure, especially when they tell you that the program you just coded yourself is a virus/trojan Rolling Eyes
Post 21 Oct 2010, 18:53
guignol (Joined: 06 Dec 2008; Posts: 701)
ManOfSteel
Sure!
But I think if "programmers" were more user friendly, and really spent some time on changing this world for the better, there wouldn't be much of a problem.
Like, really having the A priority on developing an open, flawless and ever-improving antivirus. (It should have been that way from the start!)
Next to it - the browser!
How much time did it take for Firefox to become a "somewhat neat" browser?
How much more time will it take to become "pretty neat"?


Honest programmers? huh? Altruists? huh?!
Can you prove you are the one?
Can you prove you are not benefiting from malware AV in any way?
Post 21 Oct 2010, 19:15
janequorzar (Joined: 11 Sep 2010; Posts: 60)
Fellow programmers, please understand, this is not an attack on the person who made the zip; it's just an announcement to warn those who might have it, AND I hope that it will get the message to the creator to fix it. No harm other than to help with this info those who didn't know and would have no way of knowing if they didn't have proper scanning abilities. Norton will not catch it, for example. Just check the code as ManOfSteel suggested and compile it yourself until the creator fixes this issue. Until then, others who have this on their machine and did what I did need to be made aware of it. This is no cause to be attacked here personally or by a flame war in this forum.
Post 21 Oct 2010, 19:22
janequorzar (Joined: 11 Sep 2010; Posts: 60)
Another FYI: the creator may never have known that he had this Trojan on his machine when he compiled the software, which means he would need to scan as well. The Trojan could be active enough to attach itself to an EXE when you compile. It's not impossible for a Trojan/virus to do that. We used to use a Virus Creation Lab (VCL) back in the DOS days, learning how Trojans work. Heck, I even blew up a CRT monitor once by over-resonating one of the guns in the back of the monitor. Talk about the good old days. Smile
Post 21 Oct 2010, 19:31
vid (Verbosity in development; Joined: 05 Sep 2003; Posts: 7105; Location: Slovakia)
Calm down guys, just another annoying false alarm. Maybe I should delete FASMLIB altogether.
Post 21 Oct 2010, 19:34
ManOfSteel (Joined: 02 Feb 2005; Posts: 1154)
guignol wrote:
Like-a, really having the A priority on developing an open, flawless and ever improving antivirus.

The "security" concept of AVs is flawed, i.e. excluding specific potential threats instead of only allowing trusted sources and excluding everything else.
Only corporations that are ready to con people develop them.
Any system where security is crucial is based on the latter concept, i.e. have a trusted base and exclude the rest.

guignol wrote:
Honest programmers? huh? Altruists? huh?!

Yes, open-source programmers are de facto honest since they are telling the world: here, check the source, I have nothing to hide, if you find anything wrong feel free to correct it and send me the patch.

~~~~

janequorzar wrote:
Fellow programmers, please understand, this is not an attack on the person who made the ZIP, its just an announcement to warn those who might have it.
[...]
This is no cause to be attacked here personally or by a flame war here in this forum.

No one wants a flame war and I never intended to start one. But you are not understanding something: there is nothing to be fixed other than the AVs.
I just assembled the code for "dec2hex" and ran it through VirusTotal and it is recognized as multiple viruses by at least two thirds of AVs.

~~~~

vid wrote:
Maybe I should delete FASMLIB altogether.

Please, don't. There is no reason to be hostages of the AV industry.
Post 21 Oct 2010, 19:41
janequorzar (Joined: 11 Sep 2010; Posts: 60)
vid wrote:
Calm down guys, just another annoying false alarm. Maybe I should delete FASMLIB altogether.


Well, it's not a false alarm if more than one anti-virus picks it up. And I have personally seen that someone is using it for what the Trojan is intended for. Why do you think I scanned in the first place? I had no anti-virus running at the time. I installed ALL of the above mentioned and they all found it. I then proceeded to reformat my computer, reinstalled Windows 7, downloaded that file directly and scanned it. Sure enough, it reports it every time. I tried Windows Defender first, then NOD32. Before I reformatted I tried BitDefender from my friend's account and made sure it was updated. As I mentioned, I spent 2 weeks on this hoping I was wrong. (NOTE: my computer always came up clean except for this file at any given time.)

As for deleting it completely, that's a little extreme, don't you think?

I am shocked by the hostility here on this forum lately..


Last edited by janequorzar on 21 Oct 2010, 20:16; edited 1 time in total
Post 21 Oct 2010, 19:53
janequorzar (Joined: 11 Sep 2010; Posts: 60)
VirusTotal has this disclaimer at the bottom - "these results DO NOT guarantee the harmlessness of a file"

The whole paragraph - "ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware."

I agree "somewhat" with what ManOfSteel is saying about corporations, though. Some do tend to make things just to have people pay for a cure. But I won't get into that. Smile

I too did a scan just now again. Here is what I got :
-----------------------------------------
File name: fasmlib-0.8.0.zip
Submission date: 2010-10-21 19:57:28 (UTC)
Current status: finished
Result: 36/43 (83.7%)
Antivirus Version Last Update Result
AhnLab-V3 2010.10.22.00 2010.10.21 Win-Trojan/Xema.variant
AntiVir 7.10.13.15 2010.10.21 -
Antiy-AVL 2.0.3.7 2010.10.21 Trojan/Win32.Genome.gen
Authentium 5.2.0.5 2010.10.21 W32/Zbot.I.gen!Eldorado
Avast 4.8.1351.0 2010.10.21 Win32:Trojan-gen
Avast5 5.0.594.0 2010.10.21 Win32:Trojan-gen
AVG 9.0.0.851 2010.10.21 BackDoor.Generic12.AQFC
BitDefender 7.2 2010.10.21 Backdoor.Generic.212413
CAT-QuickHeal 11.00 2010.10.21 Backdoor.Rustock.c
ClamAV 0.96.2.0-git 2010.10.21 -
Comodo 6467 2010.10.21 Heur.Corrupt.PE
DrWeb 5.0.2.03300 2010.10.21 Trojan.Click1.17873
Emsisoft 5.0.0.50 2010.10.21 Backdoor.WinNT.Rustock!IK
eSafe 7.0.17.0 2010.10.21 Win32.TRCrypt.XPACK
eTrust-Vet 36.1.7924 2010.10.21 -
F-Prot 4.6.2.117 2010.10.21 W32/Zbot.I.gen!Eldorado
F-Secure 9.0.16160.0 2010.10.21 Backdoor.Generic.212413
Fortinet 4.2.249.0 2010.10.21 -
GData 21 2010.10.21 Backdoor.Generic.212413
Ikarus T3.1.1.90.0 2010.10.21 Backdoor.WinNT.Rustock
Jiangmin 13.0.900 2010.10.21 -
K7AntiVirus 9.66.2805 2010.10.21 Riskware
Kaspersky 7.0.0.125 2010.10.21 Trojan.Win32.Genome.hntr
McAfee 5.400.0.1158 2010.10.21 Generic BackDoor!cqx
McAfee-GW-Edition 2010.1C 2010.10.21 Generic BackDoor!cqx
Microsoft 1.6301 2010.10.21 Backdoor:WinNT/Rustock.C
NOD32 5552 2010.10.21 probably a variant of Win32/Agent.MTVEIXF
Norman 6.06.10 2010.10.21 W32/Suspicious_Gen2.PMCS
nProtect 2010-10-21.01 2010.10.21 -
Panda 10.0.2.7 2010.10.21 Generic Malware
PCTools 7.0.3.5 2010.10.21 Trojan.Generic
Prevx 3.0 2010.10.21 -
Rising 22.70.02.05 2010.10.21 Trojan.Win32.Generic.51FB56F6
Sophos 4.58.0 2010.10.21 Mal/Generic-A
Sunbelt 7112 2010.10.21 Trojan.Win32.Generic!BT
SUPERAntiSpyware 4.40.0.1006 2010.10.21 Trojan.Dropper/Win-NV.Process
Symantec 20101.2.0.161 2010.10.21 Trojan Horse
TheHacker 6.7.0.1.064 2010.10.21 Trojan/FraudPack.xeg
TrendMicro 9.120.0.1004 2010.10.21 TROJ_RUSTOCK.EX
TrendMicro-HouseCall 9.120.0.1004 2010.10.21 BKDR_Generic.DIT
VBA32 3.12.14.1 2010.10.21 Trojan.Win32.Genome.hntr
ViRobot 2010.10.21.4104 2010.10.21 Backdoor.Win32.Rustock.8704
VirusBuster 12.69.11.0 2010.10.21 Trojan.Zbot.ANFE
------------------------------------------------

If that is a False alarm.. That is an awesome one. You decide. Smile
Post 21 Oct 2010, 20:04
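The engine labels pasted above are the raw material for the argument that follows in this thread about whether the verdicts agree with each other. Here is an added triage script, not from the thread, from VirusTotal or from any vendor, that parses rows in exactly the layout pasted above (engine, version, last update, result; "-" means no detection) and measures how many engines name the same family versus a generic or heuristic label. The word lists used to tell a family name from a class word or heuristic marker are this example's own assumptions, and the input is a subset of the rows from the post above, embedded as constructed sample data.

```python
"""Measure how much the engines in a VirusTotal result listing agree on a family."""
import re
from collections import Counter

# Word lists are this example's own assumptions, not VirusTotal's or any vendor's.
# Platform/class words carry no family information and are skipped.
CLASS_WORDS = {"trojan", "troj", "backdoor", "bkdr", "win", "win32", "winnt", "w32",
               "mal", "variant", "dropper"}
# Any of these reached before a family name marks the label as generic/heuristic.
GENERIC_MARKERS = {"generic", "gen", "heur", "suspicious", "malware", "horse",
                   "riskware", "probably", "corrupt", "agent"}

# Constructed input: a subset of the rows pasted in the post above, same layout.
SAMPLE = """\
AhnLab-V3 2010.10.22.00 2010.10.21 Win-Trojan/Xema.variant
AntiVir 7.10.13.15 2010.10.21 -
Antiy-AVL 2.0.3.7 2010.10.21 Trojan/Win32.Genome.gen
Authentium 5.2.0.5 2010.10.21 W32/Zbot.I.gen!Eldorado
Avast 4.8.1351.0 2010.10.21 Win32:Trojan-gen
AVG 9.0.0.851 2010.10.21 BackDoor.Generic12.AQFC
BitDefender 7.2 2010.10.21 Backdoor.Generic.212413
CAT-QuickHeal 11.00 2010.10.21 Backdoor.Rustock.c
ClamAV 0.96.2.0-git 2010.10.21 -
Comodo 6467 2010.10.21 Heur.Corrupt.PE
DrWeb 5.0.2.03300 2010.10.21 Trojan.Click1.17873
Kaspersky 7.0.0.125 2010.10.21 Trojan.Win32.Genome.hntr
McAfee 5.400.0.1158 2010.10.21 Generic BackDoor!cqx
Microsoft 1.6301 2010.10.21 Backdoor:WinNT/Rustock.C
NOD32 5552 2010.10.21 probably a variant of Win32/Agent.MTVEIXF
Symantec 20101.2.0.161 2010.10.21 Trojan Horse
TheHacker 6.7.0.1.064 2010.10.21 Trojan/FraudPack.xeg
TrendMicro 9.120.0.1004 2010.10.21 TROJ_RUSTOCK.EX
VirusBuster 12.69.11.0 2010.10.21 Trojan.Zbot.ANFE
"""


def parse_vt_lines(text: str) -> list:
    """Return [(engine, result_or_None), ...] from whitespace-separated rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # blank or truncated line
        result = " ".join(parts[3:])      # the result column may contain spaces
        rows.append((parts[0], None if result == "-" else result))
    return rows


def family_of(result: str) -> str:
    """Heuristic family extraction: the first token that is neither a class word,
    a generic marker, a short letter code nor a bare variant number."""
    for tok in re.split(r"[^A-Za-z0-9]+", result):
        tok = tok.lower()
        core = tok.rstrip("0123456789")   # "generic12" -> "generic", "212413" -> ""
        if not core:
            continue
        if core in GENERIC_MARKERS:
            return "generic"
        if len(core) < 3 or core in CLASS_WORDS:
            continue
        return tok
    return "generic"


def summarize(text: str) -> dict:
    """Count detections, generic labels and per-family agreement for one listing."""
    rows = parse_vt_lines(text)
    hits = [r for _, r in rows if r is not None]
    fams = Counter(family_of(r) for r in hits)
    generic = fams.pop("generic", 0)
    top_family, top_count = fams.most_common(1)[0] if fams else (None, 0)
    return {
        "engines": len(rows),
        "detections": len(hits),
        "generic_or_heuristic": generic,
        "named_families": dict(fams),
        "distinct_named_families": len(fams),
        "top_family": top_family,
        "top_family_share": top_count / len(hits) if hits else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, 17 of 19 engines flag the file, but 7 of those 17 use a purely generic or heuristic label and the remaining 10 are split across six family names, with the most popular (Rustock) backed by only 3 engines. That pattern is a triage signal, not a verdict: as the VirusTotal disclaimer quoted in the post says, detection counts prove nothing about harmlessness, and the word lists here are lossy (a family named after a packer, for instance, will be counted as a family). Its use is to decide whether the stronger check, assembling the source yourself and comparing the result against the shipped binary, is worth the time.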
janequorzar (Joined: 11 Sep 2010; Posts: 60)
And please, I would rather us work together to solve the problem and have a good explanation as to why this "could be" a false alarm. If anyone has a plausible explanation as to why it would show that, please, let us know. Show facts. I'm wide open to learning new things. Nothing wrong with knowledge.
Post 21 Oct 2010, 20:14
vid (Verbosity in development; Joined: 05 Sep 2003; Posts: 7105; Location: Slovakia)
http://en.wikipedia.org/wiki/Antivirus_software (3rd paragraph)
http://en.wikipedia.org/wiki/Heuristic_analysis
http://service1.symantec.com/sarc/sarc.nsf/info/html/what.false.positive.html
http://antivirus.about.com/od/antivirusglossary/g/falsepositive.htm
etc.

Also search this forum for many false alarms in FASM apps in past.

You are right, this problem should be solved. Problem is this: FASMLIB is not being developed anymore; it is dead. Otherwise I'd try to figure out what exactly causes those false alarms and eliminate it.
Post 21 Oct 2010, 20:21
ManOfSteel (Joined: 02 Feb 2005; Posts: 1154)
Please, pretty please, discard .zip and .exe files, pick one of the "offending" programs and assemble it yourself using the fasmlib-0.8.0-dev version. You will get the exact same results.

It is a false positive when you have the source before your eyes and AVs tell you you are looking at malware.
Post 21 Oct 2010, 20:26
janequorzar (Joined: 11 Sep 2010; Posts: 60)
vid wrote:
http://en.wikipedia.org/wiki/Antivirus_software (3rd paragraph)
http://en.wikipedia.org/wiki/Heuristic_analysis
http://service1.symantec.com/sarc/sarc.nsf/info/html/what.false.positive.html
http://antivirus.about.com/od/antivirusglossary/g/falsepositive.htm
etc.

Also search this forum for many false alarms in FASM apps in past.

You are right, this problem should be solved. Problem is this: FASMLIB is not being developed anymore; it is dead. Otherwise I'd try to figure out what exactly causes those false alarms and eliminate it.


Yeah, the problem I ran into when I researched this is sites like these that explain what this is in more detail.
-----------------------------
http://www.threatexpert.com/report.aspx?md5=808a61e8138a696e0ca7a9e6a8d80db9

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:WinNT/Rustock.C

http://blogs.technet.com/b/mmpc/archive/2008/10/29/win32-rustock-hide-and-seek.aspx

This last one is what got me. This is one of many variations. It's also known as a rootkit, which back in 2005 was a really big deal on AMD machines.

The links you provided are great, but are about false positives.. not this exact problem. I know what a false positive is.

I am hoping that if there is a new library or if this library is the only one, that maybe it can be resolved. I really love it.
Post 21 Oct 2010, 20:31
janequorzar (Joined: 11 Sep 2010; Posts: 60)
ManOfSteel wrote:
Please, pretty please, discard .zip and .exe files, pick one of the "offending" programs and assemble it yourself using the fasmlib-0.8.0-dev version. You will get the exact same results.

It is a false positive when you have the source before your eyes and AVs tell you you are looking at malware.


I totally agree. But that means you have to go through ALL the code in the source. So give people time, now that we are aware of this problem, to do so.
Post 21 Oct 2010, 20:34
vid (Verbosity in development; Joined: 05 Sep 2003; Posts: 7105; Location: Slovakia)
Quote:
The links you provided are great, but are about false positives.. not this exact problem. I know what a false positive is.

I don't think so. A freshly compiled executable is the same as the one which triggers alarms with some AVs. And every AV reports a different virus present. And this is a known problem with FASM executables. The conclusion should be obvious.

Quote:
I am hoping that if there is a new library or if this library is the only one, that maybe it can be resolved. I really love it.

Hmmm.... I lost one script which I used to "clean up" the directory for release; that one was not so important. The bigger problem is that I lost my "asmdoc" utility which I used to extract comments from source code, so the documentation cannot be generated anymore. Aside from that, you should be able to fully build FASMLIB using the dev version provided online. It is just a matter of installing the correct tools and running one batch file. I don't know which distribution you prefer; if the include-by-source one (without linking), then you can just copy the "src" and "include" dirs somewhere else and use them, and ignore the rest of the stuff in the package.


Last edited by vid on 21 Oct 2010, 20:52; edited 1 time in total
Post 21 Oct 2010, 20:47
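ManOfSteel's suggestion earlier in the thread (discard the shipped .zip and .exe files, assemble one of the flagged programs yourself from fasmlib-0.8.0-dev) and vid's statement above that a freshly compiled executable is the same as the flagged one describe one concrete test: rebuild from the published source and compare the bytes. The script below is an added example, not code from FASMLIB or from anyone in this thread, that performs that comparison over every .exe in a release archive. It masks the PE header's TimeDateStamp before hashing, on the assumption (mine, not the page's) that the build timestamp is the only header field that legitimately changes between two assemblies of identical source; the "release zip" and "local build" it runs on are constructed in memory with minimal MZ/PE stubs, not loadable programs.

```python
"""Compare the .exe files shipped in a release zip with ones you assembled yourself."""
import hashlib
import io
import struct
import zipfile


def masked_pe_digest(data: bytes) -> str:
    """SHA-256 of a PE image with the COFF TimeDateStamp zeroed.

    Assumption: the timestamp is the only header field that legitimately
    differs between two assemblies of identical source. Non-PE input is
    hashed unchanged.
    """
    buf = bytearray(data)
    if len(buf) >= 0x40 and buf[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
        # "PE\0\0" signature (4 bytes), then the COFF header: Machine (2),
        # NumberOfSections (2), TimeDateStamp (4) -> stamp sits at e_lfanew + 8.
        if e_lfanew + 24 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            struct.pack_into("<I", buf, e_lfanew + 8, 0)
    return hashlib.sha256(bytes(buf)).hexdigest()


def compare_release(zip_bytes: bytes, built: dict) -> dict:
    """Map every .exe member of the archive to "identical", "DIFFERS" or "not rebuilt".

    `built` maps an archive member path to the bytes of your own build of it.
    """
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".exe"):
                continue
            if name not in built:
                verdicts[name] = "not rebuilt"
            elif masked_pe_digest(zf.read(name)) == masked_pe_digest(built[name]):
                verdicts[name] = "identical"
            else:
                verdicts[name] = "DIFFERS"
    return verdicts


def make_fake_pe(body: bytes, stamp: int) -> bytes:
    """Constructed stand-in for an assembled .exe (not a loadable image):
    minimal MZ stub, e_lfanew = 0x40, PE signature, 20-byte COFF header
    carrying the given TimeDateStamp, then `body` in place of the code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x014C)       # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<I", coff, 4, stamp)        # TimeDateStamp
    return bytes(dos) + b"PE\0\0" + bytes(coff) + body


def demo() -> dict:
    """Constructed data: a 'release zip' and a 'local rebuild' of two of its examples."""
    dec2hex_code = b"\x55\x89\xe5 dec2hex"        # arbitrary bytes standing in for code
    wc_code = b"\x55\x89\xe5 wc"
    release = io.BytesIO()
    with zipfile.ZipFile(release, "w") as zf:
        zf.writestr("fasmlib-0.8.0/examples/fasm/win32/dec2hex/dec2hex.exe",
                    make_fake_pe(dec2hex_code, 0x4CC00000))
        zf.writestr("fasmlib-0.8.0/examples/fasm/portable/wc/wc.exe",
                    make_fake_pe(wc_code, 0x4CC00000))
        zf.writestr("fasmlib-0.8.0/examples/fasm/win32/cat/cat.exe",
                    make_fake_pe(b"cat", 0x4CC00000))
    built = {
        # Same code assembled later: only the stamp differs -> identical.
        "fasmlib-0.8.0/examples/fasm/win32/dec2hex/dec2hex.exe":
            make_fake_pe(dec2hex_code, 0x4CC09999),
        # One extra byte in the image -> DIFFERS (what a tampered build would show).
        "fasmlib-0.8.0/examples/fasm/portable/wc/wc.exe":
            make_fake_pe(wc_code + b"\x90", 0x4CC09999),
        # cat.exe deliberately not rebuilt.
    }
    return compare_release(release.getvalue(), built)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:12} {path}")
```

To run the real check, assemble the example programs from fasmlib-0.8.0-dev with the fasm version the package was built with and pass the resulting files as `built`. If every shipped image is "identical" after masking, the distributed binaries are exactly what the published source produces, so an AV verdict against them is a verdict against the source you can read. If an image comes back "DIFFERS", diff the two files before drawing any conclusion: a different fasm version, an optional-header CheckSum, or a changed include can all move bytes, and only an unexplained difference in the code or data sections points at tampering.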
DarkAlchemist (Joined: 08 Oct 2010; Posts: 108)
What I never understood is how it considers our own code to be malware. It could be as innocent as can be and still be labeled malware. Once labeled malware, I honestly think a commercial company should sue for lost income and potential income, and possibly the false positives will cease or at least be reduced.
Post 21 Oct 2010, 20:48
janequorzar (Joined: 11 Sep 2010; Posts: 60)
DarkAlchemist wrote:
What I never understood is how it considers our own code to be malware. It could be as innocent as can be and be labeled malware. Once labeled malware I honestly think a commercial company should sue for lost income and potential income and possibly the false positives will cease or at least be reduced.


That makes a lot of sense. After this thread I am starting to think this way.
Post 21 Oct 2010, 20:51
Copyright © 1999-2020, Tomasz Grysztar.