flat assembler
Message board for the users of flat assembler.
Projects and Ideas > TROJAN - fasmlib-0.8.0
janequorzar 21 Oct 2010, 17:40
Ok folks, I tried to make sure not to blame someone. I checked and double-checked for a couple of weeks. But the truth is, all the anti-viruses I use have come up with the same info about fasmlib-0.8.0. It says it's a TROJAN. Here is today's scan with Windows Defender. NOD32 and BitDefender came up with the same info. I checked it out from the Microsoft website and sure enough it confirmed it. The following info is what I found just from Windows Defender (Win7) alone. You should probably use whatever Anti-virus and Spyware program you can think of to test this.

-------------------------------------------------------------
Category: Backdoor:WinNT/Rustock.C
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor:WinNT/Rustock.C&threatid=115162
Description: This program provides remote access to the computer it is installed on.
Advice: Remove this software immediately.
Downloaded From: http://fasmlib.x86asm.net/
Resources:
containerfile: C:\Users\USER\Documents\fasmlib-0.8.0.zip
file: C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/portable/dec2hex/dec2hex.exe
file: C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/portable/mstream/mstream.exe
file: C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/portable/str2db/str2db.exe
file: C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/portable/wc/wc.exe
file: C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/win32/cat/cat.exe
file: C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/win32/dec2hex/dec2hex.exe
file: C:\Users\USER\Documents\fasmlib-0.8.0.zip->fasmlib-0.8.0/examples/fasm/win32/symbols/symbols.exe
--------------------------------------------------------------

I was really hoping to be wrong about this. I love this library.
janequorzar 21 Oct 2010, 18:43
ManOfSteel wrote:
Yeah, I know. If I had only one anti-virus show this and the others did not, I would totally agree with you. But in this case I checked it from other sources too, as I mentioned above. BitDefender and NOD32 are both reliable anti-virus software and they both reported it as well. And you don't have to be asinine about it. And no, I will not respond anymore to your trolling.
janequorzar 21 Oct 2010, 18:50
One more thing. The anti-virus did not see anything wrong with the uncompiled DEV version of that Zip file, which I think ManOfSteel was referring to. But I am speaking of the compiled ZIP that others like myself went straight for and downloaded, not knowing it had a problem. Just an FYI.
ManOfSteel 21 Oct 2010, 18:53
Unbelievable! You accuse honest programmers of being malware writers, pretend you read the source when you obviously have not (hence this thread) and you call me a troll?
All AVs are reliable and trustworthy, sure, especially when one tells you that your own program you just coded is a virus/trojan.
guignol 21 Oct 2010, 19:15
ManOfSteel
Sure! But I think if "Programmers" were more user friendly, and really spent some time on changing this world for the better, there wouldn't be much of a problem. Like-a, really having the A priority on developing an open, flawless and ever improving antivirus. (It had to be all along from the start!) Next to it - the browser! How much time did it take for FireFox to become a "somewhat neat" browser? How much more time will it take to become "pretty neat"? Honest programmers? huh? Altruists? huh?! Can you prove you are the one? Can you prove you are not benefiting from malware AV in any way?
janequorzar 21 Oct 2010, 19:22
Fellow programmers, please understand, this is not an attack on the person who made the ZIP, it's just an announcement to warn those who might have it. AND I hope that it will get the message to the creator to fix it. No harm intended, other than to help with this info those who didn't know and would have no way of knowing if they didn't have proper scanning abilities. Norton will not catch it, for example. Just check the code as ManOfSteel suggested and compile it yourself until the creator fixes this issue. Until then, others who have this on their machine and did what I did need to be told about it. This is no cause to be attacked here personally or by a flame war in this forum.
janequorzar 21 Oct 2010, 19:31
Another FYI: the creator may never have known that he had this Trojan on his machine when he compiled the software, which means he would need to scan as well. The Trojan could be active enough to attach itself to an EXE when you compile. It's not impossible for a Trojan / Virus to do that. We used to use a Virus Creation Lab (VCL) back in the DOS days, learning how Trojans work. Heck, I even blew up a CRT monitor once by over-resonating one of the guns in the back of the monitor. Talk about the good old days.
vid 21 Oct 2010, 19:34
Calm down guys, just another annoying false alarm. Maybe I should delete FASMLIB altogether.
ManOfSteel 21 Oct 2010, 19:41
guignol wrote:
> Like-a, really having the A priority on developing an open, flawless and ever improving antivirus.

The "security" concept of AVs is flawed, i.e. excluding specific potential threats instead of only allowing trusted sources and excluding everything else. Only corporations that are ready to con people develop them. Any system where security is crucial is based on the latter concept, i.e. have a trusted base and exclude the rest.

guignol wrote:
> Honest programmers? huh? Altruists? huh?!

Yes, open-source programmers are de facto honest since they are telling the world: here, check the source, I have nothing to hide, if you find anything wrong feel free to correct it and send me the patch.

janequorzar wrote:
> Fellow programmers, please understand, this is not an attack on the person who made the ZIP, its just an announcement to warn those who might have it.

No one wants a flame war and I never intended to start one. But you are not understanding something: there is nothing to be fixed other than the AVs. I just assembled the code for "dec2hex" and ran it through VirusTotal, and it is recognized as multiple viruses by at least two thirds of the AVs.

vid wrote:
> Maybe I should delete FASMLIB altogether.

Please, don't. There is no reason to be hostages of the AV industry.
janequorzar 21 Oct 2010, 19:53
vid wrote:
> Calm down guys, just another annoying false alarm. Maybe I should delete FASMLIB altogether.

Well, it's not a false alarm if more than one anti-virus picks it up. And I have personally seen that someone is using it for what the Trojan is intended for. Why do you think I scanned in the first place? I had no anti-virus running at the time. I installed ALL of the above mentioned and they all found it. I then proceeded to reformat my computer, reinstalled Windows 7, downloaded that file directly and scanned it. Sure enough, it reports it every time. I tried Windows Defender first, then I tried NOD32. Before I reformatted I tried BitDefender from my friend's account and made sure it was updated. As I mentioned, I spent 2 weeks on this hoping I was wrong. (NOTE: My computer always came up clean except for this file at any given time.)

As for deleting it completely, that's a little extreme, don't you think? I am shocked by the hostility here on this forum lately.

Last edited by janequorzar on 21 Oct 2010, 20:16; edited 1 time in total
janequorzar 21 Oct 2010, 20:04
VirusTotal has this disclaimer at the bottom: "these results DO NOT guarantee the harmlessness of a file"

The whole paragraph: "ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware."

I agree "somewhat" with what ManOfSteel is saying about corporations. Some do tend to make things just to have people pay for a cure. But I won't get into that. I too did a scan just now again. Here is what I got:

-----------------------------------------
File name: fasmlib-0.8.0.zip
Submission date: 2010-10-21 19:57:28 (UTC)
Current status: finished
Result: 36/43 (83.7%)
VT Community: not reviewed

Antivirus             Version          Last Update  Result
AhnLab-V3             2010.10.22.00    2010.10.21   Win-Trojan/Xema.variant
AntiVir               7.10.13.15       2010.10.21   -
Antiy-AVL             2.0.3.7          2010.10.21   Trojan/Win32.Genome.gen
Authentium            5.2.0.5          2010.10.21   W32/Zbot.I.gen!Eldorado
Avast                 4.8.1351.0       2010.10.21   Win32:Trojan-gen
Avast5                5.0.594.0        2010.10.21   Win32:Trojan-gen
AVG                   9.0.0.851        2010.10.21   BackDoor.Generic12.AQFC
BitDefender           7.2              2010.10.21   Backdoor.Generic.212413
CAT-QuickHeal         11.00            2010.10.21   Backdoor.Rustock.c
ClamAV                0.96.2.0-git     2010.10.21   -
Comodo                6467             2010.10.21   Heur.Corrupt.PE
DrWeb                 5.0.2.03300      2010.10.21   Trojan.Click1.17873
Emsisoft              5.0.0.50         2010.10.21   Backdoor.WinNT.Rustock!IK
eSafe                 7.0.17.0         2010.10.21   Win32.TRCrypt.XPACK
eTrust-Vet            36.1.7924        2010.10.21   -
F-Prot                4.6.2.117        2010.10.21   W32/Zbot.I.gen!Eldorado
F-Secure              9.0.16160.0      2010.10.21   Backdoor.Generic.212413
Fortinet              4.2.249.0        2010.10.21   -
GData                 21               2010.10.21   Backdoor.Generic.212413
Ikarus                T3.1.1.90.0      2010.10.21   Backdoor.WinNT.Rustock
Jiangmin              13.0.900         2010.10.21   -
K7AntiVirus           9.66.2805        2010.10.21   Riskware
Kaspersky             7.0.0.125        2010.10.21   Trojan.Win32.Genome.hntr
McAfee                5.400.0.1158     2010.10.21   Generic BackDoor!cqx
McAfee-GW-Edition     2010.1C          2010.10.21   Generic BackDoor!cqx
Microsoft             1.6301           2010.10.21   Backdoor:WinNT/Rustock.C
NOD32                 5552             2010.10.21   probably a variant of Win32/Agent.MTVEIXF
Norman                6.06.10          2010.10.21   W32/Suspicious_Gen2.PMCS
nProtect              2010-10-21.01    2010.10.21   -
Panda                 10.0.2.7         2010.10.21   Generic Malware
PCTools               7.0.3.5          2010.10.21   Trojan.Generic
Prevx                 3.0              2010.10.21   -
Rising                22.70.02.05      2010.10.21   Trojan.Win32.Generic.51FB56F6
Sophos                4.58.0           2010.10.21   Mal/Generic-A
Sunbelt               7112             2010.10.21   Trojan.Win32.Generic!BT
SUPERAntiSpyware      4.40.0.1006      2010.10.21   Trojan.Dropper/Win-NV.Process
Symantec              20101.2.0.161    2010.10.21   Trojan Horse
TheHacker             6.7.0.1.064      2010.10.21   Trojan/FraudPack.xeg
TrendMicro            9.120.0.1004     2010.10.21   TROJ_RUSTOCK.EX
TrendMicro-HouseCall  9.120.0.1004     2010.10.21   BKDR_Generic.DIT
VBA32                 3.12.14.1        2010.10.21   Trojan.Win32.Genome.hntr
ViRobot               2010.10.21.4104  2010.10.21   Backdoor.Win32.Rustock.8704
VirusBuster           12.69.11.0       2010.10.21   Trojan.Zbot.ANFE
------------------------------------------------

If that is a false alarm, that is an awesome one. You decide.
janequorzar 21 Oct 2010, 20:14
And please, I would rather us work together to solve the problem and have a good explanation as to why this "could be" a false alarm. If anyone has a plausible explanation as to why it would show that, please, let us know. Show facts. I'm wide open to learning new things. Nothing wrong with knowledge.
vid 21 Oct 2010, 20:21
http://en.wikipedia.org/wiki/Antivirus_software (3rd paragraph)
http://en.wikipedia.org/wiki/Heuristic_analysis
http://service1.symantec.com/sarc/sarc.nsf/info/html/what.false.positive.html
http://antivirus.about.com/od/antivirusglossary/g/falsepositive.htm
etc.

Also search this forum for many false alarms in FASM apps in the past. You are right, this problem should be solved. Problem is this: FASMLIB is not being developed anymore, it is dead. Otherwise I'd try to figure out what exactly causes those false alarms and eliminate it.
ManOfSteel 21 Oct 2010, 20:26
Please, pretty please, discard the .zip and .exe files, pick one of the "offending" programs and assemble it yourself using the fasmlib-0.8.0-dev version. You will get the exact same results.

It is a false positive when you have the source before your eyes and AVs tell you you are looking at malware.
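One concrete way to act on that advice, added here as an example and not code from this thread or from the FASMLIB package: hash the executables inside the downloaded archive, rebuild the same program from the -dev sources, and compare the shipped file with the rebuilt one byte for byte. If the two files are identical, the shipped binary is exactly what the source produces and the scanner verdict concerns the source, not a tampered download. The helper assumes you already have both files; the PE-shaped bytes it builds for its own demo are constructed placeholders, not real fasm output, and the "identical_except_timestamp" classification assumes that IMAGE_FILE_HEADER.TimeDateStamp (which toolchains typically fill with the build time) is the only field allowed to differ between two otherwise identical builds.

```python
"""Compare a shipped executable with one rebuilt from source.

Added example for this thread; not code from FASMLIB or its author.
Assumes: you have the downloaded archive (or an extracted .exe) and a
rebuilt copy of the same program. The PE-shaped bytes produced by
build_sample_pe() are constructed for the demo only, not real fasm output.
"""
import hashlib
import io
import struct
import zipfile
from dataclasses import dataclass, field


@dataclass
class Verdict:
    status: str            # "identical", "identical_except_timestamp", "different"
    shipped_sha256: str
    rebuilt_sha256: str
    differing_offsets: list = field(default_factory=list)  # first few offsets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_zip_members(zip_bytes: bytes, suffix: str = ".exe") -> dict:
    """SHA-256 of every archive member ending in `suffix` (the scanner above
    flagged examples/.../*.exe inside fasmlib-0.8.0.zip)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(suffix):
                out[info.filename] = sha256_hex(zf.read(info))
    return out


def pe_timestamp_offset(data: bytes):
    """File offset of IMAGE_FILE_HEADER.TimeDateStamp, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # PE signature (4) + Machine (2) + NumberOfSections (2) precede the stamp
    return e_lfanew + 8


def compare_builds(shipped: bytes, rebuilt: bytes, limit: int = 8) -> Verdict:
    """Byte-compare two builds; a diff confined to the 4-byte COFF timestamp
    is reported separately because it does not change the code."""
    s, r = sha256_hex(shipped), sha256_hex(rebuilt)
    if s == r:
        return Verdict("identical", s, r)
    n = min(len(shipped), len(rebuilt))
    diffs = [i for i in range(n) if shipped[i] != rebuilt[i]]
    if len(shipped) != len(rebuilt):
        diffs.append(n)  # first offset past the shorter file
    ts = pe_timestamp_offset(shipped)
    only_ts = (ts is not None and len(shipped) == len(rebuilt)
               and all(ts <= i < ts + 4 for i in diffs))
    return Verdict("identical_except_timestamp" if only_ts else "different",
                   s, r, diffs[:limit])


def build_sample_pe(timestamp: int, payload: bytes) -> bytes:
    """Constructed PE-shaped blob for the demo (NOT a loadable executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x10F)
    return bytes(dos) + b"PE\0\0" + coff + payload


def build_sample_zip(members: dict) -> bytes:
    """Constructed in-memory archive standing in for the downloaded zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    shipped = build_sample_pe(0x4CC08000, b"\x90" * 16)
    rebuilt = build_sample_pe(0x4CC08123, b"\x90" * 16)   # same code, new build time
    archive = build_sample_zip(
        {"fasmlib-0.8.0/examples/fasm/win32/cat/cat.exe": shipped})
    for name, digest in hash_zip_members(archive).items():
        print(f"{digest}  {name}")
    print(compare_builds(shipped, rebuilt).status)
```

In practice you would point `hash_zip_members` at the bytes of the downloaded fasmlib-0.8.0.zip and `compare_builds` at the extracted .exe and the one fasm just produced; a "different" verdict with offsets outside the header is the only outcome that justifies looking further, and even then the diff tells you where to look in the source.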
janequorzar 21 Oct 2010, 20:31
vid wrote:
> http://en.wikipedia.org/wiki/Antivirus_software (3rd paragraph)

Yeah, the problem I ran into when I researched this is sites like this that explain what this is in more detail.
-----------------------------
http://www.threatexpert.com/report.aspx?md5=808a61e8138a696e0ca7a9e6a8d80db9
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:WinNT/Rustock.C
http://blogs.technet.com/b/mmpc/archive/2008/10/29/win32-rustock-hide-and-seek.aspx

This last one is what got me. This is one of many variations. It's also known as a Rootkit, which back in 2005 was a really big deal on AMD machines. The links you provided are great, but are about false positives, not this exact problem. I know what a false positive is. I am hoping that if there is a new library, or if this library is the only one, that maybe it can be resolved. I really love it.
janequorzar 21 Oct 2010, 20:34
ManOfSteel wrote:
> Please, pretty please, discard .zip and .exe files, pick one of the "offending" programs and assemble it yourself using the fasmlib-0.8.0-dev version. You will get the exact same results.

I totally agree. But that means you have to go through ALL the code in the source. So give people time, now that we are aware of this problem, to do so.
vid 21 Oct 2010, 20:47
janequorzar wrote:
> The links you provided are great, but are about false positives.. not this exact problem. I know what a false positive is.

I don't think so. A freshly compiled executable is the same as the one which triggers alarms with some AVs. And every AV reports a different virus present. And this is a known problem with FASM executables. The conclusion should be obvious.

janequorzar wrote:
> I am hoping that if there is a new library or if this library is the only one, that maybe it can be resolved. I really love it.

Hmmm.... I lost one script which I used to "clean up" the directory for release; that one was not so important. The bigger problem is that I lost my "asmdoc" utility which I used to extract comments from source code, so the documentation cannot be generated anymore. Aside from that, you should be able to fully build FASMLIB using the dev version provided online. It is just a matter of installing the correct tools and running one batch. I don't know which distribution you prefer; if the include-by-source one (without linking), then you can just copy the "src" and "include" dirs somewhere else and use it, and ignore the rest of the stuff in the package.

Last edited by vid on 21 Oct 2010, 20:52; edited 1 time in total
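The argument vid makes in the post above ("every AV reports a different virus") can be checked mechanically against the VirusTotal list janequorzar posted earlier. If the engines that fire agree on one family, the hit is probably a signature match against a known sample; if most return generic or heuristic names and the rest name unrelated families, the one thing they agree on is the file's shape, not a known payload. The script below is an added example, not a VirusTotal tool and not code from this thread. It reads rows in the layout of the posted results (engine, version, last update, result), with a subset of the posted rows embedded as sample input; the category words and "generic" markers it uses are this example's own triage lists, and its output is a triage signal, not proof that a file is clean.

```python
"""Triage a VirusTotal-style detection list by naming consistency.

Added example for this thread, not a VirusTotal tool or FASMLIB code.
Input rows follow the posted layout: <engine> <version> <last update> <result>,
where "-" means no detection. SAMPLE_ROWS is a subset of the rows posted in
the thread. GENERIC and CATEGORY below are this example's own assumptions
about vendor naming, not an authoritative scheme.
"""
import re
from collections import Counter

SAMPLE_ROWS = """
AhnLab-V3 2010.10.22.00 2010.10.21 Win-Trojan/Xema.variant
AntiVir 7.10.13.15 2010.10.21 -
Antiy-AVL 2.0.3.7 2010.10.21 Trojan/Win32.Genome.gen
Authentium 5.2.0.5 2010.10.21 W32/Zbot.I.gen!Eldorado
Avast 4.8.1351.0 2010.10.21 Win32:Trojan-gen
AVG 9.0.0.851 2010.10.21 BackDoor.Generic12.AQFC
BitDefender 7.2 2010.10.21 Backdoor.Generic.212413
CAT-QuickHeal 11.00 2010.10.21 Backdoor.Rustock.c
Comodo 6467 2010.10.21 Heur.Corrupt.PE
Microsoft 1.6301 2010.10.21 Backdoor:WinNT/Rustock.C
NOD32 5552 2010.10.21 probably a variant of Win32/Agent.MTVEIXF
Symantec 20101.2.0.161 2010.10.21 Trojan Horse
TrendMicro 9.120.0.1004 2010.10.21 TROJ_RUSTOCK.EX
VirusBuster 12.69.11.0 2010.10.21 Trojan.Zbot.ANFE
"""

# A result containing any of these is a generic/heuristic verdict, not a family.
GENERIC = re.compile(r"generic|heur|suspicious|probably|riskware|malware|"
                     r"trojan horse|trojan-gen|corrupt|dropper", re.I)
# Platform/category tokens that precede the family name in most vendor schemes.
CATEGORY = {"backdoor", "trojan", "win32", "w32", "winnt", "win", "troj",
            "bkdr", "mal", "gen"}


def parse_rows(text: str) -> list:
    """Return (engine, result-or-None) pairs from the posted row layout."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        engine, result = parts[0], parts[3].strip()
        rows.append((engine, None if result == "-" else result))
    return rows


def family_of(result: str):
    """Family name an engine asserts, or None for generic/heuristic results."""
    if GENERIC.search(result):
        return None
    for tok in re.split(r"[^A-Za-z0-9]+", result):
        if tok and tok.lower() not in CATEGORY:
            m = re.match(r"[A-Za-z]+", tok)   # drop numeric variant suffixes
            if m:
                return m.group(0).lower()
    return None


def triage(text: str) -> dict:
    """Count detections, generic verdicts and named families in a result list."""
    rows = parse_rows(text)
    hits = [r for _, r in rows if r is not None]
    families = Counter()
    generic = 0
    for r in hits:
        fam = family_of(r)
        if fam is None:
            generic += 1
        else:
            families[fam] += 1
    return {"engines": len(rows), "detections": len(hits),
            "generic": generic, "families": dict(families)}


def consensus_family(summary: dict):
    """Family named by a majority of the detecting engines, else None."""
    if not summary["detections"]:
        return None
    fam, count = max(summary["families"].items(),
                     key=lambda kv: kv[1], default=(None, 0))
    return fam if count * 2 > summary["detections"] else None


if __name__ == "__main__":
    s = triage(SAMPLE_ROWS)
    print(s)
    print("consensus family:", consensus_family(s))
```

On the sample rows the result is 13 detections out of 14 engines, 6 of them generic, and four different families (rustock, zbot, genome, xema) none of which reaches a majority; the full posted list behaves the same way, with Rustock, Zbot, Genome, Click, TRCrypt and FraudPack all named. That pattern is what a heuristic trigger on a small, unusual PE looks like, and it is also the pattern to expect from a packed or corrupt sample, which is why the check belongs next to rebuilding from source rather than replacing it.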
DarkAlchemist 21 Oct 2010, 20:48
What I never understood is how it considers our own code to be malware. It could be as innocent as can be and be labeled malware. Once labeled malware, I honestly think a commercial company should sue for lost income and potential income, and possibly the false positives will cease or at least be reduced.
janequorzar 21 Oct 2010, 20:51
DarkAlchemist wrote:
> What I never understood is how it considers our own code to be malware. It could be as innocent as can be and be labeled malware. Once labeled malware I honestly think a commercial company should sue for lost income and potential income and possibly the false positives will cease or at least be reduced.

That makes a lot of sense. After this thread I am starting to think this way.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.