flat assembler
Message board for the users of flat assembler.

TROJAN - fasmlib-0.8.0
DarkAlchemist
Joined: 08 Oct 2010
Posts: 108
Well, the damage in reputation to a company and the product is unquestionable ESPECIALLY with the internet allowing instant information exchange that will ruin you.

I never used to see this many false positives, but I will say this: whatever is inside a keygen (I never wrote one, so I don't know what it is they are doing) will trigger a false positive 99.97% of the time. If you use any routine for your program that a keygen uses, then your program will be labeled as one.

I had a product I wrote marked as a trojan for the longest time because I compressed it. I removed the compression and it was labeled alright.
Post 21 Oct 2010, 21:07
janequorzar
Joined: 11 Sep 2010
Posts: 60
DarkAlchemist wrote:
Well, the damage in reputation to a company and the product is unquestionable ESPECIALLY with the internet allowing instant information exchange that will ruin you.

I never used to see this many false positives, but I will say this: whatever is inside a keygen (I never wrote one, so I don't know what it is they are doing) will trigger a false positive 99.97% of the time. If you use any routine for your program that a keygen uses, then your program will be labeled as one.

I had a product I wrote marked as a trojan for the longest time because I compressed it. I removed the compression and it was labeled alright.


Ahh, a thing about keygens: AVG, just for an example, also did a search for the word "keygen" in the past when I have used it. I renamed the file to something else and it would not see it as a threat. So I'm not sure if that got fixed in AVG or not. And I have known others to do this as well. This has been a problem for a couple of years from what I have personally seen.

As for false positives, that's my point. I can see roughly 5 of them, maybe, but this was almost ALL of them: 36, to be exact, that found something wrong with this ZIP. And in a lot of cases the company that makes the anti-virus software will name the target differently from other anti-virus software companies, just for their own records, which is why one anti-virus can have many names. It's another reason to look up all of them to see what's going on. In this case, all those listed on the previous page show what each of them names this one Trojan / RootKit.

Example: In the past, I had a file that was a false positive. In fact it came FROM MS of all people, and Windows detected it as a false positive. It called it a Generic Backdoor, as some have listed this ZIP file. Keep in mind, if the company has never seen it but is questioning it, they call it generic. Now, the whole time the MS file was being known as a Generic from Microsoft, other companies ALSO called it Generic, because no one could find the actual problem.

But in this ZIP file's case, you can see that it is not the same as generic. They know what it is. Most of those companies have obviously seen this particular Trojan / RootKit, and on all kinds of websites, when you do a search for it, you will see many posts about it, including variation names of this same thing.

So again, is it a false positive? There really is NO other way to know except we just have to go through the code step by step and figure it out.


Last edited by janequorzar on 21 Oct 2010, 21:39; edited 1 time in total
Post 21 Oct 2010, 21:32
DarkAlchemist
Joined: 08 Oct 2010
Posts: 108
What happens if you assemble the product yourself and zip it up? I know AV programs hate assembly in the first place, since they consider assembly language programmers as dirty. If we wanted to be clean we would just roll over and program in C# or some such nonsense, the AV companies think.
Post 21 Oct 2010, 21:36
janequorzar
Joined: 11 Sep 2010
Posts: 60
DarkAlchemist wrote:
What happens if you assemble the product yourself and zip it up? I know AV programs hate assembly in the first place, since they consider assembly language programmers as dirty. If we wanted to be clean we would just roll over and program in C# or some such nonsense, the AV companies think.


Uhmm, not understanding the point. Everything, including C language compilers, compiles down to binary; this has nothing to do with the assembly language in itself.

And if anything, the AV companies love assemblers, if that was the case; it keeps them in business.
Post 21 Oct 2010, 21:41
DarkAlchemist
Joined: 08 Oct 2010
Posts: 108
You would think that way, but they honestly distrust assemblers, and if you look at how something is compiled versus how it is assembled you will see a difference immediately.

There was a thread someplace about fasm-assembled binaries triggering false positives in AV tools, whereas something compiled with Visual Studio was not triggering them.
Post 21 Oct 2010, 22:38
janequorzar
Joined: 11 Sep 2010
Posts: 60
DarkAlchemist wrote:
You would think that way, but they honestly distrust assemblers, and if you look at how something is compiled versus how it is assembled you will see a difference immediately.

There was a thread someplace about fasm-assembled binaries triggering false positives in AV tools, whereas something compiled with Visual Studio was not triggering them.


Yea, I would like to see the link.

On the same note, binary is binary if it's executable in any way. The anti-virus looks through the binary file and determines its contents. However, a COMPRESSED file is of a different nature. It's not executed like an EXE or DLL is. It's more about an algorithm that is used for storage of said binaries. In fact, I do not know of an anti-virus that can scan inside of a RAR file. But just about all of them can scan a ZIP, because ZIP compression is pretty open knowledge; RAR is not. (Please correct me if I am wrong on this point.) Text files are not considered binary. Most all non-executable files are not considered binaries. Sure, they may be translated into binary on the hard drive during storage, but they are not executed to cause problems. (AVI files, for example, are executed in all sense of purpose of this conversation, because you can store a virus inside of a picture or video and the code inside of it will actually execute.)

Hope this helps with the meaning I was getting at earlier. The point is, a false negative goes by what it perceives it to be because of the arrangement of the binary code, or the anti-virus is just not properly coded. But when you have multiple AVs (more than a few) pretty much telling you something is wrong... yea, time to check into it.
Post 21 Oct 2010, 23:31
DarkAlchemist
Joined: 08 Oct 2010
Posts: 108
I wish I had the link, but I was doing a lot of investigating into which assembler I was going to dive into, as it has been eons since I touched asm and that was for the Motorola (more civilized asm if you ask me). I was googling like mad and came across just such a situation.

For instance, I just learned how to link my obj into a C++ file, and I loaded it up in OllyDbg and hit Alt-M (memory map). What I saw for my program was very odd looking and not like anything I had seen with a compiled program. Did my program work? You bet, but that weirdness in the memory map says that just because it is compiled down to machine language does not mean it is all created equal in the eyes of the OS or the AV.
Post 21 Oct 2010, 23:40
janequorzar
Joined: 11 Sep 2010
Posts: 60
DarkAlchemist wrote:
I wish I had the link, but I was doing a lot of investigating into which assembler I was going to dive into, as it has been eons since I touched asm and that was for the Motorola (more civilized asm if you ask me). I was googling like mad and came across just such a situation.

For instance, I just learned how to link my obj into a C++ file, and I loaded it up in OllyDbg and hit Alt-M (memory map). What I saw for my program was very odd looking and not like anything I had seen with a compiled program. Did my program work? You bet, but that weirdness in the memory map says that just because it is compiled down to machine language does not mean it is all created equal in the eyes of the OS or the AV.


Why can't it be equal? Sure, you have different compilers etc. that compile each one differently, granted. But one is just rearranged differently than the other, so it will be in memory differently from the other. Doesn't mean that it is what is causing an AV to fall apart at the seams.. lol
Post 22 Oct 2010, 00:07
rugxulo
Joined: 09 Aug 2005
Posts: 2341
Location: Usono (aka, USA)
Antiviruses are definitely a bane on society, often worse than what they are assumed to protect against! Yes, I've dealt with false positives, and it's ridiculous: stupid extreme cases where you know it's not a virus (or it is only run in an emulator anyway, but that's flagged too, go figure).

Potential solutions:

1). delete, modify, or rebuild the offending files
2). turn off heuristics (if your AV supports that option)
3). report to (erm, nag nag nag) those blasted AV vendors to actually give a crap to not flag so many false positives ... they shouldn't even let ONE single good program be rejected !!!
4). get a better antivirus program (ClamAV?)
5). get a better OS (okay, kinda silly / lame, but people do actually suggest this a lot!)

Very sad that viruses still exist.
Post 22 Oct 2010, 00:12
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17279
Location: In your JS exploiting you and your system
I once had a source file that was marked as a virus. The user's machine had Symantec AV. I was writing the source file in Notepad and saved it to disk. Everything seemed fine until I tried to assemble: "File not found". Huh? So I hit save again and assemble: still "File not found". WTF? So I open Explorer. File does not exist. Save. Explorer shows the file for a brief moment and then it disappears again. Examine further and find that Symantec AV is silently "quarantining" my source file because it is a virus! I asked the owner if I could disable the AV and was told "No way. You should stop writing viruses on my machine". Ugh, even the owner trusted the AV more than they trusted the person in front of them telling them it was wrong.

AVs get constantly updated. Just because some code triggers 36/43 detections does not mean you definitely have a virus. What it does mean is that some virus writer out there wrote something that has a section similar to the code you have. And now all files that contain code like that will trigger the AVs into panic mode. Blame the other guy that wrote whatever virus, not vid. Also, did you consider that the virus writer may have used fasmlib to help in writing the virus?
Post 22 Oct 2010, 00:22
DarkAlchemist
Joined: 08 Oct 2010
Posts: 108
revolution wrote:
...AVs get constantly updated. Just because some code triggers 36/43 detections does not mean you definitely have a virus. What it does mean is that some virus writer out there wrote something that has a section similar to the code you have. And now all files that contain code like that will trigger the AVs into panic mode. Blame the other guy that wrote whatever virus, not vid. Also, did you consider that the virus writer may have used fasmlib to help in writing the virus?
Exactly.

Eventually, given enough time, every damn thing known to man will be flagged because the virus writers will have made a section of code that your VALID program resembles.

Absolutely ludicrous and to be honest I haven't used an AV in over 2 years (almost 3 now). OMG, the virus will rape me if I don't...NOT!
Post 22 Oct 2010, 00:33
Ivan2k2
Joined: 08 Sep 2004
Posts: 80
Location: Russia, Angarsk
... about Rustock from ESET, a so-called "reliable" antivirus software:
"... 218 KB of obfuscated code versus 70 KB of clear, optimized code..."

... can't find any executable in fasmlib larger than 40 KB
Post 22 Oct 2010, 02:40
janequorzar
Joined: 11 Sep 2010
Posts: 60
What I find fascinating about all the answers here is that no one is showing facts to prove that AVs are a joke. It's all speculation.

Fact: A virus / rootkit can destroy computer hardware. If you say it cannot, look it up.
Fact: A virus / rootkit can steal information from people that a would-be attacker can use in an illegal way, such as identity theft. This has even happened to me.
Fact: A lot of people saying and exposing the fact that they do not use an anti-virus gives opportunity to others to exploit you.
Fact: We all see the results of all those anti-virus programs saying there is something wrong with the files. But we have no proof of whether it IS or IS NOT real unless you go through the code yourself.

These facts above cannot be disputed.

Look, again, everyone is speculating, but find facts to support your claims. Let's get FASMLIB working, not conjecture about what the validity of an AV is for. Seriously, who cares? This thread is about the FASM library, NOT about AVs in general. Let's get back on track here.
Post 22 Oct 2010, 03:24
DarkAlchemist
Joined: 08 Oct 2010
Posts: 108
No, let's not get back on track, because that whole nonsense you spouted sounds more like a scared child than a grown, rational, thinking programmer.

You are telling me that you do not take precautions? Think of precautions as a condom for your PC, whereas AV is just to help you "TRY" and prevent a problem.

With knowledge and safety you will prevent it from happening, and let me tell you something: I have had all of the free and the not-free AV programs, and I have become infected. I knew it when I did it, YET the AV programs did not detect it; then I had to wait a week to a month for the AV programs to catch up with the strain I had. Ever since then I stopped using AV on this PC.

A condom for your PC is the best approach, because you are using your knowledge to prevent the crap from happening in the first place, but an AV only reacts to a problem after it has happened to at least someone, more like a lot of someones, before you.

You are on a programming forum, so use that knowledge of yours to know that an AV is a false sense of security, because if you deny this then you are no longer to be listened to.
Post 22 Oct 2010, 03:35
janequorzar
Joined: 11 Sep 2010
Posts: 60
I was not the one who said they do not use an AV. I did at that time period not have one, correct, but normally I do. I had it shut off and forgot to turn it back on. I have been pretty clear about all this. Nuff said.
Post 22 Oct 2010, 03:44
Ivan2k2
Joined: 08 Sep 2004
Posts: 80
Location: Russia, Angarsk
janequorzar wrote:
Let's get back on track here.


Ok.

Fact: FASMLIB without Rustock
Proof: sources
Post 22 Oct 2010, 03:46
janequorzar
Joined: 11 Sep 2010
Posts: 60
Ivan2k2 wrote:
janequorzar wrote:
Let's get back on track here.


Ok.

Fact: FASMLIB without Rustock
Proof: sources


So if it's not in the sources, then what is it that IS causing it? Is fasm pulling from another DLL no one knows about? Is the computer that the compiler is on infected in some way, and over time has it been spread? Or is it just code that simply needs to be found to keep this from happening in the future?

These are the questions that even Vid and I were speaking about earlier in the thread.


Last edited by janequorzar on 22 Oct 2010, 07:35; edited 1 time in total
Post 22 Oct 2010, 04:01
Tyler
Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Has anyone verified the dl? Maybe vid's server was compromised? I really don't care enough to do it myself, but if you wanted to, you could compile the sources yourself and check the two resulting libs for similarities/differences (no, I don't expect you to RTFB; use a hash or something).
Post 22 Oct 2010, 04:08
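The check Tyler describes above, rebuilding from source and comparing the result against the downloaded files by hash, as an added example that is not part of the original thread or of fasmlib itself: it hashes every file on both sides, lists files present on one side only (a file the build never produces is the first thing to inspect), and for mismatching files reports sizes and the first differing offset. `load_tree` and the sample byte strings are assumptions for illustration; the samples are constructed and are not real fasmlib contents.

```python
import hashlib
import os
from typing import Dict

def load_tree(root: str) -> Dict[str, bytes]:
    """Map relative path -> file contents for every file under root (hypothetical helper)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def first_diff_offset(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 when a and b are identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return -1 if len(a) == len(b) else n

def compare_trees(downloaded: Dict[str, bytes], rebuilt: Dict[str, bytes]) -> dict:
    """Compare a downloaded package against a rebuild of it, file by file."""
    report = {"match": [], "differ": {}, "only_downloaded": [], "only_rebuilt": []}
    for rel in sorted(set(downloaded) | set(rebuilt)):
        if rel not in rebuilt:
            report["only_downloaded"].append(rel)  # shipped, but the build did not produce it
        elif rel not in downloaded:
            report["only_rebuilt"].append(rel)
        elif sha256(downloaded[rel]) == sha256(rebuilt[rel]):
            report["match"].append(rel)
        else:
            report["differ"][rel] = {
                "downloaded_sha256": sha256(downloaded[rel]),
                "rebuilt_sha256": sha256(rebuilt[rel]),
                "size_downloaded": len(downloaded[rel]),
                "size_rebuilt": len(rebuilt[rel]),
                "first_diff_offset": first_diff_offset(downloaded[rel], rebuilt[rel]),
            }
    return report

# Constructed sample trees (not real fasmlib contents): a same-sized .lib that differs
# at offset 40, an identical include file, and a DLL that only the download contains.
SAMPLE_DOWNLOADED = {
    "fasmlib.lib": b"\x4c\x01" + b"A" * 30 + b"\x00" * 8 + b"\x01\x02",
    "fasmlib.inc": b"; fasmlib include\n",
    "extra.dll": b"MZ" + b"\x90" * 20,
}
SAMPLE_REBUILT = {
    "fasmlib.lib": b"\x4c\x01" + b"A" * 30 + b"\x00" * 10,
    "fasmlib.inc": b"; fasmlib include\n",
}
```

For a real check, call `compare_trees(load_tree("<download dir>"), load_tree("<rebuild dir>"))` and start with `only_downloaded` and `differ`; a non-reproducible build (timestamps, linker order) also shows up in `differ`, so the offset reported there is what to disassemble around.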
DarkAlchemist
Joined: 08 Oct 2010
Posts: 108
janequorzar wrote:
I was not the one who said they do not use an AV. I did at that time period not have one, correct, but normally I do. I had it shut off and forgot to turn it back on. I have been pretty clear about all this. Nuff said.
Yep, 'nuff said, as you are unwilling to admit that all AV is reactionary and your brain and habits are proactive.

Yep, 'nuff said.
Post 22 Oct 2010, 05:26
vid
Verbosity in development
Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
AFAIK we haven't yet discovered what exactly causes various AVs to report various viruses. But FASM uses so many non-standard things (otherwise utilized in most cases only by viruses) that this is not surprising at all. As for proof, it is both the sources (which you can analyze and compile yourself) and the binary which supposedly contains the virus. Those binaries are very small and can be disassembled in a couple of minutes.

I can't imagine any other/better proof. What kind of proof that this is false alarm would you accept?
Post 22 Oct 2010, 10:42
Copyright © 1999-2020, Tomasz Grysztar.