0x192 / universal-android-debloater

Cross-platform GUI written in Rust using ADB to debloat non-rooted android devices. Improve your privacy, the security and battery life of your device.
GNU General Public License v3.0

uad_gui-windows.exe triggers virus alert in VirusTotal #401

Closed solemgar closed 1 year ago

solemgar commented 1 year ago

== Not a big deal, but I think it's nice to document it at least 👍 ==

Describe the bug: VirusTotal flags the exe as Ikarus keylogger.

Expected behavior: Clean report, or at least update the README noting this is a false positive (hopefully! :))

You have a solution? Update the README. Ideally find which piece of code triggers the antivirus, but it looks like heuristics?

UAD log: No need for a log as this is not an application issue.

Link to Virustotal report: https://www.virustotal.com/gui/file/91c7d32b8f2b021748e4dd0a6bfb7fee6c9882ae1ae2a0f62042381726c992b5/community

This is the file that triggers the antimalware: uad_gui-windows.exe

| Field | Value |
|---|---|
| MD5 | 238743e5fd112b770ca52feb34117f54 |
| SHA-1 | 92bc2a0a8e917cf5212ac2be96e625e65e7cb14a |
| SHA-256 | 91c7d32b8f2b021748e4dd0a6bfb7fee6c9882ae1ae2a0f62042381726c992b5 |
| Vhash | 076066656d1565155015z300877z77z32z453z3157z |
| Authentihash | f9f22b9d91e13960a7b8cb65acb95504de98007593f6355b33d446d01fc74cbd |
| Imphash | 2eb8e97af4a0c67d8816a670026671ce |
| Rich PE header hash | 95b9dd6afa643340cfe2857bcb2e8894 |
| SSDEEP | 98304:eP8akWhbDs71trlmYC//GehKLC+YYbuoVbot+J:Behy1X1YYag |
| TLSH | T1C9765A02FE466DAAC0ADC4B8874A47A39B2175CF0725B5BF31E5116C2F3A6B15F2D309 |
| File type | Win32 EXE |
| Magic | PE32+ executable for MS Windows (GUI) Mono/.Net assembly |
| TrID | Win64 Executable (generic) (48.7%) |
| TrID | Win16 NE executable (generic) (23.3%) |
| TrID | OS/2 Executable (generic) (9.3%) |
| TrID | Generic Win/DOS Executable (9.2%) |
| TrID | DOS Executable Generic (9.2%) |
| File size | 7.34 MB (7694336 bytes) |

TubbyCat commented 1 year ago

This is an argument for having file checksums available in the download section: to determine whether you have a corrupt version of the file (e.g. modified by a hacker). @0x192

A lot of virus scan sites work on heuristics so false positives are possible as are false negatives (missing true malware).

TubbyCat commented 1 year ago

The only reliable way to know if this is malware is to look through the source code carefully and also analyze the data the app requests & sends over the internet. If concerned, only use this software on a system without important stuff on it, e.g. a "dev" or testing PC or a container of some kind.

solemgar commented 1 year ago

@TubbyCat Indeed! I meant to say that md5 / sha256 of each released file is more than enough, just to be sure it was not tampered. That already brings a sense of security.

Some additional notes in the readme would be also great.

It was anyway flagged by only two minor engines, and we know false positives are not uncommon.

AnonymousWP commented 1 year ago

I doubt it's malicious, but I also found this: https://www.filescan.io/uploads/635295d2b87ce1b32f791781/reports/f1a9606d-97b6-403e-9ae7-955164ccc384/overview

> This is an argument for having file checksums available in the download section: To determine whether you have a corrupt version of the file. (e.g. modified by hacker). @0x192
>
> A lot of virus scan sites work on heuristics so false positives are possible as are false negatives (missing true malware).

And are you aware that if a hacker/intruder uploads a malicious file to the releases, they may as well change the checksums to match their own file? As long as the attacker can change the checksums, it's useless.

0x192 commented 1 year ago

Hi,

Sorry for responding late. This is a non-issue 🙂

The binary is clean according to VirusTotal; this is just 1 anti-malware engine (among 91 others) which flagged the raw.githubusercontent.com domain. It is mentioned in the report because UAD makes an HTTP request to this subdomain to update the debloat list (source code):

```rust
// Excerpt from the UAD source: the only network request the app makes,
// fetching the debloat list from raw.githubusercontent.com via ureq.
match ureq::get(
    "https://raw.githubusercontent.com/0x192/universal-android-debloater/\
main/resources/assets/uad_lists.json",
)
.call()
```

There will always be false positives, especially with tools like VirusTotal which scan a binary with almost 100 antivirus engines. I don't feel the need to add a warning in the README.

Adding a checksum in the release note would be pointless because if an attacker has the ability to upload a malicious binary then, as @AnonymousWP aptly pointed out, he can also modify the checksum.

> I doubt it's malicious, but I also found this: https://www.filescan.io/uploads/635295d2b87ce1b32f791781/reports/f1a9606d-97b6-403e-9ae7-955164ccc384/overview

> PE imports APIs commonly found in keyloggers --> MapVirtualKeyW@user32.dll

Well, on Windows, Iced, the GUI library I use, depends on Winit. MapVirtualKeyW is used for a legitimate purpose: source code

> OSINT source detected malicious resource

This links to the VirusTotal report.

> PE imports APIs often used by malware --> GetFileType@kernel32.dll

Ahaha! No comment! (Microsoft specification)

solemgar commented 1 year ago

Thanks @TubbyCat! Very comprehensive explanation. I appreciate the reply a lot; the (non-)issue can definitely stay closed :)