andkrau / NuanceResurrection


Trojan detected in latest release #2

Open archanox opened 1 year ago

archanox commented 1 year ago

On the latest 062 release the following is detected.

toxieainc commented 1 year ago

Unfortunately this is due to how Nuance works: It generates code dynamically, and this does not go well with certain virus scan heuristics. :/ So depending on the other code of an executable, sometimes such a heuristic will trigger, sometimes not. Here I uploaded it to virustotal: https://www.virustotal.com/gui/file/193e7a2e7090bc8d8656f3f86570e0e9841d6b6d53f91d4761d0d1c4d5348ba2/detection

archanox commented 1 year ago

I had a look at your link and it looks like it's doing some naughty things like "phoning home" and installing some things into the system directory, doing so invisibly.

Either you're unaware of this and it was in the code you adopted, (or was injected during the compilation of the release) or you are aware of the malware and you're trying to pull the wool over everyone's eyes?

It's a real shame if it's the latter. Also a shame if it's the former as I can see you've put in a bit of work lately.

toxieainc commented 1 year ago

Actually it's neither of the two, I'd say. I'm now close to 3 years working on this (so not just a 'bit lately'), and I never stumbled over anything that would allow it to phone home or install stuff anywhere.

So either it would have to be a side effect of a third-party DLL (=glew or fmod), or of some of the Windows API/SDK calls. Or, some seemingly harmless snippet of code that actually does harmful things in practice, AND that I did not stumble over so far (very unlikely though).

That this is injected somehow by my system/compilation could easily be proven wrong by yourself, by just compiling the executable on your own and uploading it to virustotal to check if this (roughly) matches the previous results. As the whole project is self-contained, it's as simple as opening the .sln with any recent VS and clicking build.

Plan B is to get active on this project yourself and try to refactor things so that virustotal gets down to 0.
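The "build it yourself and compare with the report" step above can be made precise: VirusTotal file URLs of the form `/gui/file/<sha256>/...` embed the SHA-256 of the scanned file, so whoever rebuilds the project can hash their own output and check whether it is byte-identical to the artifact behind the report. The following is an added example, not code from the NuanceResurrection project; the sample file it hashes is constructed in a temporary directory so the script runs offline.

```python
"""Added example (not part of the NuanceResurrection project): check whether a
locally built binary is the same artifact as the one behind a VirusTotal
file report, by comparing SHA-256 digests.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

# VirusTotal file-report URLs carry the SHA-256 of the file as a 64-hex path element.
_VT_FILE_URL = re.compile(r"virustotal\.com/gui/file/([0-9a-fA-F]{64})")


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large executables do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_from_vt_url(url: str) -> Optional[str]:
    """Extract the SHA-256 from a VirusTotal /gui/file/<sha256> URL, or None."""
    m = _VT_FILE_URL.search(url)
    return m.group(1).lower() if m else None


def build_matches_report(path: Path, url: str) -> bool:
    """True if the file at `path` is byte-identical to the file the report is about."""
    expected = sha256_from_vt_url(url)
    if expected is None:
        raise ValueError("not a VirusTotal file-report URL: " + url)
    return sha256_of(path) == expected


if __name__ == "__main__":
    # Constructed sample: a stand-in for a locally built Nuance.exe.
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "Nuance.exe"
        exe.write_bytes(b"constructed sample bytes, not a real build")
        digest = sha256_of(exe)
        report = "https://www.virustotal.com/gui/file/" + digest + "/detection"
        print("local build   :", digest)
        print("matches report:", build_matches_report(exe, report))
```

A mismatch here does not by itself mean tampering: MSVC embeds timestamps and absolute paths into PE files unless the build is configured for reproducibility, so two honest builds of the same source usually differ. It does tell you whether the scan result you are looking at applies to the bytes you have, and whether a rebuild needs its own upload, which is what the suggestion above amounts to.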

toxieainc commented 1 year ago

Here, btw, another one, using latest master and VS2019 (instead of VS2022 like the release), compiled in a sandbox: https://www.virustotal.com/gui/file/1f88701af04fe0e97cdb7e48d363e63f152cddfa80f94ea3e90a540042310b1c/behavior So IMHO the virus scan heuristics are just extremely fragile (as this one has fewer flags than the one above).

...oh, and did you even read through the virustotal report in detail? I.e. which files it drops and what are the IPs? (temp dir, microsoft) And what the 'malicious behavior' is? (dynamically loading dlls and creating direct input objects)

archanox commented 1 year ago

The vs2019 build looks a whole lot different. I'll have to install the C/C++ toolchains and take a gander.

I'll maybe look at getting rid of some of the binaries (at least locally) and referencing the source as submodules and see if the compiler acts differently when outputting the executable against Windows Defender.

toxieainc commented 1 year ago

Would be nice to get some help on that, thanks! My major focus is still on getting T3K to be fully playable, so with the bit of spare time I have, I don't want to spend this on fiddling with false alarms.

toxieainc commented 1 year ago

The weird behavior continues with the 0.6.3 release: https://www.virustotal.com/gui/file/499d8b50608d2f84b3e5216395b3f541455d5b2b9ed2e34fb4796dd6e0e8afc9?nocache=1 For whatever reason it triggers less engines than before (built with latest VC2019).

archanox commented 1 year ago

I've still yet to dig into this, I pulled it down and tried to build it but I think I'm missing a bunch of the C/C++ toolchains for visual studio. Hopefully I can take another look.

toxieainc commented 1 year ago

Yet another 'variant', 0.6.4 release, which was this time compiled with VS2017/XP-compatible: https://www.virustotal.com/gui/file-analysis/YTczMGQxOWFhMWQyZWFhMjUwMDUwNjJlNzNmYjY2Y2Y6MTY3MzM1MzUzMw== Again, less triggers than before (which makes no sense, again).

gordonfreeman01 commented 1 year ago

Something to consider: maybe MS compilers are adding operations for telemetry and phoning home. Over the past few years they've basically added spyware everywhere and you have to go out of your way to disable telemetry in almost all their toolchains and software.

toxieainc commented 1 year ago

I doubt that. It will rather be one of the many many many components that come shipping with Windows. And as Nuance triggers quite some of them via its code/Windows-API-calls, one of them may be the one that connects to a MS server for whatever reason.

I also think that this part of the issue is not of any real concern. I only want to get rid of any virus detection engine detecting Nuance as a real threat. So we have to find out which code parts are detected as harmful (basically commenting out huge chunks (binary search style) and uploading to virustotal) and then see if we can recode them (newer APIs? etc) somehow to make these false detections go away.
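The "comment out huge chunks, binary search style, and re-upload" plan in the last comment is the delta-debugging problem: find a minimal set of code parts whose presence keeps the detection alive, using as few build-and-scan rounds as possible. Plain bisection only works when a single part is responsible; the thread's own observation that detection depends on which other code is present suggests a combination may be needed, which the ddmin algorithm (Zeller's delta debugging) handles. Below is an added example, not code from the NuanceResurrection project. The part names are invented labels, not real Nuance source files, and the `FakeScanner` oracle is a constructed stand-in for "rebuild with only these parts enabled, scan the result, report whether any engine flags it"; in real use that oracle would drive the build and the VirusTotal upload.

```python
"""Added example, not code from the NuanceResurrection project: ddmin search for a
minimal set of code parts that keeps a (false-positive) detection alive.
"""
from typing import Callable, List, Sequence


def _split(seq: Sequence[str], n: int) -> List[List[str]]:
    """Cut seq into n contiguous, roughly equal, non-empty pieces."""
    size, extra = divmod(len(seq), n)
    out, start = [], 0
    for i in range(n):
        end = start + size + (1 if i < extra else 0)
        out.append(list(seq[start:end]))
        start = end
    return [piece for piece in out if piece]


def ddmin(parts: List[str], flagged: Callable[[List[str]], bool]) -> List[str]:
    """Return a 1-minimal subset of `parts` for which flagged() is still True.

    flagged(subset) must answer: does a build containing only `subset` still
    get detected? Each call is one build + scan, so the loop tries to keep
    the number of calls far below the 2**len(parts) of exhaustive search.
    """
    if not flagged(parts):
        raise ValueError("the full build is not flagged; nothing to minimise")
    n = 2  # current granularity: number of pieces parts is cut into
    while len(parts) >= 2:
        subsets = _split(parts, n)
        # 1. Does any single piece reproduce the detection on its own?
        found = next((s for s in subsets if flagged(s)), None)
        if found is not None:
            parts, n = found, 2
            continue
        # 2. Can any single piece be dropped while the detection survives?
        found = None
        for s in subsets:
            complement = [p for p in parts if p not in s]
            if flagged(complement):
                found = complement
                break
        if found is not None:
            parts, n = found, max(n - 1, 2)
            continue
        # 3. Neither helped: cut finer, or stop when already at single parts.
        if n >= len(parts):
            break
        n = min(len(parts), 2 * n)
    return parts


class FakeScanner:
    """Constructed stand-in for build-and-scan (assumption, not a real engine).

    It flags a build only when both the JIT emitter and the DirectInput setup
    are compiled in, mimicking a heuristic that reacts to a combination of
    behaviours (dynamic code + dynamically loaded DLL objects) rather than one.
    """

    def __init__(self) -> None:
        self.scans = 0

    def __call__(self, parts: List[str]) -> bool:
        self.scans += 1
        return "jit_emit" in parts and "dinput_create" in parts


# Invented labels for separately disable-able regions of the code base.
ALL_PARTS = [
    "cpu_core", "jit_emit", "audio_fmod", "video_glew",
    "dinput_create", "net_none", "loader", "ui",
]


def find_culprits() -> "tuple[List[str], int]":
    """Run the search against the constructed scanner; return (culprits, scans used)."""
    scanner = FakeScanner()
    culprits = ddmin(list(ALL_PARTS), scanner)
    return culprits, scanner.scans


if __name__ == "__main__":
    culprits, scans = find_culprits()
    print("parts that must all be present for the detection:", culprits)
    print("build+scan rounds used:", scans, "of", 2 ** len(ALL_PARTS), "possible")
```

The result is 1-minimal: removing any one of the returned parts makes the detection disappear, which is exactly the set worth recoding against newer APIs. Because engines and their heuristics change between uploads (the thread already shows the same code base scoring differently across compilers), a real oracle should compare against a fixed criterion, for example "at least one of the engines that flagged the release still flags this build", rather than "any engine at all".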