groupgets / LeptonModule

Code for getting started with the FLIR Lepton breakout board
https://groupgets.com/manufacturers/flir/products/flir-lepton
BSD 2-Clause "Simplified" License

ThermalView.exe may contain malware #13

Closed MartyMacGyver closed 9 years ago

MartyMacGyver commented 9 years ago

Over a dozen virus scanners are detecting a trojan in ThermalView/ThermalView.exe:

https://www.virustotal.com/en/file/055ac103ab139b6cb81c632fd67e38f1a758704c82683cbebb266bc3fb9a2b8e/analysis/1439180429/

PureEngineering commented 9 years ago

Thanks for the info, that is weird. If you recompile from the source do you get the same trojans?

MartyMacGyver commented 9 years ago

I am not using this module and cannot compile it at this time (it's not clear what environment this requires that I don't already have) - I was alerted to the potential virus when I cloned this repo, and investigated as above.

Edit: I was able to rebuild ThermalView.exe with mingw32. I still recommend against putting the executable here, but more detail in the readme would help others create their own (e.g., install MinGW/MinGW32 (links provided), add it to the path if necessary (e.g., path=C:\MinGW\bin;%PATH%), call make (mingw32-make.exe)). There's more - I could create a pull request tonight.

I would suggest removing the executable and leaving it to the user to build their binary, at least until a clean binary is available or (if this is a false positive) the reason for the problem is more clear.
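The recommendation above (ship no prebuilt executable, let users build it) is easy to enforce with a small repository check. The following script is an added example, not code from the LeptonModule repo: it walks a source tree, flags any file that starts with a PE (`MZ`) or ELF magic, and reports each one's SHA-256 so it can be looked up on VirusTotal; the `demo()` function builds a constructed sample tree in a temporary directory rather than scanning the real repository.

```python
import hashlib
import tempfile
from pathlib import Path

# Magic bytes of the executable formats that should not live in a source tree.
MAGIC = {
    b"MZ": "PE/DOS executable (.exe/.dll)",
    b"\x7fELF": "ELF executable",
}


def classify(path: Path):
    """Return a description if the file begins with a known executable magic, else None."""
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, desc in MAGIC.items():
        if head.startswith(magic):
            return desc
    return None


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256; the digest is what VirusTotal keys its reports on."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_binaries(root):
    """Return [(relative_path, description, sha256)] for every executable under root."""
    root = Path(root)
    found = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            desc = classify(p)
            if desc:
                found.append((p.relative_to(root).as_posix(), desc, sha256_of(p)))
    return found


def demo():
    """Constructed sample tree (not the real repo): one fake .exe beside source files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ThermalView").mkdir()
        (root / "ThermalView" / "ThermalView.exe").write_bytes(b"MZ" + b"\x90" * 62)
        (root / "ThermalView" / "main.cpp").write_text("int main() { return 0; }\n")
        (root / "README.md").write_text("no prebuilt binaries, please\n")
        return find_binaries(root)
```

Run `find_binaries(".")` from a CI step or pre-commit hook and fail the job if it returns anything; the reported digest can be pasted into a VirusTotal file lookup.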

MartyMacGyver commented 9 years ago

So, I thought it was fine but it wasn't... still showing the same heuristic detection though not as many. Not sure what it is about the code that is triggering this but it'll trip any antivirus that sees it as a threat.

MartyMacGyver commented 9 years ago

Well, this ranks up there as one of the weirder things I've ever seen: the problem is the application icon, period. Using a different app icon resolves the issue. I'll create a pull request tonight with that as well as an updated readme and a couple other minor cleanups.

(Background: I'm going to guess that this old generic icon is featured in many a demo app, and probably many a malicious app derived from a demo app. I scanned the icon alone and got nothing... and I scanned the app with no icon and also got nothing. But the combination of the two triggers the heuristics for multiple scanners.)