jpillora / chisel

A fast TCP/UDP tunnel over HTTP
MIT License
12.36k stars 1.32k forks

The antivirus controversy #480

Open radiumatic opened 6 months ago

radiumatic commented 6 months ago

There are several closed issues regarding this, but it seems like none of them actually discuss the source of the blacklist. I recommend reading these articles:

https://www.securemac.com/definitions/Chisel
https://varutra.com/ctp/threatpost/postDetails/Russian-Backed-%27Infamous-Chisel%27-Android-Malware-Targeting-the-Ukrainian-Military/UjZ4SlB3Uy9MNStXWlVxZTFuMmMzQT09
https://www.cisa.gov/news-events/analysis-reports/ar19-304a
https://securityaffairs.com/150167/cyber-warfare-2/infamous-chisel-malware-targets-ukraine.html
https://sensorstechforum.com/chisel-mac-trojan/

I'm not sure what can be done at this point. Maybe contacting VirusTotal and asking them for help? They are directly working with antiviruses after all.

A valid argument might be that there are many self-contained ssh implementations and you could do the same thing (ssh over http/s) fairly easily with socat. But the problem seems to actually be the name. Chisel is now known as a trojan. Maybe changing the name would be easier?

jpillora commented 6 months ago

Agreed, it’s a general networking tool, though it can be used for nefarious purposes - just like ssh, socat, etc.

I don’t really wish to engage in a cat and mouse game with AV vendors. I only use chisel on Mac and Linux and have no issues there. If you want to compile your own renamed chisel, well the source is open, and it’s MIT licensed.

On Sun, 24 Dec 2023 at 9:31 PM Nima Ghasemi Por wrote:

There are several closed issues regarding this, but it seems like none of them actually discuss the source of the blacklist. I recommend reading these articles:

https://www.securemac.com/definitions/Chisel
https://varutra.com/ctp/threatpost/postDetails/Russian-Backed-%27Infamous-Chisel%27-Android-Malware-Targeting-the-Ukrainian-Military/UjZ4SlB3Uy9MNStXWlVxZTFuMmMzQT09
https://www.cisa.gov/news-events/analysis-reports/ar19-304a
https://securityaffairs.com/150167/cyber-warfare-2/infamous-chisel-malware-targets-ukraine.html
https://sensorstechforum.com/chisel-mac-trojan/

I'm not sure what can be done at this point. Maybe contacting VirusTotal and asking them for help? They are directly working with antiviruses after all.

A valid argument might be that there are many self-contained ssh implementations and you could do the same thing (ssh over http/s) fairly easily with socat. But the problem seems to actually be the name. Chisel is now known as a trojan. Maybe changing the name would be easier?


radiumatic commented 6 months ago

I meant to suggest asking VirusTotal to act as a bridge and contact the AVs about this false flag.

If you want to compile your own renamed chisel, well the source is open, and it’s MIT licensed.

The problem is the binary signature, and not the name? I saw someone in an issue editing the name references in hex to a random string and, as far as I can remember, it worked, but again, it would be a cat and mouse game (and hackers can do this too).

If you don't mind, I can contact VirusTotal in a month or so (when I have free time) on your behalf.

jpillora commented 6 months ago

Sure, I can agree that chisel itself is not malicious - however, it can be used maliciously. If you’re an AV company, your customers are mostly non-technical users; when the AV finds chisel on a user's machine, what percentage of these detections will be malicious?

On Tue, 26 Dec 2023 at 7:34 AM Nima Ghasemi Por wrote:

I meant to suggest asking VirusTotal to act as a bridge and contact the AVs about this false flag.

If you want to compile your own renamed chisel, well the source is open, and it’s MIT licensed.

The problem is the binary signature, and not the name? I saw someone in an issue editing the name references in hex to a random string and, as far as I can remember, it worked, but again, it would be a cat and mouse game (and hackers can do this too).

If you don't mind, I can contact VirusTotal in a month or so (when I have free time) on your behalf.
