INFECTED FILE: LordPE download on the Collaborative RCE Tool library
e-t172
June 28th, 2010, 10:08
The previous version of the LordPE page (http://www.woodmann.com/collaborative/tools/LordPE) on the Collaborative RCE Tool Library (http://www.woodmann.com/collaborative/tools/Category:RCE_Tools) was actually infected by a virus (a trojan horse).
See http://www.virustotal.com/analisis/354aa2ad5d67f8ce77497ccca2207be8f1bdc368bbe8bbed9689576951be1706-1277599879
This is NOT a false positive: when I launched the executable the virus duplicated itself in several system directories and added itself to the Windows scheduled tasks to be launched each day at 14:00. I noticed something was wrong as the performance of my computer dropped to a nearly unusable state when the scheduled task started, starting tens of executable files doing God knows what.
What makes this extremely dangerous is that this page is linked from Wikipedia, which means a lot of potential victims could get infected. (see http://en.wikipedia.org/w/?title=Portable_Executable&oldid=369380938#Import_Table)
Consequently, I modified the Collaborative RCE Tool Library page and replaced the infected archive with a ZIP file containing nothing but a README file explaining everything, so as to avoid anyone else's computer getting hurt.
If you own a clean copy of LordPE, by all means upload it to replace this dummy archive.
Darkelf
June 28th, 2010, 14:51
Man, I really had to calm down a bit before replying to your post.
And now in this calmed down mood let me ask you one thing: Are you crazy?
You just signed up to a board where a great deal of the members are avid reversers and really skilled in reversing malware - and the first thing you did was delete a file from the CRTL, obviously without contacting someone before. All that, because 6 (SIX!) out of 41 crappy AV-engines found some GENERIC malware? I've been using EXACTLY the same file for ages and believe me all is well with it!
I will upload it again now and don't you dare delete it again.
There is NOTHING wrong with it.
Maximus
June 28th, 2010, 16:06
lol....
this guy is great, but still the very best was this one:
http://www.woodmann.com/forum/showthread.php?9287-Alright-what-is-DbgBreakPoint%28%29/page2
:P
e-t172
June 28th, 2010, 17:34
I think you're right. I downloaded the old package again (still had the old URL buried with a wget command in my shell history) and even though AVG indeed finds something, after executing it and monitoring everything using Process Monitor I didn't find anything out of the ordinary, and nothing was added to my scheduled tasks.
After some digging through the Windows logs I found out that the scheduled tasks had been added some time around 2010-06-20 16:00. I don't know how they got there or how I missed them all this time. Bottom line is, it didn't come from the LordPE download.
Considering that I found out about these mysterious scheduled tasks about one hour after downloading LordPE, that LordPE was the only executable I downloaded today, and that some AVs considered the file infected, I jumped to conclusions a little too quickly and falsely accused your download package.
Please accept my sincere apologies for the trouble that I caused. Next time I'll run the suspicious file in a "sandbox" virtual machine and see what happens before making false accusations.
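A way to do the scheduled-task triage e-t172 describes above (finding which tasks were registered in a given window, when they fire, and what they run), as an added example that is not part of the original thread. It parses Task Scheduler XML, the format stored under %SystemRoot%\System32\Tasks and exported by `schtasks /query /xml`. The two task documents, the task names (\Updater, \ExampleBackup), the paths, the registration window and the "trusted prefix" heuristic are all constructed for this example; the only page-derived details are the daily 14:00 trigger and the 2010-06-20 16:00 registration time.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

# Default namespace used by Task Scheduler 2.0 XML.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed heuristic: paths a legitimately installed task normally runs from (lower-cased).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed heuristic: user-writable locations favoured for persistence.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def summarize_task(xml_doc: Union[str, bytes]) -> Dict[str, object]:
    """Pull the fields that matter for triage out of one Task Scheduler XML document."""
    root = ET.fromstring(xml_doc)

    def text(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    return {
        "uri": text("t:RegistrationInfo/t:URI"),
        "registered": text("t:RegistrationInfo/t:Date"),   # ISO-8601, compares as a string
        "author": text("t:RegistrationInfo/t:Author"),
        "start": text("t:Triggers/t:CalendarTrigger/t:StartBoundary"),
        "daily": root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None,
        "commands": [(e.text or "").strip()
                     for e in root.findall("t:Actions/t:Exec/t:Command", NS)],
    }


def flag_task(summary: Dict[str, object], window_start: str, window_end: str) -> List[str]:
    """Return human-readable reasons this task deserves a closer look (empty list = nothing odd)."""
    reasons = []
    if summary["registered"] and window_start <= summary["registered"] <= window_end:
        reasons.append("registered inside the suspicious window: " + summary["registered"])
    for cmd in summary["commands"]:
        low = cmd.strip('"').lower()
        if not low.startswith(TRUSTED_PREFIXES):
            reasons.append("runs from outside Windows/Program Files: " + cmd)
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable directory: " + cmd)
    return reasons


def triage(task_docs, window_start: str, window_end: str) -> Dict[str, List[str]]:
    """Map each task URI to its list of reasons."""
    out = {}
    for doc in task_docs:
        s = summarize_task(doc)
        out[s["uri"] or "<unnamed>"] = flag_task(s, window_start, window_end)
    return out


# Constructed sample input: a daily 14:00 task registered on 2010-06-20 that runs from %APPDATA%.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2010-06-20T16:03:11</Date>
    <Author>VICTIM-PC\victim</Author>
    <URI>\Updater</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2010-06-21T14:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\Updater\svchost.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample input: an ordinary weekly task installed under Program Files months earlier.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2009-11-02T09:12:44</Date>
    <Author>VICTIM-PC\victim</Author>
    <URI>\ExampleBackup</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2009-11-03T22:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\ExampleBackup\backup.exe"</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for uri, why in triage([SUSPICIOUS_TASK, BENIGN_TASK],
                           "2010-06-20T15:00:00", "2010-06-20T17:00:00").items():
        print(uri, "->", why or "nothing odd")
```

Real task files under %SystemRoot%\System32\Tasks are UTF-16 with a byte-order mark; read them with `open(path, "rb")` and pass the bytes straight to `summarize_task`, which lets the XML parser honour the declared encoding. The window check is a string comparison that works because the Date field is ISO-8601.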
Kayaker
June 28th, 2010, 18:23
I see you already posted a retraction e-t172, so all is OK, but I'll go ahead and post what I already wrote anyway.
We certainly appreciate any report of infected files in the CRCETL. However in this case, I would definitely look elsewhere for the real source of your infection.
The original LordPE-DLX package was the one put there by dELTA when the CRCETL was first created. It was version 1.41 (a microupdate known as Deluxe b that included a second lordpe.exe file - not the one you sent to virustotal) and hasn't been modified since.
http://www.woodmann.com/collaborative/tools/Bin_LordPE_2007-10-21_1.48_LordPE_1.41_Deluxe_b.zip
I did a byte check of the file in question with my old lordpe.exe obtained from the original y0da site (v 1.41 but not the "b" compile). The only difference was the SizeOfImage field (36000 vs 35E50 in the "b" compile).
Darkelf, thanks for uploading the file again. However I think your version is the same old one as mine, and not the "b" version we had there originally. So I think we'll confer and maybe revert back to the last "b" version y0da had created. Appreciate the fixup though.
If anyone feels more comfortable with the older version Darkelf uploaded, here it is:
http://www.woodmann.com/collaborative/tools/Bin_LordPE_2010-6-28_22.0_LordPE_1.41_Deluxe.zip
For the record, all additions and updates to the CRCETL go through a moderation queue where one of 4 or so of us confirm the entry. We don't necessarily do a virus scan on every file (though I have several times before OK'ing a new file), but we do assess the entry and its source. The majority of new or updated entries are from known and trusted members and we very much appreciate all additions.
We "see" who does what and everyone who contributes (the essence of the "collaborative" part of the Collaborative Libraries) gets at least mental brownie points from the moderators. Thank you and you know who'ze you are
Again e-t172, thanks for the concern, but I'd seriously look closer for the source of your problem. You're welcome to point out where the virus code is in that LordPE package.
Kayaker
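The "byte check" Kayaker describes above (two lordpe.exe builds that differ only in the SizeOfImage field, 36000 vs 35E50) is easy to make repeatable, so here is an added example that is not part of the original thread or of LordPE itself: it parses the PE32 headers of two images, reports which header fields differ, lists the raw byte offsets that differ, and checks whether SizeOfImage is a multiple of SectionAlignment as the PE/COFF specification requires. The two sample images are built in-script by a constructed minimal-PE builder (they are not LordPE bytes); the header field offsets are from the PE/COFF specification.

```python
import struct
import sys
from typing import Dict, List, Tuple

# (name, offset from the start of the optional header, struct format), PE32 layout (Magic 0x10b).
# SizeOfImage sits at optional-header offset 0x38, which is where the two LordPE builds differ.
OPT_FIELDS = [
    ("Magic", 0, "<H"),
    ("SizeOfCode", 4, "<I"),
    ("AddressOfEntryPoint", 16, "<I"),
    ("ImageBase", 28, "<I"),
    ("SectionAlignment", 32, "<I"),
    ("FileAlignment", 36, "<I"),
    ("SizeOfImage", 56, "<I"),
    ("SizeOfHeaders", 60, "<I"),
    ("CheckSum", 64, "<I"),
]


def parse_pe(data: bytes) -> Dict[str, object]:
    """Parse the DOS stub pointer, COFF header, selected PE32 optional-header fields and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    hdr = {"Machine": machine, "NumberOfSections": nsections, "Characteristics": chars}
    for name, off, fmt in OPT_FIELDS:
        hdr[name] = struct.unpack_from(fmt, data, opt + off)[0]
    if hdr["Magic"] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
    hdr["Sections"] = sections
    return hdr


def diff_pe_headers(a: bytes, b: bytes) -> List[Tuple[str, object, object]]:
    """Header fields whose values differ between the two images."""
    ha, hb = parse_pe(a), parse_pe(b)
    return [(k, ha[k], hb[k]) for k in ha if ha[k] != hb[k]]


def byte_diff_offsets(a: bytes, b: bytes) -> List[int]:
    """Every file offset at which the two images differ (length differences count as differences)."""
    return [i for i in range(max(len(a), len(b))) if a[i:i + 1] != b[i:i + 1]]


def size_of_image_aligned(hdr: Dict[str, object]) -> bool:
    """PE/COFF requires SizeOfImage to be a multiple of SectionAlignment; the loader tolerates
    violations, so a False here is worth noting but is not by itself evidence of tampering."""
    return hdr["SizeOfImage"] % hdr["SectionAlignment"] == 0


def build_minimal_pe(size_of_image: int, entry: int = 0x1000) -> bytes:
    """Constructed sample input: a syntactically valid PE32 i386 image with one .text section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, 1 section, PE32 opt size
    std = struct.pack("<HBBIIIIII", 0x10B, 6, 0, 0x200, 0, 0, entry, 0x1000, 0x2000)
    win = struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                      0x400000, 0x1000, 0x200,              # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 0, 0, 4, 0,                     # OS / image / subsystem versions
                      0, size_of_image, 0x400, 0,           # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                                 # Subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytes(16 * 8)                                    # 16 empty data directories
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + std + win + dirs + section
    return header.ljust(0x400, b"\0") + bytes(0x200)        # pad to SizeOfHeaders, then one raw section


if __name__ == "__main__":
    if len(sys.argv) == 3:
        imgs = [open(p, "rb").read() for p in sys.argv[1:3]]
    else:   # no files given: compare the two constructed samples
        imgs = [build_minimal_pe(0x36000), build_minimal_pe(0x35E50)]
    for field, va, vb in diff_pe_headers(*imgs):
        print(f"{field}: {va:#x} vs {vb:#x}")
    print("differing byte offsets:", [hex(o) for o in byte_diff_offsets(*imgs)])
    for img in imgs:
        print("SizeOfImage aligned:", size_of_image_aligned(parse_pe(img)))
```

Run it with two file paths (`python pediff.py lordpe_a.exe lordpe_b.exe`) to get the same kind of answer Kayaker gave by hand: which header field moved, and whether anything outside the header changed at all. On a genuinely trojaned build you would expect far more than two differing bytes, typically a new or enlarged section, a moved AddressOfEntryPoint, or both.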
Woodmann
June 28th, 2010, 18:30
Quote:
this guy is great, but still the very best was this one:
http://www.woodmann.com/forum/showthread.php?9287-Alright-what-is-DbgBreakPoint%28%29/page2
It's a toss up.
Woodmann
Darkelf
June 28th, 2010, 20:06
e-t172, yeah, things like that happen. No problem - you're welcome.
Kayaker, I just saw that I also have the "b"-version from CRCETL on my disk. I will upload it in a couple of minutes so the former status-quo is restored.
Regards
Edit: Done
SiGiNT
June 29th, 2010, 01:32
Jeesh!
I didn't think anyone still believed that heuristic detection actually works! Actually a lot of reversing tools are listed as malware simply because they "do baddd things" like reverse engineer software.
SiGiNT
And no I didn't die - just been working my ass off for very little money - 16 hour days ain't nice when you're almost retirement age! :P
Let me clarify a bit before disavowed jumps my ass: for everyday normal-people-type computer use heuristics are probably fine - unless they try to install PowerDVD. Another problem is keygens; most are flagged big time simply because they use out-of-the-ordinary packers.
esther
June 29th, 2010, 06:15
*another problem is keygens most are flagged big time simply because they use out of the ordinary packers.
It's certainly not only about packers, 95% of keygens are flagged coz THEY ARE EMBEDDED WITH TROJANS, VIRUSES etc... to play safe, test it in a virtual machine before you want to use it
Woodmann
June 29th, 2010, 19:38
I'm with SiG on this one.
I especially enjoy how some AV flag mal cleaners.
Woodmann
Hey SiG, I know someone on here that is older than you.
And it ain't JMI.
No hijack intended.
JMI
June 29th, 2010, 20:06
Well, all I can say to that is it isn't fun working 16 hours a day when you finally ARE retirement age ... but can't retire. On my current schedule, I will still be working for at least two weeks after I am dead and buried.
Regards,
SiGiNT
July 2nd, 2010, 23:32
Esther,
I agree better safe than sorry, but hackers and crackers are like water and oil. Very seldom do you find both sets of skills in one person; crackers are all about making things that please people and hackers are the opposite. Why go to the trouble of making a keygen that's going to be obsolete within a month, when it's far easier to accomplish your dirty deed other ways - like making a replacement executable with your code embedded in it or a DLL included in the installation? When anti-virii went heuristic, half the reversing tools I had been using for years were flagged with either a virus or trojan, but in reality I had neither. Hell, the patcher I'd been using forever was generating heuristic mis-calls when using the built-in packer, but when not packed everything was fine - if a heuristic anti-virus encounters a packer it can't deal with it automatically generates a detection. Looking it up usually yields the description "generic". For instance, at least one release of ArmaGeddon was flagged as being infected.
SiGiNT
And hey Woody, it ain't the age, it's the wear and tear!!!!! - obviously JMI has very little
Which leads me to the belief that exposure to psychedelic and other drugs during the formative years leads to Engineers and reverse Engineers!
disavowed
July 6th, 2010, 09:16
Quote:
[Originally Posted by SiGiNT;87072]I didn't think anyone still believed that heuristic detection actually works! Actually a lot of reversing tools are listed as malware simply because they "do baddd things" like reverse engineer software.
...
Let me clarify a bit before disavowed jumps my ass: for everyday normal-people-type computer use heuristics are probably fine - unless they try to install PowerDVD. Another problem is keygens; most are flagged big time simply because they use out-of-the-ordinary packers.
Well, I mostly agree.
Heuristic detections, if properly implemented, are better than nothing and can often catch "0-day" malware for which no specific signatures exist. However, if a heuristic detection detects LordPE as malware, then it is clearly *not* properly implemented.
I'm okay with AV software detecting tools like http://www.microsoft.com/Security/portal/Threat/Encyclopedia/Entry.aspx?Name=HackTool:Win32/Passview as "HackTool" (Microsoft, Symantec) or "not-a-virus" (Kaspersky), etc., but they shouldn't automatically try to delete the program. Most AV software handles such detected files as they would a "suspicious" detection -- pop up a warning, but allow the user to keep the file.
False positives have long been a nuisance. I chose to be the sheriff of my PC a long time ago. No need for deputies.
Putting the outsiders behind bars and tampering from the inside is fun, and it's good both for technical hygiene and mental exercise.
Quote:
Hey SiG, I know someone on here that is older than you.
And it ain't JMI.
Who else could possibly be older than JMI? Last time I checked he was on display at the Smithsonian.
Oh, my retirement! They kept me employed until just before the time I'd start submitting my Alzheimer's treatment & medication bills. On my last day they handed me a bond case full of $s as a token of their appreciation but I can't remember where I put it. So, still working now.
I should have had them duplicated.
Woodmann
July 7th, 2010, 16:46
Did your bond case have Euros in it?
Woodmann
Oh, speaking of AV flagging other softs.
I have a thumb drive with the usual tools for fixing dirty boxes
and now Comodo is bitching about the winrar portable exe
that's on the thumb drive.
Quote:
[Originally Posted by Woodmann;87181]Did your bond case have Euros in it?
No, the Euro was not in circulation at that time. Green bills they were, all green.
shellc0de
July 12th, 2010, 23:15
I gave up antiviruses a long time ago, with the enormous number of false positives and, up until I built my new PC, they just slowed my computer WAY WAY down, so I decided to not use antivirus. It's been over a year since I put win7x64 on my computer, and 3 mobos, 2 processors, and 3 different video cards have been through it, and it still runs super fast, and I get no popups, no unusual .exe's, while my friends call me over all the time to fix their malware-filled boxes...
Maybe I have really good karma, or maybe I'm not dumb and don't download and run things from untrusted sources (file sharing sites? apple itunes? random toolbars for IE?).
The only attacker who's managed to compromise my system is myself in my many quests to learn.
Woodmann
July 13th, 2010, 18:21
Quote:
or maybe I'm not dumb and don't download and run things from untrusted sources
Sadly, the majority do such things.
BUT, the saddest part is that those who visit here should know better,
myself included. A VM is still the best choice for playing with fire.
Because I am lazy, I use multiple scanners on everything I download.
Even if it's from a trusted source. If I get infected after that, well, I deserved it.
Woodmann
disavowed
July 13th, 2010, 22:42
Quote:
[Originally Posted by shellc0de;87236]I'm not dumb and don't download and run things from untrusted sources
That's great, but what happens when a website you commonly visit gets hacked and starts hosting a page containing an exploit for a yet-unpatched browser vulnerability that an AV engine would have caught? This can (and does) happen, so it seems to me like it's worth sacrificing some CPU cycles for a better peace of mind.
And yes, of course there may be exploits for yet-unpatched browser vulnerabilities that AV engines don't catch, but I'd rather catch some than none at all.
shellc0de
July 14th, 2010, 13:28
If one of my favorite websites gets hacked and they root my box via a client-side exploit, they are probably way too smart to put that annoying spyware and fake AV popups on it, so chances are they are just botting me or otherwise running a program that will be easy to detect with an unconventional firewall when it tries to phone home, and from there I can attach Olly to it and remove it completely.
Silkut
July 14th, 2010, 13:56
Quote:
[Originally Posted by disavowed;87267]That's great, but what happens when a website you commonly visit gets hacked and starts hosting a page containing an exploit for a yet-unpatched browser vulnerability that an AV engine would have caught? This can (and does) happen
Agreed.
It happened on a forum I'm visiting from time to time: a user reported the forum as making his AV tilt while everyone else didn't notice anything (still, the malicious shit was there), a Flash plugin exploit, that sorta stuff.
We weren't malware-oriented, but our hosting provider was unfortunately (and still is, afaik) far less concerned about security than us.
shellc0de
July 14th, 2010, 20:53
Well then let me do this: boot up a virtual machine and commence all my internet browsing within that. There, now I am virtually virus-proof.
JMI
July 14th, 2010, 21:48
Then you should read some of the information available with this Google search:
malware escaping from virtual machine
Regards,
disavowed
July 14th, 2010, 22:12
Quote:
[Originally Posted by shellc0de;87280]Well then let me do this: boot up a virtual machine and commence all my internet browsing within that. There, now I am virtually virus-proof.
AV software consumes fewer CPU resources than a VM.
Silkut
July 17th, 2010, 04:28
shellc0de> What JMI says should be taken as "nobody is virus-proof", 'cause malware escaping virtual machines isn't that common (far less common than `simple` virtualization detection anyway).
owl
July 26th, 2010, 13:55
Quote:
[Originally Posted by Woodmann;87181]I have a thumb drive with the usual tools for fixing dirty boxes
and now Comodo is bitching about the winrar portable exe
that's on the thumb drive.
Hey Woodmann, could you list what tools you are running from your thumb drive? I would be interested to know.
sabbato753
August 13th, 2010, 12:01
It does help when you do all your web browsing on a daily-updated Linux distro running in a VM, with SVN browser code, though.
Can save yourself lots of trouble. I like to think that the number of open-source eyes going through code nightly 'cause it's their passion are way better than a few paid monkeys at MS.
Maybe I'm just paranoid, though...
Oh, yeah, and what Owl said - what are you running for a cleanup toolset, Woodmann?
Woodmann
August 13th, 2010, 19:37
Howdy,
Lemme plug it in and give you the list.
Clamwin
Combofix
Rootkit Buster
Root Repeal
RU Botted
Malwarebytes
UBCD
Comodo
GMER
And a Knoppix live CD.
You can try Avira to get an infected MBR clean also.
I don't bother because most of the time an infected MBR
will keep rewriting so I just use UBCD and wipe it clean
and start over again.
I also run some of these tools at the same time so shit that is
morphing gets caught before it rewrites again.
I am always looking for new tools if anyone knows of any.
Woodmann
disavowed
August 14th, 2010, 16:34
Quote:
[Originally Posted by sabbato753;87530]I like to think that the number of open-source eyes going through code nightly 'cause it's their passion are way better than a few paid monkeys at MS.
Maybe I'm just paranoid, though...
I'm paranoid too, which is why I use Microsoft's software as opposed to most open source software. I have never seen any evidence at all (in the form of peer-reviewed studies, etc.) to show that open-source code is more secure than Microsoft's code. If you know of any such studies though, please feel free to provide links.
Silkut
August 15th, 2010, 04:22
Disa,
The problem is maybe it's not closed source for everyone (law enforcement/governments, like recently with Russia)... but that's another type of paranoia.
disavowed
August 15th, 2010, 19:00
Yes, but any well-funded government agency could get one of their spies hired by a company like Microsoft to steal the code to a given product.
sabbato753
August 16th, 2010, 08:03
Quote:
[Originally Posted by disavowed;87536]I'm paranoid too, which is why I use Microsoft's software as opposed to most open source software. I have never seen any evidence at all (in the form of peer-reviewed studies, etc.) to show that open-source code is more secure than Microsoft's code. If you know of any such studies though, please feel free to provide links.
I'm afraid I'm not too up on the "studies," but I speak specifically to OS-level, not individual software pieces like OneCare (which is actually pretty nice). If you mean to compare IE vs. Firefox, I'd say you need to not look at the Windows version of FF - a 'nix user on nightly builds (like I am with Google Chrome) IS way safer than a Windows user on IE8 or even on FF. The whole Windows OS is simply not designed with 0-day in mind. Rather than studies, I'd point you to the dev-branch hosting of either FF or Chrome, where you can read the nightly patches, then compare them to how quickly they propagate the fix log on Windows Update. Even a fairly security-conscious Windows user is hardly going to completely update his browser every day (too much of a pain)... but on 'nix it's one button click away, along with all the other nightly patches for the system.
If you want to compare vulns between any Posix OS and MS Windows, I'm happy to chat about it. PacketStorm alone gives a great daily picture, as well as just browsing over Metasploit's SVN framework. Symantec's semi-annual whitepapers are always good reading, as well.
Granted, there's always the very, very logical argument that Linux/Unix is all of about 10% of market share (and that's quite generous), so nobody codes much in the way of malware for them, at least on the end-user level. Though security by obscurity (as we all know from reversing) is hardly a form of protection, opening up an infected webpage in Linux (even in a VM) is simply not the same threat as that of a Windows system. And threats that do target Linux are largely closed up in short order.
Of course, your mileage may vary. Run an Ubuntu 8.10 build and never do your updates, and you're in just the same boat as every other person out there.
But I don't think anyone on THIS forum is quite that silly.
disavowed
August 16th, 2010, 10:38
Quote:
[Originally Posted by sabbato753;87544]If you mean to compare IE vs. Firefox, I'd say you need to not look at the Windows version of FF - a 'nix user on nightly builds (like I am with Google Chrome) IS way safer than a Windows user on IE8 or even on FF.
I know it's a couple of years old, but here's a somewhat recent study comparing security vulnerabilities in IE on Windows to security vulnerabilities in Firefox on Ubuntu: http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-02-59-48-22/ie_2D00_firefox_2D00_vuln_2D00_analysis.pdf
This one's a bit more recent: http://secunia.com/gfx/Secunia2008Report.pdf
sabbato753
August 16th, 2010, 13:03
Quote:
[Originally Posted by disavowed;87547]I know it's a couple of years old, but here's a somewhat recent study comparing security vulnerabilities in IE on Windows to security vulnerabilities in Firefox on Ubuntu: http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-02-59-48-22/ie_2D00_firefox_2D00_vuln_2D00_analysis.pdf
This one's a bit more recent: http://secunia.com/gfx/Secunia2008Report.pdf
Good reads, indeed.
And should be taken quite seriously that NOTHING is secure without good updating, particularly "stable" branches.
Personally, though, I use the nightly dev branch of chrome. And for an idea of why I feel more secure...
http://news.cnet.com/8301-30685_3-20011736-264.html
Actually, that's probably a fun way for some of the malware reversers on this board to make a few bucks!
(For the record, I still don't think my way is foolproof or that one should live life on windows without adequate common sense and virus protection...just that there are "safer" ways to do things!)
disavowed
August 16th, 2010, 14:52
I agree with everything you said in your comment above and am *shocked* this didn't turn into a flame-war.
sabbato753
August 16th, 2010, 15:01
Quote:
[Originally Posted by disavowed;87551]I agree with everything you said in your comment above and am *shocked* this didn't turn into a flame-war.
hehe
I figure that I'm here to learn. Can't do that if I'm too busy thinking I'm right all the time and know more than everyone!
Woodmann
August 16th, 2010, 17:47
Man.......
As I kept reading this I was thinking,
"shit this aint gonna end good".
Nice thread
Woodmann
Silkut
August 22nd, 2010, 06:21
Quote:
[Originally Posted by disavowed;87543]any well-funded government agency could get one of their spies hired by a company like Microsoft to steal the code to a given product.
Alexey Karetnikov, are you there?