All times are UTC + 1 hour

Post new topic Reply to topic  [ 108 posts ]  Go to page Previous  1 ... 3, 4, 5, 6, 7, 8  Next
 Post subject: Re: Oh crap... PB ransomware
PostPosted: Thu May 14, 2020 3:45 pm 
Administrator

Joined: Fri May 17, 2002 4:39 pm
Posts: 14065
Location: France
BarryG wrote:
nsstudios wrote:
how can antiviruses pinpoint PB specifically?

Because all PureBasic executables have the "Neil Hodgson" signature in them (a series of known bytes), so they're easily detectable as compiled with PureBasic, as opposed to compiled with C. The ransomware coded with PureBasic, called PureLocker, didn't help things.


Where did you get this info? It might be the case if you use the ScintillaGadget(), because he wrote it, but it's not in every exe.


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Thu May 14, 2020 4:57 pm 
Addict

Joined: Tue Nov 09, 2010 10:15 pm
Posts: 1670
I doubt scintilla is the issue, more likely some standard library stuff. You get false flags even with the simplest of code without scintilla.


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Thu May 14, 2020 9:57 pm 
Addict

Joined: Thu Apr 18, 2019 8:17 am
Posts: 894
Fred wrote:
it's not in every exe

Yes, it seems to be. I don't even use the ScintillaGadget(), but every exe information tool I use shows that my exe has been compiled with PureBasic and mentions "Neil Hodgson" with it. An example is here -> viewtopic.php?p=482487#p482487


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Thu May 14, 2020 11:04 pm 
Addict

Joined: Sat Oct 17, 2009 10:51 pm
Posts: 1387
Location: Nashville
Beyond disturbing, and one cannot expect our EUs to install our software with such alarms being set off.


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Sat May 16, 2020 7:41 pm 
Enthusiast

Joined: Sat Jul 23, 2011 1:13 am
Posts: 297
Location: Germany
BarryG wrote:
Fred wrote:
it's not in every exe

Yes, it seems to be. I don't even use the ScintillaGadget(), but every exe information tool I use shows that my exe has been compiled with PureBasic and mentions "Neil Hodgson" with it. An example is here -> viewtopic.php?p=482487#p482487


I just tested two programs with this PEStudio software and it says "n/a" in the "signature" field.
I'm running 5.70 LTS.


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Sat May 16, 2020 9:46 pm 
User

Joined: Wed Aug 28, 2019 1:01 pm
Posts: 66
Just tested both 32-bit and 64-bit compilations of just the End keyword with PB 5.72 using ExeInfo PE.
  • 32-bit:
    • Before scan: PureBasic v4.20 - v5.70 - EXE ( 2008-2019 ) Fantaisie Software - www.purebasic.com *ACM
    • After scan: Sign. 4145 : [PureBasic 4.x -> Neil Hodgson]
  • 64-bit:
    • Before scan: 64 bit executable -> *** Unknown EXE - CPU : AMD Std Compiler section - GCC exeHeader or Asm demo/example [Signed]
    • After scan: Sign. 4376 : [x64 Pure Basic - Pelles C - sign A.S.L ( 64 bit ) ]
BarryG wrote:
What? Why? PureBasic isn't infected and doesn't contain malware. An executable compiled with it is. What you're saying is like banning Excel because someone made a bad spreadsheet.

That would be absolutely fine as long as the bad spreadsheet didn't cause all spreadsheets to be treated as malicious. This is exactly my worry, and I think this has to be taken very seriously, as it poses a threat to the language as a whole, because people would be less likely to run things made in it.
I love PB and I'm here to stay, but I'm really worried over the fact that antiviruses can target PB specifically just because it is being used for unsavory things by a few people.
:(


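Added example (an editor's addition, not code from any poster in this thread or from PureBasic): output such as "Sign. 4145 : [PureBasic 4.x -> Neil Hodgson]" rests on a byte-signature database of the kind PEiD and ExeInfo PE use. The Python below is a minimal scanner of that kind: it parses a PE far enough to map AddressOfEntryPoint to a file offset, then matches hex patterns with ?? wildcards either only at the entry point or anywhere in the file, and builds a constructed single-section PE32 to run against. The signature database is constructed for illustration: the x86 stub pattern is hypothetical, and the "Neil Hodgson" string entry only mirrors what posters report seeing in tool output. No real tool's signature set is reproduced here.

```python
# Added example (not from the forum posts or from PureBasic): a minimal
# PEiD/ExeInfo-style compiler-fingerprint scanner. It parses just enough of a
# PE file to locate the entry point, then matches byte signatures (with ??
# wildcards) either at the entry point or anywhere in the image. The signature
# database is CONSTRUCTED for illustration; no real tool's signatures are copied.
import re
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: str   # hex bytes separated by spaces; "??" is a one-byte wildcard
    ep_only: bool  # True: match only at the entry point; False: anywhere in the file


def hex_of(text: bytes) -> str:
    """Turn a literal byte string into the hex-pattern form used by Signature."""
    return " ".join(f"{b:02X}" for b in text)


# Constructed database. The stub pattern is hypothetical; the string entry
# reflects what posters in the thread report seeing in tool output.
SIGNATURE_DB: List[Signature] = [
    Signature("Hypothetical x86 runtime stub (EP)", "55 8B EC 83 EC ?? E8", ep_only=True),
    Signature("Scintilla author credit string", hex_of(b"Neil Hodgson"), ep_only=False),
]


def compile_pattern(pattern: str) -> re.Pattern:
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def entry_point_offset(data: bytes) -> Optional[int]:
    """File offset of AddressOfEntryPoint, or None if data is not a PE we can map."""
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        (num_sections,) = struct.unpack_from("<H", data, coff + 2)
        (opt_size,) = struct.unpack_from("<H", data, coff + 16)
        opt = coff + 20
        # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ optional headers.
        (ep_rva,) = struct.unpack_from("<I", data, opt + 16)
        sections = opt + opt_size
        for i in range(num_sections):
            hdr = sections + i * 40
            vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
            if vaddr <= ep_rva < vaddr + max(vsize, raw_size):
                return raw_ptr + (ep_rva - vaddr)
    except struct.error:
        pass
    return None


def scan(data: bytes, db: List[Signature]) -> List[str]:
    """Names of all signatures that match; EP-only entries need a parsable PE."""
    ep = entry_point_offset(data)
    hits = []
    for sig in db:
        rx = compile_pattern(sig.pattern)
        if sig.ep_only:
            if ep is not None and rx.match(data, ep):
                hits.append(sig.name)
        elif rx.search(data):
            hits.append(sig.name)
    return hits


def build_sample_pe(ep_code: bytes, tail: bytes = b"") -> bytes:
    """CONSTRUCTED single-section PE32 whose entry point begins with ep_code."""
    raw_ptr, va = 0x200, 0x1000
    body = ep_code + tail
    raw_size = max(0x200, (len(body) + 0x1FF) & ~0x1FF)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, one section
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, raw_size, 0, 0, va)  # EP RVA at offset 16
    opt += b"\0" * (0xE0 - len(opt))
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, va, raw_size, raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    headers += b"\0" * (raw_ptr - len(headers))
    return headers + body + b"\0" * (raw_size - len(body))


if __name__ == "__main__":
    sample = build_sample_pe(b"\x55\x8B\xEC\x83\xEC\x40\xE8\0\0\0\0", b"\0Neil Hodgson\0")
    print(scan(sample, SIGNATURE_DB))
```

The point for the false-positive discussion: an identification like this is a compiler fingerprint, not a verdict on behaviour, and because the match is on literal bytes, a different architecture, linker or runtime stub (as in the 32-bit versus 64-bit results above) changes which entries fire. Any byte pattern that every build of a toolchain shares is also exactly what an AV vendor can turn into a family rule once one sample from that toolchain is malicious.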
 Post subject: Re: Oh crap... PB ransomware
PostPosted: Sun May 17, 2020 12:04 am 
Enthusiast

Joined: Mon Apr 10, 2017 6:17 pm
Posts: 350
Location: Germany
Ok, you got me curious, so I wanted to check one of my executables which doesn't use Scintilla. Obviously if you use any third-party software to analyse a PE file, the software could claim anything, so first I checked with a PE analyzer different from the PE Explorer commonly used.
This is the result:

CFF Explorer: [screenshot]
PE Detective: [screenshot]

Seems reasonable - they both don't seem to know PureBasic and guess different C(++) compilers, probably because those were used to compile a library part that PB included.

PS: I am using Kaspersky Internet Security and initially there was an issue with homebrew PB executables. So I contacted them, issued samples, they changed something and everything has been fine since that day.

_________________
webpage


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Sun May 17, 2020 4:21 pm 
Addict

Joined: Sat Oct 17, 2009 10:51 pm
Posts: 1387
Location: Nashville
nsstudios wrote:
• After scan: Sign. 4145 : [PureBasic 4.x -> Neil Hodgson]


*shakes head*


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Wed Jul 01, 2020 6:21 am 
User

Joined: Wed May 07, 2008 4:57 am
Posts: 73
Location: Adelaide, South Australia
There might be a new virus or malware about. In the last two weeks several of my users have reported PB-compiled modules as infected. This happened last year but seemed to have settled down. They're usually quarantined or immediately closed. Avast and Bit-Defender and even McAfee have done it recently. Not Defender, and luckily not Norton/Symantec. Re-compiling as 64-bit significantly reduces the number of false positives (according to VirusTotal tests) even with the same source code. I do not think it is the Neil Hodgson bit that's being picked up. (I'm Dean Hodgson, no relation.) I've reported the FPs to several companies. Kaspersky was quick to respond but the others were either slow or didn't reply. Bit-Defender clobbered most files regardless of 32/64-bit. I can't think of a good solution other than getting users to exclude files and folders.


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Wed Jul 01, 2020 2:36 pm 
Addict

Joined: Tue Nov 09, 2010 10:15 pm
Posts: 1670
Send the exe to the AV companies and ask them to whitelist it.

This is common any time you update code.


 Post subject: Oh crap... PB ransomware
PostPosted: Wed Jul 01, 2020 10:28 pm 
Addict

Joined: Sat Oct 09, 2010 3:47 am
Posts: 1656
Hi All,

Windows 10 / Windows Security

Not sure how much the following will help or if it has already been reported, but with a few of my programs the executable was flagged as containing a trojan and quarantined...

After selecting the Compiler Option > Request User mode for Windows Vista and above (no virtualization) the program was allowed to execute.

_________________

STATUS: Permanently Unavailable :: Downloads (disabled) moved to My PureBasic Stuff
_________________


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Thu Jul 02, 2020 8:43 am 
Addict

Joined: Thu Apr 18, 2019 8:17 am
Posts: 894
JHPJHP wrote:
After selecting the Compiler Option > Request User mode for Windows Vista and above (no virtualization) the program was allowed to execute.

Made no difference to my app, unfortunately. VirusTotal gives it 9/71 malware hits normally, and 10/72 with user mode enabled.


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Thu Jul 02, 2020 10:22 am 
Always Here

Joined: Fri Oct 23, 2009 2:33 am
Posts: 6249
Location: Wales, UK
Quote:
even McAfee


McAfee is not the best AV software; it finds false positives just like Avast.

_________________
IdeasVacuum
If it sounds simple, you have not grasped the complexity.


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Thu Jul 02, 2020 10:47 am 
Enthusiast

Joined: Sun Jun 22, 2003 7:43 pm
Posts: 551
Location: Germany, Saarbrücken
Many antivirus products or security suites drill more holes into your system than there were before. I cannot count the occurrences of security holes in such software anymore.
Just use Windows Defender and your brain. It's enough.
Also don't use mysterious browser extensions that scan your encrypted data by injecting their own root certificate into the operating system's trust store. It's bullshit and dangerous.

_________________
The english grammar is freeware, you can use it freely - But it's not Open Source, i.e. you can not change it or publish it in altered way.


 Post subject: Re: Oh crap... PB ransomware
PostPosted: Thu Jul 02, 2020 10:50 am 
Always Here

Joined: Fri Oct 23, 2009 2:33 am
Posts: 6249
Location: Wales, UK
Good advice, NicTheQuick 8)

_________________
IdeasVacuum
If it sounds simple, you have not grasped the complexity.

