Oh crap... PB ransomware

Fred
Administrator
Posts: 16621
Joined: Fri May 17, 2002 4:39 pm
Location: France

Re: Oh crap... PB ransomware

Post by Fred »

BarryG wrote:
nsstudios wrote:how can antiviruses pinpoint PB specifically?
Because all PureBasic executables have the "Neil Hodgson" signature in them (a series of known bytes), so they're easily detectable as compiled with PureBasic, as opposed to compiled with C. The ransomware coded with PureBasic, called PureLocker, didn't help things.
Where did you get this info? It might be the case if you use the ScintillaGadget() because he wrote it, but it's not in every exe
Tenaja
Addict
Posts: 1948
Joined: Tue Nov 09, 2010 10:15 pm

Re: Oh crap... PB ransomware

Post by Tenaja »

I doubt scintilla is the issue, more likely some standard library stuff. You get false flags even with the simplest of code without scintilla.
BarryG
Addict
Posts: 3294
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

Fred wrote:it's not in every exe
Yes, it seems to be. I don't even use the ScintillaGadget(), but every exe information tool I use shows that my exe has been compiled with PureBasic and mentions "Neil Hodgson" with it. An example is here -> viewtopic.php?p=482487#p482487
Kuron
Addict
Posts: 1626
Joined: Sat Oct 17, 2009 10:51 pm
Location: Pacific Northwest

Re: Oh crap... PB ransomware

Post by Kuron »

Beyond disturbing and one cannot expect our EUs to install our software with such alarms being set off.
Derren
Enthusiast
Posts: 313
Joined: Sat Jul 23, 2011 1:13 am
Location: Germany

Re: Oh crap... PB ransomware

Post by Derren »

BarryG wrote:
Fred wrote:it's not in every exe
Yes, it seems to be. I don't even use the ScintillaGadget(), but every exe information tool I use shows that my exe has been compiled with PureBasic and mentions "Neil Hodgson" with it. An example is here -> viewtopic.php?p=482487#p482487
I just tested two programs with this PEStudio software and it says "n/a" in the field of "signature".
I'm running 5.70 LTS.
nsstudios
Enthusiast
Posts: 274
Joined: Wed Aug 28, 2019 1:01 pm
Location: Serbia

Re: Oh crap... PB ransomware

Post by nsstudios »

Just tested both 32-bit and 64-bit compilations of just the End keyword with PB 5.72 using exeInfo PE.
  • 32 bit:
    • Before scan: PureBasic v4.20 - v5.70 - EXE ( 2008-2019 ) Fantaisie Software - www.purebasic.com *ACM
    • After scan: Sign. 4145 : [PureBasic 4.x -> Neil Hodgson]
  • 64 bit:
    • before scan: 64 bit executable -> *** Unknown EXE - CPU : AMD Std Compiler section - GCC exeHeader or Asm demo/example [Signed]
    • after scan: Sign. 4376 : [x64 Pure Basic - Pelles C - sign A.S.L ( 64 bit ) ]
BarryG: What? Why? PureBasic isn't infected or has malware. An executable compiled with it is. What you're saying is like banning Excel because someone made a bad spreadsheet.
That would be absolutely fine as long as the bad spreadsheet wouldn't cause absolutely all spreadsheets to be treated as malicious. This is exactly my worry, and I think this has to be taken very seriously, as it poses a threat to the language as a whole, because people would be less likely to run things made in it.
I love PB and I'm here to stay, but I'm really worried over the fact that antiviruses can target pb specifically just because of it being used for unsavory things by a few people.
:(
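The identifier output above is built on string signatures inside the executable. As an added example (not code from this thread or from PureBasic itself), the script below walks a PE file's section table and reports where each known marker string sits, so a developer can see what such tools key on in their own build before filing a false-positive report. The marker list is an assumption taken from the strings quoted in this thread; the sample PE is constructed inline and is not real compiler output.

```python
"""Locate compiler-fingerprint strings in a PE file and name the section holding each hit."""
import struct
import sys

# Assumed marker list: strings the thread says identifier tools key on.
MARKERS = [b"Neil Hodgson", b"PureBasic", b"Fantaisie Software"]


def parse_sections(data):
    """Return (name, raw_offset, raw_size) for each section in the PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def find_markers(data, markers=MARKERS):
    """Return (marker, file_offset, section_name) for every marker occurrence."""
    sections = parse_sections(data)
    hits = []
    for m in markers:
        start = 0
        while (idx := data.find(m, start)) != -1:
            sec = next((n for n, p, s in sections if p <= idx < p + s), "<header>")
            hits.append((m.decode(), idx, sec))
            start = idx + 1
    return hits


def build_sample_pe():
    """Constructed minimal PE with one .rdata section carrying two marker strings."""
    payload = b"\0" * 16 + b"Neil Hodgson\0" + b"PureBasic\0" + b"\0" * 16
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = b"\0" * 16                                             # placeholder optional header
    raw_ptr = 0x40 + 4 + 20 + len(opt) + 40                      # data starts after one section header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", len(payload), 0x2000, len(payload), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + opt + sec + payload


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for marker, offset, section in find_markers(image):
        print(f"{marker!r} at 0x{offset:X} in {section}")
```

Run it with the path to one of your own builds to see which sections carry the strings; with no argument it scans the constructed sample.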
Bitblazer
Enthusiast
Posts: 733
Joined: Mon Apr 10, 2017 6:17 pm
Location: Germany

Re: Oh crap... PB ransomware

Post by Bitblazer »

Ok, you got me curious so I wanted to check one of my executables which doesn't use Scintilla. Obviously if you use any third-party software to analyse a PE file, the software could claim anything, so first I checked for a PE analyzer different to the PE Explorer commonly used.
This is the result:

CFF Explorer
[image: CFF Explorer result]
PE Detective
[image: PE Detective result]

Seems reasonable - they both don't seem to know PureBasic and guess different C(++) compilers, probably because those were used to compile a library part that PB included.

PS: I am using Kaspersky Internet Security and initially there was an issue with homebrew PB executables. So I contacted them, issued samples, they changed something and everything has been fine since that day.
Kuron
Addict
Posts: 1626
Joined: Sat Oct 17, 2009 10:51 pm
Location: Pacific Northwest

Re: Oh crap... PB ransomware

Post by Kuron »

nsstudios wrote: After scan: Sign. 4145 : [PureBasic 4.x -> Neil Hodgson]
*shakes head*
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

There might be a new virus or malware about. In the last two weeks several of my users have reported PB-compiled modules as infected. This happened last year but seemed to have settled down. They're usually quarantined or immediately closed. Avast and Bitdefender and even McAfee have done it recently. Not Defender and luckily not Norton/Symantec. Re-compiling as 64-bit significantly reduces the number of false positives (according to VirusTotal tests) even with the same source code. I do not think it is the Neil Hodgson bit that's being picked up. (I'm Dean Hodgson, no relation.) I've reported the FPs to several companies. Kaspersky was quick to respond but the others were either slow or no reply. Bitdefender clobbered most files regardless of 32/64-bit. I can't think of a good solution other than getting users to exclude files and folders.
Tenaja
Addict
Posts: 1948
Joined: Tue Nov 09, 2010 10:15 pm

Re: Oh crap... PB ransomware

Post by Tenaja »

Send the exe to the AV companies and ask them to whitelist it.

This is common any time you update code.
JHPJHP
Addict
Posts: 2129
Joined: Sat Oct 09, 2010 3:47 am

Oh crap... PB ransomware

Post by JHPJHP »

Hi All,

Windows 10 / Windows Security

Not sure how much the following will help or if it has already been reported, but with a few of my programs the executable was flagged as containing a trojan and quarantined...

After selecting the Compiler Option > Request User mode for Windows Vista and above (no virtualization) the program was allowed to execute.
BarryG
Addict
Posts: 3294
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

JHPJHP wrote:After selecting the Compiler Option > Request User mode for Windows Vista and above (no virtualization) the program was allowed to execute.
Made no difference to my app, unfortunately. VirusTotal gives it 9/71 malware hits normally, and 10/72 with user mode enabled.
IdeasVacuum
Always Here
Posts: 6425
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: Oh crap... PB ransomware

Post by IdeasVacuum »

DeanH wrote: even McAfee
McAfee is not the best AV software; it finds false positives just like Avast.
NicTheQuick
Addict
Posts: 1224
Joined: Sun Jun 22, 2003 7:43 pm
Location: Germany, Saarbrücken

Re: Oh crap... PB ransomware

Post by NicTheQuick »

Many antiviruses or security suites drill more holes in your system than there were before. I can not count the occurrences of security holes in such software anymore.
Just use Windows Defender and your brain. It's enough.
Also don't use mysterious browser extensions that scan your encrypted data by injecting their own root certificate into the operating system's trust store. It's bullshit and dangerous.
IdeasVacuum
Always Here
Posts: 6425
Joined: Fri Oct 23, 2009 2:33 am
Location: Wales, UK

Re: Oh crap... PB ransomware

Post by IdeasVacuum »

Good advice NicTheQuick 8)