Oh crap... PB ransomware

For everything that's not in any way related to PureBasic. General chat etc...
Mijikai
Addict
Posts: 1360
Joined: Sun Sep 11, 2016 2:17 pm

Re: Oh crap... PB ransomware

Post by Mijikai »

Bitblazer wrote:...
Never connect computers with confidential information to the internet ;)
...
Exactly!
Saki
Addict
Posts: 830
Joined: Sun Apr 05, 2020 11:28 am
Location: Pandora

Re: Oh crap... PB ransomware

Post by Saki »

The greatest harm is often caused by getting people to hand over information that they would never voluntarily give to strangers.

Logically, the computers or users that are attacked in this way are connected to the Internet :shock:.

The average talented person learns from his own mistakes.
The smart one learns from the mistakes of others.
The stupid one knows everything better.

We say that although horses have bigger heads than people, they cannot necessarily think better.
But we also say that exceptions confirm the rule!
Peace on Earth
NicTheQuick
Addict
Posts: 1223
Joined: Sun Jun 22, 2003 7:43 pm
Location: Germany, Saarbrücken

Re: Oh crap... PB ransomware

Post by NicTheQuick »

I get really angry when I read here how people praise Windows XP to the skies. This shit shouldn't be connected to the internet anymore. And it's ridiculous to take the number of CVE reports as a comparison. It's a sign you guys don't know anything about security.
And backups have nothing to do with safety, they have to do with stupidity. Because if you don't do one, you're stupid. The biggest problem with outdated systems is the possibility that they themselves become a virus because they have been infected by bots.

Apart from that, Windows XP is super slow, and unless you have the 64-bit version, the 3 GB of memory will quickly fill up. Apart from that there are hardly any programs running on it anymore.
The English grammar is freeware, you can use it freely - But it's not Open Source, i.e. you cannot change it or publish it in an altered way.
Saki
Addict
Posts: 830
Joined: Sun Apr 05, 2020 11:28 am
Location: Pandora

Re: Oh crap... PB ransomware

Post by Saki »

The argumentation for Windows XP contradicts all logic and reason.

It can't be that difficult to recognize reality?

The motivations of the antivirus vendors are relatively easy to assess.

Just as easy as the motives of the creators of malware, phishing and scamming.
Peace on Earth
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

FYI. Just some more experimenting.

I compiled the same source code using PureBasic Win 5.70, 5.71 and 5.72, all 32-bit. Each exe had a slightly different filename. The file size grew with each compilation. Then individually submitted the files to VirusTotal. Results:

5.70 3 detections out of 68
5.71 3 detections
5.72 13 detections

Compiling as 64-bit resulted in 1 detection, and of course it had to be Microsoft.
But wait! Microsoft was not in the hit-list for the 32-bit compilations.
BarryG
Addict
Posts: 3292
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

Don't forget to check those detections again (re-analyze) a day later. I've had 6 detections when first submitted, but this jumped to 18 the next day when re-analyzed with no changes. It seems VirusTotal dynamically changes their scans.
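The experiment DeanH and BarryG describe (same binary, detection count changing between scans) is easier to reason about if you record each scan and diff them against the hash of the artifact you actually shipped. The following is an added example, not code from this thread or from PureBasic; the report format is a simplified stand-in for a multi-engine scan report (engine name to verdict), and the vendor names and sample reports are constructed.

```python
"""Track detection drift between rescans of one unchanged build."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Drift:
    added: tuple    # engines that flag the file now but did not before
    cleared: tuple  # engines that flagged before and are clean now
    before: int     # detection count at the first scan
    after: int      # detection count at the rescan


# Verdict strings that count as a "hit" in the constructed report format.
FLAGGED = {"malicious", "suspicious"}


def sha256_of(data: bytes) -> str:
    """Scan reports are keyed by file hash: a different hash means a different file,
    so comparing two scans is only meaningful when the hashes match."""
    return hashlib.sha256(data).hexdigest()


def same_artifact(submitted: bytes, deployed: bytes) -> bool:
    """True if the deployed binary is byte-identical to the one that was scanned."""
    return sha256_of(submitted) == sha256_of(deployed)


def detections(report: dict) -> set:
    """Engines whose verdict counts as a detection."""
    return {engine for engine, verdict in report.items() if verdict in FLAGGED}


def detection_drift(first: dict, rescan: dict) -> Drift:
    """Which engines joined or left the hit list between two scans of the same hash."""
    a, b = detections(first), detections(rescan)
    return Drift(tuple(sorted(b - a)), tuple(sorted(a - b)), len(a), len(b))


# Constructed snapshots mimicking the thread: 3 hits on day one, more a day later,
# with no change to the file in between (constructed vendor names, not real engines).
DAY1 = {"VendorA": "malicious", "VendorB": "suspicious", "VendorC": "malicious",
        "VendorD": "undetected", "VendorE": "undetected"}
DAY2 = {"VendorA": "malicious", "VendorB": "undetected", "VendorC": "malicious",
        "VendorD": "malicious", "VendorE": "suspicious"}

if __name__ == "__main__":
    d = detection_drift(DAY1, DAY2)
    print(f"{d.before} -> {d.after} detections; new: {d.added}; cleared: {d.cleared}")
```

Engines that appear in `added` with no change to the file are the ones worth a false-positive report, and `same_artifact` is the check to run before blaming the scanner when a user's copy gets quarantined.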
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

You are absolutely correct, Barry. I have seen this, too. Last week the 5.70 compilations were 13 but now 3.
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

On Sunday I submitted a recompiled 64-bit file to VT. Used PB 5.70. Only 1 hit...Microsoft. All the other AV systems reported "undetected". The very next day four of my users reported the same file had been deleted. All were using Defender. The file had not been changed on their system and was fine before the weekend. I do not believe this is a coincidence! A false positive on VirusTotal and the next day Defender claims the files are infected. I have submitted the file along with its mates to MS to be whitelisted. Last time I did this with the 32-bit versions, MS reported them clean but even a week later users still reported the files being removed. And so it goes...
Paul
PureBasic Expert
Posts: 1243
Joined: Fri Apr 25, 2003 4:34 pm
Location: Canada

Re: Oh crap... PB ransomware

Post by Paul »

I was told by a developer working at an AV company that when you submit a piece of software to a website like VirusTotal and even one AV platform flags your software as a virus/trojan, that info is then shared with all the other AV companies and the chances of the others starting to flag your software go up. The more you submit, the more likely others will follow suit.

If this is the case, it's certainly something to think about. ;)
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

That explains why the falsies multiplied. VirusTotal behaves like a virus itself by sharing results automatically. It also seems if the files are cleared by one AV company that does not seem to transfer to the others. Not right and not fair. I will not be using VirusTotal again. I did try Hybrid Analysis and the test files came back undetected - i.e. no problem. Bet that was not passed on. Three days later and I am still waiting for a reply from Microsoft.
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

Oh...crap! Malwarebytes is now flagging the PureBasic compilation file in the Windows AppData temp folder as having Malware.Heuristic.1008. Just started today. Was fine yesterday Aug 22. I tried 32-bit PB versions 5.70, 5.71 and 5.72 and all quarantined the compilation0 file. It is not happening for 64-bit versions. When I press F5 to compile and run...wham! I have told my system the file is safe. However, without doing that I would no longer be able to use PureBasic. Anyone else run into this?
BarryG
Addict
Posts: 3292
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

DeanH wrote:Anyone else run into this?
All the time. I've pretty much stopped updating my apps for public use at the moment. I update them for myself only until I can decide where I want to go in life. I'm 50 now and not sure I have time for this malware dance anymore. There's better uses for my time.
tj1010
Enthusiast
Posts: 621
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: Oh crap... PB ransomware

Post by tj1010 »

I read somewhere that this is suspected of being developed by a government.. Encrypting files based on their extensions with PKI over http and sending it on emails is just too state of the art and robust for some lone math/CS prodigy to code..

definitely a FancyBear or Equation level operation
The truth hurts.
NicTheQuick
Addict
Posts: 1223
Joined: Sun Jun 22, 2003 7:43 pm
Location: Germany, Saarbrücken

Re: Oh crap... PB ransomware

Post by NicTheQuick »

Here's a funny guide in three steps to convince up to 25 virus scanners that there is no virus anymore: https://twitter.com/jeffmcjunkin/status ... 2252054528
The English grammar is freeware, you can use it freely - But it's not Open Source, i.e. you cannot change it or publish it in an altered way.
PrincieD
Enthusiast
Posts: 642
Joined: Wed Aug 10, 2005 2:08 pm
Location: Yorkshire, England

Re: Oh crap... PB ransomware

Post by PrincieD »

I've had the same issues, guys, with the ProGUI examples (Malwarebytes I've had direct dealings with), it really dampens your spirits. How this industry can exist that makes you liable without proof, and by proof I mean how the AVs work (cracking an egg with a sledgehammer, *cough* some malware has a fasm signature therefore all fasm = malware *cough*) :twisted:
ProGUI - Professional Graphical User Interface Library - http://www.progui.co.uk