Oh crap... PB ransomware

For everything that's not in any way related to PureBasic. General chat etc...
plouf
Enthusiast
Posts: 250
Joined: Fri Apr 25, 2003 6:35 pm
Location: Athens,Greece

Re: Oh crap... PB ransomware

Post by plouf »

BarryG wrote: Sun Jun 04, 2023 10:05 pm
Fred wrote: Sun Jun 04, 2023 6:39 pm
If it's possible to submit a lot of exe to a virus test tool, we could write an exe generator to create one program per library command, and see if a specific command is flagged. Then I can try to modify the code to avoid this, but it's really silly if you ask me.
VirusTotal supports automatic submissions with their API support. Yes, it costs money and is silly and annoying for you, but what you suggested seems like something you might have to eventually do; otherwise PureBasic's reputation may get tarnished - people won't trust it to produce "clean" code. Look at DeanH's post - he's already started to lose government clients because of it.
Makes no sense; you will work forever for "suspicions". Virus tools are stupid and getting stupider in order to "report".
More or less each developer is FORCED to send his exe to companies for a check.

Otherwise you will "guess" forever.
If 1 virus is ever made with PB then it's flagged in stupid detection methods forever....
Christos
skywalk
Addict
Posts: 3972
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: Oh crap... PB ransomware

Post by skywalk »

That's actually a pretty cool idea. :idea:
The number of commands is finite and an automated tool could rip them out for asm and cbe compilations.
Is this only a Windows problem?
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
Fred
Administrator
Posts: 16617
Joined: Fri May 17, 2002 4:39 pm
Location: France

Re: Oh crap... PB ransomware

Post by Fred »

I checked the business Virus Total API price and it's like 20k$ a year (!). Big pass here haha
Mijikai
Addict
Posts: 1360
Joined: Sun Sep 11, 2016 2:17 pm

Re: Oh crap... PB ransomware

Post by Mijikai »

Let's cry about 3rd-party failures and incompetence, but somehow it's PB that needs to do stuff thread...
I suggest a new subforum titled: Annual Drama Events
skywalk
Addict
Posts: 3972
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: Oh crap... PB ransomware

Post by skywalk »

Yup, that price is highly predatory.
Small business must do manual submissions.
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
Fred
Administrator
Posts: 16617
Joined: Fri May 17, 2002 4:39 pm
Location: France

Re: Oh crap... PB ransomware

Post by Fred »

Might be a team effort then. We could split the libs in half, submit, and if there is a false positive in one of them, split that half again, etc. Once the faulty lib(s) are isolated, you could go to the command level.
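The halving procedure Fred describes here, together with the "one program per library command" generator idea quoted earlier in the thread, is an ordinary bisection. The script below is an added example written for this thread, not PureBasic's own tooling: it drives the bisection over a list of library names, caches results so no subset is ever built and submitted twice (each submission costs a build, and DeanH notes that repeated uploads only multiply hits), and falls back to a drop-one-at-a-time reduction when neither half is flagged on its own, which happens when a signature spans two libraries. The `scan` function is the hypothetical "build an exe with these libs and submit it" step; the `demo_scan` stand-in and the choice of which library names trigger it are constructed for the demo and say nothing about any real scanner or real PureBasic library.

```python
"""Isolate which library (or libraries) in a build make a scanner flag it.

Added example for the PureBasic forum thread; the build-and-submit step is a
caller-supplied function, so the same driver works with any scanner.
"""
from typing import Callable, Dict, List, Sequence, Tuple

Build = Tuple[str, ...]


class SubmissionCache:
    """Wraps the real build+scan step so that an identical subset is never
    submitted twice, and counts how many submissions the search needed."""

    def __init__(self, scan: Callable[[Sequence[str]], bool]) -> None:
        self._scan = scan
        self._seen: Dict[Build, bool] = {}
        self.submissions = 0

    def flagged(self, libs: Sequence[str]) -> bool:
        key = tuple(libs)
        if key not in self._seen:
            self.submissions += 1
            self._seen[key] = self._scan(key)
        return self._seen[key]


def minimize(libs: List[str], cache: SubmissionCache) -> List[str]:
    """Drop every library whose removal keeps the build flagged.

    Used when neither half of a bisection is flagged on its own, i.e. the
    signature spans libraries that landed in different halves."""
    for lib in list(libs):
        trial = [x for x in libs if x != lib]
        if trial and cache.flagged(trial):
            libs = trial
    return libs


def isolate_group(libs: List[str], cache: SubmissionCache) -> List[str]:
    """Recursive bisection: return one minimal group of libraries that is flagged,
    or [] if this build is clean."""
    if not cache.flagged(libs):
        return []
    if len(libs) == 1:
        return libs
    mid = len(libs) // 2
    found = isolate_group(libs[:mid], cache) + isolate_group(libs[mid:], cache)
    if found:
        return found
    return minimize(libs, cache)  # neither half flagged alone: interaction case


def isolate_all(libs: Sequence[str], scan: Callable[[Sequence[str]], bool]) -> List[List[str]]:
    """Repeat isolation until the remaining libraries build clean, so several
    independent triggers are all reported rather than just the first one."""
    cache = SubmissionCache(scan)
    remaining, groups = list(libs), []
    while remaining and cache.flagged(remaining):
        group = isolate_group(remaining, cache)
        groups.append(group)
        remaining = [x for x in remaining if x not in group]
    return groups


# Constructed stand-in for "compile an exe with exactly these libs and submit
# it". It flags any build containing the hypothetical "Cipher" lib, and any
# build containing both "Network" and "Process" (a cross-library signature).
def demo_scan(libs: Sequence[str]) -> bool:
    s = set(libs)
    return "Cipher" in s or {"Network", "Process"} <= s


# Constructed library list; names are illustrative only.
DEMO_LIBS = ["Cipher", "File", "Network", "Process", "String", "Window"]

if __name__ == "__main__":
    print(isolate_all(DEMO_LIBS, demo_scan))  # [['Cipher'], ['Network', 'Process']]
```

Plugging in a real `scan` means writing a function that generates the source for the subset, compiles it, and returns whether the scanner flagged the result; everything else stays the same. For n libraries with k single-library triggers the bisection needs on the order of k·log n submissions, and the fallback reduction adds at most n more for each cross-library signature, which is far fewer than the one-build-per-library approach once the library count grows.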
NicTheQuick
Addict
Posts: 1224
Joined: Sun Jun 22, 2003 7:43 pm
Location: Germany, Saarbrücken

Re: Oh crap... PB ransomware

Post by NicTheQuick »

Keep in mind that this effort runs entirely under the assumption that the scanners work purely on some pattern-matching algorithms.
We already know that smaller programs can show a false-positive but as soon as they get bigger the false-positives slowly decrease.
The english grammar is freeware, you can use it freely - But it's not Open Source, i.e. you can not change it or publish it in altered way.
Fred
Administrator
Posts: 16617
Joined: Fri May 17, 2002 4:39 pm
Location: France

Re: Oh crap... PB ransomware

Post by Fred »

My bet is it flags some library function which doesn't change across versions; if it was generated code, switching to the C backend or enabling/disabling the optimizer should get rid of it. Maybe DeanH can try this: build several versions of his exe (ASM backend, C backend, ASM backend + optimizer, C + optimizer, ASM debug, C backend debug) and see if it yields any diff.
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

Can already provide some feedback. I tried recompiling using the C-backend as recently as two weeks ago. No difference. In fact, an additional module was flagged that was not picked up with the ASM backend. My guess is that not only is some type of pattern matching involved, but some of the AV system vendors actively share their hits. I watched the false positives rapidly multiply when I kept testing with VirusTotal, which is why I do not use it any more.
BarryG
Addict
Posts: 3292
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

DeanH wrote: Tue Jun 06, 2023 12:09 am
I watched the false positives rapidly multiply when I kept testing with VirusTotal, which is why I do not use it any more.
That doesn't matter. Users will upload your exe to VirusTotal anyway, even if you don't. Happens to me all the time.
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

Hadn't thought of that. Good point. But then I have not heard of a user that has done it. Most would not even know VT exists.

My Department asked me to use something called Hybrid Analysis which did not produce any problems.

Just had another call today from a Victoria school in which exe files were quarantined.
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

I just ran one exe through Hybrid Analysis. It gave a threat score of 35/100 and pronounced it clean but there is a long list of suspicious things. Fred, I will PM you with the URL of the report.
BarryG
Addict
Posts: 3292
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

DeanH wrote: Wed Jun 07, 2023 2:08 am
Hybrid Analysis
That damn tool says my app is malicious because it reads the clipboard. It's madness.
benubi
Enthusiast
Posts: 113
Joined: Tue Mar 29, 2005 4:01 pm

Re: Oh crap... PB ransomware

Post by benubi »

If that's so it proves there's no real way of fixing it on the PB side.

You can change all the standard libs, Mr. PureLocker compiles a new .exe, and I guess it's then like Russian roulette as to what part of the virus will be taken as "the" signature. If AVs flag signed executables you can't even really buy your way out.

We may find workarounds and restructure our code to make it more "acceptable" for the AVs, but the bad guys may follow and copy our techniques :(
idle
Always Here
Posts: 5042
Joined: Fri Sep 21, 2007 5:52 am
Location: New Zealand

Re: Oh crap... PB ransomware

Post by idle »

The irony is VirusTotal is owned by Google, which is quite appropriate considering they've effectively planted spyware on everyone's devices they possibly can.