View Full Version : Warning! Trojans!
cocoflop
27-12-2007, 09:35
Hello guys!
I just found that the thin basic installers contain trojans! My security software Bit Defender 2008.
Versions of Thin Basic:
thinBasic 1.5.0.0: Installs OK, trojans are swept.
thinBasic 1.5.0.1: Failed to install, trojans are swept.
Below I will show you screens, captured during installation and edited for demonstration.
thinBasic 1.5.0.0 (http://www.imageshack.gr/view.php?file=k0cmme33k19suhnfh9s2.png)
thinBasic 1.5.0.1 (http://www.imageshack.gr/view.php?file=d5fqttslq11x8okguiun.png)
I hope this information helps to "cure" thinBasic distributions...
Cheers! ;)
ErosOlmi
27-12-2007, 10:17
Hi cocoflop.
Thanks for reporting this info. I will check BitDefender in next days because I'm 100% sure it is a false positive. I will contact them in order to get more info on how they check this.
When we create thinBasic distribution we do it on a PC that has installed: ZoneAlarm Pro, Trend Scan Corporate edition updated every hour.
We also install thinBasic distributions on other machines under AVG Pro, Symantec AV Corporate Edition, Avast.
My idea is that some of our modules (especially PC, INet, RAS) can be exchanged with possible virus because we use some Windows API that are commonly used by some kind of virus to perform bad actions. But in scripts the user decide if do that actions or not (like connecting with a RAS function)
Another possible reason is the fact that all our libraries are packed with UPX, very often used by malware to reduce size of spreaded objects.
Anyhow, we can guarantee all our software is tested and created under secure environment. I can guarantee there is nothing inside any thinBasic exe or dll that perform any action other than what's inside a script written by the user.
That said, falling into a false positive is quite common for automation utilities like thinBasic.
I will contact BitDefender asap to understand what is possible to do.
Ciao
Eros
RobertoBianchi
27-12-2007, 10:30
Hi cocoflop,
just some questions for understand better the problem.
Did you downloaded the installer from the web site? When?
Could you please give us the size and time stamp of thinBasic_1.5.0.1.exe executable?
As Eros said:
Anyhow, we can guarantee all our software is tested and created under secure environment. I can guarantee there is nothing inside any thinBasic exe or dll that perform any action other than what's inside a script written by the user.
That is how software is build, of course it's distribution can include others but I'm pretty sure that this case is a false positive especially due to the tmp files presence into the \thinbasic\lib folder.
Thank you very much,
Roberto
ErosOlmi
27-12-2007, 11:27
OK, I've just installed BitDefender Free Edition v10 OEM and executed a full thinBasic development directory scan.
Trojan.Zlob.2.Gen infection was found into the following dll: thinBasic_COMM.dll, thinBasic_PC.dll, thinBasic_TcpUdp.dll
Now, this is a good result for me because:
listed DLLs are 100% created by us and we have full control over them (we have sources)
listed DLLs are not 3rd party libraries, so we do not have to interface with others or remove any needed DLLs
we can try to understand why there is this false positive result only with BitDefender
quite sure the usage of a specific Windows API is firing this false positive
100% sure it is a false positive.
ErosOlmi
27-12-2007, 11:57
Here again.
Sorry about I'm so insisting but I do not like AV software seems having 100% credibility while they are just other piece of software doing some job that can fail for so many reasons.
I've analyzed thinBasic_COMM.dll, one of the false positive infected dll.
I've commented out all the code inside and, step by step, I've un-commented it in order to find the possible problem. I've found it is inside a function. This is the Power Basic source code:
function Exec_COMM_Recv() as ext
'---Syntax: COMM_Recv(hComm, nBytes, StringVariable)
dim eComm as ext
dim hComm as long
dim eNumberOfBytes as ext
dim sBuffer as string
local lVariablePtr1 as long
local lVariableAbsPos1 as long
local sResult1 as string
local eResult1 as ext
local lResult1 as long
if thinBasic_CheckOpenParens() then
thinBasic_ParseNumber eComm
hComm = eComm
if thinBasic_CheckComma() then
thinBasic_ParseNumber eNumberOfBytes
' if thinBasic_CheckComma() then
' thinBasic_VariableParse(lVariablePtr1, lVariableAbsPos1)
' if thinBasic_CheckCloseParens() then
if thinBasic_ErrorFree then
comm recv hComm, eNumberOfBytes, sResult1
thinBasic_ChangeVariableStringDirect (lVariablePtr1, lVariableAbsPos1, sResult1)
end if
' end if
' end if
end if
end if
end function
If I un-comment the 5 commented lines and rebuild the DLL, BitDefender think it is infected. If those 5 lines are commented-out, BitDefender reports no infections.
I've changed the above function using different routines in the following way and BitDefender now think thinBasic_COMM.dll is virus free:
function Exec_COMM_Recv() as ext
' Syntax: COMM_Recv(hComm, nBytes, StringVariable)
dim eComm as ext
dim hComm as long
dim eNumberOfBytes as ext
dim sBuffer as string
local lVariablePtr1 as long
local lVariableAbsPos1 as long
local sResult1 as string
local eResult1 as ext
local lResult1 as long
if thinBasic_CheckOpenParens_Mandatory then
thinBasic_ParseNumber eComm
hComm = eComm
if thinBasic_CheckComma() then
thinBasic_ParseNumber eNumberOfBytes
if thinBasic_CheckComma_Mandatory then
thinBasic_VariableParse(lVariablePtr1, lVariableAbsPos1)
if thinBasic_CheckCloseParens_Mandatory then
if thinBasic_ErrorFree then
comm recv hComm, eNumberOfBytes, sResult1
thinBasic_ChangeVariableStringDirect (lVariablePtr1, lVariableAbsPos1, sResult1)
end if
end if
end if
end if
end if
end function
This to demonstrate how even AV or protection softwares are just software and thay can produce false positive if certain sequence of bytes are present in byte code.
In any case I will do the same job for the other few dlls declared as infected by BitDefender.
Next thinBasic release will be "flase positive" free software ;D
Who protect us from False Positive? Maybe a new software family not already invented!
Ciao
Eros
PS: attached thinBasic_COMM module false positive free. Just in case.
cocoflop
27-12-2007, 12:01
So it was a false alarm... Nevermind, I am glad it solved ;).
@RobertoBianchi
I downloaded both of the files from the thinbasic website, today at 9 am (+2GMT).
ErosOlmi
27-12-2007, 12:06
Thanks cocoflop. Your report was important.
I will made the needed changes also in the other modules.
@Roberto:
Roberto, I will get property of PC module in order to find problematic piece of code.
While TcpUdp module is quite easy to test and amend, PC module is a little bit more complicated.
Ciao
Eros
Michael Hartlef
27-12-2007, 17:22
Hi Eros, if you are totally bored and up to some challenge again, then please look at the INET module. AVIRA Antivirus FREE is reporting the same thing about this module. I think I told you before. It's not a big deal but would be nice if you would find a similar solution. If I ever create an TB app/game that I distribute, it would make life so much easier.
Petr Schreiber
27-12-2007, 22:52
This is interesting situation,
I test any file coming in or out with AVG and AVG Antispyware and never got any problem so far.
( but they work ;D, I tested with them some diskettes I knew there was virus and AVG immediately reacted properly ).
So I am sure those problems are just false positives. Mike is right on other side - better to not tease customers with ( even false ) alarms.
Bye,
Petr
I am using avast free version and avg anti-spyware and have had no problems during installs.
The only problem like this I run in too is, while I was using AVG anti virus, I created a program in Delphi. Now that I have Avast, when I try to run that program it comes up with alarm and locks the program in quarantine. I did all sorts of scans on the program and know it is ok, so these things seem to happen with different anti virus programs.
Amazing to see how you are tracing the problem Eros. Thanks for sharing your process and progress!
Downloaded thinBasic version 1.5.0.1. Installed it and checked it with NOD32. No false readings.
ErosOlmi
01-01-2008, 14:28
Thanks a lot for all your tests.
Next preview version will be "BitDefender false positive free".
I've already fixed all relevant modules. In few cases I've solved the problem just inserting something like "1 = 1" line so the compiler will produce different machine code. This tells a lot about some ... scanners ... and how virus signatures are handled.
Mike, after this release I will work on INET module and AVIRA warning. At first I was thinking this problem was due to the API used by INET module but now I think it is something similar to BitDefender. At least I hope because it is easy to solve if it is a similar situation.
Ciao
Eros
Michael Hartlef
01-01-2008, 16:19
No problem, take your time.
ErosOlmi
02-01-2008, 23:18
OK, current on line stable and preview version should be "BitDefender ready".
Let me know if any other problems.
Ciao
Eros