From: Juan Castro (SAL-LA)
Sent: Friday, March 26, 2010 7:32:35 AM
Subject: NEWSBANK :: Antivirus and False Positives
Auto forwarded by a Rule
Antivirus and False Positives
Written by Kimberly
Friday, 26 March 2010 08:01
Antivirus and FP
Thursday, March 25, 2010 by S!Ri
I did a test on Virus Total Online Scanner with an inoffensive ASM code.
This is the source code:
.model flat, stdcall
And this is what the compiled binary looks like
00401000 >/$ 6A 00 PUSH 0 ; /ExitCode = 0
00401002 \. E8 01000000 CALL jmp.kernel32.exitprocess ; \ExitProcess
00401007 CC INT3
00401008 .- FF25 00204000 JMP DWORD PTR DS:[<kernel32.ExitProcess>]; kernel32.ExitProcess
The program just exit itself. No more, no less.
a-squared 126.96.36.199 2010.03.25 Backdoor.Poisonivy.E!IK
This test was done with an unpacked binary. Using a packer increase the results: 27/42 with FSG and 25/41 with MEW. Various Trojan names were listed such as: Vundo, Trojan-Downloader, Backdoor/RBot and so on.
With packed versions, some AV are detecting the file because of an heuristic routine: Trojan.Generic, Win32.Suspicious, Mal/EncPk-BA, Cryp_MEW-11.
Take care with Antivirus Results and learn to decode Trojan Names.
PS: I've edited the post, writing the conclusion in bold. Some people misinterpret this post: this is just a fun test, not a attack against AV vendors.
While I see S!Ri's post as educational (which was its intention), some antivirus companies don’t seem to perceive it like that unfortunately. It is not always easy for antivirus services to create detections but when you see that a harmless piece of code has been labeled PoisonIvy or High Risk Backdoor, I think it’s the perfect example of why you should always use your common sense instead of blindly relaying on antivirus definitions and their associated program with default settings.
False detections sooner or later lead to mini disasters (often accompanied by a financial cost to render the computer usable again) especially for unsavy users when critical system files get deleted.
Or more recently the Faulty Update for 64 bit Operating Systems. Not everyone is able to use the Windows Recovery option from the OS CD. Some ship with a recovery partition, not a bootable CD. Its nice to set up a page with recovery instructions but my PC just crashed and is now unbootable remember ... at this stage there's even 99% of chance that I wont be able to tell what did render it unsuable anyway.
A couple simple guidelines will save you already a lot of trouble.
· Keep your system up to date and tighten your browser’s security. Disable useless Add-Ons, uninstall them. Get rid of those so called helper toolbars, many have vulnerabilities and those are exploited daily by malware writers to push malware on your computer.
· Get your news from legitimate news websites rather than from any site popping up in your search results.
· Exercise caution on the sites visited using your browser, hover over the links so that you see where you are going next.
· Be careful with links in email and chat messages even if they come from your friends, ask yourself the question “Would they send that me” first, re-check with your friend on the legitimacy of the message instead of blindly following the link.
· Don’t open attachments from persons you don’t trust and exercise caution with those from friends. Remember, they can be infected with a spambot and thus send out copies to the contact list.
· If you get an email from your bank asking you to enter personal details, change a password etc … online, double check that the email really originated from them, give them a call eventually especially if you didn’t ask for a password reset or detail change. As a general rule try not to follow links in your mail, go to the website instead. If you absolutely need to follow the link, make sure that you will end up where you expected to be.
As for the anti-virus settings … don’t allow a file to be deleted, take control of your computer. If you are in doubt, upload the file to a service like virustotal. Seek assistance on the forums if you have trouble grabbing the file but don’t exclusively relay on a binary decision, on a piece of code that has no common sense at all, just 0 and 1‘s.