Author Topic: Malware or false positive?  (Read 4294 times)

Offline Rappaping

  • Jr. Member
  • **
  • Posts: 22
Malware or false positive?
« on: July 06, 2011, 05:52:02 AM »
Dear staff,
first of all compliments for the fine avast antivirus free, the most complete antivirus of all free antiviruses.
Now, I've got a question about a little program I've downloaded. You can find it here:
http://www.mediafire.com/?tjz4uljz2vn
This program is a patch for Acer Launch Manager written by a certain Morris, as he himself describes in his blog at this web page:
http://www.theacerguy.com/2009/05/aspire-5920g-launch-manager-patch/
The original Acer program has a "bug" that doesn't let the program recognize a button (the Bluetooth button) of the laptop, so that button can't be used.
To fix this bug (and to add some other features), the patch needs to make many changes to the system, so that Avast Antivirus Free recognizes the program as "Win32:Malware-gen". Also, I've scanned the file with McAfee antivirus and it doesn't detect any malware.
My question is:
is this Morris' Launch Manager safe (in this case Avast's alert would be a false positive detected, I think, with the heuristic method and caused by the changes that the patch would make in the system) or is it real malware?
Thank you very much.
Best regards.

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21645
  • Gender: Male
Re: Malware or false positive?
« Reply #1 on: July 06, 2011, 06:02:12 AM »
well it is not only avast! that does not like it


VirusTotal - Morris' Launch Manager V11.0 x86+64-bit.exe - 29/43
http://www.virustotal.com/file-scan/report.html?id=f25873d7db340fa0618c7390527746515f2ea08aae341ab8598c3687eeb7514f-1309931650
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Rappaping

  • Jr. Member
  • **
  • Posts: 22
Re: Malware or false positive?
« Reply #2 on: July 06, 2011, 11:06:56 AM »
It is not a sufficient reason to say it's malware. The patch, in fact, acts deeply in the system files, so it could be possible (if not probable) that it is recognized as malware but it isn't.
When a file scanned with an antivirus heuristic method is marked as malware, it will be deeply analyzed by the antivirus programmers' team to understand if it is real malware or not, so that they can update the heuristic algorithm and implement it in the next release of the antivirus program: in this way, AV programmers decrease the number of false-positive results, hence improving the product.
So, I'm asking some moderator to know if my file is real malware or not.
However, any other kind of comment by the forum's users is well appreciated (thank you Pondus for your very useful comment!).
Best regards.

Offline Altarir.

  • Full Member
  • ***
  • Posts: 181
  • Gender: Male
Re: Malware or false positive?
« Reply #3 on: July 06, 2011, 12:02:42 PM »
my systems: windows XP sp3; linux PClinuxOS
for the sake of your own security, you should install WOT and NoScript in your browser.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69198
  • Gender: Male
  • No support PMs thanks
Re: Malware or false positive?
« Reply #4 on: July 06, 2011, 12:44:24 PM »
@ Rappaping
I sympathise with your dilemma, but you appear to have made your mind up already, so I wonder why you bothered to ask about the file.

With such a high number of scanners finding this at the very least suspicious, I would be in no rush to use it. I would however be checking out Acer; surely they themselves have released this patch officially on the Acer website (since the blog article is over two years old)?

Not the unofficial Acer blog by someone on the inside, as they say it isn't UAC friendly, and all of that is going to get many AVs twitching from all of these changes. So I rather doubt they are going to change their signatures based on what it does to the system, being very much like malware activity. The problem is one of intent: an AV has no way of knowing if these modifications are for good or evil purposes.

So the decision and acceptance of risk would have to be yours.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20116
  • Gender: Male
  • malware fighter
Re: Malware or false positive?
« Reply #5 on: July 06, 2011, 12:56:19 PM »
Hi Rappaping and DavidR,

The main concern here is the presence of x32.exe, Application Layer Gateway Service, which has been looked upon as undesirable to say the least: http://www.bleepingcomputer.com/startups/x32.exe-24090.html
x32.exe is considered to be a spyware trojan.
So as DavidR says I would reconsider using the executable. Did you analyze the file through FileAlyzer and how was the file certified?

polonus
« Last Edit: July 06, 2011, 09:12:58 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Rappaping

  • Jr. Member
  • **
  • Posts: 22
Re: Malware or false positive?
« Reply #6 on: July 06, 2011, 04:21:15 PM »
Thank you all for your help!

To David:
"I sympathise with your dilemma, but you appear to have made your mind up already, so I wonder why you bothered to ask about the file."

I haven't made my mind up already, because if I had, I'd have installed the patch on my system, but I've not.

"Not the unofficial Acer Blog, by someone on the inside, as they say it isn't UAC friendly"

I've looked for an official patch already, but there isn't, so the unofficial patch would be very useful for me.
UAC unfriendly is not synonym of malware.

"I rather doubt they are going to change their signatures based on what it does to system being VERY MUCH LIKE malware activity. The problem is one of intent, an AV has no way of knowing if these modifications are for good or evil purposes."

Actually, I don't understand you when you say "VERY MUCH LIKE malware activities", because malware is, substantially, a program that offers an unauthorized service to itself (a worm, for example) or to an unauthorized person (backdoors give remote access, spyware collects and sends private data, etc.), so a program is malware or it is not! The only kind of "VERY MUCH LIKE malware activity" I can think of is an easily exploitable program (for example because it was badly coded), but that is not my interest in this topic. Also, when an antivirus finds malware with the heuristic method, the only way to know if it is real malware or a false positive is to analyze the program's activity to understand what it really does. It is an important job for AV software houses, because if the program is a false positive, they can understand where the algorithms used to detect the file are wrong and then they can improve them, so that false-positive detection will improve. At last, it is very important for a software house to improve false-positive detection by its antivirus, for two main reasons:
1) false-positive programs are safe and probably useful programs that can't be used because they are labelled (by the AV) as malicious software
2) antivirus software testers rate products also considering false-positive detection (you can see "Antivirus Comparatives Summary Report 2010", section D "False Positives winners" in the PDF at http://www.av-comparatives.org/comparativesreviews/summary-reports ): of course it is in the interest of software houses to reach the best possible rating in those tests.

What I asked for in this topic is to know if my patch contains REAL malicious software.
Altarir (thank you very much!) offered us great help, because he scanned every single file from the archive, so we now know which files are safe and which COULD BE malicious.
Polonus (thank you too!) has confirmed that x32.exe IS malware.

Now, I think I'd have to
1) look for the other suspicious files' reports on the internet to confirm or deny that they are malicious
2) delete confirmed malicious files from the archive
Then it would become much more reasonable to try to install the patch, even though an analysis by Avast programmers of the files I couldn't confirm or deny would be the top.

Note that not all VirusTotal antiviruses have detected malware and that some of them are very good AV programs with (BETTER THAN OTHERS?) heuristic virus scanning features implemented in the AV engine.
Best regards

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20116
  • Gender: Male
  • malware fighter
Re: Malware or false positive?
« Reply #7 on: July 06, 2011, 05:00:43 PM »
Hi Rappaping,

What I should do is to load up the file to Anubis http://anubis.iseclab.org/ and report the analysis report url back here.
Now going over the whole discussion in your thread your final evaluation turns around the point: "Is this a risktool with malware-like aspects, but created by a developer with the best of intentions for it to be a desirable genuine software solution or is it a genuine looking software solution created to pose as such but with hidden malicious intent?"

If it was your intention to install this and you were aware of the risks and vulnerabilities involved, you could classify the whole issue as: "Is this a PUP or not?"
A piece of software that is also being qualified as heuristic malware because of the way it behaves.

While malcreants and genuine software developers alike use the same methods for their creations, like similar genuine protection methods and, in the case of malcreants, stolen software certifications, it is rather difficult to rubber stamp it for what it really is.

An official mention by Acer that this third-party software is harmless and free of malcode would help you enormously here.

On the other hand we should all applaud a user here in the forums that goes to such lengths as to establish that the inevitable software fixes he needs are secure enough to use.
Reassuring was this scan: http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.mediafire.com%2F%3Ftjz4uljz2vn

And this one: Checking: -http://connect.facebook.net/en_US/all.js#xfbml=1
File size: 126.14 KB
File MD5: 9c8ae137787710db4434da343b81ee4b

-http://connect.facebook.net/en_US/all.js#xfbml=1 - Ok

Checking: -http://www.mediafire.com//blank.html?tjz4uljz2vn
File size: 64 bytes
File MD5: 8257335b77d5beb3a4771a064a50518d

-http://www.mediafire.com//blank.html?tjz4uljz2vn - Ok

Checking: -http://cdn.mediafire.com/js/master_45144.js
File size: 234.54 KB
File MD5: a30e9e1bad3950a33b57edf6b08ba52b

-http://cdn.mediafire.com/js/master_45144.js - Ok

Checking: -https://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.js
File size: 214.09 KB
File MD5: 8c40d7e0c38ccbca24b7ba29a1db07e7

-https://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.js - Ok

Checking: -http://connect.facebook.net/en_US/all.js
File size: 126.14 KB
File MD5: 3e1aebc31749e591e771ea4f6eb9e33c

-http://connect.facebook.net/en_US/all.js - Ok

Checking: -http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62
File size: 7769 bytes
File MD5: d25e7b6651dcef405bbdffc084c5ee68

-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62 - archive HTML
>-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62/Script.0 - Ok
>-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62/Script.1 - Ok
>-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62/Script.2 - Ok
>-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62/Script.3 - Ok
>-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62/Script.4 - Ok
-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62 - Ok

Checking: -http://www.mediafire.com/?tjz4uljz2vn
Engine version: 5.0.2.3300
Total virus-finding records: 2334176
File size: 57.13 KB
File MD5: 2a2940c7a67cd33188b6b570d6cd4b73

-http://www.mediafire.com/?tjz4uljz2vn - archive HTML
>-http://www.mediafire.com/?tjz4uljz2vn/Script.0 - Ok
>-http://www.mediafire.com/?tjz4uljz2vn/Script.1 - Ok
>-http://www.mediafire.com/?tjz4uljz2vn/Script.2 - Ok
>-http://www.mediafire.com/?tjz4uljz2vn/JavaScript.3 - Ok
>-http://www.mediafire.com/?tjz4uljz2vn/Script.4 - Ok
>-http://www.mediafire.com/?tjz4uljz2vn/JavaScript.5 - Ok
>-http://www.mediafire.com/?tjz4uljz2vn/Script.6 - Ok
>-http://www.mediafire.com/?tjz4uljz2vn/Script.7 - Ok
-http://www.mediafire.com/?tjz4uljz2vn - Ok

I will be waiting for that Anubis report link; I will gladly evaluate that for you as best I can, if you like?

polonus
« Last Edit: July 06, 2011, 06:49:55 PM by polonus »

Offline Rappaping

  • Jr. Member
  • **
  • Posts: 22
Re: Malware or false positive?
« Reply #8 on: July 06, 2011, 08:01:32 PM »
Without a doubt I'd like that, Polonus!

Also, you really understood all I've written.

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21645
  • Gender: Male
Re: Malware or false positive?
« Reply #9 on: July 06, 2011, 08:35:13 PM »
I uploaded the file (Morris' Launch Manager V11.0 x86+64-bit.exe) to the NORMAN lab as a false positive case since it was detected in the VT

and I can now see it in the list of confirmed False Positives


Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20116
  • Gender: Male
  • malware fighter
Re: Malware or false positive?
« Reply #10 on: July 06, 2011, 08:53:11 PM »
Hi Pondus,

I think that Rappaping will be glad to hear this. As the Anubis report comes in later, because at this moment it is again as slow as molasses, it could well be that at the end of the day avast only detects this in PUP mode, but that is for them to decide. But the NORMAN lab results show that my first hunch and feeling about this, as I explained to Rappaping, was right: "Suspicious at first glance, but genuine under the hood when tested".

polonus

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21645
  • Gender: Male
Re: Malware or false positive?
« Reply #11 on: July 06, 2011, 08:57:13 PM »
From NORMAN lab

Quote
Hi,

Since the file submitted is a false-positive our senior researcher confirmed it and removed that detection from our database.

The legit file was detected in the first case due to a heuristic detection in our engine. We have made necessary changes to rectify the same.

Thanks,
GD.
« Last Edit: July 07, 2011, 07:36:50 AM by Pondus »


Offline Rappaping

  • Jr. Member
  • **
  • Posts: 22
Re: Malware or false positive?
« Reply #12 on: July 07, 2011, 02:28:02 PM »
Hi guys!
Can we trust Norman's senior researchers? I don't know. If yes, is the bleepingcomputer report an error because the file is a false positive, or is it another file with the same name as ours (x32.exe)?
Polonus, have you been notified by Anubis?
P.S.: I've opened the urlquery link with Firefox with the NoScript addon active, avast antivirus and McAfee Security Center active, but without any sandbox. Must I be worried?

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20116
  • Gender: Male
  • malware fighter
Re: Malware or false positive?
« Reply #13 on: July 07, 2011, 03:44:34 PM »
Hi Rappaping,

I will give you the results as soon as they come in. With NoScript active in Fx and nothing specifically downloaded from that link, I would not worry about visiting that link at urlquery dot net. As long as you do not double-click or open things inside other software or download, you will be OK.

What we have to look for in the first place is the functionality of that launch manager, and therefore I have based my evaluation on what we find in the ThreatExpert report that Altarir provided for us in the thread above.
1.
Packer: nothing out of the ordinary: UPX

Now another scan to check against...
http://file.virscan.org/report/c877d2a75a5c33981b2820897f00fac5.html
latest results: http://file.virscan.org/report/8f84e6046e0273f9b8d06186e02eaeaa.html

2.
We also have this Dialer DNS Changer functionality to consider.
Rappaping, will you please check this for us:
1) Start> Run> type in CMD and press Enter
2) At the command prompt, type IPCONFIG /ALL and press Enter
3) You should be presented with a bunch of information; find the section for your Internet connection. It may be entitled Ethernet Adapter Local Area Connection or something along those lines.
4) Find the DNS Server section and double-check the numbers.
Give them to us attached...
3.
What was further found in the analysis: characteristics of a security risk, not necessarily that it actually is such; I mean having trojan- and bot-like behaviour, that is, it will be executing unknown programs, like those 3 mentioned below as...
4.
as "bluetoothcfg.exe", interface,
5.
then "hidden start", and that hstart.exe was only found a threat in 6 percent of cases,
it is used to run console applications and batch files,
not worth another thought then,
6.
and finally "nircmdc.exe", found as malicious in win32.agent,
for an evaluation of this executable see:
http://www.threatexpert.com/files/nircmdc.exe.html,
the number of incidents where it was found to be a threat is zero,
so forget about that one too.

Overall personal conclusion -

Depending on the results of the above additional check,
my overall personal verdict would be:
- "risktool" or "possible unwanted program",
unless self-installed knowingly and intentionally
by the owner of the computer,

polonus
« Last Edit: July 07, 2011, 07:09:41 PM by polonus »
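The DNS check polonus asks for in steps 1) to 4) can be automated. The script below is an added example, not code from the thread or from the Launch Manager patch: it parses the text `ipconfig /all` prints (a constructed sample is embedded), collects the resolvers per adapter, and flags any that is not on a hypothetical allowlist of resolvers the machine's owner expects to see.

```python
"""Check the DNS resolvers in `ipconfig /all` output against an allowlist.

Added example, not code from the thread or from the Launch Manager patch.
SAMPLE_IPCONFIG is constructed text in the layout `ipconfig /all` prints;
EXPECTED_RESOLVERS is a hypothetical allowlist.
"""
import ipaddress
import re

# Constructed sample output. The wireless adapter carries a resolver
# (203.0.113.66, a documentation-range address) that is not on the
# expected list, the kind of change a DNS changer would leave behind.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.21
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.66
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Hypothetical allowlist: the home router plus the public resolvers the user chose.
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# An adapter header is an unindented line ending in a colon.
_ADAPTER_RE = re.compile(r"^(\S.*):\s*$")
# The "DNS Servers" key line; the first resolver follows the colon (may be empty).
_DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S*)")


def _as_ip(value):
    """Return the normalized address if value is an IPv4/IPv6 literal, else None."""
    try:
        # Drop an IPv6 zone index such as "%12" before parsing.
        return str(ipaddress.ip_address(value.split("%")[0]))
    except ValueError:
        return None


def parse_dns_servers(text):
    """Map each adapter name to the list of resolvers ipconfig reports for it."""
    servers = {}
    adapter = None
    collecting = False  # inside the continuation lines of a DNS Servers entry
    for line in text.splitlines():
        header = _ADAPTER_RE.match(line)
        if header:
            adapter = header.group(1)
            servers.setdefault(adapter, [])
            collecting = False
            continue
        key = _DNS_RE.match(line)
        if key and adapter is not None:
            collecting = True
            first = _as_ip(key.group(1))
            if first:
                servers[adapter].append(first)
            continue
        if collecting:
            # Extra resolvers appear alone on indented lines; anything else ends the entry.
            more = _as_ip(line.strip())
            if more:
                servers[adapter].append(more)
            else:
                collecting = False
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """List (adapter, resolver) pairs whose resolver is not on the allowlist."""
    return [(name, ip) for name, ips in servers.items() for ip in ips if ip not in expected]


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    for name, ips in found.items():
        print(f"{name}: {', '.join(ips) or '(none)'}")
    for name, ip in unexpected_resolvers(found):
        print(f"UNEXPECTED resolver {ip} on {name}")
```

On a live Windows machine the same parser can be fed `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout` instead of the sample. Anything flagged is worth comparing with what the router or ISP actually hands out; a silently changed resolver is exactly what the Dialer DNS Changer functionality mentioned above would leave behind, and it is also the first thing to put back if the patch is later removed.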

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20116
  • Gender: Male
  • malware fighter
Re: Malware or false positive?
« Reply #14 on: July 07, 2011, 07:07:59 PM »
Now we have to consider this report and the Wepawet scan of the link

-http://www.mediafire.com/?tjz4uljz2vn that Rappaping gave, suspicious, see:
http://wepawet.iseclab.org/view.php?hash=e72370fb8669182fe5310fb7d5f5de20&t=1310063241&type=js
Site ridden with sometimes dubious ad-trackers:

Various 0-0-0 hidden iFrames there, this one -http://cdn5.tribalfusion.com/media/common/pop/pop-11.js reminding of data requested from a remote server of the Virut file infector and an Adware keygen; similar -http://trgca.opt.fimserve.com/ code (requested by Virut)

This is a bad request for a Fake-AV -http://audit.303br.net?anId=20&advId=1925&pubId=3346&campId=9685&vURL= (dead)

Link to malware domain -http://tracking.batanga.com/ adtracker
also CollectiveMedia.createAndAttachAd adtracker

code from -http://ad.turn.com Adtracking servers Security Benign

-UNDERDOGMEDIA Medium Rectangle MediaFire.com IFrame ADCODE START (bad WOT status)

polonus

« Last Edit: July 07, 2011, 07:14:39 PM by polonus »
