Author Topic: Likely False Positive on Custom Software Installer


Offline KDibble

  • Full Member
  • ***
  • Posts: 149
Likely False Positive on Custom Software Installer
« on: September 13, 2019, 05:44:42 PM »
The file in question is an .exe installer for custom (or "bespoke") software that is developed under the auspices of the New York State Department of Health. The software is an offline version of a web database for medical evaluations. Users conducting evaluations in locations where they have no internet access use the software to record the evaluation data, and later, when they have internet, they use it to upload that data to a secure New York State website.

avast! Endpoint Protection Suite version 8.0.1609 (pattern version 190913-2) issues multiple identical "threat detected" items when this file is scanned. They all reference an old Java exploit (CVE-2013-0422), which concerns dangers associated with file uploads. I'm attaching an image of the scan results. A major purpose of this software is to upload files to a secure website, so I guess that's why avast! is concerned. But this Java code is fully contained within a program that only has one, legitimate, function. It can't be used to upload files anywhere except to a specific secure government website.

VirusTotal finds nothing:

File: mobile-1.3.58-uasny-patch.[exe]

https://www.virustotal.com/gui/file/315ca0930da73855dc700571161e8558b5e380a26d3633e67fcd57779dafd56b/detection

I'm going to submit this to avast! as a false positive, but I can already anticipate the response: "The detection is correct", because it contains an old, vulnerable version of Java. While it's true that the JRE encapsulated in that software has a vulnerability, the software itself is not malware, and cannot be used for any malicious purpose. It should be white-listed.

 

Offline KDibble

  • Full Member
  • ***
  • Posts: 149
Re: Likely False Positive on Custom Software Installer
« Reply #1 on: September 13, 2019, 05:47:16 PM »
Okay... I was going to submit this as a false positive report, but that website only allows files of 50 MB and smaller. This file is about 280 MB. So I guess the only way to address this is to hope somebody monitoring this forum has another way to receive the file.

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36147
Re: Likely False Positive on Custom Software Installer
« Reply #2 on: September 13, 2019, 06:09:54 PM »
“Ah beer. The cause of and the solution to all of life’s problems.”

"Operator! Give me the number for 911!"

Offline KDibble

  • Full Member
  • ***
  • Posts: 149
Re: Likely False Positive on Custom Software Installer
« Reply #3 on: September 13, 2019, 07:23:56 PM »
FTP server only permits files of 50 MB or less also. I tried compressing it with 7-Zip but didn't get any meaningful shrinkage.

Thanks.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2635
  • Volunteer
Re: Likely False Positive on Custom Software Installer
« Reply #4 on: September 14, 2019, 05:40:56 AM »
CVE-2013-0422 affects clients, by the way. So the people this would affect would be anyone EXE. And yes, while the file may not be malicious inherently, it still poses a security threat, hence the warning from Avast!. This is also done remotely, and we know (evidently, partially from this post) that nothing is safe online. (Governments are slow to adopt changes in technology, which only exacerbates this issue.) One compromised webpage, and that system is now compromised as well.

You're correct that Avast! is not likely to remove the detection. I'd suggest you whitelist its application directory on your client(s). If you're using a central management system, you should consult https://forum.avast.com/index.php?board=77.0. If you must submit the files, you can always (zip them &) upload them to the cloud (Google, Dropbox etc.) and give them a link in the description. Alternatively, I can draw the attention of Milos to this thread.

Also

Quote
the software itself is not malware, and cannot be used for any malicious purpose. It should be white-listed.
(This may be a little rude... I might come off as abrasive, but it's not intended this way.) That's nothing short of wishful thinking at best, and ignorance at worst. Any software can be used for malicious purposes, regardless of its true intent. Your last paragraph is also a contradiction of itself, to be clear. You cannot be both vulnerable to attack, and be completely clear of malicious usage.
*Volunteer*.
Tier I SOC Analyst; Threat Hunter; Digital Forensics (no cert); HTB Competitor; Pentester (no cert).

4th Year BCS Student @ The University of New Brunswick.

Offline KDibble

  • Full Member
  • ***
  • Posts: 149
Re: Likely False Positive on Custom Software Installer
« Reply #5 on: September 16, 2019, 09:26:21 PM »
Quote
Your last paragraph is also a contradiction of itself, to be clear. You cannot be both vulnerable to attack, and be completely clear of malicious usage.

I wrote it the way I did to avoid getting back into the whole philosophical issue of whether avast! should issue alerts for stuff that can theoretically be exploited, or only for those things that are evidence of an actual exploit under way. I've already expressed my view elsewhere in these forums that alerts about merely potential dangers should only appear in a separate tool that is intended for software and/or website developers to use to test their products. Since I am not a developer, avast! should only be alerting me when it finds a known instance of actual malware that is attempting to do something unpleasant on my devices. I warned that failure to make this distinction risks training end users to ignore pop-up warnings, since many of them do not refer to an actual threat that is aimed at them. The fact that a component of a particular piece of software is outdated is not evidence that there is actual malicious code in that software. I also pointed out in a previous discussion that when a bajillion other anti-malware systems don't do this (see the VirusTotal results), and only avast! does, there just might be something wrong with avast's thinking on this topic. I lost that battle. But I reassert that the software in question can only be used to upload certain specific files to a certain specific website.

I will take your suggestion to use my console's ability to whitelist the software, especially since these update installers are issued on an irregular basis and likely each one would have to be whitelisted separately.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2635
  • Volunteer
Re: Likely False Positive on Custom Software Installer
« Reply #6 on: September 16, 2019, 11:50:00 PM »
Quote
Your last paragraph is also a contradiction of itself, to be clear. You cannot be both vulnerable to attack, and be completely clear of malicious usage.

I wrote it the way I did to avoid getting back into the whole philosophical issue of whether avast! should issue alerts for stuff that can theoretically be exploited, or only for those things that are evidence of an actual exploit under way. I've already expressed my view elsewhere in these forums that alerts about merely potential dangers should only appear in a separate tool that is intended for software and/or website developers to use to test their products. Since I am not a developer, avast! should only be alerting me when it finds a known instance of actual malware that is attempting to do something unpleasant on my devices. I warned that failure to make this distinction risks training end users to ignore pop-up warnings, since many of them do not refer to an actual threat that is aimed at them. The fact that a component of a particular piece of software is outdated is not evidence that there is actual malicious code in that software. I also pointed out in a previous discussion that when a bajillion other anti-malware systems don't do this (see the VirusTotal results), and only avast! does, there just might be something wrong with avast's thinking on this topic. I lost that battle. But I reassert that the software in question can only be used to upload certain specific files to a certain specific website.

I will take your suggestion to use my console's ability to whitelist the software, especially since these update installers are issued on an irregular basis and likely each one would have to be whitelisted separately.

I'm not discounting that the potential exists for users to ignore such warnings. However, in corporate settings, things are usually managed by a SOC department. If an internal one doesn't exist, an external one is usually brought in, or consulted. Although my experience with Avast! is limited (in terms of a CMS), the CMS & SIEM systems I'm aware of do not push client notices. Rather, they get pushed to the SOC to be handled. From there, the SOC can decide whether or not action must be taken. Again, most CMS systems I know of offer the ability to remotely deal with a threat (whether it's quarantine, or taking the system offline to be handled in person). Most notices I've gotten (as a SOC employee) are handled at the SOC, and the end user is none the wiser unless they must be spoken to.

Again, I'm viewing this from a SOC perspective. CVE tells me exploit; whether or not it's being abused is a different story. However, the limitations to detecting and preventing exploits are much more difficult to manage than a simple malware infection. SIEM systems could be trained to deal with it, but an endpoint AV isn't likely able to make that distinction. I would also go so far as to mention that the subconscious choosing of colors plays a role in the message delivered. RED means STOP, BAD, DO NOT DO THAT. RED therefore usually means drop whatever you're doing and seek technical assistance. It may be more appropriate to label it yellow as caution, but that's an internal discussion that Avast! can have.

Quote
The fact that a component of a particular piece of software is outdated is not evidence that there is actual malicious code in that software.
True, but that does not mean it cannot be used for malicious purposes.

Quote
I also pointed out in a previous discussion that when a bajillion other anti-malware systems don't do this (see the VirusTotal results), and only avast! does, there just might be something wrong with avast's thinking on this topic.
AV companies set their settings on VirusTotal. See the hover option on any of the AV names on VT.

"May differ from commercial off-the-shelf product. The company decides the particular settings with which the engine should run in VirusTotal. [sic]" As such, take VT's results with a grain of salt. Even Avast! does not detect your files on VT.

Quote
But I reassert that the software in question can only be used to upload certain specific files to a certain specific website.
Code:
import java.awt.EventQueue;
import java.awt.Image;
import java.awt.Toolkit;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.io.BufferedInputStream;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.swing.ButtonGroup;
import javax.swing.JButton;
import javax.swing.JFrame;
import javax.swing.JLabel;
import javax.swing.JPasswordField;
import javax.swing.JRadioButton;
import javax.swing.JTextField;
import javax.swing.SwingConstants;

/*
 * Swing login/create-account client. The login query is assembled by string
 * concatenation from the email field and the password hash, which is the SQL
 * injection point discussed below; that behaviour is left as posted.
 */
public class LoginFrame {

    private JFrame frmEvonyAgeIii;
    private JTextField JTFUserName;
    private JPasswordField pfPassword;
    private JPasswordField pwConfirmPassword;
    public JRadioButton rdbtnLogin;
    public JRadioButton rdbtnCreateAccount;
    private JLabel lblNewLabel;
    private JLabel lblConnectionStatus;

    /**
     * Launch the application.
     */
    public static void main(String[] args) {
        EventQueue.invokeLater(new Runnable() {
            /* Run the application on the Swing event thread. */
            public void run() {
                try {
                    LoginFrame window = new LoginFrame();
                    window.frmEvonyAgeIii.setVisible(true);
                    Image icon = Toolkit.getDefaultToolkit().getImage("C:\\Users\\Michael\\Desktop\\Icon.jpg");
                    window.frmEvonyAgeIii.setIconImage(icon);
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
        });
    }

    /*
     * Create the application.
     */
    public LoginFrame() {
        initialize();
    }

    /**
     * Initialize the contents of the frame.
     */
    private void initialize() {
        frmEvonyAgeIii = new JFrame();
        frmEvonyAgeIii.setTitle("Evony Age III Login");
        frmEvonyAgeIii.setBounds(100, 100, 645, 357);
        frmEvonyAgeIii.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        frmEvonyAgeIii.getContentPane().setLayout(null);
        ButtonGroup gAccount = new ButtonGroup();

        JTFUserName = new JTextField();
        JTFUserName.setBounds(135, 63, 96, 20);
        frmEvonyAgeIii.getContentPane().add(JTFUserName);
        JTFUserName.setColumns(20);

        pfPassword = new JPasswordField();
        pfPassword.setBounds(135, 94, 96, 20);
        frmEvonyAgeIii.getContentPane().add(pfPassword);

        JLabel lblUsername = new JLabel("Email:");
        lblUsername.setHorizontalAlignment(SwingConstants.RIGHT);
        lblUsername.setBounds(60, 66, 65, 15);
        frmEvonyAgeIii.getContentPane().add(lblUsername);

        JLabel lblPassword = new JLabel("Password:");
        lblPassword.setHorizontalAlignment(SwingConstants.RIGHT);
        lblPassword.setBounds(60, 97, 65, 15);
        frmEvonyAgeIii.getContentPane().add(lblPassword);

        rdbtnLogin = new JRadioButton("Login to an Existing Account");
        rdbtnLogin.setBounds(0, 7, 210, 23);
        rdbtnLogin.setSelected(true);
        frmEvonyAgeIii.getContentPane().add(rdbtnLogin);

        rdbtnCreateAccount = new JRadioButton("Create a New Account");
        rdbtnCreateAccount.setBounds(0, 33, 159, 23);
        frmEvonyAgeIii.getContentPane().add(rdbtnCreateAccount);

        JButton btnLoginCreate = new JButton("Login/Create Account");
        btnLoginCreate.setBounds(75, 156, 210, 23);
        frmEvonyAgeIii.getContentPane().add(btnLoginCreate);

        pwConfirmPassword = new JPasswordField();
        pwConfirmPassword.setEnabled(false);
        pwConfirmPassword.setBounds(135, 125, 96, 20);
        frmEvonyAgeIii.getContentPane().add(pwConfirmPassword);

        JLabel lblConfirmPassword = new JLabel("Confirm Password:");
        lblConfirmPassword.setHorizontalAlignment(SwingConstants.RIGHT);
        lblConfirmPassword.setBounds(0, 128, 125, 15);
        frmEvonyAgeIii.getContentPane().add(lblConfirmPassword);
        gAccount.add(rdbtnLogin);
        gAccount.add(rdbtnCreateAccount);

        lblNewLabel = new JLabel("Hash Data");
        lblNewLabel.setVerticalAlignment(SwingConstants.TOP);
        lblNewLabel.setBounds(10, 203, 609, 20);
        frmEvonyAgeIii.getContentPane().add(lblNewLabel);

        lblConnectionStatus = new JLabel("Connection Status: ");
        lblConnectionStatus.setBounds(237, 37, 382, 14);
        frmEvonyAgeIii.getContentPane().add(lblConnectionStatus);

        /* Action listeners for the radio buttons: the confirm field is only
         * enabled when creating an account. */
        rdbtnLogin.addActionListener(new ActionListener() {
            @Override
            public void actionPerformed(ActionEvent e) {
                pwConfirmPassword.setEnabled(false);
            }
        });
        rdbtnCreateAccount.addActionListener(new ActionListener() {
            @Override
            public void actionPerformed(ActionEvent e) {
                pwConfirmPassword.setEnabled(true);
            }
        });

        btnLoginCreate.addActionListener(new ActionListener() {
            /* Hard-coded destination: the client can only ever talk to this
             * host and port. */
            String serverAddress = "142.162.21.9";
            int serverPort = 3332;

            @Override
            public void actionPerformed(ActionEvent e) {
                /* Read both password fields and hash them (SHA3-512). */
                String password1 = new String(pfPassword.getPassword());
                String password2 = new String(pwConfirmPassword.getPassword());
                String pw1Hashed = encryptData(password1);
                String pw2Hashed = encryptData(password2);

                /* Email (used as the username). */
                String email = JTFUserName.getText();

                /* Communication variable declaration. */
                Socket clientSocket = null;
                BufferedInputStream bis = null;

                try {
                    /* The query is written to a file exactly as concatenated:
                     * the raw email goes straight into the SQL string. */
                    File authType = new File("authentication.sql");
                    BufferedWriter writer = new BufferedWriter(new FileWriter(authType));
                    writer.write("SELECT COUNT(*) FROM logintable WHERE username='" + email
                            + "' and passwordHash='" + pw1Hashed + "';");
                    writer.close();

                    lblNewLabel.setText(pw1Hashed);
                    if (rdbtnCreateAccount.isSelected()) {
                        if (pw1Hashed.equals(pw2Hashed)) {
                            // Open connections
                            /* Create user: not implemented in this version. */
                        }
                    } else if (rdbtnLogin.isSelected()) {
                        /* Send the login request: the file's bytes are written
                         * as-is over a plain java.net.Socket. */
                        lblNewLabel.setText(pw1Hashed);
                        try {
                            clientSocket = new Socket(serverAddress, serverPort);
                            byte[] bArray = new byte[(int) authType.length()];
                            bis = new BufferedInputStream(new FileInputStream(authType));
                            bis.read(bArray, 0, bArray.length);
                            OutputStream outputStream = clientSocket.getOutputStream();
                            outputStream.write(bArray, 0, bArray.length);
                            outputStream.flush();
                            outputStream.close();
                            clientSocket.close();
                        } catch (Exception excep) {
                            System.out.println("Unknown Exception Occurred");
                        } finally {
                            if (bis != null) {
                                bis.close();
                            }
                        }
                    }
                } catch (IOException ioEx) {
                    System.out.println("File failed");
                }

                /* Drop references to the plaintext and the hashes. */
                password1 = null;
                password2 = null;
                pw1Hashed = null;
                pw2Hashed = null;
            }
        });
    }

    /* Hash with 512-bit SHA3 (the "SHA3-512" MessageDigest needs Java 9 or
     * later); returns the digest as lower-case hex, or null if unavailable. */
    public String encryptData(String plaintextPW) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA3-512");
            byte[] hashbytes = digest.digest(plaintextPW.getBytes(StandardCharsets.UTF_8));
            String HPW = bytesToHex(hashbytes);
            return HPW;
        } catch (NoSuchAlgorithmException e) {
            System.out.println("Failed to create new Password.");
            return null;
        }
    }

    /* Credit to baeldung - https://www.baeldung.com/sha-256-hashing-java */
    public static String bytesToHex(byte[] hash) {
        StringBuffer hexString = new StringBuffer();
        for (int i = 0; i < hash.length; i++) {
            String hex = Integer.toHexString(0xff & hash[i]);
            if (hex.length() == 1) hexString.append('0');
            hexString.append(hex);
        }
        return hexString.toString();
    }
}
^^ This is no longer live, and is over a year out of date now. I don't typically post personal code, but fudge it. It has one purpose: take the U/N and password you've created, create an SQL statement and send it to my server. Server responds back, yay or nay. All this is done using hashed passwords, and encrypted sockets (no way to undo that short of brute force). That application was vulnerable to SQL injection, despite its singular purpose. Your government's program is no different, unfortunately.

Note the server address (my actual IP address, yes!) is hard-coded. The port is hard-coded in. It can only go one place, and do one thing, and yet, that application was vulnerable.

« Last Edit: September 16, 2019, 11:53:08 PM by Michael (alan1998) »

Offline LukasJ

  • Avast team
  • Jr. Member
  • *
  • Posts: 74
Re: Likely False Positive on Custom Software Installer
« Reply #7 on: September 17, 2019, 11:30:28 AM »
Hi,
File has been whitelisted.
Lukas

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2635
  • Volunteer
Re: Likely False Positive on Custom Software Installer
« Reply #8 on: September 17, 2019, 02:37:40 PM »
Quote
Hi,
File has been whitelisted.
Lukas

I didn't see that one coming.

Offline KDibble

  • Full Member
  • ***
  • Posts: 149
Re: Likely False Positive on Custom Software Installer
« Reply #9 on: September 17, 2019, 04:34:45 PM »
Thank you, Lukas.

Michael, just a couple of points.

SIEM systems (and security consultants, for that matter) are fiendishly expensive and you will likely see them only in the larger corporations. I suppose it looks like a promising field of endeavor, as we are constantly hearing about shortages of qualified staff, but I think we're going to find that unless and until the cost comes waaaay down, most organizations are not going to implement that stuff.

It's true that in the particular case of this file, I saw this as a result of a periodically-conducted manual scan. I don't know if anything popped up on the user's device. My remarks on the "boy who cried wolf" scenario were of a general nature.

As for your code's omission of steps to sanitize input before querying the database--I'm not sure what that has to do with the CVE vulnerability. Anybody can write insecure code with any programming language; there's no conceivable way to prevent that.
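Added example, not code from this thread or from any of its posters: the login check that the posted Java client builds by string concatenation, reproduced against an in-memory SQLite table, next to the parameterised form a fixed server would use. The table name `logintable`, the columns `username` and `passwordHash`, the exact shape of the concatenated query and the SHA3-512 hex hashing scheme are taken from the posted code; the sample account and the injected email value are constructed here. It shows why "it only goes to one server and runs one query" does not settle the question: the single hard-coded query still executes whatever the email field contains.

```python
"""Constructed example: the posted client's login query, vulnerable and fixed.

The server side of the posted code is not on the page; this stands in for the
part that would execute the SQL the client sends.
"""
import hashlib
import sqlite3


def hash_password(plaintext: str) -> str:
    # Same scheme as the posted encryptData(): SHA3-512, lower-case hex.
    return hashlib.sha3_512(plaintext.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one legitimate account (name and password
    # are assumptions, not from the thread).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logintable (username TEXT, passwordHash TEXT)")
    conn.execute(
        "INSERT INTO logintable VALUES (?, ?)",
        ("alice@example.org", hash_password("correct horse")),
    )
    conn.commit()
    return conn


def build_vulnerable_query(email: str, pw_hashed: str) -> str:
    # Verbatim shape of the string the posted client writes to
    # authentication.sql and ships to its hard-coded server.
    return (
        "SELECT COUNT(*) FROM logintable WHERE username='" + email
        + "' and passwordHash='" + pw_hashed + "';"
    )


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # A server that runs the received string as-is. sqlite3.execute() runs a
    # single statement, so the injection below is a WHERE-clause tautology
    # plus a comment, not a stacked statement.
    query = build_vulnerable_query(email, hash_password(password))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterised(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # Fixed form: the driver binds the values, so quotes and comment markers
    # in the email are data, never SQL syntax.
    row = conn.execute(
        "SELECT COUNT(*) FROM logintable WHERE username=? AND passwordHash=?",
        (email, hash_password(password)),
    ).fetchone()
    return row[0] > 0


# Closes the quoted username, forces the WHERE clause true, and comments out
# the passwordHash comparison that follows.
INJECTED_EMAIL = "x' OR 1=1 --"


def demo() -> dict:
    conn = make_db()
    results = {
        "vulnerable_good_creds": login_vulnerable(conn, "alice@example.org", "correct horse"),
        "vulnerable_bad_creds": login_vulnerable(conn, "alice@example.org", "wrong"),
        "vulnerable_injected": login_vulnerable(conn, INJECTED_EMAIL, "anything"),
        "fixed_good_creds": login_parameterised(conn, "alice@example.org", "correct horse"),
        "fixed_injected": login_parameterised(conn, INJECTED_EMAIL, "anything"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'login granted' if granted else 'login denied'}")
```

The hashing is irrelevant to the outcome: the hash only ever lands in the second comparison, and the injected email removes that comparison before it is evaluated. Binding the values is the fix; the hard-coded server address and port do nothing to prevent it.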