Topic: False Positive since latest update? nc.exe = netcat for windows

1st_Moon

  • Guest
Since October 2007 I've been using FBF Reconnect with my Fritzbox to occasionally reset my box, which gets me a new IP address. Since my last Avast Home update, the nc.exe, which appears to be Netcat for Windows, is suddenly detected as Win32:Trojan-gen. The file is small so I've attached it as text. Thanks!

ADMIN: No such attachments here.
« Last Edit: April 07, 2008, 10:59:01 AM by kubecj »

onlysomeone

  • Guest
Re: False Positive since latest update? nc.exe = netcat for windows
« Reply #1 on: April 07, 2008, 11:28:33 AM »
hi 1st_Moon!

please try to upload and scan the file at
http://www.virustotal.com/
and post the results here...

so you can see if it's really a trojan horse or a false positive!

yours onlysomeone

Offline misak

  • Moderator
  • Sr. Member
  • *
  • Posts: 234
    • Personal page (CZE)
Re: False Positive since latest update? nc.exe = netcat for windows
« Reply #2 on: April 07, 2008, 12:38:39 PM »
It's detected by many other AV's... it could be abused as a part of malware, but this particular file is clean..

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33933
  • malware fighter
Re: False Positive since latest update? nc.exe = netcat for windows
« Reply #3 on: April 07, 2008, 05:34:07 PM »
Hi misak,
   
Tools
netcat (Windows)
by Hobbit
Platforms: Windows 95/98, Windows NT
Categories: Network, Utilities
Version:
URL: http://www.vulnwatch.org/netcat/
Windows NT/9x Netcat is the port of the simple Unix utility which reads and writes data across network connections, using TCP or UDP transport protocols.

Because it is a sort of Swiss multi-purpose network utility, it can be abused by hackers, especially when you have not installed it yourself. That is why a lot of scanners are flagging it as a risktool.
You may not be aware of the fact, but risktools, probing tools and pen testing tools or vulnerability testing tools are not tolerated anymore through new restrictive laws that were brought in, for instance, in Australia, in the German Bundesrepublik (see the following link: http://arstechnica.com/news.ars/post/20070814-german-anti-hacker-law-forcing-hacker-sites-to-relocate.html?rel ), and in the U.K., where the use of these tools can be prohibited by law, and that is why they will go underground. In some cases these tools can be used in special settings (you are the owner of the network), and for educational purposes only. The file is clean but the tool is becoming unwanted, a sign of the times (just like we experienced it for reverse-engineering).
If you are allowed to use a risktool, and you feel it is legit to use, you can add it to the avast exclusion list, but that is your decision...
For those interested in the possibilities of netcat a to z:
http://www.searchlores.org/aznetcat.htm

polonus
« Last Edit: April 07, 2008, 05:58:26 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33933
  • malware fighter
Re: False Positive since latest update? nc.exe = netcat for windows
« Reply #4 on: April 07, 2008, 09:01:19 PM »
Hi malware fighters,

How Symantec did the 180 degrees turn on this security assessment tool:
Symantec bites the hand that feeds..

Just over twelve years ago (95-09-15) *Hobbit* wrote a little tool called netcat (aka nc), swiftly dubbed the “TCP/IP Swiss Army knife”. *Hobbit* was affiliated with the l0pht, which was later purchased by @stake, which was later purchased by Symantec. At some point (circa 1998), Weld Pond ported the netcat utility to Windows. Weld was an original member of the l0pht and later the Director of Research and Development with @stake. Weld’s version was distributed at @stake for some time. Suffice it to say, the l0pht, @stake and its members/employees supported netcat’s use and distribution.

Jump forward to today, and Symantec now classifies netcat on a system as a High Risk Impact. As aj reznor asked, “is that to say that SYM bought a company known then for offering naughty things?” Let us also remember that Symantec owns SecurityFocus which conveniently offers the tool in their tool repository.

Also amusing are Symantec’s “technical details” for this “hacker tool”:

    Hacktool.NetCat arrives as a tool commonly carried by malicious components and dropped on the compromised computer for remote exploitation.

    When Hacktool.NetCat is executed, it performs the following actions:

    1. Transmits data across network connections.

Yes, there is no number two on the list. Hopefully Symantec will have the foresight to classify TCP/IP stacks as “Hacktool.TCPIP” and label it a “High Risk Impact” if found on a system.
I did not like to withhold this interesting background information to ye all about how security tools are slowly being criminalized today, "security through obscurity in optima forma" (for looking at an admin page through netcat see picture..)

polonus
« Last Edit: April 07, 2008, 09:03:28 PM by polonus »

1st_Moon

  • Guest
Re: False Positive since latest update? nc.exe = netcat for windows
« Reply #5 on: April 08, 2008, 07:44:55 AM »
Well, thanks for the info that the file is clean. Like I said, I was simply astonished to see that Avast suddenly considered it malware after having ignored it for so long despite my regular use. Speaking of Symantec: is anyone actually still buying their crappy products? I stopped when they took over 'Ghost' and I never looked back.