Rockbox Technical Forums

Rockbox General => Rockbox General Discussion => Topic started by: marthirial on October 01, 2010, 10:29:22 AM

Title: Virus in Rockbox Utility 1.2.8 Installer
Post by: marthirial on October 01, 2010, 10:29:22 AM
The following threat has been detected inside the Utility Installer: Hoax.Win32.ArchSMS.iyq

The archive is located at http://download.rockbox.org/rbutil/win32/rockboxutility-v1.2.8.zip

More information about the threat here:
http://www.threatexpert.com/report.aspx?md5=288390c98f3394b6fd144acf249b0233
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: saratoga on October 01, 2010, 10:33:48 AM
That report dates back to a file from before the current rbutil was released, so it's probably just crappy antivirus software getting confused.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: marthirial on October 01, 2010, 10:35:18 AM
The crappy antivirus in question is Kaspersky Internet Security 2011 AND Microsoft Security Essentials.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: Chronon on October 01, 2010, 10:43:42 AM
What is your point?  They are both susceptible to either missing actual threats or misidentifying benign files as false positives.  You can inspect the source code for yourself, so please point out the virus in the code.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: marthirial on October 01, 2010, 10:53:35 AM
My point is that as a community-driven application, it is my part to inform about things that could be looked at by the developers; in this case, even if it is a false positive, why is there a false positive in an installation package?

Calling an antivirus crappy for doing its job as a solution to a somewhat serious issue only diminishes even more the confidence that this website or the software is not compromised, as it shows an attitude of inflexibility.

I wish I had the time or the knowledge to dissect and analyze the files but I don't, so I guess I just need to apologize for bringing this to attention.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: torne on October 01, 2010, 11:22:00 AM
Antivirus software *is* crappy. The job it does is a crappy job that cannot be done well and is best not done at all. So, yes, most developers are likely to be dismissive of AV false positives.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: gevaerts on October 01, 2010, 11:25:58 AM
My point is that as a community-driven application, it is my part to inform about things that could be looked at by the developers; in this case, even if it is a false positive, why is there a false positive in an installation package?

Have you reported this to the people who are actually responsible for this issue, i.e. Kaspersky and Microsoft?
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: saratoga on October 01, 2010, 11:33:38 AM
I like the description of the "threat":

"Downloads/requests other files from Internet."

Yes, I would think the tool for downloading rockbox from the internet probably does at some point download a file from the internet! 

Probably just some lazy AV vendors flagging a generic bit of code for downloading files as "virus like" without bothering to check if that bit of code is used in more than just malware.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: marthirial on October 01, 2010, 12:13:00 PM
Well well... seems like the file has been or was pulled from download.

That's more constructive than talking platitudes about the reliability of antivirus software.

VirusTotal is reporting 3/47 results:

http://www.virustotal.com/file-scan/report.html?id=2f55445e74027eadc75152ad2286dc9ee0d4f1bd0b2395993857436eb3405272-1285949421
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: Llorean on October 01, 2010, 12:19:01 PM
http://download.rockbox.org/rbutil/win32/RockboxUtility-v1.2.8.zip seems to still be there.

Basically it looks like there's something about this file that makes it "suspicious" without actually having anything wrong with it.

"Programs classified as Hoax do not directly inflict any damage on the victim computer. They do send messages saying that damage has been done or will be done, or warn the user of a threat that does not actually exist. These “bad jokes” include programs that frighten users with messages about reformatting their disk (although no formatting is actually taking place), and display messages typical of viruses, etc. depending on the program author’s “sense of humor”."
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: saratoga on October 01, 2010, 12:58:31 PM
Well well... seems like the file has been or was pulled from download.

That's more constructive than talking platitudes about the reliability of antivirus software.

I don't understand why you're trying to defend this crap.  No one takes these automated heuristics seriously because they're not useful.  They're marketing crap designed to give gullible and uninformed people a sense of false security so they look at a few extra ads or cough up couple bucks for a subscription.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: torne on October 01, 2010, 01:04:53 PM
Well well... seems like the file has been or was pulled from download.
It hasn't been pulled, the link you put in your post just has the R and U of RockboxUtility in lower case, which is wrong.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: marthirial on October 01, 2010, 01:12:16 PM
It's just that I thought this was a serious Open Source software development team OPEN (!) to discussion about how to improve accessibility and satisfaction for the software.

Instead it turned into an AV bashing circlejerk distracting from the initial point: Is it 100% safe to download and install RB Utility 1.2.8 with the developers' knowledge that this false positive could occur?

Most software that may behave similarly to a virus because of the resources it will access has a warning and disclaimer on the download page.  That may also be helpful in this case.

Is there a mature developer in this forum who can post an official statement a bit more reassuring than "I don't understand why you're trying to defend this crap." ?
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: saratoga on October 01, 2010, 01:15:20 PM
It's just that I thought this was a serious Open Source software development team OPEN (!) to discussion about how to improve accessibility and satisfaction for the software.

It is, we're just interested in things a little more serious than this.

Is it 100% safe to download and install RB Utility 1.2.8 with the developers' knowledge that this false positive could occur?

Yes of course.  We all know that false positives occur and we still put up the link.  We wouldn't give you a download link if we thought there was a risk.

Most software that may behave similarly to a virus because of the resources it will access has a warning and disclaimer on the download page.  That may also be helpful in this case.

"Warning:  if you use bad virus software, you should get better software before using this site"

Not sure that's really helpful.  :)

Is there a mature developer in this forum who can post an official statement a bit more reassuring than "I don't understand why you're trying to defend this crap." ?

Here's one:  stop being such a noob.  These things happen with every program on earth, no need to get so upset about them.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: Llorean on October 01, 2010, 01:19:25 PM
You could attempt to show some maturity yourself. Posting on Reddit about how a virus was found in Rockbox's installer (when there is no solid evidence one actually is there right now) isn't the behaviour of someone who's just interested in a discussion of how to improve accessibility.

Have you gone to the antivirus software authors and told them about the false positive? Are you proactively trying to solve this, or just attempting to complain about a non-issue?

Basically, false positives happen. Our software doesn't behave similarly to a virus (in the sense that it is in no way self replicating, does not attempt to hide its activity from the system, etc, etc) but does do some fundamentally low level things to certain players (that we make no secret of). What warning should we offer? We can't consistently predict when a virus scanner will get it wrong. Any behaviour could set it off.

The virus that has been detected is in the category "hoax" which is specifically non-harmful viruses which means it's not likely even any of our abnormal activity that triggered the warning, but rather some of our normal activity that shares a similar behaviour to some virus. It could be as simple as how we choose to download the builds from the master build server (plenty of malware downloads further things). The link to the virus description you posted on Reddit specifically says that all this type of program does is try to convince you to send SMS messages after claiming to be encrypted and requiring an unlock. Did you take the time to verify whether RBUtil does this before reporting on it, or blindly trust a virus scanner that says nothing more than it's "suspicious"?
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: marthirial on October 01, 2010, 01:25:24 PM
Am I to assume that saratoga speaks for the whole RockBox development team and therefore it is an official stand of RockBox to insult users instead of offering any explanation whatsoever?

We have posted 13 times in this thread and not once an "expert" or "developer" has posted any explanation whatsoever.

This is my last post.  I posted thinking this would help "noobs" that come excited to get this otherwise nice software but instead I got sidetracked by bashing and childish insults.

And it is not like this software is for MRI machines that will save lives, relax dudes.

Llorean:  Yes, posted to Reddit and guess what, they had better answers than the actual developers here. 

My issue, one more time, is not whether false positives happen or whether AVs are reliable.  I was just looking for an adult who could explain, simply, why an exe file is giving a false positive.

Something like this, you know: 

"Rockbox accesses resources in your computer in ways that are similar to the behavior of malware.  We are committed to the security and quality of our product and can assure you that no malicious programs are included in the installation package."  -  Att. RockBox developer.

See.  It even sounds official and serious and helps bring credibility to the software.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: AlexP on October 01, 2010, 01:29:57 PM
Am I to assume that saratoga speaks for the whole RockBox development team and therefore it is an official stand of RockBox to insult users instead of offering any explanation whatsoever?

No, for himself only, as are the views of everyone else.  I personally very much dislike the tone in this thread, and am sorry for that.

There isn't much of an explanation to give - Rockbox Utility downloads files and does some low level fiddling of hardware, but without access to the source code of the anti-virus software, we just don't know why they come up with this false positive.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: soap on October 01, 2010, 01:31:25 PM
Am I to assume that saratoga speaks for the whole RockBox development team and therefore it is an official stand of RockBox to insult users instead of offering any explanation whatsoever?

saratoga speaks for saratoga.  

We're an anarcho-syndicalist commune.  We take it in turns to act as a sort of executive officer for the week.  But all the decisions of that officer have to be ratified at a special biweekly meeting.  By a simple majority in the case of purely internal affairs, but by a two-thirds majority in the case of more...

EDIT:

But seriously.
Rockbox is a loose collective of people who have been entrusted "not to fuck up the code".
There is no leader, there is no spokesperson, there is no target market.

Just a bunch of people who enjoy working on a software project and give access, gratis, to their work.

Expecting some sort of "official" response from a non-corporate OSS project is missing the point.

Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: Llorean on October 01, 2010, 01:35:05 PM
How is someone supposed to tell you why it's a false positive? We didn't write the anti-virus software. We don't have access to which of their various heuristics this set off.

It could be the code to fiddle with the MBR on iPods.

It could be the mere fact that it downloads updated builds.

It could even just be the content of one string happening to match exactly the content of a similar string in a virus.

There's a million things it could be. "It's a false positive" is all the answer one *can* give you without simply making things up or lying about it. Would you rather a truthful answer, or a more reassuring falsehood or guess?
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: saratoga on October 01, 2010, 01:56:31 PM
We have posted 13 times in this thread and not once an "expert" or "developer" has posted any explanation whatsoever.

First reply to the thread:

Quote
That report dates back to a file from before the current rbutil was released, so it's probably just crappy antivirus software getting confused.

Reviewing the replies, this was repeated to you several more times, so I think it's unfair to say no one tried to help you understand.  I certainly did.  You just didn't like the answer so you ignored it.

Something like this, you know: 

"Rockbox accesses resources in your computer in ways that are similar to the behavior of malware.  We are committed to the security and quality of our product and can assure you that no malicious programs are included in the installation package."  -  Att. RockBox developer.

Hey, I did just that!

Quote
I like the description of the "threat":

"Downloads/requests other files from Internet."

Yes, I would think the tool for downloading rockbox from the internet probably does at some point download a file from the internet

Probably just some lazy AV vendors flagging a generic bit of code for downloading files as "virus like" without bothering to check if that bit of code is used in more than just malware.

That's exactly what you just said you wanted to hear.  Did you not read those posts?  It really seems to me that you're faulting a lot of the wrong people here.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: gbl08ma on October 01, 2010, 03:02:10 PM
Sorry, but for me it seems this whole discussion started at the point somebody (who relies too much on antivirus) got an antivirus warning saying that the Rockbox Utility file was a virus. Then that somebody got way too much alarmed and posted on Rockbox forums.

After that, the Rockbox community answers, trying to explain that false positives occur - and yes, they don't show a good image to the newcomer, especially if you have one of those antiviruses that delete the infected (or not so infected) file instantaneously once it is created.

As that somebody continues alarmed because of some antivirus warning, s/he keeps posting complaining there's no "official answer", which I think is what s/he wants. Hey, like soap said, on non-corporate OSS projects there's no "official", there's a community that, ideally, acts like a family or a group of friends and works together to meet an objective.

In fact, I have already downloaded a lot of OSS software from well known sites and publishers, and also some from not-so-well-known publishers, and many antivirus programs classify them as being malware. I'm also a software developer, and once I added an automated updater to my software (that doesn't download anything without the user's prior acknowledgement and agreement), some antivirus software classified it as dangerous because it "downloaded files" (exactly what's happening with RB Util). Did I stop using that software (including mine) just because some antivirus said it is or contains a virus? No. At most, when I don't trust the software in question, I do a bit of work and look in the source code for dangerous operations - most of the time, I found that the point is in automated updaters and things like that. So, RB Utility is not immune to being classified as a virus.

Let's stop with this whole discussion - in fact now I think I have written too much. No one is obligated to use Rockbox, much less Rockbox Utility; in fact it voids your warranty in many (if not all) targets. The somebody that created the thread would have reasons to complain if s/he had paid for Rockbox or Rockbox Utility, but as an OSS project, you only use it if you want, and if you don't like it that way, you can change it.

"Somebody" is used in this post to demonstrate that cases like this can happen to anyone, and not to take away the honor of marthirial. In fact, what I described may not have happened to him/her, but it's a situation that actually can happen.

This is just my point of view! And no, you're not obligated to read this or agree with me.
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: bluebrother on October 01, 2010, 06:36:33 PM
Llorean:  Yes, posted to Reddit and guess what, they had better answers than the actual developers here. 

What answer do you expect? Someone saying "it's a false positive"? People did that, plus why they can't say exactly why it's a false positive. This still doesn't change the problem that you need to trust someone posting in these forums -- or trust your virus software. You are the one to decide who you want to trust.

Edit: I've just checked the result of the scan that was posted on Reddit. It shows 3 scanners out of 43 considering the file malicious, so 40 scanners think it's ok. Do you trust 40 scanners saying the same or 3 scanners saying something else (but not exactly the same)? I'm more likely to go with the majority ...
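Two checks the thread keeps circling back to are whether an AV report is even about the file you downloaded (saratoga's first reply: the ThreatExpert report is for an older file) and how to read a tally like bluebrother's 3 of 43. The Python below is an added example written for this page, not code from the Rockbox project: it pulls the sample hashes and scan timestamp out of the two report URLs quoted above, compares them with the digests of the bytes actually in hand, and summarises a set of engine verdicts. The archive bytes and the engine names are constructed placeholders, and the "few engines, no agreement on a name" rule of thumb is this example's own heuristic, not something any vendor publishes.

```python
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Report URLs quoted in the thread, copied as-is.
THREATEXPERT_URL = ("http://www.threatexpert.com/report.aspx"
                    "?md5=288390c98f3394b6fd144acf249b0233")
VIRUSTOTAL_URL = ("http://www.virustotal.com/file-scan/report.html"
                  "?id=2f55445e74027eadc75152ad2286dc9ee0d4f1bd0b2395993857436eb3405272-1285949421")

# Constructed stand-in for the downloaded zip; a real check reads the file.
SAMPLE_ARCHIVE = b"PK\x03\x04constructed placeholder, not RockboxUtility-v1.2.8.zip"


def report_identifiers(urls):
    """Extract sample hashes and scan timestamps from AV report URLs.

    Returns {"md5": set, "sha256": set, "scanned": set of UTC datetimes}.
    VirusTotal report ids of that era were "<sha256>-<unix timestamp>";
    ThreatExpert keyed its reports by md5.
    """
    found = {"md5": set(), "sha256": set(), "scanned": set()}
    for url in urls:
        for values in parse_qs(urlparse(url).query).values():
            for value in values:
                digest, _, stamp = value.lower().partition("-")
                if re.fullmatch(r"[0-9a-f]{32}", digest):
                    found["md5"].add(digest)
                elif re.fullmatch(r"[0-9a-f]{64}", digest):
                    found["sha256"].add(digest)
                if stamp.isdigit():
                    found["scanned"].add(
                        datetime.fromtimestamp(int(stamp), tz=timezone.utc))
    return found


def file_digests(data):
    """MD5 and SHA-256 of the bytes you actually downloaded."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def report_applies(data, urls):
    """True only if a report identifier matches the file in hand.

    A mismatch means the report describes some other file (an older
    build, a repacked copy, an unrelated sample) and says nothing
    about the archive you have.
    """
    want = report_identifiers(urls)
    have = file_digests(data)
    return any(have[alg] in want[alg] for alg in ("md5", "sha256"))


def summarise_verdicts(verdicts, heuristic_ratio=0.1):
    """Summarise an engine tally like VirusTotal's "3/43".

    verdicts: {engine_name: detection_name or None}.
    Rule of thumb (this example's own, not a vendor rule): a small
    minority of engines that cannot agree on a family name looks like
    generic heuristics firing rather than a known sample.
    """
    hits = {eng: name for eng, name in verdicts.items() if name}
    total = len(verdicts)
    ratio = len(hits) / total if total else 0.0
    names = set(hits.values())
    likely_fp = ratio <= heuristic_ratio and len(names) == len(hits)
    return {"detections": len(hits), "engines": total, "ratio": ratio,
            "distinct_names": len(names), "likely_false_positive": likely_fp}


# Constructed verdicts shaped like the thread's 3-of-43 result; engine
# names here are placeholders, not actual VirusTotal output.
SAMPLE_VERDICTS = {f"engine{i:02d}": None for i in range(40)}
SAMPLE_VERDICTS.update({"engineA": "Hoax.Win32.ArchSMS.iyq",
                        "engineB": "Suspicious.Downloader",
                        "engineC": "Heur.Generic"})

if __name__ == "__main__":
    ids = report_identifiers([THREATEXPERT_URL, VIRUSTOTAL_URL])
    print("report hashes:", ids["md5"], ids["sha256"])
    print("scan times:", sorted(ids["scanned"]))
    print("report applies to this file:",
          report_applies(SAMPLE_ARCHIVE, [THREATEXPERT_URL, VIRUSTOTAL_URL]))
    print(summarise_verdicts(SAMPLE_VERDICTS))
```

Run it against the real zip by replacing SAMPLE_ARCHIVE with the file's bytes: if report_applies comes back False, the ThreatExpert writeup is about a different file and the only thing worth arguing about is the live VirusTotal result for the hash you actually hold.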
Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: M_Koga on October 09, 2010, 02:01:24 AM
PMJI (duck, cringe, etc.)

Not having a dog in the fight, trying to be a bit of a peacemaker, hoping for the best, and so on...

A long time ago, when the net was a far safer, friendlier place, I got infected -- the ONLY time I ever got infected -- by a COMMERCIAL PRODUCT by a top-tier company that shall remain nameless.  I don't remember if I was acting in the role of beta tester, or software review writer (this was a long time ago, I have forgotten more than I ever knew).

Fortunately, it was a relatively benign infection (a Word macro virus that shat upon every doc it could find, causing me lots of fun doing manual cleanup).  I notified the vendor who turned eleven shades of purple, thanked me profusely for informing them, and proceeded to do the same on their in-house machines.

Some time earlier, I did NOT get infected, because the "disease" I was sold was incapable of doing any damage to me, having "destroyed its host" before landing in my hand.  It was an updated motherboard BIOS (manufacturer shall remain nameless).  This was during the 286 era, when BIOSes were purchased as either masked ROMs, PROMs, or EPROMs (this was long before we were able to flash our own firmware -- we had to physically replace a pair of ROM chips).

When I installed the chip pair I'd purchased from the mobo mfgr, my machine would not boot.  After much "fun" I ended up writing a program that parsed both chips (original BIOS reinstalled, and suspect chips read in my PROM blaster), interleaved the hi/lo byte pairs, and extracted "likely ASCII" so that I could see what the hell was going on (suspicious sort that I was).

I stopped my investigation when I encountered a string that said something like "DISK KILLER TROJAN".

I then packed it in, and informed the mobo manufacturer, who proceeded to shit a pile of giant economy sized bricks, and tell me how bloody grateful they were to me for discovering that their machines were infected (the LIVE virus in their systems had corrupted the BIOS files before they burned them).

Of course, their talk of SHOWING me how grateful they were (there was some hinting about sending me a hot new mobo) amounted to naught. They had what they wanted, and I had to be satisfied with replacement chips (or maybe they only sent me the files so that I could burn my own, I don't remember, t'was a long time ago).

My point is that this sort of thing happened on occasion in a much more innocent age.  Nowadays, the image I see when I think of the Internet is like that scene from Pfeiffer's "Little Murders" where the guy opens the steel cover protecting the window in the highrise apartment, and INSTANTLY bullets start flying in, until he shuts the steel cover again.

This brand of ever-present abuse causes a lot of jangled nerves. People are jumpy, and predisposed to freaking out.  (This is why so many TRULY fraudulent "antivirus" crapwares are sold, many of which are nothing more than vectors OF infection themselves, with the less-noxious of them being "merely" garbageware that serves only to collect payment for the BELIEF of protection being provided.)

It's a nasty, often brutal world, and getting worse by the moment.

To put this ALL into perspective, I have found Rockbox to be one of the MOST solid, stable, robust, well-designed pieces of software I have ever used.  I am amazed at how fantastic it is, and I only use a small fraction of its capability.

Code like this can ONLY be produced by people that TRULY CARE about what they are doing.  And, if there is ANY software I'd trust, Rockbox would be way at the top of that list.

Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: R3n4 on January 23, 2011, 11:40:37 PM
I had a similar experience when my anti-virus also detected this threat. I just immediately submitted this issue to my anti-virus lab. They found out that the virus is a false positive. There's no need to worry about this issue because there is no virus in the installer.

Title: Re: Virus in Rockbox Utility 1.2.8 Installer
Post by: wolftail on January 24, 2011, 10:24:44 AM
I have just scanned the file in Microsoft Security Essentials (with up to date definitions) and it found nothing. Also virustotal.com gives a 2.43% chance of being infected (only one out of 43 AVs, nProtect, detects anything). So I would definitely call it a false positive.

http://www.virustotal.com/file-scan/report.html?id=c384f29391e169aee74920b18279914c8aa67b2e0fb039f472a9b1c5390d8cbc-1295882127