From: Lars Uffmann on
David H. Lipman wrote:
> However... Whenever you are suspicious of a file or it may be malicious *always*
> obfuscate the URL so it is NOT clickable such as I have done in my reply in case the URL
> is malicious.

My bad - didn't think of this in a newsgroup that is all about viruses
and in a posting stating I have a positive detection... But I see the point.

> I like AntiVir's declaration on this one.
> AntiVir 8.2.4.26 2010.07.28 JOKE/Deathwish
> Defining it in the class of Jokes and not malware.

It is strange that they would declare it as JOKE and still classify it
as something that should be detected by an antivirus software...


Cheers,

Lars
From: Lars Uffmann on
VanguardLH wrote:
> Submit the file(s) to virustotal.com to see if other AV programs also
> report the malware.

That's a case for my Linux box I guess - as the Windows system here will
refuse to open the link as long as VirusScan is up :)

Otoh we already kinda know it's a false positive thanks to Ant, and
David also found it reported by AntiVir...

Edit: Virustotal reports a lot of false positives... Since the file has
been around for a loooong time, I kinda wonder if Operating Systems are
kind of flawed by design and if it's time for a different design
concept. I mean: If there's so many viruses that pose a threat, that you
cannot sensibly protect people against most of them without reporting
false positives, then something is wrong with operating systems :)

Maybe create the next generation OS of each type in a way that all
executables run in a sandbox with restrictive settings by default, that
only permits read access to input devices and write access to graphics
and sound output, as well as file creation rights in a sandbox folder
(or the program folder) and read rights to application-owned files...

Then implement an OS-specific file browser that handles read/write rights
(i.e. "open file" or "save as" not only forms an easy method of browsing
to a path location and submitting that, but also checks the user's access
rights for the selected file/folder, and temporarily passes those on to
the application that called the OS-owned file browser).

E.g.: You work with Open Office's writer: you want to open a file, do so
via menu (or by opening the file directly in a system file browser), and
by using the system file browser to open it, this will pass your user
rights on the file to the OO writer, which in itself would otherwise not
have read/write rights to that file. This would of course imply that a
"history" of opened files in the file menu of untrusted applications
would not work.

That would cover most programs I can think of, and any other access
settings could be handled by global (default) and per-application
settings (network access, file access to certain folders, other devices
access).

What does everyone think? :)
Has something similar been done (I didn't name any OS on purpose, as I
am aware that Linux also has its shortcomings)?

Best Regards,

Lars
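A toy model of the design sketched in the post above, added here as an illustration and not code from the thread or from any real OS: an application confined to a sandbox folder, and an OS-owned file chooser that checks the user's own rights and hands the application an already-open handle. The class names and the temporary-directory scenario are constructed for the example; the last step shows the caveat that a "recent files" path alone does not get the application back into the file.

```python
import os
import tempfile
from pathlib import Path

class SandboxedApp:
    """An app confined to its sandbox folder (toy policy, not a real OS)."""
    def __init__(self, name, sandbox_dir):
        self.name = name
        self.sandbox_dir = Path(sandbox_dir).resolve()
        self.history = []  # "recently opened" entries, as in a File menu

    def open_direct(self, path, mode="r"):
        # The app's own open(): permitted only inside the sandbox folder.
        p = Path(path).resolve()
        if self.sandbox_dir not in p.parents:
            raise PermissionError(f"{self.name}: {p} is outside the sandbox")
        return open(p, mode)

class SystemFileBrowser:
    """OS-owned 'Open file' dialog: checks the user's rights, not the app's."""
    @staticmethod
    def choose(app, path, mode="r"):
        p = Path(path).resolve()
        if not os.access(p, os.W_OK if "w" in mode else os.R_OK):
            raise PermissionError(f"user lacks access to {p}")
        app.history.append(str(p))  # the app only learns a name ...
        return open(p, mode)        # ... and receives the already-open handle

def attempt(open_call):
    try:
        open_call().close()
        return "allowed"
    except PermissionError:
        return "denied"

def demo():
    """Constructed scenario: a document outside the sandbox, opened both ways."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        (root / "sandbox").mkdir()
        doc = root / "home" / "letter.odt"
        doc.parent.mkdir()
        doc.write_text("Dear reader")
        writer = SandboxedApp("writer", root / "sandbox")
        out = {"direct": attempt(lambda: writer.open_direct(doc))}
        with SystemFileBrowser.choose(writer, doc) as handle:
            out["via_browser"] = handle.read()
        # The post's caveat: a "recent files" entry is only a path, so reopening it
        out["history"] = attempt(lambda: writer.open_direct(writer.history[-1]))
        return out
```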
From: David H. Lipman on
From: "Lars Uffmann" <aral(a)nurfuerspam.de>

| David H. Lipman wrote:
>> However... Whenever you are suspicious of a file or it may be malicious *always*
>> obfuscate the URL so it is NOT clickable such as I have done in my reply in case the
>> URL
>> is malicious.

| My bad - didn't think of this in a newsgroup that is all about viruses
| and in a posting stating I have a positive detection... But I see the point.

>> I like AntiVir's declaration on this one.
>> AntiVir 8.2.4.26 2010.07.28 JOKE/Deathwish
>> Defining it in the class of Jokes and not malware.

| It is strange that they would declare it as JOKE and still classify it
| as something that should be detected by an antivirus software...


In the actual Avira AntiVir application, you have to enable "Joke" files for this to be
detected.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: VanguardLH on
Lars Uffmann wrote:

> VanguardLH wrote:
>
>> Submit the file(s) to virustotal.com to see if other AV programs also
>> report the malware.
>
> That's a case for my Linux box I guess - as the Windows system here will
> refuse to open the link as long as VirusScan is up :)
>
> Otoh we already kinda know it's a false positive thanks to Ant, and
> David also found it reported by AntiVir...

Why was it a "false" positive if you find another highly regarded AV
program also alerting on the same suspect file? virustotal shows the
file was already submitted so I looked at the last report which showed
SEVERAL anti-malware products alerted on this file. I requested a
reanalyze and again SEVERAL anti-malware products alerted on this file.

I see nothing in Ant's or David's response that proves this file is not
infected or malware. Running through a debugger means looking at the
code as it currently chooses to execute. If the malware is currently
quiescent (i.e., it is dormant), the code won't proceed into the block
containing the malware. It may get triggered by some event later. Ant
did not claim to analyze all the code (unless that is what was meant by
"file structure") but just traced its execution using a debugger as it
happened to run that time on his host.

With several anti-virus programs alerting on this file, it could still
be a false positive but not likely 19 days after the malware's signature
was added to several AV programs and when more than one AV program
issues an alert.

What's so special about this 3rd party executable that you MUST have it?
It's possible the file is benign but with so many AV programs saying
otherwise then perhaps you should reevaluate if you really need this file
or should get any more of them from that source.

> Edit: Virustotal reports a lot of false positives... Since the file has
> been around for a loooong time,

You said you JUST downloaded the file. I don't know what are
"messagemates" coming from a site titled screenmates. Since you are
downloading the file, how old it is (the one you presume that you are
downloading) is irrelevant. It could've been infected right before you
downloaded it or a second after the prior time you downloaded it. The
datestamp is irrelevant because, one, you are downloading the file and
will get a new timestamp and, two, the timestamp can be altered using
the touch or other similar command to alter that file attribute.

> If there's so many viruses that pose a threat, that you cannot
> sensibly protect people against most of them without reporting false
> positives, then something is wrong with operating systems :)

There is no problem with embedded, single-purpose, or closed operating
systems. You are using one of those. You are using a general-purpose
OS that is designed to be modified, adapted, or extended.

> Maybe create the next generation OS of each type in a way that all
> executables run in a sandbox with restrictive settings by default, that
> only permits read access to input devices and write access to graphics
> and sound output, as well as file creation rights in a sandbox folder
> (or the program folder) and read rights to application-owned files...

Sandboxes aren't perfect. Malware can detect they are running under a
virtualized environment and remain quiescent so the user and
anti-malware programs don't detect through heuristics their malicious
behavior. The user then moves the malware to their non-sandboxed
environment and then the malware engages. Sandboxes are just more
software and it is still possible to leak outside of a sandbox.

http://taviso.decsystem.org/virtsec.pdf
http://www.seclab.tuwien.ac.at/papers/detection.pdf

A little old but still applicable. I also watched a recorded seminar
where the speaker showed many principles possible (by malware) to detect
if running in a virtualized environment and also how to leak out of it.
(It was a webcast but several months later when I wanted to see it again
I couldn't find it again.)

The locks on your house doors and perhaps a siren alarm (and maybe even
connected to a security service) are probably all you use to protect your
home because it is sufficient security without getting excessively in
your way. Do you want to get out of your car or reach out an opened
window for a handprint reader at an electrified gate to enter your
premises, review or pay someone to monitor cameras all over your yard
and inside your house, turn off ground vibration and pressure sensors
and have guards run outside when you need to let the kids or dog out
into the yard, use a keypad to get from the garage into your house,
remember to use another keypad and retinal scanner once inside the house
to keep the alarms from going off, remember to reactivate the alarms and
be sure to run back to your bedroom before the timer expires for the
laser beams, infrared sensors, temperature change sensors, vibration
sensors, and motion sensors, replace all windows with bullet-proof glass
along with lining the walls with metal sheets to prevent assassination,
and so on just to go home? Well, all that is possible but it's not
reasonable or feasible for most of us.

You get a level of security with which you are comfortable and will
tolerate. Security should, at best, be transparent and not interfere
with your host. Since security and ease-of-use are the antithesis of
each other, you have to sacrifice one to have the other.

I do use anti-virus, HIPS, Returnil, daily image backups, VMs, LUA
tokens on Internet-facing apps, and some other methods for securing my
host. Most of that runs in the background without interfering with my
use of my computer. My purpose in using my host isn't to spend lots of
time on securing it and then having to maintain that security. My
purpose is to *use* my computer.

If the security gets in the way of me using my host then it gets
discarded. There is always the performance impact on a host when adding
security but that I'm willing to tolerate but only if the impact to
responsiveness is just noticeable. A general-purpose computer is
vulnerable. Sorry, but I don't want a fixed OS, like what might be in
my washing machine or TV, for use with most apps and games.

I don't really want to get into a lengthy discussion of how to prevent
malware but so securing a general-purpose OS that it becomes a burden or
near impossible for use by its owner. I just wanted to express my
opinion this one time. My original intent was only to address your
concern about the suspect file and that it appears more than one
anti-virus program is alerting on it and to ponder why you really think
you need this file which looks to be non-critical and perhaps not even
really that important.
From: VanguardLH on
Lars Uffmann wrote:

> It is strange that they would declare it as JOKE and still classify it
> as something that should be detected by an antivirus software...

"Joke" malware can be spyware. In most cases, joke malware doesn't
enact malicious behavior but creates a severe nuisance to the user. A
joke malware that emulates a blue screen of death (BSOD) crash of the
host will scare the user and waste their time trying to determine why
their host crashed when it really didn't. Having your mouse cursor go
berserk can make your host unusable or just a damnable situation to do
anything useful. It may interrupt and prevent you from doing further
work on your host unless, say, you solve some puzzle. It could keep the
CPU very busy, like when you login, to take longer before you can start
using your host. It might phone-home to update a list of MOTDs (message
of the days) to spew out a randomly selected and randomly generated joke
window on your screen which becomes the foreground window and interferes
with whatever you were doing at the time.

Joke malware is to annoy you. It doesn't do [much] damage to your OS,
apps, or files and it usually isn't hard to terminate. Unless you enjoy
nuisances that waste your time instead of using your computer for the
tasks you intend, joke malware is still something to get rid of. If
someone snuck up to your house to somehow adapt your telephone wiring so
your phone rang every time anyone's phone rang in a mile radius from your
home (and I'm not talking about a party line but just making your phone
ring), you don't think that is malicious behavior? It doesn't stop you
from receiving real phone calls made to you or you dialing out although
having to wade through all the incoming calls to see which ones actually
have a connection with someone calling you or trying to catch a lull
between rings to dial out would impact your use of your phone service.
Joke malware instigates nuisancesome behavior that you don't want.