Thread: INFECTED FILE: LordPE download on the Collaborative RCE Tool library

  1. #1
    e-t172

    The previous version of the LordPE page on the Collaborative RCE Tool Library was actually infected by a virus (a trojan horse).

    See http://www.virustotal.com/analisis/354aa2ad5d67f8ce77497ccca2207be8f1bdc368bbe8bbed9689576951be1706-1277599879

    This is NOT a false positive: when I launched the executable the virus duplicated itself in several system directories and added itself to the Windows scheduled tasks to be launched each day at 14:00. I noticed something was wrong as the performance of my computer dropped to a nearly unusable state when the scheduled task started, starting tens of executable files doing God knows what.

    What makes this extremely dangerous is that this page is linked from Wikipedia, which means a lot of potential victims could get infected. (see http://en.wikipedia.org/w/index.php?title=Portable_Executable&oldid=369380938#Import_Table )

    Consequently, I modified the Collaborative RCE Tool Library page and replaced the infected archive with a ZIP file containing nothing but a README file explaining everything, so as to avoid anyone else's computer getting hurt.

    If you own a clean copy of LordPE, by all means upload it to replace this dummy archive.

  2. #2
    Man, I really had to calm down a bit before replying to your post.
    And now in this calmed down mood let me ask you one thing: Are you crazy?
    You just signed up to a board where a great deal of the members are avid reversers and really skilled in reversing malware - and the first thing you did was delete a file from the CRTL, obviously without contacting someone before. All that because 6 (SIX!) out of 41 crappy AV-engines found some GENERIC malware? I've been using EXACTLY the same file for ages and believe me all is well with it!
    I will upload it again now and don't you dare delete it again.
    There is NOTHING wrong with it.

  3. #3
    lol....

    this guy is great, but still the very best was this one:
    http://www.woodmann.com/forum/showthread.php?9287-Alright-what-is-DbgBreakPoint%28%29/page2

    :P
    Last edited by Maximus; June 28th, 2010 at 16:16.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  4. #4
    e-t172
    I think you're right. I downloaded the old package again (still had the old URL buried with a wget command in my shell history) and even though AVG indeed finds something, after executing it and monitoring everything using Process Monitor, I didn't find anything out of the ordinary, and nothing was added to my scheduled tasks.

    After some digging through the Windows logs I found out that the scheduled tasks had been added some time around 2010-06-20 16:00. I don't know how they got there or how I missed them all this time. Bottom line is, it didn't come from the LordPE download.

    Considering that I found out about these mysterious scheduled tasks about one hour after downloading LordPE, that LordPE was the only executable I downloaded today, and that some AVs considered the file infected, I jumped to conclusions a little too quickly and falsely accused your download package.

    Please accept my sincere apologies for the trouble that I caused. Next time I'll run the suspicious file in a "sandbox" virtual machine and see what happens before making false accusations.

  5. #5
    Kayaker
    I see you already posted a retraction e-t172, so all is OK, but I'll go ahead and post what I already wrote anyway..

    We certainly appreciate any report of infected files in the CRCETL. However in this case, I would definitely look elsewhere for the real source of your infection.

    The original LordPE-DLX package was the one put there by dELTA when the CRCETL was first created. It was version 1.41 (a microupdate known as Deluxe b that included a second lordpe.exe file - not the one you sent to virustotal) and hasn't been modified since.

    http://www.woodmann.com/collaborative/tools/images/Bin_LordPE_2007-10-21_1.48_LordPE_1.41_Deluxe_b.zip

    I did a byte check of the file in question with my old lordpe.exe obtained from the original y0da site (v 1.41 but not the "b" compile). The only difference was the SizeOfImage field (36000 vs 35E50 in the "b" compile).

    Darkelf, thanks for uploading the file again. However I think your version is the same old one as mine, and not the "b" version we had there originally. So I think we'll confer and maybe revert back to the last "b" version y0da had created. Appreciate the fixup though.

    If anyone feels more comfortable with the older version Darkelf uploaded, here it is:

    http://www.woodmann.com/collaborative/tools/images/Bin_LordPE_2010-6-28_22.0_LordPE_1.41_Deluxe.zip
    For the record, all additions and updates to the CRCETL go through a moderation queue where one of 4 or so of us confirm the entry. We don't necessarily do a virus scan on every file (though I have several times before OK'ing a new file), but we do assess the entry and its source. The majority of new or updated entries are from known and trusted members and we very much appreciate all additions.

    We "see" who does what and everyone who contributes (the essence of the "collaborative" part of the Collaborative Libraries) gets at least mental brownie points from the moderators. Thank you and you know who'ze you are

    Again e-t172, thanks for the concern, but I'd seriously look closer for the source of your problem. You're welcome to point out where the virus code is in that LordPE package.

    Kayaker
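    Kayaker's byte check above found that the two LordPE 1.41 builds differ only in the SizeOfImage field. As an added illustration (not code from this thread or from LordPE), the Python below parses the PE32 optional header of two images and names every field that differs; the header-only images it builds are constructed samples carrying the two values from the post, and it assumes 32-bit PE32 files rather than PE32+.

```python
import struct

# PE32 optional header: the 96 bytes before the data directories, in file order.
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
OPT_NAMES = [
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
    "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
    "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
    "MajorOperatingSystemVersion", "MinorOperatingSystemVersion", "MajorImageVersion",
    "MinorImageVersion", "MajorSubsystemVersion", "MinorSubsystemVersion",
    "Win32VersionValue", "SizeOfImage", "SizeOfHeaders", "CheckSum", "Subsystem",
    "DllCharacteristics", "SizeOfStackReserve", "SizeOfStackCommit",
    "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags", "NumberOfRvaAndSizes",
]

def optional_header(image: bytes) -> dict:
    """Parse the PE32 optional header of an in-memory image into {field: value}."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt_off = e_lfanew + 4 + 20  # skip PE signature and the 20-byte COFF header
    fields = dict(zip(OPT_NAMES, struct.unpack_from(OPT_FMT, image, opt_off)))
    if fields["Magic"] != 0x10B:
        raise ValueError("only PE32 handled here, not PE32+")
    return fields

def diff_optional_headers(a: bytes, b: bytes) -> dict:
    """Return {field: (value_in_a, value_in_b)} for every header field that differs."""
    fa, fb = optional_header(a), optional_header(b)
    return {k: (fa[k], fb[k]) for k in OPT_NAMES if fa[k] != fb[k]}

def build_minimal_pe(size_of_image: int) -> bytes:
    """Constructed sample: a header-only PE32 image (not a LordPE binary)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, struct.calcsize(OPT_FMT), 0x102)
    opt = struct.pack(OPT_FMT, 0x10B, 6, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, size_of_image,
                      0x400, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    # The two SizeOfImage values Kayaker reports for the two LordPE 1.41 builds
    original, deluxe_b = build_minimal_pe(0x36000), build_minimal_pe(0x35E50)
    for name, (x, y) in diff_optional_headers(original, deluxe_b).items():
        print(f"{name}: {x:#x} vs {y:#x}")  # SizeOfImage: 0x36000 vs 0x35e50
```

    On real files, read both with open(path, "rb").read() and pass them to diff_optional_headers; a clean copy that differs only in fields like SizeOfImage is a different build, while unexpected changes to AddressOfEntryPoint or the section data deserve a closer look.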

  6. #6
    It's a toss up.

    Woodmann
    Learn Or Die.

  7. #7
    e-t172, yeah, things like that happen. No problem - you're welcome.

    Kayaker, I just saw that I also have the "b"-version from CRCETL on my disk. I will upload it in a couple of minutes so the former status-quo is restored.

    Regards

    Edit: Done

  8. #8
    SiGiNT
    Jeesh!

    I didn't think anyone still believed that heuristic detection actually works! Actually a lot of reversing tools are listed as malware simply because they "do baddd things" like reverse engineer software.

    SiGiNT

    And no I didn't die - just been working my ass off for very little money - 16 hour days ain't nice when you're almost retirement age! :P

    Let me clarify a bit before disavowed jumps my ass: for everyday normal people type computer use heuristic is probably fine - unless they try to install PowerDVD. Another problem is keygens; most are flagged big time simply because they use out of the ordinary packers.
    Last edited by SiGiNT; June 29th, 2010 at 01:41.
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  9. #9
    Quote Originally Posted by SiGiNT
    another problem is keygens most are flagged big time simply because they use out of the ordinary packers.
    It's certainly not only about packers, 95% of keygens are flagged coz THEY ARE EMBEDDED WITH TROJANS, VIRUSES etc... to play safe, test it in a virtual machine before you want to use it
    esther


    Reverse the code,Reverse Your Minds First

  10. #10
    I'm with SiG on this one.

    I especially enjoy how some AV flag mal cleaners.

    Woodmann

    Hey SiG, I know someone on here that is older than you.
    And it ain't JMI.

    No hijack intended.
    Learn Or Die.

  11. #11
    Well, all I can say to that is it isn't fun working 16 hours a day when you finally ARE retirement age ... but can't retire. On my current schedule, I will still be working for at least two weeks after I am dead and buried.

    Regards,
    JMI

  12. #12
    SiGiNT
    Esther,

    I agree better safe than sorry, but hackers and crackers are like water and oil. Very seldom do you find both sets of skills in one person; crackers are all about making things that please people and hackers are the opposite. Why go to the trouble of making a keygen that's going to be obsolete within a month, when it's far easier to accomplish your dirty deed other ways - like making a replacement executable with your code embedded in it or a dll included in the installation? When anti-virii went heuristic, half the reversing tools I had been using for years were flagged with either a virus or trojan, but in reality I had neither. Hell, the patcher I'd been using forever was generating heuristic mis-calls when using the built in packer, but when not packed everything was fine - if a heuristic anti-virii encounters a packer it can't deal with it automatically generates a detection - looking it up usually yields the description generic - .... for instance, at least one release of ArmaGeddon was flagged as being infected.

    SiGiNT

    And hey Woody it ain't the age it's the wear and tear!!!!! - obviously JMI has very little, which leads me to the belief that exposure to psychedelic and other drugs during the formative years leads to Engineers and reverse Engineers!
    Last edited by SiGiNT; July 3rd, 2010 at 02:16.
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  13. #13
    disavowed
    Quote Originally Posted by SiGiNT
    I didn't think anyone still believed that heuristic detection actually works! Actually a lot of reversing tools are listed as malware simply because the "do baddd things" like reverse engineer software.
    ...
    Let me clarify a bit before disavowed jumps my ass, for everyday normal people type computer use heuristic is probably fine - unless they try to install PowerDVD. another problem is keygens most are flagged big time simply because they use out of the ordinary packers.
    Well, I mostly agree.
    Heuristic detections, if properly implemented, are better than nothing and can often catch "0-day" malware for which no specific signatures exist. However, if a heuristic detection detects LordPE as malware, then it is clearly *not* properly implemented.

    I'm okay with AV software detecting tools like http://www.microsoft.com/Security/portal/Threat/Encyclopedia/Entry.aspx?Name=HackTool:Win32/Passview as "HackTool" (Microsoft, Symantec) or "not-a-virus" (Kaspersky), etc., but they shouldn't automatically try to delete the program. Most AV software handles such detected files as they would a "suspicious" detection -- pop up a warning, but allow the user to keep the file.

  14. #14
    wbe
    False positives have long been a nuisance. I chose to be the sheriff of my PC a long time ago. No need for deputies.

    Putting the outsiders behind bars and tampering from the inside is fun, and it's good both for technical hygiene and mental exercise.

    Quote Originally Posted by Woodmann
    Hey SiG, I know someone on here that is older than you.
    And it ain't JMI.
    Who else could possibly be older than JMI? Last time I checked he was on display at the Smithsonian.

    Oh, my retirement! They kept me employed until just before the time I'd start submitting my Alzheimer's treatment & medication bills. On my last day they handed me a bond case full of $s as a token of their appreciation but I can't remember where I put it. So, still working now. I should have had them duplicated.

    Last edited by wbe; July 7th, 2010 at 08:27. Reason: sometimes you do it without reason

  15. #15
    Did your bond case have Euros in it?

    Woodmann

    Oh, speaking of AV flagging other softs.
    I have a thumb drive with the usual tools for fixing dirty boxes
    and now Comodo is bitching about the winrar portable exe
    that's on the thumb drive.
    Learn Or Die.
