Boost :

Date view	Thread view	Subject view	Author view

Subject: Re: [boost] [windows] Wni32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?
From: Geert Martin Ijewski (gm.ijewski_at_[hidden])
Date: 2018-05-24 09:59:26

Next message: Guido Vranken: "[boost] Boost multiprecision differential fuzzer running on Google's oss-fuzz"
Previous message: James E. King, III: "[boost] Boost.Signals deprecation and removal"
In reply to: Peter Dimov: "Re: [boost] [windows] Wni32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?"
Next in thread: Peter Dimov: "Re: [boost] [windows] Wni32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?"
Reply: Peter Dimov: "Re: [boost] [windows] Wni32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?"

Hello,

The VT Link checked the *URL* not the binary itself. As the executable
is above 20MB there's no way (AFAIK) to let it be checked by VT.

Vigorf.A is a "generic" detection[1] which basically means that it
classifies the program as malicious based on behaviour or other
heuristics --- thus there often is no definitive single thing that
causes the detection, it's a combination of many small factors. After
taking a quick look at the executable possible flags are:
* the data to be installed is appended to the executable (often called
overlay or EOF data). This is a technique often used by so called
"binders" which pack a legitimate and an malicious executable together
and execute both - so the user sees a legitimate programm running and
thinks that the whole executable was legitimate.
* the file itself has very high entropy (7.96), which indicates
encrypted or packed data. AV flag executables with an entropy higher 6
(thresholds may vary) because, well, encrypted or packed data (from the
POV of the AV) means that data is hidden and thus cannot be analyzed.

I'm not sure how to handle that situation, those are (basically)
necassary for the installer to function. Storing the data unpacked would
bloat the binary way beyond anything sensible, storing it any other way
(as a resource or in .data) won't help either. Not to mention that this
would require mucking around with InnoSetup.

Maybe MicroSoft is willing to create an exception but then this problem
would just resurface every new release. Another might be codesigning,
but that requires money, infrastructure and time.

[1]
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win32/Vigorf.A

Am 24.05.2018 um 10:24 schrieb Peter Dimov via Boost:
> Mateusz Loskot wrote:
>> Hi,
>>
>> One user reported via #boost at cpplang.slack.com that Windows
>> Defender reported trojan in the latest Windows binaries.
>> I checked myself and I can confirm the latest up-to-date Windows
>> Defender is detecting Vigorf.A in the installer archive.
>>
>> Is this false report?
>
> VirusTotal says clean:
> https://www.virustotal.com/#/url/b9ac08dd74b171f589b64bd91ba192986f7fe861fa4cf8abd3fad2fe499a2a00/detection
>
>
> _______________________________________________
> Unsubscribe & other changes:
> http://lists.boost.org/mailman/listinfo.cgi/boost
>

application/pgp-signature attachment: OpenPGP digital signature

Next message: Guido Vranken: "[boost] Boost multiprecision differential fuzzer running on Google's oss-fuzz"
Previous message: James E. King, III: "[boost] Boost.Signals deprecation and removal"
In reply to: Peter Dimov: "Re: [boost] [windows] Wni32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?"
Next in thread: Peter Dimov: "Re: [boost] [windows] Wni32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?"
Reply: Peter Dimov: "Re: [boost] [windows] Wni32/Vigorf.A trojan in boost_1_67_0-msvc-14.1-64.exe?"

Date view	Thread view	Subject view	Author view

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk