neoLogger = Freegate.b ? Or is it a false positive?

Can you please confirm whether or not the freeware application neoLogger v2 ( http://neonew.ne.funpic.de/ger/neoLogger.html ) is correctly identified as an outdated backdoor called freegate.b?

neoLogger itself is not a backdoor but a malware analysis tool. Is the freegate.b backdoor secretly placed into this tool? Is it a false alert? Is neoLogger detected as malware because the author (neo) has close relations to the malware scene?

Background: not only TDS-3 but also KAV and Ewido detect neoLogger. NOD32 does not. The Kaspersky signature was recently created. I feel that this positive is probably not an ordinary "false alert". It must either be a real positive or it must be a false positive which was intentionally created.

 

Nod does not, because it's a tool which logs fileaccess, registry access etc.
Not malicious at all. ( at least this version which i tested )

 

Let's also wait for the response of DCS. Maybe it's a false alert (at least in respect of TDS) or an extremely well disguised trojan ...

@HappyBytes: How do you test malware (amateur-like or pro-like)? I admit that I have not (yet) carefully analysed this program with a disassembler but simply executed it on a test machine and looked at the behaviour.

 

what is so difficult to understand for you?
Just decrypt it ( the sections are encrypted with 069h ) after that unpack it with UPX --> Done.

 

@Happy Bytes

Thanks. It's not difficult to understand. I just didn't know you (at least I wasn't entirely sure ;-) and, therefore, I asked whether you performed a proper analysis. I am glad that you did.

 

Nautilus?

 

From time to time ... Michael?

Anyway ... I think this false positive is interesting.

I have the following questions:

1.
Who has initially created the signature and why was this program falsely classified as freegate.b or .c? (I consider it abusive to intentionally create false positives.)

2.
How does it come that a large number of AV/AT developers have included the same false positive into their signature database? Is there a common malware pool which can also be accessed by smaller AT developers like Ewido or DCS? Is the malware contained in such malware pool properly analyzed by each developer or is it only analyzed by the developer who submits malware to the pool?

 

FYI (Jotti's malware scan):


File: neoLogger.exe
Status:
INFECTED/MALWARE
MD5 10604f656652ec243f6be1ef5a736d5e
Packers detected:
PE-CRYPT.KNOWN, UPX

Scanner results

AntiVir
Found nothing

Avast
Found nothing

AVG Antivirus
Found nothing

BitDefender
Found nothing

ClamAV
Found nothing

Dr.Web
Found Trojan.Neologger

F-Prot Antivirus
Found nothing

Fortinet
Found nothing

Kaspersky Anti-Virus
Found Backdoor.Win32.Freegate.b

mks_vir
Found Trojan.Freegate.B

NOD32
Found nothing

Norman Virus Control
Found nothing

VBA32
Found Trojan.Neologger

 

from time to time
Neo did add the manifest file (for displaying XP Style buttons) to this tool...
Take a closer look after unpacking (or just simply make a memorydump) to the end of this file and you will see what i mean. beside of this this tool also hooks wsock32 dll calls - such libs are widely used in trojans. In this case it does nothing dangerous with it.
regarding all other questions... we can not discuss this here coz this is the DCS forum and i'm afraid it would be offtopic here...

 

Hey guys! Can we have a screenshot of the TDS detection? If TDS is detecting it heuristically, it just seems to me like it's doing its' job - alerting you to the fact that a given program exhibits possibly "trojan-like" behavior. (And it's been pointed out that the program does "beside of this this tool also hooks wsock32 dll calls - such libs are widely used in trojans." ).

The "...or it must be a false positive which was intentionally created." statement seems a little absurd to me - especially given the fact that three other scanners came up with the same result?

I'm going to have to work on bringing up my paranoia level, I guess. Pete

 

@spy1

1.
"If TDS is detecting it heuristically"

"Positive identification: RAT.Freegate.b"

2.
"statement seems a little absurd to me - especially given the fact that three"

Please read again. The current status of the paranoid idea is: first sig (false or intentionally false), following sigs not properly verified because malware stems from pool.

@Happy Bytes

"we can not discuss this here coz this is the DCS forum"

How about here: https://www.wilderssecurity.com/showthread.php?t=78850 ? Alternatively, you can also post completely anonymous in the one and only uncensored forum ;-)

 

This would be a "screenshot" . And now that it's been properly submitted for evaluation, we'll wait and see what the response from DCS is (after the weekend, of course! <g> ). Pete

* Back-up post made to the TDS Private forum. Installer and installed folder "Erased"

 

Should be a "tool" detection at the most, at least for the numbers game. Not really good when users ask "why isnt this detected"

I think KAV added it first, and probably for the same reason we add some things as Client/Editor/Tool sigs. Written by a trojan writer, and more than likely used by attackers. Not dangerous, but good to detect all sorts of things like this on a machine - the boss might want to know someone has hacktools, trojan clients, whatever on their machine

Nice to see you Michael !

 

@Gavin

Thanks for the reply! I would like to emphazise, however, that you (and others) have NOT added a signature for a virus-tool or something like that (e.g., a nuker, a hacktool etc.). By contrast, several AV/AT developers have added a signature for a security-related tool that can be used to analyze malware (i.e, a tool that combines features of well-known applications like Filemon, Regmon, etc.).

Moreover, you have not directly answered my question relating to the malware pool/the process of signature creation. How does it work? Is it just that you always add a signature for a file which you receive and which is already detected by Kaspersky? In such case, do you skip an indepth malware analysis (because it generally does not hurt to add a redundant signature) and simply use the name already chosen by Kaspersky? Or am I just too curious? ;-)

 

More on the redundant side in this case, to cover "why wasn't this detected" questions yes you are very curious.. the malware pool and signature creation methods are of course confidential. We do receive malware (and non malware) from many places

I might remove it yet, having only had a reasonably quick look at it I thought it was good to classify as a tool - even thought as you say you didn't put any such functionality in the program. Could it not be used to analyse something - in a way to find attacks against it very grey area, as with a lot of things these days. For example the Nullsoft installer includes a downloader option. Do you detect this small downloader ? do you not detect it ?! I think when riskware signatures are in use, it should be detected.. but not of course with standard detection signatures.

 

i think it is quite possible that i made this mess well at least it is possible that i was the one that have send this tool to various labs to analize it. if my memory servers me well mcafee was the first one to add it, second one was i think drweb, kaspersky came later... just now i have send a second email to all the av that are detecting it (antivir, drweb, kav, mcafee, vba, mks_vir), to warn them about a possible wrong detection.

 

most av have removed detection for this tool

 

Are you saying in your opinion that neoLogger = Freegate.b is indeed a False positive....and the cart was put before the horse ? If so....there's a lot of egg that someone must remove from face....and munching on crow must be in order.

 

Well, I don't know about anyone else, but if I should happen to unknowingly d/l a program authored by someone who writes malware too, then flagging the program as "riskware" - or "contains a downloader" - would certainly be appreciated on my end.

A/V and A/T developers all from time-to-time put out "false positives" - it's what's called a "mistake". When they freely own up to such a mistake and take immediate steps to rectify it, I hardly see it as anything sinister, nor do I believe that any public self-flagellation is required on their part.

If they didn't either admit it was a false positive or an in-correct detection - or they didn't change the detection after examining a properly submitted sample (hint, hint <g> ), then one would have cause to be upset, and question the reason why.

But certainly not in this case. Pete

 

This one is funny:

"An die Antiviren-Angestellten hier auf dem Board: seid ihr eigentlich bescheuert? Nicht jedes Programm, was hier zum Download zur Verfügung gestellt wird, ist automatisch Malware! Ich bitte euch herzlichst, dieses Programm NICHT in eure DB aufzunehmen, denn es ist nun wirklich genau zum Gegenteil entwickelt worden als eine Backdoor...

An alle anderen: Das Ding ist sicher nicht gebackdoored, eure AVs lügen

ciao und viel Spaß mit dem neuen Release, neonew"

[post from the developer dated May 19, 2005]

 

One addendum:

"Not every program made available for download HERE [ann.: here = in this trojan board ;-)] can be automatically considered malware."