Beware of Combofix - contains infected file

Discussion in 'ESET NOD32 Antivirus' started by Marcos, Jan 29, 2013.

Thread Status:
Not open for further replies.
  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I'm sure I downloaded it before, and it was flagged by Eset. I don't know how this could be explained. Maybe Combofix had a build with an infected payload up for a brief period before replacing it by chance. I do not know.
     
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,966
    Marcos,
    In the first place: thanks for the heads-up !

    It seems to have been fixed. Post by Grinler:
    http://www.bleepingcomputer.com/forums/topic483431.html
    Read more at that link.

    I downloaded it:
    ComboFix.exe
    Version 13.1.30.4
    SHA256: a1ed6bc74db51c219c08d6126d7de5c60570b2f76c60ce602bf602096d2f85a1
    MD5: 4f973e9d3fdaeb5347243e8e169714e7

    Marcos, can you guys confirm it is clean? (I scanned it at VT)
     
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,966
    Now that the issue with ComboFix on BleepingComputer seems to have been resolved, the question has to be asked again "How could this happen in the first place"? You would think that BleepingComputer should have caught this. Yes, they are doing a great job over there with the one-on-one cleaning help, no doubt. Yes, it was quickly removed from the site. Nevertheless it raises questions about the security of that site. Why could this happen in the first place? And which actions have they taken to prevent this to happen again?
     
  4. anytimemoIsha

    anytimemoIsha Registered Member

    Joined:
    Jan 30, 2013
    Posts:
    2
    Yes, where is the "answer" to what happened?

    How can anyone ever trust the developer or bleepingsomputers when they have NOT told anyone what happened?

    Great Grinder, you fix it. Wonderful. But, who was hacked? Was bleeping computers hacked or was Subs? Clearly someone was. If you deny it, then, we know you don't care about the truth.

    SOMEONE WAS HACKED!!

    Who was it?

    Lie or tell the truth, Your future depends upon it!!!
     
  5. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,055
    Bitdefenders site got hacked...what do you suggest?...boycott bitdefender.?
    Give the guy a break.something awful happened and he has rectified it.it happens to us all at some point.:ninja:
     
  6. anytimemoIsha

    anytimemoIsha Registered Member

    Joined:
    Jan 30, 2013
    Posts:
    2
    Huh? What does the bitdefender hack have to so with Subs and combofix being hacked?

    Are you saying that we do not deserve to know why or how one of the most used malware cleaning tools (combofix) was infected and we can not even ask the question? So, what, we are slaves or tools of some govt or mega corp and we can't even ASK the question?

    Again, how did this happen? Grinler? Are you a man or a mouse? Was your server hacked or not? Or, as this guy above says, are we NOT ALLOWED TO EVEN ASK YOU THE QUESTION??
     
  7. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    21
    Previous versions have been examined and were not infected. Regardless of what people say this was a specific instance and not something that has been going on for a while. There have always been false positives in ComboFix and other home grown programs being offered at BC and sites like it. When creating non-commercial programs programs that contains malware signatures and have routines that can emulate malware behavior (process termination, registry modifications, etc) false positives will always appear. I know its a real PITA dealing with AV companies to get FPs removed from my programs. CF, though, was not infected with sality before this.

    Let's just calm down a little bit. This clearly sucks, no one involved is happy, and we are doing our best to help those affected.

    For me it has been a busy 2 days with what happened to ComboFix, rl jobs, and other priorities I have when running BC. I am not hiding anything, but just havn't had a chance to get back to all of the topics.

    I am sure this won't be the answer some of you are looking for, but all I can say is that BleepingComputer.com was not hacked or compromised.

    We have multiple av scanners scanning the files offered for download. Unfortunately, the scanners trigger every 12 hours and the infected version went live in between one of those scans and after I had retired for the night. The minute I found out about it, I pulled the file without sUBs knowledge and then made sure he knew.

    I have learned a lesson from this and that is to have the public files scanned more often (hourly). I will then be issued an alarm, regardless of hour, if there are any changes from a previous scan so I can pull the file. This process is being reconfigured and I have been working on it all day. Hopefully that will pick up on infected files before there is too much exposure.

    On a last note, I would have responded to this sooner, but I had not received a notification. I found this by manually checking the topic.
     
    Last edited: Jan 30, 2013
  8. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    So the question remains how did the file get infected if the default download was not compromised?

    Here are the only reasons that I can think of:

    1. sUBs development system was infected with Sality virus and the virus was able to copy over to his installer package. (Since Sality is an older virus, this is unlikely.)

    2. sUBs might have had a copy sample of Sality virus used for testing and accidentally packaged it into his installer. (Possible but very neglectful and irresponsible). Malware samples should always be placed in an area where they can not contaminate your development work.

    3. sUBs intentionally placed the Sality virus into his installer package for some unknown reason. ( I would say this is possible because nobody knows anything about this developer, he doesn't have his own website or doesn't have any known credentials to his name.) He doesn't even go by his real name, he uses his forum display name on BleepingComputer. We don't know if he uses a secure system to develop Combofix or uses the same system to test malware samples.

    Another example of his trust:

    Instead of working on a statement to say how Combofix got infected, he works on the next release to get it live again?

    So we have no way of knowing if his latest version has some unknown malware that will go undetected or if it is to be trusted.

    If this same thing was to happen to other popular removal tools like McAfee Stinger, Kaspersky Virus Removal Tool, Norton Power Eraser, Dr Web CureIt, Malwarebytes, Microsoft Malicious Software Removal Tool, Emsisoft Emergency Kit, Comodo Cleaning Essentials, HitmanPro, etc.

    Would you ever trust those tools again without any good reasons stated on how they got infected?

    BleepingComputer acts like they are just going to try to sweep this problem under the rug by allowing a replacement file to be uploaded without any good reason how the previous file got infected.

    For all of you so-called malware removal specialist, stop recommending Combofix and stop copying removal guides that recommend using it.

    There are many alternatives that are developed by trusted developers.

    Thanks.:)
     
  9. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,034
    Location:
    California
    Hello,

    The author of ComboFix has posted a short message here explaining what happened, and I feel confident that the issue has been resolved, and in a speedy and transparent fashion as well.

    No matter how careful you are, no matter what policies and procedures you have in place, accidents do happen.

    In 1991, when I was one of maybe ten people working at McAfee Associates, my work computer became infected with the Tequila virus when I booted it with an infected floppy diskette in the drive that had been left there by a colleague from the night shift. He should not have left that diskette in the floppy diskette drive, and I should have checked the floppy diskette drive for floppy diskettes before applying power to the system.

    The problem was quickly solved, but it is important to remember that when you are a small company, you are not necessarily going to have the policies and procedures in place to deal with such things until they happen. The ComboFix team has been delivering a valuable—and, I might add, uninfected—program to the community free-of-charge for years now, and I expect that to continue for many years into the future, or as long as there is malware to be fought.

    Regards,

    Aryeh Goretsky
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    I can only second what Aryeh just said.

    As for

    ... that is emphatically out of the question as well as simply not true.

    Not only has sUBs been a highly valuable member of the anti-malware community for a dozen years or more, deeply respected by his peers, he also works for MBAM as a research engineer
     
  11. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,055
    Works for malwarebytes.
    good enough credentials to me.
     
  12. er34

    er34 Guest

    I kind of agree with and support what littlebits writes about.

    I am sure though that what sUBs did was not intentional. What would he have achieved with this - some infected guys, he wins nothing. If he wanted to achieve something, he could have built a real malware (hidden peace of rootkit/bootkit/malware) and spread it very easily to many.

    People visit some forum, they simply close their eyes, they blindly trust and perform some instructions with "closed" unsigned utilities and it would have taken some time until the majority of us discover that the utility was bad. But many would have become infected and perhaps zombies or whatever the author wanted.

    I agree with Aryeh and TonyKlein - yes, sUBs and many others were/are valuable members of the anti-malware community but this is only what is shown UP. What we know about this community? It seems too underground to me. On the ground it seems it does a good job but the majority of regular people don't know anything about it. And this case brings many questions and problems - we have to think about them. I don't speak about the community or about sUBs - I mean everything like that.

    Any security expert - IT security professional will tell you that running unsigned executable from somebody you don't know is considered HIGH risk ! What we actually know about sUBs ? We know nothing - we never saw his photo, we don't know what country he lives in, he doesn't have web site. We know some nickname, some forum posts and the red tiger/lion/whatever animal ComboFix icon. Oh, yeah, we know he works for Malwarebytes. But what is Malwarebytes? Some years ago they were extremely hidden - even now almost nothing has changed. Visiting MBAM site we can read that this is not a company, it is a community.

    They do have company (corpotation) but we can't find their offices, we can't see their faces, we can't call them, we can't get in touch with them physically. We don't even trade with them directly because their trading is done via Cleverbridge system. So the same is with sUBs.

    Aryeh, being small is not an excuse. There are many small businesses but they all have offices opened for clients and can always be reached in real world. When you try to ask such questions - it looks like they are home office workers.

    So, basically, running anything from any forum, from anybody you don't know, or even from Malwarebytes (where sUBs works) is somehow risky and should be taken with a pinch of salt. The software is provided as-is but what about businesses - what if anything seriously happens - who will you contact - the web site or the real person ?



    Have a look at Spybout S&D - perhaps even smaller company but have legal information on the web site - MBAM /sUBs doesn't:
    Safer-Networking Ltd.
    Watson & Johnson Centre
    Mill Road, Greystones
    Co Wicklow, Ireland
    CRO Dublin 377893

    What about the other competitor - HitmanPro and SurfRight - small company, too, but still they are real. They have valid VAT ID, they have visiting address at The Netherlands. If I want or need to, I can reach them in two hours - just a plane short distance - real people.http://www.surfright.nl/en/home/contact

    Malwarebytes, Bleepingcomputers, sUBs - all other - hidden underground community.

    Other big companies such as Symantec, ESET, McAfee, Kaspersky, Microsoft, etc - we know them. So big that we don't know them but at the same time they are real and we can somehow trust them. We can contact them and thus the trust level is a lot HIGHER - they are real - not the same for a community.

    Dear Aryeh,

    I have used ComboFix in the past and I know it as a utility,

    But every information security expert will tell you it is against ANY standart, against ANY rule to use something from somebody you don't know anything about.

    So, as littlebits writes, we have no way of knowing if his latest version has some unknown malware that will go undetected or if it is to be trusted - simply because they are virtual people.

    Having said that, people (for example anytimemoIsha) can't keep them in charge for time because there is absolutely nobody to be kept in charge. Just their reputation will keep them in charge or not. What would have happened if SurfRight or Symantec have by accident distributed Sality infected program? We know the answer and the situation would have been totally different. If it was a massive incident, I am sure at least few people would be able to contact the vendors physically and someone would be in charge for the problem.


    P.S. By writing this I do not mean to insult anybody - do not feel angry, do not feel put down or insulted.And remember, I am virtual and you can't contact me to give a good fight.:D

     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    I think it's time to move the discussion about Combofix to the BleepingsComputer forum. The aim of this thread was merely to warn users after discovering the infected version of Combofix which is undoubtedly a very popular tool.
     
  14. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    For those who might missed agoretsky post, here´s sUBs explanation:

    http://www.bleepingcomputer.com/forums/topic483431.html/page__st__30__p__2962903#entry2962903

     
    Last edited: Jan 31, 2013
  15. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    21
    Thanks again Marcos for letting everyone know about CF.

    For the rest of the discussion, if anyone wants to continue talking about it I would be happy to host the discussion at BC or you can create separate thread here. There were definitely some recent comments I just don't agree with.
     
    Last edited: Jan 31, 2013
  16. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,966
    Thanks for the reply Grinler.
    I didn't want to let the discussion get heated by my post. If I did so, I do apologize.

    So, to end this all: keep up the good work, BleepingComputer and sUBs.
     
  17. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,253
    Location:
    New England
    As the virus warning event is now over, this is no longer a topic relevant to the ESET forum section.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.