neoLogger = Freegate.b ? Or is it a false positive?

Discussion in 'Trojan Defence Suite' started by Freegate, May 6, 2005.

Thread Status:
Not open for further replies.
  1. Freegate

    Freegate Guest

    Can you please confirm whether or not the freeware application neoLogger v2 ( http://neonew.ne.funpic.de/ger/neoLogger.html ) is correctly identified as an outdated backdoor called freegate.b?

    neoLogger itself is not a backdoor but a malware analysis tool. Is the freegate.b backdoor secretly placed into this tool? Is it a false alert? Is neoLogger detected as malware because the author (neo) has close relations to the malware scene?

    Background: not only TDS-3 but also KAV and Ewido detect neoLogger. NOD32 does not. The Kaspersky signature was recently created. I feel that this positive is probably not an ordinary "false alert". It must either be a real positive or it must be a false positive which was intentionally created.
     
  2. Happy Bytes

    Happy Bytes Guest

    NOD does not, because it's a tool which logs file access, registry access, etc.
    Not malicious at all (at least this version which I tested).
     
  3. Freegate

    Freegate Guest

    Let's also wait for the response of DCS. Maybe it's a false alert (at least in respect of TDS) or an extremely well disguised trojan ...

    @HappyBytes: How do you test malware (amateur-like or pro-like)? I admit that I have not (yet) carefully analysed this program with a disassembler but simply executed it on a test machine and looked at the behaviour.
     
  4. Happy Bytes

    Happy Bytes Guest

    What is so difficult to understand for you?
    Just decrypt it (the sections are encrypted with 069h), after that unpack it with UPX --> Done.
     
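A worked illustration of the unpacking step Happy Bytes describes, added here and not code from the thread or from neoLogger: a one-byte XOR layer over the PE sections hides the UPX stub from a static scanner until the layer is stripped, which is also why scanners looking at the same file disagree. It assumes the crypter is a plain XOR with 0x69 and runs on a constructed minimal PE image, not the real binary.

```python
import struct

XOR_KEY = 0x69  # the "069h" quoted in the thread; assumed to be a plain one-byte XOR

def pe_sections(image):
    """Return [(name, raw_offset, raw_size)] read from the PE section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections

def xor_sections(image, key=XOR_KEY):
    """XOR every section body with key, leaving headers alone (symmetric: same call strips the layer)."""
    buf = bytearray(image)
    for _, off, size in pe_sections(image):
        for i in range(off, off + size):
            buf[i] ^= key
    return bytes(buf)

def has_upx_marker(image):
    """UPX leaves a 'UPX!' magic in the packed body; the XOR layer hides it from static scanning."""
    return b"UPX!" in image

def build_sample_pe(sections):
    """Constructed minimal PE image (not a real binary): DOS stub, 'PE' signature,
    COFF header with no optional header, section table, then section bodies."""
    n, e_lfanew = len(sections), 0x40
    dos = bytearray(b"MZ") + bytearray(e_lfanew - 2)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)
    headers, bodies, off = b"", b"", e_lfanew + 4 + 20 + 40 * n
    for name, body in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(body), 0, len(body), off, 0, 0, 0, 0, 0x60000020)
        bodies += body
        off += len(body)
    return bytes(dos) + b"PE\0\0" + coff + headers + bodies

# Constructed sample: UPX-style section names with the UPX magic in the body.
PLAIN = build_sample_pe([("UPX0", bytes(16)), ("UPX1", b"UPX!" + bytes(range(16)))])
HIDDEN = xor_sections(PLAIN)  # what a scanner sees before the XOR layer is stripped
```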
  5. Freegate

    Freegate Guest

    @Happy Bytes

    Thanks. It's not difficult to understand. I just didn't know you (at least I wasn't entirely sure ;-) and, therefore, I asked whether you performed a proper analysis. I am glad that you did.
     
  6. Happy Bytes

    Happy Bytes Guest

    Nautilus?
     
  7. Freegate

    Freegate Guest

    From time to time ... Michael?

    Anyway ... I think this false positive is interesting.

    I have the following questions:

    1.
    Who initially created the signature, and why was this program falsely classified as freegate.b or .c? (I consider it abusive to intentionally create false positives.)

    2.
    How come a large number of AV/AT developers have included the same false positive in their signature databases? Is there a common malware pool which can also be accessed by smaller AT developers like Ewido or DCS? Is the malware contained in such a malware pool properly analyzed by each developer, or is it only analyzed by the developer who submits malware to the pool?
     
  8. Freegate

    Freegate Guest

    FYI (Jotti's malware scan):

    File: neoLogger.exe
    Status: INFECTED/MALWARE
    MD5: 10604f656652ec243f6be1ef5a736d5e
    Packers detected: PE-CRYPT.KNOWN, UPX

    Scanner results:

    AntiVir: Found nothing
    Avast: Found nothing
    AVG Antivirus: Found nothing
    BitDefender: Found nothing
    ClamAV: Found nothing
    Dr.Web: Found Trojan.Neologger
    F-Prot Antivirus: Found nothing
    Fortinet: Found nothing
    Kaspersky Anti-Virus: Found Backdoor.Win32.Freegate.b
    mks_vir: Found Trojan.Freegate.B
    NOD32: Found nothing
    Norman Virus Control: Found nothing
    VBA32: Found Trojan.Neologger
     
  9. Happy Bytes

    Happy Bytes Guest

    From time to time :D
    Neo did add the manifest file (for displaying XP-style buttons) to this tool...
    Take a closer look after unpacking (or just simply make a memory dump) at the end of this file and you will see what I mean. Besides this, this tool also hooks wsock32 DLL calls; such libs are widely used in trojans. In this case it does nothing dangerous with it.
    Regarding all other questions... we cannot discuss this here because this is the DCS forum and I'm afraid it would be off-topic here...
     
  10. spy1

    spy1 Registered Member

    Hey guys! Can we have a screenshot of the TDS detection? If TDS is detecting it heuristically, it just seems to me like it's doing its job - alerting you to the fact that a given program exhibits possibly "trojan-like" behavior. (And it's been pointed out that the program does "beside of this this tool also hooks wsock32 dll calls - such libs are widely used in trojans.")

    The "...or it must be a false positive which was intentionally created." statement seems a little absurd to me - especially given the fact that three other scanners came up with the same result?

    I'm going to have to work on bringing up my paranoia level, I guess. :D Pete
     
  11. Freegate

    Freegate Guest

    @spy1

    1.
    "If TDS is detecting it heuristically"

    "Positive identification: RAT.Freegate.b"

    2.
    "statement seems a little absurd to me - especially given the fact that three"

    Please read again. The current status of the paranoid idea is: first sig (false or intentionally false), following sigs not properly verified because malware stems from pool.

    @Happy Bytes

    "we can not discuss this here coz this is the DCS forum"

    How about here: https://www.wilderssecurity.com/showthread.php?t=78850 ? Alternatively, you can also post completely anonymously in the one and only uncensored forum ;-)
     
  12. spy1

    spy1 Registered Member

    This would be a "screenshot" . And now that it's been properly submitted for evaluation, we'll wait and see what the response from DCS is (after the weekend, of course! <g> ). Pete

    * Back-up post made to the TDS Private forum. Installer and installed folder "Erased"
     
    Last edited: May 7, 2005
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Should be a "tool" detection at the most, at least for the numbers game. Not really good when users ask "why isn't this detected".

    I think KAV added it first, and probably for the same reason we add some things as Client/Editor/Tool sigs. Written by a trojan writer, and more than likely used by attackers. Not dangerous, but good to detect all sorts of things like this on a machine - the boss might want to know someone has hacktools, trojan clients, whatever on their machine.

    Nice to see you Michael ! :)
     
  14. Freegate

    Freegate Guest

    @Gavin

    Thanks for the reply! I would like to emphasize, however, that you (and others) have NOT added a signature for a virus tool or something like that (e.g., a nuker, a hacktool, etc.). By contrast, several AV/AT developers have added a signature for a security-related tool that can be used to analyze malware (i.e., a tool that combines features of well-known applications like Filemon, Regmon, etc.).

    Moreover, you have not directly answered my question relating to the malware pool/the process of signature creation. How does it work? Is it just that you always add a signature for a file which you receive and which is already detected by Kaspersky? In such a case, do you skip an in-depth malware analysis (because it generally does not hurt to add a redundant signature) and simply use the name already chosen by Kaspersky? Or am I just too curious? ;-)
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    More on the redundant side in this case, to cover "why wasn't this detected" questions :) Yes, you are very curious.. the malware pool and signature creation methods are of course confidential. We do receive malware (and non-malware) from many places.

    I might remove it yet; having only had a reasonably quick look at it, I thought it was good to classify as a tool - even though, as you say, you didn't put any such functionality in the program. Could it not be used to analyse something - in a way to find attacks against it ;) Very grey area, as with a lot of things these days. For example, the Nullsoft installer includes a downloader option. Do you detect this small downloader? Do you not detect it?! I think when riskware signatures are in use, it should be detected.. but not of course with standard detection signatures.
     
  16. saso

    saso Guest

    I think it is quite possible that I made this mess :) Well, at least it is possible that I was the one that sent this tool to various labs to analyze it. If my memory serves me well, McAfee was the first one to add it, the second one was I think Dr.Web, Kaspersky came later... Just now I have sent a second email to all the AVs that are detecting it (AntiVir, Dr.Web, KAV, McAfee, VBA, mks_vir), to warn them about a possible wrong detection.
     
  17. saso

    saso Guest

    Most AVs have removed detection for this tool.
     
  18. Bubba

    Bubba Updates Team

    Are you saying in your opinion that neoLogger = Freegate.b is indeed a False positive....and the cart was put before the horse ? If so....there's a lot of egg that someone must remove from face....and munching on crow must be in order.
     
  19. spy1

    spy1 Registered Member

    Well, I don't know about anyone else, but if I should happen to unknowingly d/l a program authored by someone who writes malware too, then flagging the program as "riskware" - or "contains a downloader" - would certainly be appreciated on my end.

    A/V and A/T developers all from time-to-time put out "false positives" - it's what's called a "mistake". When they freely own up to such a mistake and take immediate steps to rectify it, I hardly see it as anything sinister, nor do I believe that any public self-flagellation is required on their part.

    If they didn't either admit it was a false positive or an incorrect detection - or they didn't change the detection after examining a properly submitted sample (hint, hint <g> ), then one would have cause to be upset, and question the reason why.

    But certainly not in this case. Pete
     
  20. Freegate

    Freegate Guest

    This one is funny:

    "To the antivirus employees here on the board: are you actually out of your minds? Not every program that is made available for download here is automatically malware! I sincerely ask you NOT to include this program in your DB, because it really was developed for exactly the opposite purpose of a backdoor...

    To everyone else: this thing is definitely not backdoored, your AVs are lying

    ciao and have fun with the new release, neonew"

    [post from the developer dated May 19, 2005]
     
  21. Paul Wilders

    Paul Wilders Administrator

    An English translation would have been nice as well as appropriate:

    "To all antivirus company members on this board: are you out of your mind? Not every program available for download is malware by nature! I do ask you from the bottom of my soul to REFRAIN from databasing this program, since it has been developed for all reasons apart from being a Backdoor...

    To all: this thing isn't backdoored for sure, your Antiviruses are lying.

    Ciao and have fun with the new release, neonew"


    regards.

    paul
     
  22. Freegate

    Freegate Guest

    One addendum:

    "Not every program made available for download HERE [ann.: here = in this trojan board ;-)] can be automatically considered malware."
     
  23. Paul Wilders

    Paul Wilders Administrator

    Thanks. Now, translation isn't that difficult to do, is it? ;)

    regards,

    paul
     