Returnil being detected as Worm by Avast

Discussion in 'Returnil Betas' started by beethoven, Aug 18, 2009.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,043
    I have been running the Lab version of Returnil for several months with no issues whatsoever.

    This morning Avast came up with a warning that the file rvssvr.exe is detected as a worm: win32: Induc.
    I ignored this and reported it back as a likely FP.

    I then tried to upload the file to jotti and virustotal but strangely this did not work - either service said the file has 0 bytes. How is that possible, the files show up normally in explorer with their respective file sizes?
    I then renamed the file and this allowed me to use virustotal - 15 /41 show this file as w32/induc.A or similar - given this result I am concerned now.

    Over the next few minutes several other returnil program files (gui, uninstall etc) all were flagged by avast with the same alert. Anyone else having the same issue?
     
    Last edited: Aug 18, 2009
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi beethoven,
This is the first report we have received of this. Please try uninstalling the 2010 Beta and then reinstall with Avast deactivated (just in case). Complete the reboot and then see if you can perform a scan with your AV for just detection (set the configurations to do nothing when a detection is made - just log). Please let me know the complete list of the RVS files detected and then put them into your exclusion list until this can be sorted with their research team (please let them know the entire list of FPs as well).

    Thanks
    Mike
     
  3. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,043
    Mike,

    I am happy to do so but I just updated my original thread (not checking that you had already answered) and after renaming the file was able to use virustotal. It appears it's not just Avast getting crazy but 15 AV in total.

    I just checked and uploaded the original exe.file for the installation of Returnil and this file too is now being flagged (11/41). So it should be easy for your team to work on this file and reproduce my results and hopefully clear this up quickly.
     
    Last edited: Aug 18, 2009
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Not getting any results on the installer at VT nor anything found at Jotti - are you sure?
     
  5. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,043
    PM sent
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    The current release 2.0.1 version and the 2010 Beta are not being flagged so it appears to be related only to a FP on the LAB build. We recommend that those using the LAB version add all detected RVS files to their AV's exclusion list and send a request to their provider to investigate a false positive detection.

    For those still having the same issue after submitting a report to the provider in question, please let us know and we will follow up to request a resolution.

    Thanks
    Mike
     
  7. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    There's an odd virus out, apparently, that targets some versions of Delphi. With the AV companies hurrying to detect these infections, there's a pretty decent chance we'll be seeing a whole load of false positives on random things in addition to the actually valid detections. 15 AVs reporting the same false positive on the same file sounds pretty unusual, though. I've often seen four or five AVs make the same false positive (due to sharing the same engines and all) but seldom 15 AVs at once. It'll be interesting to see how this one turns out.

    http://www.viruslist.com/en/weblog?weblogid=208187826
     
  8. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    First and foremost: Our software is clean and it would go against everything we believe in to have it otherwise. We are dedicated to fighting malware.

    If they are rushing to include it, it also means that it is safe to assume they may be failing to test their signatures adequately prior to release. The real question is whether this is related to the summary you cited or to something else.

    Mike
     
  9. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I think it's pretty sure that it's at least somehow related, considering the original poster said the AVs detect w32/induc.A and this "new" Delphi-infecting virus is called exactly that by the AV companies: http://www.sophos.com/blogs/sophoslabs/?p=6117

    I'm sure we've all seen this stuff before: AV companies rush out definitions for a new malware, and end up causing a huge pile of false positives, which they then slowly correct over the next few days and weeks. And by that time, of course, they've had time to develop entirely new false positives. :)
     
  10. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,043
  11. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Apparently the virus has been spreading for several months without being detected by any AV. Nice example of how "well" blacklist protection can work against new malware. ;)

    Did you happen to report this as a probable false positive to Avast? If so, what was their reply?
     
  12. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,043
    I submitted the initial detection but have not had any reply. Based on the thread above and the number of submissions, I don't expect any specific reply anymore.
    Now I am wondering what damage this virus may already have done.
     
  13. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    According to the analysis of multiple AV companies, the virus does not have a dangerous malicious payload: it doesn't try to delete files or destroy data, it does not modify existing executable files, or perform any trojan-like actions like stealing data. Basically, it's harmless - a proof of concept or test, or perhaps a statement of some kind to show that some developers aren't keeping their development environments safe and secure (meaning, any developer who gets infected with this). So, the only damage it should do is to developers who will now have to clean up their systems, recompile clean versions of their software and then explain to their customers why they were shipping infected code. Not fun, but it could be far worse! So, even if you were infected with this one you wouldn't have to go into panic mode, so to speak. All you'd have to do is wait for developers to release new, clean versions of their software that are not infected with Induc.

    As for your case, though, Coldmoon says their software is clean, so you were probably just bitten by false positives from multiple AV companies. You could always send false positive reports to some of the other AV companies detecting the file as infected and see if they can be bothered to reply and fix any possible false positives. In a case like this where a security software is detected as infected, it would be irresponsible from an AV company to ignore false positive reports and fail to confirm whether their detection is a mistake or not, and of course also prove it. Every time an AV falsely detects a legit software as infected or malicious, it has an effect on the reputation of that legit software, so AV companies should correct their mistakes with apologies. And of course, it works the other way around as well.
     
  14. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,043
    I think Coldmoon meant that their software is intended to be clean, ie they are a reputable company and would not put malware in there intentionally. Given the reports I have seen now, I don't think that my alert was a FP. I believe the version I had been using which was not a version for general release but used for beta/ testing purposes may have been compiled with delphi affected by this problem. Fortunately the normal release versions or the latest versions don't suffer the same issue.
     
  15. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Ah, I interpreted his post to mean that this is just a false positive and they're sure of it. I don't know how it is - I've not seen the files in question - but if a test/beta version of their software was actually infected with this, that would be a pretty decent sized mistake, showing that someone in the dev team needs to be a lot more careful. This virus is fortunately pretty harmless, but some are not.
     
  16. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Avast spotted the same thing in my LAB-build and I, too, thought it was a FP! I'll never be sure if it was, or not, as I had to re4mat! (long overdue) OFF-TOPIC: Could one revert back to RVS_'08_FREE for now, Coldmoon?
     
  17. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi all,
First, please forgive any inconvenience this incident may have caused. We have discovered that the detection was not a false positive. One of our development systems had an infected Delphi file and this caused the testing version of LABS to be infected as well. We have thoroughly rechecked all systems and can report no further sign of this malware.

    Please uninstall your current version of LABS and perform a thorough scan of your system to be sure the malware is removed. Once you have verified that the system is clean, you can download a new (clean) copy of LABS using the following link:

    http://www.returnilvirtualsystem.com/returnil-labs

    File Size: 2118144 bytes
    MD5 : 2afb055ff7e217c85e3e01f9ef5231c0
    SHA1 : b8c93a7afc81aa6bba1ab032aa847d7924fc837f

    Mike
     
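Since the vendor posted a size, an MD5 and a SHA1 for the clean LABS build, the practical check before installing is to compute the same three values over the downloaded file and reject it on any mismatch. The script below is an added example, not code from the thread or from Returnil; the published values are copied from the post above, and the sample bytes are constructed so the check can be exercised offline.

```python
import hashlib
from typing import Dict

# Values published in the post above for the clean LABS installer.
PUBLISHED_SIZE = 2118144
PUBLISHED_MD5 = "2afb055ff7e217c85e3e01f9ef5231c0"
PUBLISHED_SHA1 = "b8c93a7afc81aa6bba1ab032aa847d7924fc837f"


def fingerprint(data: bytes) -> Dict[str, object]:
    """Size, MD5 and SHA1 of an in-memory file image."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def fingerprint_file(path: str, chunk: int = 1 << 20) -> Dict[str, object]:
    """Same as fingerprint(), but streamed from disk for installer-sized files."""
    size, md5, sha1 = 0, hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            md5.update(block)
            sha1.update(block)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def check_against_published(actual: Dict[str, object], size: int,
                            md5: str, sha1: str) -> Dict[str, str]:
    """Compare a fingerprint with vendor-published values.

    Returns an empty dict when everything matches; otherwise one entry per
    mismatching field, so a wrong size alone is enough to reject the file.
    Digests are compared case-insensitively since vendors publish either form.
    """
    expected = {"size": size, "md5": md5.lower(), "sha1": sha1.lower()}
    return {
        key: f"expected {expected[key]}, got {actual[key]}"
        for key in expected
        if actual[key] != expected[key]
    }


if __name__ == "__main__":
    # Constructed sample standing in for the download; it is not the real installer.
    sample = b"MZ" + b"\x00" * 62 + b"constructed sample, not the real installer"
    problems = check_against_published(fingerprint(sample), PUBLISHED_SIZE,
                                       PUBLISHED_MD5, PUBLISHED_SHA1)
    print("install OK" if not problems else f"reject download: {problems}")
```

For a real download, replace `fingerprint(sample)` with `fingerprint_file("path/to/downloaded-installer.exe")`; a match only confirms the file is the one the vendor published, which is exactly the question this thread turned on.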