All times are UTC - 8 hours
 Post subject: Addressing malware
PostPosted: Fri Sep 22, 2017 2:14 pm 
Joined: Wed Apr 11, 2007 8:06 pm
Posts: 7431
Location: US, Texas
As was discussed recently, the very popular CCleaner recently got infiltrated by malware. This isn't the first time this has come up, but it may be one of the most popular programs this has affected, harming the widest group of people. I've begun to wonder if the site doesn't need to take some additional steps for our visitors.

The problem

It doesn't matter that this is still exceedingly rare and that Windows is much better than many other platforms for freeware. It also doesn't matter that for years I didn't even run anti-virus on my machine while still testing hundreds of programs. Malware developers are increasingly targeting freeware, that's alienating users and tarnishing the efforts of a lot of good people who give away their work for free. I have had far too many conversations about this with people over the past two years.

The solution

I'd like to suggest addressing that on the website in some way. I've hesitated on this in the past because it seemed that putting a warning at the top of the site was just another way to make people think that freeware was unsafe, but now I'm starting to wonder if it's worse to not clearly address it. We might do that through recommending use of VirusTotal, anti-virus, and tested, reliable backup tools.

Suggestions?

I'm still thinking about what that might look like but I wanted to post something here and see if anyone had ideas about how to approach that.

_________________
Supporting Net Neutrality - BattleForTheNet | Why this matters | More from EFF.org


Last edited by webfork on Fri Sep 22, 2017 2:17 pm, edited 2 times in total.
(improved wording)
 Post subject: Re: Addressing malware
PostPosted: Fri Sep 22, 2017 6:49 pm 
Joined: Sun Feb 16, 2014 10:54 pm
Posts: 237
I think personally if I were looking at an entry or browsing I'd appreciate a program's entry bumped to the front page and note in the entry's description regarding known malware-affected versions of software with a link to a level-headed article with more info, at the date of the infection. Given a period after the malware has been removed it's probably less necessary to remain in the description and could just be left in the form of an entry comment.

That would be mostly only useful for new visits/downloaders and such an updated message mightn't reach existing users but it's better than nothing. News of high profile programs infected with malware will likely reach users' attention other ways via other channels like articles and internet word of mouth.

In CCleaner's case there was really no way a user could have predicted this. It was signed using their own keys IIRC and pushed as a regular update. The only takeaway as a user would be to keep an eye out for news about updates of programs you use and if you're cautious to disable auto-updates (which for portable programs is kind of the normal state anyway, at least in my experience).
 Post subject: Re: Addressing malware
PostPosted: Fri Sep 22, 2017 8:57 pm 
Joined: Sat Feb 09, 2008 9:57 am
Posts: 2902
Location: Romania
Ideally, for me, every database entry would have another field (named "threat level" or whatever) based on VirusTotal analysis.

For CCleaner v5.33, here are the VT results for the entire archive and for the 32 bit executable:
https://www.virustotal.com/en/file/6f78 ... 506119965/

https://www.virustotal.com/en/file/e710 ... 506111834/

As you can see, they have over half worrying results and that would translate into a RED label (or 5 red exclamation marks or whatever) in the threat field. A green label would mean safe (0 VT warnings), a yellow one (1-5 VT warnings) - be careful, read more etc...

However, the problem is that not all packages can be scanned on VT, or the db updater may not have the time to do the scans, etc. In that case the label should be some indicator that the program's threat lvl has not been established yet (grey color?, pink?).
Also, a warning should be put in place stating that a VT score of 0 doesn't equal an absolutely safe package!

Or something along those lines...

P.S. Of course, one may argue what's the point of listing a package with a RED label instead of the previous safe version, but I, for one, would prefer to know the current version's state of affairs, 'cause I can always find the previous version if I really need it.

_________________
My Tox ID
 Post subject: Re: Addressing malware
PostPosted: Fri Sep 22, 2017 10:41 pm 
Joined: Sat Jul 31, 2010 1:19 am
Posts: 1719
Location: Helsinki, Finland
joby_toss wrote:
Ideally, for me, every database entry would have another field (named "threat level" or whatever) based on VirusTotal analysis.

For CCleaner v5.33, here are the VT results for the entire archive and for the 32 bit executable:
https://www.virustotal.com/en/file/6f78 ... 506119965/

https://www.virustotal.com/en/file/e710 ... 506111834/

As you can see, they have over half worrying results and that would translate into a RED label (or 5 red exclamation marks or whatever) in the threat field. A green label would mean safe (0 VT warnings), a yellow one (1-5 VT warnings) - be careful, read more etc...
It would still be only of limited help. AFAIK, antivirus programs didn't detect CCleaner 5.33 as malicious at the time it was released.

_________________
My YouTube channel | Release date of my 11th playlist: January 26, 2018
 Post subject: Re: Addressing malware
PostPosted: Fri Sep 22, 2017 10:53 pm 
Joined: Sun Feb 16, 2014 10:54 pm
Posts: 237
SYSTEM wrote:
It would still be only of limited help. AFAIK, antivirus programs didn't detect CCleaner 5.33 as malicious at the time it was released.
AVs aren't a perfect way of telling if a program contains malicious code, yeah. There's also the issue of false positives for even harmless software.

A dev wrote a blog post on how they could bypass AV detection rather simply (0/56 on VirusTotal) last year, which was useful to at least see that such scans aren't necessarily a trustworthy metric. That said, I still check archives of programs against it from time to time, since if you take into account false positives and the information listed per AV you can make up your own mind about what it reports, along with any user reports I might read online. It does have its uses, though I'm not sure the score alone is something I'd rely on unless AVs have been updated to find specific, known malware (as happened later with that CCleaner version).
 Post subject: Re: Addressing malware
PostPosted: Fri Sep 22, 2017 11:59 pm 
Joined: Sat Jul 31, 2010 1:19 am
Posts: 1719
Location: Helsinki, Finland
Specular wrote:
A dev wrote a blog post on how they could bypass AV detection rather simply (0/56 on VirusTotal) last year, which was useful to at least see that such scans aren't necessarily a trustworthy metric.
:shock:

I would never have expected that such a simple shellcode obfuscation technique would fly past AVs. Not in a million years. Just what on Earth are AV vendors doing?

_________________
My YouTube channel | Release date of my 11th playlist: January 26, 2018
 Post subject: Re: Addressing malware
PostPosted: Sat Sep 23, 2017 10:39 am 
Joined: Mon Dec 07, 2009 7:09 am
Posts: 3888
Location: Sol3
I would suggest publishing hashes (or possibly auto-hashing) as the quickest and simplest solution -- BTW, Virustotal links are based on a SHA-256 hash.

Certificate checking would be the way for taking that further but I'm afraid there's nothing simple about it.
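The hash publishing and VirusTotal link suggested here, together with the colour-coded "threat level" field proposed earlier in the thread, as one added example (my own sketch, not code from the forum or its site): a listing record that verifies a download against a published SHA-256, builds the VT report URL from that same hash, and maps a VT result to a grey/green/yellow/red label while keeping the scan date, since a clean result only says what the engines knew on that day. The Listing record, the rule that more than five detections counts as red, and the sample bytes are assumptions/constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Listing:
    """Hypothetical record a download site could publish for each package (assumption)."""
    name: str
    sha256: str                          # published hash of the archive
    vt_positives: Optional[int] = None   # engines that flagged it; None = not scanned yet
    vt_total: Optional[int] = None       # engines that scanned it
    vt_scanned_at: Optional[str] = None  # a score only means something together with its date

def sha256_of(data: bytes, chunk: int = 1 << 16) -> str:
    """Hash in chunks, as you would when streaming a large archive from disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()

def verify_download(data: bytes, listing: Listing) -> bool:
    """True only if the downloaded bytes match the published hash (constant-time compare)."""
    return hmac.compare_digest(sha256_of(data), listing.sha256.lower())

def vt_link(listing: Listing) -> str:
    """VirusTotal addresses file reports by the sample's SHA-256, so the published hash is the link."""
    return f"https://www.virustotal.com/gui/file/{listing.sha256.lower()}"

def threat_label(listing: Listing) -> str:
    """Colour scheme from the thread: grey = not scanned, green = 0, yellow = 1-5 detections.
    Assumption: anything above 5 is red (the thread only names 'over half' as red)."""
    if listing.vt_positives is None or listing.vt_total is None:
        return "grey"    # no scan on record, so make no claim either way
    if listing.vt_positives == 0:
        return "green"   # absence of known signatures, not proof of safety (see the CCleaner case)
    if listing.vt_positives <= 5:
        return "yellow"
    return "red"

# Constructed sample: fake archive bytes, not a real package.
SAMPLE = b"PK\x03\x04 constructed sample archive bytes"
LISTING = Listing("example-tool", hashlib.sha256(SAMPLE).hexdigest(),
                  vt_positives=0, vt_total=60, vt_scanned_at="2017-09-22")

if __name__ == "__main__":
    print(LISTING.name, "hash ok:", verify_download(SAMPLE, LISTING),
          "label:", threat_label(LISTING), "report:", vt_link(LISTING))
```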