Voyager-NO-

ArmA Extended Dll


As Antivir had a heuristic hit on the File "run.exe" from the downloaded archive, we made an upload to http://virusscan.jotti.org (online malware scan) and this is the result of it:

File: run.exe
Status: INFECTED/MALWARE
MD5: ff4e472319522dc08aff5c29252dd68f
Packers detected: PE_PATCH, UPACK
Bit9 reports: Low threat detected

Scanner results (scan taken on 13 Oct 2007 14:01:48 GMT):

A-Squared             Found nothing
AntiVir               Found HEUR/Malware
ArcaVir               Found Heur.Win32
Avast                 Found Win32:Trojan-gen. {Other}
AVG Antivirus         Found nothing
BitDefender           Found nothing
ClamAV                Found PUA.Packed.UPack-2
CPsecure              Found nothing
Dr.Web                Found nothing
F-Prot Antivirus      Found nothing
F-Secure Anti-Virus   Found nothing
Fortinet              Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32                 Found nothing
Norman Virus Control  Found W32/Suspicious_U.gen
Panda Antivirus       Found Generic
Rising Antivirus      Found nothing
Sophos Antivirus      Found Mal/Packer
VirusBuster           Found nothing
VBA32                 Found nothing

Does anyone actually have this ArmA Extended dll working?


Source code should be released, similarly as to what kegetys did with his fwatch.

Then people can go and read the source code, and compile it, to ensure what the program does.

It is not impossible to get a false alert from an antivirus program. It is possible that the way this program works, is also the way how many viruses work. Thus, antivirus programs can flag it as a virus to be on the safe side.

But we do not know for sure! That is definitely a problem. Releasing source code could help. Otherwise, many people will never touch this program, just to be on the safe side.


Correct, you nailed the problem on the head. The actual report is a different matter: it points to the manner in which the application is packaged, i.e. it loads itself into memory in a similar way to how many malware packages are also packaged. That's not immediately a problem, rather just a suspicious way of having a wrapper package load another package into the system.

The real concern is one not raised in the scan report, and that is the operational behavior of the program. The whole basic premise of this type of application is to monitor a target for a specific activity, then inject a suitable response. As no direct method exists, it can only do this by exploiting malformed calls, or more nefarious means. Functionally, it is no different from KFC apps modifying memory space to change ammo classnames as they are fired, or other such activity.

Obviously releasing 'the code' would allow it to be audited to confirm that the application does not have improper behavior or any other nasties hiding in it. However, that doesn't validate that the distributed package actually conforms to the code released. The only way to confirm that is for everyone to compile their own. And that then swings the nightmare back, in that you have no mechanism to tell if someone else hasn't tinkered with their version to add in many bad things.

This whole premise is the reason behind the draconian control systems like WoW's Warden, Valve's VAC, and fully-implemented client-server PunkBuster. You can't just secure and monitor the target application, you have to secure and monitor the environment that the application resides in. Whether you agree with that or not on privacy grounds is a different matter; I refer solely to the technical dilemma of guaranteeing that there are no leeches subverting the system.


ArmA Extended Dll does not contain any malware. Only run.exe is packed, by WinUpack 0.39.


Thanks for giving me a look into the source code.

There seems to be no MALWARE in it.

Would it be possible for you to add a few functions which I find quite useful in the next version? (if you are going to release a newer version)

- Importing System Timestamp

- Read from URL (if not already possible?)


Just to clarify, 'packer' modules in this sense are like 'zipped' executables. It is a common practice by malware authors to use packers as a means of hiding their code from scanners, or also legitimately by developers as a rather futile effort to hide their program's executable code from those who wish to attack it.
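The scan report above and this explanation of packers both come down to the same heuristics: a packed executable carries a compressed, high-entropy payload and an unpack stub that writes into a section it then executes. The following is an added example, not code from the thread or from the ArmA Extended Dll project: a dependency-free PE section-table walk plus the two checks a scanner typically applies, run against a constructed sample image (the hard-coded offsets and the sample sections are assumptions for the demo, not properties of the real run.exe).

```python
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Walk the PE section table, yielding (name, raw_size, raw_offset, flags)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                     # section headers follow the optional header
    for i in range(nsec):
        name, _, _, rawsize, rawptr, *_, flags = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), rawsize, rawptr, flags

def packer_indicators(image: bytes) -> list:
    """Heuristics a scanner applies to a packed binary; each hit is a reason, not a verdict."""
    hits = []
    for name, rawsize, rawptr, flags in pe_sections(image):
        ent = shannon_entropy(image[rawptr:rawptr + rawsize])
        if ent > 7.0:
            hits.append(f"section {name!r}: entropy {ent:.2f} (compressed or encrypted payload)")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            hits.append(f"section {name!r}: writable and executable (unpack-in-place stub)")
    return hits

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32 image for the demo; this is NOT the real run.exe."""
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    ptr = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)                    # first raw-data offset
    hdrs, blobs = b"", b""
    for name, data, flags in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), ptr, len(data), ptr, 0, 0, 0, 0, flags)
        blobs, ptr = blobs + data, ptr + len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(0xE0) + hdrs + blobs

SAMPLE_SECTIONS = [  # constructed: a plain code section plus a packed, unnamed, writable+executable one
    (b".text", b"\x90" * 4096, 0x60000020),
    (b"", bytes(range(256)) * 16, 0xE0000020),
]
```

Running `packer_indicators(build_sample_pe(SAMPLE_SECTIONS))` reports only the second section, which is why a signature like ClamAV's PUA.Packed.UPack-2 is a statement about packaging, not about what the unpacked code does.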
