Oh crap... PB ransomware

For everything that's not in any way related to PureBasic. General chat etc...
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

A new flood of false positives has hit. McAfee is now reporting them and clobbering things. I now have users completely out of action. My Department's cyber security ran a file through Hybrid Analysis. I don't know if this helps or not but some of the suspected areas look suspicious. Example: why is ftp@example coming up? Why is that even in a compiled program? Fred & Team, can you have a look please? Even going to 64-bit now does not help.

https://www.hybrid-analysis.com/sample/ ... 050c4fbb78
Lunasole
Addict
Posts: 1091
Joined: Mon Oct 26, 2015 2:55 am
Location: UA

Re: Oh crap... PB ransomware

Post by Lunasole »

Purelocker... nice :D
"W̷i̷s̷h̷i̷n̷g o̷n a s̷t̷a̷r"
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

A bit more info. I just recompiled one module and sent it to VirusTotal. The module uses HTTPRequest to send data to my website that users have updated. Removing HTTPProxy and HTTPRequest not only reduced the size of the exe from 340k down to 88k, but it also reduced the number of false positives, too, from 8 to 6. Is there any PB code about that can do the same sort of thing but without using the library?
Saki
Addict
Posts: 830
Joined: Sun Apr 05, 2020 11:28 am
Location: Pandora

Re: Oh crap... PB ransomware

Post by Saki »

Lunasole wrote:Purelocker... nice :D
Unfortunately, it's absolutely not nice.

In addition to the considerable financial damage, people can die when computers in hospitals,
traffic control systems, power plants, military installations and others are paralysed or damaged.
It is a serious crime and the death of people is knowingly accepted just to get money.

Where do the know-how and the important code components of Purelocker come from? You should think about that.

There are signs that say: "Don't feed the monkeys"

If you do this anyway, you do not have to complain afterwards!
Peace on Earth
Lunasole
Addict
Posts: 1091
Joined: Mon Oct 26, 2015 2:55 am
Location: UA

Re: Oh crap... PB ransomware

Post by Lunasole »

Saki wrote:
Lunasole wrote:Purelocker... nice :D
Unfortunately, it's absolutely not nice.

In addition to the considerable financial damage, people can die when computers in hospitals,
traffic control systems, power plants, military installations and others are paralysed or damaged.
It is a serious crime and the death of people is knowingly accepted just to get money.

Where do the know-how and the important code components of Purelocker come from? You should think about that.

There are signs that say: "Don't feed the monkeys"

If you do this anyway, you do not have to complain afterwards!

To be exact, I was laughing at how they named it, "Purelocker" ^^

Yes, in fact it may be harmful and not that funny. But I don't agree that some knowledge about such things must be limited.
On a large scale it works like "the better people know how it works (and the more of them know), the better defense they can build". Someone can learn from such examples and get interested in becoming a good security expert, for example.
And anyway, limits never stop those who make such software from making it successfully; if someone is motivated enough to do something criminal, there is always a way.
"W̷i̷s̷h̷i̷n̷g o̷n a s̷t̷a̷r"
Saki
Addict
Posts: 830
Joined: Sun Apr 05, 2020 11:28 am
Location: Pandora

Re: Oh crap... PB ransomware

Post by Saki »

Sample Post from boyoss

Replies: 115
Views: 47622

just one more question, how can I delete all restore points?

:shock:

Think it over !

I'm out of that thread now.
Peace on Earth
Bitblazer
Enthusiast
Posts: 733
Joined: Mon Apr 10, 2017 6:17 pm
Location: Germany

Re: Oh crap... PB ransomware

Post by Bitblazer »

Somebody should write a purebasic program which uses the commandline compiler to create a binary of the resulting executable for every single command example of the purebasic help. If any AV picks the binary up - automatically report it as a false positive. That may create a flood of requests for some AV companies, but it's their fault for having such braindead detection ;)

A fun new project for a bored purebasic developer:
  1. take every example from the purebasic help pages
  2. run them through the commandline compiler
  3. run the resulting executable through virustotal
  4. report every resulting false positive automatically
Sure, the AV companies' support might puke due to the amount of resulting requests, but maybe that helps us in the long run and makes them aware of a fundamental problem.

Let's stop being on the receiving end of lazy AV companies.

During this process, I am sure some companies will not react or are unbelievably slow. That's why somebody could document the whole interaction and later compile a nice table with the best and worst AV companies' reaction times. These results can later be used to contact an IT news service. Bad publicity can be a powerful motivation, especially as the readers of those IT news are also the ones who usually have a strong influence on which AV is being used in the companies we work in/with/for.

ps: to get an easier start, do this with the compiler examples folder, add your own personal projects and any other source you can find and where you definitely know they do not contain malicious code.
pps: install the most common purebasic compiler versions from the past and do it for their commandline compilers too ;)
webpage - discord chat links -> purebasic GPT4All
BarryG
Addict
Posts: 3294
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

Bitblazer wrote:Somebody should write a purebasic program which uses the commandline compiler to create a binary of the resulting executable for every single command example of the purebasic help. If any AV picks the binary up - automatically report it as a false positive.
That won't work. Open the IDE, have NO source code at all, and turn off ALL compiler options. Then create an exe and upload it to VirusTotal. It gets 17 malware hits!

https://www.virustotal.com/gui/file/0b1 ... /detection

So if a do-nothing executable built from zero source code (0 bytes, not even a comment!) gets flagged so badly, what hope do our real-world apps have?
BitBlazer wrote:some companies will not react or are unbelievably slow. That's why somebody could document the whole interaction and later compile a nice table with the best and worst AV companies' reaction times. These results can later be used to contact an IT news service. Bad publicity can be a powerful motivation
This has literally been done before (I'll try to find the link). Bad publicity and comparisons didn't help. Some AVs do not want to remove false-positives because it makes their detection rate look worse. In other words, the more "viruses" they find, the better they look for potential customers, so they leave it in. It's better business for them.
Bitblazer
Enthusiast
Posts: 733
Joined: Mon Apr 10, 2017 6:17 pm
Location: Germany

Re: Oh crap... PB ransomware

Post by Bitblazer »

BarryG wrote:Open the IDE, have NO source code at all, and turn off ALL compiler options. Then create an exe and upload it to VirusTotal. It gets 17 malware hits!

So if a do-nothing executable built from zero source code (0 bytes, not even a comment!) gets flagged so badly, what hope do our real-world apps have?
That is a good example. Make this part of the reporting.
BarryG wrote:Some AVs do not want to remove false-positives because it makes their detection rate look worse. In other words, the more "viruses" they find, the better they look for potential customers, so they leave it in. It's better business for them.
That is a very obscure opinion. A false positive is as much of a technical fail as missing a real malware. In both situations, the detection failed. In which way should an increased number of false positives be an advantage for any AV software?

Btw. from my personal experience, every single report of false positives for my own software was removed with the next AV update. False positives happen, but reporting works. Ignoring the problem will just make the situation worse and harm the business of Fantaisie Software in the future.
webpage - discord chat links -> purebasic GPT4All
BarryG
Addict
Posts: 3294
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

Bitblazer wrote:In which way should an increased number of false positives be an advantage for any AV software?
Marketing. Think about it: AV Company #1 compares itself with AV Company #2, but is able to say: "Our advanced detection found 50 malware compared to only 20 that Company #2 could detect - don't risk malware being missed!". Makes their product look better.
Bitblazer
Enthusiast
Posts: 733
Joined: Mon Apr 10, 2017 6:17 pm
Location: Germany

Re: Oh crap... PB ransomware

Post by Bitblazer »

BarryG wrote:
Bitblazer wrote:In which way should an increased number of false positives be an advantage for any AV software?
Marketing. Think about it: AV Company #1 compares itself with AV Company #2, but is able to say: "Our advanced detection found 50 malware compared to only 20 that Company #2 could detect - don't risk malware being missed!". Makes their product look better.
That could easily backfire once somebody actually verifies that claim and finds out that the software did not find more hits, but actually just spotted more false positives. If you think that works, I suggest you develop a next-gen super AV software which basically reports every unknown file as some obscure malware or "suspicious". That way you will have the only AV product which will "spot" the next super malware that nobody else found. It is just a matter of time till that malware shows up ;)

But I don't think the product will sell well, because you have to make up obscure vague reasons for the detection of basically every possible file you scan.

I guess that's how some AV products work by now. They don't detect malware, but actually detect non-malware and simply report everything else for some obscure vague reason ;)

ps: advertise it as being based on the latest AI methods and you have guaranteed sales ;) At least for the first 3 to 6 months...
webpage - discord chat links -> purebasic GPT4All
BarryG
Addict
Posts: 3294
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

Bitblazer wrote:I guess that's how some AV products work by now. They don't detect malware, but actually detect non-malware and simply report everything else for some obscure vague reason
In my other discussions in these forums you'll read how my app is "malware-like" because it monitors the clipboard and checks the date/time often. AV companies are the pits. Worse than car dealers and real estate agents, and that's really saying something.
Lunasole
Addict
Posts: 1091
Joined: Mon Oct 26, 2015 2:55 am
Location: UA

Re: Oh crap... PB ransomware

Post by Lunasole »

Bitblazer wrote:Somebody should write a purebasic program which uses the commandline compiler to create a binary of the resulting executable for every single command example of the purebasic help. If any AV picks the binary up - automatically report it as a false positive. That may create a flood of requests for some AV companies, but it's their fault for having such braindead detection ;)

A fun new project for a bored purebasic developer:
  1. take every example from the purebasic help pages
  2. run them through the commandline compiler
  3. run the resulting executable through virustotal
  4. report every resulting false positive automatically
Sure, the AV companies' support might puke due to the amount of resulting requests, but maybe that helps us in the long run and makes them aware of a fundamental problem.

Let's stop being on the receiving end of lazy AV companies.

During this process, I am sure some companies will not react or are unbelievably slow. That's why somebody could document the whole interaction and later compile a nice table with the best and worst AV companies' reaction times. These results can later be used to contact an IT news service. Bad publicity can be a powerful motivation, especially as the readers of those IT news are also the ones who usually have a strong influence on which AV is being used in the companies we work in/with/for.

ps: to get an easier start, do this with the compiler examples folder, add your own personal projects and any other source you can find and where you definitely know they do not contain malicious code.
pps: install the most common purebasic compiler versions from the past and do it for their commandline compilers too ;)

:mrgreen:
Nice idea.

I think it may even be possible for PB owners to sue some AV vendors, as they are causing reputational and financial damage to companies because of massive false positives. Generally, for anyone who struggles with false positives it would be really nice to get some compensation from those vendors and force them to be more accurate.
Not sure of course, but maybe some lawyer shark will find a way to get some cash from this, and this might even become a loud case in IT news.
"W̷i̷s̷h̷i̷n̷g o̷n a s̷t̷a̷r"
BarryG
Addict
Posts: 3294
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

Bitblazer wrote:i don't think the product will sell well, because you have to make up obscure vague reasons for the detection of basically every possible file you scan.
In my experience, I've had customers who complain about anything and everything that my app does. One guy in particular is ultra-paranoid and always asks me things like "Why is it reading the clipboard?" and "Why does it use a CHM file for help when CHM is insecure and deprecated by Microsoft?" and so on. So I could literally write an app that detects all these types of thing and he would readily buy it as a "security" product because it would identify and warn him about apps like mine. I'm serious. There'd be a market for it because if he's like that, then many other people are like that.
DeanH
Enthusiast
Posts: 223
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

The last week has been a nightmare. I have had to field over 200 calls from schools because their PB-compiled library software is being deleted by their AV system. First by McAfee and Bit-Defender then last Tuesday Windows Defender began to do this. I saw it happen on my own workstation, too. The false detections have become worse and by more AV systems. It is so bad it could put me out of business.

What is weird, however, is that older versions of the same compiled programs are not being quarantined. Some research. (Fred & Team, you might be interested in the results.)

I compiled one 6Mb module using different versions of PureBasic and then uploaded it to VirusTotal.

PB 5.72x86 (32 bit), 15 detections of 72, including Microsoft. (Reports a Trojan, Fuery)
PB 5.72x64 (64 bit), 1 detection. Guess who? Microsoft.
PB 5.70x86, 14 detections, Not including Microsoft!
PB 5.70x64, 0 detections
PB 5.61x86, 7 detections including Microsoft
PB 5.31x86, 3 detections, including Microsoft (reports a PUA Puwaders)

I use HttpRequest in this program, so I remarked out all references to it. Had to do that to test 5.61 and 5.31. Made no difference if compiled using 5.72 but it did with 5.70.

I feel there is not much the PureBasic team can do about this. Kaspersky even apologizes for the false detections on their submission page, saying they cannot be avoided. I think the only thing we can do is to submit files. Like many of you, my experience with this is patchy. Some of them make it difficult to submit, too, which does not help.

Is there any PB source code that does the same thing as HttpRequest and upload?
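An added example, not code from this thread or from the PureBasic project, that automates the pipeline Bitblazer outlines (compile each example, scan, tally) and the per-compiler-version tally DeanH posted: it builds a .pb file with the command-line compiler, hashes the exe, looks the hash up on VirusTotal and reduces the v3 report to a "detections of N" figure with the engines and names that flagged it. Assumed: pbcompiler is on PATH and takes the Windows-style /EXE switch, api_key is your own VirusTotal key, and the embedded report is constructed rather than a real scan.

```python
import hashlib
import json
import subprocess
import urllib.error
import urllib.request
from pathlib import Path

# Engine categories in a VT v3 last_analysis_results block. Only the first two count as
# a hit; engines that never scanned the file drop out of the denominator ("15 of 72").
FLAGGED = {"malicious", "suspicious"}
NOT_SCANNED = {"type-unsupported", "timeout", "confirmed-timeout", "failure"}

def compile_pb(src: Path, out_dir: Path, pbcompiler: str = "pbcompiler") -> Path:
    """Build one .pb source into an exe. Assumption: Windows pbcompiler /EXE form."""
    exe = out_dir / (src.stem + ".exe")
    subprocess.run([pbcompiler, str(src), "/EXE", str(exe)], check=True)
    return exe

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def lookup_hash(sha256: str, api_key: str):
    """Fetch the VT v3 file object for a hash; None if VT has never seen the file."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def summarise(report: dict) -> dict:
    """Reduce a VT file object to detections/total plus the engines that flagged it."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {eng: r["result"] for eng, r in results.items()
               if r["category"] in FLAGGED}
    total = sum(1 for r in results.values() if r["category"] not in NOT_SCANNED)
    return {"detections": len(flagged), "total": total, "engines": flagged}

# Constructed sample in the shape of a VT v3 response, not a real scan result.
SAMPLE = {"data": {"attributes": {"last_analysis_results": {
    "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
    "EngineB": {"category": "suspicious", "result": "PUA.Generic"},
    "EngineC": {"category": "undetected", "result": None},
    "EngineD": {"category": "type-unsupported", "result": None},
}}}}
```

To run it against a real build: compile_pb, then lookup_hash(sha256_file(exe), api_key) and pass the result to summarise; a None result means the hash is unknown to VirusTotal and would need uploading first.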