Opened 7 years ago

Closed 7 years ago

#8430 closed defect (fixed)

PyInstaller binaries detected as malware

Reported by: dcf
Owned by: erinn
Priority: Medium
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords:
Cc: asn, aallai
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


This is a summary of discussion about malware detection that happened mostly in email.

Blog comment showing VirusTotal analysis for obfsproxy.exe from the 2.4.7-alpha-1 flashproxy+pyobfsproxy bundles. The purported malware detected is variants of "Backdoor/Win32.Swrort.gen."

The bundles being detected as malware were built by Alex. David independently built his own and they had similar malware results. A trivial "hello, world" executable built by David had similar malware results.
David's obfsproxy.exe:
David's hello.exe:

We traced the issue to PyInstaller upstream. This is their ticket for the "Swrort" detection.

Alex and David built new 2.4.10-alpha-2 bundles (Alex, David) using PyInstaller commit 555e9f7f, which has a fix for the antivirus issue 603. (The 2.4.7-alpha-1 binaries were built with the PyInstaller 2.0 release.) However, they now test positive for different malware ("Gen:Variant.Strictor.20210").
Alex pyobfsproxy.exe:
David pyobfsproxy.exe:

Binaries from Nmap built with py2exe do not show any malware detection. Here is ndiff.exe from
Alex is testing py2exe to see if it works for the pluggable transports bundles.
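Added triage example (not part of the ticket, and not PyInstaller's or py2exe's own code): when a bundle is reported as malware, the first question is whether the hit is the packaging toolchain rather than the program, exactly the pattern above where a trivial hello.exe scored the same as obfsproxy.exe. The script below tells a PyInstaller build apart from other executables by the archive "cookie" the PyInstaller bootloader appends to the file (its magic bytes are MEI\014\013\012\013\016), and prints the SHA-256 so the file can be looked up on VirusTotal without uploading it. The sample inputs are constructed byte strings, not real binaries; the cookie field layout packed for the sample is the PyInstaller 2.x shape as I understand it and is an assumption, so only the magic is used for detection.

```python
"""Tell a PyInstaller-packaged executable apart from other executables.

Added example for the #8430 discussion, not code from the ticket or from
PyInstaller/py2exe. Detection relies only on the magic bytes at the start
of the CArchive cookie that PyInstaller's bootloader appends to the binary;
the rest of the cookie layout varies between PyInstaller versions.
"""
import hashlib
import struct

# Magic at the start of PyInstaller's archive cookie.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"


def sha256_hex(data: bytes) -> str:
    """Hash to paste into a VirusTotal search instead of uploading the file."""
    return hashlib.sha256(data).hexdigest()


def find_pyinstaller_cookie(data: bytes) -> int:
    """Offset of the last cookie magic in the file, or -1 if none.

    rfind is used because the cookie sits near the end of the file and an
    Authenticode signature may be appended after it.
    """
    return data.rfind(PYINSTALLER_MAGIC)


def triage(data: bytes) -> dict:
    """Summarise what a responder needs: hash, PE check, PyInstaller marker."""
    off = find_pyinstaller_cookie(data)
    return {
        "sha256": sha256_hex(data),
        "is_pe": data[:2] == b"MZ",
        "pyinstaller": off != -1,
        "cookie_offset": off,
    }


def build_sample(with_cookie: bool) -> bytes:
    """Constructed stand-in for a PE file (not a real binary).

    A minimal MZ header plus filler; when with_cookie is set, a cookie in
    the assumed PyInstaller 2.x layout (magic, archive length, TOC offset,
    TOC length, Python version) is appended the way the bootloader would.
    """
    body = b"MZ" + b"\x00" * 62
    body += b"This program cannot be run in DOS mode." + b"\x90" * 200
    if with_cookie:
        body += struct.pack("!8siiii", PYINSTALLER_MAGIC, 4096, 1024, 512, 27)
    return body


if __name__ == "__main__":
    samples = {
        "hello_pyinstaller.exe": build_sample(True),
        "ndiff_py2exe.exe": build_sample(False),
    }
    for name, blob in samples.items():
        print(name, triage(blob))
```

Run it against the real bundles by replacing the constructed samples with `open(path, "rb").read()`. A PyInstaller marker on a binary whose Python source is known to be benign points the investigation at the bootloader signature, which is the conclusion the ticket reached, and the hash lets you compare independently built copies (Alex's vs David's) before submitting anything.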

Child Tickets

Change History (3)

comment:1 Changed 7 years ago by dcf

PyInstaller's ticket for the new malware reports (commit 555e97f, "Strictor").
Runa contacted the antivirus companies involved and got a reply from at least F-Secure.

comment:2 Changed 7 years ago by runa

I contacted GData and BitDefender on Twitter, but have yet to hear back. BitDefender asked me to send them an email, which I did, but they have not confirmed that they have seen/read it. F-Secure is working on a fix (might be fixed at this point, actually).

comment:3 Changed 7 years ago by dcf

Resolution: fixed
Status: new → closed

py2exe seems to get rid of the false positives.
