PyInstaller binaries detected as malware
This is a summary of discussion about malware detection that happened mostly in email.
Blog comment showing VirusTotal analysis for obfsproxy.exe from the 2.4.7-alpha-1 flashproxy+pyobfsproxy bundles. The purported malware detected is variants of "Backdoor/Win32.Swrort.gen."
https://blog.torproject.org/blog/combined-flash-proxy-pyobfsproxy-browser-bundles#comment-18759
https://www.virustotal.com/en/file/b9c9357a2923520fbcecd1044e0aa58a323d4d3c94c08799415b61c0cfbe31b6/analysis/1361218309/
The bundles being detected as malware were built by Alex. David independently built his own and they had similar malware results. A trivial "hello, world" executable built by David had similar malware results.
David's obfsproxy.exe: https://www.virustotal.com/en/file/cdabf1ca98becd88392cd8249047efb3802d4142e922f04b23acbda6d08872ab/analysis/
David's hello.exe: https://www.virustotal.com/en/file/147eed31da492c98b0908f208e74be1c36136edbee81708a5940d11e3cd10760/analysis/
We traced the issue to PyInstaller upstream. This is their ticket for the "Swrort" detection: http://www.pyinstaller.org/ticket/603
Alex and David built new 2.4.10-alpha-2 bundles (Alex, David) using PyInstaller commit 555e9f7f, which has a fix for the antivirus issue 603. (The 2.4.7-alpha-1 binaries were built with the PyInstaller 2.0 release.) However, they now test positive for different malware ("Gen:Variant.Strictor.20210").
Alex's pyobfsproxy.exe: https://www.virustotal.com/en/file/9a12fc0773e939c246ff2269f930ce1e3cf903ddb81810e4f10d924da6c37e2d/analysis/
David's pyobfsproxy.exe: https://www.virustotal.com/en/file/5f2675b7d19d412c47655203273e2babc07ce1be31521a80ba9d579b70b07e15/analysis/
Binaries from Nmap built with py2exe do not show any malware detection. Here is ndiff.exe from http://nmap.org/dist/nmap-6.25-setup.exe:
https://www.virustotal.com/en/file/fee79b95d1e4439ce7b0a676943e5551c2cca56b72a0954ec206897c683676db/analysis/
Alex is testing py2exe to see if it works for the pluggable transports bundles.