Opened 7 years ago

Closed 7 years ago

#8430 closed defect (fixed)

PyInstaller binaries detected as malware

Reported by: dcf
Owned by: erinn
Priority: Medium
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords:
Cc: asn, aallai
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

This is a summary of discussion about malware detection that happened mostly in email.

Blog comment showing VirusTotal analysis for obfsproxy.exe from the 2.4.7-alpha-1 flashproxy+pyobfsproxy bundles. The purported malware detected consists of variants of "Backdoor/Win32.Swrort.gen."
https://blog.torproject.org/blog/combined-flash-proxy-pyobfsproxy-browser-bundles#comment-18759
https://www.virustotal.com/en/file/b9c9357a2923520fbcecd1044e0aa58a323d4d3c94c08799415b61c0cfbe31b6/analysis/1361218309/

The bundles being detected as malware were built by Alex. David independently built his own and they had similar malware results. A trivial "hello, world" executable built by David had similar malware results.
David's obfsproxy.exe: https://www.virustotal.com/en/file/cdabf1ca98becd88392cd8249047efb3802d4142e922f04b23acbda6d08872ab/analysis/
David's hello.exe: https://www.virustotal.com/en/file/147eed31da492c98b0908f208e74be1c36136edbee81708a5940d11e3cd10760/analysis/

We traced the issue to PyInstaller upstream. This is their ticket for the "Swrort" detection.
http://www.pyinstaller.org/ticket/603

Alex and David built new 2.4.10-alpha-2 bundles
(Alex, David) using PyInstaller commit 555e9f7f, which has a fix for the antivirus issue 603. (The 2.4.7-alpha-1 binaries were built with the PyInstaller 2.0 release.) However, they now test positive for different malware ("Gen:Variant.Strictor.20210").
Alex pyobfsproxy.exe: https://www.virustotal.com/en/file/9a12fc0773e939c246ff2269f930ce1e3cf903ddb81810e4f10d924da6c37e2d/analysis/
David pyobfsproxy.exe: https://www.virustotal.com/en/file/5f2675b7d19d412c47655203273e2babc07ce1be31521a80ba9d579b70b07e15/analysis/

Binaries from Nmap built with py2exe do not show any malware detection. Here is ndiff.exe from http://nmap.org/dist/nmap-6.25-setup.exe:
https://www.virustotal.com/en/file/fee79b95d1e4439ce7b0a676943e5551c2cca56b72a0954ec206897c683676db/analysis/
Alex is testing py2exe to see if it works for the pluggable transports bundles.

Change History (3)

comment:1 Changed 7 years ago by dcf

PyInstaller's ticket for the new malware reports (commit 555e97f, "Strictor").
http://www.pyinstaller.org/ticket/680
Runa contacted the antivirus companies involved and got a reply from at least F-Secure.

comment:2 Changed 7 years ago by runa

I contacted GData and BitDefender on Twitter, but have yet to hear back. BitDefender asked me to send them an email, which I did, but they have not confirmed that they have seen/read it. F-Secure is working on a fix (might be fixed at this point, actually).

comment:3 Changed 7 years ago by dcf

Resolution: fixed
Status: new → closed

py2exe seems to get rid of the false positives.