Haskell Platform 8.2.2 - virus? - ghc-devs - Haskell.org

newer
RE: Haskell Platform 8.2.2 - virus?

Haskell Platform 8.2.2 - virus?

older
How do I build basic GHC packages...

Matthew Lamari

28 Dec 2017 28 Dec '17

3:28 p.m.

New Haskell install was tripping my Bitdefender like crazy and in weird ways - not new as that's how bitdefender rolls. However, I retested in a clean test, with (free) Hitman Pro I started from a base case with 2 clean windows 8 VMs. New 8.2.2 install - has virus Old 8.0.2 Jan 2017 - no virus According to Hitman Pro, touchy.exe, haddock-8.2.2, ghc-8.2.2.exe, and unlit.exe have some problem post-install. I went no further on the VMs. "Detection Names Kaspersky Trojan-Downloader.Win32.Paph.fsv " Bitdefender didn't get it on install but would lock the whole thing down on the first run of "Cabal".

Reply

Sign in to reply online Use email software

Show replies by date

lonetiger＠gmail.com

28 Dec 28 Dec

4 p.m.

Upload one of the binaries it flagged to https://www.virustotal.com/en/ and send the link. As far as I can tell, they’re all clean https://www.virustotal.com/en/file/9cc2a6032dde8d8ab572f9491041242ab4c76d2b7... https://www.virustotal.com/en/file/5ffdaa7da4381637ab2a0ec327118cd933398a477... From: Matthew Lamari Sent: Thursday, December 28, 2017 20:29 To: ghc-devs@haskell.org Subject: Haskell Platform 8.2.2 - virus? New Haskell install was tripping my Bitdefender like crazy and in weird ways - not new as that's how bitdefender rolls. However, I retested in a clean test, with (free) Hitman Pro I started from a base case with 2 clean windows 8 VMs. New 8.2.2 install - has virus Old 8.0.2 Jan 2017 - no virus According to Hitman Pro, touchy.exe, haddock-8.2.2, ghc-8.2.2.exe, and unlit.exe have some problem post-install. I went no further on the VMs. "Detection Names Kaspersky Trojan-Downloader.Win32.Paph.fsv " Bitdefender didn't get it on install but would lock the whole thing down on the first run of "Cabal". _______________________________________________ ghc-devs mailing list ghc-devs@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs

Reply

Sign in to reply online Use email software

Matthew Lamari

4:15 p.m.

The site gave me the 5ffdaa sha256 you have below for touchy.exe. That said, I still have the 2 builds yield different results from Hitman Pro on the clean boxes. And Bitdefender, on my machine, (albeit being obtuse) chucks a fit over it. It doesn't detect the EXE files; but detects secondary consequences of them running. *I really think something is afoot here.* On 12/28/2017 3:00 PM, lonetiger@gmail.com wrote:

Upload one of the binaries it flagged to https://www.virustotal.com/en/ and send the link.

As far as I can tell, they’re all clean

https://www.virustotal.com/en/file/9cc2a6032dde8d8ab572f9491041242ab4c76d2b7...

https://www.virustotal.com/en/file/5ffdaa7da4381637ab2a0ec327118cd933398a477...

*From: *Matthew Lamari mailto:matt.lamari@gmail.com *Sent: *Thursday, December 28, 2017 20:29 *To: *ghc-devs@haskell.org mailto:ghc-devs@haskell.org *Subject: *Haskell Platform 8.2.2 - virus?

New Haskell install was tripping my Bitdefender like crazy and in weird

ways - not new as that's how bitdefender rolls. However, I retested in a

clean test, with (free) Hitman Pro

I started from a base case with 2 clean windows 8 VMs.

New 8.2.2 install - has virus

Old 8.0.2 Jan 2017 - no virus

According to Hitman Pro, touchy.exe, haddock-8.2.2, ghc-8.2.2.exe, and

unlit.exe have some problem post-install. I went no further on the VMs.

"Detection Names

Kaspersky Trojan-Downloader.Win32.Paph.fsv

"

Bitdefender didn't get it on install but would lock the whole thing down

on the first run of "Cabal".

_______________________________________________

ghc-devs mailing list

ghc-devs@haskell.org

http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs

Reply

Sign in to reply online Use email software

Brandon Allbery

4:29 p.m.

This wouldn't be the first time some program that uses heuristic execution patterns to detect malware decided it didn't like the STG. On Thu, Dec 28, 2017 at 4:15 PM, Matthew Lamari wrote:

The site gave me the 5ffdaa sha256 you have below for touchy.exe.

That said, I still have the 2 builds yield different results from Hitman Pro on the clean boxes. And Bitdefender, on my machine, (albeit being obtuse) chucks a fit over it. It doesn't detect the EXE files; but detects secondary consequences of them running.

*I really think something is afoot here.*

On 12/28/2017 3:00 PM, lonetiger@gmail.com wrote:

Upload one of the binaries it flagged to https://www.virustotal.com/en/ and send the link.

As far as I can tell, they’re all clean

https://www.virustotal.com/en/file/9cc2a6032dde8d8ab572f949104124 2ab4c76d2b7d36eea5283c82cf9bf9fd69/analysis/

https://www.virustotal.com/en/file/5ffdaa7da4381637ab2a0ec327118c d933398a477430e2f5d94e9d53c53f2782/analysis/

*From: *Matthew Lamari *Sent: *Thursday, December 28, 2017 20:29 *To: *ghc-devs@haskell.org *Subject: *Haskell Platform 8.2.2 - virus?

New Haskell install was tripping my Bitdefender like crazy and in weird

ways - not new as that's how bitdefender rolls. However, I retested in a

clean test, with (free) Hitman Pro

I started from a base case with 2 clean windows 8 VMs.

New 8.2.2 install - has virus

Old 8.0.2 Jan 2017 - no virus

According to Hitman Pro, touchy.exe, haddock-8.2.2, ghc-8.2.2.exe, and

unlit.exe have some problem post-install. I went no further on the VMs.

"Detection Names

Kaspersky Trojan-Downloader.Win32.Paph.fsv

"

Bitdefender didn't get it on install but would lock the whole thing down

on the first run of "Cabal".

_______________________________________________

ghc-devs mailing list

ghc-devs@haskell.org

http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs

_______________________________________________ ghc-devs mailing list ghc-devs@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs

-- brandon s allbery kf8nh sine nomine associates allbery.b@gmail.com ballbery@sinenomine.net unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net

Reply

Sign in to reply online Use email software

lonetiger＠gmail.com

5:01 p.m.

Yes, AV software, especially HitmanPro are not gospel. 67 other AVs came out clean. But let’s say for the sake of argument that they’re all wrong. “Trojan-Downloader” is a class of Trojan that downloads a payload. Which means they need to use a socket somehow. $ sha256sum.exe ghc-8.2.2/lib/bin/touchy.exe 5ffdaa7da4381637ab2a0ec327118cd933398a477430e2f5d94e9d53c53f2782 *ghc-8.2.2/lib/bin/touchy.exe Is the binary I’m looking it, it matches the hash on the total virus link and yours. This is the source of touchy https://github.com/ghc/ghc/blob/ghc-8.2/utils/touchy/touchy.c The application does not import Winsock, so networking seems more unlikely, but it imports GetProcAddress, so let’s say for the sake of argument it’s Dynamically binding to the socket library. http://lpaste.net/3408264924009332736 is the full string table. Which contains no ascii string starting with “WSA”. So unlikely since you need to name the function you want to call, and you need to initialize the sockets, so WSA. This is the full disassembly of touchy.exe http://lpaste.net/7667888088021991424 Below you’ll find an inline copy of main, it pretty much follows the source in touchy.c. I’m pretty confident that HitmanPro is just throwing a false positive, I won’t be going through the CRT startup code. Here’s main: 00000000004015c0 <main>: 4015c0: 41 57 push %r15 4015c2: 41 56 push %r14 4015c4: 41 55 push %r13 4015c6: 41 54 push %r12 4015c8: 55 push %rbp 4015c9: 57 push %rdi 4015ca: 56 push %rsi 4015cb: 53 push %rbx 4015cc: 48 83 ec 68 sub $0x68,%rsp 4015d0: 89 ce mov %ecx,%esi 4015d2: 48 89 d7 mov %rdx,%rdi 4015d5: e8 e6 02 00 00 callq 4018c0 <__main> 4015da: 83 fe 01 cmp $0x1,%esi 4015dd: 74 10 je 4015ef 4015df: b8 00 00 00 00 mov $0x0,%eax 4015e4: 83 fe 01 cmp $0x1,%esi 4015e7: 0f 8e 4d 01 00 00 jle 40173a 4015ed: eb 26 jmp 401615 4015ef: 48 8b 1f mov (%rdi),%rbx 4015f2: ff 15 1c 6d 00 00 callq *0x6d1c(%rip) # 408314 <__imp___iob_func> 4015f8: 48 8d 48 60 lea 0x60(%rax),%rcx 4015fc: 49 89 d8 mov %rbx,%r8 4015ff: 48 8d 15 2a 2a 00 00 lea 0x2a2a(%rip),%rdx # 404030 <.rdata> 401606: e8 65 17 00 00 callq 402d70 <fprintf> 40160b: b8 01 00 00 00 mov $0x1,%eax 401610: e9 25 01 00 00 jmpq 40173a 401615: 48 8d 5f 08 lea 0x8(%rdi),%rbx 401619: 8d 46 fe lea -0x2(%rsi),%eax 40161c: 4c 8d 7c c7 10 lea 0x10(%rdi,%rax,8),%r15 401621: 4c 8b 2d ec 6b 00 00 mov 0x6bec(%rip),%r13 # 408214 <__imp_CreateFileA> 401628: 48 8d 7c 24 50 lea 0x50(%rsp),%rdi 40162d: 4c 8b 25 30 6c 00 00 mov 0x6c30(%rip),%r12 # 408264 <__imp_GetSystemTimeAsFileTime> 401634: 48 8b 2d 71 6c 00 00 mov 0x6c71(%rip),%rbp # 4082ac <__imp_SetFileTime> 40163b: 4c 8b 35 ca 6b 00 00 mov 0x6bca(%rip),%r14 # 40820c <__IAT_start__> 401642: 48 89 5c 24 48 mov %rbx,0x48(%rsp) 401647: 48 c7 44 24 30 00 00 movq $0x0,0x30(%rsp) 40164e: 00 00 401650: c7 44 24 28 80 00 00 movl $0x80,0x28(%rsp) 401657: 00 401658: c7 44 24 20 04 00 00 movl $0x4,0x20(%rsp) 40165f: 00 401660: 41 b9 00 00 00 00 mov $0x0,%r9d 401666: 41 b8 00 00 00 00 mov $0x0,%r8d 40166c: ba 00 00 00 40 mov $0x40000000,%edx 401671: 48 8b 0b mov (%rbx),%rcx 401674: 41 ff d5 callq *%r13 401677: 48 89 c6 mov %rax,%rsi 40167a: 48 83 f8 ff cmp $0xffffffffffffffff,%rax 40167e: 75 2b jne 4016ab 401680: 48 8b 44 24 48 mov 0x48(%rsp),%rax 401685: 48 8b 18 mov (%rax),%rbx 401688: ff 15 86 6c 00 00 callq *0x6c86(%rip) # 408314 <__imp___iob_func> 40168e: 48 8d 48 60 lea 0x60(%rax),%rcx 401692: 49 89 d8 mov %rbx,%r8 401695: 48 8d 15 a7 29 00 00 lea 0x29a7(%rip),%rdx # 404043 <.rdata+0x13> 40169c: e8 cf 16 00 00 callq 402d70 <fprintf> 4016a1: b9 01 00 00 00 mov $0x1,%ecx 4016a6: e8 cd 16 00 00 callq 402d78 <exit> 4016ab: 48 89 f9 mov %rdi,%rcx 4016ae: 41 ff d4 callq *%r12 4016b1: 49 89 f9 mov %rdi,%r9 4016b4: 41 b8 00 00 00 00 mov $0x0,%r8d 4016ba: ba 00 00 00 00 mov $0x0,%edx 4016bf: 48 89 f1 mov %rsi,%rcx 4016c2: ff d5 callq *%rbp 4016c4: 85 c0 test %eax,%eax 4016c6: 75 2b jne 4016f3 4016c8: 48 8b 44 24 48 mov 0x48(%rsp),%rax 4016cd: 48 8b 18 mov (%rax),%rbx 4016d0: ff 15 3e 6c 00 00 callq *0x6c3e(%rip) # 408314 <__imp___iob_func> 4016d6: 48 8d 48 60 lea 0x60(%rax),%rcx 4016da: 49 89 d8 mov %rbx,%r8 4016dd: 48 8d 15 74 29 00 00 lea 0x2974(%rip),%rdx # 404058 <.rdata+0x28> 4016e4: e8 87 16 00 00 callq 402d70 <fprintf> 4016e9: b9 01 00 00 00 mov $0x1,%ecx 4016ee: e8 85 16 00 00 callq 402d78 <exit> 4016f3: 48 89 f1 mov %rsi,%rcx 4016f6: 41 ff d6 callq *%r14 4016f9: 85 c0 test %eax,%eax 4016fb: 75 2b jne 401728 4016fd: 48 8b 44 24 48 mov 0x48(%rsp),%rax 401702: 48 8b 18 mov (%rax),%rbx 401705: ff 15 09 6c 00 00 callq *0x6c09(%rip) # 408314 <__imp___iob_func> 40170b: 48 8d 48 60 lea 0x60(%rax),%rcx 40170f: 49 89 d8 mov %rbx,%r8 401712: 48 8d 15 62 29 00 00 lea 0x2962(%rip),%rdx # 40407b <.rdata+0x4b> 401719: e8 52 16 00 00 callq 402d70 <fprintf> 40171e: b9 01 00 00 00 mov $0x1,%ecx 401723: e8 50 16 00 00 callq 402d78 <exit> 401728: 48 83 c3 08 add $0x8,%rbx 40172c: 4c 39 fb cmp %r15,%rbx 40172f: 0f 85 0d ff ff ff jne 401642 401735: b8 00 00 00 00 mov $0x0,%eax 40173a: 48 83 c4 68 add $0x68,%rsp 40173e: 5b pop %rbx 40173f: 5e pop %rsi 401740: 5f pop %rdi 401741: 5d pop %rbp 401742: 41 5c pop %r12 401744: 41 5d pop %r13 401746: 41 5e pop %r14 401748: 41 5f pop %r15 40174a: c3 retq 40174b: 90 nop 40174c: 90 nop 40174d: 90 nop 40174e: 90 nop 40174f: 90 nop From: Brandon Allbery Sent: Thursday, December 28, 2017 21:29 To: Matthew Lamari Cc: lonetiger@gmail.com; ghc-devs@haskell.org Subject: Re: Haskell Platform 8.2.2 - virus? This wouldn't be the first time some program that uses heuristic execution patterns to detect malware decided it didn't like the STG. On Thu, Dec 28, 2017 at 4:15 PM, Matthew Lamari wrote: The site gave me the 5ffdaa sha256 you have below for touchy.exe. That said, I still have the 2 builds yield different results from Hitman Pro on the clean boxes. And Bitdefender, on my machine, (albeit being obtuse) chucks a fit over it. It doesn't detect the EXE files; but detects secondary consequences of them running. I really think something is afoot here. On 12/28/2017 3:00 PM, lonetiger@gmail.com wrote: Upload one of the binaries it flagged to https://www.virustotal.com/en/ and send the link. As far as I can tell, they’re all clean https://www.virustotal.com/en/file/9cc2a6032dde8d8ab572f9491041242ab4c76d2b7... https://www.virustotal.com/en/file/5ffdaa7da4381637ab2a0ec327118cd933398a477... From: Matthew Lamari Sent: Thursday, December 28, 2017 20:29 To: ghc-devs@haskell.org Subject: Haskell Platform 8.2.2 - virus? New Haskell install was tripping my Bitdefender like crazy and in weird ways - not new as that's how bitdefender rolls. However, I retested in a clean test, with (free) Hitman Pro I started from a base case with 2 clean windows 8 VMs. New 8.2.2 install - has virus Old 8.0.2 Jan 2017 - no virus According to Hitman Pro, touchy.exe, haddock-8.2.2, ghc-8.2.2.exe, and unlit.exe have some problem post-install. I went no further on the VMs. "Detection Names Kaspersky Trojan-Downloader.Win32.Paph.fsv " Bitdefender didn't get it on install but would lock the whole thing down on the first run of "Cabal". _______________________________________________ ghc-devs mailing list ghc-devs@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs _______________________________________________ ghc-devs mailing list ghc-devs@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs -- brandon s allbery kf8nh sine nomine associates allbery.b@gmail.com ballbery@sinenomine.net unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net

Reply

Sign in to reply online Use email software

2700

Age (days ago)

2700

Last active (days ago)

Download

4 comments

3 participants

tags

participants (3)

Brandon Allbery
lonetiger＠gmail.com
Matthew Lamari