Haskell Platform 8.2.2 - virus?
lonetiger at gmail.com
Thu Dec 28 22:01:17 UTC 2017
Yes, AV software, especially HitmanPro, is not gospel.
67 other AVs came out clean. But let’s say for the sake of argument that they’re all wrong.
“Trojan-Downloader” is a class of Trojan that downloads a payload. Which means they need to use a socket somehow.
$ sha256sum.exe ghc-8.2.2/lib/bin/touchy.exe
5ffdaa7da4381637ab2a0ec327118cd933398a477430e2f5d94e9d53c53f2782 *ghc-8.2.2/lib/bin/touchy.exe
is the binary I’m looking at; it matches the hash on the VirusTotal link and yours.
This is the source of touchy https://github.com/ghc/ghc/blob/ghc-8.2/utils/touchy/touchy.c
The application does not import Winsock, so networking seems more unlikely, but it imports GetProcAddress, so let’s say for the sake of argument it’s dynamically binding to the socket library.
http://lpaste.net/3408264924009332736 is the full string table. It contains no ASCII string starting with “WSA”. So unlikely, since you need to name the function you want to call, and you need to initialize the sockets, so WSA.
This is the full disassembly of touchy.exe
http://lpaste.net/7667888088021991424
Below you’ll find an inline copy of main; it pretty much follows the source in touchy.c.
I’m pretty confident that HitmanPro is just throwing a false positive; I won’t be going through the CRT startup code.
Here’s main:
00000000004015c0 <main>:
4015c0: 41 57 push %r15
4015c2: 41 56 push %r14
4015c4: 41 55 push %r13
4015c6: 41 54 push %r12
4015c8: 55 push %rbp
4015c9: 57 push %rdi
4015ca: 56 push %rsi
4015cb: 53 push %rbx
4015cc: 48 83 ec 68 sub $0x68,%rsp
4015d0: 89 ce mov %ecx,%esi
4015d2: 48 89 d7 mov %rdx,%rdi
4015d5: e8 e6 02 00 00 callq 4018c0 <__main>
4015da: 83 fe 01 cmp $0x1,%esi
4015dd: 74 10 je 4015ef <main+0x2f>
4015df: b8 00 00 00 00 mov $0x0,%eax
4015e4: 83 fe 01 cmp $0x1,%esi
4015e7: 0f 8e 4d 01 00 00 jle 40173a <main+0x17a>
4015ed: eb 26 jmp 401615 <main+0x55>
4015ef: 48 8b 1f mov (%rdi),%rbx
4015f2: ff 15 1c 6d 00 00 callq *0x6d1c(%rip) # 408314 <__imp___iob_func>
4015f8: 48 8d 48 60 lea 0x60(%rax),%rcx
4015fc: 49 89 d8 mov %rbx,%r8
4015ff: 48 8d 15 2a 2a 00 00 lea 0x2a2a(%rip),%rdx # 404030 <.rdata>
401606: e8 65 17 00 00 callq 402d70 <fprintf>
40160b: b8 01 00 00 00 mov $0x1,%eax
401610: e9 25 01 00 00 jmpq 40173a <main+0x17a>
401615: 48 8d 5f 08 lea 0x8(%rdi),%rbx
401619: 8d 46 fe lea -0x2(%rsi),%eax
40161c: 4c 8d 7c c7 10 lea 0x10(%rdi,%rax,8),%r15
401621: 4c 8b 2d ec 6b 00 00 mov 0x6bec(%rip),%r13 # 408214 <__imp_CreateFileA>
401628: 48 8d 7c 24 50 lea 0x50(%rsp),%rdi
40162d: 4c 8b 25 30 6c 00 00 mov 0x6c30(%rip),%r12 # 408264 <__imp_GetSystemTimeAsFileTime>
401634: 48 8b 2d 71 6c 00 00 mov 0x6c71(%rip),%rbp # 4082ac <__imp_SetFileTime>
40163b: 4c 8b 35 ca 6b 00 00 mov 0x6bca(%rip),%r14 # 40820c <__IAT_start__>
401642: 48 89 5c 24 48 mov %rbx,0x48(%rsp)
401647: 48 c7 44 24 30 00 00 movq $0x0,0x30(%rsp)
40164e: 00 00
401650: c7 44 24 28 80 00 00 movl $0x80,0x28(%rsp)
401657: 00
401658: c7 44 24 20 04 00 00 movl $0x4,0x20(%rsp)
40165f: 00
401660: 41 b9 00 00 00 00 mov $0x0,%r9d
401666: 41 b8 00 00 00 00 mov $0x0,%r8d
40166c: ba 00 00 00 40 mov $0x40000000,%edx
401671: 48 8b 0b mov (%rbx),%rcx
401674: 41 ff d5 callq *%r13
401677: 48 89 c6 mov %rax,%rsi
40167a: 48 83 f8 ff cmp $0xffffffffffffffff,%rax
40167e: 75 2b jne 4016ab <main+0xeb>
401680: 48 8b 44 24 48 mov 0x48(%rsp),%rax
401685: 48 8b 18 mov (%rax),%rbx
401688: ff 15 86 6c 00 00 callq *0x6c86(%rip) # 408314 <__imp___iob_func>
40168e: 48 8d 48 60 lea 0x60(%rax),%rcx
401692: 49 89 d8 mov %rbx,%r8
401695: 48 8d 15 a7 29 00 00 lea 0x29a7(%rip),%rdx # 404043 <.rdata+0x13>
40169c: e8 cf 16 00 00 callq 402d70 <fprintf>
4016a1: b9 01 00 00 00 mov $0x1,%ecx
4016a6: e8 cd 16 00 00 callq 402d78 <exit>
4016ab: 48 89 f9 mov %rdi,%rcx
4016ae: 41 ff d4 callq *%r12
4016b1: 49 89 f9 mov %rdi,%r9
4016b4: 41 b8 00 00 00 00 mov $0x0,%r8d
4016ba: ba 00 00 00 00 mov $0x0,%edx
4016bf: 48 89 f1 mov %rsi,%rcx
4016c2: ff d5 callq *%rbp
4016c4: 85 c0 test %eax,%eax
4016c6: 75 2b jne 4016f3 <main+0x133>
4016c8: 48 8b 44 24 48 mov 0x48(%rsp),%rax
4016cd: 48 8b 18 mov (%rax),%rbx
4016d0: ff 15 3e 6c 00 00 callq *0x6c3e(%rip) # 408314 <__imp___iob_func>
4016d6: 48 8d 48 60 lea 0x60(%rax),%rcx
4016da: 49 89 d8 mov %rbx,%r8
4016dd: 48 8d 15 74 29 00 00 lea 0x2974(%rip),%rdx # 404058 <.rdata+0x28>
4016e4: e8 87 16 00 00 callq 402d70 <fprintf>
4016e9: b9 01 00 00 00 mov $0x1,%ecx
4016ee: e8 85 16 00 00 callq 402d78 <exit>
4016f3: 48 89 f1 mov %rsi,%rcx
4016f6: 41 ff d6 callq *%r14
4016f9: 85 c0 test %eax,%eax
4016fb: 75 2b jne 401728 <main+0x168>
4016fd: 48 8b 44 24 48 mov 0x48(%rsp),%rax
401702: 48 8b 18 mov (%rax),%rbx
401705: ff 15 09 6c 00 00 callq *0x6c09(%rip) # 408314 <__imp___iob_func>
40170b: 48 8d 48 60 lea 0x60(%rax),%rcx
40170f: 49 89 d8 mov %rbx,%r8
401712: 48 8d 15 62 29 00 00 lea 0x2962(%rip),%rdx # 40407b <.rdata+0x4b>
401719: e8 52 16 00 00 callq 402d70 <fprintf>
40171e: b9 01 00 00 00 mov $0x1,%ecx
401723: e8 50 16 00 00 callq 402d78 <exit>
401728: 48 83 c3 08 add $0x8,%rbx
40172c: 4c 39 fb cmp %r15,%rbx
40172f: 0f 85 0d ff ff ff jne 401642 <main+0x82>
401735: b8 00 00 00 00 mov $0x0,%eax
40173a: 48 83 c4 68 add $0x68,%rsp
40173e: 5b pop %rbx
40173f: 5e pop %rsi
401740: 5f pop %rdi
401741: 5d pop %rbp
401742: 41 5c pop %r12
401744: 41 5d pop %r13
401746: 41 5e pop %r14
401748: 41 5f pop %r15
40174a: c3 retq
40174b: 90 nop
40174c: 90 nop
40174d: 90 nop
40174e: 90 nop
40174f: 90 nop
From: Brandon Allbery
Sent: Thursday, December 28, 2017 21:29
To: Matthew Lamari
Cc: lonetiger at gmail.com; ghc-devs at haskell.org
Subject: Re: Haskell Platform 8.2.2 - virus?
This wouldn't be the first time some program that uses heuristic execution patterns to detect malware decided it didn't like the STG.
On Thu, Dec 28, 2017 at 4:15 PM, Matthew Lamari <matt.lamari at gmail.com> wrote:
The site gave me the 5ffdaa sha256 you have below for touchy.exe.
That said, I still have the 2 builds yield different results from Hitman Pro on the clean boxes. And Bitdefender, on my machine, (albeit being obtuse) chucks a fit over it. It doesn't detect the EXE files; but detects secondary consequences of them running.
I really think something is afoot here.
On 12/28/2017 3:00 PM, lonetiger at gmail.com wrote:
Upload one of the binaries it flagged to https://www.virustotal.com/en/ and send the link.
As far as I can tell, they’re all clean.
https://www.virustotal.com/en/file/9cc2a6032dde8d8ab572f9491041242ab4c76d2b7d36eea5283c82cf9bf9fd69/analysis/
https://www.virustotal.com/en/file/5ffdaa7da4381637ab2a0ec327118cd933398a477430e2f5d94e9d53c53f2782/analysis/
From: Matthew Lamari
Sent: Thursday, December 28, 2017 20:29
To: ghc-devs at haskell.org
Subject: Haskell Platform 8.2.2 - virus?
New Haskell install was tripping my Bitdefender like crazy and in weird ways - not new, as that's how Bitdefender rolls. However, I retested in a clean test, with (free) Hitman Pro.
I started from a base case with 2 clean windows 8 VMs.
New 8.2.2 install - has virus
Old 8.0.2 Jan 2017 - no virus
According to Hitman Pro, touchy.exe, haddock-8.2.2, ghc-8.2.2.exe, and unlit.exe have some problem post-install. I went no further on the VMs.
"Detection Names
Kaspersky Trojan-Downloader.Win32.Paph.fsv
"
Bitdefender didn't get it on install but would lock the whole thing down on the first run of "Cabal".
_______________________________________________
ghc-devs mailing list
ghc-devs at haskell.org
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs
--
brandon s allbery kf8nh sine nomine associates
allbery.b at gmail.com ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net
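As an added example, not code from the thread or from GHC: the import-table and “WSA” string checks made above, done programmatically with a minimal walker for the import directory of a PE32+ (x64) file. The networking DLL list, build_sample_pe and the two sample images are my own constructions; a real file would be passed in as the bytes read from disk.

```python
import re, struct
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}  # what a downloader needs (triage only)
_cstr = lambda data, off: data[off:data.index(b"\0", off)].decode("ascii", "replace")   # NUL-terminated string
def _rva(sections, rva):
    # Map a relative virtual address to a file offset through the section table.
    for va, ptr, size in sections:
        if va <= rva < va + size:
            return rva - va + ptr
    raise ValueError("RVA 0x%x not mapped" % rva)
def pe_imports(data):
    # Walk the import directory of a PE32+ (x64) file and return {dll: [function names]}.
    pe = struct.unpack_from("<I", data, 0x3C)[0]; opt = pe + 24    # e_lfanew; optional header follows the COFF header
    if data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    sections = [(va, ptr, size) for va, size, ptr in
                (struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsec))]
    imp_rva, imports = struct.unpack_from("<I", data, opt + 120)[0], {}   # DataDirectory[1] = import table
    desc = _rva(sections, imp_rva) if imp_rva else None
    while desc is not None and (d := struct.unpack_from("<5I", data, desc))[3]:   # Name == 0 ends the table
        funcs, thunk = [], _rva(sections, d[0] or d[4])   # OriginalFirstThunk, else FirstThunk
        while (entry := struct.unpack_from("<Q", data, thunk)[0]):   # high bit = ordinal; else RVA of hint+name
            funcs.append("#%d" % (entry & 0xFFFF) if entry >> 63 else _cstr(data, _rva(sections, entry) + 2))
            thunk += 8
        imports[_cstr(data, _rva(sections, d[3])).lower()] = funcs
        desc += 20
    return imports
def network_indicators(data):
    # The thread's two checks: imports from networking DLLs, and any "WSA*" ASCII strings.
    hits = {dll: funcs for dll, funcs in pe_imports(data).items() if dll in NETWORK_DLLS}
    return hits, sorted({m.decode() for m in re.findall(rb"WSA[A-Za-z]+", data)})
def build_sample_pe(dlls):
    # Constructed minimal PE32+: headers plus one section holding only an import directory.
    va, raw, body = 0x1000, 0x200, bytearray(20 * (len(dlls) + 1))
    for i, (dll, names) in enumerate(dlls.items()):
        thunks = []
        for n in names:                                  # IMAGE_IMPORT_BY_NAME: 2-byte hint + name
            thunks.append(va + len(body)); body += b"\0\0" + n.encode() + b"\0"
        name_rva = va + len(body); body += dll.encode() + b"\0"
        ft = va + len(body); body += b"".join(struct.pack("<Q", t) for t in thunks) + bytes(8)
        struct.pack_into("<5I", body, 20 * i, ft, 0, 0, name_rva, ft)
    hdr = struct.pack("<60xI", 0x40) + b"PE\0\0" + struct.pack("<HH12xHH", 0x8664, 1, 240, 0)
    hdr += struct.pack("<H110x8xII", 0x20B, va, 20 * (len(dlls) + 1)).ljust(240, b"\0")
    hdr += struct.pack("<8x4xIII", va, len(body), raw).ljust(40, b"\0")
    return hdr.ljust(raw, b"\0") + bytes(body)
# Constructed samples: an import set like touchy.exe's, and a downloader-shaped one.
TOUCHY_LIKE = build_sample_pe({"KERNEL32.dll": ["CreateFileA", "GetSystemTimeAsFileTime", "SetFileTime"], "msvcrt.dll": ["fprintf", "exit"]})
DOWNLOADER_LIKE = build_sample_pe({"WS2_32.dll": ["WSAStartup", "socket", "connect"]})
```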