Wireshark-users: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Sun, 1 Nov 2015 10:54:10 -0800
Have you uploaded them to virustotal.com? What does it say? On 11/1/15 10:45 AM, gedropi@xxxxxxxxxxx wrote: > So the puzzle is about the remaining trojans. The trojans associated > with the other networking tools. Here is my version info per > Help>About: > main = 55 > daily = 21031 > updated = Oct 30, 2015 > > > On Sun, Nov 1, 2015, at 10:41 AM, Gerald Combs wrote: >> The only report I've seen so far on the buildbots is >> Win.Adware.Outbrowse-1168 in the NSIS uninstaller: >> >> C:\[...]\build\cmbuild\run\RelWithDebInfo\uninstall.exe: >> Win.Adware.Outbrowse-1168 FOUND >> >> On 11/1/15 10:38 AM, gedropi@xxxxxxxxxxx wrote: >>> Are you referring to only the Wireshark/WinPCap trojan or all of the >>> trojans? Thanks >>> >>> On Sun, Nov 1, 2015, at 10:32 AM, Gerald Combs wrote: >>>> That should've been: >>>> >>>> ---- >>>> Sun Nov 1 17:29:10 2015 -> ClamAV update process started at Sun Nov 1 >>>> 17:29:10 2015 >>>> Sun Nov 1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs: >>>> 2424225, f-level: 60, builder: neo) >>>> Sun Nov 1 17:29:10 2015 -> daily.cld is up to date (version: 21032, >>>> sigs: 1645531, f-level: 63, builder: shurley) >>>> Sun Nov 1 17:29:10 2015 -> bytecode.cld is up to date (version: 269, >>>> sigs: 47, f-level: 63, builder: anvilleg) >>>> ---- >>>> >>>> That is, daily.cld version 21032 does not report the trojan. 21031 does. >>>> IIRC 21030 reported the trojan on Friday as well. >>>> >>>> On 11/1/15 10:25 AM, gedropi@xxxxxxxxxxx wrote: >>>>> ClamAV update process started at Sun Nov 01 05:58:39 2015 >>>>> >>>>> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, >>>>> builder: neo) >>>>> daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63, >>>>> builder: neo) >>>>> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, >>>>> builder: anvilleg) >>>>> >>>>> Thanks for your response. >>>>> >>>>> >>>>> On Sun, Nov 1, 2015, at 10:14 AM, Gerald Combs wrote: >>>>>> Which versions of the main, daily, and bytecode databases are you using? >>>>>> On Friday clamscan was reporting that Win.Adware.Outbrowse-1168 was >>>>>> present in some of the 32-bit Windows installers. >>>>>> >>>>>> If I run clamscan today with the following database versions on the same >>>>>> files the scans come up clean: >>>>>> >>>>>> ---- >>>>>> Sun Nov 1 08:27:42 2015 -> ClamAV update process started at Sun Nov 1 >>>>>> 08:27:42 2015 >>>>>> Sun Nov 1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs: >>>>>> 2424225, f-level: 60, builder: neo) >>>>>> Sun Nov 1 08:27:43 2015 -> daily.cld is up to date (version: 21031, >>>>>> sigs: 1645560, f-level: 63, builder: neo) >>>>>> Sun Nov 1 08:27:43 2015 -> bytecode.cld is up to date (version: 269, >>>>>> sigs: 47, f-level: 63, builder: anvilleg) >>>>>> ---- >>>>>> >>>>>> >>>>>> Note that AV false positives happen often enough that we maintain a list: >>>>>> >>>>>> https://wiki.wireshark.org/FalsePositives >>>>>> >>>>>> As does the NSIS team (which tends to impact the Wireshark and WinPcap >>>>>> installers): >>>>>> >>>>>> http://nsis.sourceforge.net/NSIS_False_Positives >>>>>> >>>>>> >>>>>> On 11/1/15 9:46 AM, gedropi@xxxxxxxxxxx wrote: >>>>>>> Yes I am. But these trojans were not present a on the 28th of October. >>>>>>> Meaning that the database update since the 28th would have had to have >>>>>>> contained this misinformation. I have contacted ClamAV but they have not >>>>>>> responded yet. SANS is involved in this issue as well. >>>>>>> >>>>>>> On Sun, Nov 1, 2015, at 09:12 AM, Pascal Quantin wrote: >>>>>>>> 2015-11-01 17:58 GMT+01:00 <gedropi@xxxxxxxxxxx>: >>>>>>>> >>>>>>>>> >>>>>>>>> After discovering the attached trojans during a scan on the 30th, I >>>>>>>>> removed infected files, scrubbed the registry, repeated the scan. Nada. >>>>>>>>> Then, I needed to replace the networking tools by downloading fresh >>>>>>>>> copies of the removed, infected exe files. Upon downloading various >>>>>>>>> tools from their respective websites, I repeated the virus scan to be >>>>>>>>> sure. All newly downloaded exe files were again infected with the same >>>>>>>>> trojans. >>>>>>>>> >>>>>>>>> Since all the Wireshark & WinPCap files were affected, I was wondering >>>>>>>>> if any of you out there have had the same experience? >>>>>>>>> >>>>>>>>> I hope that someone can help me brainstorm for a fix. I need to use the >>>>>>>>> tools of the trade. >>>>>>>>> >>>>>>>>> Thanks for any ideas. >>>>>>>>> >>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> Are you using ClamAV by any chance? as reported by Gerald Comb >>>>>>>> (Wireshark's >>>>>>>> leader) on the development list ( >>>>>>>> https://www.wireshark.org/lists/wireshark-dev/201510/msg00125.html) this >>>>>>>> seems to be a false positive reported to clamav.net. >>>>>>>> >>>>>>>> Best regards, >>>>>>>> Pascal. >>>>>>>> ___________________________________________________________________________ >>>>>>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >>>>>>>> Archives: https://www.wireshark.org/lists/wireshark-users >>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>>>> ___________________________________________________________________________ >>>>>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >>>>>>> Archives: https://www.wireshark.org/lists/wireshark-users >>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>>>> >>>>>> >>>>>> ___________________________________________________________________________ >>>>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >>>>>> Archives: https://www.wireshark.org/lists/wireshark-users >>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>> ___________________________________________________________________________ >>>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >>>>> Archives: https://www.wireshark.org/lists/wireshark-users >>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>>> >>>> >>>> ___________________________________________________________________________ >>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >>>> Archives: https://www.wireshark.org/lists/wireshark-users >>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>> >>>> >>>> ___________________________________________________________________________ >>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >>>> Archives: https://www.wireshark.org/lists/wireshark-users >>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> >> ___________________________________________________________________________ >> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >> Archives: https://www.wireshark.org/lists/wireshark-users >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe > ___________________________________________________________________________ > Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > Archives: https://www.wireshark.org/lists/wireshark-users > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >
- Follow-Ups:
- References:
- [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: gedropi
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: Pascal Quantin
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: gedropi
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: Gerald Combs
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: gedropi
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: Gerald Combs
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: gedropi
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: Gerald Combs
- Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- From: gedropi
- [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- Prev by Date: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- Next by Date: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- Previous by thread: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- Next by thread: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
- Index(es):
- Get Wireshark
- Download
- Code of Conduct