Wireshark-dev: Re: [Wireshark-dev] Wireshark and TeslaCrypt

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Thu, 3 Mar 2016 18:10:57 +0000


On 3 March 2016 at 17:50, Rich Rauenzahn <rrauenza@xxxxxxxxx> wrote:
Hi,

I downloaded Wireshark a month or more ago to our Windows computer,
but I think I didn't install it -- I think I had an older version
already installed, and so left it as is in my Download folder.

This morning Malwarebytes detected the Wireshark installer (I believe
its the installer -- I'm getting this 2nd hand from home) as
containing TeslaCrypt.  (I've also downloaded the latest WireShark
installer here at work as well and it passes the scan.)

I think the binary was removed, not quarantined, but I'll check in
more detail when I get home this evening.  If I can find the actual
binary, I could submit it to Malwarebytes for false positive
verification.

I suspect its a false positive, but it seems important enough that I
ought to query here.  Is it possible that Wireshark has TeslaCrypt
signatures embedded in it for its own TeslaCrypt traffic detection?

Rich


Likely to be another false positive, see the wiki page here for more info: https://wiki.wireshark.org/FalsePositives

Wireshark, to my knowledge, doesn't have dissectors for malware so is unlikely to have their signatures in the binaries.

--
Graham Bloice