Wireshark-users: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc

From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Sun, 1 Nov 2015 10:54:10 -0800
Have you uploaded them to virustotal.com? What does it say?

On 11/1/15 10:45 AM, gedropi@xxxxxxxxxxx wrote:
> So the puzzle  is about the remaining trojans.  The trojans associated
> with the other networking tools.  Here is my version info per
> Help>About:
> main = 55
> daily = 21031
> updated = Oct 30, 2015
> 
> 
> On Sun, Nov 1, 2015, at 10:41 AM, Gerald Combs wrote:
>> The only report I've seen so far on the buildbots is
>> Win.Adware.Outbrowse-1168 in the NSIS uninstaller:
>>
>> C:\[...]\build\cmbuild\run\RelWithDebInfo\uninstall.exe:
>> Win.Adware.Outbrowse-1168 FOUND
>>
>> On 11/1/15 10:38 AM, gedropi@xxxxxxxxxxx wrote:
>>> Are you referring to only the Wireshark/WinPCap trojan or all of the
>>> trojans?  Thanks
>>>
>>> On Sun, Nov 1, 2015, at 10:32 AM, Gerald Combs wrote:
>>>> That should've been:
>>>>
>>>> ----
>>>> Sun Nov  1 17:29:10 2015 -> ClamAV update process started at Sun Nov  1
>>>> 17:29:10 2015
>>>> Sun Nov  1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs:
>>>> 2424225, f-level: 60, builder: neo)
>>>> Sun Nov  1 17:29:10 2015 -> daily.cld is up to date (version: 21032,
>>>> sigs: 1645531, f-level: 63, builder: shurley)
>>>> Sun Nov  1 17:29:10 2015 -> bytecode.cld is up to date (version: 269,
>>>> sigs: 47, f-level: 63, builder: anvilleg)
>>>> ----
>>>>
>>>> That is, daily.cld version 21032 does not report the trojan. 21031 does.
>>>> IIRC 21030 reported the trojan on Friday as well.
>>>>
>>>> On 11/1/15 10:25 AM, gedropi@xxxxxxxxxxx wrote:
>>>>> ClamAV update process started at Sun Nov 01 05:58:39 2015
>>>>>
>>>>> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60,
>>>>> builder: neo)
>>>>> daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63,
>>>>> builder: neo)
>>>>> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63,
>>>>> builder: anvilleg)
>>>>>
>>>>> Thanks for your response.
>>>>>
>>>>>
>>>>> On Sun, Nov 1, 2015, at 10:14 AM, Gerald Combs wrote:
>>>>>> Which versions of the main, daily, and bytecode databases are you using?
>>>>>> On Friday clamscan was reporting that Win.Adware.Outbrowse-1168 was
>>>>>> present in some of the 32-bit Windows installers.
>>>>>>
>>>>>> If I run clamscan today with the following database versions on the same
>>>>>> files the scans come up clean:
>>>>>>
>>>>>> ----
>>>>>> Sun Nov  1 08:27:42 2015 -> ClamAV update process started at Sun Nov  1
>>>>>> 08:27:42 2015
>>>>>> Sun Nov  1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs:
>>>>>> 2424225, f-level: 60, builder: neo)
>>>>>> Sun Nov  1 08:27:43 2015 -> daily.cld is up to date (version: 21031,
>>>>>> sigs: 1645560, f-level: 63, builder: neo)
>>>>>> Sun Nov  1 08:27:43 2015 -> bytecode.cld is up to date (version: 269,
>>>>>> sigs: 47, f-level: 63, builder: anvilleg)
>>>>>> ----
>>>>>>
>>>>>>
>>>>>> Note that AV false positives happen often enough that we maintain a list:
>>>>>>
>>>>>> https://wiki.wireshark.org/FalsePositives
>>>>>>
>>>>>> As does the NSIS team (which tends to impact the Wireshark and WinPcap
>>>>>> installers):
>>>>>>
>>>>>> http://nsis.sourceforge.net/NSIS_False_Positives
>>>>>>
>>>>>>
>>>>>> On 11/1/15 9:46 AM, gedropi@xxxxxxxxxxx wrote:
>>>>>>> Yes I am.  But these trojans were not present a on the 28th of October. 
>>>>>>> Meaning that the database update since the 28th would have had to have
>>>>>>> contained this misinformation. I have contacted ClamAV but they have not
>>>>>>> responded yet.  SANS is involved in this issue as well.
>>>>>>>
>>>>>>> On Sun, Nov 1, 2015, at 09:12 AM, Pascal Quantin wrote:
>>>>>>>> 2015-11-01 17:58 GMT+01:00 <gedropi@xxxxxxxxxxx>:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> After discovering the attached trojans during a scan on the 30th, I
>>>>>>>>> removed infected files, scrubbed the registry, repeated the scan. Nada.
>>>>>>>>> Then, I needed to replace the networking tools by downloading fresh
>>>>>>>>> copies of the removed, infected exe files.  Upon downloading various
>>>>>>>>> tools from their respective websites, I repeated the virus scan to be
>>>>>>>>> sure. All newly downloaded exe files were again infected with the same
>>>>>>>>> trojans.
>>>>>>>>>
>>>>>>>>> Since all the Wireshark & WinPCap files were affected, I was wondering
>>>>>>>>> if any of you out there have had the same experience?
>>>>>>>>>
>>>>>>>>> I hope that someone can help me brainstorm for a fix.  I need to use the
>>>>>>>>> tools of the trade.
>>>>>>>>>
>>>>>>>>> Thanks for any ideas.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Are you using ClamAV by any chance? as reported by Gerald Comb
>>>>>>>> (Wireshark's
>>>>>>>> leader) on the development list (
>>>>>>>> https://www.wireshark.org/lists/wireshark-dev/201510/msg00125.html) this
>>>>>>>> seems to be a false positive reported to clamav.net.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Pascal.
>>>>>>>> ___________________________________________________________________________
>>>>>>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>>>>>>> Archives:    https://www.wireshark.org/lists/wireshark-users
>>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>>> ___________________________________________________________________________
>>>>>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>>>>>> Archives:    https://www.wireshark.org/lists/wireshark-users
>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>>>
>>>>>>
>>>>>> ___________________________________________________________________________
>>>>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>>>>> Archives:    https://www.wireshark.org/lists/wireshark-users
>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>> ___________________________________________________________________________
>>>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>>>> Archives:    https://www.wireshark.org/lists/wireshark-users
>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>>
>>>>
>>>> ___________________________________________________________________________
>>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>>> Archives:    https://www.wireshark.org/lists/wireshark-users
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>>>
>>>>
>>>> ___________________________________________________________________________
>>>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>>>> Archives:    https://www.wireshark.org/lists/wireshark-users
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    https://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>