
C++ programs flagged as trojan


18 replies to this topic

#1 wkid

  • Members
  • 771 posts
  • Gender:Male
  • Location:The Heart Land

Posted 15 August 2010 - 10:08 PM

Dell Inspiron 531s
Windows XP Home SP3
Dev-C++ 4.9.x
Ad-Aware free version (among others)

I'm probably trying to bite off more than I can chew. As a comparative newbie, I'm trying to learn C++, XP Home SP3, and various security programs in a self-paced, independent manner.

To facilitate the coding process, I have written, compiled, and saved a couple of programming scaffolds. This saves me the time and trouble of typing all the preprocessor directives every time I start coding a new program. I am pretty new at this; so the programs are real trivial, and my knowledge base is rather shallow.

Ad-Aware (free version) flags these two scaffolds as trojans on every full scan. I have placed them on the Ignore List every time, only to have them return in the scan results again. My understanding is that security programs use fingerprints or signatures to detect certain known or potentially harmful behaviors, and this is why the scaffolds have been flagged.

Once again, my knowledge base is rather shallow. My take is that the scaffolds are flagged because, as executable files, other code can attach itself to these files. Then malware of some sort could be birthed and begin a life of its own. Is my understanding correct?

If the answer to the previous is "yes", I still think I am pretty secure. My security is provided by the following third party programs (all up to date):
Zone Alarm Pro
Avast free
Malwarebytes free
Ad-Aware free
Spybot Search and Destroy free
Super Anti-spyware free
Spyware Blaster free

Do I have a potential security problem which begs me to remove these scaffolds?

Any insight will be appreciated.

wkid
An ounce of prevention is worth a pound of cure. - Benjamin Franklin


#2 Synetech

  • Members
  • 149 posts
  • Gender:Male
  • Location:Canada

Posted 20 August 2010 - 07:37 PM

It's pretty hard for anyone to know since we don't know what's in those source files. You'll have to look through them and figure out if any of your code looks like something that a malware writer might use (is there anything that modifies executables or memory? does it use system hooks? does it use kernel API calls?, etc.)

What you can try is to make an empty program that does nothing but return (whether it's a Windows or DOS app, have it do nothing but quit). That way you can be sure to narrow it down to your framework. Once you've done that, you can try commenting out blocks of related code to narrow it down even further.

When you've got it down to the specific lines/functions/etc. that are being flagged and still cannot figure out why it is considered suspicious code, then you can post it here to get some advice on why it might be triggering your security apps.

HTH
****** *** ****** * ****; * ***** **** ** *** **** ******* *** ****** ************ ****.

-- Synetech

#3 wkid

  • Topic Starter
  • Members
  • 771 posts
  • Gender:Male
  • Location:The Heart Land

Posted 21 August 2010 - 10:04 AM

Synetech,

I'm not trying to cause you any problems indicated in your signature line. I'm just responding to your reply.

I have reviewed the source code and the executables. They appear to be unchanged. As for analysis, I'll have to wait until my training provides me with the knowledge to give a more critical inspection.

My biggest imponderable is why ignored files are not ignored.

wkid
An ounce of prevention is worth a pound of cure. - Benjamin Franklin

#4 Synetech

  • Members
  • 149 posts
  • Gender:Male
  • Location:Canada

Posted 21 August 2010 - 01:41 PM

I'm not trying to cause you any problems indicated in your signature line. I'm just responding to your reply.

That's not directed at you, it's just a general disclaimer for this site because you can get into trouble (or even have your account suspended) if you offer help without being authorized to do so.


Anyway, what exactly is Ad-Aware detecting as bad? The source files (.CPP, .H) or the compiled files (.EXE)? What could have happened (and I have experienced this with some software before) is that you set some kind of rules and exclusions, but then an update wipes them out and resets things, possibly by accident, possibly because the old settings are incompatible with the new version, or possibly because the author thinks that the new version is better or immune to old stuff or whatever. Try scanning those files, then add them to the ignore list (you are sure that you correctly added them to the ignore list, right? :thumbsup:), then do another scan right away without updating. Does it still detect them? If not, try restarting Ad-Aware and scanning them (again without updating). Still? If not, then it was probably just an update that re-included them (i.e. removed them from the exclusion list).

As for the code itself, did you try commenting out blocks to narrow down exactly what lines/functions/etc. Ad-Aware doesn't like?

-- Synetech

#5 wkid

  • Topic Starter
  • Members
  • 771 posts
  • Gender:Male
  • Location:The Heart Land

Posted 22 August 2010 - 09:58 AM

Thanks Synetech,

The flagged files are .exe files. The preprocessor directives include a header file written by none other than the C++ guru, Bjarne Stroustrup. It is about 160 lines long.

Since I update any security program I use before running it every time, I'm betting that the update may be the culprit as you mentioned. Some of the experts I have contact with have said that Ad-Aware has fallen out of favor with them for various reasons. Maybe this is one of the reasons.

As for commenting out the various lines to single out the offender(s), I'll have to tinker with that as spare time permits. Meanwhile I'll just deal with it.

Any conversation including the words "spare time" should start out with " Once upon a time..." and conclude with "... ,and they lived happily ever after." --> if you know what I mean.

Thanks again.

wkid
An ounce of prevention is worth a pound of cure. - Benjamin Franklin

#6 wkid

  • Topic Starter
  • Members
  • 771 posts
  • Gender:Male
  • Location:The Heart Land

Posted 22 August 2010 - 12:19 PM

Synetech,

I just completed a full scan without updating. The scan was clean. I believe your troubleshooting indicating updates as a probable cause is correct.

Thanks again.

wkid
An ounce of prevention is worth a pound of cure. - Benjamin Franklin

#7 Synetech

  • Members
  • 149 posts
  • Gender:Male
  • Location:Canada

Posted 28 August 2010 - 04:19 PM

Well it sounds like this may indeed be one of the reasons that Ad-Aware has fallen out of favor. I recently looked at the latest version and it certainly is not what it used to be. For starters it is huge compared to the old version I still have knocking about on my drive. And it sounds like updates are troublesome at best.

You could try contacting them to let them know about the false positives and see if they have any advice. In fact, the ignore list getting reset with each update could even be a bug, and by notifying them, you get them to fix it. :thumbsup:

-- Synetech

#8 chromebuster

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 04 September 2010 - 03:16 PM

I also have some insight into this. From what I've read about various malware variants (I'm not implying that you're trying to fool around with malware), C++ is a common language for malware authors to use. Some particular families such as Win32/Sality, the authors wrote that horrendous program in C++. Think why. It's probably because they can take advantage of the lack of garbage collection features so that their program is purposely bugged. They don't fix the bugs in the program for those people are really mean at heart and so they want to see data destroyed on their victims' systems. And so my thought is that your security software programs are seeing something like that, that they don't like. This is why I do not like C++. I use .NET for the exact reason. It is harder to have those kinds of bugs passing through.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#9 Synetech

  • Members
  • 149 posts
  • Gender:Male
  • Location:Canada

Posted 04 September 2010 - 07:45 PM

There's a problem with your theory. The malware scanners are not static analysis tools (they don't scan source code for bugs like buffer under/overflow errors, memory leaks, etc.) They only detect blocks of code that are common in malware, something such as format("c:\\");, and likely only in scripts as opposed to text files that need compiling (though I think I have seen virus scanners detect ASM/CPP text files in the past, but then only specific lines that were from a specific virus, not generic sequences of code).

-- Synetech

#10 chromebuster

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 11 September 2010 - 12:45 AM

Oh oops. Maybe I wasn't thinking straight. It just made total sense at the moment.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#11 wkid

  • Topic Starter
  • Members
  • 771 posts
  • Gender:Male
  • Location:The Heart Land

Posted 11 September 2010 - 09:12 PM

The subject has become moot. Apparently the logs I have forwarded have resulted in further updates actually ignoring the "ignored" files.

If you wish to continue for purely academic purposes, I'm willing provided the moderators see no harm in this. I may learn something from the exercise.

The program scaffolds I am referring to are quite trivial because I am a rank beginner. I have used them to facilitate the writing of code for trivial programs to learn the principles of programming in C++. They are console applications, not GUI. From a little reading I have done, I wonder if heuristics are identifying the implied purpose of the programs as malware.

As a safe way for you to inspect the code, I am providing a link to screen shots of the code. Maybe you can provide some insight.


http://www.screencast.com/t/ZDc3MTMxYjY
An ounce of prevention is worth a pound of cure. - Benjamin Franklin

#12 Synetech

  • Members
  • 149 posts
  • Gender:Male
  • Location:Canada

Posted 14 September 2010 - 04:37 PM

If the two small programs you showed are what is triggering it, then sheesh! it looks like Ad-Aware has some serious false-positive issues to deal with. No wonder it's falling out of favor. Those two apps are essentially do-nothing skeletons.

The only thing that I can think of is that perhaps one of your include files has gotten infected with some lines of code that should not be there, other than that, there is no reason for Ad-Aware to nag about those. :thumbsup:

-- Synetech
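
Posts #3 and #12 both turn on one question: did the scaffold .exe files, or an include file such as std_lib_facilities.h, actually change between scans? The following is an added example, not code from the thread or from Ad-Aware: it records a SHA-256 digest for every .cpp/.h/.exe under a project directory once and reports what is modified, added or removed on a later pass, so "the files appear to be unchanged" becomes something you can verify rather than eyeball. File names and contents in the demo are constructed.

```python
"""Baseline-and-compare check for the scaffold files discussed in this thread.

Added example, not code from the thread. It answers the question from posts #3
and #12 (did the scaffold .exe files or std_lib_facilities.h really change
between scans?) by recording SHA-256 digests once and comparing later.
All file names and contents below are constructed for illustration."""
import hashlib
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = {".cpp", ".h", ".exe"}


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so a large executable need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(project_dir: Path) -> dict:
    """Map each watched file (path relative to the project) to its digest."""
    return {
        p.relative_to(project_dir).as_posix(): sha256_of(p)
        for p in sorted(project_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose digest changed, plus files added or removed."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: a header gains a line and an .exe disappears between scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "scaffold.cpp").write_text('#include "std_lib_facilities.h"\nint main() { return 0; }\n')
        (root / "std_lib_facilities.h").write_text("#include <iostream>\n")
        (root / "scaffold.exe").write_bytes(b"MZ" + bytes(62))  # stand-in bytes, not a real PE file
        before = build_baseline(root)
        with (root / "std_lib_facilities.h").open("a") as f:
            f.write("// a line that was not there before\n")
        (root / "scaffold.exe").unlink()
        return compare(before, build_baseline(root))
```

In practice you would run `build_baseline` right after a clean compile, keep the resulting mapping somewhere the build cannot touch, and run `compare` whenever the scanner flags a file; a non-empty "modified" list for a header you did not edit is the case Synetech describes, while an unchanged digest points back at the scanner's own signatures or heuristics.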

#13 wkid

  • Topic Starter
  • Members
  • 771 posts
  • Gender:Male
  • Location:The Heart Land

Posted 15 September 2010 - 01:07 AM

Synetech,

Those two apps are essentially do-nothing skeletons.


That is what I meant when I referred to them as trivial program scaffolds. The entry std_lib_facilities.h is directly from Bjarne Stroustrup. It is way too long (about 160 lines) to share as a screen shot, and I have not tinkered with document sharing sites yet. It can be found on the www.stroustrup.com web site. If you wish, I can research the exact address and provide it to you for inspection.

wkid
An ounce of prevention is worth a pound of cure. - Benjamin Franklin

#14 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 15 September 2010 - 08:15 AM

The only thing that I can think of is that perhaps one of your include files has gotten infected with some lines of code that should not be there, other than that, there is no reason for Ad-Aware to nag about those.


Anti-malware applications also employ heuristics to try and guess the intent of code. That is how anti-malware software can (sometimes) detect 0-day threats before malware definitions have been created. Since Ad-Aware also employs heuristics, it is completely reasonable that the code could be flagged as suspicious.

While false positives may be annoying, I would rather have a false positive than a missed piece of malware.

Edited by groovicus, 15 September 2010 - 09:19 AM.


#15 wkid

  • Topic Starter
  • Members
  • 771 posts
  • Gender:Male
  • Location:The Heart Land

Posted 15 September 2010 - 10:14 AM

Synetech,

My apologies. I made some sort of mistake when providing the link. Manually typing the link works for the home page, or click here. The direct link to std_lib_facilities.h takes me to a download. I have to navigate links to get there. If you prefer to view instead of downloading, navigate from the home page > scroll to Support for "Programming: Principles and Practice using C++" > scroll to Standard library access header.

Groovicus,

You answered my previously posed question about heuristics and probable intent of code. Thanks.

Am I correct in guessing that the heuristics may say, "gee, anything can tag a ride with this!"? Forgive me for giving human attributes to a program. It provided me with an analysis of the method employed.

I would rather have a false positive than a missed piece of malware.


I agree 100%. My initial concern included ignored files not being ignored, now a moot subject.

wkid
An ounce of prevention is worth a pound of cure. - Benjamin Franklin



