False positive?


10 replies to this topic

#1 RazulAntiwield

Posted 22 January 2016 - 11:39 PM

A while ago, before the servers shut down, I used to play the MMO Need for Speed World. Turns out that it can still be played in singleplayer by forcing the client into an offline server.

According to my virus total scan here: https://www.virustotal.com/en/file/0dceea1fe89bb8080918df8931f1c477a081937dc82bbafc4b39aeb2392a583f/analysis/1453461307/

the modified client to force it into such server from here: http://www.elitepvpers.com/forum/need-speed-world/3767890-nfs-world-offline-server.html

is a virus, and three people agree with it. My antivirus, Avast finds nothing wrong with it.

 

Elitepvpers seems to be a disreputable site. I downloaded it from the PC gaming wiki from here instead: https://drive.google.com/folderview?id=0Bwbb_Yiw_IWNfkZCQ3dJUkRsU2hvd3R2Q2hZWjN2VElvS3lQRWN6VWdMeUExVFpJa2p6WGs&usp=sharing&tid=0Bwbb_Yiw_IWNfmplMnN1cXZZWkNpZEljdkJmeFF3eGY5b3EwNFNMSkRFalV5V2FoQi1fTVE#list

 

In your opinion, is this a false positive?

 




#2 quietman7

Posted 23 January 2016 - 07:08 AM

A Virustotal analysis of elitepvpers indicates it is a clean site...see here.

The first six detections are more generic detections for unknown or suspicious files. For example...Artemis technology is the "Active Protection" component of McAfee's Security Center which uses a combination of signature and behavior analysis to check with McAfee servers in real-time to identify possible new malware threats. This is accomplished by adding heuristics to the virus database. McAfee then uses this heuristic detection to analyze the cataloged behaviors and assess the likelihood of possible new variants of malware before the vendor can get samples and update the program's definitions for detection. This process is similar to Symantec's Bloodhound Technology. Artemis is not the name of an actual virus, but an alert displayed by McAfee when it thinks it may have found a new virus. Artemis is included in the detection name for any file that is quarantined or blocked by McAfee's Global Threat Intelligence (GTI) technology for enhanced detection of unknown threats based on the file's behavior. Thus, Artemis detections may or may not be malicious.

In general, heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "false positive" when the heuristic analysis flags a file as suspicious or infected that contains no malware. On the other hand, there is also the risk of a "false negative".

A more definitive answer to your question could be provided by an expert like Didier Stevens who could actually examine the file more closely. Didier Stevens is an IT Security Professional and expert on network environments, a Wireshark Certified Network Analyst and SANS ISC Handler who has much more knowledge in this area than most of us here at Bleeping Computer. Perhaps Didier will see this topic and offer his assessment.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 RazulAntiwield

Posted 23 January 2016 - 08:15 PM

Hmm, I will contact him then, see what he thinks.



#4 quietman7

Posted 23 January 2016 - 09:23 PM

He provides answers to questions in topics posted here when he visits and reads them. If you contact him directly, just provide a link to this topic.

#5 RazulAntiwield

Posted 24 January 2016 - 12:57 AM

Yep, that is what I did. Waiting for a reply now.



#6 quietman7

Posted 24 January 2016 - 06:11 AM

Ok then.

#7 Didier Stevens

Posted 24 January 2016 - 06:15 AM

I'll take a look, but it will take some time as I see it's a RAR file that contains many files.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 Didier Stevens

Posted 24 January 2016 - 12:15 PM

The rar file contains 827 files. Only one of these files triggers alerts on VT: rand.exe https://www.virustotal.com/en/file/2a9c031857624a5729b50ac7573651dc0c55f3ccc49b314277a311476020a66b/analysis/

 

rand.exe patches the process of executable nfsw.exe (it changes a couple of bytes).

I assume nfsw.exe is the game Need For Speed World?


Edited by Didier Stevens, 24 January 2016 - 12:25 PM.



#9 RazulAntiwield

Posted 24 January 2016 - 08:02 PM

Yes.



#10 Didier Stevens

Posted 25 January 2016 - 03:42 PM

For me these detections are false positives: https://www.virustotal.com/en/file/2a9c031857624a5729b50ac7573651dc0c55f3ccc49b314277a311476020a66b/analysis/

 

The program looks for process nfsw.exe, opens the process' memory and changes some bytes.

Presumably to change the behavior of the nfsw.exe process (I've not tested that): that you can use it offline.




#11 RazulAntiwield

Posted 25 January 2016 - 08:28 PM

After trying to launch it, the offline server asks for you to find nfsw.exe in the directory. I can't find it, only nfsw-server.jar. I have downloaded the original from elitepvpers instead of someone's Google drive, to see if nfsw.exe is in there. I have heard reports of people saying that elitepvpers takes your login information and uses it to try and login to other websites, so I made a new email account and completely new passwords and signed up.





