False positive trojan detection: InoculateIT

[Confuzzled]

InoculateIT (current version 23.69.76) detects Win32/SecDrop.140954!Trojan on AUTOIT3\AUT2EXE\AUTOITSC.BIN during compile. This has only happened in the last day or so. Downloaded and re-installed the production version dated April 7th 2005 again from this website and did a full re-install. Doing a scan on the file is OK, but when you go to compile, it gets zapped due to signature recognition.

I've reported it to Computer Associates and await further clarification.

For information (in case you find your compiles are not working) and you have the current version of eTrust InoculateIT running on your machine...

[FuryCell]

Yes. Stuff like this has happend before. It is most likely becuase an evil-minded Autoit user wrote a trojan with AutoIt and then ETrust labeled AutoIt itself as a trojan. I hate it when people try to tarnish AutoIts reputation.

See this post.

http://www.autoitscript.com/forum/index.php?showtopic=11709

Edited July 2, 2005 by SolidSnake

[Guest SteveRacer]

It is most likely becuase an evil-minded Autoit user    wrote a trojan with AutoIt and then ETrust labeled AutoIt itself as a trojan.

You've got it exactly right. I had the same scenario this morning, and because I'm paranoid, every compiled AutoIt executable on my machine was deleted by the CA InnoculateIT engine, along with the autoitsc.bin file.

Reinstalling AutoIt won't help because the autoitsc.bin file is detected realtime and deleted again. You could set to ignore that .bin, but you'd also have to exclude every compiled .exe as well, since you can't change the signature and every .exe is perceived as a different file.

Some "person(s)" wrote backdoor trojan(s) to install adware using AutoIt. Unfortunately CA sloppily decided that the AutoIt core code was the easy trigger for the signature.

Here's a McAfee reference to just such an animal:

http://us.mcafee.com/virusInfo/default.asp...&virus_k=132851

I suppose I'll have to wait for CA to respond. My other compilers are probably next to suffer this scenario.

Does paranoia with good reason still deserve to be labeled paranoid?

-steve

[w0uter]

you could try using the beta.

[FuryCell]

You've got it exactly right.  I had the same scenario this morning, and because I'm paranoid, every compiled AutoIt executable on my machine was deleted by the CA InnoculateIT engine, along with the autoitsc.bin file.

Reinstalling AutoIt won't help because the autoitsc.bin file is detected realtime and deleted again.  You could set to ignore that .bin, but you'd also have to exclude every compiled .exe as well, since you can't change the signature and every .exe is perceived as a different file.

Some "person(s)" wrote  backdoor trojan(s) to install adware using AutoIt.  Unfortunately CA sloppily decided that the AutoIt core code was the easy trigger for the signature.

Here's a McAfee reference to just such an animal:

http://us.mcafee.com/virusInfo/default.asp...&virus_k=132851

I suppose I'll have to wait for CA to respond.  My other compilers are probably next to suffer this scenario.

Does paranoia with good reason still deserve to be labeled paranoid? 

-steve

<{POST_SNAPBACK}>

ty. Just looked at the link. I wonder why it uses MD5.dll.I know Au3xtra.dll is most likely used for it's tcp funcs.

[MSLx Fanboy]

Their HTML coding is screwed up

Wonder if they would hyperlink AutoIt Script to the website

I'd have to say, that's pretty funny (atleast to me) that they put that up...considering people could write a trojan in just about any programming/scripting language that has TCP or UDP support

[jpm]

As It is not an AutoIt prolem I move it in Support

[JSThePatriot]

Okay, I was going to contact McAfee myself, but thought it might be best if a moderator does it. Below is an excerpt I pulled from their "Contact Us" page.

Inquiries or Appeals from Vendors Regarding Detection of Software

AVERT: vendor_questions@mcafee.com

For more contacts, please visit McAfee Worldwide Contacts.

I hope someone can run with this. We need to defend the AutoIt core.

JS

[jpm]

Okay, I was going to contact McAfee myself, but thought it might be best if a moderator does it. Below is an excerpt I pulled from their "Contact Us" page.

I hope someone can run with this. We need to defend the AutoIt core.

JS

<{POST_SNAPBACK}>

I just moderate the bug report section so I cannot do to much with McAfee I am using Norton.

I write to JON to understand what we can do. :">

[Confuzzled]

I just moderate the bug report section so I cannot do to much with McAfee I am using Norton.

I write to JON to understand what we can do. :">

<{POST_SNAPBACK}>

I submitted my compiled file for analysis by the Computer Associates automated engine 'Virtue' as I use their Vet and InoculateIT anti-virus engines for protection. Vet produced no 'false positive' but the resident InoculateIT did and removed all occurrences of the AUTOITSC.BIN file and associated compiled versions that included it.

The automated response was:

Dear customer,

This is to notify you of the results of your submission, issue number #######.

The file "XYZ.exe" looks suspicious. We will analyse this file and notify you of the conclusion. Until further analysis is complete, we recommend that you do NOT forward this file to anyone else. We also recommend that you limit your email usage and pay special attention to any abnormal computer behaviour.

This automated scanning service "Virtue" complements our regular technical support service. It is not a replacement for it. If the automatic responses you receive are incomplete or irrelevant to your query, a technician will contact you. If you have further queries, please submit them with reference number ###### to EZ_AVSupport@ca.com.

If you would like to comment on the quality of this automated service, please send your suggestion to virtue.feedback@ca.com.

CA Security Advisor

------------------------------------------------------------------------

For the latest security advisories, including detailed analysis of the latest vulnerabilities, viruses, trojans, worms and spyware, and for complete information on how to protect yourself or your organization, please visit http://www.ca.com/securityadvisor

This was followed about 14 hours later with this:

This is to notify you of the results of your submission, issue number ######.

FILE CONCLUSION

------------------------------------------------------------------------

XYZ.zip clean

------------------------------------------------------------------------

XYZ.exe confirmed clean

------------------------------------------------------------------------

Please see below for further details.

This automated scanning service "Virtue" complements our regular technical support service. It is not a replacement for it. If the automatic responses you receive are incomplete or irrelevant to your query, a technician will contact you. If you have further queries, please submit them with reference number ###### to EZ_AVSupport@ca.com.

If you would like to comment on the quality of this automated service, please send your suggestion to virtue.feedback@ca.com.

CA Security Advisor

------------------------------------------------------------------------

For the latest security advisories, including detailed analysis of the latest vulnerabilities, viruses, trojans, worms and spyware, and for complete information on how to protect yourself or your organization, please visit http://www.ca.com/securityadvisor

FILE

------------------------------------------------------------------------

XYZ.zip

------------------------------------------------------------------------

The PkWare Zip Archive file "XYZ.zip" has been determined to be clean. For the results of files contained please see below.

FILE

------------------------------------------------------------------------

XYZ.exe

------------------------------------------------------------------------

The Windows PE (I386,EXE) file "XYZ.exe" has been determined to be clean. Our researchers have analysed the file and found nothing suspicious.

Text of a followup email I have sent to Computer Associates:

Please refer to http://www.autoitscript.com/forum/index.php?showtopic=13133 - this has put InoculateIT in a very poor light and affected a number of other programmers.

I'm a Vet fan, having used the software since Roger was the sole proprietor. I note it has been difficult to get Vet to recognise the file as a trojan, but am having problems getting Vet to be the only resident AV software.

Please ensure future signature patterns do not result in a 'hit' for legitimate compilers. If recognition signatures for trojans and viruses are to include compiled AutoIT scripts, please ensure that the fixed/common component is not part of the signature.

This has severely hampered my ability to release timely legitimate software.

Can I have some indication when it is safe to re-install my compiler and continue with my software development?

This was sent 23 hours ago, and no reply yet. Given there might be a delay due to the 4th July holiday, I'm being patient...

For information...

[Guest SteveRacer]

Okay, I was going to contact McAfee myself, . . .

Before anybody complains to McAfee, I should clarify that this isn't a McAfee problem.

I should have explained the link I posted further - that was only an example of how various trojans have been written with AutoIt, and how the anti-virus companies tend to name names, even when the compiler vendor isn't to blame. I discovered the link with a search of keywords "autoit trojan"

As far as I know, it's a Computer Associates problem in their signature file. I cannot confirm McAfee has the same problem, but I seriously doubt they do.

Thanks Confuzzled for taking the "bull" by the horns. It may be a few days after everyone uses up their fireworks, but I'm certain the solution is closer at hand because of your initiative. Bravo!

I'm sending you my complete list of problems with Windows XP to you as well. It's a huge text file, but after zip compression it's only 16.7 megabytes. Obviously I don't expect you to solve all of them this week, but if you could take a crack at the first couple of hundred . . .

Just kidding. Sort of.

best-

-steve

[JSThePatriot]

Yes the problem isnt McAfee's except they're blaming an innocent. They should do a bit more research before which time they call out a compiler. I dont see them downing Micro$oft. I wonder why.

VBS is the most widely used malware creator... lets think about this.

JS

Edited July 5, 2005 by JSThePatriot

[Jon]

What bugs me is that this happens at least once a month with some AV vendor or other. They are all totally incompetent - I even wrote to most of them to offer details of the AutoIt file format to enable easier detection. But incompetence is nothing new with AV software. If you have an unstable system 9 times out of 10 it is related to AV software. Had three problems with servers at work this week with odd things occuring and files getting locked. AV software to blame.

[Confuzzled]

I have not received a reply from Computer Associates, but can confirm that the false positive has disappeared since yesterday on InoculateIT anti-virus.

A re-install of AutoIT enables me to compile again and my programs are not being zapped any more.

[JSThePatriot]

What bugs me is that this happens at least once a month with some AV vendor or other.  They are all totally incompetent - I even wrote to most of them to offer details of the AutoIt file format to enable easier detection.  But incompetence is nothing new with AV software.  If you have an unstable system 9 times out of 10 it is related to AV software.  Had three problems with servers at work this week with odd things occuring and files getting locked.  AV software to blame.

<{POST_SNAPBACK}>

I am sorry to hear that. I would be more than happy to help in any way I can Jon.

I generally have hated AV software because of everything you have mentioned above, but AntiVir seems to be serving its purpose and keeping me clean without interfering with anything I have.

JS