Question Rufus 3.17 downloads malware!? Am I being over paranoid!?

Status
Not open for further replies.

Logic

New Member
Thread author
Aug 27, 2020
4
Hi Everyone :)
Longtime lurker

When it comes to apps that write into the MBR etc of highly portable media you want to use to write into the MBR etc of the media on which you plan to install an operating system;
being paranoid is a very good idea IMHO.

So
Rufus 3.17
downloaded from the official site:
Comes up clear on VirusTotal right:

But then Rufus wants to download various things related to booting media.
So one looks at VirusTotal's 'Relations'.
Contacted hosts in particular:

And there one sees some red flags!
The contacted hosts don't look quite as reassuring:

Time to upload the file to Hybrid Analysis!
Here things look rosy, except for the 1 malicious indicator and 30 suspicious indicators in Falcon sandbox.
Clicking there brings up:

Now that brings up some unsettling reading!
Especially Network Analysis where:
DNS Requests from Domain rufus.ie, at Address 85.199.111.153
Contacts Hosts at IP Address 185.199.111.153

Clicking on
OSINT
there brings up:

Where there are 6 malicious files and 4 suspicious files,
with links back to what VT thinks of those!
eg:
Where file MinHookD is detected as follows:
Ad-Aware - Gen:Variant.Razy.621036
ALYac - Gen:Variant.Razy.621036
BitDefender - Gen:Variant.Razy.621036
eGambit - Unsafe.AI_Score_87%
Emsisoft - Gen:Variant.Razy.621036 (B)
eScan - Gen:Variant.Razy.621036
ESET-NOD32 - A Variant Of Win64/Packed.Themida.L Suspicious
FireEye - Gen:Variant.Razy.621036
GData - Gen:Variant.Razy.621036
Gridinsoft - Trojan.Heur!.03210022
MAX - Malware (ai Score=80)
SecureAge APEX - Malicious
SentinelOne (Static ML) - Static AI - Malicious PE
Sophos - Generic ML PUA (PUA)

So...!
Is Rufus a nice safe bootable media maker..?
I'd love to get some Educated opinions plz.

Further analysis is heading out of my depth...


(RMPrep looks about the same, so I'm not pointing fingers in any one direction.)
 

roger_m

Level 37
Verified
Top poster
Content Creator
Dec 4, 2014
2,695
You are being paranoid. Rufus is a very well known and trusted tool to create bootable flash drives.

Take, for example, your last VirusTotal link. Many of the scanners have detected it as a generic threat, rather than specifically detecting it as being malicious. The only scanners which have labelled it as being an actual threat, rather than a generic or heuristic detection, are the ones using AI. The AI-based scanners are known for having excessive false positives. If you click on Details, you can see that the file was first scanned on the 23rd of October. If it was actually malicious, scanners such as Kaspersky would have added signatures to detect it by now.
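The triage described in the reply above can be scripted; this is an added example, not part of any poster's message. It groups the engine labels quoted in the opening post into generic/heuristic, packer, and ML or bare-verdict detections, and counts how many labels are actually independent. The category names and regex rules are assumptions made for illustration, not any vendor's taxonomy.

```python
import re
from collections import Counter

# Engine -> label pairs as quoted in the thread's opening post (MinHookD file).
DETECTIONS = {
    "Ad-Aware": "Gen:Variant.Razy.621036",
    "ALYac": "Gen:Variant.Razy.621036",
    "BitDefender": "Gen:Variant.Razy.621036",
    "eGambit": "Unsafe.AI_Score_87%",
    "Emsisoft": "Gen:Variant.Razy.621036 (B)",
    "eScan": "Gen:Variant.Razy.621036",
    "ESET-NOD32": "A Variant Of Win64/Packed.Themida.L Suspicious",
    "FireEye": "Gen:Variant.Razy.621036",
    "GData": "Gen:Variant.Razy.621036",
    "Gridinsoft": "Trojan.Heur!.03210022",
    "MAX": "Malware (ai Score=80)",
    "SecureAge APEX": "Malicious",
    "SentinelOne (Static ML)": "Static AI - Malicious PE",
    "Sophos": "Generic ML PUA (PUA)",
}

# Assumed heuristics, checked in order; the first matching rule wins.
RULES = [
    ("ml-or-bare-verdict", re.compile(r"\bai\b|\bml\b|score|^malicious$", re.I)),
    ("packer", re.compile(r"packed\.|themida", re.I)),
    ("generic-or-heuristic", re.compile(r"^gen:|generic|heur", re.I)),
]


def classify(label):
    """Return the kind of detection a label represents."""
    for kind, pattern in RULES:
        if pattern.search(label):
            return kind
    return "family-specific"


def triage(detections):
    """Summarise a set of detections: kinds of label and independent labels."""
    kinds = Counter(classify(label) for label in detections.values())
    # Identical labels (ignoring a one-letter vendor suffix such as "(B)")
    # are counted once, since they add no independent evidence.
    distinct = {re.sub(r"\s*\([A-Z]\)$", "", label).lower()
                for label in detections.values()}
    return {"engines": len(detections),
            "independent_labels": len(distinct),
            "kinds": dict(kinds)}


if __name__ == "__main__":
    print(triage(DETECTIONS))
```
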
 

Logic

I'm pretty sure Rufus is clean Roger, but the fact that it downloads files from IP 85.199.111.153 AFTER scans and installation is what's worrying, as that IP does NOT have a good rep!

I do hope you're right, but I am aware of MITRE attacks etc that don't use any malware:
They use the domain and remote access tools built into Windows and aren't picked up by any scanners!

A good eg is HDDTurbo by Hummer studios.
It looks clean on VT, until you sign up on VT and then:

HDDTurbo.jpg
 

roger_m

Logic said:
I'm pretty sure Rufus is clean Roger, but the fact that it downloads files from IP 85.199.111.153 AFTER scans and installation is what's worrying, as that IP does NOT have a good rep!

It's certainly possible for a domain to be used for malware and legitimate downloads too. Also, it's worth noting that Rufus doesn't install, it's portable.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
5,234
Logic said:
I'm pretty sure Rufus is clean Roger, but the fact that it downloads files from IP 85.199.111.153 AFTER scans and installation is what's worrying, as that IP does NOT have a good rep!

As member @roger_m is trying his best to inform you, you're over-reacting, and I agree. If anyone starts to click on the last Hybrid-Analysis link you kindly supplied (and personally I know very well those tests take time), even that shows a Clean Green verdict. The referred IP ( highlighted in the quote ) is wrong, because one number is missing. This is the correct one: 185.199.111.153

That IP points to GitHub, and yes, GitHub is for sure from time to time being used and abused by malware, just as YouTube, Google etc., and that is also what the so-called "Artifacts" in that Hybrid-Analysis point to. An artifact does not automatically and suddenly make or rule the official Rufus as malicious or suspicious. One also needs to understand the basics of what servers are and can be used for: sending and receiving data that, for example, can help a developer and its software and its users. In this case, GitHub:

Another important and good-to-know key factor: Rufus even has an official blue-text "Known Distributors" mark/tag on VirusTotal.
at VirusTotal we have also seen how the inclusion of AI/ML in detection engines has led to more false positives, and, most importantly to increasing lack of context. Many detections these days do not include any malware family/toolkit label and since they are ML-powered, the analyst is provided with no additional information beyond a red flag, which in some cases might be misleading. By incorporating the Known Distributors details along with VirusTotal’s wealth of contextual information, security teams can overcome the shortcomings of noisy detection mechanisms

A correct malicious assessment needs much better proof, but sure, I always recommend being vigilant.
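The check made in the post above, written out as an added example that is not part of the original thread: before trusting an IP reputation lookup, confirm the address was copied correctly from the sandbox report, and see whether it sits in a shared-hosting range where other tenants' files account for the reputation. The /22 below is assumed to be the block containing GitHub Pages' four documented A-record addresses (185.199.108.153 to 185.199.111.153); refresh it from GitHub's published metadata before relying on it.

```python
import ipaddress

# Assumption: the block that contains GitHub Pages' documented addresses.
SHARED_HOSTING = {"GitHub Pages": ipaddress.ip_network("185.199.108.0/22")}

# Constructed sample: hostname -> address as shown in the sandbox report's
# network section, used as the reference for what was really contacted.
REPORTED = {"rufus.ie": "185.199.111.153"}


def dropped_char_of(candidate, reference):
    """True if candidate equals reference with exactly one character removed."""
    if len(candidate) + 1 != len(reference):
        return False
    return any(reference[:i] + reference[i + 1:] == candidate
               for i in range(len(reference)))


def triage(ip_text, reported=REPORTED):
    """Classify an address that is about to be looked up for reputation."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on malformed input
    for provider, network in SHARED_HOSTING.items():
        if ip in network:
            # Reputation hits here may belong to any tenant of the provider.
            return ("shared-hosting", provider)
    for reference in reported.values():
        if dropped_char_of(ip_text, reference):
            # The looked-up address is not the one the sample contacted.
            return ("transcription-error", reference)
    return ("unclassified", None)


if __name__ == "__main__":
    for address in ("85.199.111.153", "185.199.111.153"):
        print(address, triage(address))
```
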
 

Logic


Much thx upnorth
and @Roger too.

Thx for the shared knowledge
and the talosintelligence.com link too! Bookmarked.

My bad on the incorrect link!! 😊

Could you plz help me get a better understanding of things like:
Modifies Software Policy Settings
Installs hooks/patches the running process
For Rufus, Here:

I really need to get off this para-horse!!
It all started with the result for HDDTurbo by Hummer studios, AFTER I signed up on VT.
RAT by Chinese govt
and
Ransomware
etc
See the attached pic in post 3.
Plz can I have your opinion on it?


Said file somehow Unleashed Readyboost and is something I'd really like to keep!??

RB important rows columns s.jpg

NB that Windows I/O is 66% Random 4K at Q1 80% of the time and Mixed simultaneous.
So a notebook HDD with the highlighted #s beats about all SSDs..! 66% of the time.
The other #s are due to HDDTurbo's (small) DRAM caching, but the R4K #s drop vs HDDT's DRAM caching when the 1 then 2; 32GB ReadyBoost caches are deployed.
64GB of R4K files is 16 000 000 to 32 000 000 files. (RB compression) More ALL of them than a cache Making RB+HDDTurbo well worth having from my testing.
 

MacDefender

Level 16
Verified
Top poster
Oct 13, 2019
792
Most of this was discussed and analyzed in this thread: Rufus 3.8 | Infected with malware?

And we even had the Rufus author come here and confirm a lot of the analysis! Basically, Rufus does trigger a lot of malware analysis tools by messing with AutoRuns and removable drive policies, but it does so because the process of Windows reacting to the intermediate steps of formatting a bootable USB drive interferes with the ability for Rufus to continue formatting it.

And its reputation tends to be bad because the Internet is full of malware-laced fake copies of Rufus which drop malware in addition to running Rufus. So you gotta be careful you get it from the author's site but the app itself is open source and doesn't do anything different from what the source code says.
 