Advice Request Rufus 3.17 downloads malware!? Am I being over paranoid!?

[Logic]

Hi Everyone
Longtime lurker

When it comes to apps that write into the MBR etc of highly portable media you want to use to write into the MBR etc of the media on which you plan to install an operating system;
being paranoid is a very good idea IMHO.

So
Rufus 3.17
downloaded from the official site:

Rufus - Create bootable USB drives the easy way

Rufus: Create bootable USB drives the easy way

rufus.ie

Comes up clear on VirusTotal right:

VirusTotal

VirusTotal

www.virustotal.com

But then Rufus wants do download various things related to booting media.
So one looks at VirusTotal's 'Relations'.
Contacted hosts in particular:

VirusTotal

VirusTotal

www.virustotal.com

And there one sees some red flags!
The contacted hosts dont look quite as reassuring:

VirusTotal

VirusTotal

www.virustotal.com

VirusTotal

VirusTotal

www.virustotal.com

Time to upload the file to Hybrid Analysis!

Free Automated Malware Analysis Service - powered by Falcon Sandbox

Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

www.hybrid-analysis.com

Here things look rosey, exept for the 1 malicious indicator and 30 suspicios indicators in Falcon sandbox.
Clicking there brings up:

https://www.hybrid-analysis.com/sample/6d362897059df29d9674112a43e68dbc549ba4c25e7036dd9fae7c92bfafda02/6176f9dc0536b966a003fd6d

Now that brings up some unsettling reading!
Especially Network Analysis where:
DNS Requests from Domain rufus.ie, at Address 85.199.111.153
Contacs Hosts at IP Address 185.199.111.153
Clicking on
OSINT
there brings up:

https://www.hybrid-analysis.com/sample/6d362897059df29d9674112a43e68dbc549ba4c25e7036dd9fae7c92bfafda02/6176f9dc0536b966a003fd6d

Where there are 6 malicious files and 4 suspicious files,
with links back to what VT thinks of those!
eg:

VirusTotal

VirusTotal

www.virustotal.com

Where file MinHookD is detected as follows:
Ad-Aware - Gen:Variant.Razy.621036
ALYac - Gen:Variant.Razy.621036
BitDefender - Gen:Variant.Razy.621036
eGambit - Unsafe.AI_Score_87%
Emsisoft - Gen:Variant.Razy.621036 (B)
eScan - Gen:Variant.Razy.621036
ESET-NOD32 - A Variant Of Win64/Packed.Themida.L Suspicious
FireEye - Gen:Variant.Razy.621036
GData - Gen:Variant.Razy.621036
Gridinsoft - Trojan.Heur!.03210022
MAX - Malware (ai Score=80)
SecureAge APEX - Malicious
SentinelOne (Static ML) - Static AI - Malicious PE
Sophos - Generic ML PUA (PUA)

So...!
Is Rufus a nice safe bootable media maker..?
I'd love to get some Educated opinions plz.

Further analysis is heading out of my depth...


(RMPrep looks about the same, so I'm not pointing fingures at any one direction.

 

[roger_m]

You are being paranoid. Rufus is a very well known and trusted to tool to create bootable flash drives.

Take, for example, your last VirusTotal link. Many of the scanners have detected is a generic threat, rather than specifically detecting it as being malicious. The only scanners which have labelled it as being an actual threat, rather than a generic or heuristic detection, are the ones using AI. The AI based scanners are known for having excessive false positives. If you click on Details, you can see that the file was first scanned on the 23rd of October. If it was actually malicious, scanners such as Kaspersky would have added signatures to detect it by now.

 

[Logic]

You are being paranoid. Rufus is a very well known and trusted to tool to create bootable flash drives.

Take, for example, your last VirusTotal link. Many of the scanners have detected is a generic threat, rather than specifically detecting it as being malicious. The only scanners which have labelled it as being an actual threat, rather than a generic or heuristic detection, are the ones using AI. The AI based scanners are known for having excessive false positives. If you click on Details, you can see that the file was first scanned on the 23rd of October. If it was actually malicious, scanners such as Kaspersky would have added signatures to detect it by now.

I'm pretty sure Rufus is clean Roger, but the fact that it downloads files form IP 85.199.111.153 AFTER scans and instalation is whats worrying as that IP does NOT have a good rep!

https://www.hybrid-analysis.com/sample/6d362897059df29d9674112a43e68dbc549ba4c25e7036dd9fae7c92bfafda02/6176f9dc0536b966a003fd6d

I do hope you're right, but I am aware of MITRE attacks etc that dont use any malware:
Theyt use the domain and remote access tools built into windows and arent picked up by any scanners!

A good eg is HDDTurbo by Hummer studios.
It looks clean on VT, untill you sign up on VT and then:

 

[roger_m]

I'm pretty sure Rufus is clean Roger, but the fact that it downloads files form IP 85.199.111.153 AFTER scans and instalation is whats worrying as that IP does NOT have a good rep!

It's certainly possible for a domain to be used for malware and legitimate downloads too. Also, it's worth nothing that Rufus doesn't install, it's portable.

 

[upnorth]

I'm pretty sure Rufus is clean Roger, but the fact that it downloads files form IP 85.199.111.153 AFTER scans and instalation is whats worrying as that IP does NOT have a good rep!

https://www.hybrid-analysis.com/sample/6d362897059df29d9674112a43e68dbc549ba4c25e7036dd9fae7c92bfafda02/6176f9dc0536b966a003fd6d

As member @roger_m trying his best to inform you, your over-reacting and I agree. If anyone start to click on the last Hybrid-Analysis link you kindly supplied, and personal I know very well those tests take time, even that shows a Clean Green verdict. The referred IP ( highlighted in the quote ) is wrong, because one number is missing. This is the correct one: 185.199.111.153

https://talosintelligence.com/reputation_center/lookup?search=185.199.111.153

That IP points to Github, and yes Github is for sure from time to time being used and abused by malware, just as Youtube, Google etc, that is also what the so called " Artifacts " in that Hybrid-Analysis points to. An Artifact, does not automatic suddenly makes and rules the official Rufus as malicious or suspicious. One also needs to understand the basic what Servers are and can be used for. Sending and receiving Data that for example can help a developer and it's software and it's users. In this case, GitHub:



Another important and good to know key factor. Rufus even have a official blue text " Known Distributors " mark/tag on VirusTotal.

at VirusTotal we have also seen how the inclusion of AI/ML in detection engines has led to more false positives, and, most importantly to increasing lack of context. Many detections these days do not include any malware family/toolkit label and since they are ML-powered, the analyst is provided with no additional information beyond a red flag, which in some cases might be misleading. By incorporating the Known Distributors details along with VirusTotal’s wealth of contextual information, security teams can overcome the shortcomings of noisy detection mechanisms

Introducing ‘Known Distributors’

Providing more context about file provenance and distribution These days many security operations center (SOC) teams are overwhelmed by hu...

blog.virustotal.com

A correct malicious assessment needs much better proof, but sure I always recommend being vigilante.

 

[Stas]

Rufus doesn't need internet you can block it with firewall if you are paranoid

 

[Logic]

As member @roger_m trying his best to inform you, your over-reacting and I agree. If anyone start to click on the last Hybrid-Analysis link you kindly supplied, and personal I know very well those tests take time, even that shows a Clean Green verdict. The referred IP ( highlighted in the quote ) is wrong, because one number is missing. This is the correct one: 185.199.111.153

https://talosintelligence.com/reputation_center/lookup?search=185.199.111.153

That IP points to Github, and yes Github is for sure from time to time being used and abused by malware, just as Youtube, Google etc, that is also what the so called " Artifacts " in that Hybrid-Analysis points to. An Artifact, does not automatic suddenly makes and rules the official Rufus as malicious or suspicious. One also needs to understand the basic what Servers are and can be used for. Sending and receiving Data that for example can help a developer and it's software and it's users. In this case, GitHub:



Another important and good to know key factor. Rufus even have a official blue text " Known Distributors " mark/tag on VirusTotal.

Introducing ‘Known Distributors’

Providing more context about file provenance and distribution These days many security operations center (SOC) teams are overwhelmed by hu...

blog.virustotal.com

A correct malicious assessment needs much better proof, but sure I always recommend being vigilante.

Much thx upnorth
and @Roger too.

Thx for the shared knowledge
and the talosintelligence.com link to! Bookmarked.

My bad on the incorrect link!!

Could you plz help me get a better understanding of things like:
Modifies Software Policy Settings
Installs hooks/patches the running process
For Rufus, Here:

https://www.hybrid-analysis.com/sample/6d362897059df29d9674112a43e68dbc549ba4c25e7036dd9fae7c92bfafda02/6176f9dc0536b966a003fd6d

I really need to get off this para-horse!!
It all started with result for HDDTurbo by Hummer studios, AFTER I signed up on VT.
RAT by Chinese govt
and
Ransomware
etc
See the attached pic in post 3.
Plz can I have your opinion on it?

VirusTotal

VirusTotal

www.virustotal.com

Said file somehow Unleashed Readyboost and is something I'd really like to keep!??

NB that Windows I/O is 66% Random 4K at Q1 80% of the time and Mixed simultanious.
So a notebook HDD with the highlighted #s beats about all SSDs..! 66% of the time.
The other #s are due to HDDTurbo's (small) DRAM caching, but the R4K #s drop vs HDDT's DRAM caching when the 1 then 2; 32GB ReadyBoost caches are deployed.
64GB of R4K files is 16 000 000 to 32 000 000 files. (RB compression) More ALL of them than a cache Making RB+HDDTurbo well worth having from my testing.

 

[MacDefender]

Most of this was discussed and analyzed in this thread: Rufus 3.8 | Infected with malware?

And we even had the Rufus author come here and confirm a lot of the analysis! Basically, Rufus does trigger a lot of malware analysis tools by messing with AutoRuns and removable drive policies, but it does so because the process of Windows reacting to the intermediate steps of formatting a bootable USB drive interfere with the ability for Rufus to continue formatting it.

And its reputation tends to be bad because the Internet is full of malware-laced fake copies of Rufus which drop malware in addition to running Rufus. So you gotta be careful you get it from the author's site but the app itself is open source and doesn't do anything different from what the source code says.