Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Security
Malware Analysis
Virus Total did not flag malicious
Message
<blockquote data-quote="struppigel" data-source="post: 1020047" data-attributes="member: 86910"><p>This program uses a bootloader by Thinstall. When I search on Virustotal for applications with the same bootloader they all have 12+ detections. So the bootloader is likely the detected component.</p><p></p><p>Although Thinstall is a legitimate program, it seems to have been abused for malware and cracking which often leads to automatic detection of the bootloader and injection component (I exclude manual signature creation here because a human would know this to be legitimate and would more likely use concrete detection names). The major vendors either have better FP protection in place or are more likely to be contacted by the Thinstall company if false positives occur, which would explain why they don't have a detection on the Thinstall bootloader.</p><p></p><p>I find it noteworthy that there is a Yara match on <a href="http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/" target="_blank">Heaven's Gate </a>code which is normally not used by legitimate applications.</p><p></p><p>[ATTACH=full]272143[/ATTACH]</p><p></p><p>The original setup of this application is signed: <a href="https://www.virustotal.com/gui/file/68e09a997cdc71028fa4fce20b4880241dfd53f149ab3f1568eea2ccaee1bca7/detection" target="_blank">VirusTotal</a></p><p>Whereas the files contained in this archive are not signed. That is unusual. If the vendor of the program already have a signing process in place, they would use it on detected files to prevent the detections. Might be because this is an older version or because it was modified. However, the version numbers are not far apart: Newest version is 5.1.1. and the one you have there is 5.1.0.233</p><p></p><p>I see two possibilities here (you don't need to tell me which one it is):</p><ol> <li data-xf-list-type="ol">The actual vendor used Thinstall to create a portable application and this is an old version that was not signed yet. They do not fix detections by contacting vendors because it is an old version.</li> <li data-xf-list-type="ol">This is a cracked version of the program that uses the bootloader to circumvent the protection and licensing system. Such programs are treated as "don't care" by antivirus vendors. A discussion about legitimacy of cracked programs is not allowed here on MalwareTips.</li> </ol><p>In case 1 you need to use the updated version. In case 2 you better not use it.</p><p>So actually in both cases you better don't use the exact program you linked here.</p></blockquote><p></p>
[QUOTE="struppigel, post: 1020047, member: 86910"] This program uses a bootloader by Thinstall. When I search on Virustotal for applications with the same bootloader they all have 12+ detections. So the bootloader is likely the detected component. Although Thinstall is a legitimate program, it seems to have been abused for malware and cracking which often leads to automatic detection of the bootloader and injection component (I exclude manual signature creation here because a human would know this to be legitimate and would more likely use concrete detection names). The major vendors either have better FP protection in place or are more likely to be contacted by the Thinstall company if false positives occur, which would explain why they don't have a detection on the Thinstall bootloader. I find it noteworthy that there is a Yara match on [URL='http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/']Heaven's Gate [/URL]code which is normally not used by legitimate applications. [ATTACH type="full" alt="hg.png"]272143[/ATTACH] The original setup of this application is signed: [URL='https://www.virustotal.com/gui/file/68e09a997cdc71028fa4fce20b4880241dfd53f149ab3f1568eea2ccaee1bca7/detection']VirusTotal[/URL] Whereas the files contained in this archive are not signed. That is unusual. If the vendor of the program already have a signing process in place, they would use it on detected files to prevent the detections. Might be because this is an older version or because it was modified. However, the version numbers are not far apart: Newest version is 5.1.1. and the one you have there is 5.1.0.233 I see two possibilities here (you don't need to tell me which one it is): [LIST=1] [*]The actual vendor used Thinstall to create a portable application and this is an old version that was not signed yet. They do not fix detections by contacting vendors because it is an old version. [*]This is a cracked version of the program that uses the bootloader to circumvent the protection and licensing system. Such programs are treated as "don't care" by antivirus vendors. A discussion about legitimacy of cracked programs is not allowed here on MalwareTips. [/LIST] In case 1 you need to use the updated version. In case 2 you better not use it. So actually in both cases you better don't use the exact program you linked here. [/QUOTE]
Insert quotes…
Verification
Post reply
Top
