Wireshark-users: Re: [Wireshark-users] Trojans associate with Wireshark, WinPCap, etc
From: gedropi@xxxxxxxxxxx
Date: Sun, 01 Nov 2015 16:24:09 -0800
No, I have removed them.

On Sun, Nov 1, 2015, at 10:54 AM, Gerald Combs wrote:
> Have you uploaded them to virustotal.com? What does it say?
>
> On 11/1/15 10:45 AM, gedropi@xxxxxxxxxxx wrote:
> > So the puzzle is about the remaining trojans. The trojans associated with the other networking tools. Here is my version info per Help>About:
> > main = 55
> > daily = 21031
> > updated = Oct 30, 2015
> >
> >
> > On Sun, Nov 1, 2015, at 10:41 AM, Gerald Combs wrote:
> >> The only report I've seen so far on the buildbots is Win.Adware.Outbrowse-1168 in the NSIS uninstaller:
> >>
> >> C:\[...]\build\cmbuild\run\RelWithDebInfo\uninstall.exe: Win.Adware.Outbrowse-1168 FOUND
> >>
> >> On 11/1/15 10:38 AM, gedropi@xxxxxxxxxxx wrote:
> >>> Are you referring to only the Wireshark/WinPCap trojan or all of the trojans? Thanks
> >>>
> >>> On Sun, Nov 1, 2015, at 10:32 AM, Gerald Combs wrote:
> >>>> That should've been:
> >>>>
> >>>> ----
> >>>> Sun Nov 1 17:29:10 2015 -> ClamAV update process started at Sun Nov 1 17:29:10 2015
> >>>> Sun Nov 1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
> >>>> Sun Nov 1 17:29:10 2015 -> daily.cld is up to date (version: 21032, sigs: 1645531, f-level: 63, builder: shurley)
> >>>> Sun Nov 1 17:29:10 2015 -> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, builder: anvilleg)
> >>>> ----
> >>>>
> >>>> That is, daily.cld version 21032 does not report the trojan. 21031 does. IIRC 21030 reported the trojan on Friday as well.
> >>>>
> >>>> On 11/1/15 10:25 AM, gedropi@xxxxxxxxxxx wrote:
> >>>>> ClamAV update process started at Sun Nov 01 05:58:39 2015
> >>>>>
> >>>>> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
> >>>>> daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63, builder: neo)
> >>>>> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, builder: anvilleg)
> >>>>>
> >>>>> Thanks for your response.
> >>>>>
> >>>>>
> >>>>> On Sun, Nov 1, 2015, at 10:14 AM, Gerald Combs wrote:
> >>>>>> Which versions of the main, daily, and bytecode databases are you using? On Friday clamscan was reporting that Win.Adware.Outbrowse-1168 was present in some of the 32-bit Windows installers.
> >>>>>>
> >>>>>> If I run clamscan today with the following database versions on the same files the scans come up clean:
> >>>>>>
> >>>>>> ----
> >>>>>> Sun Nov 1 08:27:42 2015 -> ClamAV update process started at Sun Nov 1 08:27:42 2015
> >>>>>> Sun Nov 1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
> >>>>>> Sun Nov 1 08:27:43 2015 -> daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63, builder: neo)
> >>>>>> Sun Nov 1 08:27:43 2015 -> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, builder: anvilleg)
> >>>>>> ----
> >>>>>>
> >>>>>>
> >>>>>> Note that AV false positives happen often enough that we maintain a list:
> >>>>>>
> >>>>>> https://wiki.wireshark.org/FalsePositives
> >>>>>>
> >>>>>> As does the NSIS team (which tends to impact the Wireshark and WinPcap installers):
> >>>>>>
> >>>>>> http://nsis.sourceforge.net/NSIS_False_Positives
> >>>>>>
> >>>>>>
> >>>>>> On 11/1/15 9:46 AM, gedropi@xxxxxxxxxxx wrote:
> >>>>>>> Yes I am. But these trojans were not present on the 28th of October. Meaning that the database update since the 28th would have had to have contained this misinformation. I have contacted ClamAV but they have not responded yet. SANS is involved in this issue as well.
> >>>>>>>
> >>>>>>> On Sun, Nov 1, 2015, at 09:12 AM, Pascal Quantin wrote:
> >>>>>>>> 2015-11-01 17:58 GMT+01:00 <gedropi@xxxxxxxxxxx>:
> >>>>>>>>
> >>>>>>>>> After discovering the attached trojans during a scan on the 30th, I removed infected files, scrubbed the registry, repeated the scan. Nada. Then, I needed to replace the networking tools by downloading fresh copies of the removed, infected exe files. Upon downloading various tools from their respective websites, I repeated the virus scan to be sure. All newly downloaded exe files were again infected with the same trojans.
> >>>>>>>>>
> >>>>>>>>> Since all the Wireshark & WinPCap files were affected, I was wondering if any of you out there have had the same experience?
> >>>>>>>>>
> >>>>>>>>> I hope that someone can help me brainstorm for a fix. I need to use the tools of the trade.
> >>>>>>>>>
> >>>>>>>>> Thanks for any ideas.
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>> Are you using ClamAV by any chance? As reported by Gerald Combs (Wireshark's leader) on the development list (https://www.wireshark.org/lists/wireshark-dev/201510/msg00125.html) this seems to be a false positive reported to clamav.net.
> >>>>>>>>
> >>>>>>>> Best regards,
> >>>>>>>> Pascal.
> >>>>>>>> ___________________________________________________________________________
> >>>>>>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> >>>>>>>> Archives: https://www.wireshark.org/lists/wireshark-users
> >>>>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >>>>>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
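An added example, not code from the thread or from the Wireshark or ClamAV projects: a small Python parser for freshclam's "is up to date" lines that records which signature databases were active for a scan, then reports which database changed between a run that flagged a file and a later run on the same file that came up clean. The sample logs are constructed from the database versions quoted in the thread (daily 21031 flagged the installers, 21032 did not, main and bytecode unchanged), and they are deliberately line-wrapped the way the mail client wrapped them, since the parser has to cope with that. The helper names (`parse_update_log`, `changed_databases`, `explain`) are my own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample freshclam output, wrapped as it appeared in the mail thread.
# Versions match the thread: this set flagged the installers on Friday.
LOG_DETECTING = """\
Sun Nov 1 08:27:42 2015 -> ClamAV update process started at Sun Nov 1
08:27:42 2015
Sun Nov 1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs:
2424225, f-level: 60, builder: neo)
Sun Nov 1 08:27:43 2015 -> daily.cld is up to date (version: 21031,
sigs: 1645560, f-level: 63, builder: neo)
Sun Nov 1 08:27:43 2015 -> bytecode.cld is up to date (version: 269,
sigs: 47, f-level: 63, builder: anvilleg)
"""

# Constructed: the later database set under which the same files scanned clean.
LOG_CLEAN = """\
Sun Nov 1 17:29:10 2015 -> ClamAV update process started at Sun Nov 1
17:29:10 2015
Sun Nov 1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs:
2424225, f-level: 60, builder: neo)
Sun Nov 1 17:29:10 2015 -> daily.cld is up to date (version: 21032,
sigs: 1645531, f-level: 63, builder: shurley)
Sun Nov 1 17:29:10 2015 -> bytecode.cld is up to date (version: 269,
sigs: 47, f-level: 63, builder: anvilleg)
"""

# One database status line; accepts both .cvd (full) and .cld (incremental) files.
_DB_LINE = re.compile(
    r"\b(?P<name>main|daily|bytecode)\.c[lv]d is up to date "
    r"\(version: (?P<version>\d+), sigs: (?P<sigs>\d+), "
    r"f-level: (?P<flevel>\d+), builder: (?P<builder>\w+)\)"
)


@dataclass(frozen=True)
class DbVersion:
    name: str
    version: int
    sigs: int
    flevel: int
    builder: str


def parse_update_log(text: str) -> dict[str, DbVersion]:
    """Return {database name: DbVersion} for every database line in the log.

    Mail clients wrap long lines at arbitrary points, so the text is first
    collapsed to single spaces; the regex then matches wherever the wrap fell.
    """
    flat = " ".join(text.split())
    found: dict[str, DbVersion] = {}
    for m in _DB_LINE.finditer(flat):
        found[m["name"]] = DbVersion(
            m["name"], int(m["version"]), int(m["sigs"]),
            int(m["flevel"]), m["builder"],
        )
    return found


def changed_databases(detecting: dict[str, DbVersion],
                      clean: dict[str, DbVersion]) -> list[str]:
    """Names of databases whose version differs between the two scans.

    If a detection disappears while only one database changed, that
    database's signature set is where the (possibly false) positive lived.
    """
    names = sorted(set(detecting) | set(clean))
    return [
        n for n in names
        if n not in detecting or n not in clean
        or detecting[n].version != clean[n].version
    ]


def explain(detecting_log: str, clean_log: str) -> str:
    """Human-readable attribution of a detection to a signature update."""
    before, after = parse_update_log(detecting_log), parse_update_log(clean_log)
    diffs = changed_databases(before, after)
    if not diffs:
        return "no database version change; the file or scan options differed, not the signatures"
    parts = []
    for n in diffs:
        va = before[n].version if n in before else "absent"
        vb = after[n].version if n in after else "absent"
        parts.append(f"{n}: {va} -> {vb}")
    return "detection tracks signature update(s): " + ", ".join(parts)


if __name__ == "__main__":
    print(explain(LOG_DETECTING, LOG_CLEAN))
```

Recording the database versions next to every scan result is what makes a false-positive report to the AV vendor actionable: "daily.cld 21031 flags installer X, 21032 does not" is checkable, while "my scanner says trojan" is not. The sigs count in the samples also drops from 1645560 to 1645531 between the two daily builds, which is consistent with signatures being withdrawn.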