Wireshark mailing list archives

Re: Trojans associate with Wireshark, WinPCap, etc


From: Gerald Combs <gerald () wireshark org>
Date: Sun, 1 Nov 2015 10:56:21 -0800

After updating ClamWin to daily.cld 21032 both the 32-bit and 64-bit
Windows buildbots pass the ClamWin step.

On 11/1/15 10:41 AM, Gerald Combs wrote:
The only report I've seen so far on the buildbots is
Win.Adware.Outbrowse-1168 in the NSIS uninstaller:

C:\[...]\build\cmbuild\run\RelWithDebInfo\uninstall.exe:
Win.Adware.Outbrowse-1168 FOUND

On 11/1/15 10:38 AM, gedropi () allmail net wrote:
Are you referring to only the Wireshark/WinPCap trojan or all of the
trojans?  Thanks

On Sun, Nov 1, 2015, at 10:32 AM, Gerald Combs wrote:
That should've been:

----
Sun Nov  1 17:29:10 2015 -> ClamAV update process started at Sun Nov  1
17:29:10 2015
Sun Nov  1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs:
2424225, f-level: 60, builder: neo)
Sun Nov  1 17:29:10 2015 -> daily.cld is up to date (version: 21032,
sigs: 1645531, f-level: 63, builder: shurley)
Sun Nov  1 17:29:10 2015 -> bytecode.cld is up to date (version: 269,
sigs: 47, f-level: 63, builder: anvilleg)
----

That is, daily.cld version 21032 does not report the trojan. 21031 does.
IIRC 21030 reported the trojan on Friday as well.

On 11/1/15 10:25 AM, gedropi () allmail net wrote:
ClamAV update process started at Sun Nov 01 05:58:39 2015

main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60,
builder: neo)
daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63,
builder: neo)
bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63,
builder: anvilleg)

Thanks for your response.


On Sun, Nov 1, 2015, at 10:14 AM, Gerald Combs wrote:
Which versions of the main, daily, and bytecode databases are you using?
On Friday clamscan was reporting that Win.Adware.Outbrowse-1168 was
present in some of the 32-bit Windows installers.

If I run clamscan today with the following database versions on the same
files the scans come up clean:

----
Sun Nov  1 08:27:42 2015 -> ClamAV update process started at Sun Nov  1
08:27:42 2015
Sun Nov  1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs:
2424225, f-level: 60, builder: neo)
Sun Nov  1 08:27:43 2015 -> daily.cld is up to date (version: 21031,
sigs: 1645560, f-level: 63, builder: neo)
Sun Nov  1 08:27:43 2015 -> bytecode.cld is up to date (version: 269,
sigs: 47, f-level: 63, builder: anvilleg)
----


Note that AV false positives happen often enough that we maintain a list:

https://wiki.wireshark.org/FalsePositives

As does the NSIS team (which tends to impact the Wireshark and WinPcap
installers):

http://nsis.sourceforge.net/NSIS_False_Positives


On 11/1/15 9:46 AM, gedropi () allmail net wrote:
Yes I am.  But these trojans were not present on the 28th of October.
Meaning that the database update since the 28th would have had to have
contained this misinformation. I have contacted ClamAV but they have not
responded yet.  SANS is involved in this issue as well.

On Sun, Nov 1, 2015, at 09:12 AM, Pascal Quantin wrote:
2015-11-01 17:58 GMT+01:00 <gedropi () allmail net>:


After discovering the attached trojans during a scan on the 30th, I
removed infected files, scrubbed the registry, repeated the scan. Nada.
Then, I needed to replace the networking tools by downloading fresh
copies of the removed, infected exe files.  Upon downloading various
tools from their respective websites, I repeated the virus scan to be
sure. All newly downloaded exe files were again infected with the same
trojans.

Since all the Wireshark & WinPCap files were affected, I was wondering
if any of you out there have had the same experience?

I hope that someone can help me brainstorm for a fix.  I need to use the
tools of the trade.

Thanks for any ideas.


Hi,

Are you using ClamAV by any chance? As reported by Gerald Combs
(Wireshark's leader) on the development list
(https://www.wireshark.org/lists/wireshark-dev/201510/msg00125.html) this
seems to be a false positive reported to clamav.net.

Best regards,
Pascal.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
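An added triage helper, not from the thread or the Wireshark project: it parses freshclam status output like the blocks quoted above (re-joining records that the mail client wrapped mid-parenthesis) and checks whether a Win.Adware.Outbrowse-1168 hit was produced with one of the daily.cld versions the thread reports as raising the false positive (21030 and 21031, cleared in 21032). The sample log text is constructed from the thread's quoted output.

```python
import re
from typing import Dict, List, NamedTuple

class DbInfo(NamedTuple):
    version: int
    sigs: int
    flevel: int
    builder: str

# One freshclam status record, with or without the "Sun Nov  1 17:29:10 2015 -> " prefix.
_DB_RE = re.compile(
    r"(?P<name>\w+\.c[lv]d) is up to date \(version: (?P<version>\d+), "
    r"sigs: (?P<sigs>\d+), f-level: (?P<flevel>\d+), builder: (?P<builder>\w+)\)"
)

def _unwrap(text: str) -> List[str]:
    """Re-join records that the mail client wrapped inside the parentheses."""
    records, buf = [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") == buf.count(")"):   # parentheses balanced: record complete
            records.append(buf)
            buf = ""
    return records + ([buf] if buf else [])

def parse_freshclam(text: str) -> Dict[str, DbInfo]:
    """Map each database name (main.cld/main.cvd, daily.cld, bytecode.cld) to its info."""
    dbs = {}
    for rec in _unwrap(text):
        m = _DB_RE.search(rec)
        if m:
            dbs[m["name"]] = DbInfo(int(m["version"]), int(m["sigs"]),
                                    int(m["flevel"]), m["builder"])
    return dbs

# Per the thread: daily.cld 21030 and 21031 flagged the NSIS uninstaller, 21032 did not.
FP_SIGNATURE = "Win.Adware.Outbrowse-1168"
FP_DAILY_VERSIONS = {21030, 21031}

def is_known_false_positive(signature: str, dbs: Dict[str, DbInfo]) -> bool:
    """True when the hit matches the signature and database state the thread calls a false positive."""
    daily = dbs.get("daily.cld")
    return signature == FP_SIGNATURE and daily is not None and daily.version in FP_DAILY_VERSIONS

# Constructed sample, wrapped the way the mail client wrapped Gerald's output (daily.cld 21032).
SAMPLE_21032 = """Sun Nov  1 17:29:10 2015 -> ClamAV update process started at Sun Nov  1
17:29:10 2015
Sun Nov  1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs:
2424225, f-level: 60, builder: neo)
Sun Nov  1 17:29:10 2015 -> daily.cld is up to date (version: 21032,
sigs: 1645531, f-level: 63, builder: shurley)
Sun Nov  1 17:29:10 2015 -> bytecode.cld is up to date (version: 269,
sigs: 47, f-level: 63, builder: anvilleg)"""

# Constructed sample in the unprefixed form gedropi posted (daily.cld 21031).
SAMPLE_21031 = """main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60,
builder: neo)
daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63,
builder: neo)"""
```

Run `is_known_false_positive(FP_SIGNATURE, parse_freshclam(SAMPLE_21031))` to see the known-FP case flagged, while the 21032 sample is not.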