
Today's antiviruses' false positives. Detection problem or intentionally overlooked?

(work in progress) Getting started with a programming language and writing your own applications is really fascinating for all beginners. I remember when I wrote my first lines of code in GW-BASIC. It was really exciting being able to talk to the computer and get responses that you had just programmed in. Even more exciting was the look on your friends' faces when they were surprised at how you did that. Nowadays, a significant number of people are familiar with programming languages and there is no magic to it any more. Programming languages have evolved considerably since then and, depending on what you need to do to make your life easier, you just come up with an algorithm and write/compile it in your favorite programming language, or you choose the most appropriate programming language for this particular task. Usually, after a little bit of debugging and adding a couple of things at the last minute, which were not in the original design but which you started thinking would make it look a little bit better, you end up with a custom made application. Of course, you are quite proud of putting it together and the next thing you want to do is, you guessed it, tell your friends about it. That is where your modern day problems begin. Your friends reply that the application you sent them is malicious, or contained a Trojan, or that they never received it because their email antivirus deleted the attached file. This is where you try to convince them that what they see is a false positive alert. Good luck with that; you just became the bad guy who tried to deceive them and send them a malicious piece of software. The ones who can review your source code agree with you that it is a false positive, but for the rest of them it is a lost cause. The quickest and easiest way to analyze the file is to upload it to a website such as VirusTotal and assess the outcome.
This problem with custom made applications initiated the idea of looking closer at the issue of false positives, and the decision was made to investigate it. In order to do that, three custom made applications were chosen which are not malicious in any case, and I would be more than happy to provide you the source code to verify it, upon written request. The applications used for the investigation are: xip.exe, OnlineFileProperties.exe, wget.exe and KeepMeIn.exe.

[xip.exe] In the first case, six out of forty-two results classified the application xip.exe as a threat. More specifically:
SHA256: 9757cac64238c14d5f970711f3f67465cc4be04161070fe0e65c7e428cf95546
SHA1: 8af15a14bd4ad06c0a9fbdec14a43a67539e61c3
MD5: 50ee45f4855257f978f4a442b3823bce
File size: 7.0 KB (7168 bytes)
File name: xIP.exe
File type: Win32 EXE
Detection ratio: 6 / 42
Analysis date: 2012-07-12 07:51:18 UTC

AntiVir: TR/VB.Downloader.Gen
Emsisoft: Trojan-PWS.Win32.QQPass!IK
Ikarus: Trojan-PWS.Win32.QQPass
PCTools: HeurEngine.ZeroDayThreat
Symantec: Suspicious.Emit
TheHacker: Posible_Worm32

G.Fragkos Aug/2012

The Description: This is a tiny command line tool whose only function is to perform a web request and display your external IP address as the response on the console. More specifically, a specific webpage is hardcoded in the source code which, upon request, displays your external IP address using PHP. The output of this webpage is parsed and displayed on the command line.

[OnlineFileProperties.exe] In the next case, three out of forty-two results classified the application OnlineFileProperties.exe as a threat. More specifically:
SHA256: bbef0d99e39a844191d14f6c54d3228ca4c2df9d09c329d24ea42592ce9af7c4
SHA1: 630f0adab6376b4985c35282efd446561ecd44da
MD5: c9e75ef93de9910b42a15120102f1c29
File size: 36.0 KB (36864 bytes)
File name: OnlineFileProperties.exe
File type: Win32 EXE
Detection ratio: 3 / 42
Analysis date: 2012-07-12 08:11:22 UTC

BitDefender: Gen:Trojan.Heur.VB.cm0@d0TVztdi
F-Secure: Gen:Trojan.Heur.VB.cm0@d0TVztdi
GData: Gen:Trojan.Heur.VB.cm0@d0TVztdi

The Description: Another simple application, with a GUI, which accepts a URL as input, e.g. http://www.iana.org/, performs a request to the server and returns the HEADER information of the reply.

[wget.exe] In this case, three out of forty results classified the application wget.exe as a threat. More specifically:
SHA256: f55ac16a01c9e8ab10c904d12f20f2d2958eb935b264bc2abfc7e9ec19e5c012
SHA1: 30bc522efacd3bf5fa37358ed39973c4fe0e0956
MD5: 7016f0d536593b4f0a560f1a08e523c5
File size: 7.0 KB (7168 bytes)
File name: wget.exe
File type: Win32 EXE
Detection ratio: 3 / 40
Analysis date: 2012-07-12 08:38:42 UTC

Emsisoft: Trojan-Spy.Win32.VB!IK
Ikarus: Trojan-Spy.Win32.VB
TheHacker: Posible_Worm32

The Description: This is a Windows implementation of the wget command line tool found under Linux. More specifically, given the web address of a file as an argument, the tool downloads that file to your local system.


[KeepMeIn.exe] Last but not least, one out of forty-two results classified the application KeepMeIn.exe as a threat. More specifically:
SHA256: 17fe25e856a706ec6c31368131f04333b08497125c4646d841578e18d309054b
SHA1: 7eb9db1e297b613ed5aa54c8bd7a6fa16d7ebb8d
MD5: 77e6d7a1c8b63efe7c0e22bc20e5fa61
File size: 6.0 KB (6144 bytes)
File name: KeepMeIn.exe
File type: Win32 EXE
Detection ratio: 1 / 42
Analysis date: 2012-07-12 08:47:38 UTC

TheHacker: Posible_Worm32

The Description: This application, in contrast to the previous ones, does not access the Internet. It runs locally and does only one simple task: it performs mouse events at regular intervals in order to stop the screensaver from running when you are not using your computer.

On the other hand, a test was made by creating a larger (in file size) application, composed of a large number of functions which in their turn had many lines of code to execute. Part of the programmed tasks was to access a couple of web pages and return some info after processing the response. The application wasn't doing anything suspicious and the antivirus vendors classified it as not a threat. To give you an example, such an application would access a number of weather websites and return average temperature values for a number of predefined locations. However, the application had a way to manipulate the response from the web pages it was accessing in order to execute a command on the client's side. Thus, that behavior classifies it as malicious, of course.

The point that needs to be made here is that it seems to me that antivirus vendors have a generic rule that says: if it is small and weird, even though you don't have proof, classify it as a threat; if it is massive and seems to do a lot of stuff that I don't really get, as I don't want to waste my time looking into it in detail, just classify it as legitimate and time will show. However, this hypothetical behavior, which I again say is just a personal assumption, has a serious effect on people who just want to make legitimate applications for everyday use, which are also free to download and distribute, and who are also willing to prove it by releasing the source code. Yes, you can go and report a false positive to the respective antivirus vendor(s), but sometimes there are just too many of them to keep doing that for every little piece of software someone develops.
The real problem starts when the antivirus vendor comes back to you and says that they are right, and the application reported as a false positive is still classified as such. In some cases the developer may have no problem disclosing the source code to the antivirus vendor for an actual test, but this is not a realistic solution, as it won't be long before all unknown custom made applications without a paid certificate are classified as threats unless the developer releases the source code to the antivirus vendor(s). Oh, wait, is that what actually happens today, already? Well, there is no significant proof of that, but this is my general feeling.
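The four scan records above share one layout, and the observation running through this article is that most of the verdicts are heuristic or generic labels rather than named malware families. The following Python script is an added example, not part of the article and not VirusTotal's API or any vendor's tooling: it transcribes two of the records into a dictionary layout of my own choosing (hashes, sizes and labels copied from the page), recomputes MD5/SHA1/SHA256 of a local file so a developer can confirm that the copy a friend complains about is the exact build that was scanned, parses the detection ratio, and splits the vendors into "generic-looking" and "named" verdicts. The marker list used for that split is my assumption for this example, not a vendor taxonomy.

```python
"""Triage helper for VirusTotal-style scan records (constructed example).

The record layout and GENERIC_MARKERS are assumptions of this example; the hash
values, sizes and vendor labels are copied from the scan results quoted in the article.
"""
import hashlib
import re

XIP_RECORD = {
    "file_name": "xIP.exe",
    "size": 7168,
    "md5": "50ee45f4855257f978f4a442b3823bce",
    "sha1": "8af15a14bd4ad06c0a9fbdec14a43a67539e61c3",
    "sha256": "9757cac64238c14d5f970711f3f67465cc4be04161070fe0e65c7e428cf95546",
    "detection_ratio": "6 / 42",
    "detections": {
        "AntiVir": "TR/VB.Downloader.Gen",
        "Emsisoft": "Trojan-PWS.Win32.QQPass!IK",
        "Ikarus": "Trojan-PWS.Win32.QQPass",
        "PCTools": "HeurEngine.ZeroDayThreat",
        "Symantec": "Suspicious.Emit",
        "TheHacker": "Posible_Worm32",
    },
}

ONLINEFILEPROPERTIES_RECORD = {
    "file_name": "OnlineFileProperties.exe",
    "size": 36864,
    "md5": "c9e75ef93de9910b42a15120102f1c29",
    "sha1": "630f0adab6376b4985c35282efd446561ecd44da",
    "sha256": "bbef0d99e39a844191d14f6c54d3228ca4c2df9d09c329d24ea42592ce9af7c4",
    "detection_ratio": "3 / 42",
    "detections": {
        "BitDefender": "Gen:Trojan.Heur.VB.cm0@d0TVztdi",
        "F-Secure": "Gen:Trojan.Heur.VB.cm0@d0TVztdi",
        "GData": "Gen:Trojan.Heur.VB.cm0@d0TVztdi",
    },
}

# Label tokens that usually indicate a heuristic/generic verdict rather than a named family.
# Assumed list for this example; extend it for the vendors you actually deal with.
GENERIC_MARKERS = ("heur", "gen", "generic", "suspicious", "posible", "zeroday")


def parse_ratio(text):
    """Turn a detection ratio such as '6 / 42' into the tuple (hits, total)."""
    m = re.fullmatch(r"\s*(\d+)\s*/\s*(\d+)\s*", text)
    if m is None:
        raise ValueError(f"unrecognised detection ratio: {text!r}")
    hits, total = int(m.group(1)), int(m.group(2))
    if total == 0 or hits > total:
        raise ValueError(f"implausible detection ratio: {text!r}")
    return hits, total


def is_generic_label(label):
    """True when any token of the vendor label starts with one of GENERIC_MARKERS."""
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    for tok in tokens:
        if tok and any(tok.startswith(mark) for mark in GENERIC_MARKERS):
            return True
    return False


def file_digests(data):
    """MD5, SHA1 and SHA256 of the bytes as lowercase hex, the form the scan page shows."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_record(data, record):
    """Check that local bytes are exactly the build the scan record describes."""
    digests = file_digests(data)
    return len(data) == record["size"] and all(
        digests[algo] == record[algo].lower() for algo in ("md5", "sha1", "sha256")
    )


def triage(record):
    """Summarise a record: ratio, which vendors gave generic verdicts, and consistency."""
    hits, total = parse_ratio(record["detection_ratio"])
    generic = sorted(v for v, lbl in record["detections"].items() if is_generic_label(lbl))
    specific = sorted(v for v in record["detections"] if v not in generic)
    return {
        "file_name": record["file_name"],
        "hits": hits,
        "total": total,
        "generic_vendors": generic,
        "specific_vendors": specific,
        # every flagging engine used a heuristic/generic name
        "all_generic": hits > 0 and len(generic) == len(record["detections"]),
        # listed verdicts agree with the stated ratio
        "consistent": hits == len(record["detections"]),
    }


if __name__ == "__main__":
    for rec in (XIP_RECORD, ONLINEFILEPROPERTIES_RECORD):
        print(triage(rec))
    print(matches_record(b"constructed bytes, not the real binary", XIP_RECORD))
```

Running the script prints a summary per record and `False` for the constructed bytes, since they are not the scanned build. The hash comparison is the step worth keeping in your own workflow: a verdict only tells you something about the bytes that were actually uploaded, so check that the file in the complaint hashes to the record before arguing about false positives.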


http://www.wired.com/wiredenterprise/2012/03/antivirus/?utm_source=Contextly&utm_medium=RelatedLinks&utm_campaign=Previous
