The Case of Evil WinMain

1 Jun 2014, CPOL
A story about how two thirds of all antivirus programs went crazy for no obvious reason

[Image: FirstDay.PNG, the VirusTotal result on the first day (source of this image on vtotal)]  [Image: NextDay.PNG, next day it got worse]
#include <windows.h>

// The whole sample: an entry point that does nothing and exits immediately.
int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmd, int show) {
    return 0;
}

EmptyWinMainFalsePositive.zip

Introduction
One day I noticed, in the forum of one of my articles, a strange post from a scared CodeProject member saying that my sample was blocked from execution by Norton AV and moved to quarantine.
"Hmm, that's strange," I said to myself.
So I took the sample and submitted it to virustotal.com to see what was going on. VirusTotal is an excellent site which scans your binary with all available up-to-date antivirus engines and gives you back a report on what each AV thinks about the file.
And indeed, the report I got contained a virus, detected by Symantec as "suspicious-insight".

Suspicious-insight

Later I found on the web that Symantec uses a cloud-based scanner technology called "Insight", and that this cloud-based scanner is driven mainly by heuristics. So I thought:

"Ok, clearly some part of my code was considered suspicious by it."

I started by building an exe from this article of mine (around 30 lines of code).
VirusTotal result: virus "suspicious-insight".

Let's remove half of the code.
VirusTotal result: virus "suspicious-insight".

"Hmm, strange."

Let's remove the remaining half of the code so that only an empty WinMain is left.

VirusTotal result: virus "suspicious-insight".
BUT now 9 of 38 AV engines (as you can see in the first image of the article) were also screaming things like "Trojan Downloader".

Update:
After 2 years it is 26 of 42 reporting it as a trojan, so things definitely got worse.
That's about 2/3 of all AVs now.

"Hmm. What? Trojan Downloader? Where did this come from? Wasn't removing all the code supposed to remove the suspicion in the first place?"

Update:
The good news is that Symantec no longer reports it as "suspicious-insight".
The bad news is that it now reports it as "Backdoor.Trojan" ;D

Update:
After 2 years nothing has changed: still "Backdoor.Trojan" for Symantec.

So what caused two thirds of AV vendors to go NUTS?

I am starting to feel that they simply started to search for malware in libc itself. If so, that's kind of strange, because there are not that many versions of libc, and it is linked into nearly everything under the sun over and over.


Here is the mentioned VS 2008 project file + source + resulting binary that does nothing, along with the vtotal results for it.

But please go ahead and create an EMPTY C++ project to see it for yourself:
add a cpp file with this empty WinMain doing nothing, and build Release.

I found that the following switches made my poor old .dsp differ from the default VS2008 project settings:

Use static libc                              (Multi-threaded (/MT) or any other static lib switch)
Disable Whole Program Optimization           (set to No)
Disable Generate Debug Info                  (set to No)
Set Randomized Base Address to Default       (set it to Default)


And watch the havoc on virustotal.com ;D.
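Three of the four settings above leave traces in the built binary that can be checked without resubmitting it anywhere. The script below is an added example, not code from the article or its sample project. It parses the PE headers (field offsets as in the PE/COFF specification) and reports the DYNAMIC_BASE flag that the Randomized Base Address (/DYNAMICBASE) setting controls, whether a Debug data directory is present (Generate Debug Info), and which DLLs are imported; the absence of any msvcr*.dll import (msvcr90.dll is the VS2008 dynamic CRT) is treated as a hint that the CRT was linked statically with /MT. Whole Program Optimization leaves no header flag, so it is not covered. The build_sample_pe helper constructs a minimal fake PE32 image so the script runs offline; it is a test fixture, not compiler output.

```python
"""Inspect a PE file for traces of the build settings discussed in the article.

Added example, not part of the original article. Reports:
  * the DYNAMIC_BASE bit in DllCharacteristics (Randomized Base Address),
  * presence of a Debug data directory (Generate Debug Info),
  * imported DLLs, and whether any msvcr*.dll (dynamic CRT) is among them.
"""
import struct

DYNAMIC_BASE = 0x0040            # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
DIR_IMPORT, DIR_DEBUG = 1, 6     # data directory indices (import table, debug)


def inspect_pe(data: bytes) -> dict:
    """Parse the PE headers in `data` and report the build traits listed above."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    def directory(index):
        if index >= ndirs:
            return 0, 0
        return struct.unpack_from("<II", data, dirs_off + 8 * index)

    # Section table follows the optional header; needed to map RVAs to file offsets.
    sections = []
    for i in range(nsect):
        _name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError("RVA 0x%X not in any section" % rva)

    # Walk the import descriptor table (20-byte entries, terminated by an all-zero entry).
    imports = []
    imp_rva, _ = directory(DIR_IMPORT)
    if imp_rva:
        pos = rva_to_offset(imp_rva)
        while True:
            _ilt, _ts, _fwd, name_rva, _iat = struct.unpack_from("<IIIII", data, pos)
            if name_rva == 0:
                break
            noff = rva_to_offset(name_rva)
            imports.append(data[noff:data.index(b"\0", noff)].decode("ascii").lower())
            pos += 20

    debug_rva, debug_size = directory(DIR_DEBUG)
    return {
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "debug_directory": debug_rva != 0 and debug_size != 0,
        "imports": imports,
        # VS2008's dynamic CRT is msvcr90.dll; no msvcr*.dll import suggests /MT (static CRT).
        "static_crt_likely": not any(d.startswith("msvcr") for d in imports),
    }


def build_sample_pe(dynamic_base=False, with_debug=False, import_dlls=("KERNEL32.dll",)) -> bytes:
    """Constructed minimal PE32 image holding only the headers inspect_pe reads (test fixture)."""
    sect_rva, sect_off = 0x1000, 0x200
    names, name_rvas = b"", []
    cursor = sect_rva + 20 * (len(import_dlls) + 1)          # DLL names follow the descriptor table
    for dll in import_dlls:
        name_rvas.append(cursor)
        names += dll.encode("ascii") + b"\0"
        cursor += len(dll) + 1
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    body = descs + names
    debug_rva = sect_rva + len(body)
    if with_debug:
        body += b"\0" * 28                                    # placeholder debug directory entry
    body += b"\0" * (-len(body) % 0x200)

    hdr = bytearray(sect_off)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                   # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXE
    opt = 0x84 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<H", hdr, opt + 70, DYNAMIC_BASE if dynamic_base else 0)
    struct.pack_into("<I", hdr, opt + 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8 * DIR_IMPORT, sect_rva, len(descs))
    if with_debug:
        struct.pack_into("<II", hdr, opt + 96 + 8 * DIR_DEBUG, debug_rva, 28)
    struct.pack_into("<8sIIII", hdr, opt + 224, b".idata", len(body), sect_rva, len(body), sect_off)
    return bytes(hdr) + body


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_pe(dynamic_base=True)
    for key, value in inspect_pe(data).items():
        print("%-18s %s" % (key, value))
```

Run it as `python inspect_pe.py EmptyWinmainFalsePos.exe` against the article's binary to see which of the listed settings it carries; without an argument it inspects the constructed sample. The static-CRT check is a heuristic based on imports only, so a binary that loads the CRT some other way would be misreported.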

Now, those switches had been in my project file for a long time, and what they cause is pure coincidence that materialized through the poor fella in my forum and started it all. So only God knows what other switch combinations will make all AVs go even more crazy.

Which is kind of suspicious ;D, and it seems like all the Delphi guys have recently been suspicious too.

Solution?

Well. The question now is not what we should remove from sample code but what junk we should add to samples so they are not considered suspicious and blocked by AV that is so paranoid it would probably treat even its own binaries as suspicious ;D.
I am also interested in feedback from you guys:
how many of your small samples/programs are treated as "suspicious-insight" or alike? Just throw them on vtotal.
Anyway, I will append a list of ideas for solving issues like this here as I find them, along with ideas from the forum or from AV companies, if any react.

Virustotal history:

EmptyWinmainFalsePos.zip File size: 20009 bytes

MD5   : c516b5f8e194c0f00994178c7db9b717
SHA1  : b187b95bd95ca157e4b75039c19ab1dbd571160a


https://www.virustotal.com/file/fec02ba14a85a04690b5c38a431153749565b018fc17b5e0fb06d36642d0f9a3/analysis/<insert the Unix timestamp from the lines below>/

1270576549 2010.04.06 17:55:49  9/39 (23.08%)


Append the Unix timestamp at the start of each dated line to the URL above to get a working link. Later I stopped submitting the exe in a zip, because some AVs did not catch anything inside the zip, so here is the history for the non-zipped file.

-[non zipped exe]-----------------------------------------------------------------------------------------

EmptyWinmainFalsePos.exe File size: 37888 bytes

MD5   : 92ccffff01d936f577b17028387dba62
SHA1  : 14c055acf4c8ee62e849affdd601375d613b792d

https://www.virustotal.com/file/fec02ba14a85a04690b5c38a431153749565b018fc17b5e0fb06d36642d0f9a3/analysis/<insert the Unix timestamp from the lines below>/

1270576274 2010.04.06 17:51:14 10/39 (25.64%)
1270658787 2010.04.07 16:46:27 15/39 (38.46%)
1270668484 2010.04.07 19:28:04 14/39 (35.90%)
1271059131 2010.04.12 07:58:51 17/39 (43.59%)
1271417958 2010.04.16 11:39:18 20/40 (50.00%)
1272215218 2010.04.25 17:06:58 17/39 (43.59%)
1272534527 2010.04.29 09:48:47 19/39 (48.72%)
1273146379 2010.05.06 11:46:19 20/41 (48.78%)
1273946647 2010.05.15 18:04:07 19/41 (46.35%)
1282724966 2010.08.25 08:29:26 23/42 (54.80%)
1346440377 2012.08.31 19:12:57 26/42 (61.90%)
...

Update 2014.06.01:
1401646480 2014.06.01 18:14:40 36/53 (67.92%)
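To work with the history above programmatically, here is an added example that is not part of the article. It parses a few of the lines exactly as listed, rebuilds the analysis link by appending the leading Unix timestamp to the URL given above as the article instructs, confirms that the listed date is the timestamp rendered in UTC, and recomputes the detection percentage from the detections/engines count so that a listed figure which differs from the recomputed ratio is flagged rather than silently accepted. Whether the rebuilt links still resolve on virustotal.com today is not something the script checks.

```python
"""Parse the VirusTotal history lines from the article and rebuild the analysis links.

Added example, not part of the original article. HISTORY holds lines copied
from the article's non-zipped exe history; ANALYSIS_URL is the prefix the
article gives, to which the leading Unix timestamp is appended.
"""
import re
from datetime import datetime, timezone

ANALYSIS_URL = ("https://www.virustotal.com/file/"
                "fec02ba14a85a04690b5c38a431153749565b018fc17b5e0fb06d36642d0f9a3/analysis/")

# Sample lines copied from the article's history (non-zipped exe).
HISTORY = """\
1270576274 2010.04.06 17:51:14 10/39 (25.64%)
1270658787 2010.04.07 16:46:27 15/39 (38.46%)
1282724966 2010.08.25 08:29:26 23/42 (54.80%)
...
1401646480 2014.06.01 18:14:40 36/53 (67.92%)
"""

# <timestamp> <yyyy.mm.dd hh:mm:ss> <detections>/<engines> (<percent>%)
LINE_RE = re.compile(
    r"^(\d{10})\s+(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)/(\d+)\s+\(([\d.]+)%\)$")


def parse_history(text):
    """Return one record per history line; lines that do not match the format are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                  # separators such as "..." or update headers
        ts, when, hits, engines, pct = m.groups()
        ts, hits, engines, pct = int(ts), int(hits), int(engines), float(pct)
        recomputed = round(100.0 * hits / engines, 2)
        # The listed date is the Unix timestamp rendered in UTC; verify rather than assume.
        utc = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y.%m.%d %H:%M:%S")
        records.append({
            "timestamp": ts,
            "date": when,
            "timestamp_matches_date": utc == when,
            "detections": hits,
            "engines": engines,
            "percent_listed": pct,
            "percent_recomputed": recomputed,
            "percent_matches": abs(recomputed - pct) < 0.005,
            "url": ANALYSIS_URL + str(ts) + "/",     # article: append the timestamp to the URL
        })
    return records


def detection_trend(records):
    """Return (first_percent, last_percent, rise in percentage points) over the records."""
    first = records[0]["percent_recomputed"]
    last = records[-1]["percent_recomputed"]
    return first, last, round(last - first, 2)


if __name__ == "__main__":
    recs = parse_history(HISTORY)
    for r in recs:
        flag = "" if r["percent_matches"] else "  (listed %.2f%% differs)" % r["percent_listed"]
        print("%s  %2d/%2d  %6.2f%%  %s%s" % (r["date"], r["detections"], r["engines"],
                                            r["percent_recomputed"], r["url"], flag))
    print("trend: %.2f%% -> %.2f%% (+%.2f points)" % detection_trend(recs))
```

Feed it the full block above (or your own VirusTotal history) through parse_history; the percent_matches field points out lines where the listed percentage does not equal the detections/engines ratio rounded to two decimals, which is where the report's own rounding and a recomputation disagree.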
 

 

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Ladislav Nevery
Software Developer (Senior)
Slovakia
Past Projects:
[Siemens.sk]Mobile network software: HLR-Inovation for telering.at (Corba)
Medical software: CorRea module for CT scanner
[cauldron.sk]Computer Games:XboxLive/net code for Conan, Knights of the temple II, GeneTroopers, CivilWar, Soldier of fortune II
[www.elveon.com]Computer Games:XboxLive/net code for Elveon game based on Unreal Engine 3
ESET Research.
Looking for job

Article Copyright 2010 by Ladislav Nevery