Title: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful"
Post by: casascius on April 29, 2011, 12:29:22 AM

I just upgraded to Bitcoin.exe 0.3.21 which I downloaded directly from SourceForge.

F-Secure popped up and told me this program is "harmful" (red color and bold is how popup was displayed), asked me if I really wanted to run the program, also offered to send a sample of the program for analysis. It did not suggest the program was a "virus" or any similar notation. Nothing shows in the "Virus and spyware history" screen of F-Secure's UI. I allowed the program to run.

The MD5 hash of my Bitcoin.exe is ff24783f67e7827546b8c5d8a1961398

It occurred to me that someone may be mining with a botnet, and in the process of doing so, sending the entire Bitcoin client to victims (though not sure why doing this would be desirable to the botnet operator, unless perhaps it's going out with a pre-seeded wallet file with keys known to the bot herder). But if this is the case, it would make sense why it might be getting flagged by antivirus if it is appearing as unwanted "crap" on people's computers.

Title: Re: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful"
Post by: theymos on April 29, 2011, 12:44:04 AM

It's probably just a false positive. The bitcoin.exe I downloaded had the same MD5, so it probably wasn't intercepted at your end, at least.

Title: Re: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful"
Post by: casascius on April 29, 2011, 12:52:21 AM

I agree, false positive. But the concern would be the possibility that Bitcoin.exe is being spread via botnets to people who don't want it (ostensibly for the purpose of stealing some CPU mining time). That'll make it "false positive" on virtually every antivirus platform out there after not too long, if it becomes known as something that "appears" on infected computers.

Maybe we should have a separate build of "Bitcoin, Botnet Edition" with the UI removed so those who want to go infect computers with it won't get the normal client tagged on AV vendors' lists of unwanted software. (tongue in cheek suggestion)

Title: Re: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful"
Post by: Mike Hearn on April 29, 2011, 09:31:58 AM

The problems with AV false positives are probably due to a mix of:
The solution is for Gavin to sign the binaries with a key he controls, so that cert can establish a good reputation. Then these alerts will start going away.

Moving away from IRC based peer discovery would help too - it's not a very scalable mechanism anyway. Fortunately Jeff has done some good work on DNS based discovery, it's just not quite ready to replace IRC yet.

Title: Re: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful"
Post by: HostFat on April 29, 2011, 09:40:05 AM

"Fortunately Jeff has done some good work on DNS based discovery, it's just not quite ready to replace IRC yet."

Can you give me a link to some documentation? How does this way of finding peers work?

Title: Re: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful"
Post by: LZ on April 29, 2011, 09:57:54 AM

Doesn't it just connect to bitseed.xf2.org and bitseed.bitcoin.org.uk?

Title: Re: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful"
Post by: Mike Hearn on April 29, 2011, 12:03:47 PM

Yes, but I want to integrate it as the default mechanism in BitCoinJ. I think at our current rate of progress by the end of the summer there'll be at least one and maybe two Android clients, and my plan is that they'll be using DNS rather than IRC. So don't give up on it :-)

Title: Re: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful"
Post by: just_someguy on April 29, 2011, 02:24:21 PM

Vladimir,

I'm the guy who submitted the recent peer discovery stuff to bitcoinj and I plan on doing some work on dns discovery this weekend. ([mike] pointed me in the right direction.) It will most likely end up in bitcoinj pretty soon.

Title: Re: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful"
Post by: Matt Corallo on April 29, 2011, 04:59:50 PM

For reference, virus total output:
Code:
Complete scanning result of "bitcoin.exe", processed in VirusTotal at 04/29/2011 18:58:40 (CET).

Title: Re: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful"
Post by: just_someguy on April 29, 2011, 07:08:52 PM

Are there dns servers for testnet or just the production network?