Bitcoin Forum
Author Topic: Versions of bitcoin core?  (Read 1618 times)
PeterTheGrape (OP)
April 13, 2017, 08:02:02 PM
#1

Downloaded the zipped and installable bitcoin qt's and noticed they had different hashes, though otherwise very similar

https://virustotal.com/en/file/822240e8e036cec48137ca64c3407f58cbfa877d0b5c6b08a2028c4a2fd86818/analysis/1492112786/

https://virustotal.com/en/file/2b050cffb91137d756a3860d699e15130dfda5b0defc9ea0063526d24df2a0f0/analysis/1492112839/

Then clicked on the other virustotal uploads that included the qt

https://virustotal.com/en/file/f260d52cf2fe91c4be99ed6fcf8aa0de669ff326c5da920b7ed3a3e2ec981e0a/analysis/

https://virustotal.com/en/file/415693ed81cfc4960bbfcb815529003405aefbf839ef8fc901b0a2c4ef5317d0/analysis/

https://virustotal.com/en/file/78589e5a0929056611f2dcc2ac0380382f1bbbdc4a88b85e10e915f99b9d1f0b/analysis/

https://virustotal.com/en/file/7996a8d3c0a9e4e6af75fe91a4ef6cb1afd7e2e62a79428031f88d16088afb10/analysis/

https://virustotal.com/en/file/cce4f2c01fe6b6bb7fbd5cdc0827c73ee5f1b3f05b2fc9951104f586a2be12b1/analysis/

Should a person be concerned that there are two different hashes for the same bitcoin-qt.exe 0.14.0.0, i.e., the first two virustotals above?
achow101 (Moderator)
April 13, 2017, 09:52:56 PM
Merited by ABCbits (1)
#2

This is normal and completely fine. You can replicate the results yourself if you go through the gitian build process. The reason this happens is because one is in the installer and gets a couple of extra things because of NSIS and the other is just the plain binary file that comes straight out of compiling.

PeterTheGrape (OP)
April 14, 2017, 03:34:28 PM
#3

Just got an alert from Antivirus that this malware Trojan:Win32/Rundas.B was found inside the Bitcoin core bitcoind.

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0
achow101 (Moderator)
April 14, 2017, 03:38:03 PM
#4

Quote from: PeterTheGrape on April 14, 2017, 03:34:28 PM
    Just got an alert from Antivirus that this malware Trojan:Win32/Rundas.B was found inside the Bitcoin core bitcoind.

    https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0
As long as you have verified the binary when you downloaded it from bitcoin.org, it is safe and legitimate. Antivirus software will often flag Bitcoin Core as a virus because it contains mining code (to allow you to mine on testnet and regtest) and looks for a wallet.dat file (that's the wallet file that Core uses and creates).

PeterTheGrape (OP)
April 14, 2017, 05:09:21 PM
#5

Quote from: achow101 on April 14, 2017, 03:38:03 PM
    Quote from: PeterTheGrape on April 14, 2017, 03:34:28 PM
        Just got an alert from Antivirus that this malware Trojan:Win32/Rundas.B was found inside the Bitcoin core bitcoind.

        https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0
    As long as you have verified the binary when you downloaded it from bitcoin.org, it is safe and legitimate. Antivirus software will often flag Bitcoin Core as a virus because it contains mining code (to allow you to mine on testnet and regtest) and looks for a wallet.dat file (that's the wallet file that Core uses and creates).

The hashes were the ones I posted. It was listed as safe on virustotal.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Items:
containerfile:C:\Users\xxxxx\Downloads\bitcoin-0.14.0-win64.zip
file:C:\Users\xxxxx\Downloads\bitcoin-0.14.0-win64.zip->bitcoin-0.14.0/bin/bitcoind.exe

Get more information about this item online.
achow101 (Moderator)
April 14, 2017, 05:12:33 PM
#6

Quote from: PeterTheGrape on April 14, 2017, 05:09:21 PM
    The hashes were the ones I posted.
Then there is no problem and you can ignore the warning and tell your antivirus that it is a false positive.

PeterTheGrape (OP)
April 17, 2017, 04:01:15 AM
#7

Quote from: achow101 on April 14, 2017, 05:12:33 PM
    Quote from: PeterTheGrape on April 14, 2017, 05:09:21 PM
        The hashes were the ones I posted.
    Then there is no problem and you can ignore the warning and tell your antivirus that it is a false positive.

1) This looks like a real virus https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0

2) I downloaded several versions, the zipped, the installer etc.

3) The virus was found only in the zipped copy.

4) All were downloaded directly from the bitcoin.org website https://bitcoin.org/en/download

5) It was the 'bitcoind' file specifically that Windows Defender said had a problem. That was the part of the file that Armory used.

I reinstalled the operating system now but still it seems like things are pretty low tech for a program that people are expected to trust a lot of money with. A bare minimum add-on to bitcoin might be some program that automatically checks the hashes of certain files that don't change, like bitcoind. I've been using coins for a while but stopped using bitcoin wallets when they got above 10gb, the only reason I use it now is to get the functionality of Armory.

If it were a false positive then it seems like it would have alerted on the other bitcoind files? Coins are great but a lot of people are going to be too trusting as they attach to strangers' computers to try and download 100+ gb.
achow101 (Moderator)
April 17, 2017, 04:08:43 AM
#8

Quote from: PeterTheGrape on April 17, 2017, 04:01:15 AM
    1) This looks like a real virus https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0

    2) I downloaded several versions, the zipped, the installer etc.

    3) The virus was found only in the zipped copy.

    4) All were downloaded directly from the bitcoin.org website https://bitcoin.org/en/download

    5) It was the 'bitcoind' file specifically that Windows Defender said had a problem. That was the part of the file that Armory used.

    I reinstalled the operating system now but still it seems like things are pretty low tech for a program that people are expected to trust a lot of money with. A bare minimum add-on to bitcoin might be some program that automatically checks the hashes of certain files that don't change, like bitcoind. I've been using coins for a while but stopped using bitcoin wallets when they got above 10gb, the only reason I use it now is to get the functionality of Armory.

    If it were a false positive then it seems like it would have alerted on the other bitcoind files? Coins are great but a lot of people are going to be too trusting as they attach to strangers' computers to try and download 100+ gb.
If the hash of the zip file matches the hash published on Bitcoin.org and the ones published here: https://github.com/bitcoin-core/gitian.sigs/tree/master/0.14.0-win-unsigned, then I can guarantee you that there is no virus whatsoever. The distributed binaries are built deterministically (meaning that everyone who builds it using the same build process will always get identical binaries) by multiple people, and the hashes are checked and signed by the PGP keys of those people. If the hash that you get from the download matches the hashes of the files built by everyone in the build process (including myself), then the download is genuine and there is no virus.

If you don't trust that there is no virus there, you can even build it yourself and generate the same results.

PeterTheGrape (OP)
April 17, 2017, 02:51:11 PM
#9

Quote from: achow101 on April 17, 2017, 04:08:43 AM
    Quote from: PeterTheGrape on April 17, 2017, 04:01:15 AM
        1) This looks like a real virus https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0

        2) I downloaded several versions, the zipped, the installer etc.

        3) The virus was found only in the zipped copy.

        4) All were downloaded directly from the bitcoin.org website https://bitcoin.org/en/download

        5) It was the 'bitcoind' file specifically that Windows Defender said had a problem. That was the part of the file that Armory used.

        I reinstalled the operating system now but still it seems like things are pretty low tech for a program that people are expected to trust a lot of money with. A bare minimum add-on to bitcoin might be some program that automatically checks the hashes of certain files that don't change, like bitcoind. I've been using coins for a while but stopped using bitcoin wallets when they got above 10gb, the only reason I use it now is to get the functionality of Armory.

        If it were a false positive then it seems like it would have alerted on the other bitcoind files? Coins are great but a lot of people are going to be too trusting as they attach to strangers' computers to try and download 100+ gb.
    If the hash of the zip file matches the hash published on Bitcoin.org and the ones published here: https://github.com/bitcoin-core/gitian.sigs/tree/master/0.14.0-win-unsigned, then I can guarantee you that there is no virus whatsoever. The distributed binaries are built deterministically (meaning that everyone who builds it using the same build process will always get identical binaries) by multiple people, and the hashes are checked and signed by the PGP keys of those people. If the hash that you get from the download matches the hashes of the files built by everyone in the build process (including myself), then the download is genuine and there is no virus.

    If you don't trust that there is no virus there, you can even build it yourself and generate the same results.

So, in my situation, the advice you would give to a new person is to tell the antivirus to ignore the alert?

I'll remind you again
I had just downloaded at least two versions of bitcoin from the bitcoin website.
About a day later one of the two alerted on an antivirus as having Rundas.B

Asking again
Your advice to a new person would be "Ignore the alert" / "tell the anti virus not to delete the alerted program"?

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Rundas.B

https://bitcointalk.org/index.php?topic=1651017.msg17069334#msg17069334

From 2 days ago https://forum.ethereum.org/discussion/11946/windows-defender-detectet-rundas-b-troyan-in-ethminer-exe
achow101 (Moderator)
April 17, 2017, 02:59:29 PM
Merited by ABCbits (1)
#10

Quote from: PeterTheGrape on April 17, 2017, 02:51:11 PM
    So, in my situation, the advice you would give to a new person is to tell the antivirus to ignore the alert?

    I'll remind you again
    I had just downloaded at least two versions of bitcoin from the bitcoin website.
    About a day later one of the two alerted on an antivirus as having Rundas.B

    Asking again
    Your advice to a new person would be "Ignore the alert" / "tell the anti virus not to delete the alerted program"?

    http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Rundas.B

    https://bitcointalk.org/index.php?topic=1651017.msg17069334#msg17069334

    From 2 days ago https://forum.ethereum.org/discussion/11946/windows-defender-detectet-rundas-b-troyan-in-ethminer-exe
My advice is that you fully verify that the binary is legitimate by downloading the SHA256SUMS.asc file, verifying the GPG signature with Wladimir's release key, and then checking that the sha256 of the binary package you download matches what is in the SHA256SUMS.asc. If that all matches and verifies, then yes, ignore the antivirus and tell it that it is a false positive.

This is not a new issue. This has happened for all versions of Bitcoin Core. Antivirus software will always flag Bitcoin Core as a virus, especially with new versions since people haven't reported the false positive for the new version yet.

How many times do I need to repeat myself? If you fully verify that the download is legitimate, then the antivirus is wrong and it is a false positive.

I have already stated why antivirus software does this.
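The verification procedure achow101 describes (download SHA256SUMS.asc, verify its GPG signature against the release key, then compare the package's SHA-256 with the listed entry), as an added Python example that is not part of the thread and not Bitcoin Core's own tooling. It assumes the SHA256SUMS file uses the coreutils `<hex sha256>  <filename>` layout inside a clearsigned PGP message; the release-key fingerprint is a placeholder, and the two sample packages and their hashes are constructed here, not the real 0.14.0 values. It also shows why the zip and the installer legitimately carry different hashes: they are separate entries in the same signed list.

```python
"""Check a downloaded release package against a signed SHA256SUMS list.

Added example, not from the thread or from Bitcoin Core. Assumptions:
SHA256SUMS(.asc) is a clearsigned file of `<hex sha256>  <filename>`
lines; RELEASE_KEY_FINGERPRINT is a placeholder; the sample data at the
bottom is constructed for this example.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# Placeholder, NOT the real release key: put the fingerprint you obtained
# out of band (not from the same download page) here.
RELEASE_KEY_FINGERPRINT = "0000000000000000000000000000000000000000"

# One checksum line: 64 hex chars, whitespace, optional '*' (binary mode), filename.
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Return {filename: sha256hex}; armour headers, the signature block
    and any other non-checksum lines are skipped."""
    sums = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_package(sums_text: str, filename: str, data: bytes) -> tuple[bool, str]:
    """Compare the SHA-256 of `data` with the entry for `filename`.

    A package that is not listed fails rather than passes: an unlisted
    file has no attestation at all.
    """
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return False, f"{filename} is not listed in SHA256SUMS"
    actual = sha256_hex(data)
    if actual != expected:
        return False, f"hash mismatch: got {actual}, expected {expected}"
    return True, "hash matches the signed list"


def verify_signature(sums_path: Path, key_fingerprint: str = RELEASE_KEY_FINGERPRINT) -> bool:
    """Run `gpg --verify` on the clearsigned list and require that the
    good signature comes from the expected key.

    Reads gpg's machine-readable status lines (--status-fd) instead of
    grepping human text. Needs gpg on PATH and the key already imported;
    not exercised by the offline sample below.
    """
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(sums_path)],
        capture_output=True, text=True,
    )
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG"):
            fields = line.split()
            # fields[2] is the signing (sub)key fingerprint, the last field
            # the primary key fingerprint; accept either.
            return key_fingerprint.upper() in (fields[2].upper(), fields[-1].upper())
    return False  # no VALIDSIG line: bad signature, unknown key, or gpg missing


# Constructed sample: two packages from one release, each with its own
# hash, exactly as the zip and the installer appear as separate entries.
SAMPLE_ZIP = b"constructed stand-in for bitcoin-0.14.0-win64.zip\n"
SAMPLE_SETUP = b"constructed stand-in for bitcoin-0.14.0-win64-setup.exe\n"

SAMPLE_SHA256SUMS = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

{sha256_hex(SAMPLE_ZIP)}  bitcoin-0.14.0-win64.zip
{sha256_hex(SAMPLE_SETUP)}  bitcoin-0.14.0-win64-setup.exe
-----BEGIN PGP SIGNATURE-----
(signature block omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for name, data in [("bitcoin-0.14.0-win64.zip", SAMPLE_ZIP),
                       ("bitcoin-0.14.0-win64-setup.exe", SAMPLE_SETUP)]:
        ok, why = check_package(SAMPLE_SHA256SUMS, name, data)
        print(f"{name}: {'OK' if ok else 'FAIL'} ({why})")
```

Order matters: run `verify_signature(Path("SHA256SUMS.asc"))` first and trust the list only if it returns True; `check_package` on its own proves that the download matches the list, not who published the list. Comparing the package hash also settles the thread's opening question: both the zip and the installer are listed, with different hashes, so differing hashes between them are expected.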

PeterTheGrape (OP)
April 17, 2017, 04:06:44 PM
#11

Quote from: achow101 on April 17, 2017, 02:59:29 PM
    Quote from: PeterTheGrape on April 17, 2017, 02:51:11 PM
        So, in my situation, the advice you would give to a new person is to tell the antivirus to ignore the alert?

        I'll remind you again
        I had just downloaded at least two versions of bitcoin from the bitcoin website.
        About a day later one of the two alerted on an antivirus as having Rundas.B

        Asking again
        Your advice to a new person would be "Ignore the alert" / "tell the anti virus not to delete the alerted program"?

        http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Rundas.B

        https://bitcointalk.org/index.php?topic=1651017.msg17069334#msg17069334

        From 2 days ago https://forum.ethereum.org/discussion/11946/windows-defender-detectet-rundas-b-troyan-in-ethminer-exe
    My advice is that you fully verify that the binary is legitimate by downloading the SHA256SUMS.asc file, verifying the GPG signature with Wladimir's release key, and then checking that the sha256 of the binary package you download matches what is in the SHA256SUMS.asc. If that all matches and verifies, then yes, ignore the antivirus and tell it that it is a false positive.

    This is not a new issue. This has happened for all versions of Bitcoin Core. Antivirus software will always flag Bitcoin Core as a virus, especially with new versions since people haven't reported the false positive for the new version yet.

    How many times do I need to repeat myself? If you fully verify that the download is legitimate, then the antivirus is wrong and it is a false positive.

    I have already stated why antivirus software does this.

I have been downloading coin wallets for 4 years and have downloaded many dozens of wallets and tested lots in virustotal and elsewhere.

I am highly suspicious that two different versions of bitcoind would come bundled in two installs at the same time from bitcoin.org, one testing hot, the other not.

It tested bad on a specific trojan, not on heuristics. Something is not right.
achow101 (Moderator)
April 17, 2017, 05:07:50 PM
#12

Quote from: PeterTheGrape on April 17, 2017, 04:06:44 PM
    I have been downloading coin wallets for 4 years and have downloaded many dozens of wallets and tested lots in virustotal and elsewhere.

    I am highly suspicious that two different versions of bitcoind would come bundled in two installs at the same time from bitcoin.org, one testing hot, the other not.

    It tested bad on a specific trojan, not on heuristics. Something is not right.
Some people who are strongly anti-core have submitted some binaries of Core to antivirus vendors to list them as viruses in order to discourage people from using Core. Since they probably don't want to go through the effort of installing Core and then uninstalling it, they probably just used the binaries from the zip files. Because the binaries from the zip files are different from the ones in the installer due to NSIS, those are the ones that are flagged as viruses and not the ones in the installer.

If you still think that it is a virus, you can check that it is not for yourself. Check out the 0.14.0 source code and examine it for yourself that there is no virus in there. Then perform the same gitian deterministic build process and release process for yourself and see if the output matches. The way that gitian works is that it will always produce the same exact binaries for the same exact code (normally the binaries will differ even with the same code due to timestamps and other sources of non-determinism). If it matches, then there is no virus. If it does not match, then either you have done something wrong, or the binaries on bitcoin.org are not legitimate. However, that is likely not the case as the hashes of those on bitcoin.org match the hashes built by the multiple independent gitian builders.
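achow101's point that the bitcoin.org hashes match what several independent gitian builders produced can be checked mechanically rather than by eye. The following is an added Python example, not from the thread and not Bitcoin Core's or gitian's own tooling: it parses several builders' assert files and accepts a downloaded package only when at least two builders attested exactly its hash. It assumes a gitian.sigs assert file is YAML whose `out_manifest: |` block lists `<sha256>  <filename>` lines; the builder names and every hash below are constructed placeholders, not the real 0.14.0 values, and the PGP signature on each .assert file is assumed to have been verified separately.

```python
"""Cross-check a release file's hash against several deterministic-build
attestations.

Added example, not from the thread or from Bitcoin Core. Assumption: each
builder's .assert file is YAML with an `out_manifest: |` block of
`<sha256>  <filename>` lines. Builder names and hashes are constructed.
"""
import hashlib


def parse_out_manifest(assert_text: str) -> dict[str, str]:
    """Return {filename: sha256hex} from the out_manifest block only."""
    files = {}
    in_block = False
    for line in assert_text.splitlines():
        if line.startswith("out_manifest:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):  # next top-level key ends the block
                break
            parts = line.split()
            if len(parts) == 2 and len(parts[0]) == 64:
                files[parts[1]] = parts[0].lower()
    return files


def builder_attestations(asserts: dict[str, str], filename: str) -> dict[str, str]:
    """{builder: attested hash} for one output file across all assert files."""
    out = {}
    for builder, text in asserts.items():
        h = parse_out_manifest(text).get(filename)
        if h:
            out[builder] = h
    return out


def check_against_builders(asserts: dict[str, str], filename: str,
                           downloaded_hash: str, min_agreeing: int = 2):
    """Accept only if at least `min_agreeing` builders attested exactly the
    downloaded hash. Returns (ok, agreeing_builders, disagreeing_builders).

    A deterministic build should make every builder agree. One outlier is
    most likely that builder's own mistake, but a download whose hash
    matches only an outlier is rejected.
    """
    att = builder_attestations(asserts, filename)
    agree = sorted(b for b, h in att.items() if h == downloaded_hash.lower())
    disagree = sorted(b for b, h in att.items() if h != downloaded_hash.lower())
    return len(agree) >= min_agreeing, agree, disagree


def _fake_hash(label: str) -> str:
    # Constructed placeholder: the hash of a label string, NOT a release hash.
    return hashlib.sha256(label.encode()).hexdigest()


GOOD = _fake_hash("constructed: bitcoin-0.14.0-win64.zip")
OUTLIER = _fake_hash("constructed: builder with a broken environment")


def _assert_file(zip_hash: str) -> str:
    # Constructed assert file in the assumed shape; only out_manifest matters here.
    return (
        "---\n"
        "out_manifest: |\n"
        f"  {zip_hash}  bitcoin-0.14.0-win64.zip\n"
        f"  {_fake_hash('constructed: win32 zip')}  bitcoin-0.14.0-win32.zip\n"
        "in_manifest: |\n"
        f"  {_fake_hash('constructed: source tarball')}  bitcoin-0.14.0.tar.gz\n"
    )


# Constructed: three builders agree, one does not.
SAMPLE_ASSERTS = {
    "builder-a": _assert_file(GOOD),
    "builder-b": _assert_file(GOOD),
    "builder-c": _assert_file(GOOD),
    "builder-d": _assert_file(OUTLIER),
}

if __name__ == "__main__":
    for h in (GOOD, OUTLIER):
        ok, agree, disagree = check_against_builders(SAMPLE_ASSERTS, "bitcoin-0.14.0-win64.zip", h)
        print(f"{h[:12]}...: {'accepted' if ok else 'rejected'}; agree={agree} disagree={disagree}")
```

The threshold is the point of the exercise: a single attestation, even a signed one, only tells you what one machine produced, whereas several independent builders reaching the same hash is what makes the deterministic build meaningful. A download that matches only the outlier is exactly the "either you have done something wrong, or the binaries are not legitimate" case in the post above.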

PeterTheGrape (OP)
April 18, 2017, 05:50:05 AM
#13

Quote from: achow101 on April 17, 2017, 05:07:50 PM
    ...
    Some people who are strongly anti-core have submitted some binaries of Core to antivirus vendors to list them as viruses in order to discourage people from using Core. Since they probably don't want to go through the effort of installing Core and then uninstalling it, they probably just used the binaries from the zip files. Because the binaries from the zip files are different from the ones in the installer due to NSIS, those are the ones that are flagged as viruses and not the ones in the installer.

    If you still think that it is a virus, you can check that it is not for yourself. Check out the 0.14.0 source code and examine it for yourself that there is no virus in there. Then perform the same gitian deterministic build process and release process for yourself and see if the output matches. The way that gitian works is that it will always produce the same exact binaries for the same exact code (normally the binaries will differ even with the same code due to timestamps and other sources of non-determinism). If it matches, then there is no virus. If it does not match, then either you have done something wrong, or the binaries on bitcoin.org are not legitimate. However, that is likely not the case as the hashes of those on bitcoin.org match the hashes built by the multiple independent gitian builders.

Your first paragraph would explain things to my satisfaction, if that's what happens. Coins are becoming dirty pool but I guess with billions of dollars at stake it's the same as any business. I'm not going to go through all the technical efforts in your second paragraph but you obviously have some expertise so that works. Thanks.