Bitcoin Forum
December 08, 2016, 12:19:33 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful"  (Read 2151 times)
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
April 29, 2011, 12:29:22 AM
 #1

I just upgraded to Bitcoin.exe 0.3.21 which I downloaded directly from SourceForge.

F-Secure popped up and told me this program is "harmful" (red color and bold is how popup was displayed), asked me if I really wanted to run the program, also offered to send a sample of the program for analysis.

It did not suggest the program was a "virus" or any similar notation.  Nothing shows in the "Virus and spyware history" screen of F-Secure's UI.

I allowed the program to run.  The MD5 hash of my Bitcoin.exe is ff24783f67e7827546b8c5d8a1961398

It occurred to me that someone may be mining with a botnet, and in the process of doing so, sending the entire Bitcoin client to victims (though not sure why doing this would be desirable to the botnet operator, unless perhaps it's going out with a pre-seeded wallet file with keys known to the bot herder).  But if this is the case, it would make sense why it might be getting flagged by antivirus if it is appearing as unwanted "crap" on people's computers.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
1481156373
Hero Member
*
Offline Offline

Posts: 1481156373

View Profile Personal Message (Offline)

Ignore
1481156373
Reply with quote  #2

1481156373
Report to moderator
1481156373
Hero Member
*
Offline Offline

Posts: 1481156373

View Profile Personal Message (Offline)

Ignore
1481156373
Reply with quote  #2

1481156373
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
theymos
Administrator
Legendary
*
expert
Offline Offline

Activity: 2492


View Profile
April 29, 2011, 12:44:04 AM
 #2

It's probably just a false positive. The bitcoin.exe I downloaded had the same MD5, so it probably wasn't intercepted at your end, at least.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
April 29, 2011, 12:52:21 AM
 #3

I agree, false positive.  But the concern would be the possibility that Bitcoin.exe is being spread via botnets to people who don't want it (ostensibly for the purpose of stealing some CPU mining time).  That'll make it "false positive" on virtually every antivirus platform out there after not too long, if it becomes known as something that "appears" on infected computers.

Maybe we should have a separate build of "Bitcoin, Botnet Edition" with the UI removed so those who want to go infect computers with it won't get the normal client tagged on AV vendors' lists of unwanted software. (tongue in cheek suggestion)

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526


View Profile
April 29, 2011, 09:31:58 AM
 #4

The problems with AV false positives are probably due to a mix of:

  • Not signing the binaries. This is now standard practice in the Windows world.
  • So every binary has a new, unknown reputation (just like viruses).
  • The fact that it contains code to connect to IRC is a big red flag. Many bots have worked that way in the past and legitimate programs rarely if ever do it.

The solution is for Gavin to sign the binaries with a key he controls, so that cert can establish a good reputation. Then these alerts will start going away. Moving away from IRC based peer discovery would help too - it's not a very scalable mechanism anyway. Fortunately Jeff has done some good work on DNS based discovery, it's just not quite ready to replace IRC yet.
HostFat
Staff
Legendary
*
Offline Offline

Activity: 2296


I support freedom of choice


View Profile WWW
April 29, 2011, 09:40:05 AM
 #5

Fortunately Jeff has done some good work on DNS based discovery, it's just not quite ready to replace IRC yet.
Can you give me a link to some documentations? How does this way to find peers works?

Eternity Wall: Messages lasting forever - The Rock Trading (ref): A good exchange / gateway Ripple, with support for multisig, since 2007. 
https://bitcointa.lk: Bitcointalk backup if offline - Bitcoin Foundation Italia - Blog: http://theupwind.blogspot.it
LZ
Staff
Legendary
*
Offline Offline

Activity: 1456


Satoshi everywhere!


View Profile WWW
April 29, 2011, 09:57:54 AM
 #6

Does not it just connect to bitseed.xf2.org and bitseed.bitcoin.org.uk?

"Never invest unless you can afford to lose your entire investment." © S3052
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526


View Profile
April 29, 2011, 12:03:47 PM
 #7

Yes, but I want to integrate it as the default mechanism in BitCoinJ. I think at our current rate of progress by the end of the summer there'll be at least one and maybe two Android clients, and my plan is that they'll be using DNS rather than IRC. So don't give up on it :-)
just_someguy
Full Member
***
Offline Offline

Activity: 125


View Profile
April 29, 2011, 02:24:21 PM
 #8

Vladimir,
I'm the guy who submitted the recent peer discovery stuff to bitcoinj and I plan on doing some work on dns discovery this weekend. ([mike] pointed me in the right direction.) It will most likely end up in bitcoinj pretty soon.
Matt Corallo
Hero Member
*****
expert
Offline Offline

Activity: 751


View Profile
April 29, 2011, 04:59:50 PM
 #9

For reference, virus total output:
Code:
Complete scanning result of "bitcoin.exe", processed in VirusTotal at 04/29/2011 18:58:40 (CET).

[ file data ]
* name..: bitcoin.exe
* size..: 7490048
* md5...: ff24783f67e7827546b8c5d8a1961398
* sha1..: bb7d7410ce62c10609b648fd6841b1a535da8866
* peid..: -

[ scan result ]
AhnLab-V3       2011.04.29.01/20110429  found nothing
AntiVir 7.11.7.87/20110429      found nothing
Antiy-AVL       2.0.3.7/20110429        found nothing
Avast   4.8.1351.0/20110429     found nothing
Avast5  5.0.677.0/20110429      found nothing
AVG     10.0.0.1190/20110429    found nothing
BitDefender     7.2/20110429    found nothing
CAT-QuickHeal   11.00/20110429  found nothing
ClamAV  0.97.0.0/20110429       found nothing
Commtouch       5.3.2.6/20110429        found nothing
Comodo  8520/20110429   found nothing
DrWeb   5.0.2.03300/20110429    found nothing
Emsisoft        5.1.0.5/20110429        found nothing
eSafe   7.0.17.0/20110428       found nothing
eTrust-Vet      36.1.8298/20110429      found nothing
F-Prot  4.6.2.117/20110429      found nothing
F-Secure        9.0.16440.0/20110429    found nothing
Fortinet        4.2.257.0/20110429      found nothing
GData   22/20110429     found nothing
Ikarus  T3.1.1.103.0/20110429   found nothing
Jiangmin        13.0.900/20110429       found nothing
K7AntiVirus     9.98.4519/20110429      found nothing
Kaspersky       9.0.0.837/20110429      found nothing
McAfee  5.400.0.1158/20110429   found nothing
McAfee-GW-Edition       2010.1D/20110429        found nothing
Microsoft       1.6802/20110429 found nothing
NOD32   6081/20110429   found nothing
Norman  6.07.07/20110429        found nothing
Panda   10.0.3.5/20110429       found nothing
PCTools 7.0.3.5/20110429        found nothing
Prevx   3.0/20110429    found nothing
Rising  23.55.04.03/20110429    found nothing
Sophos  4.64.0/20110429 found nothing
SUPERAntiSpyware        4.40.0.1006/20110429    found nothing
Symantec        20101.3.2.89/20110429   found nothing
TheHacker       6.7.0.1.184/20110429    found nothing
TrendMicro      9.200.0.1012/20110429   found nothing
TrendMicro-HouseCall    9.200.0.1012/20110429   found nothing
VBA32   3.12.16.0/20110429      found nothing
VIPRE   9154/20110429   found nothing
ViRobot 2011.4.29.4437/20110429 found nothing
VirusBuster     13.6.327.1/20110429     found nothing

[ notes ]
F-Secure DeepGuard: Suspicious:W32/Malware!Gemini http://www.f-secure.com/v-descs/suspicious_w32_malware!gemini.shtml
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99

Bitcoin Ubuntu PPA maintainer - donate to me personally: 1JBMattRztKDF2KRS3vhjJXA7h47NEsn2c
http://bitcoinrelaynetwork.org maintainer
PGP ID: 07DF 3E57 A548 CCFB 7530  7091 89BB B866 3E2E65CE
just_someguy
Full Member
***
Offline Offline

Activity: 125


View Profile
April 29, 2011, 07:08:52 PM
 #10

Are there dns servers for testnet or just the production network?
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!