casascius (OP)
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
April 29, 2011, 12:29:22 AM Last edit: April 29, 2011, 05:28:23 PM by casascius
I just upgraded to Bitcoin.exe 0.3.21 which I downloaded directly from SourceForge.
F-Secure popped up and told me this program is "harmful" (the popup showed this in red and bold), asked me if I really wanted to run the program, and also offered to send a sample of the program for analysis.
It did not suggest the program was a "virus" or any similar notation. Nothing shows in the "Virus and spyware history" screen of F-Secure's UI.
I allowed the program to run. The MD5 hash of my Bitcoin.exe is ff24783f67e7827546b8c5d8a1961398
It occurred to me that someone may be mining with a botnet, and in the process of doing so, sending the entire Bitcoin client to victims (though not sure why doing this would be desirable to the botnet operator, unless perhaps it's going out with a pre-seeded wallet file with keys known to the bot herder). But if this is the case, it would make sense why it might be getting flagged by antivirus if it is appearing as unwanted "crap" on people's computers.
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
theymos
Administrator
Legendary
Offline
Activity: 5334
Merit: 13305
April 29, 2011, 12:44:04 AM
It's probably just a false positive. The bitcoin.exe I downloaded had the same MD5, so it probably wasn't intercepted at your end, at least.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
casascius (OP)
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
April 29, 2011, 12:52:21 AM
I agree, false positive. But the concern would be the possibility that Bitcoin.exe is being spread via botnets to people who don't want it (ostensibly for the purpose of stealing some CPU mining time). That'll make it "false positive" on virtually every antivirus platform out there after not too long, if it becomes known as something that "appears" on infected computers.
Maybe we should have a separate build of "Bitcoin, Botnet Edition" with the UI removed so those who want to go infect computers with it won't get the normal client tagged on AV vendors' lists of unwanted software. (tongue in cheek suggestion)
Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1134
April 29, 2011, 09:31:58 AM
The problems with AV false positives are probably due to a mix of:
- Not signing the binaries. This is now standard practice in the Windows world.
- So every binary has a new, unknown reputation (just like viruses).
- The fact that it contains code to connect to IRC is a big red flag. Many bots have worked that way in the past and legitimate programs rarely if ever do it.
The solution is for Gavin to sign the binaries with a key he controls, so that cert can establish a good reputation. Then these alerts will start going away. Moving away from IRC based peer discovery would help too - it's not a very scalable mechanism anyway. Fortunately Jeff has done some good work on DNS based discovery, it's just not quite ready to replace IRC yet.
HostFat
Staff
Legendary
Offline
Activity: 4256
Merit: 1208
I support freedom of choice
April 29, 2011, 09:40:05 AM
Fortunately Jeff has done some good work on DNS based discovery, it's just not quite ready to replace IRC yet.
Can you give me a link to some documentation? How does this way of finding peers work?
LZ
Legendary
Offline
Activity: 1722
Merit: 1072
P2P Cryptocurrency
April 29, 2011, 09:57:54 AM
Doesn't it just connect to bitseed.xf2.org and bitseed.bitcoin.org.uk?
My OpenPGP fingerprint: 5099EB8C0F2E68C63B4ECBB9A9D0993E04143362
Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1134
April 29, 2011, 12:03:47 PM
Yes, but I want to integrate it as the default mechanism in BitCoinJ. I think at our current rate of progress by the end of the summer there'll be at least one and maybe two Android clients, and my plan is that they'll be using DNS rather than IRC. So don't give up on it :-)
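HostFat asked how DNS-based peer discovery works and LZ named the two seed hostnames. The sketch below is an added illustration, not code from bitcoinj or the Bitcoin client: it assumes the scheme the thread alludes to, where a seed hostname resolves to several A records and each address is a candidate peer. The seed hostnames come from the thread; the stub zone, the rejected-range list and every function name are constructed here so the logic runs offline. A live run would swap `stub_resolver` for `system_resolver`.

```python
import ipaddress
import random
import socket
from typing import Callable, Dict, Iterable, List, Optional

# The two seed hostnames named in the thread.
DNS_SEEDS = ["bitseed.xf2.org", "bitseed.bitcoin.org.uk"]

# Address ranges a public seed should never hand out. An answer inside one
# of them is treated as noise (misconfigured seed or a bad resolver) and
# dropped instead of being dialled.
_REJECTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Live lookup: every IPv4 address the hostname's A records carry.

    A failing seed yields an empty list rather than raising, so one dead
    seed does not stop discovery through the others."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_usable_peer(ip_text: str) -> bool:
    """Accept only a syntactically valid IPv4 address outside the rejected ranges."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in _REJECTED)


def discover_peers(seeds: Iterable[str], resolver: Resolver,
                   max_peers: int = 8, rng: Optional[random.Random] = None) -> List[str]:
    """Union the answers from all seeds, filter them, shuffle, and cap the list.

    Shuffling spreads first connections over the whole answer set instead of
    always dialling whichever address the resolver happened to list first."""
    candidates = set()
    for seed in seeds:
        for ip_text in resolver(seed):
            if is_usable_peer(ip_text):
                candidates.add(ip_text)
    picked = sorted(candidates)
    (rng or random.Random()).shuffle(picked)
    return picked[:max_peers]


# Constructed stub zone (RFC 5737 documentation addresses plus a few entries
# the filter should reject) so the discovery logic can be exercised offline.
STUB_ZONE: Dict[str, List[str]] = {
    "bitseed.xf2.org": ["192.0.2.10", "192.0.2.11", "192.0.2.12", "127.0.0.1"],
    "bitseed.bitcoin.org.uk": ["198.51.100.5", "192.0.2.11", "10.0.0.7", "not-an-ip"],
}


def stub_resolver(hostname: str) -> List[str]:
    """Offline stand-in for system_resolver backed by STUB_ZONE."""
    return list(STUB_ZONE.get(hostname, []))


if __name__ == "__main__":
    for peer in discover_peers(DNS_SEEDS, stub_resolver, rng=random.Random(1)):
        print(peer)
```

Two design points worth noting: a seed that fails to resolve contributes nothing rather than aborting the whole run, and the two seeds overlap on one address, which the set union collapses so the client does not count the same peer twice.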
just_someguy
April 29, 2011, 02:24:21 PM
Vladimir, I'm the guy who submitted the recent peer discovery stuff to bitcoinj and I plan on doing some work on dns discovery this weekend. ([mike] pointed me in the right direction.) It will most likely end up in bitcoinj pretty soon.
Matt Corallo
April 29, 2011, 04:59:50 PM
For reference, virus total output:
Complete scanning result of "bitcoin.exe", processed in VirusTotal at 04/29/2011 18:58:40 (CET).
[ file data ]
* name..: bitcoin.exe
* size..: 7490048
* md5...: ff24783f67e7827546b8c5d8a1961398
* sha1..: bb7d7410ce62c10609b648fd6841b1a535da8866
* peid..: -
[ scan result ]
AhnLab-V3 2011.04.29.01/20110429 found nothing
AntiVir 7.11.7.87/20110429 found nothing
Antiy-AVL 2.0.3.7/20110429 found nothing
Avast 4.8.1351.0/20110429 found nothing
Avast5 5.0.677.0/20110429 found nothing
AVG 10.0.0.1190/20110429 found nothing
BitDefender 7.2/20110429 found nothing
CAT-QuickHeal 11.00/20110429 found nothing
ClamAV 0.97.0.0/20110429 found nothing
Commtouch 5.3.2.6/20110429 found nothing
Comodo 8520/20110429 found nothing
DrWeb 5.0.2.03300/20110429 found nothing
Emsisoft 5.1.0.5/20110429 found nothing
eSafe 7.0.17.0/20110428 found nothing
eTrust-Vet 36.1.8298/20110429 found nothing
F-Prot 4.6.2.117/20110429 found nothing
F-Secure 9.0.16440.0/20110429 found nothing
Fortinet 4.2.257.0/20110429 found nothing
GData 22/20110429 found nothing
Ikarus T3.1.1.103.0/20110429 found nothing
Jiangmin 13.0.900/20110429 found nothing
K7AntiVirus 9.98.4519/20110429 found nothing
Kaspersky 9.0.0.837/20110429 found nothing
McAfee 5.400.0.1158/20110429 found nothing
McAfee-GW-Edition 2010.1D/20110429 found nothing
Microsoft 1.6802/20110429 found nothing
NOD32 6081/20110429 found nothing
Norman 6.07.07/20110429 found nothing
Panda 10.0.3.5/20110429 found nothing
PCTools 7.0.3.5/20110429 found nothing
Prevx 3.0/20110429 found nothing
Rising 23.55.04.03/20110429 found nothing
Sophos 4.64.0/20110429 found nothing
SUPERAntiSpyware 4.40.0.1006/20110429 found nothing
Symantec 20101.3.2.89/20110429 found nothing
TheHacker 6.7.0.1.184/20110429 found nothing
TrendMicro 9.200.0.1012/20110429 found nothing
TrendMicro-HouseCall 9.200.0.1012/20110429 found nothing
VBA32 3.12.16.0/20110429 found nothing
VIPRE 9154/20110429 found nothing
ViRobot 2011.4.29.4437/20110429 found nothing
VirusBuster 13.6.327.1/20110429 found nothing
[ notes ]
F-Secure DeepGuard: Suspicious:W32/Malware!Gemini http://www.f-secure.com/v-descs/suspicious_w32_malware!gemini.shtml
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
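theymos ruled out tampering at the download end by comparing the MD5 of his copy with casascius's, and the VirusTotal report above publishes both an MD5 and a SHA-1 for the same file. The script below is an added example, not part of the thread or of the Bitcoin project: it parses digests out of a report line in that 2011 VirusTotal layout, hashes a local file with every algorithm the report lists, and compares in constant time. The sample report string is constructed from the digests posted above; `parse_published_digests`, `verify_download` and the other names are this example's own. Checking SHA-1 alongside MD5 matters because MD5 is collision-prone; and a matching digest only shows the file is the one the publisher hashed, which is why Mike Hearn's point about signing the binaries, so a key and not just a digest vouches for the build, is the stronger fix.

```python
import hashlib
import hmac
import re
import sys
from typing import Dict, Iterable

# Constructed sample in the layout VirusTotal printed in 2011, carrying the
# two digests posted in the thread; it exists only to exercise the parser.
SAMPLE_FILE_DATA = ("[ file data ] * name..: bitcoin.exe * size..: 7490048 "
                    "* md5...: ff24783f67e7827546b8c5d8a1961398 "
                    "* sha1..: bb7d7410ce62c10609b648fd6841b1a535da8866 * peid..: -")

# Matches "* md5...: <hex>" style fields; sha256 is accepted too in case a
# newer report carries one.
_DIGEST_FIELD = re.compile(r"\*\s*(md5|sha1|sha256)\.*:\s*([0-9A-Fa-f]+)")


def parse_published_digests(report: str) -> Dict[str, str]:
    """Map algorithm name -> lowercase hex digest for every field in the report."""
    return {alg.lower(): hexd.lower() for alg, hexd in _DIGEST_FIELD.findall(report)}


def compute_digests(data: bytes, algorithms: Iterable[str]) -> Dict[str, str]:
    """Hash the same bytes once per requested algorithm."""
    result = {}
    for alg in algorithms:
        h = hashlib.new(alg)
        h.update(data)
        result[alg] = h.hexdigest()
    return result


def verify_download(data: bytes, published: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match result; hmac.compare_digest avoids timing leaks."""
    actual = compute_digests(data, published)
    return {alg: hmac.compare_digest(actual[alg], published[alg]) for alg in published}


def all_digests_match(results: Dict[str, bool]) -> bool:
    """True only when at least one digest was published and every one matched."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Usage: python verify_download.py path/to/bitcoin.exe
    path = sys.argv[1] if len(sys.argv) > 1 else "bitcoin.exe"
    with open(path, "rb") as fh:
        outcome = verify_download(fh.read(), parse_published_digests(SAMPLE_FILE_DATA))
    for alg, ok in outcome.items():
        print(f"{alg}: {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if all_digests_match(outcome) else 1)
```

The exit status makes the check usable from a script: a build that fails any listed digest exits non-zero, and an empty digest set is treated as a failure rather than a vacuous pass.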
just_someguy
April 29, 2011, 07:08:52 PM
Are there dns servers for testnet or just the production network?