
Enough with the UPX packed virus false alarms -- ENOUGH


19 replies to this topic
mouser
  • Members
  • 9 posts
  • Last active: Jan 09 2010 08:39 PM
  • Joined: 03 Oct 2008
Forgive me if I sound mad..

Every month the new false positives start coming in and people freak out thinking we are serving up malware because of the false positive alerts on compiled AHK scripts.

I'm exhausted from having to put out these false positive alarm fires every %&(*% month.

I'm exhausted from all of these websites warning people that our site hosts malware, and contacting them and fixing it and then having it happen all over again the next month.

I've fought against these irresponsible antivirus companies and always felt like "why aren't the AHK people doing more to address this recurring problem".. maybe you guys are trying to get this solved, I don't know, but as much as we love AHK on donationcoder, this is just getting ridiculous, and it has to stop.

My suggestion:

If these recurring false positives always have to do with UPX-packed apps being flagged as malware, then STOP packing compiled AHKs with UPX. As soon as humanly possible.

If you want to make some option to do it with a huge warning that using this will very likely guarantee that your application is going to be flagged as a virus in a few weeks, fine.

But in my opinion, until someone puts a stop to this farce of false positives, the UPX packing when compiling ahk executables should cease immediately.

Again, I apologize for the tone -- we love AHK at donationcoder, I'm just at my wits' end dealing with this stuff over and over and over and seeing our site show up in warnings for serving malware and having it always be AHK applications that are causing it. I know it's not AHK's fault, I know it's the antivirus companies being retarded. But let's fight and get them to stop doing this, or else do the one thing that you do have control over -- stop packing with UPX.

sincerely, and with love for AHK,
-mouser from donationcoder.com

mouser
  • Members
  • 9 posts
  • Last active: Jan 09 2010 08:39 PM
  • Joined: 03 Oct 2008
There has been some suggestion that it's the compiled AHK itself, not merely the UPX, that is to blame. If this is true, then the problem is much worse than I thought. Have you ahk people done a systematic analysis to determine what specifically is constantly causing the malware detection software to flag these executables as malware?

SoLong&Thx4AllTheFish
  • Members
  • 4999 posts
  • Last active:
  • Joined: 27 May 2007
I assume you are aware you can simply remove UPX from the compiler directory and your own scripts are no longer compiled with UPX, so that would take care of some of your problems. Given the fact AutoHotkey has mouse and keyboard hooks (way over my head this, so bear with me) I can only assume that there is always a chance it will be flagged by an AV no matter what changes are made to AHK (and of course viruses and malware can be written in AHK, so some might even be valid).

And of course, distribute your script, not the compiled exe :-) The average donation coder has AHK installed anyway, don't they?

See also http://www.autohotke... ... sc&start=0

and several threads related to viruses and UPX on the forum.

SoLong&Thx4AllTheFish
  • Members
  • 4999 posts
  • Last active:
  • Joined: 27 May 2007

Have you ahk people

Just to clarify, there is only one: Chris. Other people are working on other versions of AHK, but these are not "official"; some features of these other versions find their way into the official release afaik.

mouser
  • Members
  • 9 posts
  • Last active: Jan 09 2010 08:39 PM
  • Joined: 03 Oct 2008
hi hugov,

Yeah, we've already posted instructions on our forum for coders on how to delete/rename the UPX executable.

It's excellent that this can be done so easily (though they need to remember to do it every time they update).

But it does mean that we have to go around every time someone uploads or posts a compiled ahk script, download it, check it, and then educate them about this issue and get them to rebuild and re-upload, and do that on a constant basis.

Since this happens so regularly, and so predictably, and so consistently, I really think this should be changed to not be default behavior in ahk.

mouser
  • Members
  • 9 posts
  • Last active: Jan 09 2010 08:39 PM
  • Joined: 03 Oct 2008
Again I just want to emphasize, we love AHK on donationcoder; we've donated to ahk before, we've recommended it, we have some serious ahk coders on our forum.

Chris has done an amazing job with it.

And that's why this is so frustrating to me.. I'm just begging Chris and others at AHK to make it a higher priority to figure out a way to stop these false positives -- by any means necessary.

tidbit
  • Administrators
  • 2709 posts
  • Hates playing Janitor
  • Last active: Jan 15 2016 11:37 PM
  • Joined: 09 Mar 2008

by any means necessary.

-----------------

I assume you are aware you can simply remove UPX from compiler directory and your own scripts are no longer compiled with UPX

And of course, distribute your script, not the compiled exe

also: any language can cause false positives. You can't stop them 100%. It just depends on how anal the antivirus program is.

rawr. be very afraid
*poke*
. Populate the AutoHotkey city. Pointless but somewhat fun. .


mouser
  • Members
  • 9 posts
  • Last active: Jan 09 2010 08:39 PM
  • Joined: 03 Oct 2008

any language can cause false-positives. you can't stop them 100%.


This is true enough -- but it does not address the fact that compiled AHK programs are consistently, reliably, and almost without exception declared (falsely) to be viruses, over and over again, month after month, year after year.

It would be comical if not for the fact that it causes so much stress to novice users and increasingly leads to web-based trust rating sites marking a website as hosting malware.

No one can prevent antivirus companies from occasionally marking a program as malware.

But the situation we have now is that compiled AHK utilities are *ALWAYS* marked (falsely) as viruses and trojans, nearly 100% of the time. (Not on their initial release, but always a few weeks after they have been in the wild.)

This is what has to stop.. the AHK community's open letter and our own efforts to wake up the antivirus companies do not seem to be having an effect, and it's not within our power to force them to.

What I'm asking is that AHK realize how serious a problem this is and take it seriously enough to try to do something about it on this end, during the building of the compiled AHK scripts.

nod5
  • Guests
  • Last active:
  • Joined: --
Let me tag on a question: why is UPX used by default by autohotkey when compiling? Are there advantages that outweigh the false positive problems?

Related:
EndGunner has a list of some false positive forum posts:
http://www.autohotke... ... 027#140027
DerRaphael's Open Letter to AV companies initiative:
http://www.autohotke... ... px&start=0

tidbit
  • Administrators
  • 2709 posts
  • Hates playing Janitor
  • Last active: Jan 15 2016 11:37 PM
  • Joined: 09 Mar 2008
felt like doing this for fun:
File deadly_virus.exe received on 2010.01.08 22:02:11 (UTC)
Antivirus        Version        Last Update        Result
a-squared        4.5.0.48        2010.01.08        -
AhnLab-V3        5.0.0.2        2010.01.08        -
AntiVir        7.9.1.130        2010.01.08        -
Antiy-AVL        2.0.3.7        2010.01.08        Trojan/Win32.Vapsup.gen
Authentium        5.2.0.5        2010.01.08        -
Avast        4.8.1351.0        2010.01.08        -
AVG        8.5.0.430        2010.01.04        -
BitDefender        7.2        2010.01.08        -
CAT-QuickHeal        10.00        2010.01.08        -
ClamAV        0.94.1        2010.01.08        -
Comodo        3514        2010.01.08        -
DrWeb        5.0.1.12222        2010.01.08        -
eSafe        7.0.17.0        2010.01.07        -
eTrust-Vet        35.2.7226        2010.01.08        -
F-Prot        4.5.1.85        2010.01.08        -
F-Secure        9.0.15370.0        2010.01.08        -
Fortinet        4.0.14.0        2010.01.08        -
GData        19        2010.01.08        -
Ikarus        T3.1.1.80.0        2010.01.08        -
Jiangmin        13.0.900        2010.01.08        -
K7AntiVirus        7.10.942        2010.01.08        -
Kaspersky        7.0.0.125        2010.01.08        -
McAfee        5855        2010.01.08        -
McAfee+Artemis        5855        2010.01.08        -
McAfee-GW-Edition        6.8.5        2010.01.08        Heuristic.BehavesLike.Win32.Packed.C
Microsoft        1.5302        2010.01.08        -
NOD32        4755        2010.01.08        -
Norman        6.04.03        2010.01.08        -
nProtect        2009.1.8.0        2010.01.08        -
Panda        10.0.2.2        2010.01.08        -
PCTools        7.0.3.5        2010.01.08        -
Prevx        3.0        2010.01.08        -
Rising        22.29.04.04        2010.01.08        -
Sophos        4.49.0        2010.01.08        -
Sunbelt        3.2.1858.2        2010.01.08        -
Symantec        20091.2.0.41        2010.01.08        -
TheHacker        6.5.0.3.142        2010.01.08        -
TrendMicro        9.120.0.1004        2010.01.08        -
VBA32        3.12.12.1        2010.01.06        -
ViRobot        2010.1.8.2128        2010.01.08        -
VirusBuster        5.0.21.0        2010.01.08        -

Additional information
File size: 207261 bytes
MD5...: 1505065f6558b18d792793bfbbd1d48a
SHA1..: a017cfabc6782c3725713fcbab3c86067af17d5e
SHA256: 3ac19630b45c0949c36bfb311406898b808c5b0b41fb4ebdd05f8553092b8fc4
ssdeep: 6144:mCbitvA8lUcv6Jvr03OWAgCC7RSKDkoShu:mC+tvA8pv6e3OSCCFSKDkoSA
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x71ed0
timedatestamp.....: 0x49fde251 (Sun May 03 18:28:33 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name        viradd    virsiz   rawdsiz  ntrpy  md5
UPX0        0x1000   0x41000       0x0   0.00  d41d8cd98f00b204e9800998ecf8427e
UPX1       0x42000   0x31000   0x30c00   8.00  6cd9aa2547f27ae976665aae461e8c77
.rsrc      0x73000    0x2000    0x1800   4.79  5ae503e98038550ace366a5d500b6507

( 12 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: -
> comdlg32.dll: GetOpenFileNameA
> GDI32.dll: BitBlt
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> SHELL32.dll: DragFinish
> USER32.dll: GetDC
> VERSION.dll: VerQueryValueA
> WINMM.dll: mixerOpen
> WSOCK32.dll: -

( 0 exports )

RDS...: NSRL Reference Data Set
-
packers (Kaspersky): UPX
sigcheck:
publisher....: n/a
copyright....: 
product......: 
description..: 
original name: 
internal name: 
file version.: 1, 0, 48, 03
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
packers (F-Prot): UPX_LZMA
and here is the AHK file (compiled as deadly_virus.exe):
#NoEnv  ; Recommended for performance and compatibility with future AutoHotkey releases.
SendMode Input  ; Recommended for new scripts due to its superior speed and reliability.
SetWorkingDir %A_ScriptDir%  ; Ensures a consistent starting directory.
#singleInstance force
CoordMode, mouse, screen
#InstallKeybdHook
#InstallMouseHook

j::
msgbox, I AM A DEADLY VIRUS!, DETECT ME YOU CRAPPY ANTIVIRUS PROGRAMS, OR YOU FAIL!`n`n Click OK to feel my wrath!
click, 92, 412
send, P
Return

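Added example, not code from this thread or from the AutoHotkey project: mouser's complaint is that every uploaded compiled script has to be downloaded and checked by hand. The VirusTotal PEInfo in tidbit's post gives the fingerprint to check for: a section that is empty on disk (UPX0, raw size 0x0, entropy 0.00) immediately followed by a section of near-random packed data (UPX1, entropy 8.00). The script below reads the PE section table with only the standard library and reports both the section names and that layout, since names are easy to rename. The three sample images are constructed in-line for the demonstration; they are not real programs and nothing here is downloaded or executed.

```python
"""Flag UPX-packed PE files from the section table alone (added example)."""
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Return the IMAGE_SECTION_HEADER entries as dicts; ValueError on a malformed image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    if coff + 20 > len(pe):
        raise ValueError("truncated COFF header")
    _machine, nsections, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    if table + 40 * nsections > len(pe):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "entropy": shannon_entropy(raw)})
    return sections


def upx_indicators(pe):
    """Reasons to believe `pe` is UPX-packed; an empty list means nothing fired."""
    secs = parse_sections(pe)
    reasons = ["section named %s" % s["name"].decode() for s in secs if s["name"] in UPX_SECTION_NAMES]
    # Layout check: the unpack target has no bytes on disk but a large virtual size, and the
    # packed payload right after it is close to random. A plain .bss is also empty on disk,
    # so the high-entropy neighbour is required before this fires.
    for a, b in zip(secs, secs[1:]):
        if a["rawsize"] == 0 and a["vsize"] > 0 and b["entropy"] >= HIGH_ENTROPY:
            reasons.append("empty-on-disk %s followed by high-entropy %s (%.2f bits/byte)"
                           % (a["name"].decode(), b["name"].decode(), b["entropy"]))
    return reasons


def build_sample_pe(layout):
    """Construct a minimal, non-executable PE32 image for testing the checks above.
    layout: list of (name, virtual_size, raw_bytes); raw_bytes == b"" means nothing on disk."""
    file_align, sect_align = 0x200, 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature right after DOS header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic; remaining optional fields left zero
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x0102)
    headers = 0x40 + 4 + 20 + len(opt) + 40 * len(layout)
    first_raw = -(-headers // file_align) * file_align
    table, blobs, vaddr = b"", b"", sect_align
    for name, vsize, data in layout:
        rawsize = -(-len(data) // file_align) * file_align if data else 0
        rawptr = first_raw + len(blobs) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(rawsize, b"\0")
        vaddr += -(-max(vsize, 1) // sect_align) * sect_align
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(first_raw, b"\0") + blobs


# Constructed samples (not real binaries). PACKED_BYTES is uniform, so its entropy is exactly 8.0,
# matching the 8.00 reported for UPX1 in the VirusTotal output.
PACKED_BYTES = bytes(range(256)) * 4
PACKED_SAMPLE = build_sample_pe([(b"UPX0", 0x41000, b""),
                                 (b"UPX1", 0x1000, PACKED_BYTES),
                                 (b".rsrc", 0x2000, b"\0" * 0x200)])
RENAMED_SAMPLE = build_sample_pe([(b".text", 0x41000, b""),          # UPX shape, names scrubbed
                                  (b".data", 0x1000, PACKED_BYTES),
                                  (b".rsrc", 0x2000, b"\0" * 0x200)])
PLAIN_SAMPLE = build_sample_pe([(b".text", 0x1000, b"Hello, AutoHotkey! " * 30),
                                (b".data", 0x1000, b"\0" * 0x200),
                                (b".bss", 0x4000, b""),               # empty on disk, but benign
                                (b".rsrc", 0x2000, b"\0" * 0x200)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("renamed", RENAMED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label + ":", upx_indicators(sample) or "no UPX indicators")
```

To run it against an upload, read the file with `open(path, "rb").read()` and pass the bytes to `upx_indicators`. A hit means "packed", not "malicious": it tells the moderator to ask the author to rebuild with upx.exe removed from the compiler directory, nothing more. For an unmodified UPX build the stock `upx -d` command will also restore the original executable, which is a quicker check when the UPX tool is to hand.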


Lexikos
  • Administrators
  • 9844 posts
  • AutoHotkey Foundation
  • Last active:
  • Joined: 17 Oct 2006
I think it would be no great loss if upx.exe was removed from the installer or disabled by default.

nod5,
Reduced size is obviously the only advantage. On slow storage devices it can speed up loading by a very small amount, but some have said it otherwise slows down loading.

tidbit,
Anti-virus software isn't psychic, and mostly isn't intelligent. Your compiled script executable will contain code to register the keyboard/mouse hooks, delete files, shutdown the PC etc. regardless of what content the actual script has. Anti-virus software would have to interpret the script to figure out what it really does. Furthermore, keyboard/mouse hooks are obviously a legitimate feature of Windows, so it mightn't be common to detect them. Any reasonable A/V (and some unreasonable A/V's) would notify the user if and when it detected installation of the hook rather than marking any executable which uses it as a potential virus. Lastly, "viruses" self-replicate; your script does not.

HotKeyIt
  • Moderators
  • 7439 posts
  • Last active: Jun 22 2016 09:14 PM
  • Joined: 18 Jun 2008

I think it would be no great loss if upx.exe was removed from the installer or disabled by default.


I fully agree it should be easily removed; since a UPX'd exe isn't any different when it is loaded, I do not see any advantage of it.
Windows also caches AutoHotkey.exe when it's loaded from a USB disk or similar, so it loads slower only the first time.

tidbit
  • Administrators
  • 2709 posts
  • Hates playing Janitor
  • Last active: Jan 15 2016 11:37 PM
  • Joined: 09 Mar 2008
Lexikos, it seems you didn't detect my sarcasm (all caps ;)).
I also added the hooks on purpose because I wanted it to be detected. And since I made the script so small, basic and harm-free, I was expecting most/all to not detect it. Now if I made a real virus in AHK, I'm sure more than 2 would pick it up.

felt like doing this for fun


but to be on-topic:
I don't mind UPX; remove or keep it, no biggie.



SoLong&Thx4AllTheFish
  • Members
  • 4999 posts
  • Last active:
  • Joined: 27 May 2007
Cast your vote about UPX here http://www.autohotke...ic.php?p=323104

Lexikos
  • Administrators
  • 9844 posts
  • AutoHotkey Foundation
  • Last active:
  • Joined: 17 Oct 2006

now if I made a real virus in AHK, I'm sure more than 2 would pick it up.

If there was any point in my previous post, it was that anti-virus software won't necessarily pick it up just because it's malicious. I think it's very unlikely that any antivirus would immediately (or perhaps ever) pick up your hypothetical "real virus" script, and not also pick up every other script based on the same binary, harmful or not. Or was that lower-case sarcasm? :roll: