Wireshark mailing list archives
Re: Trojans associate with Wireshark, WinPCap, etc
From: gedropi () allmail net
Date: Sun, 01 Nov 2015 16:24:09 -0800
No I have removed them.

On Sun, Nov 1, 2015, at 10:54 AM, Gerald Combs wrote:
> Have you uploaded them to virustotal.com? What does it say?
>
> On 11/1/15 10:45 AM, gedropi () allmail net wrote:
>> So the puzzle is about the remaining trojans. The trojans associated with the other networking tools.
>>
>> Here is my version info per Help>About:
>> main = 55
>> daily = 21031
>> updated = Oct 30, 2015
>>
>> On Sun, Nov 1, 2015, at 10:41 AM, Gerald Combs wrote:
>>> The only report I've seen so far on the buildbots is Win.Adware.Outbrowse-1168 in the NSIS uninstaller:
>>>
>>> C:\[...]\build\cmbuild\run\RelWithDebInfo\uninstall.exe: Win.Adware.Outbrowse-1168 FOUND
>>>
>>> On 11/1/15 10:38 AM, gedropi () allmail net wrote:
>>>> Are you referring to only the Wireshark/WinPCap trojan or all of the trojans? Thanks
>>>>
>>>> On Sun, Nov 1, 2015, at 10:32 AM, Gerald Combs wrote:
>>>>> That should've been:
>>>>>
>>>>> ----
>>>>> Sun Nov 1 17:29:10 2015 -> ClamAV update process started at Sun Nov 1 17:29:10 2015
>>>>> Sun Nov 1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
>>>>> Sun Nov 1 17:29:10 2015 -> daily.cld is up to date (version: 21032, sigs: 1645531, f-level: 63, builder: shurley)
>>>>> Sun Nov 1 17:29:10 2015 -> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, builder: anvilleg)
>>>>> ----
>>>>>
>>>>> That is, daily.cld version 21032 does not report the trojan. 21031 does. IIRC 21030 reported the trojan on Friday as well.
>>>>>
>>>>> On 11/1/15 10:25 AM, gedropi () allmail net wrote:
>>>>>> ClamAV update process started at Sun Nov 01 05:58:39 2015
>>>>>> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
>>>>>> daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63, builder: neo)
>>>>>> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, builder: anvilleg)
>>>>>>
>>>>>> Thanks for your response.
>>>>>>
>>>>>> On Sun, Nov 1, 2015, at 10:14 AM, Gerald Combs wrote:
>>>>>>> Which versions of the main, daily, and bytecode databases are you using? On Friday clamscan was reporting that Win.Adware.Outbrowse-1168 was present in some of the 32-bit Windows installers. If I run clamscan today with the following database versions on the same files the scans come up clean:
>>>>>>>
>>>>>>> ----
>>>>>>> Sun Nov 1 08:27:42 2015 -> ClamAV update process started at Sun Nov 1 08:27:42 2015
>>>>>>> Sun Nov 1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
>>>>>>> Sun Nov 1 08:27:43 2015 -> daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63, builder: neo)
>>>>>>> Sun Nov 1 08:27:43 2015 -> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, builder: anvilleg)
>>>>>>> ----
>>>>>>>
>>>>>>> Note that AV false positives happen often enough that we maintain a list:
>>>>>>> https://wiki.wireshark.org/FalsePositives
>>>>>>>
>>>>>>> As does the NSIS team (which tends to impact the Wireshark and WinPcap installers):
>>>>>>> http://nsis.sourceforge.net/NSIS_False_Positives
>>>>>>>
>>>>>>> On 11/1/15 9:46 AM, gedropi () allmail net wrote:
>>>>>>>> Yes I am. But these trojans were not present on the 28th of October. Meaning that the database update since the 28th would have had to have contained this misinformation. I have contacted ClamAV but they have not responded yet. SANS is involved in this issue as well.
>>>>>>>>
>>>>>>>> On Sun, Nov 1, 2015, at 09:12 AM, Pascal Quantin wrote:
>>>>>>>>> 2015-11-01 17:58 GMT+01:00 <gedropi () allmail net>:
>>>>>>>>>> After discovering the attached trojans during a scan on the 30th, I removed infected files, scrubbed the registry, repeated the scan. Nada. Then, I needed to replace the networking tools by downloading fresh copies of the removed, infected exe files. Upon downloading various tools from their respective websites, I repeated the virus scan to be sure. All newly downloaded exe files were again infected with the same trojans. Since all the Wireshark & WinPCap files were affected, I was wondering if any of you out there have had the same experience? I hope that someone can help me brainstorm for a fix. I need to use the tools of the trade. Thanks for any ideas.
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Are you using ClamAV by any chance? As reported by Gerald Combs (Wireshark's leader) on the development list (https://www.wireshark.org/lists/wireshark-dev/201510/msg00125.html) this seems to be a false positive reported to clamav.net.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> Pascal.

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
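The triage Gerald performs by hand in the thread (scan the same files under daily.cld 21031 and 21032, see which database version still reports the hit) can be scripted. The following is an added example written for this archive page; it is not code from the thread, from ClamAV or from Wireshark. It parses freshclam status lines and clamscan result lines in the formats quoted above and classifies each scanned path by whether the detection survives a newer signature database. The freshclam lines are the ones quoted in the thread; the clamscan outputs, the second file path and its signature name are constructed for illustration, and the daily.cld version is assumed to be the only thing that differs between the two runs.

```python
"""Triage an AV detection by the signature-database version that produced it.

Added example, not code from the thread, ClamAV or Wireshark. A hit that
disappears when only daily.cld changes (same file, newer database) is the
pattern of a withdrawn signature, which is how a false positive looks from
the outside. Sample clamscan output below is constructed.
"""
import re
from collections import defaultdict

# e.g. "daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63, builder: neo)"
FRESHCLAM_RE = re.compile(
    r"(?P<db>main|daily|bytecode)\.c[lv]d is up to date "
    r"\(version: (?P<ver>\d+), sigs: \d+, f-level: \d+, builder: \w+\)"
)
# clamscan hit line: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_db_versions(freshclam_log):
    """Return {"main": N, "daily": N, "bytecode": N} parsed from a freshclam log."""
    versions = {}
    for line in freshclam_log.splitlines():
        m = FRESHCLAM_RE.search(line)
        if m:
            versions[m.group("db")] = int(m.group("ver"))
    return versions


def parse_scan(clamscan_output):
    """Return {path: signature_name or None} from clamscan's per-file result lines."""
    results = {}
    for line in clamscan_output.splitlines():
        line = line.strip()
        m = FOUND_RE.match(line)
        if m:
            results[m.group("path")] = m.group("sig")
        elif line.endswith(": OK"):
            results[line[: -len(": OK")]] = None
    return results


def triage(runs):
    """runs: iterable of (freshclam_log, clamscan_output) pairs over the same files.

    Returns {path: {"flagged": {daily_version: signature}, "cleared": {daily_version, ...}}}.
    """
    report = defaultdict(lambda: {"flagged": {}, "cleared": set()})
    for freshclam_log, scan_output in runs:
        daily = parse_db_versions(freshclam_log).get("daily")
        if daily is None:
            raise ValueError("freshclam log does not state the daily.cld version")
        for path, sig in parse_scan(scan_output).items():
            if sig is None:
                report[path]["cleared"].add(daily)
            else:
                report[path]["flagged"][daily] = sig
    return dict(report)


def verdict(entry):
    """Classify one path's entry, assuming the file itself did not change between runs."""
    flagged, cleared = entry["flagged"], entry["cleared"]
    if not flagged:
        return "clean"
    if cleared and max(cleared) > max(flagged):
        # Flagged by an older daily.cld, clean under a newer one: withdrawn signature.
        return "withdrawn-signature"
    # Still flagged by the newest database seen: treat as real until proven otherwise.
    return "detected"


# freshclam output as quoted in the thread (21031 on the morning of Nov 1, 21032 later that day)
FRESHCLAM_21031 = """\
Sun Nov 1 08:27:42 2015 -> ClamAV update process started at Sun Nov 1 08:27:42 2015
Sun Nov 1 08:27:43 2015 -> main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Sun Nov 1 08:27:43 2015 -> daily.cld is up to date (version: 21031, sigs: 1645560, f-level: 63, builder: neo)
Sun Nov 1 08:27:43 2015 -> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, builder: anvilleg)
"""
FRESHCLAM_21032 = """\
Sun Nov 1 17:29:10 2015 -> ClamAV update process started at Sun Nov 1 17:29:10 2015
Sun Nov 1 17:29:10 2015 -> main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
Sun Nov 1 17:29:10 2015 -> daily.cld is up to date (version: 21032, sigs: 1645531, f-level: 63, builder: shurley)
Sun Nov 1 17:29:10 2015 -> bytecode.cld is up to date (version: 269, sigs: 47, f-level: 63, builder: anvilleg)
"""
UNINSTALLER = r"C:\[...]\build\cmbuild\run\RelWithDebInfo\uninstall.exe"  # path from the thread
CONSTRUCTED_EXE = r"C:\Tools\constructed-sample.exe"  # constructed: flagged under both databases
# Constructed clamscan output for the two runs (signature for the constructed file is a placeholder).
SCAN_21031 = "\n".join([
    UNINSTALLER + ": Win.Adware.Outbrowse-1168 FOUND",
    CONSTRUCTED_EXE + ": Example.Constructed.Sig-1 FOUND",
])
SCAN_21032 = "\n".join([
    UNINSTALLER + ": OK",
    CONSTRUCTED_EXE + ": Example.Constructed.Sig-1 FOUND",
])
SAMPLE_RUNS = [(FRESHCLAM_21031, SCAN_21031), (FRESHCLAM_21032, SCAN_21032)]

if __name__ == "__main__":
    for path, entry in triage(SAMPLE_RUNS).items():
        print(f"{verdict(entry):20} {path}  flagged={entry['flagged']} cleared={sorted(entry['cleared'])}")
```

A "withdrawn-signature" verdict is a hint, not proof: it only says the signature database moved, not that the file is safe. Before trusting the binary, confirm that the file you scanned is byte-for-byte the one the vendor published (compare its hash against the vendor's published checksum, or upload it to virustotal.com as suggested in the thread) and check the FalsePositives pages linked above for the signature name.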
Current thread:
- Re: Trojans associate with Wireshark, WinPCap, etc, (continued)
- Re: Trojans associate with Wireshark, WinPCap, etc gedropi (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc Gerald Combs (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc gedropi (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc Gerald Combs (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc gedropi (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc Gerald Combs (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc gedropi (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc Gerald Combs (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc gedropi (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc Gerald Combs (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc gedropi (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc gedropi (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc Gerald Combs (Nov 01)
- Re: Trojans associate with Wireshark, WinPCap, etc gedropi (Nov 02)
- Re: Trojans associate with Wireshark, WinPCap, etc gedropi (Nov 06)