  #1  
Old 24-05-18, 16:16
Moonshine Moonshine is offline
Passionate member
 
Join Date: Aug 2012
Posts: 1,007
Default Suspect Files

Hi all
I don't often ask questions in this forum, but if a file is offered for download and the downloaded file has these results when folders within that 'File' are checked with VirusTotal:

https://www.virustotal.com/#/file/47...4831/detection

https://www.virustotal.com/#/file/81...c633/detection

https://www.virustotal.com/#/file/a1...1965/detection

. . . . is it advisable for anyone, especially those that aren't security wise, to download the 'file'?
If the results of the folder were known beforehand, would anyone actually go ahead with the download and trust the file(s) as being safe?
  #2  
Old 25-05-18, 10:29
kevinf80 kevinf80 is offline
Global Moderator
 
Join Date: Feb 2008
Location: Sunderland.UK.
Posts: 2,952
Default Re: Suspect Files

Hello Moonshine,

In the current day and age any software that you d/l has the ability to carry hidden unwanted extras, especially free or pirated software.
Anything I personally d/l I do to a sandboxed environment, that is where I check out the d/l before allowing it onto my system.
I use Sandboxie, https://www.sandboxie.com/DownloadSandboxie
My download folder is in a sandbox environment, and my default browser (Firefox) is also run in a sandbox environment.

Which software were you referring to...?

Thank you,

Kevin..
  #3  
Old 25-05-18, 11:27
Moonshine Moonshine is offline
Passionate member
 
Join Date: Aug 2012
Posts: 1,007
Default Re: Suspect Files

Hi Kevin - thanks for getting back to me.

The files I'm referring to are available via this website:

https://pcriver.com/operating-system...-download.html

. . . . an actual download link URL being:

http://downloadwins.xyz/download/Win_XP_32Bit_Pro.zip

I have tried to advise the person who is encouraging people to use this type of site and download(s) to be cautious in doing so, especially as the downloads are not being tested first by that person.
After getting expected warnings from my security to be aware of the website and its potential content, I downloaded and tested the files (I use a VM with my preferred security installed within the VM) and have installed the software/OS (ISOs) and tested them within the VM to see what it/they entail. I scan the contents of an ISO container and not just the ISO 'shell'.
I appreciate that any malware within the container will broadly speaking lay dormant until the ISO is opened up and the files are used/extracted or burned to disc.
Three flagged up files prompted me to use VirusTotal to further check the files with the result shown above in the VT report.
The results may well be an actual false positive (results deliberately shown as malicious to stop folks using them).
I appreciate that a Sandbox & VM are two different technologies/environments and the advantage of using a VM is that software can be run as if it was on a real machine, operating systems being an example.

I believe I'm doing the right thing in warning the person, and persisting to do so, even when that person insists that the websites which host these 'files/ISOs' are perfectly OK to use because his security says they are and the 'files/ISOs' that are actually downloaded are OK, again because his security say so.
Do you think I'm right to warn this person that he is being irresponsible and likely to get someone/people eventually 'burned' by this cavalier attitude especially when no tests are done on the downloaded files/ISOs first before offering them to the public?

Your advice will be greatly appreciated.
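As an added example (not code from the thread or any poster), here is a Python script that does what Moonshine describes: it hashes every file inside a downloaded archive, descending into nested archives, so each member's SHA-256 can be looked up on VirusTotal individually instead of only the archive's own hash. The archive is constructed in memory as a stand-in for the zip discussed above; its contents are dummy bytes.

```python
import hashlib
import io
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: an in-memory zip standing in for a downloaded
    installer. The member contents are dummy bytes, not real files."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup/setup.exe", b"MZ-dummy-inner-payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"Sample text file\n")
        z.writestr("tools/extra.zip", inner.getvalue())  # nested archive
    return outer.getvalue()


def hash_archive_members(data: bytes, prefix: str = "",
                         depth: int = 0, max_depth: int = 3) -> dict:
    """Return {path: sha256} for every regular file inside the archive.
    Nested zips are opened too (up to max_depth), so files hidden one
    level down get their own hash; '!/' marks the nesting boundary."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            content = z.read(info)
            path = prefix + info.filename
            results[path] = hashlib.sha256(content).hexdigest()
            if depth < max_depth and zipfile.is_zipfile(io.BytesIO(content)):
                results.update(hash_archive_members(
                    content, path + "!/", depth + 1, max_depth))
    return results


def archive_report(data: bytes) -> dict:
    """The container hash is all a 'shell' scan sees; the member hashes are
    the values to look up one by one before trusting the download."""
    return {"container_sha256": hashlib.sha256(data).hexdigest(),
            "members": hash_archive_members(data)}


if __name__ == "__main__":
    report = archive_report(build_sample_archive())
    print("container:", report["container_sha256"])
    for path, digest in sorted(report["members"].items()):
        print(f"{digest}  {path}")
```

Point the same functions at a real download by reading the file's bytes; ISO images need a separate reader, so this example covers the zip format of the download URL in the post.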
  #4  
Old 25-05-18, 21:07
kevinf80 kevinf80 is offline
Global Moderator
 
Join Date: Feb 2008
Location: Sunderland.UK.
Posts: 2,952
Default Re: Suspect Files

Hiya Moonshine,

Yes I believe you are correct warning the guy concerned, I would not think the findings are FPs, too many hits for that.
I use a VM myself, I have all versions of Windows from 98 through to Windows 10.
When fixing infected PCs it is always helpful to have similar OSes available so you are aware of what should be happening as opposed to what info you are reading from diagnostic logs.
I'm away from home this weekend so will not be online much. I believe you are very well clued up with Windows and do not need any advice/help from me, keep up the good work....

Regards,

Kevin...
  #5  
Old 25-05-18, 21:55
Cantrel Cantrel is offline
Global Moderator
 
Join Date: Jul 2012
Location: UK
Posts: 11,052
Default Re: Suspect Files

He's talking about me, Kevin.

I downloaded first and from that web page which Norton Toolbar said was safe.

This is the URL in question and I downloaded the 32bit ISO and created a boot disk - https://pcriver.com/operating-system...-download.html

I've run a scan on the extracted ISO with Norton Security and mrt.exe.

A scan overall with the free MBAM and the ESET Free Online Scanner.

mrt.exe was the only one that found one infected file but did not list it in its report.

Scooby has downloaded the ISO from there on a Win 8.1 machine without getting any alerts either to the web page or the ISO download.

He has since done a clean install with the ISO and I've asked him to run a scan with the free version of MBAM to see if it picks up anything untoward.

I don't have a VM so was unable to fully check out the install, but having downloaded from there onto my laptop without any alerts, I trusted my Norton Security which is usually pretty keen on bad websites and downloads that it appeared safe to me.

From the checks that Moonshine has linked, there are quite a few reputable AV programs which gave it a green light.
  #6  
Old 26-05-18, 00:34
Moonshine Moonshine is offline
Passionate member
 
Join Date: Aug 2012
Posts: 1,007
Default Re: Suspect Files

I can't believe you are trying to get Kevin, the forum malware expert, to justify your decision to point total strangers, in a family forum, to websites that offer links to potentially malicious/dangerous downloads and pirated/hacked software without forewarning readers first as to what the consequences might be for 'them'.

If those that have downloaded and used your recommendations happen to have been lucky on this occasion, I guess that's your excuse to continue to recommend these places in the future.
It's just a matter of time before someone gets burned, but you know that, because I have mentioned that to you and you don't appear to be concerned at all with that eventuality.

What on Earth is happening to these forums?
  #7  
Old 26-05-18, 04:58
fossewayfella fossewayfella is offline
Highly valued member
 
Join Date: Oct 2012
Posts: 2,667
Default Re: Suspect Files

Moonshine, I believe you have summed up in your post the answer. i.e.

" is it advisable for anyone, especially those that aren't security wise, to download the 'file'? "

Anyone who downloads anything, even if the person suggesting it is respected for his / her information, downloads those suggestions at their own risk. Maybe a caveat should be posted on each occasion when a download suggestion is made on this forum. Some already do this if they are not sure of its provenance.

In my opinion it is no good arguing the point here, as while making that point that you believe your findings are correct and should be made known, it is only making more people, less versed in security, more nervous about ever downloading anything from posts or articles they may read.

fosseway
  #8  
Old 26-05-18, 08:04
Cantrel Cantrel is offline
Global Moderator
 
Join Date: Jul 2012
Location: UK
Posts: 11,052
Default Re: Suspect Files

Quote:
Originally Posted by Moonshine View Post
I can't believe you are trying to get Kevin, the forum malware expert, to justify your decision to point total strangers, in a family forum, to websites that offer links to potentially malicious/dangerous downloads and pirated/hacked software without forewarning readers first as to what the consequences might be for 'them'.

If those that have downloaded and used your recommendations happen to have been lucky on this occasion, I guess that's your excuse to continue to recommend these places in the future.
It's just a matter of time before someone gets burned, but you know that, because I have mentioned that to you and you don't appear to be concerned at all with that eventuality.

What on Earth is happening to these forums?
I have simply put my side of the story and what I found with the resources I have at hand and while they are less than those more well versed in antimalware, I used respected programs for my scans.

I've just used VirusTotal for a check on https://pcriver.com/operating-system...-download.html which you said was a bad site and the report came back as 0/67 but I viewed the previous report which was no doubt run by you and this is the result -

https://www.virustotal.com/en/url/37...c417/analysis/

This would seem to vindicate Norton's Toolbar assessment of the website.

Perhaps the file that mrt.exe found was the hack one you found, but it didn't list it in its report.

I downloaded the ISO first and Norton didn't snag it as a bad download, so given that Norton has blocked downloads and websites in the past, then it is reasonable for me to take its word on this and conclude that it was safe.
  #9  
Old 26-05-18, 08:26
Moonshine Moonshine is offline
Passionate member
 
Join Date: Aug 2012
Posts: 1,007
Default Re: Suspect Files

Cantrel

Please read post No 3.

The download does not come from:

https://pcriver.com/operating-system...-download.html

Those that press the download tab in the PC River page are redirected. That download URL is:

http://downloadwins.xyz/download/Win_XP_32Bit_Pro.zip

Look at the URL:

Here's a link to the thread in question if anyone is wondering what is going on.

http://forum.webuser.co.uk/showthread.php?t=153240

By the way Cantrel - the issues the user is having with the 'Battery' is the same as what I got in the VM. Strange that because a VM doesn't use a battery! Could it be that it is a hacked/pirate version and those that choose to use the likes of these ISOs can't always expect things to work as they should.
  #10  
Old 26-05-18, 08:57
Cantrel Cantrel is offline
Global Moderator
 
Join Date: Jul 2012
Location: UK
Posts: 11,052
Default Re: Suspect Files

Scooby already knew that his battery was knacked before the clean install.

Did you have any sound problems in the VM, or doesn't that get installed in a VM?

I've emailed the admin at pcriver to see if I can get more details on that ISO - not sure if I'll get a reply and I'm still trying to persuade Scooby to run a MBAM scan on that machine.

As I've already stated, Norton did not snag any aspect of that download.

I appreciate that no AV program is 100% effective, but I have to trust a program that has kept me safe for the last 8 years.

So whose word do you take on that URL -

https://www.virustotal.com/en/url/16...is/1527325293/