Lua x antivirus


Lua x antivirus

Roberto Ierusalimschy
I got a report that some antivirus software (e.g., Symantec and McAfee)
are reporting the file wlua52.exe (from LuaBinaries) as a virus. Does
anyone know anything about that?

-- Roberto


Re: Lua x antivirus

Enrico Colombini
On 12/07/2012 18.57, Roberto Ierusalimschy wrote:
> I got a report that some antivirus software (e.g., Symantec and McAfee)
> are reporting the file wlua52.exe (from LuaBinaries) as a virus. Does
> anyone know anything about that?

I just sent the file (from lua-5.2.1_Win32_bin.zip) to virustotal. Four
antiviruses seem to have an overzealous heuristic analysis:
https://www.virustotal.com/file/a82364fce4c72b1b8088bc360925c9585ad49d960d0bcf6f7cbc3353cbd62066/analysis/

(I think you'd better contact those companies - after checking the
integrity of the file, just to be sure)

--
   Enrico


Re: Lua x antivirus

Marc Balmer
In reply to this post by Roberto Ierusalimschy
Am 12.07.12 18:57, schrieb Roberto Ierusalimschy:
> I got a report that some antivirus software (e.g., Symantec and McAfee)
> are reporting the file wlua52.exe (from LuaBinaries) as a virus. Does
> anyone know anything about that?
>
> -- Roberto
>

<sarcasm>
I hope many computers are infected, then ... ;)
</sarcasm>

I can test against Norman and Symantec on some terminal servers, but
since I don't usually use Lua on Windows, where can I download the exact
binary that causes the issue (URL?).

Regards from Oberfrick,
Marc




Re: Lua x antivirus

Matthieu Tourne
In reply to this post by Roberto Ierusalimschy


On Thu, Jul 12, 2012 at 9:57 AM, Roberto Ierusalimschy <[hidden email]> wrote:
I got a report that some antivirus software (e.g., Symantec and McAfee)
are reporting the file wlua52.exe (from LuaBinaries) as a virus. Does
anyone know anything about that?


This might be related to all the press around the recent Flame, the super advanced malware that uses Lua : http://notebook.kulchenko.com/programming/flame-malware-using-lua

As a result antivirus might have added Lua as a whole as a signature...

Regards,
Matthieu


Re: Lua x antivirus

liam mail
In reply to this post by Roberto Ierusalimschy
On 12 July 2012 17:57, Roberto Ierusalimschy <[hidden email]> wrote:
> I got a report that some antivirus software (e.g., Symantec and McAfee)
> are reporting the file wlua52.exe (from LuaBinaries) as a virus. Does
> anyone know anything about that?
>
> -- Roberto
>

IIRC it is Symantec that flags lua.exe as a virus, or at least it did
a number of years ago on XP machines.

Liam


Re: Lua x antivirus

M. Edward (Ed) Borasky
It should be noted that the infamous "Flame" virus included a version
of Lua, so perhaps there's some bridge-building that needs to be done.

On Thu, Jul 12, 2012 at 12:06 PM, liam mail <[hidden email]> wrote:

> On 12 July 2012 17:57, Roberto Ierusalimschy <[hidden email]> wrote:
>> I got a report that some antivirus software (e.g., Symantec and McAfee)
>> are reporting the file wlua52.exe (from LuaBinaries) as a virus. Does
>> anyone know anything about that?
>>
>> -- Roberto
>>
>
> IIRC it is Symantec that flags lua.exe as a virus, or at least it did
> a number of years ago on XP machines.
>
> Liam
>



--
Twitter: http://twitter.com/znmeb Computational Journalism Server
http://j.mp/compjournoserver

Data is the new coal - abundant, dirty and difficult to mine.


Re: Lua x antivirus

Oliver Schneider-2
In reply to this post by Roberto Ierusalimschy
Most AVs these days work not solely signature based. To find out which
AV detects it use Jotti or VirusTotal to scan with multiple scanners.

This is no different from malware authors who use this approach to
verify that few - if any - AVs detect their latest concoction.

So: simply try yourself with the binary in question.

// Oliver

PS: I can try to get you in touch with some AV vendors' viruslabs once
you know more. Feel free to contact me off list, especially in case we
also falsepos on it ;)

On 2012-07-12 16:57, Roberto Ierusalimschy wrote:
> I got a report that some antivirus software (e.g., Symantec and McAfee)
> are reporting the file wlua52.exe (from LuaBinaries) as a virus. Does
> anyone know anything about that?
>
> -- Roberto
>



Re: Lua x antivirus

Florian Weimer
In reply to this post by Enrico Colombini
* Enrico Colombini:

> On 12/07/2012 18.57, Roberto Ierusalimschy wrote:
>> I got a report that some antivirus software (e.g., Symantec and McAfee)
>> are reporting the file wlua52.exe (from LuaBinaries) as a virus. Does
>> anyone know anything about that?
>
> I just sent the file (from lua-5.2.1_Win32_bin.zip) to
> virustotal. Four antiviruses seem to have an overzealous heuristic
> analysis:
> https://www.virustotal.com/file/a82364fce4c72b1b8088bc360925c9585ad49d960d0bcf6f7cbc3353cbd62066/analysis/

Try again, the count should have gone up by now.

Uploading false positives to Virustotal is not a good idea because it
triggers all kinds of automated actions, most of them geared towards
branding the file as malware.
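Two of the posts above suggest a workflow worth writing down: Enrico's "check the integrity of the file" before reporting a false positive, and Florian's advice not to upload a suspected false positive to VirusTotal when a lookup would do. The following is an added example, not code from the thread or from LuaBinaries. It hashes a local download with SHA-256, compares it with the digest that appears in the VirusTotal URL Enrico posted (so you know you are looking at the same bytes the scanners judged), and builds the report URL for that hash, which is a read-only lookup rather than a new submission. The URL shape is copied from the thread; it is an assumption that it still resolves today.

```python
"""Verify a downloaded binary by hash and look it up on VirusTotal without uploading.

Added example for the discussion above; not part of Lua or LuaBinaries.
"""
import hashlib
import sys

# SHA-256 taken from the VirusTotal link quoted in the thread for wlua52.exe
# (lua-5.2.1_Win32_bin.zip). Treat it as "the file the scanners saw", not as a
# vendor-published checksum: LuaBinaries did not publish one in this thread.
EXPECTED_SHA256 = "a82364fce4c72b1b8088bc360925c9585ad49d960d0bcf6f7cbc3353cbd62066"

# URL form copied from the thread. Fetching this page is a hash lookup and does
# not submit the file; only an upload creates a new sample.
VT_REPORT_URL = "https://www.virustotal.com/file/{sha256}/analysis/"


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_expected(digest: str, expected: str = EXPECTED_SHA256) -> bool:
    """Case-insensitive comparison of two hex digests (these are not secrets, so == is fine)."""
    return digest.strip().lower() == expected.strip().lower()


def vt_report_url_for_hash(digest: str) -> str:
    """Report page keyed by hash: look up existing verdicts instead of uploading the file."""
    return VT_REPORT_URL.format(sha256=digest.lower())


def check_download(path: str, expected: str = EXPECTED_SHA256) -> dict:
    """Hash a local file and say whether it is the same artifact the scanners judged."""
    digest = sha256_of_file(path)
    return {
        "sha256": digest,
        "same_as_scanned": matches_expected(digest, expected),
        "lookup_url": vt_report_url_for_hash(digest),
    }


if __name__ == "__main__":
    # Usage: python check_lua_binary.py path/to/wlua52.exe
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        # No file given: demonstrate on a constructed blob instead.
        demo = sha256_of_bytes(b"not the real wlua52.exe")
        print("constructed blob:", demo, "matches:", matches_expected(demo))
    else:
        result = check_download(target)
        for k, v in result.items():
            print(f"{k}: {v}")
        if not result["same_as_scanned"]:
            print("hash differs from the scanned sample: do not report a false positive for it")
```

If the digest differs from the one in the thread, the file you hold is not the one the scanners flagged, and any false-positive report should be filed against the hash you actually computed. Ask the vendor to whitelist by hash; that is the identifier their labs work from.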


Re: Lua x antivirus

Elias Barrionovo
In reply to this post by Matthieu Tourne
On Thu, Jul 12, 2012 at 3:02 PM, Matthieu Tourne
<[hidden email]> wrote:
> This might be related to all the press around the recent Flame, the super
> advanced malware that uses Lua :
> http://notebook.kulchenko.com/programming/flame-malware-using-lua
>
> As a result antivirus might have added Lua as a whole as a signature..

Because of the "loadstring", Flame seems to be written in 5.1, but
the binary flagged is 5.2. Though I don't think it means much because
I would guess that 5.1 and 5.2 share a lot of code.

Anyway, shouldn't other software that embed Lua be flagged as well?
Also, is it happening only with that single binary?

--
NI!
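Elias's argument above (loadstring points at 5.1, the flagged binary is 5.2) can be checked against the binary itself rather than guessed. The following is an added example, not code from the thread or from Lua: it scans a blob for the version banner the Lua core embeds (`lua_ident` in lapi.c, which carries the release string such as "Lua 5.2.1") and for the `loadstring` name. The sample blobs are constructed to resemble what `strings` would show, and the exact banner layout is an assumption based on the Lua sources; the regex only relies on the "Lua 5.x.y" fragment. One caveat a practitioner should know: a stock 5.2 build keeps `loadstring` as a compatibility alias, so its presence alone does not prove 5.1; the release string is the better marker.

```python
"""Triage which Lua release a binary embeds by its strings.

Added example for the discussion above; not part of Lua or LuaBinaries.
"""
import re
import sys

# Constructed samples, not bytes from the real wlua52.exe. They imitate the
# lua_ident banner and a couple of API names as they would appear in a host.
SAMPLE_LUA52 = (
    b"\x00\x00$LuaVersion: Lua 5.2.1  Copyright (C) 1994-2012 Lua.org, PUC-Rio $"
    b"$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $\x00"
    b"loadstring\x00load\x00"
)
SAMPLE_LUA51 = (
    b"\x00$Lua: Lua 5.1.5 Copyright (C) 1994-2012 Lua.org, PUC-Rio $\x00"
    b"loadstring\x00"
)
SAMPLE_NO_LUA = b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\x00"

# Release string as it appears in LUA_RELEASE ("Lua 5.2.1", "Lua 5.1.5", ...).
VERSION_RE = re.compile(rb"Lua (5\.\d(?:\.\d)?)")
# Names whose presence is only a hint; see the caveat in triage().
HINT_NAMES = (b"loadstring", b"setfenv", b"getfenv", b"unpack")


def lua_version_markers(data: bytes) -> dict:
    """Collect the Lua release strings and hint names found in a blob."""
    versions = sorted({m.group(1).decode("ascii") for m in VERSION_RE.finditer(data)})
    names = [n.decode("ascii") for n in HINT_NAMES if n in data]
    return {"versions": versions, "hint_names": names}


def triage(data: bytes) -> str:
    """One-line verdict: prefer the release banner over API-name hints."""
    markers = lua_version_markers(data)
    if markers["versions"]:
        v = ", ".join(markers["versions"])
        note = ""
        if "loadstring" in markers["hint_names"] and all(x.startswith("5.2") for x in markers["versions"]):
            # 5.2 ships loadstring as a compatibility alias, so it does not imply 5.1.
            note = " (loadstring present, but that is a 5.2 compat alias here)"
        return f"embeds Lua {v}{note}"
    if markers["hint_names"]:
        # 5.1-only names such as setfenv/getfenv are the stronger hint; loadstring is weak.
        strong = [n for n in markers["hint_names"] if n in ("setfenv", "getfenv")]
        if strong:
            return "no release banner; 5.1-era names present: " + ", ".join(strong)
        return "no release banner; weak hints only: " + ", ".join(markers["hint_names"])
    return "no Lua markers found"


def triage_file(path: str) -> str:
    with open(path, "rb") as f:
        return triage(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage_file(sys.argv[1]))
    else:
        for label, blob in (("5.2 sample", SAMPLE_LUA52), ("5.1 sample", SAMPLE_LUA51), ("non-Lua", SAMPLE_NO_LUA)):
            print(f"{label}: {triage(blob)}")
```

Run it over the flagged executable and over a few other programs that embed Lua; if the heuristic fires only on the standalone interpreter and not on other 5.2 hosts, the trigger is something about that build rather than "Lua as a whole", which is the question Elias raises.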


Re: Lua x antivirus

Enrico Colombini
In reply to this post by Florian Weimer
On 12/07/2012 23.13, Florian Weimer wrote:
> Uploading false positives to Virustotal is not a good idea because it
> triggers all kinds of automated actions, most of them geared towards
> branding the file as malware.

I didn't know that; are you sure it works that way? I've often used it
to check files and I often got a negative result. Sometimes it was a
false positive by a single antivirus only.

If virustotal has such an impact, I guess it should be possible to
contact them and have it marked as "good", but contacting McAfee and
Symantec is probably more important. Especially because it's not a
signature-based alert, but a heuristic one (which seems to go against
the Flame theory).

An important question is why heuristic engines do flag that executable.

--
   Enrico


Re: Lua x antivirus

Oliver Schneider-2
On 2012-07-12 21:43, Enrico Colombini wrote:
> I didn't know that; are you sure it works that way? I've often used it
> to check files and I often got a negative result. Sometimes it was a
> false positive by a single antivirus only.
As someone from the industry I can tell you that it doesn't work this
way. It's yet another myth similarly grotesque as the one that we're
writing the malware to sell the protection against it :)

There is sample sharing going on between vendors over other channels and
sometimes also from VT, but the decision whether something is classified
malware, grayware or goodware is at the discretion of each vendor.
Although it is a known problem that false positives spread like this and
there is (IMO) no proper mechanism in place to report a false positive to
numerous vendors (although VT worked on something like that some time
ago). I suppose Florian was referring to this spreading of false
positives. But it's a fallacy to believe VT is the driving mechanism there.

> If virustotal has such an impact, I guess it should be possible to
> contact them and have it marked as "good",
You can register and do that yourself, btw. I did it for that file.

// Oliver


Re: Lua x antivirus

M. Edward (Ed) Borasky
On Fri, Jul 13, 2012 at 7:30 AM, Oliver Schneider
<[hidden email]> wrote:

> On 2012-07-12 21:43, Enrico Colombini wrote:
>> I didn't know that; are you sure it works that way? I've often used it
>> to check files and I often got a negative result. Sometimes it was a
>> false positive by a single antivirus only.
> As someone from the industry I can tell you that it doesn't work this
> way. It's yet another myth similarly grotesque as the one that we're
> writing the malware to sell the protection against it :)
>
> There is sample sharing going on between vendors over other channels and
> sometimes also from VT, but the decision whether something is classified
> malware, grayware or goodware is at the discretion of each vendor.
> Although it is a known problem that false positives spread like this and
> there is (IMO) no proper mechanism in place to report a false positive to
> numerous vendors (although VT worked on something like that some time
> ago). I suppose Florian was referring to this spreading of false
> positives. But it's a fallacy to believe VT is the driving mechanism there.
>
>> If virustotal has such an impact, I guess it should be possible to
>> contact them and have it marked as "good",
> You can register and do that yourself, btw. I did it for that file.
>
> // Oliver
>

My experience is that the only "fix" is to use your virus scanner's
tools on your machine to allow "false positives" to execute.  There's
no other practical solution; this isn't a "democratic" or
"negotiation" process.

--
Twitter: http://twitter.com/znmeb Computational Journalism Server
http://j.mp/compjournoserver

Data is the new coal - abundant, dirty and difficult to mine.


Re: Lua x antivirus

Florian Weimer
In reply to this post by Enrico Colombini
* Enrico Colombini:

> On 12/07/2012 23.13, Florian Weimer wrote:
>> Uploading false positives to Virustotal is not a good idea because it
>> triggers all kinds of automated actions, most of them geared towards
>> branding the file as malware.
>
> I didn't know that; are you sure it works that way?

Yes, in extreme cases.  I don't know why Oliver thinks otherwise.

To clarify, I did not want to suggest that Virustotal or the AV
vendors are doing something nefarious.  It's just that there are automated
processes whose effects can be surprising.  This makes sense for
various reasons.  Some malware authors use Virustotal to test their
creations.  Here's one case which is quite well-documented:

<http://www.f-secure.com/weblog/archives/00002250.html>

> I've often used it to check files and I often got a negative
> result. Sometimes it was a false positive by a single antivirus
> only.

It has to be a false positive with a certain level of AV detection.
It doesn't work for files with no detection.


Re: Lua x antivirus

Enrico Colombini
On 13/07/2012 21.00, Florian Weimer wrote:
>> I've often used it to check files and I often got a negative
>> result. Sometimes it was a false positive by a single antivirus
>> only.
> It has to be a false positive with a certain level of AV detection.
> It doesn't work for files with no detection.

Yes, I meant I use it when an antivirus marks a file as "bad" but I'm
not convinced; so let's see what the others think. I know it's
definitely not a proof, just an additional hint.

By the way, reloading the VT page, the detection ratio is now down from
4/42 to 2/42; Symantec had dropped it.

--
   Enrico