GoldenEye_Source_5.0.0_to_5.0.6_patch.exe has a very possible malware problem.
IsMal?:
So, first I'll explain how I came across this. I wanted to download Golden Eye: Source on my main home PC. I think that it's really amazing that it's just a mod, it's really incredible. But like anything I download on to my PC, I decided to look into it before downloading. I did the normal googling to see how credible it is. For this part it came up clean and I was going to download it today. While downloading the installer (from Moddb) I decided to run Golden Eye's site through VirusTotal to see what came up. The clean links I sent were: "https://geshl2.com/" and "geshl2.com/" respectively. Then I found that they both lead me to "www.geshl2.com/". This led to an automated report of all the files downloaded from "www.geshl2.com/". 5 files were listed, one of them being "GoldenEye_Source_5.0.0_to_5.0.6_patch.exe", getting a detection ratio of 4/67. I decided to download the file from both Moddb and GameStand. Both gave the same results.
The AV Engines that detected it were:
* Antiy-AVL: Trojan[Exploit]/EXE.CVE-2016-0099.Generic
* Bkav: HW32.Packed.969A
* Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9751
* McAfee-GW-Edition: BehavesLike.Win32.Vopak.tc
I looked up each one of the basic diagnoses given to it. I was relieved to find out that they were all associated with false positives. I decided to go back and look at the community score for it and saw that there was one post by a HybridAnalysis. I looked through their report of it and it shed a lot more light on the issue.
We will now be looking at the HybridAnalysis report filed August 28th 2017. The link to the Hybrid report will be given below, along with the VirusTotal links. Please check them out for yourself.
The report begins with a Risk Assessment, stating:
* Spyware: Accesses potentially sensitive information from local browsers
* Persistence: Writes data to a remote process
* Fingerprint: Reads the active computer name, Reads the cryptographic machine GUID, and Reads the windows installation date
Interpret that as what you will. It then moves on to the more detailed matters of Malicious Indicators, of which there were 4. It goes on to say that it had a 9% detection rate, which as of writing this has gone down to 5%. The main thing I want to focus on is that it says that a .dll file was found in the installer. That .dll being UAC.dll, for which, on doing some quick research, I found a lot of malware reports. It also lists two other malicious indicators but I didn't think I needed to list all of them. Then it goes on to Suspicious Indicators. There were 20 Suspicious Indicators; you can go and read about them, as for the sake of time I will not be listing them. Another thing that worried me was it making changes to Internet Explorer. Here is one example: "%LOCALAPPDATA%\Microsoft\Internet Explorer\Recovery\High\Active\{F5857E24-8B77-11E7-ACF3-0A00270556D5}.dat".
Now you're probably wondering why I care if the patch has malware? I'm looking to install Golden Eye: Source, not the patch. I trust The GoldenEye: Source team, but I feel that this issue lies with the installer. The patch installer and the Mod installer share the same installer. And I feel like this is a problem with the installer. Though that is my theory.
To end this off I decided to submit my patch installer and see a new report. So far Malicious Indicators went down to 1. Still the UAC.dll.
I really would like an explanation. And if this is a problem with the installer could the devs fix it?
VirusTotal Site Report: https://www.virustotal.com/gui/file/2e500e0d1b5be7572ac3d5fa9a4f80b62c8eac081ac26ba63ae8c2ebe1633084/detection
Hybrid-Analysis: https://www.hybrid-analysis.com/sample/2e500e0d1b5be7572ac3d5fa9a4f80b62c8eac081ac26ba63ae8c2ebe1633084?environmentId=100
My Hybrid-Analysis: https://www.hybrid-analysis.com/sample/2e500e0d1b5be7572ac3d5fa9a4f80b62c8eac081ac26ba63ae8c2ebe1633084
soupcan:
These are false positives... reading the Hybrid Analysis reports makes that fairly obvious. For instance, it flags things like "http://nsis.sf.net/NSIS_Error" which is common to all NSIS installers.
A bunch of antimalware products flagged the files as malicious at launch based on heuristics, those that we've been able to submit for reviews have since whitelisted the files. Certain DLLs you see flagged, are flagged because many programs use them, malicious or not.
We'll try to mitigate this in the future by minimizing the use of certain frequently-flagged NSIS plugins, signing the installer, etc. In the end it's hard to release a program that does as much as our installer does (reading / writing various files and registry keys, downloading files, etc) without upsetting some antivirus product, but we're actively looking at ways to mitigate it.
In the end as long as you're downloading the file from a legit source you should be OK.
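Two checks a user can actually run follow from this reply: confirm that the file you downloaded is the same file the project published (pin its SHA-256, as in the VirusTotal and Hybrid-Analysis URLs in the thread), and look at what kind of verdicts the few detecting engines gave. This is an added example, not code from the forum or from the GoldenEye: Source project. The installer bytes are a constructed stand-in, the four verdicts are copied from the thread, and the word list used to mark a verdict as generic or behavioural is an assumption for illustration.

```python
"""Pinned-hash verification of a downloaded installer plus a rough triage of
scanner verdicts. Added example for this thread, not project code."""
import hashlib
import hmac
import re

# SHA-256 that appears in the thread's VirusTotal / Hybrid-Analysis URLs.
# In practice, pin the hash the project publishes on its own download page.
THREAD_SHA256 = "2e500e0d1b5be7572ac3d5fa9a4f80b62c8eac081ac26ba63ae8c2ebe1633084"

# Constructed stand-in for downloaded installer bytes (not the real patch).
SAMPLE_DOWNLOAD = b"MZ\x90\x00" + b"constructed NSIS-style payload " * 16

# The four verdicts quoted in the thread, out of 67 engines.
THREAD_DETECTIONS = {
    "Antiy-AVL": "Trojan[Exploit]/EXE.CVE-2016-0099.Generic",
    "Bkav": "HW32.Packed.969A",
    "Baidu": "Win32.Trojan.WisdomEyes.16070401.9500.9751",
    "McAfee-GW-Edition": "BehavesLike.Win32.Vopak.tc",
}
THREAD_ENGINE_COUNT = 67

# Assumption for illustration: verdict names built from these words come from a
# heuristic, packer or behavioural rule rather than naming a specific family.
_HEURISTIC_WORDS = re.compile(r"generic|heur|packed|behaveslike|suspicious", re.I)


def sha256_hex(data: bytes) -> str:
    """Hash the bytes of a downloaded file, 1 MiB at a time."""
    h = hashlib.sha256()
    view = memoryview(data)
    chunk = 1 << 20
    for start in range(0, len(view), chunk):
        h.update(view[start:start + chunk])
    return h.hexdigest()


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """True only if the file's SHA-256 equals the pinned value.

    The comparison is case-insensitive (sites publish hashes in either case)
    and uses compare_digest, so a truncated or prefix-only match is rejected.
    """
    actual = sha256_hex(data)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def triage_detections(detections: dict, total_engines: int) -> dict:
    """Summarise verdicts: overall ratio, which engines used a generic or
    behavioural label, and which named a specific family."""
    heuristic = [e for e, name in detections.items() if _HEURISTIC_WORDS.search(name)]
    specific = [e for e in detections if e not in heuristic]
    return {
        "ratio": f"{len(detections)}/{total_engines}",
        "heuristic_engines": sorted(heuristic),
        "named_family_engines": sorted(specific),
    }


if __name__ == "__main__":
    print("matches thread hash:", verify_download(SAMPLE_DOWNLOAD, THREAD_SHA256))
    print(triage_detections(THREAD_DETECTIONS, THREAD_ENGINE_COUNT))
```

A hash match only proves you got the bytes the project published, not that those bytes are clean; that is why it pairs with the verdict triage rather than replacing it. On Windows the same integrity check is `Get-FileHash` against the published value, and once the installer is signed, as proposed above, `Get-AuthenticodeSignature` on the .exe gives a second, publisher-bound check.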
IsMal?:
While I now believe that most of them are false positives, UAC.dll I still believe to be malicious. But on further inspection I made a mistake in my original post:
--- Quote ---To end this off I decided to submit my patch installer and see a new report. So far Malicious Indicators went down to 1. Still the UAC.dll.
--- End quote ---
It seems on a second check that I have not seen any report of UAC.dll; I could be wrong and it's still there. But the most recent Hybrid report doesn't bring it up. Have you removed UAC.dll? If so that kind of wipes away all my worries.
To show I'm not trying to throw a bad name at Golden Eye: Source, I feel that the new and most recent ratings are unfair. If you check the most recent Hybrid report (the one I submitted), it still marks it as malicious. This is because VirusTotal marks it as malicious because of past reports and Hybrid's past report. Do you see the problem? Even if UAC.dll is gone and it's 100% clean, it's still gonna get a bad rating because of past reports. Which is obviously unfair.
Anyway, is UAC.dll removed? And if it's not, do you plan on removing it in the future?
kraid:
Dude, UAC is that windows warning thing that comes up when you try to run an installer.
Ofc. it's part of Windows, so it has to be malicious. ;)
IsMal?:
I looked on 2 PCs running Windows and saw no trace of UAC.dll.
I also looked at the NSIS Docs concerning UAC and it said that it wasn't needed anymore and abandonware.
The only place I see UAC used was in the installer.