[tor-bugs] #8430 [Tor bundles/installation]: PyInstaller binaries detected as malware
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Mar 7 22:18:40 UTC 2013
#8430: PyInstaller binaries detected as malware
--------------------------------------+-------------------------------------
Reporter: dcf | Owner: erinn
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
This is a summary of discussion about malware detection that happened
mostly in email.
A blog comment shows a VirusTotal analysis of `obfsproxy.exe` from the
2.4.7-alpha-1 flashproxy+pyobfsproxy bundles. The purported malware
detected consists of variants of "Backdoor/Win32.Swrort.gen."
https://blog.torproject.org/blog/combined-flash-proxy-pyobfsproxy-browser-bundles#comment-18759
https://www.virustotal.com/en/file/b9c9357a2923520fbcecd1044e0aa58a323d4d3c94c08799415b61c0cfbe31b6/analysis/1361218309/
The bundles being detected as malware were built by Alex. David
independently built his own and they had similar malware results. A
trivial "hello, world" executable built by David had similar malware
results.
David's `obfsproxy.exe`:
https://www.virustotal.com/en/file/cdabf1ca98becd88392cd8249047efb3802d4142e922f04b23acbda6d08872ab/analysis/
David's `hello.exe`:
https://www.virustotal.com/en/file/147eed31da492c98b0908f208e74be1c36136edbee81708a5940d11e3cd10760/analysis/
We traced the issue to PyInstaller upstream. This is their ticket for the
"Swrort" detection.
http://www.pyinstaller.org/ticket/603
Alex and David built new 2.4.10-alpha-2 bundles
([http://cs.mcgill.ca/~aallai2/bundles/2.4.10/ Alex],
[https://people.torproject.org/~dcf/flashproxy/ David]) using PyInstaller
commit [https://github.com/pyinstaller/pyinstaller/commit/555e9f7f6fbaccaeb024c658fcb96e199f4a3b0d 555e9f7f],
which contains a fix for antivirus issue 603. (The 2.4.7-alpha-1
binaries were built with the PyInstaller 2.0 release.) However, the new
bundles now test positive for different malware ("Gen:Variant.Strictor.20210").
Alex's `pyobfsproxy.exe`:
https://www.virustotal.com/en/file/9a12fc0773e939c246ff2269f930ce1e3cf903ddb81810e4f10d924da6c37e2d/analysis/
David's `pyobfsproxy.exe`:
https://www.virustotal.com/en/file/5f2675b7d19d412c47655203273e2babc07ce1be31521a80ba9d579b70b07e15/analysis/
Binaries from Nmap built with py2exe do not show any malware detection.
Here is `ndiff.exe` from http://nmap.org/dist/nmap-6.25-setup.exe:
https://www.virustotal.com/en/file/fee79b95d1e4439ce7b0a676943e5551c2cca56b72a0954ec206897c683676db/analysis/
Alex is testing py2exe to see if it works for the pluggable transports
bundles.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8430>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online