Yes, AV software, especially HitmanPro, is not gospel. 67 other AVs came out clean. But let’s say for the sake of argument that they’re all wrong.

“Trojan-Downloader” is a class of Trojan that downloads a payload, which means they need to use a socket somehow.

    $ sha256sum.exe ghc-8.2.2/lib/bin/touchy.exe
    5ffdaa7da4381637ab2a0ec327118cd933398a477430e2f5d94e9d53c53f2782 *ghc-8.2.2/lib/bin/touchy.exe

is the binary I’m looking at; it matches the hash on the VirusTotal link and yours. This is the source of touchy: https://github.com/ghc/ghc/blob/ghc-8.2/utils/touchy/touchy.c

The application does not import Winsock, so networking seems unlikely, but it imports GetProcAddress, so let’s say for the sake of argument it’s dynamically binding to the socket library. http://lpaste.net/3408264924009332736 is the full string table, which contains no ASCII string starting with “WSA”. So unlikely, since you need to name the function you want to call, and you need to initialize the sockets, so WSA.

This is the full disassembly of touchy.exe: http://lpaste.net/7667888088021991424

Below you’ll find an inline copy of main; it pretty much follows the source in touchy.c. I’m pretty confident that HitmanPro is just throwing a false positive. I won’t be going through the CRT startup code.
Here’s main:

    00000000004015c0 <main>:
    4015c0: 41 57                   push   %r15
    4015c2: 41 56                   push   %r14
    4015c4: 41 55                   push   %r13
    4015c6: 41 54                   push   %r12
    4015c8: 55                      push   %rbp
    4015c9: 57                      push   %rdi
    4015ca: 56                      push   %rsi
    4015cb: 53                      push   %rbx
    4015cc: 48 83 ec 68             sub    $0x68,%rsp
    4015d0: 89 ce                   mov    %ecx,%esi
    4015d2: 48 89 d7                mov    %rdx,%rdi
    4015d5: e8 e6 02 00 00          callq  4018c0 <__main>
    4015da: 83 fe 01                cmp    $0x1,%esi
    4015dd: 74 10                   je     4015ef <main+0x2f>
    4015df: b8 00 00 00 00          mov    $0x0,%eax
    4015e4: 83 fe 01                cmp    $0x1,%esi
    4015e7: 0f 8e 4d 01 00 00       jle    40173a <main+0x17a>
    4015ed: eb 26                   jmp    401615 <main+0x55>
    4015ef: 48 8b 1f                mov    (%rdi),%rbx
    4015f2: ff 15 1c 6d 00 00       callq  *0x6d1c(%rip)        # 408314 <__imp___iob_func>
    4015f8: 48 8d 48 60             lea    0x60(%rax),%rcx
    4015fc: 49 89 d8                mov    %rbx,%r8
    4015ff: 48 8d 15 2a 2a 00 00    lea    0x2a2a(%rip),%rdx    # 404030 <.rdata>
    401606: e8 65 17 00 00          callq  402d70 <fprintf>
    40160b: b8 01 00 00 00          mov    $0x1,%eax
    401610: e9 25 01 00 00          jmpq   40173a <main+0x17a>
    401615: 48 8d 5f 08             lea    0x8(%rdi),%rbx
    401619: 8d 46 fe                lea    -0x2(%rsi),%eax
    40161c: 4c 8d 7c c7 10          lea    0x10(%rdi,%rax,8),%r15
    401621: 4c 8b 2d ec 6b 00 00    mov    0x6bec(%rip),%r13    # 408214 <__imp_CreateFileA>
    401628: 48 8d 7c 24 50          lea    0x50(%rsp),%rdi
    40162d: 4c 8b 25 30 6c 00 00    mov    0x6c30(%rip),%r12    # 408264 <__imp_GetSystemTimeAsFileTime>
    401634: 48 8b 2d 71 6c 00 00    mov    0x6c71(%rip),%rbp    # 4082ac <__imp_SetFileTime>
    40163b: 4c 8b 35 ca 6b 00 00    mov    0x6bca(%rip),%r14    # 40820c <__IAT_start__>
    401642: 48 89 5c 24 48          mov    %rbx,0x48(%rsp)
    401647: 48 c7 44 24 30 00 00    movq   $0x0,0x30(%rsp)
    40164e: 00 00
    401650: c7 44 24 28 80 00 00    movl   $0x80,0x28(%rsp)
    401657: 00
    401658: c7 44 24 20 04 00 00    movl   $0x4,0x20(%rsp)
    40165f: 00
    401660: 41 b9 00 00 00 00       mov    $0x0,%r9d
    401666: 41 b8 00 00 00 00       mov    $0x0,%r8d
    40166c: ba 00 00 00 40          mov    $0x40000000,%edx
    401671: 48 8b 0b                mov    (%rbx),%rcx
    401674: 41 ff d5                callq  *%r13
    401677: 48 89 c6                mov    %rax,%rsi
    40167a: 48 83 f8 ff             cmp    $0xffffffffffffffff,%rax
    40167e: 75 2b                   jne    4016ab <main+0xeb>
    401680: 48 8b 44 24 48          mov    0x48(%rsp),%rax
    401685: 48 8b 18                mov    (%rax),%rbx
    401688: ff 15 86 6c 00 00       callq  *0x6c86(%rip)        # 408314 <__imp___iob_func>
    40168e: 48 8d 48 60             lea    0x60(%rax),%rcx
    401692: 49 89 d8                mov    %rbx,%r8
    401695: 48 8d 15 a7 29 00 00    lea    0x29a7(%rip),%rdx    # 404043 <.rdata+0x13>
    40169c: e8 cf 16 00 00          callq  402d70 <fprintf>
    4016a1: b9 01 00 00 00          mov    $0x1,%ecx
    4016a6: e8 cd 16 00 00          callq  402d78 <exit>
    4016ab: 48 89 f9                mov    %rdi,%rcx
    4016ae: 41 ff d4                callq  *%r12
    4016b1: 49 89 f9                mov    %rdi,%r9
    4016b4: 41 b8 00 00 00 00       mov    $0x0,%r8d
    4016ba: ba 00 00 00 00          mov    $0x0,%edx
    4016bf: 48 89 f1                mov    %rsi,%rcx
    4016c2: ff d5                   callq  *%rbp
    4016c4: 85 c0                   test   %eax,%eax
    4016c6: 75 2b                   jne    4016f3 <main+0x133>
    4016c8: 48 8b 44 24 48          mov    0x48(%rsp),%rax
    4016cd: 48 8b 18                mov    (%rax),%rbx
    4016d0: ff 15 3e 6c 00 00       callq  *0x6c3e(%rip)        # 408314 <__imp___iob_func>
    4016d6: 48 8d 48 60             lea    0x60(%rax),%rcx
    4016da: 49 89 d8                mov    %rbx,%r8
    4016dd: 48 8d 15 74 29 00 00    lea    0x2974(%rip),%rdx    # 404058 <.rdata+0x28>
    4016e4: e8 87 16 00 00          callq  402d70 <fprintf>
    4016e9: b9 01 00 00 00          mov    $0x1,%ecx
    4016ee: e8 85 16 00 00          callq  402d78 <exit>
    4016f3: 48 89 f1                mov    %rsi,%rcx
    4016f6: 41 ff d6                callq  *%r14
    4016f9: 85 c0                   test   %eax,%eax
    4016fb: 75 2b                   jne    401728 <main+0x168>
    4016fd: 48 8b 44 24 48          mov    0x48(%rsp),%rax
    401702: 48 8b 18                mov    (%rax),%rbx
    401705: ff 15 09 6c 00 00       callq  *0x6c09(%rip)        # 408314 <__imp___iob_func>
    40170b: 48 8d 48 60             lea    0x60(%rax),%rcx
    40170f: 49 89 d8                mov    %rbx,%r8
    401712: 48 8d 15 62 29 00 00    lea    0x2962(%rip),%rdx    # 40407b <.rdata+0x4b>
    401719: e8 52 16 00 00          callq  402d70 <fprintf>
    40171e: b9 01 00 00 00          mov    $0x1,%ecx
    401723: e8 50 16 00 00          callq  402d78 <exit>
    401728: 48 83 c3 08             add    $0x8,%rbx
    40172c: 4c 39 fb                cmp    %r15,%rbx
    40172f: 0f 85 0d ff ff ff       jne    401642 <main+0x82>
    401735: b8 00 00 00 00          mov    $0x0,%eax
    40173a: 48 83 c4 68             add    $0x68,%rsp
    40173e: 5b                      pop    %rbx
    40173f: 5e                      pop    %rsi
    401740: 5f                      pop    %rdi
    401741: 5d                      pop    %rbp
    401742: 41 5c                   pop    %r12
    401744: 41 5d                   pop    %r13
    401746: 41 5e                   pop    %r14
    401748: 41 5f                   pop    %r15
    40174a: c3                      retq
    40174b: 90                      nop
    40174c: 90                      nop
    40174d: 90                      nop
    40174e: 90                      nop
    40174f: 90                      nop

From: Brandon Allbery
Sent: Thursday, December 28, 2017 21:29
To: Matthew Lamari
Cc: [email protected]; [email protected]
Subject: Re: Haskell Platform 8.2.2 - virus?

This wouldn't be the first time some program that uses heuristic execution patterns to detect malware decided it didn't like the STG.

On Thu, Dec 28, 2017 at 4:15 PM, Matthew Lamari <[email protected]> wrote:

The site gave me the 5ffdaa sha256 you have below for touchy.exe. That said, I still have the 2 builds yield different results from Hitman Pro on the clean boxes. And Bitdefender, on my machine (albeit being obtuse), chucks a fit over it. It doesn't detect the EXE files, but detects secondary consequences of them running. I really think something is afoot here.

On 12/28/2017 3:00 PM, [email protected] wrote:

Upload one of the binaries it flagged to https://www.virustotal.com/en/ and send the link. As far as I can tell, they’re all clean:
https://www.virustotal.com/en/file/9cc2a6032dde8d8ab572f9491041242ab4c76d2b7d36eea5283c82cf9bf9fd69/analysis/
https://www.virustotal.com/en/file/5ffdaa7da4381637ab2a0ec327118cd933398a477430e2f5d94e9d53c53f2782/analysis/

From: Matthew Lamari
Sent: Thursday, December 28, 2017 20:29
To: [email protected]
Subject: Haskell Platform 8.2.2 - virus?

New Haskell install was tripping my Bitdefender like crazy and in weird ways - not new, as that's how Bitdefender rolls. However, I retested in a clean test with (free) Hitman Pro. I started from a base case with 2 clean Windows 8 VMs.

New 8.2.2 install - has virus
Old 8.0.2 Jan 2017 - no virus

According to Hitman Pro, touchy.exe, haddock-8.2.2, ghc-8.2.2.exe, and unlit.exe have some problem post-install. I went no further on the VMs.

"Detection Names Kaspersky Trojan-Downloader.Win32.Paph.fsv"

Bitdefender didn't get it on install but would lock the whole thing down on the first run of "Cabal".
_______________________________________________
ghc-devs mailing list
[email protected]
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs

--
brandon s allbery kf8nh
sine nomine associates
[email protected] [email protected]
unix, openafs, kerberos, infrastructure, xmonad
http://sinenomine.net
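A scripted form of the string-table check the reply above makes (does the binary name the Winsock DLL, or any WSA* export that a GetProcAddress lookup would have to spell out?), added here as an example and not code from the thread or from GHC; the sample byte blobs are constructed and the function names are my own.

```python
"""Static triage for Winsock use via the string table, mirroring the
argument above: a static import leaves the DLL name (ws2_32.dll) in the
import directory, and a GetProcAddress-based dynamic lookup still has to
name the WSA* export. Sample blobs are constructed, not bytes of touchy.exe.
"""
import re
from typing import Dict, List

# Names a Winsock consumer would leave in its import directory.
WINSOCK_DLLS = ("ws2_32.dll", "wsock32.dll", "mswsock.dll")


def extract_ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of >= min_len printable ASCII bytes, like `strings`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def winsock_indicators(data: bytes) -> Dict[str, object]:
    """Summarise what the string table says about networking capability."""
    strings = extract_ascii_strings(data)
    lowered = [s.lower() for s in strings]
    return {
        # Static import: the DLL name itself appears in the binary.
        "winsock_dlls": sorted({d for d in WINSOCK_DLLS if any(d in s for s in lowered)}),
        # Dynamic lookup: the export name (WSAStartup etc.) must still be present.
        "wsa_functions": sorted({s for s in strings if re.match(r"WSA[A-Za-z]+", s)}),
        "has_getprocaddress": any("GetProcAddress" in s for s in strings),
    }


def likely_networking(data: bytes) -> bool:
    """True if either the Winsock DLL name or a WSA* export name is present."""
    ind = winsock_indicators(data)
    return bool(ind["winsock_dlls"] or ind["wsa_functions"])


# Constructed samples: a touchy-like table (file APIs, GetProcAddress, no
# Winsock) and one whose strings would actually support a downloader verdict.
TOUCHY_LIKE = b"\x00\x01MZ\x90\x00KERNEL32.dll\x00CreateFileA\x00SetFileTime\x00GetProcAddress\x00Usage: touchy <file>\x00"
NETWORKING_LIKE = b"\x00\x01MZ\x90\x00WS2_32.dll\x00WSAStartup\x00WSASocketA\x00connect\x00GetProcAddress\x00"

if __name__ == "__main__":
    for name, blob in (("touchy-like", TOUCHY_LIKE), ("networking-like", NETWORKING_LIKE)):
        print(name, winsock_indicators(blob), "networking:", likely_networking(blob))
```

Run it on a real file with `winsock_indicators(open(path, "rb").read())`; an empty result for both lists is the same evidence the reply above drew from the lpaste string table.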
