TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1


Boost - Dev mailing list
Dear boost developers and/or release managers:

Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows binaries
downloads page:
https://dl.bintray.com/boostorg/release/1.67.0/binaries/

The file contains a Trojan, according to Windows Defender.

Screenshot:
https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-26%2016_29_52-Windows%20Defender%20Security%20Center.jpg

Someone should verify this & check the other pre-built binaries ASAP to
reduce exposure.

Thank you & best regards

_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost

Re: TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1

Boost - Dev mailing list
Read this thread
https://lists.boost.org/Archives/boost/2018/05/242200.php

It's always a good idea to search through the list archives first.

Mateusz Loskot, [hidden email]
(Sent from mobile)

On Fri, 27 Jul 2018, 00:08 Zipper Fish via Boost, <[hidden email]>
wrote:

> Dear boost developers and/or release managers:
>
> Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows binaries
> downloads page:
> https://dl.bintray.com/boostorg/release/1.67.0/binaries/
>
> The file contains a Trojan, according to Windows Defender.
>
> Screenshot:
>
> https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-26%2016_29_52-Windows%20Defender%20Security%20Center.jpg
>
> Someone should verify this & check the other pre-built binaries ASAP to
> reduce exposure.
>
> Thank you & best regards
>
> _______________________________________________
> Unsubscribe & other changes:
> http://lists.boost.org/mailman/listinfo.cgi/boost
>


Re: TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1

Boost - Dev mailing list
Thank you

Ok, I'll whitelist the file "boost_1_67_0-msvc-14.1-64.exe" with some
trepidation and try installing.

I normally do search archives and Google extensively for code issues, but
for a positive hit from a virus detector, it wasn't the first idea that
popped into my head.

Just curious, why would a boost installer trigger virus detectors? Is the
virus executable linked to a boost library?


On Thu, Jul 26, 2018 at 6:41 PM, Mateusz Loskot via Boost <
[hidden email]> wrote:

> Read this thread
> https://lists.boost.org/Archives/boost/2018/05/242200.php
>
> It's always a good idea to search through the list archives first.
>
> Mateusz Loskot, [hidden email]
> (Sent from mobile)
>
> On Fri, 27 Jul 2018, 00:08 Zipper Fish via Boost, <[hidden email]>
> wrote:
>
> > Dear boost developers and/or release managers:
> >
> > Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows
> binaries
> > downloads page:
> > https://dl.bintray.com/boostorg/release/1.67.0/binaries/
> >
> > The file contains a Trojan, according to Windows Defender.
> >
> > Screenshot:
> >
> > https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-
> 26%2016_29_52-Windows%20Defender%20Security%20Center.jpg
> >
> > Someone should verify this & check the other pre-built binaries ASAP to
> > reduce exposure.
> >
> > Thank you & best regards
> >
> > _______________________________________________
> > Unsubscribe & other changes:
> > http://lists.boost.org/mailman/listinfo.cgi/boost
> >
>
> _______________________________________________
> Unsubscribe & other changes: http://lists.boost.org/
> mailman/listinfo.cgi/boost
>


Re: TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1

Boost - Dev mailing list
> -----Original Message-----
> From: Boost [mailto:[hidden email]] On Behalf Of Zipper Fish via Boost
> Sent: 27 July 2018 02:55
> To: [hidden email]
> Cc: Zipper Fish
> Subject: Re: [boost] TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1
>
> Thank you
>
> Ok, I'll whitelist the file "boost_1_67_0-msvc-14.1-64.exe" with some
> trepidation and try installing.
>
> I normally do search archives and Google extensively for code issues, but
> for a positive hit from the a virus detector, it wasn't the first idea that
> popped into my head.
>
> Just curious, why would a boost installer trigger virus detectors? Is the
> virus executable linked to a boost library?
>
>
> On Thu, Jul 26, 2018 at 6:41 PM, Mateusz Loskot via Boost <
> [hidden email]> wrote:
>
> > Read this thread
> > https://lists.boost.org/Archives/boost/2018/05/242200.php
> >
> > It's always a good idea to search through the list archives first.
> >
> > Mateusz Loskot, [hidden email]
> > (Sent from mobile)
> >
> > On Fri, 27 Jul 2018, 00:08 Zipper Fish via Boost, <[hidden email]>
> > wrote:
> >
> > > Dear boost developers and/or release managers:
> > >
> > > Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows
> > binaries
> > > downloads page:
> > > https://dl.bintray.com/boostorg/release/1.67.0/binaries/
> > >
> > > The file contains a Trojan, according to Windows Defender.
> > >
> > > Screenshot:
> > >
> > > https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-
> > 26%2016_29_52-Windows%20Defender%20Security%20Center.jpg

You could download and unzip the zipped version instead if that makes you feel better?

https://www.boost.org/users/download/

My experience is that several virus checkers intermittently but persistently find false positives in Boost libraries that I
re-build; I have been reduced to placing them in a separate partition which is not virus checked.

(Since Microsoft use Boost internally, I am puzzled why this issue hasn't caused some liaison between the C++ users and the Defender
team).

Don't panic!

Paul

---
Paul A. Bristow
Prizet Farmhouse
Kendal UK LA8 8AB
+44 (0) 1539 561830











Re: TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1

Boost - Dev mailing list
On 27 July 2018 at 11:19, Paul A. Bristow via Boost <[hidden email]>
wrote:

> (Since Microsoft use Boost internally, I am puzzled why this issue hasn't
> caused some liaison between the C++ users and the Defender
> team).
>

Possibly because they (the MS people) exclude their build directories (on
some build server) from scanning by Defender in the settings of that server
(if not turned off altogether), no need to create a partition.

degski
--
*"If something cannot go on forever, it will stop" - Herbert Stein*


Re: TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1

Boost - Dev mailing list
Paul, I already feel good and am not panicking, but thank you for your
concern :-)

I am interested in the Windows 3rd party binaries because I try to avoid
building boost manually on Windows if at all possible. As you know, the
Windows Zip file does not contain binaries for the non-header-only parts of
boost.

I already gathered your strategy about using a separate partition to beat
the virus checkers from the archive link that Mateusz shared.

As I wrote in my response to Mateusz, I am simply curious why a virus
checker would flag a false positive in compiled boost libraries. Is it
because viruses use boost libraries? I've used quite a number of libraries
over the years and none that I can recall had this issue. (If this is off
topic, my apologies.)

Best regards


On Fri, Jul 27, 2018 at 4:19 AM, Paul A. Bristow via Boost <
[hidden email]> wrote:

> > -----Original Message-----
> > From: Boost [mailto:[hidden email]] On Behalf Of Zipper
> Fish via Boost
> > Sent: 27 July 2018 02:55
> > To: [hidden email]
> > Cc: Zipper Fish
> > Subject: Re: [boost] TROJAN INFECTION boost 1.67 binaries for Windows
> x64 MSVC 14.1
> >
> > Thank you
> >
> > Ok, I'll whitelist the file "boost_1_67_0-msvc-14.1-64.exe" with some
> > trepidation and try installing.
> >
> > I normally do search archives and Google extensively for code issues, but
> > for a positive hit from the a virus detector, it wasn't the first idea
> that
> > popped into my head.
> >
> > Just curious, why would a boost installer trigger virus detectors? Is the
> > virus executable linked to a boost library?
> >
> >
> > On Thu, Jul 26, 2018 at 6:41 PM, Mateusz Loskot via Boost <
> > [hidden email]> wrote:
> >
> > > Read this thread
> > > https://lists.boost.org/Archives/boost/2018/05/242200.php
> > >
> > > It's always a good idea to search through the list archives first.
> > >
> > > Mateusz Loskot, [hidden email]
> > > (Sent from mobile)
> > >
> > > On Fri, 27 Jul 2018, 00:08 Zipper Fish via Boost, <
> [hidden email]>
> > > wrote:
> > >
> > > > Dear boost developers and/or release managers:
> > > >
> > > > Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows
> > > binaries
> > > > downloads page:
> > > > https://dl.bintray.com/boostorg/release/1.67.0/binaries/
> > > >
> > > > The file contains a Trojan, according to Windows Defender.
> > > >
> > > > Screenshot:
> > > >
> > > > https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-
> > > 26%2016_29_52-Windows%20Defender%20Security%20Center.jpg
>
> You could download and unzip the zipped version instead if that makes you
> feel better?
>
> https://www.boost.org/users/download/
>
> My experience is that several virus checkers intermittently but
> persistently find false positives in Boost libraries that I
> re-build;  I have been reduced to placing then in a separate partition
> which is not virus checked.
>
> (Since Microsoft use Boost internally, I am puzzled why this issue hasn't
> caused some liaison between the C++ users and the Defender
> team).
>
> Don't panic!
>
> Paul
>
> ---
> Paul A. Bristow
> Prizet Farmhouse
> Kendal UK LA8 8AB
> +44 (0) 1539 561830
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Unsubscribe & other changes: http://lists.boost.org/
> mailman/listinfo.cgi/boost
>


Re: TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1

Boost - Dev mailing list
On 7/26/18 2:02 PM, Zipper Fish via Boost wrote:

> Dear boost developers and/or release managers:
>
> Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows binaries
> downloads page:
> https://dl.bintray.com/boostorg/release/1.67.0/binaries/
>
> The file contains a Trojan, according to Windows Defender.
>
> Screenshot:
> https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-26%2016_29_52-Windows%20Defender%20Security%20Center.jpg
>
> Someone should verify this & check the other pre-built binaries ASAP to
> reduce exposure.
>
> Thank you & best regards
>
> _______________________________________________
> Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost
>


Why do we even bother distributing binaries any more? Boost is a source
code product.

Robert Ramey



Re: TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1

Boost - Dev mailing list
On 27 July 2018 at 03:55, Zipper Fish via Boost <[hidden email]> wrote:
>
> Just curious, why would a boost installer trigger virus detectors? Is the
> virus executable linked to a boost library?

No idea, sorry.

Best regards,
--
Mateusz Loskot, http://mateusz.loskot.net


Re: TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1

Boost - Dev mailing list
> -----Original Message-----
> From: Boost [mailto:[hidden email]] On Behalf Of Mateusz Loskot via Boost
> Sent: 27 July 2018 15:25
> To: [hidden email]
> Cc: Mateusz Loskot
> Subject: Re: [boost] TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1
>
> On 27 July 2018 at 03:55, Zipper Fish via Boost <[hidden email]> wrote:
> >
> > Just curious, why would a boost installer trigger virus detectors? Is the
> > virus executable linked to a boost library?
>
> No idea, sorry.

Nor me neither - virus checkers work in mysterious ways - and have always suffered from false positives.

Paul





Re: TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1

Boost - Dev mailing list
On 27 July 2018 at 16:14, Zipper Fish via Boost <[hidden email]>
wrote:

> Paul, I already feel good and am not panicking, but thank you for your
> concern :-)
>

As you could have seen in the archive, quite a lot of people have looked at
it, and found it to be not a problem.

> I am interested in the Windows 3rd party binaries because I try to avoid
> building boost manually on Windows if at all possible. As you know, the
> Windows Zip file does not contain binaries for the non-header-only parts of
> boost.
>

You could use vcpkg and build boost (and many other libraries) without any
fuss.

> I already gathered your strategy about using a separate partition to beat
> the virus checkers from the archive link that Mateusz shared.
>

You can add excluded paths to Defender (and other AV's), add the build
directories as well, it will speed up your build.

> As I wrote in my response to Mateusz, I am simply curious why a virus
> checker would flag a false positive in compiled boost libraries.


It's an unsigned executable, the self extractor (tagged on at the end of
the file) is possibly itself compressed. If that is done with upx, it will
be flagged as a virus. There's an optimising exe compressor doing both 32-
and 64-bit exe/dll's called mpress
<https://autohotkey.com/mpress/mpress_web.htm>, this one will not get
flagged (by my experience) ever.

> Is it because viruses use boost libraries? I've used quite a number of
> libraries
> over the years and none that I can recall had this issue. (If this is off
> topic, my apologies.)
>

Before doing anything, check the suspicious file with malwarebytes
<https://www.malwarebytes.com/premium/> (just use the free version), if it
is a problem, mb is very likely to find it. If you dare (and are allowed,
i.e. you don't work for the potus), use kaspersky
<https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool>, it
*will* find it (and remove).

degski
--
*"If something cannot go on forever, it will stop" - Herbert Stein*
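
The two properties named in the reply above (no signature, UPX-style packing) can be read from a file's PE headers without running it. The sketch below is an added example, not part of the original thread or of Boost's tooling; `triage_pe` and `build_sample_pe` are hypothetical names, the sample image is constructed for the demo, and the check assumes UPX's default `UPX0`/`UPX1` section names, which a repacked file may not keep.

```python
import struct

# Section names UPX writes by default; renamed sections defeat this heuristic.
PACKER_SECTIONS = {"UPX0", "UPX1"}

def triage_pe(data: bytes) -> dict:
    """Read signing and packer hints from PE headers only (nothing is executed)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    n_sections, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)              # data directories
    (n_dirs,) = struct.unpack_from("<I", data, dirs - 4)      # NumberOfRvaAndSizes
    cert_size = 0
    if n_dirs > 4:                                            # index 4 = certificate table
        _, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    sec = opt + opt_size                                      # section table, 40 bytes each
    names = [data[sec + 40 * i: sec + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(n_sections)]
    return {
        # Presence only: validity still needs Get-AuthenticodeSignature or signtool verify.
        "has_signature_blob": cert_size > 0,
        "sections": names,
        "packer_sections": sorted(set(names) & PACKER_SECTIONS),
    }

def build_sample_pe(section_names, cert_size=0) -> bytes:
    """Constructed header-only PE32+ image for the demo (not a real executable)."""
    opt = bytearray(240)                                      # 112 + 16 directories * 8
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 112 + 4 * 8, 0x400 if cert_size else 0, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, len(opt), 0x22)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    table = b"".join(n.encode("ascii").ljust(40, b"\0") for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    print(triage_pe(build_sample_pe(["UPX0", "UPX1", ".rsrc"])))
    print(triage_pe(build_sample_pe([".text", ".rdata"], cert_size=0x1C00)))
```

On a real download, pass the file's bytes to `triage_pe`; neither hint settles whether a detection is a false positive.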


Re: TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1

Boost - Dev mailing list
Thanks Robert
Have a great day

On Fri, Jul 27, 2018 at 10:02 AM, Robert Ramey via Boost <
[hidden email]> wrote:

> On 7/26/18 2:02 PM, Zipper Fish via Boost wrote:
>
>> Dear boost developers and/or release managers:
>>
>> Today I downloaded boost_1_67_0-msvc-14.1-64.exe from the Windows binaries
>> downloads page:
>> https://dl.bintray.com/boostorg/release/1.67.0/binaries/
>>
>> The file contains a Trojan, according to Windows Defender.
>>
>> Screenshot:
>> https://usercontent.irccloud-cdn.com/file/Uy6o19AC/2018-07-2
>> 6%2016_29_52-Windows%20Defender%20Security%20Center.jpg
>>
>> Someone should verify this & check the other pre-built binaries ASAP to
>> reduce exposure.
>>
>> Thank you & best regards
>>
>> _______________________________________________
>> Unsubscribe & other changes: http://lists.boost.org/mailman
>> /listinfo.cgi/boost
>>
>>
>
> Why do we even bother distributing binaries any more.  Boost is a source
> code product.
>
> Robert Ramey
>
>
>
> _______________________________________________
> Unsubscribe & other changes: http://lists.boost.org/mailman
> /listinfo.cgi/boost
>


Re: TROJAN INFECTION boost 1.67 binaries for Windows x64 MSVC 14.1

Boost - Dev mailing list
On 07/27/18 17:35, Paul A. Bristow via Boost wrote:

> Nor me neither - virus checkers work in mysterious ways - and have always suffered from false positives.

Back in the 90s when I was working on virus checkers, they were scanning
the executable for certain revealing code patterns. Back then, those
patterns were found by human analysts.

My guess is that these days the patterns are found automatically, and
if a virus is written using Boost libraries then the virus checkers
will likely detect patterns of Boost code as suspicious.
