Author Topic: codeblocks-8.02mingw-setup.exe - Infected with Trojan.DownLoader.51776

IUnknown

  • Guest
DrWeb said that your Windows installation is infected with Trojan.DownLoader.51776!! Are all packages infected?
« Last Edit: March 21, 2008, 12:42:36 pm by IUnknown »

Major

  • Guest
File is fine for me. I use avast from www.avast.com. BTW, what the hell is DrWeb?

Oh! Googled it, and I see now it's Russian AV stuff. Whether to trust their results is your choice then, gl.
« Last Edit: March 21, 2008, 01:08:07 pm by Major »

Offline Seronis

  • Almost regular
  • **
  • Posts: 197
I've used the Windows installer on 3 different systems and scanned it with Symantec AntiVirus and got no bad results. As a matter of fact, when I drop 'Trojan.DownLoader.51776' into Google the ONLY link returned is to this thread discussion. I'm not familiar with your AV program, but I'm quite confident it's a false report.

Offline MortenMacFly

  • Administrator
  • Lives here!
  • *****
  • Posts: 9694
Be sure it is *not* infected. Go and buy good AV software.

You might want to try virustotal.com for your reference...
Compiler logging: Settings->Compiler & Debugger->tab "Other"->Compiler logging="Full command line"
C::B Manual: https://www.codeblocks.org/docs/main_codeblocks_en.html
C::B FAQ: https://wiki.codeblocks.org/index.php?title=FAQ

IUnknown

  • Guest
Thank you very much  :P

Offline schroeder

  • Single posting newcomer
  • *
  • Posts: 8
...wait... wait... this thing interests me, too.

First: I, too, tend to think it's a false positive. Last month AVG Free 7.5, after updating its definitions, was suddenly persuaded that my SciLab 4.1.2, freshly downloaded from here, was infected by a "Swizzor.Trojan.Downloader": which obviously was bogus, since the file was coming exactly from there, the official site, the MD5 sum was correct, and so on.

And in fact, after a quick "tour" of opinions between the SciLab developers and the AVG maintainers, it came out that it actually was a false positive. Problem quickly fixed in a nightly update of the definitions, and period.

Now, anyway, in the very unfortunate case that the Windows installer of Code::Blocks' last release is infected, I wonder how it could have happened. Can it happen that somebody uploads to the, say, sourceforge server a "poisoned" version of the installer itself, and this thing goes ahead without a moan for about fifteen days? It would definitely be embarrassing/worrying ;^)

So, to completely avoid this risk, I'd humbly suggest that programs released through these "public channels" simply be signed, via GPG, and that their MD5 checksum / SHA1 checksum be given to the public in such a way that they can be considered safe and reliable information. For example, by publicizing them here, on C::B's central server, and not there, on sourceforge or berlios.

I think the time has come also for Windows open source developers to begin to cryptographically sign their products: it's a good habit for which we will all never be grateful enough :^)

Offline jaxon

  • Multiple posting newcomer
  • *
  • Posts: 11
If DrWeb said it is infected, it really is, but maybe it was infected somewhere on the way... My DrWeb reports it is all OK.

P.S. We use DrWeb and it is much better than avast or AVG: it is updated daily and can really heal damaged files that are corrupted after AVG.

Offline thomas

  • Administrator
  • Lives here!
  • *****
  • Posts: 3979
Hashing/signing executables works as little as virus scanners do. It's treating the symptom, not the cause. If someone can hack into one server to upload a patched executable, he can as well hack into another server to update a hash (or a signature, and spread a fake public PGP key). It is more work of course, but it's possible. On the other hand, the vast majority of people don't check hashes at all, and very very few would probably check a PGP signature (I would not, for example) unless it's done automatically.

Fighting malware with software doesn't help, just like all of the anti-spam measures. All it does is add extra cost and overhead for you, to an extent that your computer becomes less and less usable, and you miss more and more real mail messages.

Whenever someone near you talks of how cool trojans and viruses are, or if you hear someone is a cool cracker/phracker/d00d or whatever they call themselves now, kick him in the face. In case he is still moving, do it again. If you know where they live, tip the police (say something about child [censored] or a pirate warez circle).

Whenever you get mail to enlarge your penis or to buy cH34p V I A G R A from realcheappharmacy.com, give them what they want. They want you to go to their website, alright. Launch up a dozen console windows and run wget or ab overnight. If it happens to be a company with an office near you, don't hesitate to pay them a visit late at night, and bring your lighter.

Spreading malware/trojan/viruses/spam/whatever works because it costs next to nothing to do it, and because there is absolutely no risk involved. Even in countries where it's illegal to some extent (EU/USA), the risk is extremely low.

If you get as much as one extra customer from spam, you have already made a gain, since spreading the malware and sending the spam over the zombie network did not cost you anything in the first place.
However, if 15,000 angry users worldwide let a traffic analyzer run overnight on your domain every time you spam them, so your regular customers get HTTP/500s and your hosting company asks an extra 500 for bandwidth at the end of the month, such a practice very quickly becomes a lot less attractive.
"We should forget about small efficiencies, say about 97% of the time: Premature quotation is the root of public humiliation."

Offline schroeder

  • Single posting newcomer
  • *
  • Posts: 8
Preamble: let me say, first of all, that my previous post wasn't intended as a moralizing rant, notwithstanding the tone, which may indeed sound a little "harsh": nor was it intended to start a fire. So, I apologize for any misunderstanding I could have caused. That said:


If DrWeb said it is infected, it really is, but maybe it was infected somewhere on the way... My DrWeb reports it is all OK.

P.S. We use DrWeb and it is much better than avast or AVG: it is updated daily and can really heal damaged files that are corrupted after AVG.

First of all, I believe the probability for a program to be infected "along the way", during a transfer, is very low. Or, at least, I can't imagine how this could happen.

As to the "antivirus quality issue", instead, my opinion is that, until the day when finally somebody comes out with some sort of objective measure of antivirus scanners' efficiency, unquestioned and with which to objectively state an undisputed "hierarchy" of the products, any product will continue more or less to be worth any other - with the obvious exception of the rogue/fake scanners, which do more harm than good.

In order to claim that the antivirus X is better than Y, again in my opinion, one should effectively have been able to compare them "on the battlefield", by making them scan two or more machines infected with well-known (and not-so-well-known) viruses, and see what happens. Then, one should statistically analyze the data collected in such a way, and only at this point, on the basis of the results of such a comparison, a final judgement of the kind "X is probably better than Y" could be given. Otherwise, it's just a matter of taste.

As to this latter issue, I personally have been quite satisfied, in the past, with Antivir: but I left it and "converted" to AVG, mainly because 1) at that time a friend of mine, administrator of a huge Windows system, told me it was worth the try, 2) the main sectorial reviews, here, on the web, said it was worth the try, and finally 3) because I was tired of being forced, under Antivir, to replace the whole program every time I decided to update just the definitions.

Are these objective criteria? Of course they aren't. However, until now I have been quite satisfied with AVG, even if I must add that my Windows systems are quite protected (I don't use Windows to go online, and I always try to be extremely careful when I import onto my PCs files "from abroad"), so it's very likely that my satisfaction is grounded on merely personal, subjective and self-deceptive criteria, not much more effective than pure wishful thinking.

In the very end, this is one of the two main reasons why I "converted" to Linux, more than six years ago now. Am I more protected because of this? I don't think so either... but one can't spend his/her whole life worrying about this kind of issue ;^D


Hashing/signing executables works as little as virus scanners do. It's treating the symptom, not the cause. If someone can hack into one server to upload a patched executable, he can as well hack into another server to update a hash (or a signature, and spread a fake public PGP key). It is more work of course, but it's possible. On the other hand, the vast majority of people don't check hashes at all, and very very few would probably check a PGP signature (I would not, for example) unless it's done automatically.

I agree with you as to the "symptom vs. cause" issue: but let me disagree on the rest.
True, if one is skilled enough to break into a server and substitute a legit program with a fake, he/she will also be able to change a hash/signature/whatever with whatever else. But that will unquestionably be his/hers, and not yours, or that of the C::B development team. The personal (and unique) data of your private GPG key, against which every public key claiming to be yours should be compared, would always be the definitive proof of the legitimacy of what I'm downloading, or of the contrary. I download the C::B installer, GPG-check it, see that it is apparently signed by the C::B development team, but that the signature I'm checking doesn't actually correspond to any legitimate public key of the team: and the thing ends there. Period.

Yes, I agree: this is still a cure for the symptoms, and doesn't yet attack the causes.
But even an aspirin can be of some relief if you suffer from rheumatoid arthritis. On the contrary, you can keep on doing nothing, because aspirin is just, well, aspirin (and a big business for Bayer & co.), in the hope that one day a final cure for arthritis will be found, and go ahead with your stoicism and your pain.

In other words - and I close: I believe that crypto-signing software would at any rate be a security improvement, even in the Windows open source community - where, on the contrary, there still seems to remain a great "distrust" on this issue (I'm talking in general, here). This, even if, in the very end, users don't want any hassle and probably wouldn't check the signatures anyway, and the whole thing would be not much more effective than aspirin for arthritis...

But, again, this is just my opinion...

_____________________________________

P.S.: anyway... was it infected, or not? :D
« Last Edit: March 23, 2008, 12:23:29 am by schroeder »
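The disagreement above (thomas: a hash on the same mirror is replaced together with the binary; schroeder: a checksum published out-of-band on the project's own server still catches it) can be shown in code. The following is an added example, not code from the thread or from the Code::Blocks project: it parses checksum lines in the md5sum/sha1sum output format and compares a downloaded file against them. The installer bytes are constructed stand-ins, and the filename is only used as a label.

```python
import hashlib
import hmac

# Hex digest length -> hashlib algorithm, covering md5sum / sha1sum / sha256sum output.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_checksum_file(text):
    """Parse '<hexdigest>  <filename>' lines into {filename: (algo, hexdigest)}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # '*' marks binary mode in *sum tools; optional
        algo = _ALGO_BY_LEN.get(len(digest))
        if algo is None or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"unrecognised checksum line: {line!r}")
        entries[name] = (algo, digest.lower())
    return entries


def verify_file(name, data, checksums):
    """True only if data hashes to the published digest recorded for name."""
    if name not in checksums:
        return False
    algo, expected = checksums[name]
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def checksum_line(name, data, algo="sha1"):
    """Produce a line in the same format the *sum tools print."""
    return f"{hashlib.new(algo, data).hexdigest()}  {name}"


def demo():
    name = "codeblocks-8.02mingw-setup.exe"
    genuine = b"constructed stand-in for the genuine installer bytes"  # constructed
    # The project records the digest on its own server (pinned, out-of-band).
    pinned = parse_checksum_file(checksum_line(name, genuine))
    # An attacker who controls the mirror swaps the binary AND the mirror's checksum file.
    tampered = genuine + b" (patched)"  # constructed
    mirror = parse_checksum_file(checksum_line(name, tampered))
    return {
        "genuine_vs_pinned": verify_file(name, genuine, pinned),    # True
        "tampered_vs_mirror": verify_file(name, tampered, mirror),  # True: same-server hash proves nothing
        "tampered_vs_pinned": verify_file(name, tampered, pinned),  # False: out-of-band hash catches it
    }
```

The same reasoning applies to a GPG signature: it only helps when the public key it is checked against is pinned from somewhere the attacker does not control.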