Alpha Centauri 2

Sid Meier's Alpha Centauri & Alien Crossfire => Modding => Topic started by: BFG on February 05, 2019, 03:29:37 AM

Title: Scient 2.0 EXE - Trojan Horse?
Post by: BFG on February 05, 2019, 03:29:37 AM
I don't want to raise any false alarms here, so I'm asking the community.

Every time I download the Scient 2.0 EXE from this site, Norton warns me that it is infected with a Trojan called Cridex.  Is anyone else getting that warning?  False positive or legit?

Mods - please feel free to delete this thread if it's determined to be safe.
Title: Re: Scient 2.0 EXE - Trojan Horse?
Post by: Buster's Uncle on February 05, 2019, 03:48:49 AM
PM scient - he checked by a few days ago, but might miss this...

One of you be sure to update the rest of us, please...
Title: Re: Scient 2.0 EXE - Trojan Horse?
Post by: BFG on February 06, 2019, 12:17:04 AM
Good idea.  PM'ing.
Title: Re: Scient 2.0 EXE - Trojan Horse?
Post by: scient on February 06, 2019, 01:18:08 AM
Thanks for the heads-up, BFG. I'm kind of surprised no one else noticed this. VirusTotal results only show a few AV vendors (11/72) are flagging it.

VirusTotal:
https://www.virustotal.com/#/file/35d259ba0bdf7a44595f970f1779c3770a97d10afe87ba4672638736acd45396/detection

I think it is a false positive because I am using a free installer, NSIS. However, the hash doesn't match the original copy I have in my project folder.

http://alphacentauri2.info/index.php?action=downloads;sa=view;down=364
SHA256: 35d259ba0bdf7a44595f970f1779c3770a97d10afe87ba4672638736acd45396

My original SHA256: 1a74ffb7801d8a0152a07a2a8363f04cf254ab497ce6fac37c4452c64169f922
VirusTotal for original (1/68; one crappy AV vendor): https://www.virustotal.com/#/file/1a74ffb7801d8a0152a07a2a8363f04cf254ab497ce6fac37c4452c64169f922/detection

It could be I updated the installer with some minor changes after sending a copy to be uploaded here. However, for completeness' sake I uploaded the binary to Wildfire. The report shows nothing alarming with the server-side one. So that brings me back to my original suspicion that Symantec is mistakenly flagging the NSIS installer as that trojan.

I'm going to see if I can figure out what changes I made between the server copy and the one I have in my project folder.
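Added example, not from the thread or from scient's project: a small Python check a downloader can run to compare an installer's SHA256 against the hashes quoted in this post. The two digests and their labels are taken from the post above; the function names and the sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Hashes quoted in the thread: the copy hosted on alphacentauri2.info and the
# (older) copy scient found in his project folder.
KNOWN_BUILDS = {
    "35d259ba0bdf7a44595f970f1779c3770a97d10afe87ba4672638736acd45396":
        "site download (11/72 on VirusTotal)",
    "1a74ffb7801d8a0152a07a2a8363f04cf254ab497ce6fac37c4452c64169f922":
        "scient's older project-folder build (1/68 on VirusTotal)",
}


def sha256_bytes(data):
    """SHA256 hex digest of an in-memory blob (used by the test and demo)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verdict(digest, expected, known=KNOWN_BUILDS):
    """Classify a computed digest against the hash the author published.

    "ok"          - file matches the published hash
    "known-other" - file matches a different build listed in KNOWN_BUILDS
                    (e.g. an older revision), so the mismatch is explainable
    "unknown"     - matches nothing we know; investigate before running it
    """
    digest, expected = digest.lower(), expected.lower()
    if digest == expected:
        return "ok"
    if digest in known:
        return "known-other"
    return "unknown"


if __name__ == "__main__":
    # Constructed demo file: obviously not the real installer.
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sample, not the Scient 2.0 installer")
    site_hash = next(iter(KNOWN_BUILDS))
    print(path, sha256_file(path), verdict(sha256_file(path), site_hash))
    os.remove(path)
```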
Title: Re: Scient 2.0 EXE - Trojan Horse?
Post by: scient on February 06, 2019, 02:10:03 AM
So the copy I had in my project folder is an older revision by a few days. Oops. I likely lost that version at some point. There were just a few minor changes to some of the text files.

The copy uploaded here is the latest and 100% clean. I would recommend filing a false positive report here:
https://submit.symantec.com/false_positive/

Also, should have some news soonish about progress on my decompilation project. Been super busy with life/work but have had some free time recently.  :)
Title: Re: Scient 2.0 EXE - Trojan Horse?
Post by: DrazharLn on February 07, 2019, 11:10:25 AM
I built the installer from scient's source files.

I am 100% certain that I didn't deliberately add a virus ;) I'm glad that scient has been able to reproduce the build :)

Exciting to hear about new decompilation news!
Title: Re: Scient 2.0 EXE - Trojan Horse?
Post by: scient on February 08, 2019, 05:21:53 AM
> I built the installer from scient's source files.
>
> I am 100% certain that I didn't deliberately add a virus ;) I'm glad that scient has been able to reproduce the build :)
>
> Exciting to hear about new decompilation news!

That makes a lot more sense! I was confused why I didn't have a local copy in my project folder. :)

Title: Re: Scient 2.0 EXE - Trojan Horse?
Post by: BFG on February 08, 2019, 10:19:14 PM
Thanks for the confirmation!  I’ll submit it as a false positive like suggested.
Title: Re: Scient 2.0 EXE - Trojan Horse?
Post by: Induktio on February 08, 2019, 11:43:48 PM
It is very common for AV programs to flag packed executables as malware based on some heuristic. Somewhat annoying to have false positives, but then again, the vast majority of malware is obfuscated/packed in some way.

I would be very interested to see what kind of new results Scient has in store, but maybe better to post them in the Decompilation thread or something. :)
Title: Re: Scient 2.0 EXE - Trojan Horse?
Post by: BFG on February 11, 2019, 01:53:08 AM
I submitted the EXE as a false positive to Norton.