
Trojan:Script/Wacatac.B!ml in last update!!!


Brutok

Recommended Posts

2 minutes ago, Maxim Kammerer said:

One step after the other: First clarify if there actually is a Trojan Script in the update and, if yes, then ask for the reason. In other words: What makes you sure that this is not a false positive?

Absolutely nothing makes me sure that this is not a false positive because, like 99% of the people here, I am not a software engineer or hacker or whatever... I just think it's not normal to get a virus message when downloading the DU patch...

Link to comment
Share on other sites

11 hours ago, Maxim Kammerer said:

One step after the other: First clarify if there actually is a Trojan Script in the update and, if yes, then ask for the reason. In other words: What makes you sure that this is not a false positive?

I agree, I have seen this so many times where people get an alert and then scream "OMG VIRUS YOU ARE SELLING A VIRUS OMG". I have seen this happen for other games and software as well; people just don't think nowadays. They think that just because the anti-virus says it's a virus, then this must be true... they do 0 research on what it even means or what file the "virus" occurred in. I also use Windows Defender and I didn't get any alerts with the latest update.

Must be some Win11 thing, because Win11 itself is the WORST MASS SCALE SPYWARE ever made. Microsoft really outdid themselves with this spyware called Win11; they restrict and control, you don't even own your data anymore, they are in full control of all of your data, including passwords and encryption keys (if you use any).

 

But anyway, one of the first things I noticed when googling for this specific detection code is "It is a false positive. If you are distributing an unsigned executable then it will be flagged by Windows Defender." It costs about 100 - 1000 USD to get your software signed by Microsoft, but you must do this every time your .exe or .dll has been updated, so you can imagine why DU is probably not doing this. Although this is just speculation based on the alert.

What I DO know is that if they had an actual virus on Steam, then they'd get banned from Steam quite fast. I have seen some scams on Steam, where they make a basic 2D game and include some custom-made trojan in it that won't even get detected, but those still get removed very fast.

 

To further explain this situation, Windows Defender and a lot of other anti-viruses detect encrypted files that they can't fully scan as "riskware" based on their behaviour, but this doesn't make it a virus. For example, nowadays most game trainers are identified as trojans as well, because a game trainer needs to monitor your keypresses in order for hotkeys to work and then inject custom code into the game, which is also what a keylogger would do... and since most anti-virus companies can't be bothered examining files, they just leave false positives as they are. In fact, most anti-viruses nowadays are AI based; there's no human interaction at all, which is why false positives are a huge problem nowadays.

 

However, it could also be that you're on a compromised internet connection or that your PC has been compromised. Nowadays scammers and hackers don't just mess up your computer, they monitor and plant things for later use, so if your connection has been compromised (this can be done in many different ways, like injecting some rootkit into your router, editing the Windows hosts file, or intercepting and modifying packets on public Wi-Fi, etc.) then the attacker can modify files as you download them, so even if you're downloading from a legit source, such as Steam, the attacker can attach malware to the original file.

 

What you need to do is restore the file that your anti-virus detected, then first upload it to the VirusTotal online scanner (google it) and also compare it to the original file that you get from someone else. If you post the exact filename and location here, I can check this against my file. The first thing to check is the exact file size, the other thing to check is "date modified", and finally, to be 100% sure, use some online "checksum" tool to verify that the file is indeed exactly the same as on other people's computers.

 

So there's no need to panic and claim that there's a trojan in DU (or any other software), but it's always good to be cautious! This is why I always do my own research: if I get an alert, I won't launch the file, but I won't consider it a virus either. For example, I have heard of cases where someone in a trusted software company has some grudge against the CEO and does something stupid, like putting malware into their software. Just do your research and you'll be fine.

 

I suggest you get "Comodo Cleaning Essentials" and do a full scan on your PC; it's a free tool, google for it. But do not just remove everything it detects, because it can also give false positives; Comodo is trustworthy, though, and it has fewer false positives than most others. It's not a live monitoring tool, it's a virus scanner that scans all existing files on your PC.

 

Link to comment
Share on other sites

Uninstall and wait for a reaction from NQ on this forum. That's what we all should do.

Anything a regular antivirus detects in software is a reason to think twice about installing.

Even if this is safe, do I really want NQ to be able to do stuff or read stuff on my property?

Link to comment
Share on other sites

On 3/26/2023 at 3:41 AM, Sethioz said:

get your software signed by Microsoft

This is factually incorrect. Microsoft will never sign your software.

 

The procedure is to get a Code Signing Certificate from a trusted vendor, then use that to sign your own software. This will make Windows see that there's a valid certificate chain to a common trusted Certificate Authority. It will then show the blue prompt instead of the yellow one when launching the executable.

 

Even a virus creator can do this, though their certificate would (hopefully) be revoked pretty quick so Windows would once again show the yellow alert, or perhaps something else when it sees the certificate is revoked.

 

There's no cost to do the actual signing once you have the certificate.

 

And just to be clear on this point - a digital signature only establishes who signed it (i.e. put their stamp of approval on it), not that it is virus free.

Link to comment
Share on other sites
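Putting two of the posts above together (the advice to compare size, "date modified" and a checksum against someone else's copy, and this post's point that a signature only identifies the signer), here is an added PowerShell script. It is not from the thread, from NQ or from any of the posters. It reports the size, modification time and SHA-256 of the restored file, compares them to reference values, and then reads the file's Authenticode signature. The script name `Check-Update.ps1`, the parameter names, and the reference hash and size are assumptions; the reference values are whatever another player reports for their copy of the same file.

```powershell
<#
  Added example (not from the thread or from NQ). Run on the machine that raised the alert:
    .\Check-Update.ps1 -Path 'C:\path\to\restored\file' -ExpectedSha256 <hash from another player> -ExpectedLength <size in bytes>
  ExpectedSha256 and ExpectedLength are assumed to come from someone else's copy of the same file.
#>
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $ExpectedSha256 = '',   # optional: SHA-256 hex string another player posted (assumed)
    [long]   $ExpectedLength = -1    # optional: byte size another player posted (assumed)
)

$file = Get-Item -LiteralPath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

"File:     $($file.FullName)"
"Size:     $($file.Length) bytes"
"Modified: $($file.LastWriteTimeUtc.ToString('u')) (UTC)"
"SHA-256:  $hash"

# Size and SHA-256 are the comparisons that matter. "Date modified" is set by whatever
# wrote the file and can be changed at will, so treat it only as a hint.
if ($ExpectedLength -ge 0 -and $file.Length -ne $ExpectedLength) {
    Write-Warning "Size differs from the reference ($ExpectedLength bytes); the file is not the same bytes."
}
if ($ExpectedSha256) {
    if ($hash -eq $ExpectedSha256) {
        "SHA-256 matches the reference copy."
    } else {
        Write-Warning "SHA-256 differs from the reference; treat the file as modified and do not run it."
    }
}

# Authenticode applies to PE files (.exe, .dll, .msi, .sys) and signable scripts.
# A .zip carries no Authenticode signature, so an archive reports a non-Valid status
# (NotSigned or NotSupportedFileFormat) no matter who produced it.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
"Signature: $($sig.Status) - $($sig.StatusMessage)"
if ($sig.SignerCertificate) {
    "Signer:    $($sig.SignerCertificate.Subject)"
    "Issuer:    $($sig.SignerCertificate.Issuer)"
    "Valid:     $($sig.SignerCertificate.NotBefore.ToString('u')) to $($sig.SignerCertificate.NotAfter.ToString('u'))"
}
# Status 'Valid' means the certificate chain reaches a trusted root and the bytes have not
# changed since signing. It identifies who signed; it does not say the code is benign.
```

The SHA-256 the script prints can be pasted into VirusTotal's search box, which looks up a file by hash, so a file that other people already scanned does not need to be uploaded again. If the hash does not match the reference copy, the mismatch is the finding: the file on disk is not the file other players have, whatever the signature says.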

5 minutes ago, CptLoRes said:

So in short, yet another way that money exchange hands with the security cartel to ensure that "there is no accident" with your software.

 

Eh? How is code signing controversial...? 

 

It's absurdly simple and cheap -- something any developer that's written desktop software in the last decade and a half would be very familiar with. 

 

Generally, there's no reason to trust any unsigned executable; the only reason to trust unsigned software is if you've written it yourself or know the person that has. 

 

If you write commercial desktop software, it should be signed. The cost is immaterial. 

 

I've written commercial software that was signed and still flagged by VirusTotal et al., so it doesn't mean anything other than that there's some shred of accountability between the entity publishing the software and the consumer, since it's "signed" by the creator and therefore not merely some anonymous code.

 

Hardly foolproof, but there's a good reason why Microsoft et al. check for this. 

 

From a security perspective, as someone that has worked in software engineering for a very long time... this idea that you should do your own research case-by-case is not convincing to me. Don't play 'security researcher' unless you're trained and experienced in that field. The risk is far higher than any reward. 

 

Be paranoid -- there's very rarely any reason to trust unsigned software in general (if that's even what this flag comes from) and if Windows tells you something is a virus, that's something the developer needs to fix, not something you should decide to trust or not trust on your own.

 

People that think they are very security-savvy can easily be victims especially when they believe it's easy to figure out what is or isn't malicious on your own. Which...don't get me wrong, very often it is easy....but it's also very unwise to underestimate malware. 

Link to comment
Share on other sites

It's not just code signing. It is the sum of all those bits like signing, SSL, 2FA, TPM, DRM etc. etc. that adds up costing time and money and adding lots of complexity and points of failure.

 

And I am not saying I have a better solution, but it is strange that all those solutions somehow always end up costing money and causing some kind of vendor-type lock-in/walled garden scenario. Aka the security cartel..

Link to comment
Share on other sites

2 minutes ago, CptLoRes said:

It's not just code signing. It is the sum of all those bits like signing, SSL, TPM, DRM etc. etc. that adds up costing time and money and adding lots of complexity and points of failure.

 

And I am not saying I have a better solution, but it is strange that all those solutions somehow always end up costing money and causing some kind of vendor-type lock-in/walled garden scenario. Aka the security cartel..

 

Code signing isn't an example of this, though... it's absurdly cheap and there's a billion different vendors. It isn't that hard to swap vendors. 

 

Neither is TLS/SSL (which is also free and extremely easy nowadays via services like Let's Encrypt).

 

At least in my opinion, there are far greater examples of "walled gardens" (like AWS) that are far more complex, more vendor locked, and more problematic for consumers overall. 

 

These security concepts are very, very, very minor inconvenience to developers and a minuscule cost of doing business compared to any other facet of development like staff, hardware, or platforms.

 

Especially concepts like TLS/SSL -- it takes devs 10 minutes or less to install a free LE cert (assuming they even need to do this themselves, which is hardly typical) but it does give a lot of benefit to end users.

 

There's a reason it's standard practice and there's no reason any site without SSL should be trusted in 2023 considering how damn easy it is to install relative to the benefit! Either they are too lazy to care, or too incompetent to be trusted. 

 

Ultimately, a world without code signing or TLS/SSL would be a less secure place.

 

I'm not saying there's no such thing as scammy anti-virus BS or that every security feature is valid, but IMO this isn't an example of big tech walled gardens or other BS like that...these are just common sense standard security practices that are a tiny, tiny, tiny effort/cost, especially compared to many other more scammy concepts in tech.

Link to comment
Share on other sites

I think we both understand each other's point.

 

But take the SSL example. When anyone can generate a Let's Encrypt certificate and put any kind of site behind it, what security does the certificate actually add?

And again, don't get me wrong, I understand very well why those certificates are needed for commercial sites to verify the site and prevent scams, man-in-the-middle attacks etc., but what actual security is added by forcing everyone to use SSL on every site (even including internal ones, if you don't want the browser to complain)? There is nothing preventing you from putting a scam site behind an SSL certificate, so what justifies forcing the complexity on everyone?

Link to comment
Share on other sites

33 minutes ago, CptLoRes said:

When anyone can generate a Let's Encrypt certificate and put any kind of site behind it, what security does the certificate actually add?

 

It provides actual security by encrypting requests and replies. 

 

Without it, the communication between your browser and a server is sent in plain-text. A third party could easily intercept data being sent between client and server, and that can be very bad news.

 

There's a reason Google sounds so many alarms and doesn't want to auto-fill your credit card on a non-https site! As evil as they are, they aren't always wrong. 

 

So SSL/TLS does provide "actual" security. The web is far safer with every site being forced to use it (although not really "forced" since you can ignore Chrome's warnings). 

 

Even if you're feeding data to a scammer behind an HTTPS site, it's better that some third party isn't also intercepting and using that data. SSL/TLS is about the protocol, not the site or the content or the organization. No one clicks on that lock icon to verify the organization; that's one facet of security but not the most important one.  

 

That anyone can use it doesn't make it inherently "not useful" -- but again, in this case it's about protocol and not content. 

 

I think I took this thread wildly off topic to talk about security in general, so I do apologize to the OP!

 

TLDR is that cybersecurity is complicated and it's better to be paranoid and never underestimate malicious actors. 

Link to comment
Share on other sites

The error the OP posted has nothing to do with code signing (it's a zip file and you can't sign one of those) and everything to do with some malware detector or other detecting a trojan.  It might be a false positive, but if it were then you would expect others to have seen the same thing and as far as I can tell nobody else did.

So probably what happened is the OP has a trojan of some sort which modified the zip file and that then got detected by the malware scanner.  Or perhaps DU is coded badly and there was a man-in-the-middle attack.

Link to comment
Share on other sites

6 hours ago, CptLoRes said:

I think we both understand each others point.

 

But take the SSL example. When anyone can generate a Let's Encrypt certificate and put any kind of site behind it, what security does the certificate actually add?

And again, don't get me wrong, I understand very well why those certificates are needed for commercial sites to verify the site and prevent scams, man-in-the-middle attacks etc., but what actual security is added by forcing everyone to use SSL on every site (even including internal ones, if you don't want the browser to complain)? There is nothing preventing you from putting a scam site behind an SSL certificate, so what justifies forcing the complexity on everyone?

The SSL part just proves who you're talking to.  If you have no idea who you're talking to then yes, any SSL certificate will do.  But even then a scammer who hacks the proxy you're using /controls the wifi hotspot/whatever can't pretend to be the website you're visiting and serve you up malware.  You actually have to visit a site that the bad actor controls (Let's Encrypt does do some validation and will not just hand out a certificate for a site you don't control).  So I can put a site behind SSL using lets encrypt, but not a site called dualuniverse.com.

For something like DU, that means that the download comes from their URL and the certificate has to point to their URL.  If a bad actor tries to redirect the download to somewhere bad and the download does proper endpoint verification then that won't work.

Link to comment
Share on other sites

On 3/28/2023 at 12:29 PM, Aaron Cain said:

So in short, OP has a point to ask this question and wonder about digital safety.

But most likely their PC was compromised by something completely different and this is just a symptom.

Link to comment
Share on other sites

https://opalsec.substack.com/p/the-defenders-guide-to-the-3cx-supply?sd=pf

 

3CX also stated it was a false positive. With all due respect to Deckard and team... that doesn't settle it; if anything, admitting to multiple instances of it happening with YOUR product could be a sign that there is an issue.

 

 

23 hours ago, NQ-Deckard said:

To clear this up, we had two reports of this occurring in a specific update where a version was skipped (IE: You updated from 1.3.3 to 1.3.5).

All our investigations indicate it's a false positive picked up by a scan.

 

NQ left reported exploits that I sent in working for weeks/months; I doubt your security professionals are any better than 3CX's. 

 

On top of that, emails/account info were extracted via the now defunct community site... emails that were not supposed to be publicly available. 

 

Or the reports/early issues with security around Lua and remote code execution....

 

I urge you to take a closer look. Or don't... ignorance is bliss. 

Link to comment
Share on other sites
