Author Topic: Scient 2.0 EXE - Trojan Horse?  (Read 384 times)


Offline BFG

Scient 2.0 EXE - Trojan Horse?
« on: February 05, 2019, 03:29:37 AM »
    I don't want to raise any false alarms here, so I'm asking the community.

    Every time I download the Scient 2.0 EXE from this site, Norton warns me that it is infected with a Trojan called Cridex.  Is anyone else getting that warning?  False positive or legit?

    Mods - please feel free to delete this thread if it's determined to be safe.

    Online Buster's Uncle

    Re: Scient 2.0 EXE - Trojan Horse?
    « Reply #1 on: February 05, 2019, 03:48:49 AM »
    PM scient - he checked by a few days ago, but might miss this...

    One of you be sure to update the rest of us, please...

    Offline BFG

    Re: Scient 2.0 EXE - Trojan Horse?
    « Reply #2 on: February 06, 2019, 12:17:04 AM »
    Good idea.  PM'ing.

    Offline scient

    Re: Scient 2.0 EXE - Trojan Horse?
    « Reply #3 on: February 06, 2019, 01:18:08 AM »
    Thanks for the heads up, BFG. I'm kind of surprised no one else noticed this. VirusTotal results only show a few AV vendors (11/72) are flagging it.

    VirusTotal:
    https://www.virustotal.com/#/file/35d259ba0bdf7a44595f970f1779c3770a97d10afe87ba4672638736acd45396/detection

    I think it is a false positive because I am using a free installer, NSIS. However, the hash doesn't match the original copy I have in my project folder.

    http://alphacentauri2.info/index.php?action=downloads;sa=view;down=364
    SHA256: 35d259ba0bdf7a44595f970f1779c3770a97d10afe87ba4672638736acd45396

    My original SHA256: 1a74ffb7801d8a0152a07a2a8363f04cf254ab497ce6fac37c4452c64169f922
    VirusTotal for original (1/68; one crappy AV vendor): https://www.virustotal.com/#/file/1a74ffb7801d8a0152a07a2a8363f04cf254ab497ce6fac37c4452c64169f922/detection

    It could be I updated the installer with some minor changes after sending a copy to be uploaded here. However, for completeness' sake I uploaded the binary to WildFire. The report shows nothing alarming with the server-side one. So that brings me back to my original suspicion that Symantec is mistakenly flagging the NSIS installer as that trojan.

    I'm going to see if I can figure out what changes I made between server copy and one I have in my project folder.
    « Last Edit: February 06, 2019, 01:27:15 PM by scient »

    Offline scient

    Re: Scient 2.0 EXE - Trojan Horse?
    « Reply #4 on: February 06, 2019, 02:10:03 AM »
    So the copy I had in my project folder is an older revision by a few days. Oops. I likely lost that version at some point. There were just a few minor changes to some of the text files.

    The copy uploaded here is latest and 100% clean. I would recommend filing a false positive report here:
    https://submit.symantec.com/false_positive/

    Also, should have some news soonish about progress on my decompilation project. Been super busy with life/work but have had some free time recently.  :)

    Offline DrazharLn

    Re: Scient 2.0 EXE - Trojan Horse?
    « Reply #5 on: February 07, 2019, 11:10:25 AM »
    I built the installer from scient's source files.

    I am 100% certain that I didn't deliberately add a virus ;) I'm glad that scient has been able to reproduce the build :)

    Exciting to hear about new decompilation news!

    Offline scient

    Re: Scient 2.0 EXE - Trojan Horse?
    « Reply #6 on: February 08, 2019, 05:21:53 AM »
    Quote from: DrazharLn on February 07, 2019, 11:10:25 AM
        I built the installer from scient's source files.

        I am 100% certain that I didn't deliberately add a virus ;) I'm glad that scient has been able to reproduce the build :)

        Exciting to hear about new decompilation news!

    That makes a lot more sense! I was confused why I didn't have a local copy in my project folder. :)


    Offline BFG

    Re: Scient 2.0 EXE - Trojan Horse?
    « Reply #7 on: February 08, 2019, 10:19:14 PM »
    Thanks for the confirmation!  I'll submit it as a false positive like suggested.

    Offline Induktio

    Re: Scient 2.0 EXE - Trojan Horse?
    « Reply #8 on: February 08, 2019, 11:43:48 PM »
    It is very common for AV programs to flag packed executables as malware based on some heuristic. Somewhat annoying to have false positives, but then again, the vast majority of malware is obfuscated/packed in some way.

    I would be very interested to see what kind of new results Scient has in store, but maybe better to post them in the Decompilation thread or something. :)
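    The checks scient walked through above (compare the download's SHA-256 with the hash the author published, then weigh how many VirusTotal engines flag it) and Induktio's point that installer packers such as NSIS trip AV heuristics, as an added example that is not code from this thread or from the Scient patch. Only the two SHA-256 values come from the thread; the sample bytes, the 25% consensus threshold and the NSIS first-header marker check are this example's own assumptions.

```python
"""Integrity and triage checks for a downloaded installer.

Constructed example: the two SHA-256 strings are the ones quoted in the
thread; the sample file bytes and the consensus threshold are made up here.
"""
import hashlib
import hmac
import re

# Hashes quoted in the thread: the copy hosted on the site vs scient's local copy.
PUBLISHED_SHA256 = "35d259ba0bdf7a44595f970f1779c3770a97d10afe87ba4672638736acd45396"
LOCAL_SHA256 = "1a74ffb7801d8a0152a07a2a8363f04cf254ab497ce6fac37c4452c64169f922"

# NSIS "first header" signature: 0xDEADBEEF little-endian followed by "NullsoftInst".
NSIS_MARKER = b"\xef\xbe\xad\xde" + b"NullsoftInst"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_published(data: bytes, expected_hex: str) -> bool:
    """Compare the computed digest with the published one without early exit."""
    return hmac.compare_digest(sha256_of(data), expected_hex.lower())


def is_nsis_installer(data: bytes) -> bool:
    """True when the NSIS first-header marker appears anywhere in the file."""
    return NSIS_MARKER in data


def triage_ratio(ratio: str, consensus: float = 0.25) -> str:
    """Classify a 'flagged/total' string such as '11/72' (threshold is an assumption)."""
    m = re.fullmatch(r"\s*(\d+)\s*/\s*(\d+)\s*", ratio)
    if not m or int(m.group(2)) == 0:
        raise ValueError(f"bad ratio: {ratio!r}")
    flagged, total = int(m.group(1)), int(m.group(2))
    if flagged == 0:
        return "clean"
    if flagged / total < consensus:
        return "likely false positive: verify hash and submit to vendor"
    return "treat as malicious until proven otherwise"


# Constructed stand-in for a download: a fake PE stub with an NSIS marker appended.
SAMPLE_FILE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 16 + NSIS_MARKER + b"\x00" * 8

if __name__ == "__main__":
    print(sha256_of(SAMPLE_FILE), matches_published(SAMPLE_FILE, PUBLISHED_SHA256))
    print(is_nsis_installer(SAMPLE_FILE), triage_ratio("11/72"), triage_ratio("1/68"))
```

    Replace SAMPLE_FILE with the bytes of the real download (open(path, "rb").read()) to reproduce the hash comparison from the thread.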

    Offline BFG

    Re: Scient 2.0 EXE - Trojan Horse?
    « Reply #9 on: February 11, 2019, 01:53:08 AM »
    I submitted the EXE as a false positive to Norton.
