
[amibroker] Re: emailer.exe file in AB directory.Kaspersky found backdoor.win32.RAdmin.bp trojan


  • Date: Sun, 21 Mar 2010 19:28:48 -0000
  • From: "progster01" <progster@xxxxxxxxxxxxxxxxxx>
  • Subject: [amibroker] Re: emailer.exe file in AB directory.Kaspersky found backdoor.win32.RAdmin.bp trojan

Excellent info.  Thanks very much!

--- In amibroker@xxxxxxxxxxxxxxx, Tomasz Janeczko <groups@xxx> wrote:
>
> Hello,
> 
> With regards to integrity, official setup files such as this:
> http://www.amibroker.com/bin/AmiBroker520.exe
> 
> are digitally signed / certified with Microsoft Authenticode, which 
> guarantees the
> source (AmiBroker.com) and the integrity of the file and its contents.
> When you click with RIGHT mouse button over setup file and choose
> "Properties" you will see "Digital Signature" tab.
> See: http://msdn.microsoft.com/en-us/library/ms537364(VS.85).aspx
> 
> We do not sign individual files inside setup because
> a) when full setup is signed, it means that all files inside are genuine 
> too and integrity is maintained
> b) signing each file makes it slower to load
> 
> It is not possible to modify a digitally signed file without invalidating 
> the signature.
> 
> With regards to emailer.exe, it is a program that sends the e-mail alerts that 
> you define (via the AlertIf function).
> 
> BTW: I have notified Kaspersky about their false positive and I received 
> the reply
> "Sorry, it was a false detection."
> How ridiculous is that? I really think that AV companies producing 
> false positives
> should be made financially/legally responsible for creating such a mess.
> 
> Best regards,
> Tomasz Janeczko
> amibroker.com
> 
> On 2010-03-21 13:57, progster01 wrote:
> > The many testimonies at the link to the Nirsoft blog surely indicate a widespread problem with false positive reports, in general.  I think it's a good link to read, and the AV companies should be doing a better job here, no question.
> >
> > In specific though, how are we as users supposed to know that emailer.exe (in this case) is not infected/corrupted/tampered-with?
> >
> > What does this file do?   (I don't know)
> > What is its correct size and checksum?  (I don't know)
> > What about it causes it to be flagged as dangerous?  (etc.)
> >
> > The fact of malicious attacks against AmiBroker.com has been mentioned before on this list.  How is a user supposed to know that an attack has not taken place, and resulted in a corrupted distro?
> >
> > I know at least one other TA platform vendor that provides MD5 checksums for their distro files.  When the distro matches the checksum, this makes me feel much more secure that it has not been tampered with.
> >
> > Could even that assurance be rendered false by a sufficiently determined criminal?   Probably, but if both the file and the checksum were tampered with, it should at least be possible to compare with completely offline records maintained by the developer to determine that this had taken place.
> >
> > Could a file be corrupted and made to have the same size and checksum?  I'll leave that question to those more expert than I.  Even if so though, it's surely a much higher bar to clear.
> >
> > As a thought experiment - assume that a criminal organization has targeted and corrupted an AB distro to make it into malware (of some sort).  Assume further that that corrupted file is on the AB server(s) and being downloaded by customers.
> >
> > How are we supposed to know it?  What should make us suspicious?  If suspicion is raised, how is corruption to be confirmed or refuted?
> >
> > These are questions I personally do not have a good answer for.  I only know that AV programs are an important line of defense.  They make me aware of things (rightly or wrongly) that I do not have the particular psychic ability to be otherwise aware of.
> >
> > Being simply told to ignore them, with no further explanation or evidence, is not very reassuring.
> >
> >
> > --- In amibroker@xxxxxxxxxxxxxxx, Tomasz Janeczko<groups@>  wrote:
> >> Hello,
> >>
> >> That is a FALSE positive. You should report it to the anti-virus vendor that
> >> they have a bug in their program.
> >>
> >> You should probably read this:
> >> http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/
> >>
> >>
> >> Best regards,
> >> Tomasz Janeczko
> >> amibroker.com
> >>
> >> On 2010-03-20 21:53, gsmservplus wrote:
> >>> emailer.exe file in AB directory.Kaspersky found backdoor.win32.RAdmin.bp trojan, criticality High
> >>> ??????????????????????????????????????????????
> >>>
> >>> is it fake or is it really something wrong?
> >>>
>
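The two checks discussed in this thread (the Authenticode signature on the setup file, and an out-of-band checksum comparison) can be scripted so that a user does not have to rely on the Properties dialog alone. The following is an added example for this archive page, not code from the thread or from AmiBroker; the download path, the expected signer name, the expected SHA-256 value and the install directory are placeholders, and Get-AuthenticodeSignature / Get-FileHash are standard PowerShell cmdlets.

```powershell
# Added example, not part of the original thread or the AmiBroker product.
# Verifies a downloaded setup file two independent ways:
#   1. Authenticode signature (covers the whole setup, so any modification
#      shows up as a non-Valid status instead of 'Valid').
#   2. SHA-256 compared with a value obtained from the vendor out of band
#      (web page, support e-mail, or an offline record), which is the
#      checksum-style assurance asked about in the thread.
# All values marked PLACEHOLDER are assumptions for illustration only.

function Test-DownloadIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Text expected in the signer certificate subject (vendor name) - placeholder
        [string] $ExpectedSigner = 'PLACEHOLDER-VENDOR-NAME',
        # SHA-256 published by the vendor on an independent channel - placeholder
        [string] $ExpectedSha256 = 'PLACEHOLDER-SHA256-FROM-VENDOR'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING'; SignatureStatus = ''; Signer = ''; Sha256 = '' }
    }

    # Signature check: Status is 'Valid' only if the file is signed by a trusted
    # chain and unmodified; 'NotSigned' / 'HashMismatch' are the usual failures.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $signerOk = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")

    # Hash check: independent of the certificate chain, so it still catches a
    # swapped file even if the signature verification is somehow bypassed.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = $actual -eq $ExpectedSha256.ToUpperInvariant()

    $verdict = if ($signerOk -and $hashOk) { 'OK' }
               elseif ($sig.Status -eq 'NotSigned') { 'UNSIGNED' }
               elseif (-not $signerOk) { 'BAD-SIGNATURE' }
               else { 'HASH-MISMATCH' }

    [pscustomobject]@{
        Path            = $Path
        Verdict         = $verdict
        SignatureStatus = $sig.Status
        Signer          = $signer
        Sha256          = $actual
    }
}

# Usage (placeholders): the full setup should come back 'OK' once the real
# signer name and published hash are filled in. Per the thread, individual
# files inside the install directory such as emailer.exe are not signed, so
# 'UNSIGNED' there is the expected state, not evidence of tampering; the
# assurance for those files comes from the signed setup they were extracted from.
$abInstallDir = 'PLACEHOLDER-AB-INSTALL-DIR'
Test-DownloadIntegrity -Path "$env:USERPROFILE\Downloads\AmiBroker520.exe" | Format-List
Test-DownloadIntegrity -Path (Join-Path $abInstallDir 'emailer.exe') | Format-List
```

The verdict distinguishes an unsigned file from a file whose signature has been invalidated, because the thread makes the point that only the setup is signed: a user comparing the two results sees that an unsigned helper inside the install directory is consistent with what the vendor states, whereas 'BAD-SIGNATURE' or 'HASH-MISMATCH' on the setup itself is the case that warrants contacting the vendor before running it.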




------------------------------------

**** IMPORTANT PLEASE READ ****
This group is for the discussion between users only.
This is *NOT* technical support channel.

TO GET TECHNICAL SUPPORT send an e-mail directly to 
SUPPORT {at} amibroker.com

TO SUBMIT SUGGESTIONS please use FEEDBACK CENTER at
http://www.amibroker.com/feedback/
(submissions sent via other channels won't be considered)

For NEW RELEASE ANNOUNCEMENTS and other news always check DEVLOG:
http://www.amibroker.com/devlog/

Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/amibroker/

<*> Your email settings:
    Individual Email | Traditional

<*> To change settings online go to:
    http://groups.yahoo.com/group/amibroker/join
    (Yahoo! ID required)

<*> To change settings via email:
    amibroker-digest@xxxxxxxxxxxxxxx 
    amibroker-fullfeatured@xxxxxxxxxxxxxxx

<*> To unsubscribe from this group, send an email to:
    amibroker-unsubscribe@xxxxxxxxxxxxxxx

<*> Your use of Yahoo! Groups is subject to:
    http://docs.yahoo.com/info/terms/