Author Topic: Rigol - VIRUS on Ultrapower software for DP800!!  (Read 5127 times)


Offline ADC-1995

  • Regular Contributor
  • *
  • Posts: 52
  • Country: us
Rigol - VIRUS on Ultrapower software for DP800!!
« on: January 22, 2016, 06:26:20 AM »
I was performing computer maintenance and usually find manufacturer sites safe to download from. I was trying to locate any files for my newly purchased DP832 and behold, the Worm.Palevo was embedded in a zip file from Rigol's download site. The Worm.Palevo uses applications I don't have on my computer. Additionally, it uses vulnerabilities of pre-Win7 OS to propagate. I am running Win7, which may have somewhat limited its reach.

Additionally, I downloaded the file once more to verify and it is there. BEWARE!!
« Last Edit: January 23, 2016, 07:25:54 AM by ADC-1995 »
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 2584
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #1 on: January 22, 2016, 07:18:13 AM »
The url doesn't make sense.
Code:
/acton/attachment/1579/f-0081/0/-/-/-/-/file.zip
But... either it is a brand new exploit, or trend micro is just oversensitive.
The zip file dates to 2014-07-25.
https://www.virustotal.com/nl/file/362506b281c84feb6458f3b80cbf7640a343179d7acda0620c81c2e549b6e5ad/analysis/1453407257/
And unzipped:
https://www.virustotal.com/nl/file/05ef9234bc7967a791e31d7f3c62bdc47966c2da32949411d257330db1159c42/analysis/1453407592/
« Last Edit: January 22, 2016, 07:22:44 AM by Jeroen3 »
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 5117
  • Country: gb
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #2 on: January 22, 2016, 07:42:54 AM »
It must be a virus, the program told me so!
 

Offline wraper

  • Supporter
  • ****
  • Posts: 6403
  • Country: lv
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #3 on: January 22, 2016, 07:50:13 AM »
It must be a virus, the program told me so!
Exactly, there are tons of posters on the file sharing/downloading sites, especially torrent trackers, who yell about a virus. Yet they almost always fail to double check if the file is really infected or their antivirus is just acting up.
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7805
  • Country: us
  • adieu
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #4 on: January 22, 2016, 08:15:38 AM »
Did you seriously cover up "Users" in "C:\Users" in the first screenshot? WTF dude?
No longer active here - try the IRC channel if you just can't be without me :)
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2281
  • Country: gb
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #5 on: January 22, 2016, 08:43:18 AM »
I have never tried Ultrapower, but Ultrasensor for the DM3058 is guaranteed to brick your meter if you aren't careful. Three easy steps, but nobody's interested, especially Rigol.

Unfortunately Rigol treat me like some kind of annoying leper rather than fix such simple things in their firmware. I reported how the DM3058 is utterly useless in AGILENT SCPI mode over a year ago and absolutely nothing has been done. It is the most obvious bug imaginable, could be fixed in 10 minutes, but nope...  :palm:

Yes, I wouldn't be in the least surprised if there really is a virus in Ultrapower rather than just a false positive. Rigol's PC software is utter shit. FACT  :palm:
 

Offline T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 9334
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #6 on: January 22, 2016, 08:48:54 AM »
What is this cropping, 3800 pixels of white just for a teeny text window?  :wtf:
Seven Transistor Labs, LLC
Electronic Design, from Concept to Layout.
Need engineering assistance? Drop me a message!
 

Offline ADC-1995

  • Regular Contributor
  • *
  • Posts: 52
  • Country: us
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #7 on: January 22, 2016, 09:04:56 AM »
The url doesn't make sense.
Code:
/acton/attachment/1579/f-0081/0/-/-/-/-/file.zip
But... either it is a brand new exploit, or trend micro is just oversensitive.
The zip file dates to 2014-07-25.
https://www.virustotal.com/nl/file/362506b281c84feb6458f3b80cbf7640a343179d7acda0620c81c2e549b6e5ad/analysis/1453407257/
And unzipped:
https://www.virustotal.com/nl/file/05ef9234bc7967a791e31d7f3c62bdc47966c2da32949411d257330db1159c42/analysis/1453407592/

Agreed it doesn't make sense, but that is Rigol's site for downloads. As for the software being 'sensitive', MalwareBytes works effectively. Very rare false positives. However, I did run it across another anti-malware program and it clears without any issue. But that doesn't always mean it's correct, as the anti-malware suites are always ahead and behind as they try to stay at the top.

Did you by chance try it with your anti-malware to determine if it was flagged?

It must be a virus, the program told me so!

Not even sure how to respond.... I am trying to make people aware of a potential threat.

Did you seriously cover up "Users" in "C:\Users" in the first screenshot? WTF dude?

Never reveal anything!  :)
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 5117
  • Country: gb
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #8 on: January 22, 2016, 09:06:43 AM »
It must be a virus, the program told me so!

Not even sure how to respond.... I am trying to make people aware of a potential threat.

It smells of false positive.

It's possible the file is really infected, of course.. but it's an old, old worm, and nothing else is detecting it. A couple of very, very generic heuristic hits, which pretty much pins it as a false positive.
« Last Edit: January 22, 2016, 09:12:58 AM by Monkeh »
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 5231
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #9 on: January 22, 2016, 05:05:19 PM »
I took a brief glance at the file and I can definitely understand why some AV is thinking it is suspicious -- embedded in the middle of the installer .exe is what appears to be another .exe which has been obfuscated by XOR'ing each byte with the value 7 (suspicious point 1)[1]; I tried extracting and unobfuscating it but it seems not the whole file is actually obfuscated, although from what I could see of the header it's been packed with UPX (suspicious point 2). I didn't go deep enough to figure out where the XOR'ing obfuscation actually ends, so I couldn't unpack that one and explore further, but this would be enough for me to think it's trying to hide something.

[1] I observed the interesting phrase "Sont'wuh`ufj'dfiihs'eb'uri'ni'CHT'jhcb", which is actually the usual "This program cannot be run in DOS mode" message near the beginning of .exe files but with each byte XOR'd with 7. Googling this message brings up a discussion in Czech that mentions AV detection, so perhaps that's what is triggering it.

(And now everyone with web-AV that triggers on this phrase will get a funny message when they visit this thread...)
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 2584
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #10 on: January 22, 2016, 05:52:02 PM »
Also remember that with free antivirus you are the product and that includes being the site for any new database releases and algorithm updates.
 

Offline wraper

  • Supporter
  • ****
  • Posts: 6403
  • Country: lv
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #11 on: January 23, 2016, 12:37:31 AM »
Did you by chance try it with your anti-malware to determine if it was flagged?
Did you even bother to read with which antiviruses/antimalware that file was checked on Virustotal? Malwarebytes is one of them. Rather stupid to install many antimalware programs on the computer while you can just upload the file and check with 50+ of them at once.
 

Offline AlxDroidDev

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: br
    • Arduino Web Brasil
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #12 on: January 23, 2016, 04:55:55 AM »
I took a brief glance at the file and I can definitely understand why some AV is thinking it is suspicious -- embedded in the middle of the installer .exe is what appears to be another .exe which has been obfuscated by XOR'ing each byte with the value 7 (suspicious point 1)[1]; I tried extracting and unobfuscating it but it seems not the whole file is actually obfuscated, although from what I could see of the header it's been packed with UPX (suspicious point 2). I didn't go deep enough to figure out where the XOR'ing obfuscation actually ends, so I couldn't unpack that one and explore further, but this would be enough for me to think it's trying to hide something.

Like you stated, it really looks like it's been packed, but I can't state it's UPX or something else. Many EXE packers do this, and although it isn't harmful at all, it does trigger some anti-virus (false positive).

They work by compressing and/or obfuscating the original EXE and then injecting an on-the-fly decompressor into the resulting EXE. When the resulting EXE is run, the runtime decompressor loads first and then takes care of decompressing and loading the original code. As you can see, injecting lots of executable code in memory at runtime looks a lot like virus activity - and the code to do that is the same as many virii, but in this case it is legitimate and harmless.

In the past days of dial-up internet, when bandwidth was limited, HDDs were very expensive, and floppy disks were popular, I used UPX and ASPack a lot to distribute software I wrote. The intention was just to make the EXE smaller. Nowadays it's also used to protect IP and prevent debugging, cracking and reverse engineering. I am sure that is the case. I'd rather give Rigol the benefit of the doubt and ask them directly if this is a false positive triggered by a runtime packer. If my suspicion is confirmed, it'd be smart of them to have a note on their site that some of their files do trigger some anti-virus because of runtime packers that are used to protect their IP.
« Last Edit: January 23, 2016, 05:07:18 AM by AlxDroidDev »
"The nice thing about standards is that you have so many to choose from." (Andrew S. Tanenbaum)
 

Offline rich

  • Regular Contributor
  • *
  • Posts: 248
  • Country: gb
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #13 on: January 23, 2016, 05:01:01 AM »
Might be worth reporting to malware bytes as a (possible) false positive too?
 

Offline ADC-1995

  • Regular Contributor
  • *
  • Posts: 52
  • Country: us
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #14 on: January 23, 2016, 08:00:57 AM »
It must be a virus, the program told me so!
Exactly, there are tons of posters on the file sharing/downloading sites, especially torrent trackers, who yell about a virus. Yet they almost always fail to double check if the file is really infected or their antivirus is just acting up.

Yelling wasn't what I was after but now observing the title a bit more it looks that way.

Did you seriously cover up "Users" in "C:\Users" in the first screenshot? WTF dude?

Adjusted for your viewing pleasure (new pics). My 3-monitor system sometimes stretches projects further than I would like, hence all the blank space.


I took a brief glance at the file and I can definitely understand why some AV is thinking it is suspicious -- embedded in the middle of the installer .exe is what appears to be another .exe which has been obfuscated by XOR'ing each byte with the value 7 (suspicious point 1)[1]; I tried extracting and unobfuscating it but it seems not the whole file is actually obfuscated, although from what I could see of the header it's been packed with UPX (suspicious point 2). I didn't go deep enough to figure out where the XOR'ing obfuscation actually ends, so I couldn't unpack that one and explore further, but this would be enough for me to think it's trying to hide something.

[1] I observed the interesting phrase "Sont'wuh`ufj'dfiihs'eb'uri'ni'CHT'jhcb", which is actually the usual "This program cannot be run in DOS mode" message near the beginning of .exe files but with each byte XOR'd with 7. Googling this message brings up a discussion in Czech that mentions AV detection, so perhaps that's what is triggering it.

(And now everyone with web-AV that triggers on this phrase will get a funny message when they visit this thread...)

Thanks for taking a look.

Did you by chance try it with your anti-malware to determine if it was flagged?
Did you even bother to read with which antiviruses/antimalware that file was checked on Virustotal? Malwarebytes is one of them. Rather stupid to install many antimalware programs on the computer while you can just upload the file and check with 50+ of them at once.

Google's VirusTotal is a good tool, but not a fix-all. Malicious hacking groups also use it to test against their code. 'Stupid' to install two anti-malware? Sorry, no it's not; it is if you run them at the same time. Below is a review regarding VirusTotal.
http://www.engadget.com/2014/09/02/google-virustotal-used-to-test-hacks/

Thanks to the contributors here and reviewing the issue. I reached out to Rigol and explained the scenario and have their IT group look into the file. They were appreciative and said they run their site against TWO anti-malware programs to review their software and they will try to identify the issue.
 

Offline karoru

  • Regular Contributor
  • *
  • Posts: 195
  • Country: pl
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #15 on: January 23, 2016, 08:32:50 AM »
Modern antivirus software will report nearly any packed executable as a virus. Which is funny, considering I've never seen a real computer virus packed with UPX (or so) since 2001 or so. Modern malicious software isn't packed, doesn't infect files, just installs toolbars, modifies the registry and adds a perfectly legitimate botnet in your autorun. But the main thing modern antiviruses do is mark your program made in Turbo Pascal that calculates prime numbers as malicious (really, Avast, come on) ;)
 

Offline wraper

  • Supporter
  • ****
  • Posts: 6403
  • Country: lv
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #16 on: January 23, 2016, 09:27:34 AM »
Google's VirusTotal is a good tool, but not a fix-all. Malicious hacking groups also use it to test against their code. 'Stupid' to install two anti-malware? Sorry, no it's not; it is if you run them at the same time. Below is a review regarding VirusTotal.
http://www.engadget.com/2014/09/02/google-virustotal-used-to-test-hacks/
Do you understand what virustotal is? Your file is tested with 55 antivirus/antimalware programs. So installing the same antivirus/antimalware on your computer is unlikely to detect something malicious that virustotal doesn't.
Yes it's handy for criminals too because they don't need "to install two anti-malware".
From your link: "upload a file and dozens of antivirus tools will check to see if it's malicious."
« Last Edit: January 23, 2016, 09:32:37 AM by wraper »
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 5231
Re: Rigol - VIRUS on Ultrapower software for DP800!!
« Reply #17 on: January 24, 2016, 02:56:05 AM »
Like you stated, it really looks like it's been packed, but I can't state it's UPX or something else. Many EXE packers do this, and although it isn't harmful at all, it does trigger some anti-virus (false positive).
I unobfuscated enough to see the header and the section names "UPX0", as well as the entry point (which doesn't seem to be obfuscated, so I had to XOR with 7 again) matches with that of UPX.
In the past days of dial-up internet, when bandwidth was limited, HDDs were very expensive, and floppy disks were popular, I used UPX and ASPack a lot to distribute software I wrote. The intention was just to make the EXE smaller. Nowadays it's also used to protect IP and prevent debugging, cracking and reverse engineering. I am sure that is the case. I'd rather give Rigol the benefit of the doubt and ask them directly if this is a false positive triggered by a runtime packer. If my suspicion is confirmed, it'd be smart of them to have a note on their site that some of their files do trigger some anti-virus because of runtime packers that are used to protect their IP.
I don't know if Rigol themselves would say anything since it could be their software has been infected and they don't know... UPX by itself isn't suspicious and easy to unpack, it's that XOR-7 obfuscation that worries me (and probably the AV.) If I really had to use this I'd get a VM and try to unpack it there first.
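The two things amyk pulled out of the installer (the "This program cannot be run in DOS mode" string XOR'd with 7 in reply #9, and the "UPX0" section name behind that same XOR here) can be checked mechanically rather than by eye. The Python below is an added example, not amyk's tooling and not anything from Rigol: it searches a buffer for the DOS stub under every single-byte XOR key, and for each obfuscated hit de-XORs the tail and looks for a UPX section name. The sample image it scans is constructed inline; the function names are mine.

```python
# Added example (not amyk's or Rigol's code): scan a buffer for a PE "DOS stub"
# string hidden under a single-byte XOR key, then check whether the de-XORed
# region carries a UPX section name. The sample bytes are constructed here.
DOS_STUB = b"This program cannot be run in DOS mode"
UPX_SECTION = b"UPX0"

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (key 7 is the obfuscation seen in the thread)."""
    return bytes(b ^ key for b in data)

def find_xored_stub(data: bytes):
    """Return sorted (offset, key) pairs where DOS_STUB occurs XOR'd with any of the
    256 single-byte keys. Key 0 is the host executable's own clear-text header."""
    hits = []
    for key in range(256):
        needle = xor_bytes(DOS_STUB, key)
        idx = data.find(needle)
        while idx != -1:
            hits.append((idx, key))
            idx = data.find(needle, idx + 1)
    return sorted(hits)

def looks_upx_packed(data: bytes, offset: int, key: int) -> bool:
    """De-XOR the buffer from `offset` onward and look for the 'UPX0' section name."""
    return UPX_SECTION in xor_bytes(data[offset:], key)

def scan(data: bytes):
    """Report each embedded, XOR-obfuscated stub (key != 0) and whether it looks UPX-packed."""
    return [
        {"offset": off, "key": key, "upx": looks_upx_packed(data, off, key)}
        for off, key in find_xored_stub(data)
        if key != 0
    ]

def build_sample() -> bytes:
    """Constructed test image: a clear outer PE stub, filler, then an inner PE image
    (stub + PE signature + a UPX0 section name) with every byte XOR'd with 7."""
    inner = (b"MZ" + b"\x90" * 60 + DOS_STUB + b"\r\r\n$" + b"\x00" * 40
             + b"PE\x00\x00" + b"\x00" * 200 + UPX_SECTION + b"\x00" * 36)
    return (b"MZ" + b"\x90" * 60 + DOS_STUB + b"\r\r\n$" + b"A" * 300
            + xor_bytes(inner, 7) + b"\x00" * 16)

if __name__ == "__main__":
    for hit in scan(build_sample()):
        print(f"obfuscated stub at 0x{hit['offset']:x}, XOR key {hit['key']}, UPX: {hit['upx']}")
```

A hit with a non-zero key is only a reason to look closer (as amyk says, in a VM), not proof of malice: a clear-text stub at offset 62 is what every normal PE shows.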
 

