Malware in BitTorrent Sync.exe detecting by Kaspersky Internet Security

[vitz1]

Hi,

Strangely enough Kaspersky Internet Security Software started to detect a Trojan in BitTorrent Sync.exe file I have downloaded a month ago and have been keeping it for a month on my PC (http://bit.ly/14nlvx6). The same is for new BitTorrent Sync.exe release. Is the issue known, what can it be and how to fix it?

Thanks.

[GreatMarko]

Looks like you may have an existing infection in your machine, unrelated to BitTorrent Sync.

Whilst I can't find specific details for the ".diwl" variant of "Trojan-Ransom.Win32.Foreign", for all other "Trajan-Ransom.Win32.Foreign" threats; "This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites." (Source)

Therefore, this infection has not been caused by BitTorrent Sync itself!

UPDATE: Ignore the above, and please see my subsequent post

[btrg]

I can attest to this as the downloaded file is indeed harboring the trojan.

I have got a new laptop(3 days old), and was looking to replicate the setup I have in my other computer, so I proceeded to download and install BTSync(yesterday) and Kaspersky Internet Security(v13.0.1.4190) gave me a warning that BTSync.exe contains Trojan-Ransom.Win32.Foreign.diwl at "Program Files\Bittorrent Sync\BTSync.exe//UPX

I uninstalled and performed a thorough scan and restarted.

Scanned again, and the system was clean. When I tried to download the installer again, the AV gave me a warning that the installer has a trojan and I had to delete it.

Is it possible that the virus signature has been added recently and that is causing alarms in the detection?

I was searching for help on this and found no reports anywhere online about similar incidences. I was looking to write to the BT team when I chanced upon this thread, so had to add to this.

[vitz1]

I sent the file to Kaspersky Lab to check it out for false positive - let`s see.

[kos13]

First can you check that Sync.exe has a right BitTorrent signature? Could you please also send us a version of KIS you are using?

There are two cases:

1. You downloaded infected binary;

2. Or this is a false positive from KIS and we will take care of it.

[btrg]

I downloaded it from here: http://labs.bittorrent.com/experiments/sync.html

which gave me a link to this: http://btsync.s3-website-us-east-1.amazonaws.com/BTSync.exe

There are no hashes or signatures on the website to match against so can't check file signature. Also, since I don't anymore have the installers as the antivirus won't let me live with them and I also am not sure if I should download it again.

[Xanza]

Looks like you have an existing infection in your machine, unrelated to BitTorrent Sync.

Whilst I can't find specific details for the ".diwl" variant of "Trojan-Ransom.Win32.Foreign", for all other "Trajan-Ransom.Win32.Foreign" threats; "This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites." (Source)

Therefore, this infection has not been caused by BitTorrent Sync itself!

This is incorrect. The actual official BTSync.exe program is being picked up as "Trojan-Ransom.Win32.Foreign.diwl" from Kaspersky and "TROJ_GEN.F47V0608" from TrendMicro HouseCall.

Also, just for clarification, I downloaded this exact file from the BTSync page and tested that file, not the one I currently have. So these findings are legitimate. Therefore it's up to a BitTorrent representative to contact these virus vendors to correct this false positive.

[GreatMarko]

I downloaded it from here: http://labs.bittorre...ments/sync.html

which gave me a link to this: http://btsync.s3-web....com/BTSync.exe

Hmm... I've just download this and checked it with Kasperksy:

Looks clean to me! (Kaspersky database release date: 07/06/2013 14:53:00)

UPDATE: Having just posted the above, I decided to see if new database definitions were available since yesterdays, and sure enough, after update (new database release date 08/06/2013 12:57:00), "Trojan-Ransom.Win32.Foreign.diwl" HAS now been detected on the installer!!

...so looks like potentially a false-positive caused by the latest database update from Kaspersky?!

[btrg]

The antivirus database update which set this off happened 2 hours ago(1100 GMT). I wish updates had a version so we could compare.

Anyhow I would like to err on caution. We actually started to use BTSync on several platforms at work and now have to get everything quarantined, so I know we are in some serious trouble on Monday as this Trojan looks scary by what is known of it to the Internet.

UPDATE: Sorry hadn't seen your(GreatMarko) update, but saw it after the page refreshed after posting. So I guess we have it there then.

[vitz1]

No panic, I suppose.

I have just got an official reply from Kaspersky Lab:

"Здравствуйте,

Это было ошибочное срабатывание.

Оно будет исправлено.

Благодарим Вас за помощь.

С наилучшими пожеланиями, Юнаковский Сергей, вирусный аналитик"

In short - it is a truly false positive, they promise to fix.

[kos13]

This is definitely False Positive we will contact Kaspersky and Trend Micro on this matter.

I'll keep updating this thread

[GreatMarko]

UPDATE: Issue appears to be resolved as of Kaspersky database release 08/06/2013 18:07:00. Kaspersky no longer identifies BTSync.exe as a Trojan

If you've encountered the issue described in this thread and are running Kaspersky Internet Security (KIS) or Kaspersky Antivirus (KAV), please update to the latest database release (Right-click Kaspersky taskbar icon and select "Update")

[btrg]

Woof! This was scary until this. Happy syncing everybody. Thank you vitz1, GreatMarko, Xanza & kos13 for helping with this.

[kjartana]

Just tried to install BTSync and Trend went crazy. Identified a total of 11 hits in files which was all autoremoved.

Threat identified as HEU_CDPLC024 (5 files), HEU_CDPLC016 (4 files) and HEU_DLTI.G145 (2 files).

 

BTSync was downloaded from http://www.bittorrent.com/sync.

 

Any idea if this is false positives or not. Wouldn't like to accept these files if they are "dirty".

[GreatMarko]

Just tried to install BTSync and Trend went crazy. Identified a total of 11 hits in files which was all autoremoved.

Threat identified as HEU_CDPLC024 (5 files), HEU_CDPLC016 (4 files) and HEU_DLTI.G145 (2 files).

 

BTSync was downloaded from http://www.bittorrent.com/sync.

 

Any idea if this is false positives or not. Wouldn't like to accept these files if they are "dirty".

 

BTSync.exe (the latest Windows installer for Sync 1.2.82) is clean.

 

See: https://www.virustotal.com/en/file/cbe0accf8e2d1c2e641502d812fed2d0abbbc62f31c9304a7c47df8ed9f4cada/analysis/

 

Trend was likely giving you a "false positive". Try updating your virus definition files, as according to a VirusTotal scan (see above), Trend (with the latest definitions) doesn't detect any issues with the Sync installer.