vitz1 Posted June 8, 2013

Hi,

Strangely enough, Kaspersky Internet Security Software started to detect a Trojan in the BitTorrent Sync.exe file I downloaded a month ago and have been keeping on my PC for a month (http://bit.ly/14nlvx6). The same goes for the new BitTorrent Sync.exe release. Is the issue known, what can it be and how to fix it?

Thanks.

GreatMarko Posted June 8, 2013

Looks like you may have an existing infection in your machine, unrelated to BitTorrent Sync.

Whilst I can't find specific details for the ".diwl" variant of "Trojan-Ransom.Win32.Foreign", for all other "Trojan-Ransom.Win32.Foreign" threats: "This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites." (Source)

Therefore, this infection has not been caused by BitTorrent Sync itself!

UPDATE: Ignore the above, and please see my subsequent post.

btrg Posted June 8, 2013

I can attest to this as the downloaded file is indeed harboring the trojan.

I have got a new laptop (3 days old), and was looking to replicate the setup I have in my other computer, so I proceeded to download and install BTSync (yesterday) and Kaspersky Internet Security (v13.0.1.4190) gave me a warning that BTSync.exe contains Trojan-Ransom.Win32.Foreign.diwl at "Program Files\Bittorrent Sync\BTSync.exe//UPX"

I uninstalled and performed a thorough scan and restarted. Scanned again, and the system was clean. When I tried to download the installer again, the AV gave me a warning that the installer has a trojan and I had to delete it.

Is it possible that the virus signature has been added recently and that is causing alarms in the detection?

I was searching for help on this and found no reports anywhere online about similar incidences. I was looking to write to the BT team when I chanced upon this thread, so had to add to this.

vitz1 Posted June 8, 2013 (Author)

I sent the file to Kaspersky Lab to check it out for false positive - let's see.

kos13 Posted June 8, 2013

First, can you check that Sync.exe has the right BitTorrent signature? Could you please also send us the version of KIS you are using?

There are two cases:

1. You downloaded an infected binary;
2. Or this is a false positive from KIS and we will take care of it.

btrg Posted June 8, 2013

I downloaded it from here: http://labs.bittorrent.com/experiments/sync.html
which gave me a link to this: http://btsync.s3-website-us-east-1.amazonaws.com/BTSync.exe

There are no hashes or signatures on the website to match against so I can't check the file signature. Also, I don't have the installers anymore as the antivirus won't let me live with them, and I am also not sure if I should download it again.

Xanza Posted June 8, 2013

> Looks like you have an existing infection in your machine, unrelated to BitTorrent Sync.
>
> Whilst I can't find specific details for the ".diwl" variant of "Trojan-Ransom.Win32.Foreign", for all other "Trojan-Ransom.Win32.Foreign" threats: "This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites." (Source)
>
> Therefore, this infection has not been caused by BitTorrent Sync itself!

This is incorrect. The actual official BTSync.exe program is being picked up as "Trojan-Ransom.Win32.Foreign.diwl" from Kaspersky and "TROJ_GEN.F47V0608" from TrendMicro HouseCall.

Also, just for clarification, I downloaded this exact file from the BTSync page and tested that file, not the one I currently have. So these findings are legitimate. Therefore it's up to a BitTorrent representative to contact these virus vendors to correct this false positive.

GreatMarko Posted June 8, 2013

> I downloaded it from here: http://labs.bittorre...ments/sync.html
> which gave me a link to this: http://btsync.s3-web....com/BTSync.exe

Hmm... I've just downloaded this and checked it with Kaspersky:

Looks clean to me! (Kaspersky database release date: 07/06/2013 14:53:00)

UPDATE: Having just posted the above, I decided to see if new database definitions were available since yesterday's, and sure enough, after update (new database release date 08/06/2013 12:57:00), "Trojan-Ransom.Win32.Foreign.diwl" HAS now been detected on the installer!!

...so looks like potentially a false-positive caused by the latest database update from Kaspersky?!

btrg Posted June 8, 2013

The antivirus database update which set this off happened 2 hours ago (1100 GMT). I wish updates had a version so we could compare.

Anyhow I would like to err on caution. We actually started to use BTSync on several platforms at work and now have to get everything quarantined, so I know we are in some serious trouble on Monday as this Trojan looks scary by what is known of it to the Internet.

UPDATE: Sorry, hadn't seen your (GreatMarko) update, but saw it after the page refreshed after posting. So I guess we have it there then.

vitz1 Posted June 8, 2013 (Author)

No panic, I suppose.

I have just got an official reply from Kaspersky Lab:

"Hello,
This was a false detection.
It will be fixed.
Thank you for your help.
Best regards, Sergey Yunakovsky, virus analyst"

In short - it is a truly false positive, they promise to fix.

kos13 Posted June 8, 2013

This is definitely a false positive; we will contact Kaspersky and Trend Micro on this matter.

I'll keep updating this thread.

GreatMarko Posted June 8, 2013

UPDATE: Issue appears to be resolved as of Kaspersky database release 08/06/2013 18:07:00. Kaspersky no longer identifies BTSync.exe as a Trojan.

If you've encountered the issue described in this thread and are running Kaspersky Internet Security (KIS) or Kaspersky Antivirus (KAV), please update to the latest database release (right-click the Kaspersky taskbar icon and select "Update").

btrg Posted June 8, 2013

Woof! This was scary until this. Happy syncing everybody. Thank you vitz1, GreatMarko, Xanza & kos13 for helping with this.

kjartana Posted November 30, 2013

Just tried to install BTSync and Trend went crazy. Identified a total of 11 hits in files which were all autoremoved.

Threat identified as HEU_CDPLC024 (5 files), HEU_CDPLC016 (4 files) and HEU_DLTI.G145 (2 files). BTSync was downloaded from http://www.bittorrent.com/sync. Any idea if these are false positives or not? Wouldn't like to accept these files if they are "dirty".

GreatMarko Posted November 30, 2013

> Just tried to install BTSync and Trend went crazy. Identified a total of 11 hits in files which were all autoremoved.
>
> Threat identified as HEU_CDPLC024 (5 files), HEU_CDPLC016 (4 files) and HEU_DLTI.G145 (2 files). BTSync was downloaded from http://www.bittorrent.com/sync. Any idea if these are false positives or not? Wouldn't like to accept these files if they are "dirty".

BTSync.exe (the latest Windows installer for Sync 1.2.82) is clean. See: https://www.virustotal.com/en/file/cbe0accf8e2d1c2e641502d812fed2d0abbbc62f31c9304a7c47df8ed9f4cada/analysis/

Trend was likely giving you a "false positive". Try updating your virus definition files, as according to a VirusTotal scan (see above), Trend (with the latest definitions) doesn't detect any issues with the Sync installer.

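
Added example, not part of the original thread and not BitTorrent's or any poster's code: one way to run the two checks the thread asks for on a flagged installer, the Authenticode signature and a SHA-256 comparison against the hash in the VirusTotal link above. The function name, the download path and the expected signer substring "BitTorrent" are assumptions.

```powershell
# Triage an installer that an AV product has flagged: verify its Authenticode
# signature and compare its SHA-256 with a reference value.
# Test-InstallerTrust is a hypothetical helper name.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate subject (assumption).
        [string] $ExpectedSigner = 'BitTorrent',
        # Optional reference SHA-256, e.g. the hash in a VirusTotal report URL.
        [string] $ReferenceSha256
    )

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()

    $subject = $null
    if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

    # 'Valid' means the certificate chain is trusted and the file still matches
    # the signed digest. NotSigned, HashMismatch, NotTrusted etc. all fail here.
    $signatureOk = ($sig.Status -eq 'Valid') -and $subject -and
                   ($subject -like "*$ExpectedSigner*")

    # Stays $null when no reference hash was supplied.
    $hashOk = $null
    if ($ReferenceSha256) {
        $hashOk = ($hash -eq $ReferenceSha256.Trim().ToLower())
    }

    [pscustomobject]@{
        Path                 = $Path
        SignatureStatus      = $sig.Status
        Signer               = $subject
        SignatureOk          = [bool]$signatureOk
        Sha256               = $hash
        HashMatchesReference = $hashOk
    }
}

# Reference hash from the VirusTotal link in the post above (Sync 1.2.82 installer).
$ref = 'cbe0accf8e2d1c2e641502d812fed2d0abbbc62f31c9304a7c47df8ed9f4cada'
# The download location is an assumption; point -Path at the file you saved.
Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\BTSync.exe" -ReferenceSha256 $ref
```

A signature status other than Valid, or a hash that differs from the reference for the same release, points to the "infected binary" case kos13 lists rather than a definition-update false positive.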