vitz1

Malware in BitTorrent Sync.exe detected by Kaspersky Internet Security


Hi,

Strangely enough, Kaspersky Internet Security started to detect a Trojan in the BitTorrent Sync.exe file I downloaded a month ago and have been keeping on my PC for a month (http://bit.ly/14nlvx6). The same goes for the new BitTorrent Sync.exe release. Is the issue known, what can it be, and how can it be fixed?

Thanks.


Looks like you may have an existing infection in your machine, unrelated to BitTorrent Sync.

Whilst I can't find specific details for the ".diwl" variant of "Trojan-Ransom.Win32.Foreign", for all other "Trojan-Ransom.Win32.Foreign" threats; "This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites." (Source)

Therefore, this infection has not been caused by BitTorrent Sync itself!

UPDATE: Ignore the above, and please see my subsequent post


I can attest to this as the downloaded file is indeed harboring the trojan.

I have got a new laptop (3 days old), and was looking to replicate the setup I have in my other computer, so I proceeded to download and install BTSync (yesterday), and Kaspersky Internet Security (v13.0.1.4190) gave me a warning that BTSync.exe contains Trojan-Ransom.Win32.Foreign.diwl at "Program Files\Bittorrent Sync\BTSync.exe//UPX".

I uninstalled and performed a thorough scan and restarted.

Scanned again, and the system was clean. When I tried to download the installer again, the AV gave me a warning that the installer has a trojan and I had to delete it.

Is it possible that the virus signature has been added recently and that is causing alarms in the detection?

I was searching for help on this and found no reports anywhere online about similar incidents. I was looking to write to the BT team when I chanced upon this thread, so had to add to this.


First, can you check that Sync.exe has the right BitTorrent signature? Could you please also send us the version of KIS you are using?

There are two cases:

1. You downloaded an infected binary;

2. Or this is a false positive from KIS and we will take care of it.


I downloaded it from here: http://labs.bittorrent.com/experiments/sync.html

which gave me a link to this: http://btsync.s3-website-us-east-1.amazonaws.com/BTSync.exe

There are no hashes or signatures on the website to match against, so I can't check the file signature. Also, I no longer have the installers, as the antivirus won't let me live with them, and I am also not sure if I should download it again.


Looks like you have an existing infection in your machine, unrelated to BitTorrent Sync.

Whilst I can't find specific details for the ".diwl" variant of "Trojan-Ransom.Win32.Foreign", for all other "Trojan-Ransom.Win32.Foreign" threats; "This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites." (Source)

Therefore, this infection has not been caused by BitTorrent Sync itself!

This is incorrect. The actual official BTSync.exe program is being picked up as "Trojan-Ransom.Win32.Foreign.diwl" from Kaspersky and "TROJ_GEN.F47V0608" from TrendMicro HouseCall.


Also, just for clarification, I downloaded this exact file from the BTSync page and tested that file, not the one I currently have. So these findings are legitimate. Therefore it's up to a BitTorrent representative to contact these virus vendors to correct this false positive.


I downloaded it from here: http://labs.bittorre...ments/sync.html

which gave me a link to this: http://btsync.s3-web....com/BTSync.exe

Hmm... I've just downloaded this and checked it with Kaspersky:


Looks clean to me! (Kaspersky database release date: 07/06/2013 14:53:00)

UPDATE: Having just posted the above, I decided to see if new database definitions were available since yesterday's, and sure enough, after update (new database release date 08/06/2013 12:57:00), "Trojan-Ransom.Win32.Foreign.diwl" HAS now been detected on the installer!!


...so looks like potentially a false-positive caused by the latest database update from Kaspersky?!


The antivirus database update which set this off happened 2 hours ago (1100 GMT). I wish updates had a version so we could compare.

Anyhow, I would like to err on the side of caution. We actually started to use BTSync on several platforms at work and now have to get everything quarantined, so I know we are in some serious trouble on Monday, as this Trojan looks scary by what is known of it to the Internet.

UPDATE: Sorry, hadn't seen your (GreatMarko) update, but saw it after the page refreshed after posting. So I guess we have it there then.


No panic, I suppose.

I have just got an official reply from Kaspersky Lab:

"Hello,

This was a false positive.

It will be fixed.

Thank you for your help.

Best regards, Sergey Yunakovsky, virus analyst"

In short: it truly is a false positive, and they promise to fix it.


This is definitely a false positive; we will contact Kaspersky and Trend Micro on this matter.

I'll keep updating this thread.


UPDATE: Issue appears to be resolved as of Kaspersky database release 08/06/2013 18:07:00. Kaspersky no longer identifies BTSync.exe as a Trojan :)

If you've encountered the issue described in this thread and are running Kaspersky Internet Security (KIS) or Kaspersky Antivirus (KAV), please update to the latest database release (Right-click Kaspersky taskbar icon and select "Update")


Just tried to install BTSync and Trend went crazy. Identified a total of 11 hits in files, which were all auto-removed.

Threat identified as HEU_CDPLC024 (5 files), HEU_CDPLC016 (4 files) and HEU_DLTI.G145 (2 files).

BTSync was downloaded from http://www.bittorrent.com/sync.

Any idea if these are false positives or not? Wouldn't like to accept these files if they are "dirty".



BTSync.exe (the latest Windows installer for Sync 1.2.82) is clean.

See: https://www.virustotal.com/en/file/cbe0accf8e2d1c2e641502d812fed2d0abbbc62f31c9304a7c47df8ed9f4cada/analysis/

Trend was likely giving you a "false positive". Try updating your virus definition files, as according to a VirusTotal scan (see above), Trend (with the latest definitions) doesn't detect any issues with the Sync installer.
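Added example, not part of any post in this thread: one poster notes that no hashes were published to check the download against, and the last reply links a VirusTotal report whose URL embeds the scanned file's SHA-256. The Python below compares a local file against that embedded hash; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# The VirusTotal report link quoted in the thread (the only hash the page provides).
REPORT_URL = ("https://www.virustotal.com/en/file/"
              "cbe0accf8e2d1c2e641502d812fed2d0abbbc62f31c9304a7c47df8ed9f4cada/analysis/")
SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_from_report_url(url):
    """Return the SHA-256 embedded in a .../file/<sha256>/analysis/ report URL."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    for prev, seg in zip(parts, parts[1:]):
        if prev == "file" and SHA256_HEX.match(seg):
            return seg.lower()
    raise ValueError("no SHA-256 found in report URL")


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never held in memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_report(path, report_url):
    """True only if the local file is byte-for-byte the file the report describes."""
    return sha256_of_file(path) == sha256_from_report_url(report_url)


def demo():
    # Constructed stand-in for a download: these bytes are NOT the real installer,
    # so the comparison against the thread's report must come back False.
    with tempfile.NamedTemporaryFile(suffix=".exe", delete=False) as tmp:
        tmp.write(b"MZ constructed sample, not BTSync.exe")
    try:
        return matches_report(tmp.name, REPORT_URL)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print("local file is the file that was scanned:", demo())
```

A match shows only that the local copy is the same file the report covers; it does not replace the signature check asked for earlier in the thread.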
