Compiled AutoIt scripts


remarkad

Malwarebytes' Anti-Malware 1.44

Database version: 3614

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

1/22/2010 9:12:30 AM

mbam-log-2010-01-22 (09-12-02).txt

Scan type: Full Scan (D:\|)

Objects scanned: 139789

Time elapsed: 2 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

D:\Test\test.exe (BackDoor.Bifrost) -> No action taken. [01B441D6D9C052935158843F734AB7E8]

test.zip


I poked at it a bit more and it appears that it's the part of the EXE containing the icon that's triggering the false positive. If you compile the script with the default AutoIt icon it flags it as BackDoor.Bifrost. If you compile it with any other icon it's clean. Hope this narrows down your search.

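The post above attributes the detection to the icon resource of the compiled EXE. One way a defender can test that hypothesis before filing a false-positive report is to hash only the RT_ICON and RT_GROUP_ICON resources of the flagged binary and of a trivially compiled script built with the same icon, and confirm that the icon set is byte-identical while everything else differs. The Python below is an added example written for this page, not code from the thread, from Malwarebytes or from the AutoIt project; it walks the PE resource tree with the standard library only, and it runs against constructed synthetic PE32 fixtures (`build_test_pe`, `SAMPLE_A`, `SAMPLE_B`, `SAMPLE_C`) rather than real AutoIt output, so the resource layout, icon bytes and "script" payloads are invented test data.

```python
import hashlib
import struct

# Resource type IDs from the PE spec (winuser.h RT_* values)
RT_ICON, RT_RCDATA, RT_GROUP_ICON = 3, 10, 14
SUBDIR_FLAG = 0x80000000   # high bit of OffsetToData: the entry points to a sub-directory


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def icon_resource_hashes(pe):
    """Return {(type_id, name_id, lang_id): sha256} for each RT_ICON / RT_GROUP_ICON resource in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    # data directories start at +96 (PE32) or +112 (PE32+); the resource table is entry 2
    rsrc_rva, _ = struct.unpack_from("<II", pe, opt + (96 if magic == 0x10B else 112) + 2 * 8)
    shdr = opt + opt_size
    sections = []
    for i in range(nsect):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, shdr + i * 40 + 8)
        sections.append((vaddr, vsize, rawptr, rawsize))
    if rsrc_rva == 0:
        return {}
    base = _rva_to_offset(sections, rsrc_rva)
    found = {}

    def walk(dir_off, path):            # resource tree: type -> name -> language -> data entry
        if len(path) > 2:
            raise ValueError("resource tree deeper than three levels (malformed file)")
        n_named, n_id = struct.unpack_from("<HH", pe, base + dir_off + 12)
        entry = base + dir_off + 16
        for _ in range(n_named + n_id):
            ident, off = struct.unpack_from("<II", pe, entry)
            entry += 8
            key = path + (ident & 0x7FFFFFFF,)   # named entries keep their string offset as the key
            if off & SUBDIR_FLAG:
                walk(off & 0x7FFFFFFF, key)
            elif key[0] in (RT_ICON, RT_GROUP_ICON):
                data_rva, size = struct.unpack_from("<II", pe, base + off)   # IMAGE_RESOURCE_DATA_ENTRY
                start = _rva_to_offset(sections, data_rva)
                found[key] = hashlib.sha256(pe[start:start + size]).hexdigest()

    walk(0, ())
    return found


def shared_icon_resources(pe_a, pe_b):
    """Keys whose icon resource bytes are identical in both images: the evidence to attach to an FP report."""
    ha, hb = icon_resource_hashes(pe_a), icon_resource_hashes(pe_b)
    return {k for k in ha if hb.get(k) == ha[k]}


# ---- constructed test fixtures: a synthetic PE32 with one .rsrc section, not a real AutoIt binary ----

def _res_dir(entries):
    """IMAGE_RESOURCE_DIRECTORY header followed by its ID entries."""
    out = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    for ident, off in entries:
        out += struct.pack("<II", ident, off)
    return out


def build_test_pe(resources, rsrc_rva=0x1000, raw_ptr=512):
    """Build a minimal PE32 whose .rsrc holds resources = [(type_id, name_id, lang_id, data), ...], one per type."""
    n = len(resources)
    type_base, name_base = 16 + 8 * n, 16 + 32 * n
    entry_base, blob_off = 16 + 56 * n, 16 + 72 * n
    root, types, names, entries, blobs = [], b"", b"", b"", b""
    for i, (rtype, name, lang, data) in enumerate(resources):
        root.append((rtype, SUBDIR_FLAG | (type_base + 24 * i)))
        types += _res_dir([(name, SUBDIR_FLAG | (name_base + 24 * i))])
        names += _res_dir([(lang, entry_base + 16 * i)])
        entries += struct.pack("<IIII", rsrc_rva + blob_off, len(data), 0, 0)
        blobs += data
        blob_off += len(data)
    rsrc = _res_dir(root) + types + names + entries + blobs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)             # i386, one section, PE32 optional header
    dirs = b"\0" * 16 + struct.pack("<II", rsrc_rva, len(rsrc)) + b"\0" * 104  # 16 directories, entry 2 = resources
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + dirs
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, len(rsrc), raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers + b"\0" * (raw_ptr - len(headers)) + rsrc


# Constructed sample data: a fake 16-byte icon bitmap and a fake GRPICONDIR referencing icon id 1
ICON_DEFAULT = bytes(range(16))
ICON_CUSTOM = bytes(range(16, 32))
GROUP_DEFAULT = struct.pack("<HHH", 0, 1, 1) + b"\x20\x20\x00\x00\x01\x00\x20\x00" + struct.pack("<IH", 16, 1)
GROUP_CUSTOM = GROUP_DEFAULT.replace(b"\x20\x20", b"\x10\x10")

# Three "compiled scripts": A and B share the default icon but differ in payload; C was built with another icon
SAMPLE_A = build_test_pe([(RT_ICON, 1, 0x409, ICON_DEFAULT), (RT_RCDATA, 1, 0x409, b"script one"), (RT_GROUP_ICON, 1, 0x409, GROUP_DEFAULT)])
SAMPLE_B = build_test_pe([(RT_ICON, 1, 0x409, ICON_DEFAULT), (RT_RCDATA, 1, 0x409, b"a different script"), (RT_GROUP_ICON, 1, 0x409, GROUP_DEFAULT)])
SAMPLE_C = build_test_pe([(RT_ICON, 1, 0x409, ICON_CUSTOM), (RT_RCDATA, 1, 0x409, b"script one"), (RT_GROUP_ICON, 1, 0x409, GROUP_CUSTOM)])

if __name__ == "__main__":
    print("A vs B share:", sorted(shared_icon_resources(SAMPLE_A, SAMPLE_B)))   # both icon resources
    print("A vs C share:", sorted(shared_icon_resources(SAMPLE_A, SAMPLE_C)))   # nothing
```

On real files, replace the fixtures with `open(path, "rb").read()` for the flagged sample and for a freshly compiled hello-world script built with the same icon: if `shared_icon_resources` reports both icon entries identical while the two files receive different verdicts (or the same verdict despite sharing nothing but the icon), that is concrete, reproducible evidence to put in the report instead of "it seems to be the icon". The same tree walk is what the `pefile` library exposes as `DIRECTORY_ENTRY_RESOURCE` if you would rather not parse headers by hand.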

I made an identical report yesterday

http://www.malwarebytes.org/forums/index.php?showtopic=37215


Also much more frequently used by legitimate programmers such as myself. I encounter this each time I scan with MBAM and it's much more a nuisance than a desirable detection. This is pretty much like saying "we'll flag all programs written in Java as malware, but we might reduce that to a PUP, because a lot of malware is distributed by Java". Can you even hear how silly that sounds?

This detection came up rather recently and I was hoping it would go away just as quickly. But, it seems, false positives are seen as a "feature" :D here. May I politely join the imminent crowd in asking to reconsider this position?


We don't let you get away with much with AutoIt as it is very frequently used by malware. We may change this to PUP but the detection is not going away.

So let me get this straight. You're saying that all compiled AutoIt scripts are malicious. How is that when I see many more legitimate uses than malicious? So you're going to block every other program created in any other language too? Your reasoning behind this is retarded to say the least. Last time I checked more people would use other languages to create malware than AutoIt. Just because AutoIt isn't as big (even though we have a thousand downloads per day) you still want to block every single compiled program.

You can contact Jon (the creator) to get the information needed to be able to filter between malicious and legitimate AutoIt scripts.

Cheers,

Brett


We are working on better ways to refine this, for now the FPs should be gone.

