furger

Malicious code detected in SimServer.exe (Trojan-Ransom.Win32.Blocker.kdwe)


Hi

When downloading the most current version 3.1 (http://library.avsim.net/esearch.php?DLID=200064) Kaspersky is telling me that malicious code has been detected in SimServer.exe (Trojan-Ransom.Win32.Blocker.kdwe).

Best regards

Andreas

False positive.

If you have downloaded it from the official source there is no problem.

Hi Andreas,

I downloaded the app from AVSIM, and first of all, I confirm it's the same file I uploaded. So the one at AVSIM is not corrupted in any way.

Then I ran this online virus scan which uses many detection engines:

https://www.virustotal.com/file/fe5e08c8906e6e63aa16431debb378798c51b808785902325442bfd856b78409/analysis/1498721286/

Indeed, 6 engines detect malware. I'm guessing this is because I use a tool to encrypt the binary file to avoid easy disassembly.

Since 55 antivirus engines don't detect a virus, I would say this is indeed a false positive (so the tool I'm using doesn't add anything malicious).

I hope this reassures you on this topic.

Best Regards

Mark

Dear Mark

Thank you for your attention and for clarifying. It's currently a sensitive topic...

Best regards

Andreas

Hi Andreas,

I fully understand - and as such, thank you for pointing this out.

As an FYI: I have contacted Kaspersky and reported this as a false positive. As soon as I hear back from them, I will post the information in this thread.

Best Regards

Mark

I will also note that Kaspersky does not like simserver.exe. Took me quite a while to get it installed and running as it would automatically be blocked and then deleted.

Same problem but with BitDefender.....I can't even extract it from the zip file without BitDefender blocking and deleting it. :-(

Dear All,

a quick update from my side:

  • Since I haven't heard back from Kaspersky, I did some research as to what was causing this increasing rate of false positives. Indeed, as Hilkiah mentioned above, more and more AV engines have detected some form of malware.
  • AV software uses heuristic (empirical) algorithms to detect suspicious code. So if something looks fishy, it will be flagged, regardless of whether it actually is malware or not.
  • While playing around with my tool chain during compilation, I noticed that my original executable didn't show any sign of detected malware.
  • Instead, as I had expected, I ran into malware detection when running my obfuscation tool. It turns out there is a small setting that will set off AV software. After disabling this setting, Kaspersky and co no longer detect malware.
  • This doesn't mean that the app was misbehaving in the past. It just means it looked 'fishy', and probably other forms of malware take similar precautions against being disassembled.
  • I have uploaded a new version to AVSIM and as soon as the link goes live, I will update the link on here. Also, the app should notify you once the update is available.
  • No code changes to the app were made (except updating version info from 3.1.0.0 to 3.1.0.1).
  • There is nothing wrong with the current version, except that it sets off AV software.

Thank you all for reporting this - I am trying to treat this problem with very high priority.

As such, I'm also trying to be as transparent as I can be.

Best Regards

Mark

Version 3.1.0.1 is now available on AVSIM.

7 hours ago, marcom said:

Version 3.1.0.1 is now available on AVSIM.

I currently have an open case with Kaspersky and they are looking at this to figure out what is causing the false positive. Also, the new version of the program has the same results with Kaspersky. I cannot unpack the zip file as it deletes the executable file every time. I will keep you posted on what I find out.

Dear Mark

Unfortunately there is no difference with the new version 3.1.0.1. My system still is diagnosing/treating the file SimServer.exe as infected.

I hope you/Kaspersky will find a solution.

Best regards

Andreas

Hi folks,

yes, I am seeing this now as well. This is really frustrating, as yesterday everything looked ok.

Before uploading yet a new version to AVSIM, please give this version a test (I uploaded it to my google drive):

https://drive.google.com/file/d/0B5HdXeQAwtKVZVVhVFgxMDQ0LVk/view?usp=drive_web

The new .exe gave this result on VirusTotal:

https://virustotal.com/en/file/61b3f5a9b3b16467773a3892794d6e9b802fd0093f40fc6f237cc05b2a08928d/analysis/1499109271/

PS: again no code changes, just different settings for the obfuscation tool.

Regards

Mark

Mark,

I was able to download this version (from your google drive) to my computer and open and successfully run the simserver.exe. Bitdefender didn't complain one bit! I also ran the online check and it passes with flying colors.

https://virustotal.com/en/file/08d61fa7cd659d4ae704ddc2b92753ebbecad0e16f56de6e637d1a3e299db594/analysis/1499109928/

Go ahead and upload and I will redownload the newly updated version and test again. If that fails, then the problem has to do with the zipfiles getting corrupted after being uploaded. If it passes, then the problem most likely was due to the obfuscation settings you used.

Regards,

Hilkiah

Incidentally, has anyone gotten the server working properly with Bitdefender Firewall? I have added an exception for simserver.exe (all ports and all protocols) but it doesn't allow my devices to connect (though I can connect to it from the PC itself). However, when I turn off Bitdefender Firewall and enable the regular Windows 10 firewall, it works ok (and yes, I added a similar exception to the Windows Firewall).

Regards,

Thanks for the feedback. Let me wait 24 hours before uploading this, since yesterday my original 3.1.0.1 version also passed without errors.

In the meantime, feel free to use this version, since it will match the AVSIM version.

I don't believe the upload process breaks anything, as I did a byte-wise comparison and the AVSIM version matched my .zip. So that's not a source of error.

Regards

Mark

I wanted to let everyone know that I heard back from Kaspersky, and after a few emails back and forth they determined it was indeed a false positive. There was never anything wrong on Mark's end or with the software.

However, as Mark fixed the issue before Kaspersky got to it, this all may be a moot point. Thanks for the quick response to your customers Mark! Excellent service as usual.

Hi Mark

Great, you have managed it. Also Kaspersky (at least in the environment I am currently running) doesn't complain anymore about the download drawn from your google drive.

Thank you

Andreas

Thanks for the feedback!

I've now uploaded that version (3.1.0.2) to AVSIM and once it's available, I will update the links.

Hope that finalizes this topic :-)

Hi Mark.....think we still have a problem.

I am doing a flight and realized I didn't have simserver running so I went to start it....and noticed my exe was missing. I went back to the zipfile and tried to extract it from there and sure enough, Bitdefender didn't let me. I then uploaded the last file I downloaded (which was ok at the time) to the online virus scan and again sure enough 7 scanners detected viruses/malware:

https://www.virustotal.com/en/file/564c9339f90279ae78e6e211eb34e0434e46669aeb5d5e7d5d05a3ed7b7de63d/analysis/1499308249/

I then used your link (http://library.avsim.net/esearch.php?DLID=200324) and redownloaded the zipfile and ....viruses detected. I am thinking, could it be some sort of timed malware which is dormant and then 'wakes up' after x number of days or hours? Can anyone else try and see if they are getting malware detection also?

The MOST easy and pretty safe way to solve those problems:

Set up proper exceptions in your AV suite for ALL folders of your sim, addons etc....

Deactivate your AV suite during your sim session; as long as you don't surf to suspicious websites during flying you won't need it.

On 7/6/2017 at 4:35 AM, Hilkiah said:

Hi Mark.....think we still have a problem.

I am doing a flight and realized I didn't have simserver running so I went to start it....and noticed my exe was missing. I went back to the zipfile and tried to extract it from there and sure enough, Bitdefender didn't let me. I then uploaded the last file I downloaded (which was ok at the time) to the online virus scan and again sure enough 7 scanners detected viruses/malware:

https://www.virustotal.com/en/file/564c9339f90279ae78e6e211eb34e0434e46669aeb5d5e7d5d05a3ed7b7de63d/analysis/1499308249/

I then used your link (http://library.avsim.net/esearch.php?DLID=200324) and redownloaded the zipfile and ....viruses detected. I am thinking, could it be some sort of timed malware which is dormant and then 'wakes up' after x number of days or hours? Can anyone else try and see if they are getting malware detection also?

Hi Hilkiah,

sorry for not responding until now, but I have contacted BitDefender in the meantime and asked them to do a more in-depth analysis of the application. If you run a new scan via VirusTotal, you should see that no major AV software is reporting anything suspicious, including Kaspersky and BitDefender. At least, that's the case as per today, see also:

https://virustotal.com/en/file/95fe6149536d26381ecda35900dd2c06c43693f5e774154ea773de0321458529/analysis/1499612242/

I hope this reassures everyone that there is indeed no virus/malware contained within SimServer.

PS: a binary executable contained in a zip archive doesn't change. A virus is not something biological which changes over time. Malware either exists or it doesn't - but the compiled binary will not change over time. And AV software doesn't actually run the application (such as VirusTotal), it just scans for patterns within the binary file.

Best Regards

Mark
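
The byte-wise comparison Mark describes earlier in the thread, and his point that a binary inside a zip cannot change on its own, can both be checked directly. The following Python script is an added example, not code from SimServer, AVSIM or anyone in this thread: it hashes a named member of a zip archive in memory (so a real-time scanner that quarantines the extracted .exe does not get in the way) and compares two archives member by member. The archive contents are constructed sample data, not the real SimServer files.

```python
"""Added example: verify a zip member in memory and diff two archives.
The archives below are constructed sample data, not the real SimServer zip."""
import hashlib
import io
import zipfile


def member_sha256(zip_bytes: bytes, member_name: str) -> str:
    """SHA-256 of one archive member, streamed from memory without extracting
    to disk (a real-time AV scanner cannot quarantine what is never written)."""
    digest = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, zf.open(member_name) as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_archives(zip_a: bytes, zip_b: bytes) -> dict:
    """Member-by-member byte comparison of two archives.
    Maps member name -> True if identical in both, False if it differs or is
    missing on one side (the check Mark ran between his upload and AVSIM's copy)."""
    with zipfile.ZipFile(io.BytesIO(zip_a)) as za, zipfile.ZipFile(io.BytesIO(zip_b)) as zb:
        names_a, names_b = set(za.namelist()), set(zb.namelist())
        result = {}
        for name in sorted(names_a | names_b):
            if name in names_a and name in names_b:
                result[name] = za.read(name) == zb.read(name)
            else:
                result[name] = False
    return result


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (used for the sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: an "uploaded" archive and a "downloaded" copy whose
# executable differs by a single byte; the readme is unchanged.
UPLOADED = build_zip({"SimServer.exe": b"MZ" + b"\x90" * 64, "readme.txt": b"3.1.0.2"})
DOWNLOADED = build_zip({"SimServer.exe": b"MZ" + b"\x90" * 63 + b"\x00", "readme.txt": b"3.1.0.2"})

if __name__ == "__main__":
    print("SimServer.exe sha256:", member_sha256(UPLOADED, "SimServer.exe"))
    print("members identical?:", compare_archives(UPLOADED, DOWNLOADED))
```

The hex digest printed is the same identifier that the VirusTotal /file/<sha256>/ links in this thread use, so a downloaded copy can be matched against an already-analysed file without uploading it again.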

Could this be why whenever I right click or click on SimServer.exe my system slows to a crawl? This also happens with the OverheadClient.exe too... note: no other files exhibit this behaviour.
