Did I Trojan Myself?
September 13, 2007 6:30 PM Subscribe
It is possible that I programmed a virus by mistake?
I'm coding a game using the Dev-Cpp IDE and the Allegro game library. Today after a compile as the IDE was linking the object files into the exe my virus scanner (Avast) pops up and says that the game exe I'm in the process of building has a trojan horse, Win32:Agent-DEF to be exact. I updated my virus scanner to the latest program and database updates, but it's still reading the exe as infected. The main exe for the Dev-Cpp IDE is not infected. Is this a real trojan horse that somehow manages to infect this exe every time I build it (deleting the infected copy and rebuilding does not help) or is Avast getting a false-positive off my game? This has never happened before and only started happening after a certain build.
I'm coding a game using the Dev-Cpp IDE and the Allegro game library. Today after a compile as the IDE was linking the object files into the exe my virus scanner (Avast) pops up and says that the game exe I'm in the process of building has a trojan horse, Win32:Agent-DEF to be exact. I updated my virus scanner to the latest program and database updates, but it's still reading the exe as infected. The main exe for the Dev-Cpp IDE is not infected. Is this a real trojan horse that somehow manages to infect this exe every time I build it (deleting the infected copy and rebuilding does not help) or is Avast getting a false-positive off my game? This has never happened before and only started happening after a certain build.
I second Nelson, but I say it is 100% chance of a false positive, particularly if you can compile previous versions without it alerting on those.
posted by procrastination at 7:31 PM on September 13, 2007
posted by procrastination at 7:31 PM on September 13, 2007
Does building other executable files with the same compiler/linker chain also produce a positive result? (Not, in the past, but if you try one right now?)
It's possible that you could have a virus on your system, which infects and hides itself deeply in your compiler (or the linker) and inserts a trojan into all the executables that you compile. That's actually fairly devious: I've heard it discussed as a theoretical method of attack, but never in the wild.
But I doubt that the virus would only bother to plop itself into one particular project. It would probably copy itself into everything you compile ... so just compile something else (anything from a test project to Hello, World, or maybe a previous version) and see if it produces the same result.
If it doesn't, then call it a false positive. But if it does, you'll need to hose your system down to eliminate the possibility that it's been rooted.
posted by Kadin2048 at 8:33 PM on September 13, 2007
It's possible that you could have a virus on your system, which infects and hides itself deeply in your compiler (or the linker) and inserts a trojan into all the executables that you compile. That's actually fairly devious: I've heard it discussed as a theoretical method of attack, but never in the wild.
But I doubt that the virus would only bother to plop itself into one particular project. It would probably copy itself into everything you compile ... so just compile something else (anything from a test project to Hello, World, or maybe a previous version) and see if it produces the same result.
If it doesn't, then call it a false positive. But if it does, you'll need to hose your system down to eliminate the possibility that it's been rooted.
posted by Kadin2048 at 8:33 PM on September 13, 2007
Kadin2048: The Jargon file mentions one possible in-the-wild instance of that sort of trojan in the entry on back doors. It does sound somewhat myths-and-legends-ish, though, so who knows.
posted by spaceman_spiff at 8:58 PM on September 13, 2007
posted by spaceman_spiff at 8:58 PM on September 13, 2007
Damn you spaceman_spiff, I was just about to post that link.
Yes, it was confirmed by Ken Thompson that there was a back-door in the login program in early versions of UNIX. But because you can recompile login from the source, the compiler had to be hacked to recognise that it was compiling login and so insert the back-door code at compile time. But because the compiler was also able to be compiled from source, the binary version shipped with UNIX had to also recognise that it was compiling the compiler and so put in the login back-door compile code at compile time as well.
Extremely fiendish, but to answer the original question, it's sheer blind luck that you've compiled a virus. Maybe add some standard MS slowdown routines to change the binary...
posted by bruzie at 9:04 PM on September 13, 2007
Yes, it was confirmed by Ken Thompson that there was a back-door in the login program in early versions of UNIX. But because you can recompile login from the source, the compiler had to be hacked to recognise that it was compiling login and so insert the back-door code at compile time. But because the compiler was also able to be compiled from source, the binary version shipped with UNIX had to also recognise that it was compiling the compiler and so put in the login back-door compile code at compile time as well.
Extremely fiendish, but to answer the original question, it's sheer blind luck that you've compiled a virus. Maybe add some standard MS slowdown routines to change the binary...
posted by bruzie at 9:04 PM on September 13, 2007
Response by poster: I've been able to comment out blocks of code and get a clean compile that way, but certain additions of code seem to set the virus scanner off again, so I'm treating it as a false positive. I must be coming up with some sort of pattern that's similar to the virus though because a few different combinations of code will compile to an executable that comes up as "infected". I'm going to forge ahead and hope that eventually I'll stop setting off the detector. Thanks everyone.
posted by sudasana at 9:39 PM on September 13, 2007
posted by sudasana at 9:39 PM on September 13, 2007
Could you post the implicated snippets if they're not too long?
posted by Matt Oneiros at 12:52 AM on September 14, 2007
posted by Matt Oneiros at 12:52 AM on September 14, 2007
Are you planning to distribute the game?
If so, even if this is a false positive you'll want to sort it out before all your users think you're trying to kill their PCs!
Does it make any difference if you do a debug or release build?
posted by roomaroo at 6:28 AM on September 14, 2007
If so, even if this is a false positive you'll want to sort it out before all your users think you're trying to kill their PCs!
Does it make any difference if you do a debug or release build?
posted by roomaroo at 6:28 AM on September 14, 2007
Seconding submitting at least the executable to your anti-virus vendor. This sort of feedback is important to them, and it could potentially save your future users some trouble.
posted by dreadpiratesully at 7:00 AM on September 14, 2007
posted by dreadpiratesully at 7:00 AM on September 14, 2007
Isn't this most likely a false positive where the checker noticed the file changed but didn't get a signature match and defaulted to the first/ last thing in its list?
posted by yerfatma at 7:08 AM on September 14, 2007 [1 favorite]
posted by yerfatma at 7:08 AM on September 14, 2007 [1 favorite]
Response by poster: I've been adding to the program today and haven't had a false positive again. The problem came when I added a couple of lines like the following:
Which are basically breaking up a string read from a file into parts separated by commas, using the part before the comma to determine what sort of information it is, then slotting the part after the comma and up to the semicolon into the proper variable inside a class pointed to by this_rosterfile. If I run into this again I will certainly send a copy to the anti-virus vendor, but so far it hasn't come up again.
And I should mention that I am NOT a professional programmer so this code may appear totally irrational to many of you. But it does the job.
posted by sudasana at 12:40 PM on September 14, 2007
a = strtok(read_buffer, ",");
if (strcmp (a, "name")==0) {
a = strtok(NULL, ";");
strcpy(this_rosterfile->name, a);
} else if (strcmp (a, "type")==0) {
a = strtok(NULL, ";");
this_rosterfile->type=atoi(a);
} else if (strcmp (a, "total_pts")==0) {
a = strtok(NULL, ";");
this_rosterfile->total_pts=atoi(a);
}
Which are basically breaking up a string read from a file into parts separated by commas, using the part before the comma to determine what sort of information it is, then slotting the part after the comma and up to the semicolon into the proper variable inside a class pointed to by this_rosterfile. If I run into this again I will certainly send a copy to the anti-virus vendor, but so far it hasn't come up again.
And I should mention that I am NOT a professional programmer so this code may appear totally irrational to many of you. But it does the job.
posted by sudasana at 12:40 PM on September 14, 2007
« Older How can I prevent potential employers from getting... | How do I pitch a TV show for the Travel Channel? Newer »
This thread is closed to new comments.
posted by Nelson at 6:41 PM on September 13, 2007