This is the mail archive of the cygwin mailing list for the Cygwin project.



RE: Trojan associated with rsync and wget


----Original Message----
From: bob sandefur
Sent: 03 May 2005 17:57

> Hi-
> 
> Norton antivirus thinks cygwin wget and rsync are trying to Trojan my
> machines (first reported in December)

  No, it thinks they *are* trojans that have got onto your machine and are
trying to communicate out.  Norton AV is a pile of garbage.  If I were you,
I would report these false positives to Norton.

  Then again, if you were me, you would just uninstall it and throw it in
the bin with the rest of the garbage.

> Anyone know if Norton and I are unduly paranoid or if this is a real
> threat?

  It's Norton being stupid.  There's nothing harmful about those programs.

  Because _some_ hackers _sometimes_ use wget or rsync to download tools to
a box they have broken into, Norton thinks this means that wget and rsync are
malware.  Of course, hackers also use "ls" when they've broken into a
machine, to see what files are there.  Does this mean that we should regard
"ls" as a trojan or virus?  Or perhaps a better example would be ftp:
hackers use ftp just as often as wget or rsync to download malware to an
owned box, but that doesn't mean that the ftp client utility is a trojan!

  It is a stupid and indiscriminate test they are applying, because wget and
rsync are legitimate software with an overwhelmingly vast number of
legitimate uses, but the lazy programmers at Norton couldn't be bothered to
try and code their software to distinguish how they are being used, so it
just blocks them all the time.

  When you recompile the code yourself from source, Norton fails to spot
them, because it's just looking for a particular 'signature' or series of
bytes to identify the supposed malware.  Build them yourself and the file
contents change, and the signature test, being poorly targeted, fails.

  So Norton AV is employing a very poorly designed test that generates both
false positives and false negatives and only once in a blue moon will ever
generate a non-false alarm.

[  The report you found was about how an rsync-downloaded version of portage
could contain trojaned code, but so could one that you downloaded by ftp or
http or any other means from any mirror site where the admin was in the
habit of trojanning the downloads.  The vulnerability was not in rsync but
in their automated build system.  ]


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
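The signature behaviour the reply above describes (a fixed byte pattern that flags the stock binary yet misses a rebuilt or repacked one), as an added Python example that is not part of the thread; the signature name, the sample file contents and the ground-truth labels are all constructed for illustration, and the final hash check goes one step beyond the post by showing the comparison a defender would make instead.

```python
"""Toy byte-signature scanner showing why a pattern match on a legitimate tool
yields both false positives and false negatives.  Every sample below is a
constructed stand-in for a file, not a real Cygwin binary or real malware."""
import hashlib

# Hypothetical AV signature: a byte string the vendor saw inside a malware kit
# that happened to bundle wget.  Name and pattern are constructed.
SIGNATURES = {
    "Trojan.Downloader.wget": b"wget/1.9 (cygwin)",
}

# Constructed sample contents, with whether each is actually malicious.
SAMPLES = {
    "wget.exe (Cygwin package)": (b"MZ..User-Agent: wget/1.9 (cygwin)..", False),
    "wget.exe (rebuilt from source)": (b"MZ..User-Agent: Wget/1.9.1 (cygwin)..", False),
    "dropper.exe (bundles wget)": (b"MZ..payload..wget/1.9 (cygwin)..", True),
    "dropper.exe (repacked)": (b"MZ..payload..WGET/1.9 (CYGWIN)..", True),
}

def scan(data, signatures=SIGNATURES):
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]

def evaluate(samples=SAMPLES, signatures=SIGNATURES):
    """Label each sample TP, FP, TN or FN by comparing the scanner's verdict
    (flagged if any signature matches) with the known ground truth."""
    outcome = {}
    for name, (data, malicious) in samples.items():
        flagged = bool(scan(data, signatures))
        if flagged and malicious:
            outcome[name] = "TP"
        elif flagged and not malicious:
            outcome[name] = "FP"   # legitimate tool blocked
        elif not flagged and malicious:
            outcome[name] = "FN"   # trivially altered bytes slip past
        else:
            outcome[name] = "TN"
    return outcome

def matches_known_good(data, expected_sha256):
    """Defender's check: compare the file's SHA-256 with the digest published
    by the package source, rather than trusting a byte-pattern verdict."""
    return hashlib.sha256(data).hexdigest() == expected_sha256

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{verdict}  {name}")
```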



