Antivirus changes?

  1. #1
    bg4u's Avatar Member

    Antivirus changes?

    Hey John, I posted here;
    http://www.ownedcore.com/forums/diab...ml#post3714400 ([HOW TO] Solve your antivirus problems)

    To paraphrase, your old release detected at 8/81, now you're at 25/62. Your traffic does not appear to be malicious and I looked over your files with PEiD (pretty familiar with the tool) and the file doesn't appear to be malicious. It doesn't seem like you changed packers, what gives?

  2. #2
    KillerJohn's Avatar TurboHUD HUDmaster CoreCoins Purchaser Authenticator enabled
    Your VirusTotal link does not match the latest release's hash. Current release is 6/58.

  3. #3
    bg4u's Avatar Member
    Are we looking at the same file? Here's the current release of Thud out of the current package
    TurboHUD 17.4.2.10 (v7.2) STABLE for Diablo III 2.5.0.44247 (DX11).zip with a checksum of 0be3ef1daafe58c89edfef959fbb0f4d right?
    Antivirus scan for 67c833585487f374fd7fd98399259055c1071aa2ab095cd65db403ac6f898a04 at
    2017-04-02 19:19:09 UTC - VirusTotal
    12/62 for me


    The version that generated quite a bit of noise was 17.3.30.10 with an md5 of d4299c757d49f2221785fa0fa2ad5977

    I was actually going to ask, now that you don't control the forum and it's easy for people to edit your posts and place malware, would you consider having a PGP signature to verify authenticity, perhaps?

  4. #4
    KillerJohn's Avatar TurboHUD HUDmaster CoreCoins Purchaser Authenticator enabled
    Define 'people'. I don't think that anybody could edit my posts without visible proof, except the highest admins. You should not worry about the download links...

  5. #5
    KillerJohn's Avatar TurboHUD HUDmaster CoreCoins Purchaser Authenticator enabled
    You are posting VirusTotal links for the .exe file, while I post the link for the .zip, so everything is included. The difference between yours (12 false positives) and mine (6) is probably caused by those 6 not supporting zip files somehow (this is an educated guess).

    Peace

  6. #6
    NeoCGS's Avatar Member
    Originally Posted by KillerJohn
        You are posting VirusTotal links for the .exe file, while I post the link for the .zip, so everything is included. The difference between yours (12 false positives) and mine (6) is probably caused by those 6 not supporting zip files somehow (this is an educated guess).

        Peace

    Latest scan of the ZIP shows 18/58.

    Antivirus scan for 7bdb09c18ba2507321e910eccebd1d2f7cf28e45cec19e5950b06365fbf21f0b at
    UTC - VirusTotal


    Note the identical checksum.

    Even Avast doesn't like it now, even after working fine for a long time with the older ones.
    Last edited by NeoCGS; 04-03-2017 at 11:57 AM.

  7. #7
    bg4u's Avatar Member
    Yep, something changed. Either one of the packers you are using is now listed as being very suspicious in AVs, or something else. I don't actually think you injected much if any code because the exe is still pretty much the same as the previous versions.

    Edit: To be specific for those who have no idea: I'm saying I don't think KJ has done anything malicious.

    Also, John, NeoCGS is correct;
    x@nope:/tmp$ wget http://www53.zippyshare.com/d/nNp80G...%28DX11%29.zip
    --2017-04-02 11:33:16-- http://www53.zippyshare.com/d/nNp80G...%28DX11%29.zip
    Resolving www53.zippyshare.com (www53.zippyshare.com)... 46.166.139.211
    Connecting to www53.zippyshare.com (www53.zippyshare.com)|46.166.139.211|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 52395858 (50M) [application/x-download]
    Saving to: ‘TurboHUD 17.4.2.10 (v7.2) STABLE for Diablo III 2.5.0.44247 (DX11).zip’

    100%[================================================================================ ================================================================================ ================================================================================ ===================================>] 52,395,858 7.22MB/s in 8.4s

    2017-04-02 11:33:25 (5.93 MB/s) - ‘TurboHUD 17.4.2.10 (v7.2) STABLE for Diablo III 2.5.0.44247 (DX11).zip’ saved [52395858/52395858]

    x@nope:/tmp$ sha256sum TurboHUD\ 17.4.2.10\ \(v7.2\)\ STABLE\ for\ Diablo\ III\ 2.5.0.44247\ \(DX11\).zip
    7bdb09c18ba2507321e910eccebd1d2f7cf28e45cec19e5950b06365fbf21f0b TurboHUD 17.4.2.10 (v7.2) STABLE for Diablo III 2.5.0.44247 (DX11).zip

    And obviously the VirusTotal link by the sha256 hash:
    Antivirus scan for 7bdb09c18ba2507321e910eccebd1d2f7cf28e45cec19e5950b06365fbf21f0b at
    2017-04-03 16:49:04 UTC - VirusTotal
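
Added example (not part of any post in this thread): posts #5 to #7 turn on whether a VirusTotal report refers to the .zip or to the .exe inside it. This Python sketch hashes an archive and each of its members and reports which object a quoted MD5 or SHA-256 belongs to; the sample archive and its member names are constructed for illustration.

```python
import hashlib
import io
import zipfile


def digests(data: bytes) -> dict:
    """MD5 and SHA-256 of one byte string (both are used as lookup keys in the thread)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def inventory(archive_bytes: bytes) -> dict:
    """Map '<archive>' and every member name to its digests."""
    result = {"<archive>": digests(archive_bytes)}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # directory entries carry no content to hash
            result[info.filename] = digests(zf.read(info))
    return result


def locate(archive_bytes: bytes, reported_hash: str) -> list:
    """Return which objects (archive or members) a reported hash refers to."""
    wanted = reported_hash.strip().lower()
    return [
        name
        for name, d in inventory(archive_bytes).items()
        if wanted in (d["md5"], d["sha256"])
    ]


def build_sample_zip() -> bytes:
    """Constructed sample: a tiny archive standing in for a release zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("app/tool.exe", b"MZ constructed sample payload")
        zf.writestr("app/readme.txt", b"constructed readme")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, d in inventory(sample).items():
        print(f"{d['sha256']}  {d['md5']}  {name}")
```

An empty result from `locate` means the quoted hash matches neither the archive nor anything inside it, so the report is for a different file or a different build.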

  8. #8
    Blueice22's Avatar Active Member
    I actually noticed the same thing: my AV program did not do anything for the previous version, but with this version my AV program would auto-delete it and I had to go create an exception for the file.

  9. #9
    KillerJohn's Avatar TurboHUD HUDmaster CoreCoins Purchaser Authenticator enabled
    Well, I have used the same build toolchain for years, so nothing changed on my side.

  10. #10
    bg4u's Avatar Member
    Super bizarre. I'm guessing the packer you use is triggering the AV's rule definitions. So ****ing lazy that AV companies use packers for signature analysis.
