VB.NET -- Trojan:Win32/AgentTesla!ml


Pa...@MargusConsulting.com

Jun 9, 2022, 4:31:07 PM
to Excel-DNA
I'm new to Excel-DNA.

I added several functions, and inserted
[ExcelFunction(Category = "My .NET Functions",   Description = "whatever")]
and
[ExcelArgument(Name="1st string", Description=@"Text Value")]
Everything worked like a charm. The functions, categories, etc. are all visible in Excel, and produce correct answers.

Unfortunately, the foregoing is in C#, but I'm much more facile in VB.NET.
I resolved to repeat the steps on a totally new solution, keeping everything unchanged except substituting VB.NET for C#, and translating the simple sample programs as appropriate.

As before, Excel started but no functions were visible.

On investigation, I discovered that Windows Defender detected the dreaded Trojan:
      Threat found - action needed. 2022-06-09 15:41
      SEVERE
      Detected: Trojan:Win32/AgentTesla!ml
      Status: Active
      Active threats have not been remediated and are running on your device.
      Date: 2022-06-09 15:41
      Details:  This program is dangerous and executes commands from an attacker.

Windows Defender had quarantined the entire Solution, and I let Windows Defender delete the offending files.  In Visual Studio, I also did "Build / Clean Solution".

I investigated further.  Taking it from the top, after each step, I did a "Build / Rebuild Solution".  Nothing bad happened until I went to NuGet and installed "ExcelDna.AddIn".  Running "Build / Rebuild Solution" triggered immediate warnings from Windows Defender.  I've tried this several times, and the behavior is consistent.

I'm running
  • Windows 11 Pro, 64-bit operating system, x64-based processor, up-to-date as of this morning.
  • Microsoft Visual Studio Professional 2022 (64-bit) - Current Version 17.2.3
Any suggestions would be greatly appreciated.

Govert van Drimmelen

Jun 9, 2022, 6:26:14 PM
to exce...@googlegroups.com

Hi Paul,

The anti-virus issues have been very frustrating – you’ll see various discussions here and on the GitHub project issues list.

It seems the trouble was caused by some malware authors using Excel-DNA as an easy way to create add-ins that in turn download and run malware executables.

So the anti-virus vendors try to pick some heuristic for detecting a ‘bad’ Excel add-in, and now they are mistakenly identifying and blocking all Excel-DNA add-ins.

I have Windows Defender running on my machine – with signatures last updated on 2022/06/09, and have not seen problems for many months.

This is when creating C# or VB.NET add-ins, with Excel-DNA version 1.5.1 or 1.6.0 previews.

Can you see what Windows Defender version or signatures you have running (maybe under the Windows Security tab)?

What version of the ExcelDna.AddIn package are you installing (I guess the latest release, which is version 1.5.1)?

I’d firstly recommend that you report the false positives to Microsoft.

They have been responsive in the past – better than some of the other A/V vendors.

Next you can try some other Excel-DNA versions to see if they are detected differently.

Best would be if you can use the current pre-release package version 1.6.0-Preview3.

Otherwise an older version 1.1 might also be fine.

There are some fixes in later versions, but for your purposes the older version might be fine, at least until your anti-virus stops blocking the newer versions.

Let us know what you find.

-Govert


Johan Mulder

Jun 10, 2022, 2:08:09 AM
to exce...@googlegroups.com
Hi Govert,

Playing a bit with Excel-DNA and I like it ;)   You're a star!!

I have also noticed that when unpacking the  *.xll add-in file you always get the following packed file inside.

[image attachment: image.png]

So most anti-virus is probably going to raise one flag already, as this filename seems generic across all Excel-DNA add-ins, and with bad actors using the add-ins as an attack vector this filename should probably be dynamic to prevent anti-virus pinning the add-in.

Any chance you can infer the name above from the dna name, so that myapp.dna would result in myapp above?

Johan

Johan Mulder

Jun 10, 2022, 10:27:16 AM
to Excel-DNA
Also,

The packed file is full of ExcelDNA references.  When I open the file in something like WordPad, there are lots of ExcelDNA references that anti-virus can use to flag the add-in (assuming now a very simplistic, crude inspection).  If there is a way to remove the commonality between the add-ins, then it's going to be a lot harder for anti-virus to build a "pattern signature" of the add-in.  Anti-virus vendors like to use the "beginning" and "end" of file text to do this.

This is an example of my Excel add-in (beginning text):

[image attachment: dna0.png]

This is an example of my Excel add-in (end text):

[image attachment: dna1.png]

Johan

Pa...@MargusConsulting.com

Jun 10, 2022, 5:03:40 PM
to Excel-DNA
Hello Govert --

First, I would like to say how impressive Excel-DNA is.  It meets a definite need.

============
Now, to your questions from yesterday:
  • Can you see what Windows Defender version or signatures you have running (maybe under the Windows Security tab)?
      In "Settings / About", I see the following System information:
      Antimalware Client Version: 4.18.2203.5
      Engine Version: 1.1.19200.6
      Antivirus Version: 1.367.1337.0
      Antispyware Version: 1.367.1337.0
  • What version of the ExcelDna.AddIn package are you installing (I guess the latest release, which is version 1.5.1)?
      Yes, I was using version 1.5.1.
============
Currently, I have 2 Solutions, substantially identical, except one is C# and the other is VB.NET.  They each contain
  • "public void AutoOpen" or "Public Sub AutoOpen()"
  • "public void AutoClose" or "Public Sub AutoClose()"
  • 3 simple text functions, each with category = "My .NET Functions".
============
In the C# solution,
  • I press F5
  • Excel Opens with the Security Warning. I press "Enable this add-in for this session only".
  • AutoOpen is fired.  I click OK in the resulting dialog.
  • To create a Blank Workbook, I press ctrl-N
  • My 3 text functions are visible under their category, and they work as expected.
When I press shift-F5 in the C# solution,
  • Excel closes, but
  • AutoClose doesn't fire (don't know why).
Conclusions for the C# solution:
  • The C# solution mostly works.
  • Windows Defender complained under Excel-DNA version 1.5.1.  I uninstalled it and installed version 1.1.1. Windows Defender seems to have stopped complaining.
============
In the VB.NET solution (with Excel-DNA version 1.1.1),
  • I press F5
  • Excel Opens with the Security Warning. I press "Enable this add-in for this session only".
  • AutoOpen is NOT fired.
  • To create a Blank Workbook, I press ctrl-N
  • My 3 text functions are NOT visible. Neither is their category. Entering a function name into a cell produces a #NAME? error.
When I press shift-F5 in the VB.NET solution,
  • Excel closes, but
  • AutoClose doesn't fire.
Conclusions for the VB.NET solution:
  • The VB.NET solution doesn't work, although the F5 and shift-F5 actions work.
  • It's possible that I somehow haven't got the VB.NET protocol exactly right, but for now I'll investigate further on my own.
============

Although Windows Defender is no longer complaining, I still have some unresolved messages.  I have tried "Actions Quarantine" and "Actions Remove" but they won't go away.  Maybe they are interfering with the VB.NET solution.

Tomorrow, I'll contact Microsoft.

Thanks for developing Excel-DNA.  And thanks for bearing with my questions.

Paul

Govert van Drimmelen

Jun 10, 2022, 5:23:34 PM
to exce...@googlegroups.com

Hi Paul,

AutoClose only fires in the case where an add-in is removed (from the installed add-ins list) during an Excel session.

It is not expected to run when Excel is closed normally.

I can’t imagine why there would be a difference for the anti-virus between the C# and VB.NET projects.

For the VB.NET add-in, be sure to make the functions ‘Public Shared’ in a ‘Public Class’ or put them inside a ‘Public Module’.

AutoOpen needs to have the right interface implementation story like this:

Imports ExcelDna.Integration

' The add-in class must be Public and implement IExcelAddIn,
' otherwise Excel-DNA never calls AutoOpen / AutoClose.
Public Class MyAddIn
    Implements IExcelAddIn

    ' Runs when the add-in is loaded by Excel
    Public Sub AutoOpen() Implements IExcelAddIn.AutoOpen
        MsgBox("Add-In Loaded")
    End Sub

    ' Runs only when the add-in is removed during an Excel session
    Public Sub AutoClose() Implements IExcelAddIn.AutoClose
    End Sub
End Class

----

 

I don’t seem to have the Microsoft Defender application front-end where you press Settings -> About.

I just have the built-in protection in Windows, and I can’t tell whether this is the same thing you have or not.
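As an added illustration (not code from this thread or from the Excel-DNA project itself), the following VB.NET file shows the two function-hosting shapes Govert describes, a Public Module and a Public Class with Shared members, together with the ExcelFunction / ExcelArgument attributes Paul used in his C# version. Module, class and function names are made up for the example; it assumes the ExcelDna.AddIn package is referenced and can sit in the same project as the IExcelAddIn class above.

```vbnet
' Added example for this thread (not the project's own sample code).
' Assumes the ExcelDna.AddIn NuGet package is referenced by the VB.NET project.
Imports ExcelDna.Integration

' Shape 1: a Public Module. Module members are implicitly Shared,
' so Excel-DNA can register every Public function here without an instance.
Public Module MyTextFunctions

    <ExcelFunction(Category:="My .NET Functions", Description:="Returns the text reversed")>
    Public Function ReverseText(
        <ExcelArgument(Name:="1st string", Description:="Text Value")> text As String) As String
        Return StrReverse(text)
    End Function

    <ExcelFunction(Category:="My .NET Functions", Description:="Joins two strings with a separator")>
    Public Function JoinText(
        <ExcelArgument(Name:="1st string", Description:="Text Value")> first As String,
        <ExcelArgument(Name:="2nd string", Description:="Text Value")> second As String,
        <ExcelArgument(Name:="separator", Description:="Placed between the two")> separator As String) As String
        Return first & separator & second
    End Function

End Module

' Shape 2: a Public Class. Here each exported function must be explicitly
' Shared (the VB.NET equivalent of C# static); an instance method is not
' registered, which shows up in Excel as a missing category and #NAME? errors.
Public Class MyClassFunctions

    <ExcelFunction(Category:="My .NET Functions", Description:="Upper-cases the text")>
    Public Shared Function UpperText(
        <ExcelArgument(Name:="1st string", Description:="Text Value")> text As String) As String
        Return text.ToUpperInvariant()
    End Function

    ' Not exported: the Shared modifier is missing, so Excel-DNA skips it.
    Public Function ThisWillNotAppear(text As String) As String
        Return text
    End Function

End Class
```

After a rebuild and loading the generated .xll, ReverseText, JoinText and UpperText should appear in the Insert Function dialog under "My .NET Functions", while ThisWillNotAppear is absent. A translation from C# that drops the `Shared` keyword on class methods is one plain way to get Paul's symptom (AutoOpen fires in C# but nothing is visible in VB.NET) without any anti-virus involvement.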

Govert van Drimmelen

Jun 10, 2022, 5:35:05 PM
to exce...@googlegroups.com

Hi Johan,

What anti-virus / security product are you dealing with, and is it currently flagging the version 1.6.0-preview3 add-ins as problematic?

Using the “ExcelDna” string in the packed file encoding is intentional.

My current thinking is that I don’t want to hide the fact that an add-in is made with Excel-DNA at all.

It would be great if your anti-virus vendor did not mistakenly classify all Excel-DNA based add-ins as malware.

The best way I know to improve their heuristics is to give them many different false positives, where they are making a mistake in identifying an add-in as malware.

That way, their heuristics will have to be improved to look beyond the implementation library in order to detect malware add-ins.

Otherwise we may soon find that no binary Excel .xll add-ins are allowed at all, and that might be a deeper hole to climb out of.

-Govert

Johan Mulder

Jun 11, 2022, 9:11:23 AM
to exce...@googlegroups.com
Hi Govert,

I don't have an anti-virus issue on my side. Simply experimenting with the add-in at this stage, so I don't have users using it.  My observations are purely what I perceive as low hanging fruits in tackling the issue that others are experiencing.

Johan
