Entire site taken down by 'malware attack' in Innosetup installer


P S

Jan 8, 2021, 8:10:14 AM
to innosetup
I just received a message from my web hoster that my entire web account (account, sites, email, everything) has been suspended because an innosetup installer I have (one I built in October 2020) has been detected as being the cause of an 'ongoing malware attack'.

It looks like a false positive but this is clearly an issue...

The report talks about these 'suspicious' things found within the installer exe

> Executes dropped EXE
> Loads dropped DLL
> Suspicious behavior: GetForegroundWindowSpam
> Suspicious use of WriteProcessMemory

Anybody else getting this issue?




P S

Jan 8, 2021, 8:15:33 AM
to innosetup
Just to add, I have been using Inno Setup for nearly 20 years (and it's great!) but this is the first time I've had an issue like this... 

Eivind Bakkestuen

Jan 8, 2021, 11:20:15 PM
to inno...@googlegroups.com
What results do you get when you upload your suspicious installer to be tested in e.g. virustotal.com?

Do you create codesigned installers (making them tamper proof)?

You'll find in this group that IS installers are often triggering false positives... but that's not a guarantee that your installer is a false positive.



--
You received this message because you are subscribed to the Google Groups "innosetup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to innosetup+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/innosetup/02234850-8cce-4404-97bb-1cfcda0b0f0dn%40googlegroups.com.

P S

Jan 9, 2021, 3:03:48 PM
to innosetup
Hi

Funnily enough, it is VirusTotal that flagged the installer via an outfit called 'netcraft' that checks websites for vulnerabilities.

VirusTotal claims 3 out of 70 scanners flagged the installer with the four triggers I listed earlier. No other local scanners on my side or on my webhoster's side found anything suspicious.

P S

Jan 9, 2021, 3:10:08 PM
to innosetup
I meant to add that the installer isn't codesigned but I checked it and it is identical to the one created by the original Innosetup build.  There is also no indication that any of my systems or that of my webhoster is compromised.  

It simply looks like there are things that the installer does that the scanners now decide are suspicious. Unfortunately, copying and 'dropping' files is exactly what an installer would be expected to do... it's not Innosetup's fault, but as it stands I can see more and more people will not be able to host Innosetup installers on their websites because VirusTotal will start flagging them. As it is right now, I will have to find new installer software that doesn't trigger VirusTotal or I will need to stop distributing my software :(

TonHu

Jan 10, 2021, 7:38:30 AM
to inno...@googlegroups.com
A more helpful approach could be to report a false positive to the involved AV suppliers, as they haven't done their homework properly.

On Sat 9 Jan 2021 at 21:10, 'P S' via innosetup <inno...@googlegroups.com> wrote:

Andrew Truckle

Jan 10, 2021, 10:14:45 AM
to innosetup
And, to sign your software.

P S

Jan 10, 2021, 10:34:13 AM
to innosetup
I certainly can report it but to whom?  VirusTotal?  Even if I do, do you think they will pay any attention whatever to me?  And in the many months that it takes them to figure it out - if they ever do - I will still be unable to publish my software - so I still have no choice but to publish it via another means.

Will signing the software prevent it from being detected?  It won't change what the installer actually does internally.

Alessandro Marinuzzi

Jan 10, 2021, 10:53:48 AM
to inno...@googlegroups.com
Setup with a high compression level can make the setup executable sensitive to VirusTotal engines. I never signed my setups and put them inside a zip folder. My life is simpler doing that.

Happy weekend.

Sent from a Samsung Galaxy Note 10+ smartphone


Andrew Truckle

Jan 10, 2021, 11:45:22 AM
to inno...@googlegroups.com
I have a dedicated FTP login provided by Avast where I upload my signed executables. They then whitelist them and email me confirmation.

Search for Avast “whitelist”. This also covers AVG.

Andrew

Sent from Mail for Windows 10

 

Gavin Lambert

Jan 10, 2021, 6:15:55 PM
to inno...@googlegroups.com
On 10/01/2021 9:10 am, 'P S' wrote:
> I meant to add that the installer isn't codesigned but I checked it and
> it is identical to the one created by the original Innosetup build.
> There is also no indication that any of my systems or that of my
> webhoster is compromised.
>
> It simply looks like there are things that the installer does that the
> scanners now decide are suspicious.  Unfortunately we would expect
> copying and 'dropping' files is exactly what an installer would be
> expected to do... it's not Innosetup's fault but as it stands I can see
> more and more people will not be able to host Innosetup installers on
> their websites because VirusTotal will start flagging them.  As it is
> right now, I will have to find a new installer software that doesn't
> trigger VirusTotal or I will need to stop distributing my software :(

For your immediate issue, you would need to tell your webhoster that it
is an entirely legitimate app installer, and that it uses an
installation engine that is commonly flagged as a false positive by
virus scanners that don't do their work properly.

If they don't agree to put your website back up after that, then take
your business elsewhere and find a better webhost.


But also, run your installer through virustotal and follow the false
positive reporting procedures for any scanner that flags it -- it should
have links for each one nearby.

Vladimir

Jan 11, 2021, 10:23:16 AM
to innosetup
I'm in the same boat. Each new installer generates a CrowdStrike alert, and our security team is pushing us to switch, as they say not only CrowdStrike but also McAfee and Mimecast detect installers packaged with InnoSetup as a 100% threat.

P S

Jan 11, 2021, 3:04:15 PM
to innosetup
Gavin: yes, I had a long debate with my webhoster to get my account reinstated, but they won't allow the installer to be hosted because their flagging and suspension system is automatic and handled by a third party. So my choice is to change webhoster or installer... changing webhoster is a major pain, as I'm sure everybody knows.

My point, and the point of getting in touch here, is that in general if Innosetup is increasingly getting flagged in this way it might behove the developers to look at ways to prevent these false positives from happening by altering their code... It's not their fault, but the sad truth is that, just like we as developers have to modify our code to work around OS bugs that aren't our fault all the time, the Innosetup guys can't fight the tide and ultimately they will begin to lose customers, because the customers will choose the path of least resistance and change installer... which I'm sure none of us want.

Jernej Simončič

Jan 11, 2021, 3:23:27 PM
to 'P S' via innosetup on [innosetup]
On Monday, January 11, 2021, 21:04:15, 'P S' via innosetup wrote:

> My point. and the point of getting in touch here, is that in general if
> Innosetup is increasingly getting flagged in this way it might behove the
> developers to look at ways to prevent these false positives from happening
> by altering their code...

They can't – the majority of false positives happen because some malware also uses Inno Setup for distribution, and lazy AV companies just flag the installer.

--
< Jernej Simončič ><><><><>< https://eternallybored.org/ >

You always find something in the last place you look.
-- Boob's Law

Alessandro Marinuzzi

Jan 11, 2021, 3:31:09 PM
to inno...@googlegroups.com
And putting the setup into a folder and then zipping it? Example:

Setup.exe -> folder "Setup" - > zipping "Setup.zip"

This can prevent the setup.exe from being executed and would be a workaround in the meantime...

Hope this helps

Alessandro


On Sun 10 Jan 2021, 17:03 'P S' via innosetup <inno...@googlegroups.com> wrote:
> Yes, unfortunately it looks like the VirusTotal engines that are complaining work by executing the installer inside a virtual sandbox and monitoring its Windows API usage, so wrapping it up won't prevent the detection. There's not an easy way around this one.

Andrew Truckle

Jan 11, 2021, 3:35:39 PM
to inno...@googlegroups.com
Did you do what I said and sign it and upload it to the Avast whitelist? Sometimes this process stops the problems for many virus vendors.


Jordan Russell

Jan 14, 2021, 4:05:02 PM
to innosetup
On Monday, January 11, 2021 at 2:04:15 PM UTC-6, P S wrote:
> Gavin; yes, I had a long debate with my webhoster to get my account reinstated, but they won't allow the installer to be hosted because their flagging and suspension system is automatic and handled by a third party. So my choice is to change webhoster or installer... changing webhoster is a major pain as I'm sure everybody knows.

Temporarily, though, couldn't you move just the installer EXEs to a different host (on a different domain)?
 
> My point. and the point of getting in touch here, is that in general if Innosetup is increasingly getting flagged in this way it might behove the developers to look at ways to prevent these false positives from happening by altering their code... It's not their fault, but the sad truth is that, just like we as developers have to modify our code to workaround OS bugs that aren't our fault all the time, the Innosetup guys can't fight the tide and ultimately they will begin to loose customers because the customers will choose the path of least resistance and change installer... which I'm sure none of us want.

Well first, this really isn't a new problem. Reports of false detections come in multiple times every year. Typically, once the vendor is made aware of the issue (e.g. by following the submission process on the vendor's website), it's resolved within a few days via a definition update.

Second, false detections aren't unique to Inno Setup. They've been known to happen with other installers as well, such as NSIS.

I suspect a contributing factor in your case may be the lack of a digital signature on your EXEs. When I run Inno Setup's own signed installer (innosetup-6.1.2.exe) through VirusTotal, it reports only 1 detection -- something called "CRDF", which Google seems to know nothing about -- compared to the 3 you're seeing.

Signing your installers is strongly encouraged anyway, because without a signature, users have no way of knowing if the EXEs they download from your website have been tampered with since you uploaded them. (HTTPS should prevent man-in-the-middle tampering, but it doesn't help if the files on the server have been modified directly.)
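As an added example (not code from the thread, from Inno Setup, or from any poster), this PowerShell script performs the check Jordan says users cannot do without a signature: it verifies the Authenticode signature on a downloaded installer, pins the expected signer's certificate thumbprint, and compares the file's SHA-256 with the hash recorded at build time (the comparison P S did by hand). The installer path, thumbprint and hash are placeholders you supply.

```powershell
# Added example: verify a hosted/downloaded installer before running or re-hosting it.
# The thumbprint and SHA-256 defaults are placeholders, not real values.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [string] $ExpectedThumbprint = 'PLACEHOLDER_SIGNER_CERT_THUMBPRINT',
    [string] $ExpectedSha256     = 'PLACEHOLDER_SHA256_RECORDED_AT_BUILD'
)

function Test-InstallerIntegrity {
    param([string] $Path, [string] $Thumbprint, [string] $Sha256)

    $result = [ordered]@{ Path = $Path; SignatureOk = $false; HashOk = $false }

    # Authenticode check. Status is 'Valid' only when the certificate chain verifies
    # and the signed portion of the file is unmodified; 'NotSigned' is the situation
    # P S described, and 'HashMismatch' means the file was altered after signing.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status
    if ($sig.Status -eq 'Valid') {
        $result.Signer = $sig.SignerCertificate.Subject
        # Pin the publisher: a valid signature from an unexpected signer is still a red flag.
        $result.SignatureOk = ($sig.SignerCertificate.Thumbprint -eq $Thumbprint.ToUpperInvariant())
    }

    # Independent check: the file on the web server must hash to the value recorded
    # when the installer was built. This catches on-server modification even when the
    # file was never signed, which HTTPS alone does not cover.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.Sha256 = $hash
    $result.HashOk = ($hash -eq $Sha256.ToUpperInvariant())

    return [pscustomobject]$result
}

$r = Test-InstallerIntegrity -Path $InstallerPath -Thumbprint $ExpectedThumbprint -Sha256 $ExpectedSha256
$r | Format-List
if (-not ($r.SignatureOk -and $r.HashOk)) {
    Write-Warning "Installer failed verification; investigate before running or re-hosting it."
    exit 1
}
```

Run it against the copy fetched from the web server, not the local build, so that server-side tampering is what gets tested.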

Jordan Russell

Jan 14, 2021, 4:23:16 PM
to innosetup
On Monday, January 11, 2021 at 9:23:16 AM UTC-6, Vladimir wrote:
> I'm in the same boat. Each new installer generates CrowdStrike alert and our securities pushing us to switch as they say not only CrowdStrike but also McAfee and Mimecast detects installers packaged with InnoSetup as 100% threat.

Are you signing your installers? Have you tested your installers with VirusTotal? Have you reported the false detections to the vendors?

Jordan Russell

Jan 16, 2021, 3:58:35 PM
to innosetup
On Thursday, January 14, 2021 at 3:05:02 PM UTC-6 Jordan Russell wrote:
> When I run Inno Setup's own signed installer (innosetup-6.1.2.exe) through VirusTotal, it reports only 1 detection -- something called "CRDF"

Correction: I had performed that scan by pasting the URL into VirusTotal, not realizing that that just does a check on the website, and does not download or scan the actual file. When I upload the file instead, 0 detections are reported.

As for that CRDF Labs detection on the website: There's no way to see the exact reason, but evidently, according to their Criteria page, simply not posting a Privacy Policy is enough to get blacklisted. 🙄

Alessandro Marinuzzi

Jan 17, 2021, 1:57:28 AM
to inno...@googlegroups.com
Try to scan your website by passing the url of your website to VirusTotal and see.

Sent from a Samsung Galaxy Note 10+ smartphone