False Positives in 0.2.0.30: RISING found Trojan.PSW.Win32.Undef.adp

by phobos | August 6, 2008

I've noticed a few comments about a Chinese anti-virus program, RISING, reporting that Vidalia.exe and Privoxy.exe are infected with Trojan.PSW.Win32.Undef.adp. In both cases, I suspect that RISING is reporting false positives. These executables as packaged and available on the Tor download page are not infected.

I've compared the MD5 and SHA-1 sums of these programs as included in the Vidalia bundle, and they match the executables produced from the source packages. The privoxy.exe included in the bundles is the exact same one as found at the Sourceforge Privoxy Download Page.

The Vidalia.exe is the same as the one included in the Vidalia Download Page.

Feel free to confirm this is true for you. Better yet, let us know if these individual packages (Vidalia.exe from Vidalia and Privoxy.exe from Sourceforge) also show up as infected.
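The check described above, as an added example that is not part of the original post: compute the MD5 and SHA-1 of each bundled executable and compare both against a reference manifest of published sums. The manifest below is constructed for the demo (the digests listed are those of the three-byte content written to the sample file), not the real Vidalia or Privoxy sums.

```python
import hashlib
import os
import tempfile

# Constructed reference manifest (hypothetical values for the demo).
# In real use these would be the sums published by the upstream project.
# The digests below are the well-known MD5 and SHA-1 of the bytes b"abc",
# which is what demo() writes into the sample file.
REFERENCE = {
    "privoxy.exe": {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    },
}


def digests(path, chunk_size=65536):
    """Return MD5 and SHA-1 hex digests of a file, read in chunks."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(path, expected):
    """Compare a file's digests with the published ones.

    Both algorithms must match: MD5 alone is collision-prone, so a
    mismatch in either digest is treated as a failure.
    Returns (ok, list_of_mismatching_algorithms)."""
    actual = digests(path)
    bad = [alg for alg in ("md5", "sha1") if actual[alg] != expected[alg].lower()]
    return (not bad, bad)


def check_bundle(directory, reference=REFERENCE):
    """Verify every file named in the manifest inside a bundle directory."""
    results = {}
    for name, expected in reference.items():
        path = os.path.join(directory, name)
        results[name] = verify(path, expected) if os.path.exists(path) else (False, ["missing"])
    return results


def demo(content=b"abc"):
    """Write a constructed sample file and check it against the manifest."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "privoxy.exe"), "wb") as f:
            f.write(content)
        return check_bundle(d)


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(name, "OK" if ok else "MISMATCH: " + ", ".join(bad))
```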

Comments


phobos

August 06, 2008


An old version of tor doesn't mean they have weak keys. Only Debian systems which were installed during the period of vulnerability are risky. We believe we've blacklisted all bad keys, so those servers would have dropped off the network long ago.

Old versions of tor may have other bugs, however. Anyone running 1.1 is probably vulnerable. 0.2.0.30 is the new stable, 0.2.1.x is the new alpha.

Here are all the versions I currently see as tor nodes:

0.1.1.19-rc
0.1.1.20
0.1.1.21
0.1.1.22
0.1.1.23
0.1.1.24
0.1.1.25
0.1.1.26
0.1.2.10-rc
0.1.2.12-rc
0.1.2.13
0.1.2.14
0.1.2.15
0.1.2.16
0.1.2.17
0.1.2.18
0.1.2.19
0.1.2.2-alpha
0.1.2.3-alpha
0.2.0.12-alpha
0.2.0.18-alpha
0.2.0.20-rc
0.2.0.21-rc
0.2.0.22-rc
0.2.0.23-rc
0.2.0.24-rc
0.2.0.25-rc
0.2.0.26-rc
0.2.0.27-rc
0.2.0.28-rc
0.2.0.29-rc
0.2.0.2-alpha
0.2.0.30
0.2.0.4-alpha
0.2.0.5-alpha
0.2.0.6-alpha
0.2.0.7-alpha
0.2.0.8-alpha
0.2.0.9-alpha
0.2.1.0-alpha-dev
0.2.1.1-alpha
0.2.1.2-alpha
0.2.1.2-alpha-dev
0.2.1.3-alpha
0.2.1.4-alpha
0.2.1.4-alpha-dev

August 13, 2008


Ah, RISING anti-virus: it always misses true viruses but reports false positives; no one should be surprised about this. It even reports that the open source edition of the Qt 4.4.1 installer has some trojan/malware downloader. Really, it'd be abnormal if RISING didn't report false positives all the time.

August 14, 2008


The Chinese government is most likely not a fan of Tor, so imagine them pressuring domestic Chinese anti-virus companies to include false positives on Tor software. It perhaps would be an effective way to stop new Chinese dissidents from using Tor to discover uncensored news beyond China's "Great Firewall".

Just a little conspiracy theory for you all. It happens all the time.

I bid you all adieu!