Symantec declares old version(s) of VNC as "Trojan" software

  • Symantec declares old version(s) of VNC as "Trojan" software

    well, my day just went to shit in a fucking hurry. i have many consulting clients. they are located far and wide, and have many machines at each location. all win32 machines that i deploy run my standard gamut of utilities, all installed from a master disc that i keep handy. it's nice to know that no matter what site i may be going to, all computers will have the exact same tools available to me (basics like winzip, winrar, ssl tunnel, putty, process explorer, regmon, etc.)

    one of the tools i've installed at least eight million times is VNC... possibly my favorite "remote desktop" type tool. i love it because of its ridiculously slim footprint and resource use and the fact that it runs as a service yet only uses two files. i tunnel it all through SSL and am happy as a pig in slop. anytime someone has weirdness, i can choose to securely connect in remotely, fuss around, and usually fix it without putting on pants.

    today, with Revision #18 of Symantec's September 20th virus definition file, version 1.2.3 of TightVNC is being called a "trojan" and the antivirus tool is trying to delete it.... all. fucking. over. town. i've got panicked and uncertain people calling me, and i can't just tell them "no, you're not virused, close the message and i'll get to it when i see you next" since the antivirus tool is actively trying to delete an executable that's running as a service... failing to do so, then generating another message every 30 seconds. the latest TightVNC (1.2.9 stable and 1.3.8 beta RC1) seems unaffected. looks like i'm in for a huge-ass session of repair jobs.

    heh, if i were unscrupulous i'd be able to make a killing on this and charge everyone for "emergency service" fees or something.

    UPDATE: some new fun details of the situation

    1. for those who haven't figured this out yet, trying to remotely update one's own remote-connection tools is not a day at the beach. i've had to custom-create a zip file that i'm going to remote-download onto these machines which includes within it a batch command that will (hopefully) kill the vnc service, rename the old executables, extract the new executables, and restart the service again. of course, on servers where the firewall monitors the checksum of all TCP connecting apps, that will be a problem.

    2. the newer versions of VNC seem to be a little bit flaky at times. for example, the "send Ctrl-Alt-Delete" command (the most useful fucking thing about vnc if you're on a winnt platform at the other end) seems to not always work. [EDIT: after a little more poking and prodding, it seems that a restart of the service or in extreme cases a reboot of the computer will get the Ctrl-Alt-Delete functioning without error.]

    3. nowhere on symantec's web site does there seem to be a phone number that i can call in order to scream at someone. random email to their support staff simply will not convey my emotions properly at this moment.

    UPDATE: someone was kind enough to clue me in to the company's naming scheme for email accounts. a list of corporate officers and other department heads yielded an audience for the email i sent off late last night.

    UPDATE2: of the few emails that i sent, one generated a response. symantec's President of Consumer Products and Solutions replied with a very polite and sympathetic message, telling me that their response team would look into the matter. i'm still going with my script kiddie theory (seen in a response below) as opposed to any attempts by one company to torpedo a competitor's product.
    Last edited by Deviant Ollam; September 21, 2006, 08:36.
    "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
    - Trent Reznor
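
    The swap described in item 1 of the post above (stop the service, rename the old binaries, drop in the new ones, restart) as an added example. This is not the original poster's batch file; it assumes, as nobody in the thread states, that the TightVNC server is registered as a service named "winvnc", is installed under %ProgramFiles%\TightVNC, and consists of WinVNC.exe and VNCHooks.dll, and that the new build of those two files sits in the same directory as the script (i.e. the zip has already been extracted there).

```batch
@echo off
REM Added example, not the poster's script. Replace a running TightVNC
REM server's binaries in place and bring the service back up, keeping the
REM old files so the change can be reversed.
REM Assumed (not from the thread): service name "winvnc", install path
REM %ProgramFiles%\TightVNC, files WinVNC.exe and VNCHooks.dll. Run with
REM administrative rights from the directory holding the new binaries.
setlocal
set SVC=winvnc
set DEST=%ProgramFiles%\TightVNC
set NEWDIR=%~dp0

if not exist "%NEWDIR%WinVNC.exe" (
  echo New WinVNC.exe not found next to this script; aborting.
  exit /b 1
)
if not exist "%NEWDIR%VNCHooks.dll" (
  echo New VNCHooks.dll not found next to this script; aborting.
  exit /b 1
)

REM 1. Stop the service so the executable is no longer locked. If it does
REM    not stop, leave the installation alone rather than half-replace it.
net stop %SVC%
if errorlevel 1 (
  echo Service %SVC% did not stop cleanly; refusing to touch the files.
  exit /b 1
)

REM 2. Rename rather than delete the old binaries so a rollback is possible.
if exist "%DEST%\WinVNC.exe.old" del "%DEST%\WinVNC.exe.old"
if exist "%DEST%\VNCHooks.dll.old" del "%DEST%\VNCHooks.dll.old"
ren "%DEST%\WinVNC.exe" WinVNC.exe.old
ren "%DEST%\VNCHooks.dll" VNCHooks.dll.old

REM 3. Copy in the new build.
copy /y "%NEWDIR%WinVNC.exe" "%DEST%\WinVNC.exe" >nul
if errorlevel 1 goto rollback
copy /y "%NEWDIR%VNCHooks.dll" "%DEST%\VNCHooks.dll" >nul
if errorlevel 1 goto rollback

REM 4. Restart and confirm the service is really running, not just started.
net start %SVC%
sc query %SVC% | find "RUNNING" >nul
if errorlevel 1 goto rollback

echo Upgrade complete; %SVC% is running from the new binaries.
exit /b 0

:rollback
echo Upgrade failed; restoring the previous binaries.
copy /y "%DEST%\WinVNC.exe.old" "%DEST%\WinVNC.exe" >nul
copy /y "%DEST%\VNCHooks.dll.old" "%DEST%\VNCHooks.dll" >nul
net start %SVC%
exit /b 1
```

    Two things to expect when running this over the very VNC session it replaces: the screen goes away at the `net stop`, and the script keeps going because cmd.exe is not a child of the service; reconnect once it has had time to reach `net start`. And, as the post notes, a host firewall that keys its rules on the checksum of the connecting executable will treat the new WinVNC.exe as an unknown program, so that rule has to be re-approved before the restarted service can accept inbound connections.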

  • #2
    Re: Symantec declares old version(s) of VNC as "Trojan" software

    I wrote about this a full 7 years ago. Symantec and most anti-virus companies have a definition creep where normally legit tools get caught up as viruses. The case I took on was for the paid version of sub-seven. The origins were shady, but it was changed into a useful remote desktop utility. The sneaky parts were removed and things were now 'legit'.

    Sounds like you're having the same problem as Weld Pond had years ago with l0phtcrack. Some company was tired of employees using l0phtcrack to snarf passwords, so rather than tightening their password policy, they lobbied their vendor (trend micro I think) to add it to the definitions and auto-nuke it. Every other company listed it as well in short order, calling it all sorts of nasty things, but not listing paid password auditing software that did the same thing. I'm betting that someone complained that their passwordless VNC server installation was being abused internally and so they got someone to add it to the definitions.

    What exactly is it being referenced as?

    The fact that symantec sells PC Anywhere just makes things very suspicious.

    I fought for a couple years to get Symantec and others to de-list the paid version of sub-seven. At one point they stopped taking my calls when they punched my name into their system. Sounds like I might have to harass a few people.

    Keep us posted.

    EDIT: Interesting, the Symantec threat database does not list VNC.....
    Last edited by renderman; September 20, 2006, 15:51.
    Never drink anything larger than your head!



    • #3
      Re: Symantec declares old version(s) of VNC as "Trojan" software

      3. nowhere on symantec's web site does there seem to be a phone number that i can call in order to scream at someone. email simply will not convey my rage properly at this moment.
      If you are still interested in contacting Symantec, I got phone numbers and addresses for them.

      Symantec World HQ
      20330 Stevens Creek Blvd.
      Cupertino, CA 95014 USA

      1 (800) 441-7234
      1 (541) 334-6054

      It also gives many many international numbers at this site:

      http://enterprisesecurity.symantec.com/PDF/ITSECWP.pdf

      Hopefully this helps


      oo0 nothing 0oo
      "In the end, our society will be defined not only by what we create, but by what we refuse to destroy." - John Sawhill



      • #4
        Re: Symantec declares old version(s) of VNC as "Trojan" software

        Active Ports and Cain & Abel are also 'threats' according to Symantec.
        "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";



        • #5
          Re: Symantec declares old version(s) of VNC as "Trojan" software

          Originally posted by renderman
          same problem as Weld Pond had years ago with l0phtcrack ... calling it all sorts of nasty things, but not listing paid password auditing software that did the same thing.
          yes, i remember you telling me about that. part of the impetus behind anti-av.com or something? (can't remember the exact name of that site)

          Originally posted by renderman
          What exactly is it being referenced as?
          while most malware get bagged and tagged under a very specific naming scheme (a la "Backdoor.GapingAnus.B" or something long and technical like that) this situation surprisingly generates messages with the sparse warning of "Trojan Horse" and that's all. No category designation, no outbreak/version classifier.

          Originally posted by renderman
          The fact that symantec sells PC Anywhere just makes things very suspicious.
          indeed. the day that an uber-mainstream product is flagged is the day satan needs a pair of longjohns.

          Originally posted by renderman
          EDIT: Interesting, the Symantec threat database does not list VNC
          if i had to bet, i'd imagine that some leetboy h4x0r custom-wrote some rootkit which essentially consisted of his favorite tools in a zip file with a self-hiding executable. wouldn't surprise me if wget, tftp, and net cat wind up having their signatures flagged after this.


          • #6
            Re: Symantec declares old version(s) of VNC as "Trojan" software

            update - i tossed a quick tutorial page online for those that need hand-holding with the upgrading of VNC. it's mostly for clients of mine that have only one or two machines (whose sites are really far away and therefore i don't want to visit) but if anyone here for some reason ran into trouble (or has a relative whose computer gets in a twist about this) feel free to use the files and images at the following URL to make the upgrade smooth and easy for even the most novice user...

            http://deviating.net/vnc


            • #7
              Re: Symantec declares old version(s) of VNC as "Trojan" software

              After spending at great expense for one of my smaller clients a five license firewall and virus package, the Symantec software worked great for about nine months, and then started weekly asking to be registered (again), then daily (again and again), and then after about a month later it told me its been registered too many times and it just quit.

              Calling 'Betty' and 'Jo Ann' and 'Bobby' in India for Symantec's tech support gets old after about five minutes of dicking around with their canned script.

              To hell with their company, I can only imagine what kind of layers of hell I'd have to deal with for their enterprise gear.
              Nonnumquam cupido magnas partes Interretis vincendi me corripit



              • #8
                Re: Symantec declares old version(s) of VNC as "Trojan" software

                Something similar happened to me at my previous job. Symantec decided that cmdow.exe was a 'virus'. We used it in our scripts to hide the dos windows that pop up so the user doesn't freak out. Had to dig into the software and make exclusions for that software...what a task



                • #9
                  Re: Symantec declares old version(s) of VNC as "Trojan" software

                  Active Ports and Cain & Abel are also 'threats' according to Symantec.
                  Not only those but NetCat too!

                  Good luck with contacting Symantec and getting an intelligent response. We have a specific product from Symantec that we continuously have issues with and pay a lot for licensing and support for it. Everytime we contact them about a problem it's like they don't even know how their own product works.



                  • #10
                    Re: Symantec declares old version(s) of VNC as "Trojan" software

                    Originally posted by cashmoney
                    Not only those but NetCat too!

                    Good luck with contacting Symantec and getting an intelligent response. We have a specific product from Symantec that we continuously have issues with and pay a lot for licensing and support for it. Everytime we contact them about a problem it's like they don't even know how their own product works.
                    Having Norton tag NetCat a virus every time the bleeding thing ran the AV scan was a pain in the ass. If I am at either Costco or Sam's Club I often find myself evangelizing all the negatives of Symantec software if I see it sitting in someone's cart, pointing out there's plenty of free security software that is just as good as paying good money for the same thing, and telling them all to keep their machines patched with the latest updates.


                    • #11
                      Re: Symantec declares old version(s) of VNC as "Trojan" software

                      pardon me in this brief moment of self-congratulatory fanfare. i've not gone to bed and have been hectically bouncing all around the tri-state area upgrading as many computers as i could before they grabbed the latest virus definitions and went apeshit. i have to say that my success in this endeavor has been very rewarding so far. my vnc upgrade tutorial page is working well for the most far-flung offices with only a few machines. as for large clients with enterprise-size networks (a couple schools, in particular) it's been one of those moments where you just kneel down and give thanks to the fact that you kept shit running properly until now. like reaching for a shotgun whose action is smooth and unfouled when a riot starts in your city -- you breathe a near-silent thank you to whomever taught you to keep a weapon cleaned and oiled -- i'm so grateful to have known a few fanatical sysadmins when i was growing up. these guys kept their networks running like swiss watches and i learned to do the same.

                      i've been able to remote-upgrade about 90% or more of the machines at the huge sites, they all have the same profiles and configs, etc. only one user thus far has come to me saying even so much as "there was a strange virus message on my computer but now it's gone" and that's it.

                      when we do our jobs well, people shouldn't know we did them at all. the tech world isn't a career path that will blanket you in praise and recognition, but it's exceedingly satisfying to be the person who drifts silently across the network like a protecting ghost, slaying demons whom the regular users will never know or see.


                      • #12
                        Re: Symantec declares old version(s) of VNC as "Trojan" software

                        latest news...

                        well, isn't this a kick in the head... symantec was wickedly on the ball about the whole thing and was actually addressing the issue as early as last night, shortly after i had sent off the original email. their latest definition file (2006-09-20 rev 52) does NOT flag TightVNC 1.2.3 as a trojan.

                        in addition to their president for consumer products responding to me, their senior director for security response ops had the matter come across his desk and he, too, offered apologies and assurances that things were being addressed.

                        i, for one, am impressed. a huge corporation like this wouldn't have likely upset or offended a wide array of their customers if they just ignored the matter. i mean, how many people can be running a wildly out of date version of an open-source offshoot of an old AT&T remote admin tool? i may have been one of a dozen people affected. (of course, the fact that i had deployed this executable to like ~500 machines may have skewed the data in this matter)

                        so, yeah... any stragglers or clients who were unreachable in the past 36 hours will not be a problem. by now their AV tools have likely fetched the latest definitions and will not balk about TightVNC.

                        heh, quite a good day in my book, i must say... something of significance got done and was done well. i'm pleased to be a part of that when it manages to happen every now and then.