Antivirus detecting compiled C++ files as trojans

I had installed a C++ compiler for Windows with MinGW. I tried to make a simple program:

#include <iostream>
using namespace std;

int main() {
   cout << "Hello World!";
   return 0;
}

And saved it as try.cc. Afterwards I opened cmd in the folder and ran g++ try.cc -o some.exe. It generated some.exe, but my antivirus (Avast) recognized it as malware. I thought it could be a false positive, but it specifically said it's a trojan.

I removed the file from the virus chest and uploaded it to "https://www.virustotal.com/". The result: https://i.stack.imgur.com/jC2oz.png

24 out of 72 engines detected it as malware and a lot of them as a trojan.

Is this a false positive? Why would it get detected as a trojan? If it is, how do I avoid getting this warning every time I make a new program?

Edit:

Thanks all for the help, I ran a full scan of my computer, with 2 antivirus and everything seemed clean. I also did a scan on the MinGW folder and nothing.

The problem keeps appearing each time I make a new C++ program. I tried modifying the code and the name, but the AV kept detecting it as a virus. Funny thing is that changing the code changed the type of virus the AV reported.

I'm still not 100% sure that the compiler is clean, so I don't know if I should ignore it and run the programs anyway. I downloaded MinGW from "https://osdn.net/projects/mingw/releases/".

If anyone knows how to be completely sure that the executables created are not viruses, only false positives, I would be glad if they shared it.

Edit 2:

It occurred to me that if the compiler is infected and it's adding code, then I might be able to see it with a decompiler/disassembler by feeding it the executable. I downloaded a C++ decompiler I found here, "snowman", and used it on the file. The problem is that the code went from 7 lines in the original source to 5265, and it is a bit hard to make sense of it. If someone has some experience with reverse engineering, a link to the original file is in the comments below.

gabriel asked Nov 10 '20 13:11

2 Answers

The issue has come up before. Programs compiled with mingw tend to trigger the occasional snake oil (i.e., antivirus program) alarm. That's probably because mingw is a popular tool chain for virus authors and thus its output matches generic patterns occurring in true positives. This has come up over and over again, also on SE (e.g. https://security.stackexchange.com/questions/229576/program-compiled-with-mingw32-is-reported-as-infected). [rant] In my opinion that's true evidence of incapacity for the AV companies because it would be easy to fix and makes you wonder whether the core functions of their programs are better implemented. [/rant]

Your case is a bit suspicious though because the number of triggered AV programs is so large. While I have never heard of a compromised mingw, and a cursory google search did not change that, it's not impossible. Compromising compilers is certainly an efficient method to spread a virus; the most famous example with an added level of indirection is the Ken Thompson hack.

It is also certainly possible that your computer is infected with a non-mingw-originating virus which simply inserts itself into new executables it finds on disk. That should be easy to find out by the usual means. A starting point could be to subject a few other (non-mingw) new executables to the online examination; they should trigger the same AV programs.

Note that while I have some general IT experience I have no special IT security knowledge; take everything I say just as a starting point for your own research and actions.

Peter - Reinstate Monica answered Sep 21 '22 13:09



This could be caused by two things:

  1. It really is a trojan: you downloaded your mingw from some place where its code was altered to add a virus inside each program you create. This is done for almost all the commercial compilers; all "free" (cracked) versions have that code inside them, and each time you compile your code the virus is added to your exe.

  2. The hash of your exe for some reason matched an existing virus. You can confirm this by altering one character in your code, for example "hello world!" to "hello world?", and seeing if it is still considered a virus; if yes, there is a very high chance that your compiler adds viruses to your programs.

phoenixstudio answered Sep 17 '22 13:09

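As an added example (not code from the question or from either answer), the following Python script does the offline, static part of what both answers propose: it parses a PE file's section table, flags sections that are both writable and executable or that hold high-entropy code (the usual shape of an appended, packed payload), and diffs the section tables of two builds, so phoenixstudio's one-character change can be compared structurally instead of only by AV verdict. It assumes nothing about the real some.exe: the sample images are constructed inside the script (synthetic PEs with a bare COFF header and no optional header, which the section parser does not need), and a real MinGW hello world will show more sections (.text, .data, .rdata, .bss, .idata, .CRT, .tls and so on).

```python
"""Offline PE section triage and build-to-build diff (added example, not from the original post)."""
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 means uniformly random, typical of packed or encrypted payloads."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Follow e_lfanew to the PE signature, read the COFF header, and return one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                               # section table follows the optional header
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        name, rawsize, rawptr, chars = fields[0], fields[3], fields[4], fields[9]
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": rawsize,
            "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
            "entropy": round(shannon_entropy(raw), 2),
            "raw": raw,
        })
    return sections


def triage(image: bytes) -> list:
    """Flag section traits a plain compiler-emitted hello world should not have."""
    findings = []
    for s in parse_sections(image):
        if s["exec"] and s["write"]:
            findings.append(f'{s["name"]}: section is both writable and executable')
        if s["exec"] and s["entropy"] > 7.0:
            findings.append(f'{s["name"]}: high-entropy code section ({s["entropy"]} bits/byte), packed or encrypted?')
    return findings


def diff_sections(a: bytes, b: bytes) -> list:
    """Names of sections present in only one build or whose raw bytes differ between the two."""
    sa = {s["name"]: s["raw"] for s in parse_sections(a)}
    sb = {s["name"]: s["raw"] for s in parse_sections(b)}
    return sorted(n for n in sa.keys() | sb.keys() if sa.get(n) != sb.get(n))


def build_pe(sections) -> bytes:
    """Assemble a synthetic PE (DOS header, PE signature, COFF header with no optional header,
    section table, raw data). Constructed for this example; it is not a loadable Windows binary."""
    nsec = len(sections)
    pe_off = 0x40
    ptr = pe_off + 24 + 40 * nsec                  # raw data starts right after the section table
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x0102)
    headers, blobs, va = b"", b"", 0x1000
    for name, data, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, len(data), ptr, 0, 0, 0, 0, chars)
        blobs += data
        ptr += len(data)
        va += 0x1000
    return dos + coff + headers + blobs


# Constructed sample inputs (not real MinGW output, which carries more sections than these).
TEXT_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RDATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
CODE = bytes.fromhex("5589e583ec10c745fc00000000") * 32       # repetitive x86 prologue bytes, low entropy
RANDOMISH = bytes(range(256)) * 16                             # every byte value equally often: entropy 8.0
CLEAN_A = build_pe([(".text", CODE, TEXT_FLAGS), (".rdata", b"Hello World!\0", RDATA_FLAGS)])
CLEAN_B = build_pe([(".text", CODE, TEXT_FLAGS), (".rdata", b"Hello World?\0", RDATA_FLAGS)])
TAMPERED = build_pe([(".text", CODE, TEXT_FLAGS), (".rdata", b"Hello World!\0", RDATA_FLAGS),
                     (".inj", RANDOMISH, TEXT_FLAGS | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_A), ("tampered", TAMPERED)):
        print(label, [(s["name"], s["size"], s["entropy"]) for s in parse_sections(image)], triage(image))
    print("one-char change:", diff_sections(CLEAN_A, CLEAN_B))
    print("extra section:  ", diff_sections(CLEAN_A, TAMPERED))
```

On real files, call parse_sections(open("some.exe", "rb").read()) and diff_sections() on the two builds. Two builds of the same source that differ by one same-length character should differ only in .rdata (where the string literal lives); a section that appears only in one build, or .text changing, is the thing to open in a disassembler. The check is deliberately crude: it catches an appended or injected payload, not a compromised compiler that alters code generation itself. For that case the stronger checks are to verify the downloaded archive's checksum against the one the project publishes, and to rebuild the same source with an independently obtained toolchain (or on another machine) and compare the results.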