Why are Rock-XP / Magic Jellybean Keyfinder id'd by antivirus progs?

  • Thread starter: Virus Guy

Virus Guy

I've got old versions of Rock-XP and Keyfinder that are always being
nailed when I do a scan on a few XP systems. Out of curiosity I
uploaded them to VT and they are flagged by fully half the progs. Some
of the flags are "Not.A.Virus.what-ever" but most are not clear about
that. Some id them as droppers (?).

Is it _really_ necessary to flag these apps if they actually don't do
anything malicious?
 
Virus Guy said:
I've got old versions of Rock-XP and Keyfinder that are always being
nailed when I do a scan on a few XP systems. Out of curiosity I
uploaded them to VT and they are flagged by fully half the progs. Some
of the flags are "Not.A.Virus.what-ever" but most are not clear about
that. Some id them as droppers (?).

Is it _really_ necessary to flag these apps if they actually don't do
anything malicious?

They can be used maliciously, and trojans are defined subjectively. IMO
it should be a PUP.

This is the sort of thing that comes from AV getting into general
malware - if they were only concerned with viruses, there would be less
grey area problems like this (it replicates or it doesn't). Now they
have to guess at the mind of the user (is this tool wanted or not)?
 
FromTheRafters said:
They can be used maliciously, and trojans are defined subjectively.

How can they be used maliciously?

Can they be invoked silently?

Do they have enough command line switches to perform desired tasks?

Can their output be piped to a file?
 
Bill said:
Some AV products detect programs that assist in pirating of
software.

Why detect or flag software on the basis that they're probably on the
system intentionally as desired by the user?

Since when does a virus-scan turn into a nanny-scan?
 
Why detect or flag software on the basis that they're probably on the
system intentionally as desired by the user?

Some of the better programs have an off switch and give the option.
 
Virus Guy said:
How can they be used maliciously?

To crack passwords?
Can they be invoked silently?

Does it matter?
Do they have enough command line switches to perform desired tasks?

Again, does it matter?
Can their output be piped to a file?

....and again?

I think by configuration you can keep your own AV from alerting on PUPs.
By all means, if someone found them on their system and uploaded them to
VT it should be detected (and alerted to) as grey area malware.
 
FromTheRafters said:
To crack passwords?

Does it matter?

Yes, it does matter.

If apps like Rock-XP / Keyfinder are on a system because they were
downloaded as secondary payload by malware, and if the malware intends
to use those programs to discover product keys and passwords, then those
programs must be invoked and controlled by the malware in such a way
that is invisible to the user, and the output of those programs must
also be captured in such a way that is useful to the malware so that
(presumably) that information can be transferred back to hackers /
bot-owners.

If Rock-XP / Keyfinder does not have that capability, then I fail to
understand any argument as to why they should be flagged as malware or
even evidence of latent malware presence.

(I believe that Rock-XP and Keyfinder only provide product keys and NOT
passwords - making their value as malware helpers somewhat suspect)
 
Virus Guy said:
Yes, it does matter.

If apps like Rock-XP / Keyfinder are on a system because they were
downloaded as secondary payload by malware, and if the malware intends
to use those programs to discover product keys and passwords, then those
programs must be invoked and controlled by the malware in such a way
that is invisible to the user, and the output of those programs must
also be captured in such a way that is useful to the malware so that
(presumably) that information can be transferred back to hackers /
bot-owners.

There is more to malware than just remote access and command and
control. Some malware needs to be detected even though the environment
it resides in cannot execute it. A system administrator might not want
an employee storing password cracking software on the company's Linux
server.

If Rock-XP / Keyfinder does not have that capability, then I fail to
understand any argument as to why they should be flagged as malware or
even evidence of latent malware presence.

I agree, that is why I suggested that it should be detected as a PUP.
Not really malware.

(I believe that Rock-XP and Keyfinder only provide product keys and NOT
passwords - making their value as malware helpers somewhat suspect)

http://www.korben.info/rockxp
http://www.magicaljellybean.com/keyfinder/faq.shtml#spyware
 