Nxt Forum

Topic: Avast detects malware in Nxt address

Jean-Luc

  • Core Dev
February 24, 2015, 10:36:25 am

We should do exactly that, put a notice on nxt.org, and in all README files, telling people to ignore false virus warnings due to outgoing connections that NRS makes to peers.

Otherwise anyone who can get a URL listed as malicious in the antivirus databases gets to say which nodes can be trusted and which not, and can attack our network at will.

GPG key fingerprint: 263A 9EB0 29CF C77A 3D06  FD13 811D 6940 E1E4 240C
NXT-X4LF-9A4G-WN9Z-2R322

capodieci

February 24, 2015, 11:36:06 am

> We should do exactly that, put a notice on nxt.org, and in all README files, telling people to ignore false virus warnings due to outgoing connections that NRS makes to peers.
>
> Otherwise anyone who can get a URL listed as malicious in the antivirus databases gets to say which nodes can be trusted and which not, and can attack our network at will.

This is true, but if it is a pull done in BitBucket it would need the ok of... you ;)

I agree 100% that is not proper, but I'm concerned about the damage the virus warning can do.

Did this happen to bitcoin wallets too? And any other crypto currency/platform app?

Rob
- Decentralised Business Network: DeBuNe -
Asset: 6926770479287491943 - Issuer: NXT-GQ27-DD53-YM6K-ER6HK
OTDocs.com - debune.org - nxtforum.org/debune - NEW: thesoundkey.com

cryptoventurefund

February 24, 2015, 12:18:56 pm

This happens to most crypto-platforms and ALL miners.

Because most antivirus programs have no idea about their existence, they just flag them as virus or malware or whatever.

I'm not worried.
NXT-SBSP-BPHH-E7BR-9USXU is promoting the use of NXT in the real life, see : http://www.NXTtracker.com...
Member of TheNxtForex committee

Jean-Luc

  • Core Dev
February 24, 2015, 12:36:42 pm

We automatically blacklist nodes that send invalid blocks or transactions, or send too much data, or do similar violations of our network protocol. Centralized node blacklisting is not better than centralized blacklisting of transactions, no way we can do that.

Indeed, mining software commonly triggers false positives, because there are viruses that actually mine coins on the victims' computers, and some fingerprint of the mining code gets listed in the antivirus databases. So at least the miners' community is familiar with the problem. About the general public, maybe Avast and the others can be asked to whitelist NRS and the outgoing requests it makes. No idea what their policy is about that, especially for an open source software with no company behind it.
GPG key fingerprint: 263A 9EB0 29CF C77A 3D06  FD13 811D 6940 E1E4 240C
NXT-X4LF-9A4G-WN9Z-2R322

capodieci

February 24, 2015, 12:57:17 pm

> maybe Avast and the others can be asked to whitelist NRS and the outgoing requests it makes. No idea what their policy is about that, especially for an open source software with no company behind it.

This is a good point. Tomorrow I will write to a few of them and ask what can be done about it. After all, the wrong message comes from them. As a last resort we can do a petition ;) If this issue (connecting to "malicious" nodes) affects other apps as well (I guess most p2p apps) we may collect a lot of consents and get them to do something about it.

It is indeed a bad thing and may strongly affect the diffusion of Nxt (and other apps with similar problems).

Rob
- Decentralised Business Network: DeBuNe -
Asset: 6926770479287491943 - Issuer: NXT-GQ27-DD53-YM6K-ER6HK
OTDocs.com - debune.org - nxtforum.org/debune - NEW: thesoundkey.com

EvilDave

February 24, 2015, 05:54:31 pm

@Rob:
Good plan, mate.
You can use the name of the NXT Foundation, if Avast or whoever needs to have a legal entity or other contact organisation to back up your request.
Sent ya a PM.....
Nulli Dei, nulli Reges, solum NXT
NXT Donations: NXT-BNZB-9V8M-XRPW-3S3WD
We will ride eternal, shiny and chrome!

turingtape


Hi guys, bumping this. Just bought my first NXT and now I'm syncing the blockchain. I get the malware warnings described here. And as also speculated, it freaks a newcomer like me out. It is a bad feeling running software which will hold a considerable amount of NXT when you get malware warnings. Had it been on my primary machine, or did I not manage to find this thread, I would not continue and leave my NXT on the exchange (which I wouldn't like either). So my guess would be it is definitely a turnoff for newcomers.

Just my two cents.

Cheers!

Riker

  • Core Dev

> Hi guys, bumping this. Just bought my first NXT and now I'm syncing the blockchain. I get the malware warnings described here. And as also speculated, it freaks a newcomer like me out. It is a bad feeling running software which will hold a considerable amount of NXT when you get malware warnings. Had it been on my primary machine, or did I not manage to find this thread, I would not continue and leave my NXT on the exchange (which I wouldn't like either). So my guess would be it is definitely a turnoff for newcomers.
>
> Just my two cents.
>
> Cheers!

Can you post a screen capture of the warning somewhere?
Any other details you can extract from the Avast logs to explain the reason for the warning.

Typically what happens is that some of the peers are behind a VPN exit IP, shared by multiple users. Just like a Tor exit node, it can happen that at some time someone else using the VPN is abusing it to send spam or malware and thus causes Avast to blacklist all the peers which use this same IP.
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

ScripterRon


> > Hi guys, bumping this. Just bought my first NXT and now I'm syncing the blockchain. I get the malware warnings described here. And as also speculated, it freaks a newcomer like me out. It is a bad feeling running software which will hold a considerable amount of NXT when you get malware warnings. Had it been on my primary machine, or did I not manage to find this thread, I would not continue and leave my NXT on the exchange (which I wouldn't like either). So my guess would be it is definitely a turnoff for newcomers.
> >
> > Just my two cents.
> >
> > Cheers!
>
> Can you post a screen capture of the warning somewhere?
> Any other details you can extract from the Avast logs to explain the reason for the warning.
>
> Typically what happens is that some of the peers are behind a VPN exit IP, shared by multiple users. Just like a Tor exit node, it can happen that at some time someone else using the VPN is abusing it to send spam or malware and thus causes Avast to blacklist all the peers which use this same IP.

Avast flags some VPN and Tor exit points as malicious. For example, Jean-Luc's address is flagged and connections are dropped unless you whitelist the address.
NXT-XM86-4ZNA-65L5-CDWUE

capodieci

- Decentralised Business Network: DeBuNe -
Asset: 6926770479287491943 - Issuer: NXT-GQ27-DD53-YM6K-ER6HK
OTDocs.com - debune.org - nxtforum.org/debune - NEW: thesoundkey.com

Riker

  • Core Dev



This is something else, uninstaller.jar is a Jar file generated by the IzPack tool when we package the installation.
The reported exploit: Java CVE-2012-1723 has been fixed in Java 7 update 4 around 2012 so must be fixed in Java 8 (http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html)
SelfModifier.class is an IzPack class file that IzPack bundles inside uninstaller.jar, quite sure this class has no malicious code, it just triggers the specific code pattern used by the original exploit.

Are you getting this message when running a full scan on your workstation or during installation of NXT?
Are you running this Antivirus product (https://www.intego.com/antivirus-mac-internet-security) on a Mac?
Which version of antivirus and Mac/OS are you using?
NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

capodieci


> Are you getting this message when running a full scan on your workstation or during installation of NXT?
> Are you running this Antivirus product (https://www.intego.com/antivirus-mac-internet-security) on a Mac?
> Which version of antivirus and Mac/OS are you using?

I got it during a full scan of the computer, as the antivirus is not active (it just scans files/hdd upon request).

The AV is called VirusBarrier Plus and I ran it on an OSX 10.10.5 (Yosemite) MacBook Air.

The Nxt version that has been scanned I think was 1.8.3

R
- Decentralised Business Network: DeBuNe -
Asset: 6926770479287491943 - Issuer: NXT-GQ27-DD53-YM6K-ER6HK
OTDocs.com - debune.org - nxtforum.org/debune - NEW: thesoundkey.com