
Installer allegedly contains virus

Started by The Unevers, March 15, 2016, 01:48:27 PM


The Unevers

So I would really like to try this game... But when I download the latest version from SourceForge, Windows keeps blocking the download because it has a virus in it. I tried all the mirrors but they all have a virus in them.

Where can I find a virus-free installer?

Václav

Try to install it without the installer. That means: download the separate exe and the graphics.
Because all the installer does is help with installing graphic sets.
The game itself is not installed like most Windows software.

Just extract the archive with the executables anywhere you need, and then add graphic sets.

One learns from mistakes - but some people are unteachable

Isaac Eiland-Hall

Further discussion on what is surely the same issue: http://forum.simutrans.com/index.php?topic=14893.0

i.e. I don't believe it's actually a virus.

Leartin

Not because of a virus, because of heuristic analysis indicating the possibility of a virus. I don't know why, probably because a small program asks about your PC specification and tries to access online material... I could tell you to ignore the warning, but that's not something you should trust a stranger on the internet with. However, the virus warning would be the same no matter where you get the installer from.

Thus, you'd need to download directly. On sourceforge, https://sourceforge.net/projects/simutrans/files/simutrans/120-1-3, neither "simuwin-120-1-3.zip" nor "simuwin-sdl-120-1-3.zip" give me a warning, while the installer does. (One version uses SDL, the other does not - but it's the same game)

Edit@Vaclav: Actually, the pakset downloader is included in the zip file, and would start when you try to start the game. It also does not trigger a virus warning. I think the installer just checks what your system (OS etc.) is in the first place?

Ters

Quote from: Leartin on March 15, 2016, 04:10:01 PM
I think the installer just checks what your system (OS etc.) is in the first place?

As far as I know, Simutrans' installer does what installers in general do. It puts Simutrans where software is supposed to be installed according to OS guidelines (unless overridden by an eccentric user), registers the uninstaller, creates shortcuts on the start menu so that users can launch Simutrans, and makes the UAC elevation process smoother if required (which it is by default). None of this is required for Simutrans to function, but it requires more of the user. Probably more than the average user is capable of.

I don't think the installer checks the system for anything special. If the system can't run Simutrans, it will either be unable to run the installer in the first place, or be so old that the user deserves a hard failure. (Simutrans is supposed to run on anything from Windows XP onwards. That's more than half the history of 32-bit Windows.)

DrSuperGood

SourceForge has been known to insert malware (in the form of adware) into installers of various hosted projects in the past. Not that this is the case here, but it still would be a good idea that the publisher check that the executable downloaded from SourceForge when not logged in is byte for byte the same as the one uploaded to SourceForge during publishing. Just in case these rumors have any truth behind them.

prissi

The installer contains a cab unpacker, an unzip unpacker, download routines, and is a self-extracting program. I think these points drive the heuristic over the edge. However, it asks nicely for admin rights, which Trojans usually don't. So a good heuristic should consider this too.

Incidentally, when compiling Simutrans the first time on my PC after I switched to Avast I had to wait for 24 hours in order to compile Simutrans and the online installer, since it was quarantined immediately all the time. I had to send the file for whitelisting, and then I could compile them again. I can imagine some virus whitelisting is not universally shared.

It is the same installer also used by Trojans, since it is open source ... However, Winamp also uses it, albeit without download capacity.

Even Simutrans.exe 120.1.1 (to use a version which should have been around for quite some time) still triggers a false virus warning in one out of 55 scanners on Virustotal.com ..

TurfIt

Quote from: DrSuperGood on March 15, 2016, 09:26:51 PM
SourceForge has been known to insert malware (in the form of adware) into installers of various hosted projects in the past. Not that this is the case here, but it still would be a good idea that the publisher check that the executable downloaded from SourceForge when not logged in is byte for byte the same as the one uploaded to SourceForge during publishing. Just in case these rumors have any truth behind them.
The online installer just downloaded from 3 mirrors still matches the md5 of the file as uploaded ( and which is included in the forum announcement ). It still hits a heuristic match on 1/56 at virustotal. IIRC it was 3/56 when originally checked. VBA32 - suspected of Trojan.Downloader.gen.h

Ters

Quote from: prissi on March 15, 2016, 10:40:29 PM
However, it asks nicely for admin rights, which Trojans usually don't. So a good heuristic should consider this too.

If the malware gains access without fooling the user into giving it access, I'd be reluctant to call it a trojan. On the other hand, if the malware is fine with just pestering one user and doesn't try to pick a fight with security software, but rather just hang around for as long as possible, it doesn't need more access than the right to simply run.

Quote from: prissi on March 15, 2016, 10:40:29 PM
It is the same installer also used by Trojans, since it is open source ... However, Winamp also uses it, albeit without download capacity.
Quote from: TurfIt on March 15, 2016, 10:58:05 PM
VBA32 - suspected of Trojan.Downloader.gen.h

Is it so that the installer doesn't actually contain Simutrans, and needs to download Simutrans separately, like so many so called web installers (I still don't see the point of doing that)? Or is it simply the pak downloader within all versions of Simutrans that is triggering an alarm just because it is packaged inside of an installer?

Lmallet

This is pretty bad. Windows 10 (which comes with Windows Defender installed as a default) sees the Simutrans installer as malware.

prissi

Not on my machine though. Possibly country dependent?

Ters

Quote from: prissi on March 19, 2016, 10:04:40 PM
Not on my machine though. Possibly country dependent?

Seems strange that such things are country dependent. Are you sure you haven't cleared it at some point, and that your computer remembers that?

For me, Edge and Internet Explorer's SmartScreen flags the installer as unsafe without saying why. That hasn't changed since last time. Symantec gives it an all clear (reporting hundreds of users). I don't remember what it said last time. Perhaps it was a little bit less sure. Firefox doesn't say anything.

DrSuperGood

It gets flagged as unsafe because it is not signed. All non-signed executables will be flagged as unsafe and the user warned when trying to run them. The warning can be bypassed by pressing "details" and choosing to run it anyway. After it is run once, the warning never pops up again.

One also cannot rule out malicious tampering or malware as both could be system/country specific. Run an MD5 check on what you download just to be sure.
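Two checks are proposed in this thread: the publisher comparing what SourceForge serves against what was uploaded (byte for byte, as DrSuperGood suggests, or by MD5 as TurfIt did across three mirrors), and users comparing their download against the hash printed in the forum announcement. The script below is an added example of both checks and is not code from the Simutrans project; the installer bytes, the mirror names and the "published" hash are constructed stand-ins, not the real release or its hash.

```python
import hashlib
import hmac

# Constructed stand-in for the installer as uploaded by the publisher
# (not the real Simutrans installer bytes).
PUBLISHED_INSTALLER = b"simutrans-online-installer-demo-bytes\x00\x01\x02\x03"


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of an in-memory blob. MD5 is used because the forum
    announcement publishes an MD5; pass "sha256" to publish a stronger one."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_file(path: str, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file on disk, streamed so large installers are not read at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


# The hash the publisher computes at upload time and posts in the announcement.
PUBLISHED_MD5 = digest(PUBLISHED_INSTALLER, "md5")


def matches_published(data: bytes, published_hex: str, algorithm: str = "md5") -> bool:
    """User-side check: does the downloaded blob hash to the announced value?
    Whitespace and case in the pasted hash are tolerated; the comparison is
    constant-time so it can be reused where the expected hash is secret."""
    return hmac.compare_digest(digest(data, algorithm), published_hex.strip().lower())


def check_mirrors(mirrors: dict, published_hex: str, algorithm: str = "md5") -> dict:
    """Publisher-side check: for each mirror's download, record whether it
    still matches the announced hash. Returns {mirror_name: bool}."""
    return {name: matches_published(blob, published_hex, algorithm)
            for name, blob in mirrors.items()}


def mirrors_identical(mirrors: dict) -> bool:
    """Byte-for-byte comparison of every mirror's download with the first one."""
    blobs = list(mirrors.values())
    return all(blob == blobs[0] for blob in blobs[1:])


# Constructed mirror downloads: two faithful copies and one with a single flipped byte,
# which is what injected adware or a corrupted transfer would look like to the hash check.
_tampered = bytearray(PUBLISHED_INSTALLER)
_tampered[5] ^= 0x01
TAMPERED_INSTALLER = bytes(_tampered)

SAMPLE_MIRRORS = {
    "mirror-a": PUBLISHED_INSTALLER,
    "mirror-b": PUBLISHED_INSTALLER,
    "mirror-c": TAMPERED_INSTALLER,
}


if __name__ == "__main__":
    print("published md5:", PUBLISHED_MD5)
    for name, ok in check_mirrors(SAMPLE_MIRRORS, PUBLISHED_MD5).items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
    print("all mirrors identical:", mirrors_identical(SAMPLE_MIRRORS))
```

With the constructed data, mirror-a and mirror-b report OK and mirror-c reports MISMATCH, so `mirrors_identical` returns False. MD5 is enough to catch a corrupted transfer or an opportunistically modified file, which is the scenario the thread worries about, but MD5 collisions are practical for a deliberate attacker, so a publisher who adopts this check should announce a SHA-256 alongside the MD5 and compare with `digest_file(path, "sha256")`.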

Ters

Quote from: DrSuperGood on March 20, 2016, 05:47:43 AM
Run an MD5 check on what you download just to be sure.

Unfortunately, those who need the installer have no idea how to do that.

Isaac Eiland-Hall

Looks to me like it would be a cost of several hundred dollars to get a certificate to sign our binaries with. Is that something worth pursuing? Are there other technical problems? Is it something we could do?

Ters

Quote from: Isaac.Eiland-Hall on March 20, 2016, 09:56:31 AM
Looks to me like it would be a cost of several hundred dollars to get a certificate to sign our binaries with. Is that something worth pursuing? Are there other technical problems? Is it something we could do?

Since we have no juridical person that encompasses the developers, the certificate will be tied to the one physical person buying it. The certificate system also relies on the private key being kept absolutely secret. Great care must be used when handling it. The one who buys such a certificate will likely have to be the only one to make the released installers.

As for Microsoft's SmartScreen, there might not be another solution, but at least that one quarantine or delete the files, although it recommends the latter action.

As for being flagged as a Trojan downloader, it might be an option to make an offline installer.

DrSuperGood

Quote
Looks to me like it would be a cost of several hundred dollars to get a certificate to sign our binaries with. Is that something worth pursuing? Are there other technical problems? Is it something we could do?
Welcome to the scam of software signing. At least Simutrans is not a driver since starting with Windows 7 it is only possible to install drivers which are signed.

Instead of keeping with the installer method of distribution, it might be better to emphasize the stand-alone method whereby users download just what they need. Additionally the apparent Steam build should not have this problem as Steam is signed and should be doing the downloading for it. From personal experience all one needs to do to get Simutrans to run on Windows 10 is to download the executable bundle and download the paksets you want. Seeing how pak64 is mandatory and pak128 is pretty universally played, one might as well bundle both together with the executable for a "simutrans complete" bundle which simply requires extraction into a folder with appropriate permissions to be playable.

An_dz

The Simutrans executable comes with a pak downloader that is automatically run if no pakset is found. I guess that's enough.

We just need to confirm that it works on Windows 10.


Ters

Quote from: DrSuperGood on March 20, 2016, 07:27:17 PM
Welcome to the scam of software signing. At least Simutrans is not a driver since starting with Windows 7 it is only possible to install drivers which are signed.

On the other hand, look where Java's willingness to run unsigned code downloaded from the Internet has put it. It almost died over night from a single exploit.

In the end, I guess it is part of the developing trend of "guilty until proven innocent".

prissi

Maybe I do not get a special warning, since I am using Chrome ...

EDIT: Open source certification is available for 14 €. I will look further into that.

Ters

Quote from: prissi on March 21, 2016, 11:23:36 PM
Maybe I do not get a special warning, since I am using Chrome ...

Then you won't be bothered by SmartScreen, and if you don't use Windows Defender, you won't hear from that either.