Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
From: "Dave Korn"
Subject: RE: Trojan associated with rsync and wget
Date: Tue, 3 May 2005 18:23:08 +0100
In-Reply-To: <16465809356429@colorado-mail.cam-llc.com>

----Original Message----
>From: bob sandefur
>Sent: 03 May 2005 17:57
> Hi-
>
> Norton antivirus thinks cygwin wget and rsync are trying to Trojan my
> machines (first reported in December)

No, it thinks they *are* trojans that have got onto your machine and are
trying to communicate out.

Norton AV is a pile of garbage. If I were you, I would report these false
positives to Norton. Then again, if you were me, you would just uninstall
it and throw it in the bin with the rest of the garbage.

> Anyone know if Norton and I are unduly paranoid or if this is a real
> threat?

It's Norton being stupid. There's nothing harmful about those programs.
Because _some_ hackers _sometimes_ use wget or rsync to download tools to a
box they have broken into, Norton think this means that wget and rsync are
malware. Of course, hackers also use "ls" when they've broken into a
machine, to see what files are there. Does this mean that we should regard
"ls" as a trojan or virus? Or perhaps a better example would be ftp:
hackers use ftp just as often as wget or rsync to download malware to an
owned box, but that doesn't mean that the ftp client utility is a trojan!

It is a stupid and indiscriminate test they are applying, because wget and
rsync are legitimate software with an overwhelmingly vast number of
legitimate uses, but the lazy programmers at Norton couldn't be bothered to
try and code their software to distinguish how they are being used, so it
just blocks them all the time.

When you recompile the code yourself from source, Norton fails to spot
them, because it's just looking for a particular 'signature' or series of
bytes to identify the supposed malware. Build them yourself and the file
contents change, and the signature test, being poorly targeted, fails.

So Norton AV is employing a very poorly designed test that generates both
false positives and false negatives and only once in a blue moon will ever
generate a non-false alarm.

[ The report you found was about how an rsync-downloaded version of
portage could contain trojaned code, but so could one that you downloaded
by ftp or http or any other means from any mirror site where the admin was
in the habit of trojanning the downloads. The vulnerability was not in
rsync but in their automated build system. ]

    cheers,
      DaveK
--
Can't think of a witty .sigline today....
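An added illustration of the two points made in this message, not part of Dave's mail or of any Cygwin or Norton code: a naive byte-pattern scan cannot tell an official wget binary from a tampered copy that still carries the same bytes, and misses the same program once it is rebuilt from source, whereas comparing a download's SHA-256 against the digests a distributor publishes does separate the official build from the tampered one. The byte pattern, the three sample "binaries" and the allowlist are all constructed for this example.

```python
import hashlib
from typing import Dict, Optional

# Hypothetical byte pattern of the kind a signature scanner keys on.
# Constructed for this example; it is not a real Norton signature.
BAD_SIGNATURE = b"wget-rsync-download-stub"

# Constructed stand-ins for binaries; a real check would read files from disk.
OFFICIAL_WGET = b"\x7fELF..." + BAD_SIGNATURE + b"...legitimate wget code..."
# The same program rebuilt from source: string and layout bytes differ, so the
# pattern no longer appears verbatim (the false negative the mail describes).
REBUILT_WGET = b"\x7fELF..." + b"wget_rsync_download_stub" + b"...legitimate wget code..."
# A copy altered on a compromised mirror; it still carries the scanner's bytes.
# The appended bytes are a placeholder, not a payload.
TAMPERED_WGET = OFFICIAL_WGET + b"<placeholder: bytes added on a bad mirror>"

# Constructed allowlist of SHA-256 digests a distributor would publish for its
# official builds, so a download can be verified before it is trusted.
KNOWN_GOOD = {hashlib.sha256(OFFICIAL_WGET).hexdigest(): "wget (official build)"}


def signature_scan(data: bytes) -> bool:
    """Naive scanner: flags the file if the byte pattern appears anywhere in it."""
    return BAD_SIGNATURE in data


def allowlist_lookup(data: bytes) -> Optional[str]:
    """Returns the official build name if the file's digest is on the allowlist."""
    return KNOWN_GOOD.get(hashlib.sha256(data).hexdigest())


def classify(samples: Dict[str, bytes]) -> Dict[str, Dict[str, bool]]:
    """Runs both checks over each sample so their verdicts can be compared."""
    return {
        name: {
            "signature_hit": signature_scan(data),
            "verified_official": allowlist_lookup(data) is not None,
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    results = classify({"official": OFFICIAL_WGET, "rebuilt": REBUILT_WGET,
                        "tampered": TAMPERED_WGET})
    for name, verdict in results.items():
        print(f"{name:9s} signature_hit={verdict['signature_hit']} "
              f"verified_official={verdict['verified_official']}")
```

The signature verdict is identical for the official and the tampered file and wrong for the rebuilt one; only the digest comparison tells the official download apart, and a self-built binary is verified by checking the source it was built from, not by any byte pattern.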