Bad Setup File? (Virus Detected)

Everything related to MakeMKV
lordzero
Posts: 5
Joined: Sat Nov 24, 2018 3:27 pm

Bad Setup File? (Virus Detected)

Post by lordzero »

Hopefully this is the right area to post this in, and I didn't see a direct email address to email.

I was attempting to update MakeMKV and Edge, Chrome, and FF all said it was infected with a virus. Thinking this was just a fluke I grabbed the file down on my Linux box and checked the hashes.

Listed SHA256:
99897048fe1aef6668f20d4ff326cad0ddf44f0a5a4c08d4760b25530b3e39d8 Setup_MakeMKV_v1.14.1.exe

Actual Downloaded SHA256:
ea974bdfac2d460cdefb3d98a176318b011eeb39b4eb4214078c3285657f3cb2 Setup_MakeMKV_v1.14.1.exe

I ran it through Virustotal as well and it came back with 0 hits (that's not definitive since zero-days can make it through) but a good indicator that it isn't malicious.
https://www.virustotal.com/#/file/ea974 ... /detection

Any information would be great, as this has always been a great product / service you have provided.
Last edited by lordzero on Sat Nov 24, 2018 6:21 pm, edited 1 time in total.
Woodstock
Posts: 10676
Joined: Sun Jul 24, 2011 11:21 pm

Re: Bad Setup File?

Post by Woodstock »

The SHA256 for the file virustotal downloaded and tested matches what's posted on the website for the Windows executable:

99897048fe1aef6668f20d4ff326cad0ddf44f0a5a4c08d4760b25530b3e39d8

https://www.virustotal.com/#/url/ef6f9e ... /detection

They have zero of 70 tests showing a problem. Not sure how you would have gotten a file with a different hash... I'm assuming you downloaded from http://makemkv.com/download/, and not the non-secure URL. They should be the same, but the use of https removes much of the risk of a "man in the middle" substitution.

As always, if you have ANY suspicion, submit the file to your favorite antivirus company's site for them to verify. This is especially true if your vendor's AV pops up a "generic" warning.

The stored hash in your VirusTotal link is different, though, than the hash it got when it processed my request. Did you upload the file, or submit it as a URL?
joerg04
Posts: 4
Joined: Sat Nov 24, 2018 5:50 pm

Re: Bad Setup File?

Post by joerg04 »

I have the same issue on Windows 7.

Microsoft Security Essentials claims to find "Trojan:Win32-Skeeyah.G" on Setup_MakeMKV_v1.14.1.exe.

Did a download to my Linux box, too, and it has the correct hash there; also scanning it with ClamAV didn't find anything.

Copying this file to Windows (SSH), again, is showing an issue. The file seems to get deleted immediately, as I couldn't find it on my machine.
lordzero
Posts: 5
Joined: Sat Nov 24, 2018 3:27 pm

Re: Bad Setup File?

Post by lordzero »

I pulled directly from the website. Windows browser requests all light up saying it had a virus.

On my Linux box I grabbed it via wget

user@Earth:~# wget http://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe
--2018-11-24 10:21:45-- http://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe
Resolving makemkv.com (makemkv.com)... 104.24.105.123, 104.24.104.123, 2606:4700:30::6818:697b, ...
Connecting to makemkv.com (makemkv.com)|104.24.105.123|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11658752 (11M) [application/x-msdownload]
Saving to: ‘Setup_MakeMKV_v1.14.1.exe’

100%[==============================================================================>] 11,658,752 8.11MB/s in 1.4s

2018-11-24 10:21:47 (8.11 MB/s) - ‘Setup_MakeMKV_v1.14.1.exe’ saved [11658752/11658752]


Then ran sha256sum on it:

user@Earth:~# sha256sum Setup_MakeMKV_v1.14.1.exe
ea974bdfac2d460cdefb3d98a176318b011eeb39b4eb4214078c3285657f3cb2 Setup_MakeMKV_v1.14.1.exe

I agree that VT shows nothing malicious, but being in the field, this isn't 100%. There is a (small) chance, I would argue, that someone replaced the file if the SHAs aren't matching. Maybe a way to test this is to reupload 1.14.1 to the site and reverify the SHA.
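The check the thread keeps coming back to is comparing the SHA-256 of the bytes you actually received with the value in the published hash list. The following is an added example, not code from the original posts or from MakeMKV itself. It assumes the hash list uses the sha256sum-style layout `<hex digest>  <filename>` (an assumption; the real makemkv-sha-1.14.1.txt layout is not shown in the thread), and the "installer" bytes it checks are constructed inline so it runs offline. It shows the three outcomes a verifier has to distinguish: a match, a mismatch (different bytes, whatever the cause), and a file that the list simply doesn't cover.

```python
"""Verify a downloaded installer against a published SHA-256 hash list.

Added example; not MakeMKV's own tooling. The hash-list format below is
an assumption (sha256sum-style lines), and all sample bytes are constructed.
"""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")


def parse_hash_list(text):
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}.

    Lines that do not carry a 64-hex-char digest followed by a name are ignored,
    so a stray comment or blank line in the published list does not break parsing.
    """
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)  # split on the first whitespace run
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if len(digest) == 64 and set(digest) <= HEX:
            expected[name] = digest.lower()
    return expected


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256; installers are too large to read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, hash_list_text):
    """Return (ok, actual_hex, expected_hex_or_None).

    ok is False both when the digests differ and when the list has no entry
    for this filename; the caller can tell the cases apart via expected_hex.
    """
    expected = parse_hash_list(hash_list_text)
    actual = sha256_file(path)
    want = expected.get(os.path.basename(path))
    if want is None:
        return False, actual, None
    # compare_digest is not needed for a public digest, but it is the habit
    # worth keeping for any equality check on authentication material.
    return hmac.compare_digest(actual, want), actual, want


def demo():
    """Exercise the verifier on constructed files: good, tampered, unlisted."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "Setup_MakeMKV_v1.14.1.exe")
        tampered = os.path.join(d, "tampered", "Setup_MakeMKV_v1.14.1.exe")
        unlisted = os.path.join(d, "Setup_MakeMKV_v1.14.0.exe")
        os.mkdir(os.path.dirname(tampered))

        payload = b"MZ" + b"constructed installer bytes, not a real PE\x00" * 64
        with open(good, "wb") as f:
            f.write(payload)
        with open(tampered, "wb") as f:
            f.write(payload[:-1] + bytes([payload[-1] ^ 0x01]))  # flip one bit
        with open(unlisted, "wb") as f:
            f.write(payload)

        # "Published" list, built from the good file, with a comment line
        # and a binary-mode '*' marker to show the parser tolerating both.
        published = (
            "# constructed hash list for the example\n"
            f"{sha256_file(good)}  Setup_MakeMKV_v1.14.1.exe\n"
            f"{sha256_file(good)} *Setup_MakeMKV_v1.14.1.exe\n"
        )
        results["good"] = verify_download(good, published)
        results["tampered"] = verify_download(tampered, published)
        results["unlisted"] = verify_download(unlisted, published)
    return results


if __name__ == "__main__":
    for label, (ok, actual, want) in demo().items():
        print(f"{label:9s} ok={ok} actual={actual[:16]}... expected={want and want[:16]}")
```

A mismatch only tells you that the bytes on disk are not the bytes the publisher hashed; it does not say why (a substituted file on the server or in transit, a proxy or AV product rewriting the download, or a truncated transfer are all possible). A hash fetched over the same channel as the installer proves only that both arrived consistently from that channel, which is why the https question raised above matters for the hash list as much as for the executable.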
lordzero
Posts: 5
Joined: Sat Nov 24, 2018 3:27 pm

Re: Bad Setup File?

Post by lordzero »

Oh, and I uploaded the file to VT, so it did its own SHA calc.
joerg04
Posts: 4
Joined: Sat Nov 24, 2018 5:50 pm

Re: Bad Setup File?

Post by joerg04 »

Uploaded my file to VirusTotal; it doesn't look so good to me:
https://www.virustotal.com/#/file/99897 ... /detection
Woodstock
Posts: 10676
Joined: Sun Jul 24, 2011 11:21 pm

Re: Bad Setup File? (Virus Detected)

Post by Woodstock »

This is very strange - when I have VirusTotal fetch the file from https://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe, it finds nothing, and computes the SHA256 as matching the posted file. It says 0 of 70 tests found problems.

When I download the file myself, run sha256sum on it, I get the same hash. My up-to-date AVG says no problems with the file.

When I upload the file to VT, it reports the exact same hash, but now says 5 of 66 engines had an issue with the file.

I compared the copies I downloaded just now with the copy I downloaded on 11/10 (two weeks ago), and they are byte-for-byte identical.

sha256sum hash on all files is 99897048fe1aef6668f20d4ff326cad0ddf44f0a5a4c08d4760b25530b3e39d8.

Given that the threat Microsoft says it is protecting you from is over TWO YEARS old (Microsoft says 1 year, others say 2), it is doubly strange that so few virus detection engines seem to find it in the setup program; they all should, if it is really there.

Again, I suggest uploading the file to your favorite antivirus provider for a second opinion.
joerg04
Posts: 4
Joined: Sat Nov 24, 2018 5:50 pm

Re: Bad Setup File? (Virus Detected)

Post by joerg04 »

If you look closely at the results on VirusTotal you may notice that the "engines" there differ between "url" and "file".
So, e.g., "Microsoft" as an engine does not show up in "url".

It also says "5/66" not "0/70". That explains the different output, but of course not the info that Woodstock gave.

I also uploaded some of the old files, and they produce similar output:
- 1.14.0 https://www.virustotal.com/#/file/73ee0 ... /detection
- 1.12.2 https://www.virustotal.com/#/file/1b1e9 ... /detection
blufoot
Posts: 1
Joined: Wed Apr 13, 2016 4:18 am

Re: Bad Setup File? (Virus Detected)

Post by blufoot »

http://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe (and https://...) set off my Win 10 machine too...
KriRohde
Posts: 2
Joined: Sun Nov 25, 2018 8:26 am
Location: Denmark

Re: Bad Setup File? (Virus Detected)

Post by KriRohde »

I have the same problem with version 1.14.1 on my Windows 10 computer - Windows being fully updated.
I use the Windows Defender as my anti virus programme, and the Setup file for the new version 1.14.1 is immediately recognized as the Win32/Skeeyah.G virus. The installation of the programme is finished instantly, and the whole programme is removed from my PC.
After a short time in agony I downloaded the previous version 1.14.0 and saw that this version causes no problem at all. Hence I am still a happy user of the MakeMKV programme.
I suspect that somewhere in the code of the new version some string is hidden which Defender mistakes for the virus??
rivey
Posts: 130
Joined: Fri Dec 29, 2017 3:49 pm
Location: Los Angeles

Re: Bad Setup File? (Virus Detected)

Post by rivey »

blufoot wrote:
Sun Nov 25, 2018 12:46 am
http://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe (and https://...) set off my Win 10 machine too...
I used this link just now and installed fine. I use Eset 32 and nothing popped up. For the fun of it, I am running a full virus scan on my computer and so far 0 threats. Wonder what this is all about.
lordzero
Posts: 5
Joined: Sat Nov 24, 2018 3:27 pm

Re: Bad Setup File? (Virus Detected)

Post by lordzero »

Well, the paranoid side of me (and, well, being in the industry) would think that one option is that the download site was compromised. This could be solved by reuploading the file to the server (and fixing however they got onto the server).

The other option is that there is some kind of dynamic coding going on that is making the virus detection engines go a bit crazy.
Woodstock
Posts: 10676
Joined: Sun Jul 24, 2011 11:21 pm

Re: Bad Setup File? (Virus Detected)

Post by Woodstock »

And it is quite important to be paranoid today... I'm in the industry, too, and get paid to be paranoid.

What concerns me is that multiple people have reported downloading a file with a DIFFERENT hash than in the signed hash list on the site. I've pulled the file multiple times (both HTTP and HTTPS), on multiple days, first on 11/10, most recently 11/24, and two different versions of sha256sum always give the published hash code; why do some others get a different hash?

Could it be that Windows Defender is modifying the EXE on download so that it has a different hash?
lordzero
Posts: 5
Joined: Sat Nov 24, 2018 3:27 pm

Re: Bad Setup File? (Virus Detected)

Post by lordzero »

I'm sure it's possible, though unlikely. It would have to be polymorphic code for something to be like that.
mike admin
Posts: 4083
Joined: Wed Nov 26, 2008 2:26 am

Re: Bad Setup File? (Virus Detected)

Post by mike admin »

blufoot wrote:
Sun Nov 25, 2018 12:46 am
http://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe (and https://...) set off my Win 10 machine too...
Did you check the SHA256 hash of the file with http://www.makemkv.com/download/makemkv-sha-1.14.1.txt ? Do you know if antivirus tags a specific file or the whole installer?

p.s. There are no viruses/trojans in MakeMKV...