Guest - Testers are needed for the reworked CDateTime core component. See... https://forum.kodi.tv/showthread.php?tid=378981 (September 29) x
Trojan in Kodi RC4 and files with different checksums!!
#1
Hello,

Recently I got warnings from windows defender that the kodi RC4 file does contain a trojan. (Trojan:Win32/Gaobot).
That was reported in an earlier thread.
People were just smiling like "false positive" you should use another virus checker.
I am very much shocked by that attitude the more since I think it is true and we have a very serious problem!!
Reason for saying than is that not only defender is hinting in the direction of malware, but there is hard evidence that there is something terrible wrong too.
After defender alerted me, I did a couple of other downloads of the kodi17 rc4 file (windows version), and did calculate the checksums of all those files.
And up to my surprise the checksums of the different downloads did differ. And different checksums for files which are supposed to be identical is defectively not ok!!
So my *** very urgent *** message is:
- Do take virus alerts serious
- Do publish your site file was hacked, that is bad. But much better that not telling because others will run infected computers without knowing it
- Publish the correct checksums, so that downloads can be verified
- Take care that alterative download sites really are providing not tampered files
- Use HTTPS protected sites as download sites
Sincerely,

Louis

Got the same message. Next to that is is very alarming to me that I have downloaded the file multiple times finding different file length and different checksums ....

I did find files with
sha512 42CFA2C8109700673D7D7DBD36B78CF05E952B85E8B1078DEF008107CEF8B8F73FC7019888D12299BDACF4AF8B4369189AB14359D8FF231E43266981ACCAB2D1 (removed by defender)

and file with sha512
0B527AAFD3AC43AA6E5A68AB95CAD58C834D05D7A4AAA2AFBFD16447F73F85F495C10929570A3B26D2C1335CB1B4DA0C6361268F08486DE53C3842350D7A885E

I already installed something on my kodi pc Sad Sad
Reply
#2
Downloaded twice from https://kodi.tv/download/ mirror, same bytes and Avast declared it safe, hum what's to do? Might switch virus scanner to what you are using?

kodi-17.0-Krypton_rc4.exe 79.6 MB (83,559,756 bytes)
kodi-17.0-Krypton_rc4(1).exe 79.6 MB (83,559,756 bytes)

Please note: Size on disk 79.6 MB (83,562,496 bytes)

Quote:I already installed something on my kodi pc
Let's hope it's the enjoyment of Kodi.
Reply
#3
I am not sure why you are using sha512, because we do not usually distribute that

This is the MD5 sum for Kodi RC4 :
4d6b9bd64e2c183fb1095a6e88b9bdc3 kodi-17.0-Krypton_rc4.exe (You can see that when you append ?md5 to any file like this)

You can get a list of all copies of that one file here:
http://mirrors.kodi.tv/releases/win32/ko...mirrorlist

Maybe one mirror simply has a badly rsynced file. If you tell us which download was bad i can check that mirror.
I have checked a few but can't find the wrong mirror so you will have to be more specific!

I am still very confident this is (another) falso positive, we have had them quite often on RC and nightlies because the virusscanners often did not signature those files yet.
Reply
#4
Clean download from PatK's link. Lightly-edited results:

Code:
C:\Users\Ian\Downloads\Kodi RC4>dir

01/02/2017  21:09    <DIR>          .
01/02/2017  21:09    <DIR>          ..
01/02/2017  21:05        83,559,756 kodi-17.0-Krypton_rc4.exe
               1 File(s)     83,559,756 bytes

Checking the file integrity versus your versions:

Code:
C:\Users\Ian\Downloads\Kodi RC4>certUtil -hashfile kodi-17.0-Krypton_rc4.exe SHA512
SHA512 hash of file kodi-17.0-Krypton_rc4.exe:
0b 52 7a af d3 ac 43 aa 6e 5a 68 ab 95 ca d5 8c 83 4d 05 d7 a4 aa a2 af bf d1 64 47 f7 3f 85 f4 95 c1 09 29 57 0a 3b 26 d2 c1 33 5c b1 b4 da 0c 63 61 26 8f 08 48 6d e5 3c 38 42 35 0d 7a 88 5e
CertUtil: -hashfile command completed successfully.

... which *seems* to match your second checksum (I didn't check every byte pair, though...)

OS: Win10 version 1607 (OS Build 14393.693)

Manual update of antivirus definitions.

Windows Defender Antimalware version 4.10.14393.0
Engine version 1.1.13407.0
Antivirus Definitions 1.235.1852.0 (created 01/02, 15:41 GMT)
Antispyware Definitions 1.235.1852.0 (created 01/02, 15:41 GMT)


Download moved to its own directory (not opened, just moved with Explorer)
Custom scan of just that directory

== nothing found. Not a squeak or a hint of an issue.

EDIT

Just saw Kib's post, so here's the MD5 of that same file:

Code:
C:\Users\Ian\Downloads\Kodi RC4>certUtil -hashfile kodi-17.0-Krypton_rc4.exe md5
MD5 hash of file kodi-17.0-Krypton_rc4.exe:
4d 6b 9b d6 4e 2c 18 3f b1 09 5a 6e 88 b9 bd c3
CertUtil: -hashfile command completed successfully.

... which matches the hash given above.
Search | Banned addons (wiki) | Forum rules (wiki) | First time user (wiki) | FAQs (wiki) | Troubleshooting (wiki) | Add-ons (wiki) | Free content (wiki) | Debug log (wiki)Free Content
Reply
#5
Also if you look at the rsync data and mirrorlist data: all mirrors have the same file exact filesize.

In other words if you are finding different filelength on downloads you are either:
- not downloading from the filelist i just linked to (which is the sites offered by the mirrorservice we run ourselves)
- not downloading the files complete.
Reply
#6
Next steps would be to take that other file and put it in a VM and check for the symptoms.

https://www.microsoft.com/security/porta...2%2fGaobot

You should see new registry entries as well as seeing it trying to connect to an IRC server. Wireshark should snag that. It looks like it also manipulates the hosts file. Looks like there are several variants.

From the other thread http://forum.kodi.tv/showthread.php?tid=...ght=trojan
https://www.virustotal.com/en/file/4483f...485722845/

The file size I got from downloading it from the mirror is 83,559,756. The file size from the virus total website is 83,557,411. So they are 2 different files. There may be something here? No threats from windows defender on the one I just downloaded.

The virustotal from that download. https://virustotal.com/en/file/fc7f288fa...485984801/
Still has one item showing. To be fair v16 also had one showing (a different one).

The mirror list page does not work for me.
Reply
#7
I've edited kib's link to just give a file list.
Search | Banned addons (wiki) | Forum rules (wiki) | First time user (wiki) | FAQs (wiki) | Troubleshooting (wiki) | Add-ons (wiki) | Free content (wiki) | Debug log (wiki)Free Content
Reply
#8
(2017-02-02, 00:03)Prof Yaffle Wrote: I've edited kib's link to just give a file list.

Think that takes you to a random mirror?
Reply
#9
No not completely random, it is weighted to take you to a randomized mirror that is somewhat close to you.
It also takes into account the bandwidth each mirror has, not too overload servers with requests.

The mirrorlist link takes you to a list of all the mirrors that exist.
Another teammember was moving some files around on the server which is why my link broke. This is now being undone.

I'll post the link in a second again.
Reply
#10
http://mirrors.kodi.tv/releases/win32/ko...mirrorlist

That links to a page which shows all mirrors to that file.
It has direct links to all the different mirrors and shows their filesize.

If you do find a wrong mirror with a different filesize, please tell me which mirror is wrong.
I am guessing something on your PC did not download the file correctly.
Reply
#11
I've tested the three biggest mirrors (in bandwidth) just now:
So far everything i tested is clean.

https://www.virustotal.com/en/url/6e3e62.../analysis/
https://www.virustotal.com/en/url/7f0815.../analysis/
https://www.virustotal.com/en/url/c41f95.../analysis/
Reply
#12
I have uploaded a few downloaded files and chose to reanalyze. Microsoft is giving it "Clean" but one of the lesser known is saying there is a "HEUR/QVM20.1.0000.Malware.Gen" which is exactly what we have seen before with nightly builds. In other words, it is another false positive.

https://www.virustotal.com/en/file/fc7f2...485989656/

This does not explain how you got a different filesize though! That is very weird indeed. If you check your download history please tell me which mirror you were downloading from.
Reply

Logout Mark Read Team Forum Stats Members Help
Trojan in Kodi RC4 and files with different checksums!!0