Why are Rock-XP / Magic Jellybean Keyfinder id'd by antivirus progs?

[Virus Guy]

I've got old versions of Rock-XP and Keyfinder that are always being
nailed when I do a scan on a few XP systems. Out of curiosity I
uploaded them to VT and they are flagged by fully half the progs. Some
of the flags are "Not.A.Virus.what-ever" but most are not clear about
that. Some id them as droppers (?).

Is it _really_ necessary to flag these apps if they actually don't do
anything malicious?

 

[FromTheRafters]

I've got old versions of Rock-XP and Keyfinder that are always being
nailed when I do a scan on a few XP systems. Out of curiosity I
uploaded them to VT and they are flagged by fully half the progs.
Some
of the flags are "Not.A.Virus.what-ever" but most are not clear about
that. Some id them as droppers (?).

Is it _really_ necessary to flag these apps if they actually don't do
anything malicious?

They can be used maliciously, and trojans are defined subjectively. IMO
it should be a PUP.

This is the sort of thing that comes from AV getting into general
malware - if they were only concerned with viruses, there would be less
grey area problems like this (it replicates or it doesn't). Now they
have to guess at the mind of the user (is this tool wanted or not)?

 

[Bill]

Is it _really_ necessary to flag these apps if they actually don't do
anything malicious?

Some AV products detect programs that assist in pirating of software.

 

[Virus Guy]

They can be used maliciously, and trojans are defined subjectively.

How can they be used maliciously?

Can they be invoked silently?

Do they have enough command line switches to perform desired tasks?

Can their output be piped to a file?

 

[Virus Guy]

Some AV products detect programs that assist in pirating of
software.

Why detect or flag software on the basis that they're probably on the
system intentionally as desired by the user?

Since when does a virus-scan turn into a nanny-scan?

 

[Bill]

Why detect or flag software on the basis that they're probably on the
system intentionally as desired by the user?

Some of the better programs have an off switch and give the option.

 

[FromTheRafters]

How can they be used maliciously?

To crack passwords?

Can they be invoked silently?

Does it matter?

Do they have enough command line switches to perform desired tasks?

Again, does it matter?

Can their output be piped to a file?

....and again?

I think by configuration you can keep your own AV from alerting on PUPs.
By all means, if someone found them on their system and uploaded them to
VT it should be detected (and alerted to) as grey area malware.

 

[Virus Guy]

To crack passwords?


Does it matter?

Yes, it does matter.

If apps like Rock-XP / Keyfinder are on a system because they were
downloaded as secondary payload by malware, and if the malware intends
to use those programs to discover product keys and passwords, then those
programs must be invoked and controlled by the malware in such a way
that is invisible to the user, and the output of those programs must
also be captured in such a way that is useful to the malware so that
(presumably) that information can be transfered back to hackers /
bot-owners.

If Rock-XP / Keyfinder does not have that capability, then I fail to
understand any argument as to why they should be flagged as malware or
even evidence of latent malware presence.

(I believe that Rock-XP and Keyfinder only provide product keys and NOT
passwords - making their value as malware helpers somewhat suspect)

 

[FromTheRafters]

Yes, it does matter.

If apps like Rock-XP / Keyfinder are on a system because they were
downloaded as secondary payload by malware, and if the malware intends
to use those programs to discover product keys and passwords, then
those
programs must be invoked and controlled by the malware in such a way
that is invisible to the user, and the output of those programs must
also be captured in such a way that is useful to the malware so that
(presumably) that information can be transfered back to hackers /
bot-owners.

There is more to malware than just remote access and command and
control. Some malware needs to be detected even though the environment
it resides in cannot execute it. A system administrator might not want
an employee storing password cracking software on the company's Linux
server.

If Rock-XP / Keyfinder does not have that capability, then I fail to
understand any argument as to why they should be flagged as malware or
even evidence of latent malware presence.

I agree, that is why I suggested that it should be detected as a PUP.
Not really malware.

(I believe that Rock-XP and Keyfinder only provide product keys and
NOT
passwords - making their value as malware helpers somewhat suspect)

http://www.korben.info/rockxp
http://www.magicaljellybean.com/keyfinder/faq.shtml#spyware