Versions of bitcoin core? | Bitcointalksearch.org

PeterTheGrape

sr. member

Activity: 462

Merit: 250

Quote from: achow101 on April 17, 2017, 12:07:50 PM

...
Some people who are strongly anti-core have submitted some binaries of Core to antivirus vendors to list them as viruses in order to discourage people from using Core. Since they probably don't want to go through the effort of installing Core and then uninstalling it, they probably just used the binaries from the zip files. Because the binaries from the zip files are different from the ones in the installer due to NSIS, those are the ones that are flagged as viruses and not the ones in the installer.

If you still think that it is a virus, you can check that it is not for yourself. Checkout the 0.14.0 source code and examine it for yourself that there is no virus in there. Then perform the same gitian deterministic build process and release process for yourself and see if the output matches. The way that gitian works is that it will always produce the same exact binaries for the same exact code (normally the binaries will differ even with the same code due to timestamps and other sources of non-determinism). If it matches, then there is no virus. If it does not match, then either you have done something wrong, or the binaries on bitcoin.org are not legitimate. However, that is likely not the case as the hashes of those on bitcoin.org matches the hashes built by the multiple independent gitian builders.

Your first paragraph would explain things to my satisfaction, if that's what happens. Coins are becoming dirty pool but I guess with billions of dollars at stake it's the same as any business. I'm not going to go through all the technical efforts in your second paragraph but you obviously have some expertise so that works. Thanks.

achow101

staff

Activity: 3458

Merit: 6793

Just writing some code

Quote from: PeterTheGrape on April 17, 2017, 11:06:44 AM

I have been downloading coin wallets for 4 years and have downloaded many dozens of wallets and tested lots in virustotal and elsewhere.

I am highly suspicious that two different versions of bitcoind would come bundled in two installs at the same time from bitcoin.org, one testing hot the other not.

It tested bad on a specific trojan, not on heuristics. Something is not right.

Some people who are strongly anti-core have submitted some binaries of Core to antivirus vendors to list them as viruses in order to discourage people from using Core. Since they probably don't want to go through the effort of installing Core and then uninstalling it, they probably just used the binaries from the zip files. Because the binaries from the zip files are different from the ones in the installer due to NSIS, those are the ones that are flagged as viruses and not the ones in the installer.

If you still think that it is a virus, you can check that it is not for yourself. Checkout the 0.14.0 source code and examine it for yourself that there is no virus in there. Then perform the same gitian deterministic build process and release process for yourself and see if the output matches. The way that gitian works is that it will always produce the same exact binaries for the same exact code (normally the binaries will differ even with the same code due to timestamps and other sources of non-determinism). If it matches, then there is no virus. If it does not match, then either you have done something wrong, or the binaries on bitcoin.org are not legitimate. However, that is likely not the case as the hashes of those on bitcoin.org matches the hashes built by the multiple independent gitian builders.

PeterTheGrape

sr. member

Activity: 462

Merit: 250

Quote from: achow101 on April 17, 2017, 09:59:29 AM

Quote from: PeterTheGrape on April 17, 2017, 09:51:11 AM

So, in my situation, the advice you would give to a new person is to tell the antivirus to ignore the alert?

I'll remind you again
I had just downloaded at least two versions of bitcoin from the bitcoin website.
About a day later one of the two alerted on an antivirus as having Rundas.b

Asking again
Your advice to a new person would be "Ignore the alert" / "tell the anti virus not to delete the alerted program"?

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Rundas.B

https://bitcointalksearch.org/topic/m.17069334

From 2 days ago https://forum.ethereum.org/discussion/11946/windows-defender-detectet-rundas-b-troyan-in-ethminer-exe

My advice is that you fully verify that the binary is legitimate by downloading the SHA256SUMS.asc file, verifying the GPG signature with Wladimir's release key, and then check that the sha256 of the binary package you download matches what is in the SHA256SUMS.asc. If that all matches and verifies, then yes, ignore the antivirus and tell it that it is a false positive.

This is not a new issue. This has happened for all versions of Bitcoin Core. Antivirus software will always flag Bitcoin Core as a virus, especially with new versions since people haven't reported the false positive for the new version yet.

How many times do I need to repeat myself? If you fully verify that the download is legitimate, then the antivirus is wrong and it is a false positive.

I have already stated why antivirus software do this.

I have been downloading coin wallets for 4 years and have downloaded many dozens of wallets and tested lots in virustotal and elsewhere.

I am highly suspicious that two different versions of bitcoind would come bundled in two installs at the same time from bitcoin.org, one testing hot the other not.

It tested bad on a specific trojan, not on heuristics. Something is not right.

achow101

staff

Activity: 3458

Merit: 6793

Just writing some code

Quote from: PeterTheGrape on April 17, 2017, 09:51:11 AM

So, in my situation, the advice you would give to a new person is to tell the antivirus to ignore the alert?

I'll remind you again
I had just downloaded at least two versions of bitcoin from the bitcoin website.
About a day later one of the two alerted on an antivirus as having Rundas.b

Asking again
Your advice to a new person would be "Ignore the alert" / "tell the anti virus not to delete the alerted program"?

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Rundas.B

https://bitcointalksearch.org/topic/m.17069334

From 2 days ago https://forum.ethereum.org/discussion/11946/windows-defender-detectet-rundas-b-troyan-in-ethminer-exe

My advice is that you fully verify that the binary is legitimate by downloading the SHA256SUMS.asc file, verifying the GPG signature with Wladimir's release key, and then check that the sha256 of the binary package you download matches what is in the SHA256SUMS.asc. If that all matches and verifies, then yes, ignore the antivirus and tell it that it is a false positive.

This is not a new issue. This has happened for all versions of Bitcoin Core. Antivirus software will always flag Bitcoin Core as a virus, especially with new versions since people haven't reported the false positive for the new version yet.

How many times do I need to repeat myself? If you fully verify that the download is legitimate, then the antivirus is wrong and it is a false positive.

I have already stated why antivirus software do this.

PeterTheGrape

sr. member

Activity: 462

Merit: 250

Quote from: achow101 on April 16, 2017, 11:08:43 PM

Quote from: PeterTheGrape on April 16, 2017, 11:01:15 PM

1) This looks like a real virus https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0

2) I downloaded several versions, the zipped, the installer etc.

3) The virus was found only in the zipped copy.

4) All were downloaded directly from the bitcoin.org website https://bitcoin.org/en/download

5) It was the 'bitcoind' file specifically that Windows defender said had a problem. That was the part of the file that Armory used.

I reinstalled the operating system now but still it seems like things are pretty low tech for a program that people are expected to trust a lot of money with. A bare minimum add on to bitcoin might be some program that automatically checks the hashes of certain files that don't change, like bitcoind. I've been using coins for a while but stopped using bitcoin wallets when they got above 10gb, the only reason I use it now is to get the functionality of Armory.

If it were a false positive then it seems like it would have alerted on the other bitcoind files? Coins are great but a lot of people are going to be too trusting as they attach to strangers' computers to try and download 100+ gb.

If the hash of the zip file matches the hash published on Bitcoin.org and the ones published here: https://github.com/bitcoin-core/gitian.sigs/tree/master/0.14.0-win-unsigned, then I can guarantee you that there is no virus whatsoever. The distributed binaries are built deterministically (meaning that everyone who builds it using the same build process will always get identical binaries) by multiple people, and the hashes are checked and signed by the PGP keys of those people. If the hash that you get from the download matches the hashes of the files built by everyone in the build process (including myself), then the download is genuine and there is no virus.

If you don't trust that there is no virus there, you can even build it yourself and generate the same results.

So, in my situation, the advice you would give to a new person is to tell the antivirus to ignore the alert?

I'll remind you again
I had just downloaded at least two versions of bitcoin from the bitcoin website.
About a day later one of the two alerted on an antivirus as having Rundas.b

Asking again
Your advice to a new person would be "Ignore the alert" / "tell the anti virus not to delete the alerted program"?

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Rundas.B

https://bitcointalksearch.org/topic/m.17069334

From 2 days ago https://forum.ethereum.org/discussion/11946/windows-defender-detectet-rundas-b-troyan-in-ethminer-exe

achow101

staff

Activity: 3458

Merit: 6793

Just writing some code

Quote from: PeterTheGrape on April 16, 2017, 11:01:15 PM

1) This looks like a real virus https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0

2) I downloaded several versions, the zipped, the installer etc.

3) The virus was found only in the zipped copy.

4) All were downloaded directly from the bitcoin.org website https://bitcoin.org/en/download

5) It was the 'bitcoind' file specifically that Windows defender said had a problem. That was the part of the file that Armory used.

I reinstalled the operating system now but still it seems like things are pretty low tech for a program that people are expected to trust a lot of money with. A bare minimum add on to bitcoin might be some program that automatically checks the hashes of certain files that don't change, like bitcoind. I've been using coins for a while but stopped using bitcoin wallets when they got above 10gb, the only reason I use it now is to get the functionality of Armory.

If it were a false positive then it seems like it would have alerted on the other bitcoind files? Coins are great but a lot of people are going to be too trusting as they attach to strangers' computers to try and download 100+ gb.

If the hash of the zip file matches the hash published on Bitcoin.org and the ones published here: https://github.com/bitcoin-core/gitian.sigs/tree/master/0.14.0-win-unsigned, then I can guarantee you that there is no virus whatsoever. The distributed binaries are built deterministically (meaning that everyone who builds it using the same build process will always get identical binaries) by multiple people, and the hashes are checked and signed by the PGP keys of those people. If the hash that you get from the download matches the hashes of the files built by everyone in the build process (including myself), then the download is genuine and there is no virus.

If you don't trust that there is no virus there, you can even build it yourself and generate the same results.

PeterTheGrape

sr. member

Activity: 462

Merit: 250

Quote from: achow101 on April 14, 2017, 12:12:33 PM

Quote from: PeterTheGrape on April 14, 2017, 12:09:21 PM

The hashes were the ones I posted.

Then there is no problem and you can ignore the warning and tell your antivirus that it is a false positive.

1) This looks like a real virus https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0

2) I downloaded several versions, the zipped, the installer etc.

3) The virus was found only in the zipped copy.

4) All were downloaded directly from the bitcoin.org website https://bitcoin.org/en/download

5) It was the 'bitcoind' file specifically that Windows defender said had a problem. That was the part of the file that Armory used.

I reinstalled the operating system now but still it seems like things are pretty low tech for a program that people are expected to trust a lot of money with. A bare minimum add on to bitcoin might be some program that automatically checks the hashes of certain files that don't change, like bitcoind. I've been using coins for a while but stopped using bitcoin wallets when they got above 10gb, the only reason I use it now is to get the functionality of Armory.

If it were a false positive then it seems like it would have alerted on the other bitcoind files? Coins are great but a lot of people are going to be too trusting as they attach to strangers' computers to try and download 100+ gb.

achow101

staff

Activity: 3458

Merit: 6793

Just writing some code

Quote from: PeterTheGrape on April 14, 2017, 12:09:21 PM

The hashes were the ones I posted.

Then there is no problem and you can ignore the warning and tell your antivirus that it is a false positive.

PeterTheGrape

sr. member

Activity: 462

Merit: 250

Quote from: achow101 on April 14, 2017, 10:38:03 AM

Quote from: PeterTheGrape on April 14, 2017, 10:34:28 AM

Just got an alert from Antivirus that this malware Trojan:Win32Rundas.B was found inside the Bitcoin core bitcoind.

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0

As long as you have verified the binary when you downloaded it from bitcoin.org, it is safe and legitimate. Antivirus software will often flag Bitcoin Core as a virus because it contains mining code (to allow you to mine on testnet and regtest) and looks for a wallet.dat file (that's the wallet file that Core uses and creates).

The hashes were the ones I posted. It was listed as safe on virustotal.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Items:
containerfile:C:\Users\xxxxx\Downloads\bitcoin-0.14.0-win64.zip
file:C:\Users\xxxxx\Downloads\bitcoin-0.14.0-win64.zip->bitcoin-0.14.0/bin/bitcoind.exe

Get more information about this item online.

achow101

staff

Activity: 3458

Merit: 6793

Just writing some code

Quote from: PeterTheGrape on April 14, 2017, 10:34:28 AM

Just got an alert from Antivirus that this malware Trojan:Win32Rundas.B was found inside the Bitcoin core bitcoind.

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0

As long as you have verified the binary when you downloaded it from bitcoin.org, it is safe and legitimate. Antivirus software will often flag Bitcoin Core as a virus because it contains mining code (to allow you to mine on testnet and regtest) and looks for a wallet.dat file (that's the wallet file that Core uses and creates).

PeterTheGrape

sr. member

Activity: 462

Merit: 250

Just got an alert from Antivirus that this malware Trojan:Win32Rundas.B was found inside the Bitcoin core bitcoind.

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin32%2fRundas.B&threatid=2147720787&enterprise=0

achow101

staff

Activity: 3458

Merit: 6793

Just writing some code

This is normal and completely fine. You can replicate the results yourself if you go through the gitian build process. The reason this happens is because one is in the installer and gets a couple of extra things because of NSIS and the other is just the plain binary file that comes straight out of compiling.

PeterTheGrape

sr. member

Activity: 462

Merit: 250

Downloaded the zipped and installable bitcoin qt's and noticed they had different hashes, though otherwise very similar

https://virustotal.com/en/file/822240e8e036cec48137ca64c3407f58cbfa877d0b5c6b08a2028c4a2fd86818/analysis/1492112786/

https://virustotal.com/en/file/2b050cffb91137d756a3860d699e15130dfda5b0defc9ea0063526d24df2a0f0/analysis/1492112839/

Then clicked on the other virustotal uploads that included the qt

https://virustotal.com/en/file/f260d52cf2fe91c4be99ed6fcf8aa0de669ff326c5da920b7ed3a3e2ec981e0a/analysis/

https://virustotal.com/en/file/415693ed81cfc4960bbfcb815529003405aefbf839ef8fc901b0a2c4ef5317d0/analysis/

https://virustotal.com/en/file/78589e5a0929056611f2dcc2ac0380382f1bbbdc4a88b85e10e915f99b9d1f0b/analysis/

https://virustotal.com/en/file/7996a8d3c0a9e4e6af75fe91a4ef6cb1afd7e2e62a79428031f88d16088afb10/analysis/

https://virustotal.com/en/file/cce4f2c01fe6b6bb7fbd5cdc0827c73ee5f1b3f05b2fc9951104f586a2be12b1/analysis/

Should a person be concerned that there are two different hashes for the same bitcoin-qt.exe 0.14.0.0, i.e., the first two virustotals above?

Topic: Versions of bitcoin core? (Read 1619 times)