
I'm trying to use a debugger (namely OllyDbg) to analyze some exe files.

However, all the versions I downloaded from the Internet are considered as Trojans by some anti-virus software. (I use www.virustotal.com to scan the binary I downloaded)

Do OllyDbg's main behaviors belong to a kind of Trojan?

Currently, I want to download OllyDbg v1.10 defixed (version from [potentially harmful link] http://4server.info/download/4shared.com/rar/RFNpFbiP/ollydbg_v110_defixed.html)

Here is the scan result of "ollydbg v1.10 defixed.rar" by virustotal:

VirusTotal results

Does "ollydbg v1.10 defixed.rar" really contain Trojans?

lyenliang
  • Why don't you download it from the official site? – S.L. Barth Mar 03 '15 at 14:55
  • Sure looks like it if VirusTotal says so! Don't download software from shady websites kids, especially if you can download it from the official site for free ;) – Mints97 Mar 03 '15 at 14:56
  • The .rar format by itself is pretty unusual for legitimate software, and the 4shared link (generic file upload site) is the *icing on the cake*. –  Mar 03 '15 at 16:03
  • I did have a problem with an NT/Nokia development kit, on Vista. The built-in MS virus detection (or was it Kaspersky?) was constantly removing pieces of the debugger. Finally figured out which knobs to turn. Can't tell you more since it's been about 4 years. – Hot Licks Mar 03 '15 at 18:05

2 Answers

The link provided in the question seems really fishy. If it's a "patched" version supposed to get rid of limitations, it's more than probable the fixer added some kind of additional surprises (like a virus) in it. The official site already proposes a free version of the software, so I would start there to avoid getting a virus from a random stranger.

This being said, it's not impossible that anti-viruses detect innocuous programs as malware. This happens because AV checks for some known signatures of exploits and/or detects unusual behaviour, like access to some memory ranges for example.

Debuggers have these kinds of odd behaviours, as they need to bind to existing processes, de-route function calls, check and modify memory, etc.

M'vy
  • Most antivirus consider legitimate cracks, not containing any undesired software, as "generic trojans". This is presumably to discourage their use and/or simply because it's, generally speaking, a risky category of software. Still, I think it's very wrong to intentionally erroneously classify software we don't like as a trojan. I obviously can't speak for this specific case. – Andreas Bonini Mar 03 '15 at 19:44
  • @AndreasBonini, a few years ago, when I used Windows a lot more, it seemed to be the corporate security packages that flagged all cracked versions as malware while AVG free (which is what I used then) didn't. – Chris H Mar 03 '15 at 19:49
  • @ChrisH Makes sense from a policy perspective: if you have a cracked executable on a work image, something has gone *very* wrong. – sapi Mar 03 '15 at 22:13
  • I say the opposite of @AndreasBonini. While most cracks do what they claim to do, they **also** inject some kind of malware to the original software. I won't name them, but I have found a few of my own by sniffing the packets. Piracy is not 100% free. – AKS Mar 04 '15 at 03:49
  • "legitimate cracks" - lol – piet.t Mar 04 '15 at 07:43
  • @AyeshK: I don't doubt that. What I'm saying though is that antivirus consider *all* cracks as malware, whether they have it or not. This trains users to ignore the antivirus warnings (because most of the time they are false positives, hell, *intentional* false positives) so when they do finally come across a crack containing real malware, they will ignore the warnings because the antivirus cried wolf. – Andreas Bonini Mar 04 '15 at 15:00
  • @sapi, that's of course true. A more helpful/honest error message couldn't hurt though. And things do go wrong in the field with network-licenced software that you "don't need" out of the office. – Chris H Mar 04 '15 at 17:11

These detections you see are false positives because the original DeFixed_Edition.rar (OllyDbg - FOFF Team Edition 2.0) is falsely detected by false positives too.

If you update the file PhantOm.dll (PhantOm Plugin) with an updated version of the plugin, you would see the number of false detections decrease significantly.

schroeder