UBot Underground

A while back, someone made me a demo program with little to no code in it, compiled by ubot.

All was well, until I decided to check the md5 hash on virustotal.

Bam, 24 detections..

How is this possible?

Is ubot's obfuscation messing with antivirus software / url scanners?

I want to buy the developer edition of ubot tomorrow, but I'm worried about my program(s) being flagged as malicious even though they aren't.

The program was created with ubot v4 about 6 months ago, so hopefully things have changed?

If anyone has a recent scan link with false detections on it, could they please post it here as well, thanks!


Already read it, unfortunately it's a bit useless :l

Because of the program's detections, it scares a lot of people off, as well as opens a door for other developers to sell trash.

I was recently banned from a marketing website because apparently my file was infected, yet it wasn't, just riddled with ubot's false positives.


Prototype and test with ubot and if it has potential and enough customers, convert to another language. 

That's my approach at the moment.

Dan



Are you seeing the false positive results with every bot you compile, or are you noticing it in specific bots?

Does a compiled bot with only a navigate command cause false positives, for instance?


This is the scan result on a file with navigate google.com

SHA256: b1140c11f390d84b6cb521fc75f169f751ca8621079d9e6b7f86e4e54208d501
File name: false_positives_nav_only.exe
Detection ratio: 5 / 57
Analysis date: 2015-05-23 08:12:33 UTC ( 1 minute ago )
https://www.virustotal.com/en/file/b1140c11f390d84b6cb521fc75f169f751ca8621079d9e6b7f86e4e54208d501/analysis/1432368753/

navigate("http://www.google.com", "Wait")

File size: 3.5 MB ( 3668638 bytes )
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
TrID: Generic CIL Executable (.NET, Mono, etc.) (56.7%), Win64 Executable (generic) (21.4%), Windows screen saver (10.1%), Win32 Dynamic Link Library (generic) (5.0%), Win32 Executable (generic) (3.4%)
Tags: peexe assembly overlay

VirusTotal metadata
First submission: 2015-05-23 08:12:33 UTC ( 14 minutes ago )
Last submission: 2015-05-23 08:12:33 UTC ( 14 minutes ago )
File names: false_positives_nav_only.exe, Bot.exe

Advanced heuristic and reputation engines
Symantec reputation: Suspicious.Insight
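The report above tags the file "peexe assembly overlay" and identifies it as a .NET assembly, and those two structural properties (a CLR header plus data appended after the last section) are exactly what a developer can verify locally before uploading a build. The script below is an added example, not code from this thread or from UBot: it parses the PE headers for the CLR data directory and the overlay size, and builds a constructed minimal PE32 image for testing; the tag names only mimic VirusTotal's labels, the rules VirusTotal actually applies are not stated on the page.

```python
import struct

def pe_summary(data: bytes) -> dict:
    """Parse PE headers: PE32 vs PE32+, CLR (.NET) directory, overlay size."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0] # SizeOfOptionalHeader
    opt = pe_off + 24                                         # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = 96 if magic == 0x10B else 112                    # data dirs: PE32 / PE32+
    ndirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    # directory index 14 is the CLR runtime header; non-zero means a .NET assembly
    rva, size = struct.unpack_from("<II", data, opt + dd_off + 14 * 8) if ndirs > 14 else (0, 0)
    clr = rva != 0 and size != 0
    sec = opt + opt_size                                      # first section header
    ends = [sum(struct.unpack_from("<II", data, sec + i * 40 + 16)) for i in range(nsec)]
    overlay = len(data) - max(ends, default=0)                # bytes past the last section
    return {"pe32": magic == 0x10B, "clr_header": clr, "overlay_bytes": max(0, overlay)}

def tags(data: bytes) -> list:
    """Labels in the style of VirusTotal's tag line (assumed mapping, not VT's own rules)."""
    s = pe_summary(data)
    out = ["peexe"]
    if s["clr_header"]:
        out.append("assembly")
    if s["overlay_bytes"]:
        out.append("overlay")
    return out

def build_sample(overlay: bytes, dotnet: bool) -> bytes:
    """Constructed minimal PE32 image with one section (test data, not a runnable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                    # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)              # CLR directory
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x1000,
                                           0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    img = dos + coff + bytes(opt) + section
    img += b"\0" * (0x200 - len(img)) + b"\xcc" * 0x200                   # section body
    return img + overlay                                                   # appended overlay

if __name__ == "__main__":
    print(tags(build_sample(b"embedded bot script", True)))              # ['peexe', 'assembly', 'overlay']
```

Run it against a compiled bot with `pe_summary(open("Bot.exe", "rb").read())` to see whether the build carries an overlay and a CLR header, the same features the report flags.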


Is this a bot compiled with UBot 5.5 and above or UBot 4?

If it is a UBot 5 bot, please open a ticket and we'll walk through the issue with you.
