Toggle sidebar

Homebrew Discussion PSA: SuperLan might be a virus

  • Thread starter Thread starter LUCKASS
  • Start date Start date
  • Views Views 11,515
  • Replies Replies 63
  • Likes Likes 1
10(dd)/12(mm)/2018 @ 10:50AM
Analyse for the "client-b" (SHA256: 41251978b0f7f49a895725b39a75639fd4e5a55386d64fb9c54ffd965e793da3)
Analyse for the "client" (SHA256: c304b194c4be0a6808e18a159b32faaec0ffd970fce117104633feb8a1ec18cd)

It's a quite bad ratio in my opinion for the "client-b"

Someone has an explanation concerning the difference between the two client, I'm not using superlan for now.
And is there more player connected to superlan ? I checked the original lan soft and there is only 32 players connected to US server.
 
Last edited by LUCKASS,
LUCKASS said:
10(dd)/12(mm)/2018 @ 10:50AM
Analyse for the "client-b" (SHA256: 41251978b0f7f49a895725b39a75639fd4e5a55386d64fb9c54ffd965e793da3)
Analyse for the "client" (SHA256: c304b194c4be0a6808e18a159b32faaec0ffd970fce117104633feb8a1ec18cd)

It's a quite bad ratio in my opinion for the "client-b"
Someone has an explanation concerning the difference between the two client, I'm not using superlan for now.
Click to expand...
Wow Client-B got WAAAAY to many hits for being a false positive. I mean Bitdefender? Variant.MSILPerseus.172810 is a real trojan and not a false positive statement, so that file is fishy as all heck now.
 
  • Like
Reactions: focusonme and LUCKASS
LUCKASS said:
10(dd)/12(mm)/2018 @ 10:50AM
Analyse for the "client-b" (SHA256: 41251978b0f7f49a895725b39a75639fd4e5a55386d64fb9c54ffd965e793da3)
Analyse for the "client" (SHA256: c304b194c4be0a6808e18a159b32faaec0ffd970fce117104633feb8a1ec18cd)

It's a quite bad ratio in my opinion for the "client-b"
Someone has an explanation concerning the difference between the two client, I'm not using superlan for now.
Click to expand...
presumably - and that's just a wild guess - the "client-b" seems to be compressed, whereas "client" isn't.
And since this is a method viruses use to obfuscate themselves from being identified by a checksum, client-b is caught in the heuristic engines of various Antivirus Software because it simply utilizes similar methods to real viruses.

While I would more assume it's a false positive, i'd still stay clear off the tool and I recommend everyone to do the same.
 
Last edited by Localhorst86,
  • Like
Reactions: Subtle Demise, focusonme and LUCKASS
LUCKASS said:
To be sure, just use the regular SwitchLanPlay, it does the exact same thing.
Click to expand...
Localhorst86 said:
presumably - and that's just a wild guess - the "client-b" seems to be compressed, whereas "client" isn't.
And since this is a method viruses use to obfuscate themselves from being identified by a checksum, client-b is caught in the heuristic engines of various Antivirus Software because it simply utilizes similar methods to real viruses.

While I would more assume it's a false positive, i'd still stay clear off the tool and I recommend everyone to do the same.
Click to expand...
thank you! will stay the hell out :D
 
LUCKASS said:
10(dd)/12(mm)/2018 @ 10:50AM
Analyse for the "client-b" (SHA256: 41251978b0f7f49a895725b39a75639fd4e5a55386d64fb9c54ffd965e793da3)
Analyse for the "client" (SHA256: c304b194c4be0a6808e18a159b32faaec0ffd970fce117104633feb8a1ec18cd)

It's a quite bad ratio in my opinion for the "client-b"

Someone has an explanation concerning the difference between the two client, I'm not using superlan for now.
And is there more player connected to superlan ? I checked the original lan soft and there is only 32 players connected to US server.
Click to expand...
https://avcaesar.malware.lu/sample/41251978b0f7f49a895725b39a75639fd4e5a55386d64fb9c54ffd965e793da3
 
"Client B" is the "beta version". The non-beta version was updated, whereas the "beta" version is still the obfuscated mess it was before.
 
Localhorst86 said:
Have you looked at the dates of the virus definitions used?
Click to expand...
No, but that wasn't the point of linking that. AV scans are useless to me anyway. They're never to be solely relied on, and really don't offer anything to actual analysis. This is why I despise sites like VT, because they only serve to propagate samples amongst AV companies and give people false hope. Sites like Malwr, AVCeasar, and Hybrid Analysis give detailed reports on the sample. If you wanna do it at home, look into the Cuckoo sandbox, or create your own environment with Komodo, Sandboxie, PE Explorer, and MBAM.
 
Joom said:
No, but that wasn't the point of linking that. AV scans are useless to me anyway. They're never to be solely relied on, and really don't offer anything to actual analysis. This is why I despise sites like VT, because they only serve to propagate samples amongst AV companies and give people false hope. Sites like Malwr, AVCeasar, and Hybrid Analysis give detailed reports on the sample. If you wanna do it at home, look into the Cuckoo sandbox, or create your own environment with Komodo, Sandboxie, PE Explorer, and MBAM.
Click to expand...
So, care to comment on what information we should get from your link which we didn't have before?
 
Joom said:
Yeah. It's benign. You guys can stop posting VT links going "omg virus".
Click to expand...
So, just to make sure I am getting this right.

You don't trust sites like virustotal and to "debunk" the results on that site you post a link to another site using highly outdated malware definitions under the premise it gives us "detailed reports" (to quote you) on the file without elaborating what additional detailed information your link is supossed to give us that was not already available on the virustotal results?

I do agree that you should not rely solely on a VT results page, but not everyone in here is a malware forensics expert. And I find it highly dangerous to simply scrub of a result page like this as not potentially dangerous for the sake of less experienced users. But a result like this should always raise a red flag for the average user and if someone asks if they should use this software, our answer should always be "no". Because otherwise next time, they might not ask someone and really run malicious software.

@GerbilSoft has provided a lot of details on this file in this thread already

For the record: I find it reasonable to assume that the software is not actually malware. But this software still has lots of signs that should tell us: better use something else instead.
 
  • Like
Reactions: Subtle Demise
LUCKASS said:
edit : 10/12/2018 @ 10:50AM (dd/mm/yyyy)
Analyse for the "client-b" (SHA256: 41251978b0f7f49a895725b39a75639fd4e5a55386d64fb9c54ffd965e793da3)
Analyse for the "client" (SHA256: c304b194c4be0a6808e18a159b32faaec0ffd970fce117104633feb8a1ec18cd)
It's a quite bad ratio in my opinion for the "client-b" (too many hits to be a false positive)


To be sure, just use the regular SwitchLanPlay, it does the exact same thing.

It's maybe a false-positive, it's maybe a virus
I just wanted to share this to the community


This is not from me, just took the reddit one

https://cdn.discordapp.com/attachments/490143667038715906/516704618617634819/Super_Lan_Play_Exposed_1.html

And here, a chat with community influencer Cubuss, giving us more info

https://i.imgur.com/1ghJnbW.jpg
Click to expand...
“Do you have TeamViewer?

no i dont use software that scammers use.“

That right there tells me you don’t know what you’re talking about, TeamViewer is just a software taken advantage of by scammers, not a scam program. In fact, they started adding a warning message to any connection from an Indian IP. Scammers also use Chrome/Firefox, do you not use those programs because of it? Now i’m not saying that it isn’t a virus, it very may well be, but you don’t seem to be the right person to accuse that.
 
guyman70718 said:
“Do you have TeamViewer?

no i dont use software that scammers use.“

That right there tells me you don’t know what you’re talking about, TeamViewer is just a software taken advantage of by scammers, not a scam program. In fact, they started adding a warning message to any connection from an Indian IP. Scammers also use Chrome/Firefox, do you not use those programs because of it? Now i’m not saying that it isn’t a virus, it very may well be, but you don’t seem to be the right person to accuse that.
Click to expand...

Do you realize that I'm not the guy that discussed that with him?
 
Localhorst86 said:
So, just to make sure I am getting this right.

You don't trust sites like virustotal and to "debunk" the results on that site you post a link to another site using highly outdated malware definitions under the premise it gives us "detailed reports"
Click to expand...
Yes, because again, AV definitions can't really be trusted. I suggest you study up on crypters (and I don't mean public obfuscation software). What if there were absolutely no detections at all? Would any of you actually further analyze the binary? In this scenario, the author used a common packing and obfuscation method used by malware for years. All detections are purely heuristic signatures. The binary makes no drops, doesn't hook suspiciously, only contacts GitHub and grabs WinPCAP. These actions alone are enough to set off an AV since remote files are accessed and downloaded silently. It takes a bit of nuance, not scantime results, to understand what is and isn't malicious.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Feedback Homebrew  Essential Homebrew

Homebrew Tutorial Translation Project  CS2SX — Write Nintendo Switch Homebrew in C#

Homebrew Homebrew game Project  So... Dan didn't want to reveal his Vulkan, so I made mine.

Homebrew Homebrew game  Lego Star Wars: The Complete Saga · Switch Port

Homebrew Homebrew game  GTA: Chinatown Wars - Switch port

running 20.5 Is it worth upgrading my firmware...?

Homebrew Homebrew game  Half Life 2 (Source Engine) - Switch Port

Homebrew Homebrew game  Final Fantasy IV 3D Remake - Switch port