
I wrote this program:

#include <stdio.h>

int main(void)   /* the original omitted the return type; implicit int is not valid C99/C11 */
{
  int n = 1;
  while (n > 0)
  {
    puts("Write a number: ");
    /* scanf returns the number of items converted; on non-numeric input n is
       left unchanged and the original loop would spin forever, so stop instead */
    if (scanf(" %d", &n) != 1)
      break;
    printf("This is the number you wrote: %d\n", n);
  }

  return 0;
}

Apparently there are absolutely no syntax errors, nor any compilation error. It compiled and built perfectly.

Now, if I switch this line:

puts("Write a number: ");

with this one:

printf("Write a number: ");

it compiles with no errors, but when the compiled object launches, it immediately stops and an anti-virus warning pops up saying it identified a trojan horse. Before drawing any conclusions, I built it several times and, after getting the same message, I scanned it on virustotal.com and this was the result.

Well I know puts is actually more correct than printf given the objective, but still it should work just fine.

What's wrong here?

I'm using AVG anti-virus, and Pelles C to compile.

cigien
K09P
  • Curious, is it possible that the compiled object has been tampered with by a virus, after compilation? – Jim W Oct 18 '13 at 20:57
  • This question appears to be off-topic because it is about a bug in an anti-virus software. – Kuba hasn't forgotten Monica Oct 18 '13 at 20:58
  • Heck, there might even be a [virus inside the compiler](http://c2.com/cgi/wiki?TheKenThompsonHack) – Kninnug Oct 18 '13 at 20:58
  • AVG is what's wrong. That's about it. Or you're already infected. – Kuba hasn't forgotten Monica Oct 18 '13 at 20:58
  • In the link provided by the author, *many* AV tools are flagging this as a virus. It's not "just AVG". – user2864740 Oct 18 '13 at 20:59
  • @HotLicks That could be the case for live virus detection, but a scanner can't tell that there's a buffer overrun. Scanners just look for known virus signatures. – Barmar Oct 18 '13 at 21:01
  • Perhaps the problem is Pelles C. http://cm.bell-labs.com/who/ken/trust.html... – Waleed Khan Oct 18 '13 at 21:03
  • Does the same thing happen if you use a different compiler? – Christian Ternus Oct 18 '13 at 21:03
  • AVG likes to detect itself as a virus. – Dave Rager Oct 18 '13 at 21:08
  • I had Avast and this kind of thing would happen to me with almost everything compiled with tcc or gcc under mingw. Sometimes it would merely sandbox it, other times it would delete the binary. The solution for me was to use a different anti-virus. – johnish Oct 18 '13 at 21:19
  • I admit I haven't tried any other compilers; all I can say is that I have recently (today) upgraded from a previous major version and the problem didn't go away with the new version. Is there any free compiler worth trying? Well, I don't know how exactly it can be that off topic, but it's not my call... :) – K09P Oct 18 '13 at 21:54
  • @K09P what was it before and what is it now? – Cole Tobin Oct 18 '13 at 22:19
  • Anyways, most antivirus programs that flagged it think it's a backdoor. WUT? – Cole Tobin Oct 18 '13 at 22:20
  • @Cole Johnson It stayed exactly the same before and after I upgraded Pelles C. Well, I don't know what to think, actually. I started thinking that there could be something interfering with the compiler; that's why I upgraded it in the first place. I even thought there could actually be a virus generating malware code, but got my feet on earth and concluded that's not that much likely =) I am now trying to configure Eclipse for C programming... will edit the post after trying it. – K09P Oct 18 '13 at 22:32
  • Possibly related thread on the Pelles C forum: http://forum.pellesc.de/index.php?topic=4675.15 – SirDarius Oct 18 '13 at 22:46
  • The same code compiled with gcc does not trigger any AV on virustotal; check your machine's sanity. – r043v Oct 18 '13 at 23:05
  • Code is an infinite loop when input is non-numeric --> bad code. So a _virus_? IDK, but certainly a CPU black-hole. – chux - Reinstate Monica Jul 03 '22 at 18:44
  • 2nd thought, perhaps the compiler is injecting a virus? Certain you have a clean compiler tool chain? – chux - Reinstate Monica Jul 03 '22 at 18:47

3 Answers

It's a false positive, obviously. The generated machine code just happens to resemble code that is in the malware database. This has nothing to do with the use of puts().

Nikos C.
  • Of course it has to do with puts. It's puts that when compiled generates code that is identified in the malware database. But yeah, I got what you meant. Anyways it should work and it doesn't, that's the point. – K09P Oct 21 '13 at 16:41

Anti-virus software works on signatures, which are basically known patterns in executable code used by virus software.

Some virus in the wild has a similar pattern to the printf version of the code you wrote (I searched all of the people who did flag you as a virus; unfortunately none of them publish what their signature files are checking for). Due to the fact that you should never call printf with one argument, it is likely many anti-virus software providers may use that as part of their signature process.

The two options you have are: don't call printf with a single argument (which you shouldn't anyway), or submit your program as a false positive to the antivirus vendors that said your program was a virus, and they may update their signatures to rule out your program as a false positive.

Scott Chamberlain
  • What's wrong with using printf the way the OP has? The argument to printf here is a string literal. I don't see the issue. – Raja Oct 18 '13 at 23:17
  • @Raja The thing wrong with it is it causes a false positive in antiviruses. If there is an alternative that does not cause false positives (`puts`) I would use that instead. – Scott Chamberlain Oct 18 '13 at 23:33
  • Yup, I got that part - but why would this ever be dangerous (or how did this end up as a virus signature?) – Raja Oct 18 '13 at 23:46
  • @Raja Like I said, I tried to find explanations of any of the false positives to see what they match, but I could not. I don't know what they are matching on, but the compiled code matched it. – Scott Chamberlain Oct 18 '13 at 23:50
  • @Raja Code is printing `n` without knowing whether `scanf(" %d",&n);` was successful, leading to UB. – chux - Reinstate Monica Jul 03 '22 at 18:49

printf() has an Uncontrolled format string security risk.

You should use puts().

Also found this:

See the comments in What is the difference between printf() and puts() in C?

Just a note on using printf instead of puts: never, ever do a printf(variable) to print a string. Use puts(variable) or printf("%s", variable). There's a security risk in using a variable format string: if the variable can be written by an attacker they can attack the program by using format strings. – Zan Lynx Dec 1 '12 at 9:05

Community
Chad Dienhart
  • None of those format strings are uncontrolled -- however true it is, this is irrelevant here. – jthill Oct 18 '13 at 22:37
  • I am aware of the differences between one and another. Still don't think it makes much sense... Thanks! – K09P Oct 18 '13 at 22:40
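An added example (not code from the question or from any of the answers) showing concretely what Zan Lynx's quoted comment warns about: when user-supplied text is passed as the format string, its '%' sequences are interpreted by the formatter, whereas passing it as a "%s" argument copies it verbatim. The helper names and the sample input are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (hypothetical helper): the caller's string becomes the
 * format string, so any '%' directives in it are interpreted, not printed.
 * With a constructed input that only contains the legal "%%" directive this
 * is well defined; an input with other conversions would be undefined
 * behaviour, which is exactly the risk the answer describes. */
int echo_as_format(const char *user, char *out, size_t outsz)
{
    return snprintf(out, outsz, user);
}

/* Hardened pattern (hypothetical helper): the format string is a literal and
 * the user text is data, so it is copied verbatim however many '%' it holds. */
int echo_as_argument(const char *user, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s", user);
}

int main(void)
{
    char buf[64];
    /* Constructed sample: "%%" is the directive for a single literal '%'. */
    const char *sample = "50%% off";

    echo_as_format(sample, buf, sizeof buf);
    printf("as format  : %s\n", buf);   /* the text is altered: 50% off */

    echo_as_argument(sample, buf, sizeof buf);
    printf("as argument: %s\n", buf);   /* verbatim: 50%% off */

    return 0;
}
```

The same difference applies to printf(variable) versus puts(variable) or printf("%s", variable) in the quoted comment; snprintf is used here only so the results can be inspected in a buffer.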