
I just found that this code is detected as a virus by some antivirus programs.

#include <stdio.h>

char* func(char *str) {
    return str;
}

void main() {
    char *str = "What the hack\n";
    char *str2 = func(str);
    printf(str2);
}

VirusTotal scan result image:

[image: VirusTotal scan result]

Do you know why?

eyllanesc
SeetFack
  • I compiled it, no virus. Perhaps your computer has some viruses. – user3629249 Jan 17 '17 at 04:53
  • Possibly because it has the word "hack" in it? In any case, I'm not *sure* it's a programming-related question? – paxdiablo Jan 17 '17 at 04:53
  • Regardless of what Visual Studio may allow, the return type from `main()` is ALWAYS `int`. – user3629249 Jan 17 '17 at 04:54
  • This line: `printf(str2);` does not compile; suggest: `printf( "%s\n", str2 );` – user3629249 Jan 17 '17 at 04:55
  • You can compile it and upload it to virustotal.com. – SeetFack Jan 17 '17 at 04:55
  • @user3629249 What? That surely compiles. – YoTengoUnLCD Jan 17 '17 at 04:55
  • @user3629249, `printf` with a `char*` compiles fine. It may not be a good idea if you don't control the content, but you definitely *do* control it in this case. – paxdiablo Jan 17 '17 at 04:56
  • I thought "printf" works with a pointer, so maybe it works. – SeetFack Jan 17 '17 at 04:57
  • Maybe I should have said: does not cleanly compile. Here is what my `gcc` compiler has to say about the `printf()` statement: *warning: format not a string literal and no format arguments [-Wformat-security]* – user3629249 Jan 17 '17 at 04:58
  • @paxdiablo The original string was "fxxk"; I think "hack" doesn't matter. – SeetFack Jan 17 '17 at 04:58
  • @user3629249 A warning is obviously not an error. – Stargateur Jan 17 '17 at 04:59
  • I get only one positive with your code: _Qihoo-360 HEUR/QVM10.1.0000.Malware.Gen_ – Danh Jan 17 '17 at 05:03
  • @Danh At virustotal.com? What is Malware.Gen? Does that code generate malware? – SeetFack Jan 17 '17 at 05:12
  • https://www.virustotal.com/en/file/eb71a851a02063417522a7fbdb7afd2b821831f903c90737ea9fa7dc9b689568/analysis/1484629337/ – Danh Jan 17 '17 at 05:12
  • I have never heard of Qihoo-360. I don't think that code generates malware. And your malware analysis is different from mine; I think it's your computer. – Danh Jan 17 '17 at 05:15
  • [link](https://virustotal.com/ko/file/e6c4c735777ef16780f094f9f979999dd66752dd595e235897c4cedf42e76bbb/analysis/1484629341/) Why is it different between my result and your result? @Danh – SeetFack Jan 17 '17 at 05:16
  • I compiled it with [VS 2015](https://virustotal.com/en/file/5e86796475bec9466c6c8a717ffb65301509996afed9b51fb8a220d258505db4/analysis/1484661745/) and [mingw-w64](https://virustotal.com/en/file/abd1c0f29cb0366f09335811a4d3b3f57326e1c1640382581b102f87bfa425fe/analysis/1484656874/) and did not get many of those detections. Which compiler+linker do you use? – user45891 Jan 17 '17 at 14:07
  • Malware.Gen means a "generic" detection instead of a signature-based one. That can mean a number of things, e.g. too high entropy indicating compressed/encrypted data, an uncommon section/import/resource/... layout, a very small executable, EOF data, ... – user45891 Jan 17 '17 at 14:10
  • As it is easy to look for `"What the hack"` in the executable, edit that string to include a `%` and cause problems with `printf("%sat the hack");`; perhaps a prior virus used similar code? – chux - Reinstate Monica Jan 17 '17 at 16:05
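The comment thread above turns on `printf(str2)` and the `-Wformat-security` warning. The following is an added example, not code from the question or its answers, that shows what the compiler is objecting to: a check reporting whether a string, if used as a printf format, would consume arguments (the `%` that chux's edited string introduces), next to the hardened call that passes the text as data rather than as the format. `has_format_directive`, `print_text` and the sample strings are constructed here for illustration.

```c
#include <stdio.h>

/* Added example, not code from the question or its answers. The comments
 * disagree about printf(str2): it compiles, but the string is used as the
 * *format*, so any '%' inside it becomes a conversion directive and printf
 * reads arguments that were never passed. That is what -Wformat-security
 * warns about, and what chux's "%sat the hack" edit would trigger. Harmless
 * while the string is a literal the program owns; not otherwise. */

/* Returns 1 if s, used as a printf format, would consume arguments:
 * it contains a '%' that is not the literal escape "%%". */
int has_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" just prints a '%' */
        return 1;                             /* "%s", "%n", a lone '%', ... */
    }
    return 0;
}

/* Hardened form of printf(str): the text is an argument, never the format.
 * Returns printf's count of characters written. */
int print_text(const char *s) {
    return printf("%s", s);   /* fputs(s, stdout) is the other usual choice */
}

int main(void) {
    const char *literal = "What the hack\n";
    const char *tainted = "%sat the hack\n";   /* constructed, after chux's comment */
    printf("literal used as format would consume args: %d\n", has_format_directive(literal));
    printf("tainted used as format would consume args: %d\n", has_format_directive(tainted));
    /* Both are safe to print once the text is passed as data. */
    print_text(literal);
    print_text(tainted);
    return 0;
}
```

Compiling the original snippet with `gcc -Wformat-security` reproduces user3629249's warning; compiling this one does not, because every format string is a literal.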

1 Answer


The issue:

Your program is an executable file that you compiled. That means that it doesn't have any background. Your program will raise fewer flags if, for example, it had a verified publisher associated with it. See this post for some more detail on that. In addition, your app runs invisibly; that is, it does not allow user input. That is often a 'red flag' that will be detected by some antivirus programs.

Proof:

Your initial program looks like this when I compile it:

[image: scan result, as-is]

However, I altered the program like so:

#include <stdio.h>

char* func(char *str) {
    return str;
}

void main() {
    char str[] = "What the heck\n";
    char *str2 = func(str);
    printf(str2);
}

the program looks like this (the word was changed to heck and initialized differently):

[image: slightly altered program]

Note that it looks exactly the same.

Now, when I alter the program like this:

#include <stdio.h>

//char* func(char *str) {
//    return str;
//}

void main() {
    char str[] = "What the heck\n";
    //char *str2 = func(str);
    //printf(str2);
}

the results look like this:

[image: near-empty program]

Scott Forsythe
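user45891's comment on the question lists high entropy among the signals behind a generic verdict such as Malware.Gen, and the answer above shows the scan changing as the executable shrinks. As an added example, not from the answer or the question, this computes Shannon entropy in bits per byte over a buffer, which is how such a heuristic is usually scored: a buffer of one repeated byte value scores 0.0, a buffer in which all 256 values are equally frequent scores 8.0, and packed or encrypted sections sit near the top while plain code and text sit well below. `shannon_entropy`, `looks_packed`, the 7.0 threshold and the sample buffers are assumptions made here, not values from any scanner; a small `log2` is included so the file builds without linking libm.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the question or answer. A generic verdict like
 * Malware.Gen can come from how the bytes look rather than from a known
 * signature; user45891 names high entropy (compressed/encrypted data) as one
 * such signal. Shannon entropy in bits per byte: 0.0 for a single repeated
 * byte value, 8.0 when all 256 values are equally frequent. */

/* log2(x) for 0 < x <= 1 without libm (so this builds with plain `cc file.c`):
 * write x = m * 2^e with m in [1,2), then ln(m) = 2*atanh((m-1)/(m+1)) via
 * its series; (m-1)/(m+1) <= 1/3, so 30 terms are far more than enough. */
static double log2_unit(double x) {
    int e = 0;
    while (x < 1.0) { x *= 2.0; e--; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 60; k += 2) { sum += term / k; term *= y2; }
    return e + 2.0 * sum / 0.6931471805599453;   /* divide by ln 2 */
}

/* Shannon entropy of buf[0..len) in bits per byte. */
double shannon_entropy(const unsigned char *buf, size_t len) {
    if (len == 0) return 0.0;
    size_t counts[256] = {0};
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    double h = 0.0;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_unit(p);
    }
    return h;
}

/* Hypothetical packed/encrypted-section heuristic; 7.0 is an illustrative
 * threshold, not a value from any real scanner. */
int looks_packed(const unsigned char *buf, size_t len) {
    return shannon_entropy(buf, len) > 7.0;
}

/* Entropy of a constructed buffer holding every byte value exactly once. */
double entropy_of_all_byte_values(void) {
    unsigned char allbytes[256];
    for (int i = 0; i < 256; i++) allbytes[i] = (unsigned char)i;
    return shannon_entropy(allbytes, sizeof allbytes);
}

int main(void) {
    /* Constructed samples: program text, zero padding, and a uniform byte spread. */
    const char *text = "What the hack\n";
    unsigned char zeros[64] = {0};
    printf("text:      %.3f bits/byte, packed=%d\n",
           shannon_entropy((const unsigned char *)text, strlen(text)),
           looks_packed((const unsigned char *)text, strlen(text)));
    printf("zeros:     %.3f bits/byte\n", shannon_entropy(zeros, sizeof zeros));
    printf("all bytes: %.3f bits/byte\n", entropy_of_all_byte_values());
    return 0;
}
```

Run over the sections of a real binary, a score like this is only one input among several (section layout, imports, size, overlay data, as the same comment lists), which is why a tiny unsigned executable with an ordinary layout can still pick up a lone generic detection while a differently linked build of the same source does not.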