Rybka Chess Community Forum: The Rybka Lounge / Computer Chess / FinalGen
Parent - - By Banned for Life (Gold) Date 2012-04-10 06:15
If I have saved but one life, I have saved the whole world.

This is a rough translation from the Babylonian Talmud, Sanhedrin 4:8 (37a), written long after the end of the Bronze Age...
Parent - By mexicanstandoff (*) Date 2012-04-10 07:43 Edited 2012-04-11 02:11
I somehow knew you would bite. :neutral:

>written long after the end of the Bronze Age


Surely true! But when it was written, and from which period it took its ideas (not copying its code, or words, mind you!), are two very different things... right?
Parent - - By RFK (Gold) Date 2012-04-10 13:41 Edited 2012-04-10 13:54
Sorry, whatever mission you're on had nothing to do with my decision.

[edit] You are a bit obsessive, don't you think?
Parent - - By siah (***) Date 2012-04-11 06:07
You are so talkative in this forum. Talk less. :mad:
Parent - By RFK (Gold) Date 2012-04-11 07:12
Mind your business! :wink:
Parent - By mexicanstandoff (*) Date 2012-04-08 02:53
pPerez, I have no idea who you are. I am very keen to use this program, but would only consider running it on a wholly isolated PC until I am satisfied it is malware-free. In this post, I assume you or your colleagues are 100% victims.

From where did you obtain/download the package that helped you make your distribution/installation/setup program?

If you used one of the commercial ones, but which was available "free" via bit-torrent, emule clients etc., please be aware that 95+% of such "offers" are free in terms of $$ but very expensive in terms of extra payload... Even DVD/CD manipulation programs have a lower proportion of infected torrents.

I suggest you download Avira AV and Comodo Firewall+AV (all free, and all from their host websites, NOT from a torrent!) and scan your system thoroughly. If running Windoze, disable System Restore and use Safe Mode when doing this. The fact that the setup.exe itself does not trigger ANY AV program, but its contents do, tells me that the tech is reasonably new. Good luck!
Parent - By mexicanstandoff (*) Date 2012-04-08 20:13

>my former antivirus (ad-aware)


I use Ad-Aware, but it is not an antivirus program in the normal sense! It merely detects some types of adware.

I suggest, if you wish to operate "free", use Comodo as the FW and Avira as the AV. With this pair, there is really very little reason to spend money on commercial protection.  Each is frequently ranked best on test.

But even with them, a lot of caution is needed. And often, if one is D/L'ing something newly released, it is good to wait a while before running or checking it (e.g., manually quarantine it), as any malicious content it has may also be new and unknown to the AV as yet.

Have you worked out exactly how you got infected in the first place?
Parent - By mexicanstandoff (*) Date 2012-04-08 12:17 Edited 2012-04-10 04:08
You've detected the peculiar statement re dates...

btw, the world takes 24 hours, give or take, to perform one rotation. Not 72 hours as the earlier developer email implied:

>The current version .... was released the 19/3/2012 french/german/spanish time.
>I have indicated the 22/3/2012  because there can be time and date differences
>between countries and this is a way to give a valid date for all of them.


In fact, this final version of FinalGensetup.exe (CRC32 of 4B98E4B2, file size 4415648) was compressed into the distribution .zip bearing a creation date of 9:38 am March 20, 2012, CET (as that is where the program supposedly comes from).

The zip file itself, obviously, has an even later timestamp, as the contents have to be created before they are compressed.

So how is that compatible with the statement by pPerez that the current version was released on March 19, 2012 CET ?? How can it be released before it is created?

Further, as already observed, 9 am CET on March 20 would be March 20 everywhere on earth except for a few islands in the east Pacific, where it would be March 19.  Not March 21/22/23 etc. as pPerez wrote...

Developer using Ad-Aware as AV? (It was conceived as anti-adware, as the name tells you; only later were some AV features added and the product repackaged; it is not regarded seriously.) Releasing version 1 software with admitted malware payload? Even then, releasing version 2 with (IMO) even worse payload (11 AVs, including the best-on-test one, Avira), and concealed so the setup file does not reveal any infection? Then saying that this concealment was in fact a good sign??? (As refuted by Vempele, Date 2012-04-08 14:12, and myself). Then his claim that version 1 is infected but version 2 guaranteed safe is convincingly refuted by fhub, Date 2012-04-08 17:28...

The creator of this apparently beautiful program must by definition be very intelligent.

So why so many oddities?

I like mysteries.

This qualifies.

For Richard Vida, who allegedly believes that the default position is that programs from not-known sources are not malware, and that AV reports are FPs (False Positives), my friend could today have a little gift to email to you. It makes a nice screen on your Windoze PC. It will pass your Nod32 check without any complaints. Guaranteed! And almost all others. Three or two will give a bad report, but you know, it is safe, all these reports will be False Positives, right, as you wrote? So of course as you said it is safe. Just run it on your Windoze PC containing the only copy in the world of the undistributed-as-yet Beta-source for Critter, and in 48 hours you will no longer have the Beta Critter. That part is guaranteed. But, if you have a little hole in your firewall, or switch it off, or if you are mean, just tell us what exact version of firewall you are running (good malware can stuff the keyboard buffer, so the firewall will think you are typing in instructions) but then I can't guarantee the next part, as an additional bonus for you a friend of mine who speaks fluent Mandarin will have the Beta source. :lol: He may even sell it back to you. (You might also need a newly made NTFS partition on your HDD).
What email do you want this screen saver sent to? :wink:
Don't misunderstand, I am a Critter fan. Open source near the top is always extra creditworthy. But this is not about Critter, it is about risk evaluation by its author.
Parent - - By Fulcrum2000 (****) Date 2012-03-21 18:02
Which trojan do you expect to be in the first version?

BTW, about your program: if there were a version using, let's say, 12 GB instead of the 1 GB it uses now, would that be much faster or would it hardly make a difference?
Parent - By keoki010 (Silver) Date 2012-03-22 15:49
Fulcrum see my post above:
Parent - - By Barnard (Bronze) Date 2012-03-23 06:36
Hi

I think I can give you an approximate answer: programs that generate a lot of write access to the hard disk hit a bottleneck accessing the hard disk if you run multiple instances or increase the RAM. So even if, in your example, a future version allows the use of 12 GB of RAM, if he doesn't make an MP version that allows each core to split the data it generates onto a different hard drive, you won't have any improvement, since you can generate (just an example) 10 positions, but if the hard drive can only write 2 positions in that time, the other 8 positions are the same as if they were never generated, since the hard drive is not able to write 'faster'.

I don't know if I was able to explain it well enough...

It is much better that he makes an MP version of the program (let's say 2 cores) and allows each core to be assigned to a different hard drive internally by the program, than to increase RAM, since splitting that work between those 2 cores (each core with its own hard drive) will finish the work in half the time.
Parent - - By Fulcrum2000 (****) Date 2012-03-23 10:31
I understand what you mean, but the idea was that having more data in memory would require fewer data reads/writes to the hard disk and thereby cause a nice speedup. But indeed it can go both ways.
Parent - By Barnard (Bronze) Date 2012-03-24 00:12
I'm not a programmer, but in the example you gave (12 GB of RAM), if the program can have that 12 GB of RAM dedicated, maybe it can work faster, but with the limit of generating a tablebase of 12 GB (if you want to generate a bigger database, you will have to write the RAM to the hard drive, so I think the speed gained by using that extra RAM will be lost).

I think it is much more efficient to implement an MP version that uses 2 cores (or 4) and allows each core to be assigned one hard drive, so the work of generating the tablebases will be split between the cores, and each core will write directly to its own hard drive, making tablebase generation 2 times (or 4 times, depending on the number of cores and hard drives) faster.
Parent - - By pPerez (*) Date 2012-03-26 19:20
The name of the Trojan was Trj/CI.A

12 GB instead of 1G would not make any difference in terms of CPU, but it could improve hard disk accesses because Windows could use larger buffers.
Anyway, the improvement will never exceed 30%.

In fact, 1G is a pessimistic estimation. FinalGen reserves less than 600M to build databases.
Parent - By Fulcrum2000 (****) Date 2012-03-26 19:49
Ok clear. Thanks for the answers, looking out for a new (multi-core) version of your program. :grin:
Parent - By keoki010 (Silver) Date 2012-03-27 17:31
In the next version could you include the ability to paste/copy a fen? Thanks in advance, I enjoy the program.
Parent - - By Sam Gamgee (**) Date 2012-04-08 08:20
There are 150 DLLs in the Finalgen directory after installation ("____1.dll", "____8.dll", "___D1.dll", "___D8.dll", "__D_1.dll" etc.). Several antivirus programs, including special trojan seekers, do not identify any of these as infected.
Does FinalGen actually use all of these DLLs?
If not, which of the DLLs are necessary for FinalGen and which can be safely deleted?

If they are indeed dangerous, is the problem solved by removing FinalGen completely?

Thank you very much for your help.

Best regards,
Sam
Parent - - By mexicanstandoff (*) Date 2012-04-08 12:09

>Several antivirus programs, including special trojan seekers, do no identify any of these as infected


Sigh.... 11 different AV engines report problems. As I wrote earlier, don't trust me: put all 100+ DLLs into an archive and submit it to virustotal.org or indeed to any of the multi-engine submission sites (there are at least 20 of them now; I choose from 3 depending on site workload).

>Does FinalGen actually use all of these DLLs?


Don't know, didn't check.  You could simply do a hex search within FinalGen, not that it would be conclusive either way irrespective of whether the string was there or not.

Remove from your PC all the DLLs, including any from system or other directories, and run FinalGen, which I think (but, as this is not based on pedigree or disassembly, NOT a guarantee!) is malware-free.  It would be expected that FinalGen will produce an error message for the first DLL it needs but can't find. Add that DLL back and re-run FinalGen (if the DLL is infected, it is your funeral!). Loop this process until FinalGen runs fully.

Notice that the developers of this brand new program have been absent for almost 2 weeks now? Perhaps they no longer have working systems as they too are victims.

>If they are indeed dangerous, is the problem solved by removing FinalGen completely?


If you have not yet run FinalGen, almost certainly yes (I ran the setup only, but that in a sandbox and did not observe other activity). If you have run FinalGen, I have no idea. It depends on the latency of the mischief - i.e., were bad things set to start happening as soon as code was executed, or not.

At least you seem to have your head screwed on right. The attitude towards risk by the (inevitably non-programmers) here is ludicrous - ALL SOFTWARE NOT DIRECTLY OBTAINED FROM SOURCES THAT ARE FULLY KNOWN, HIGHLY COMPETENT (they could be victims or vectors) AND FULLY TRUSTED SHOULD BE ASSUMED TO BE MALWARE AS DEFAULT, UNTIL PROVEN OTHERWISE, and not the other way around.

There is clearly little perception of how much damage malware can do. Once the first one bites, it'll be too late.
Parent - - By pPerez (*) Date 2012-04-08 19:14
Hi again

Some additional explanations about the false viruses reports.
For some reason, most of the false infection reports are caused by the way MASM (Microsoft Macro Assembler) handles dynamic libraries. If you develop a DLL with MASM and you use the Windows functions in the normal way, you will get a false positive.

As I said before, the antiviruses do not detect anything on the installation program; that is, when you double-click on the setup.exe, the antivirus does not detect anything. If the file is infected, it is too late, because the infected code is running. So if the antivirus detects the virus in individual files and not in the setup file, it is not protecting you. It is a bad ANTIVIRUS!

The fact that many commercial antiviruses do not detect anything is interesting. People who are paying for these antiviruses may ask why their antivirus is not protecting them.

I think that people who develop viruses would try to infect as many people as they can by simple methods, not by developing a very complex software that takes years to be developed and needs a lot of research on algorithms and artificial intelligence.

The initial version was infected because my computer was infected, and my antivirus was not able to protect me. The current version is safe but it has "false positives". The next version (1.1) will be free of suspicion.

Best Regards
Pedro Pérez
Parent - By mexicanstandoff (*) Date 2012-04-08 20:07
Thanks for this too.  I have many grumbles about MASM (but not this one). I used the 8086 MS assembler v1.0, where I had to manually insert NOPs in various places because early Intel CPUs fell over otherwise!

>my antivirus was not able to protect me


Exactly..... AV programs only defend against viruses they fully know about, and against certain virus-like activities or attributes (e.g. attempts at a Windoze host file change, or boot-sector write, or behind-the-scenes attempt to modify the FAT or some key NTFS structure), and against certain internal structures they associate rightly or wrongly (this is what can give rise to false positives) with code library combinations frequently chosen by virus authors or by virus-generating engines.

Which is why my approach, one of skepticism and caution, is required. I never underestimate how intelligent and hard-working some virus-coders are...

>The next version (1.1) will be free of suspicion


Good.

Questions/Suggestions (remember, I have never run the current version, so I may be incorrect): Will it take advantage of multiple cores and 64-bit environments, please? Would you get better speed if you permitted it to use RAM more extensively, not just for HDD buffering? To try and get at least some 10-man positions resolvable in human timespans, assuming HDD arrays were available?

Thank you.
Parent - - By fhub (**) Date 2012-04-08 22:28

>The initial version was infected because my computer was infected, and my antivirus was not able to protect me. The current version is safe but it has "false positives".


I've downloaded both versions, the first one and a few days later the current one,
and then made a binary file compare. All DLLs of the new release had exactly the
same sizes as the old release, and all files differed only in 8-12 bytes.
4 of these bytes were just the compile date, and the other (max. 8) bytes seemed
to be just addresses (of a few routines) which might simply be on different locations
for two compiler runs.

Since so few bytes (max. 8) can't contain any malware at all, I didn't have a closer
look at these differences with a debugger - it would just have been a waste of time.

So your statement above can't be right, either your first release did also not
contain any virus, or both versions (i.e. also the current one) are infected.
"Initial version infected, current version not" is definitely NOT possible, because
even in assembly I doubt you would be able to write any malware. ;-)
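The binary compare fhub describes above (same sizes, a handful of differing bytes, four of them the compile date) can be made repeatable. The script below is an added example and is not fhub's tool or anything from the FinalGen project: it compares two builds byte by byte and buckets each differing offset as either inside the COFF TimeDateStamp field or elsewhere. The two "builds" are constructed byte strings with only a DOS header, PE signature, COFF header and a few bytes of code; the field offsets (e_lfanew at 0x3C, TimeDateStamp eight bytes after the signature) are the real PE layout, everything else, including the timestamps and the code bytes, is made up for the example.

```python
"""Byte-level comparison of two builds of the same PE file, classifying where
the differences fall. Added example; both "builds" are constructed blobs."""
import struct

PE_SIGNATURE = b"PE\0\0"
E_LFANEW = 0x40  # where our constructed DOS header says the PE header starts


def build_minimal_pe(timestamp, code):
    """Construct a PE-shaped blob: DOS header, PE signature, COFF header, code."""
    dos = bytearray(b"MZ" + b"\0" * (E_LFANEW - 2))
    struct.pack_into("<I", dos, 0x3C, E_LFANEW)
    # IMAGE_FILE_HEADER: Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x2102)
    return bytes(dos) + PE_SIGNATURE + coff + code


def timestamp_field_range(blob):
    """(start, end) byte offsets of the COFF TimeDateStamp field, or None if not PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    start = e_lfanew + 4 + 2 + 2  # past signature, Machine, NumberOfSections
    return start, start + 4


def diff_pe_builds(old, new):
    """Compare two builds byte by byte and bucket the differing offsets."""
    report = {"same_size": len(old) == len(new), "timestamp_diffs": [], "other_diffs": []}
    if not report["same_size"]:
        return report  # a size change means inserted or removed content; inspect by hand
    ts = timestamp_field_range(old)
    for offset, (a, b) in enumerate(zip(old, new)):
        if a == b:
            continue
        if ts and ts[0] <= offset < ts[1]:
            report["timestamp_diffs"].append(offset)
        else:
            report["other_diffs"].append(offset)
    return report


def consistent_with_plain_rebuild(report, max_other_bytes=8):
    """True when the only changes are the compile timestamp plus a few bytes
    (relocated addresses). This bounds how much NEW code could have been added;
    it does not prove the changed bytes are harmless, so other_diffs still
    deserve a look in a disassembler."""
    return report["same_size"] and len(report["other_diffs"]) <= max_other_bytes


# Constructed sample: two builds two days apart (Unix timestamps from March 2012,
# chosen to match the thread's dates), identical code except one call
# displacement that moved by 0x20 bytes.
OLD_TS = 0x4F66A000
NEW_TS = OLD_TS + 2 * 86400
CODE_OLD = bytes.fromhex("558bec6a00e810204000c9c3")  # push ebp; mov ebp,esp; push 0; call ...; leave; ret
CODE_NEW = bytes.fromhex("558bec6a00e830204000c9c3")  # same, call displacement changed
CODE_GROWN = CODE_OLD + bytes.fromhex("cccccc")        # a build with extra bytes appended


def example_report():
    """Diff the two constructed builds; returns the report dict."""
    return diff_pe_builds(build_minimal_pe(OLD_TS, CODE_OLD),
                          build_minimal_pe(NEW_TS, CODE_NEW))


def example_size_change_report():
    """Diff the old build against one that grew by three bytes."""
    return diff_pe_builds(build_minimal_pe(OLD_TS, CODE_OLD),
                          build_minimal_pe(NEW_TS, CODE_GROWN))


if __name__ == "__main__":
    r = example_report()
    print(r, consistent_with_plain_rebuild(r))
```

On the constructed sample the report shows two timestamp bytes (the two-day gap only touches the middle bytes of the little-endian field) and one other byte, which is the pattern fhub reports. The size check comes first on purpose: when the lengths differ the byte-for-byte walk is meaningless and the new bytes have to be located with a proper section-by-section comparison.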
Parent - - By mexicanstandoff (*) Date 2012-04-09 03:14
fhub - most fascinating!

Assuming the binary compares were done correctly (hard not to!!) and the result is as you report, it is highly suspicious.

>So [the original posters] your statement above can't be right, either your first release did also not
>contain any virus, or both versions (i.e. also the current one) are infected.
>"Initial version infected, current version not" is definitely NOT possible, because
>even in assembly I doubt you would be able to write any malware. ;-)


Absolutely correct logic.

Can you email me that first release, exactly as originally distributed? I am a machine-level programmer, and so I don't care whether the source is assembler or compiler generated.  I can PM you my email address.

It is not credible that someone motivated to and with the skills to write a clearly excellent EGTB generator would have bad motivation.

It is credible that this someone is dangerously naive about the dangerousness of malware.  Several statements made in this discussion suggest that (use of adware detector as AV (!), wrong analysis of seriousness, as independently pointed out by Vempele and by myself).

As to other posters, I cringe when I read nonsense like "I haven't noticed anything bad happening so it must be OK"... Any malware I wrote that got activated on your PC, I'd make very sure you probably noticed nothing till your third-generation backup too had been rendered useless by the subtlety of the data corruption.
Parent - - By fhub (**) Date 2012-04-09 08:21

>Can email me that first release, exactly as originally distributed?


Sorry, I don't have it anymore. When I saw that the new files were almost identical,
I assumed that this virus alert was just one of these "false positives" (which happen
so often that I don't trust any AV software at all), and so I've deleted this first
version of FinalGen.
Parent - - By mexicanstandoff (*) Date 2012-04-09 23:45
It is a shame you do not have it any more. Perhaps someone else does?

What you wrote in response to pPerez, that is:

>>The initial version was infected because my computer was infected, and my antivirus
>>was not able to protect me. The current version is safe but it has "false positives".
>
>I've downloaded both versions, the first one and a few days later the current one,
>and then made a binary file compare. All DLLs of the new release had exactly the
>same sizes as the old release, and all files differed only in 8-12 bytes.
>4 of these bytes were just the compile date, and the other (max. 8) bytes seemed
>to be just addresses (of a few routines) which might simply be on different locations
>for two compiler runs.
>Since so few bytes (max. 8) can't contain any malware at all, I didn't have a closer
>look at these differences with a debugger - it would just have been a waste of time.
>So your statement above can't be right, either your first release did also not
>contain any virus, or both versions (i.e. also the current one) are infected.
>"Initial version infected, current version not" is definitely NOT possible, because
>even in assembly I doubt you would be able to write any malware. ;-)

is most highly significant, and completely correct in its reasoning.

This, together with what Vempele wrote earlier in response to pPerez:

>>That means that all these antiviruses allows you to run the installation program, and
>>after that they detect the viruses on the extracted files. This is not serious.
>
>Well, it's certainly much more serious than if the antivirus warned you about the installer
>so I don't follow your logic. Why >120 DLLs?


should raise warning bells - even for the ostriches... Same pPerez who uses ADaware as his
antivirus program (!!) etc.

If this has not been resolved one way or another soon, then when work permits I'll return
to a DLL or two with a disassembler and get to the bottom of this. I would love to right
now explore this software on a fast machine, but on the evidence so far I'd be **** to
do so.
Parent - By Fulcrum2000 (****) Date 2012-04-10 11:36 Edited 2012-04-10 11:46

> Well, it's certainly much more serious than if the antivirus warned you about the installer so I don't follow your logic. Why >120 DLLs?


It seems he uses a DLL for every case, so one DLL for KQPPKRPP, one for KQPPKQPP etc
Parent - - By Richard Vida (**) Date 2012-04-10 12:57 Edited 2012-04-10 13:04

> If this has not been resolved one way or another soon, then when work permits I'll return
> to a DLL or two with a disassembler and get to the bottom of this.


I am now convinced it is definitely a false positive.

I took the smallest DLL file named "____1.DLL" (file size 23040 bytes)
Uploaded it to virustotal.com to confirm I am looking at the right file. Indeed it was flagged by 6 scanners (out of 42):


BitDefender Gen:Variant.Kazy.61424
Emsisoft    Win32.SuspectCrc!IK
F-Secure    Gen:Variant.Kazy.61424
GData       Gen:Variant.Kazy.61424
Ikarus      Win32.SuspectCrc
K7AntiVirus Riskware


Then I looked at the imports table - it uses only 10 functions from only 1 library (kernel32.dll), namely:

CloseHandle, CreateDirectoryA, CreateFileA, DeleteFileA, GetFileAttributesA, GetLastError, ReadFile, Sleep, WriteFile, GetFileSizeEx

these are completely legit and common file handling functions. No registry writes, no sockets / internet access, no email sending. To obfuscate import table / hide API calls it would have to be able to call at least LoadLibrary() + GetProcAddress(), but it is not.

Next step - if it is supposed to contain any malicious code - it needs some means to be executed. Quick look at the DllMain() entry point:

BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
  BOOL result; // eax@1

  result = 0;
  if ( fdwReason == 1 )
    result = 1;
  return result;
}

Again, nothing unusual here. No code is executed upon loading of the DLL.

There is only one exported function (named "principal"). I analysed this entry point too and found nothing unusual.

Then I followed the whole call graph (this DLL is rather small, so it was not very time consuming). Pretty usual stuff. No obfuscation, no unusual stack manipulation, no code decryption, no anti-debugger tricks. Not even a single indirect jump.

My conclusion -> this DLL file is perfectly clean
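The import-table reasoning in the post above (ten kernel32.dll functions, all file handling; no LoadLibrary plus GetProcAddress pair, so the table cannot be hiding anything) is a standard static-triage step, and the script below is an added example of it. It is not Richard Vida's tooling and not part of FinalGen: the capability map and the list of C-runtime DLL names are this example's own, deliberately small tables; the FINALGEN_DLL_IMPORTS sample repeats the ten functions named in the post, and DOWNLOADER_IMPORTS is a constructed contrast case.

```python
"""Capability triage of a PE import table. Added example; the capability map
and the C-runtime DLL list are this example's own, non-exhaustive tables."""
from collections import defaultdict

# Constructed map: Win32 API name -> capability bucket (non-exhaustive).
_CAPABILITY_TABLE = {
    "file": ["CreateFileA", "CreateFileW", "ReadFile", "WriteFile", "DeleteFileA",
             "DeleteFileW", "CreateDirectoryA", "GetFileAttributesA", "GetFileSizeEx",
             "CloseHandle", "MoveFileA", "CopyFileA"],
    "dynamic_resolution": ["LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "GetProcAddress"],
    "registry": ["RegOpenKeyExA", "RegSetValueExA", "RegCreateKeyExA", "RegDeleteValueA"],
    "network": ["WSAStartup", "socket", "connect", "send", "recv", "InternetOpenA",
                "InternetOpenUrlA", "HttpSendRequestA", "URLDownloadToFileA"],
    "process": ["CreateProcessA", "WinExec", "ShellExecuteA", "OpenProcess",
                "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "anti_debug": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent"],
}
API_CAPABILITY = {api: cap for cap, apis in _CAPABILITY_TABLE.items() for api in apis}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA"}
C_RUNTIME_DLLS = {"msvcrt.dll", "msvcr90.dll", "msvcr100.dll", "ucrtbase.dll"}


def triage_imports(imports):
    """imports: {dll name: [function names]} as read from the import directory.
    Returns the imported APIs bucketed by capability, whether the module can
    resolve further APIs at runtime, whether it links a C runtime, and flags."""
    buckets = defaultdict(set)
    untagged = set()
    for funcs in imports.values():
        for f in funcs:
            cap = API_CAPABILITY.get(f)
            if cap:
                buckets[cap].add(f)
            else:
                untagged.add(f)
    everything = {f for funcs in imports.values() for f in funcs}
    # Hiding API use from the import table needs BOTH a loader and GetProcAddress;
    # with neither, the table is a faithful upper bound on imported capability.
    can_resolve = bool(LOADERS & everything) and "GetProcAddress" in everything
    has_crt = any(dll.lower() in C_RUNTIME_DLLS for dll in imports)
    flags = []
    if can_resolve:
        flags.append("runtime API resolution: import table understates capability")
    if not has_crt:
        flags.append("no C runtime import: typical of hand-written asm or packed code; "
                     "a common AV heuristic trigger")
    for cap in ("network", "process", "registry", "anti_debug"):
        if buckets.get(cap):
            flags.append(f"{cap} capability via {sorted(buckets[cap])}")
    return {
        "capabilities": {cap: sorted(apis) for cap, apis in buckets.items()},
        "untagged": sorted(untagged),
        "can_resolve_apis_at_runtime": can_resolve,
        "has_crt_import": has_crt,
        "flags": flags,
    }


# Import list reported in the post above for "____1.DLL".
FINALGEN_DLL_IMPORTS = {
    "kernel32.dll": ["CloseHandle", "CreateDirectoryA", "CreateFileA", "DeleteFileA",
                     "GetFileAttributesA", "GetLastError", "ReadFile", "Sleep",
                     "WriteFile", "GetFileSizeEx"],
}

# Constructed contrast: a downloader-shaped import set (not a real sample).
DOWNLOADER_IMPORTS = {
    "KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "CreateFileA", "WriteFile", "WinExec"],
    "WININET.dll": ["InternetOpenA", "InternetOpenUrlA"],
    "msvcrt.dll": ["malloc", "free"],
}


if __name__ == "__main__":
    for name, imp in (("finalgen", FINALGEN_DLL_IMPORTS), ("downloader", DOWNLOADER_IMPORTS)):
        print(name, triage_imports(imp))
```

For the FinalGen list the only flag raised is the missing C runtime, which is exactly the kind of heuristic that produces the "Gen:Variant" and "SuspectCrc" verdicts in the scanner table above rather than a named-family match. The import table is an upper bound only on what is imported: code can still locate exports by walking the loaded modules itself without importing anything, which is why the post's follow-up steps (entry point, exported function, full call graph, absence of indirect jumps) are what actually close the case, not this script on its own.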
Parent - By Regularuser (***) Date 2012-04-10 15:44
Thanks for your work on this.

I have been using Finalgen on a chess-only PC, figuring it was almost certainly OK but not wanting to risk it on my other PCs which have more sensitive data.

But it is nice to know it really is clean from someone who obviously is an expert in this area :)
Parent - - By mexicanstandoff (*) Date 2012-04-10 16:06
Thanks, Richard! That is good news, it sounds good, and I am eager to use the software, and all the better if I don't have to look at it myself (mission accomplished? :wink:).

You have shown that nothing in the DLL examined is executed when the FG exe is run and it loads the DLL, great.

I'm a little hazier about what you did about other calls to code within the DLL (i.e., which could then result in kernel fns like DeleteFile & WriteFile being used). As you know, some malware has no propagation capabilities or callback, and so isn't a virus - destruction/corruption of the direct target is the only aim.

Please also look at the oddity noted by fhub (on Date 2012-04-08 17:28).

For reasons unconnected with malware detection: What was your DLL count, please? (I've removed FG from my system, and only have the setup.exe in a sandbox). I'm trying to reconcile the count, roughly, with combinations of pieces; someone here wrote that is what each DLL represents. As I recall, a linking wasn't obvious, and the naming convention is obscure to me. There are far too few DLLs to have much to do with 7-man TBs (of course these DLLs are tiny and are not tablebase equivalents themselves), but also either too many or too few (depending on how WTM/BTM i.e. color symmetry is treated, combined or separately) to have any direct equivalence to 6- and fewer Nalimov, Gaviota or Robbo bases. The author seems to have a unique approach.

Thank you once again for cracking it open.
Parent - By Richard Vida (**) Date 2012-04-12 02:29

> As you know, some malware has no propagation capabilities or callback, and so isn't a virus - destruction/corruption of the direct target is the only aim.
>


Every "open file for write" operation gets the lpFileName parameter from the parent application together with the workset parameters (board position? - just a guess). All DeleteFile() calls are from dead code, I am sure we can blame the (lack of) "smart" linker (I think of an asm file handling library included by default). Filenames for reading are generated on the fly in the form "Cxxxx/Dxx/dat.xx" where the "x" stuff is derived from the position index.

Btw I think the main reason for signaling false positives here is the lack of a standard library signature (c/c++/delphi/anything). And that is in agreement with what the author said - the whole thing except the GUI was written in pure asm. It doesn't even import msvcrt.dll - and this alone is suspicious for many AV heuristics.

> The author seems to have a unique approach.
>


Yes, the guy seems to be very smart, he has taken a completely different approach. Generate only what you need, and if I am not mistaken he prunes (err... postpones generating of) some not very meaningful conversions.
Parent - - By Richard Vida (**) Date 2012-04-12 02:42
PS.
Now I really think you should open a new thread and apologize for the negative publicity.
Author of this very nice piece of software really deserves it.
Parent - - By Homayoun_Sohrabi_M.D. (***) Date 2012-04-12 03:22
I think he had the good intention of trying to protect other people's computers. Looks like if anyone is at fault here, it's the anti-virus software. Kudos to you for resolving the issue.
Parent - - By buffos (Silver) Date 2012-04-13 09:29
Good intentions are not enough when you claim (and such a strong way) the other party has bad intentions.
Parent - - By Homayoun_Sohrabi_M.D. (***) Date 2012-04-13 14:35
Hi Buffos, thanks for your reply. 

I think Mexican Standoff was always talking about that particular software being infected, he never made this into a personal attack, and I think he was concerned that even the author's system may have been infected. I don't know anything about software engineering, but shouldn't the author take care of some of these issues, make sure that his download is not gonna trigger all kinds of (false) alarms BEFORE he puts it out there? You are an excellent Aquarium expert, does Aquarium give you a bunch of virus warnings when you try to download it?

Sometimes the smoke detectors in my house go off on a false alarm and make a horribly loud irritating noise, but I don't get too upset because I know the system's intention is to prevent me from getting burned.

I could be mistaken, I am not a programmer.   At any case, the case is closed for me now.  Thank you Buffos.
Parent - - By mexicanstandoff (*) Date 2012-04-13 16:55 Edited 2012-04-14 03:27
>I think Mexican Standoff was always talking about that particular software being infected, he never made this into a personal attack
>he was concerned that even the author's system may have been infected.
>shouldn't the author take care of some of these issues, make sure that his download is not gonna trigger all kinds of (false) alarms BEFORE he puts it out there?

(especially given the history of the previous release)?

Gold-standard post with correct overview and balance. Thank you.

A very believable reason that the author did not "take care of some of these issues", that is, make sure of these things, is that he knows for sure that he has no malicious intent at all, and he sincerely believes (thanks to Ad-Aware??) that his system is no longer infected, so he does not need to check before distribution. Or even that he did check with proper tools (he did not say this, but he might have done), but only the FGsetup.exe (which passes), not the actual files expanded from the compressed setup (which is what apparently only I checked).

This is quite likely, as the author is apparently a little unaware about the danger of viruses, which is why he had to come to the forums explaining that the first release was infected. Many others here seem similarly naive, but BannedforLife explained to me that as many use the system exclusively for chess testing, infection is not such a fear... (I understand, but also don't understand, as in a few hundred milliseconds targeted malware could corrupt 1,200,000,000,000 bytes of endgame tablebases which took months or years to collect quite nicely...)

Before Arrière Pensée makes a point about irresponsibility about running into a crowded cinema shouting "Fire!" (no one has made the analogy, but given his high intelligence it can be but a matter of time before he raises this :smile:), this is not my view of what I did. Not powerfully drawing the attention of potential victims to a hidden (setup tests as apparently clean but what gets set up triggers all alarms when examined) malware attack that is suspected would be the irresponsible act. For malware with destruction in mind, all connected hard drives can be reduced to uselessness (with loss of all data, or instead massive effort to recover and string together what is valuable) in a frighteningly short time.
Parent - - By Banned for Life (Gold) Date 2012-04-13 21:58
The only issue that needs to be resolved here is why you insist on attributing the Babylonian Talmud, Sanhedrin 4:8 (37a) to the Bronze Age...

By the way, it isn't that difficult to get the EGTBs. Nelson Hernandez has had them longer than just about anyone (aside from Nalimov and a redneck from Alabama), and if you send him a drive and enough green paper, you can probably convince him to copy them off for you.
Parent - By mexicanstandoff (*) Date 2012-04-13 22:22

>why you insist on attributing the Babylonian Talmud, Sanhedrin 4:8 (37a) to the Bronze Age...


Because, as I explained 3-4 days ago here, the Talmud includes copied code - not merely ideas, mind you - from earlier, Bronze Age, scribblings. But at that time, the Great Sanhedrin ruled it was OK. Maybe, because their multiple-roled redneck Chief Bobba the Hittite was vacationing in the Dead Sea at the time? Maybe, because he was a little guilty of such "borrowing" himself?

Now we have come fool circle, with the taking of mere ideas being criminalized by a modern-day, pharisaical panel, voting on issues where due to self-interest recusal would have been the judicial norm. But some of the characters are recognizable. The more things change, the more things stay the same.
Parent - - By RFK (Gold) Date 2012-04-13 23:36

> Before Arrière Pensée makes a point about irresponsibility about running into a crowded cinema shouting "Fire!"


Interesting that you make that insinuation and then attribute it to me! The more I hear from you, the more I have reason to doubt your sincerity.
Parent - - By mexicanstandoff (*) Date 2012-04-14 01:48
Interesting that you should view it as an "insinuation". I made no insinuation. I made a "prediction", and sought to pre-empt it.

>I have reason to doubt your sincerity


Have no fears or doubts.
Parent - - By RFK (Gold) Date 2012-04-14 02:54 Edited 2012-04-14 03:17

> I made no insinuation. I made a "prediction", and sought to pre-empt it.


You call it preempting - I would term it presumptuous or even rather telling behavior.

Addendum:

Let me wrap my end up by concluding with -don't confuse me with someone who gives a shit. :wink:
Parent - By mexicanstandoff (*) Date 2012-04-14 03:29

>Let me wrap my end up by concluding with -don't confuse me with someone who gives a shit.


I have reason to doubt your sincerity.
Parent - - By RFK (Gold) Date 2012-04-13 15:11
I think the bottom line here is that "mexicanstandoff" claimed he had enough programming skills to call FinalGen malware - but not enough programming skills to make the claim definitively that it wasn't! Which I suppose is the same thing as saying-

I put my trust in Richard Vida for his programming skills, concomitant with his integrity and truthfulness in communication.

If Richard had not stepped in, would this issue have turned into a Mexican standoff ("confrontation between three opponents, facing each other") - taking advantage of the many false positives?! :confused:

(kind of leaves one wondering!)
Parent - By mexicanstandoff (*) Date 2012-04-13 16:44 Edited 2012-04-13 17:02
Arrière Pensée: ;)

>Richard Vida for his programming skills, concomitant with his integrity and truthfulness in communication.


+1
Additionally, for Critter to be both open-source and so very strong is a real credit! Many of the other top engines, commercial, weaker than Critter and not open source, somehow have escaped the scrutiny of the ICGA mob, but I have strong reasons to believe they could be very fruity, but very carefully concealed... Particularly, I can contrast Richard with another open-source author, more than famous in the forums, who makes at least 10 times the noise of any other poster, but whose program can be defeated by Critter with odds of 1-2 pawns, every time. I can't remember his name.... maybe he will start posting here again?

>not enough programming skills to make definitively the claim that it wasn't (?)


To correct, not enough time to definitively state or claim it is not malware.

As you say you are not a programmer, let me explain.

It is comparatively easy to prove something is malware - one single incidence of malicious code is enough. Sometimes, this malicious code can be a little less obvious to identify - for the simplest possible example, overwriting a file is usually a perfectly legitimate activity. But it depends on which file.

But to prove a negative, that something is not malware, is difficult, without spending more time than I have - this is in the same way that proving most negatives is difficult. All possible occurrences of potentially damaging activity would need to be examined, with all possible input or variable values.

Which is why we do not try to prove this difficult negative unless there is a red flag - same "red flag" that you reported, giving your (reasonable) reasons.

Relying on installed AV products is not enough. Your own behavior needs modification. Without writing an essay on how they work, can I say that a newly-vectoring piece of malware will probably succeed in infecting many PCs on "day zero" (a concept Richard is familiar with), and the control will only start when the AV engines begin to know about it, which takes some time? Run-time protection alarms may be triggered even on day zero, but clever malware writers know just how much they can do here before the alarms ring. And since so many people use only sub-par protection (example: Ad-Aware AV), there will be success for malware distributors. Which is why the number of these undesirable programs keeps growing - they are still effective.

Personally, when the source is unknown, or known but not virus-aware (e.g., has himself suffered a previous infection) (in this case, pPerez falls into both categories) I manually quarantine the software, however interesting it may be, to avoid the day-zero problem.

Let me tell you a story here...

I don't want to say too much in this thread, as this has NOTHING to do with FinalGen or its author and happened many years ago, but have you considered how the source code for a well-known, very strong chess program unfortunately got "lost"? And then shortly afterwards clones appeared, requiring massive skills in decompilation by unknowns to accomplish without "assistance"? Imagine a very great and busy programmer, before the unpleasant realities of this world have hardened him, receives a very interesting new chess tool by email. Of course he runs it. Maybe it "calls home"...Source stolen from the original author and deleted by custom-written (i.e. day-zero) self-erasing piece of malware sent to the innocent author ostensibly to "help him" or "for him to examine" is the most likely explanation... Unfortunately, ICGA is apparently and conveniently too stupid to understand these concepts... Enough said here, before I am attacked by the drones from that other website. The time for these disclosures is later, and the venue is also different. :)

> Mexican standoff ("confrontation between three opponents, facing each other")
> :confused: (kind of leaves one wondering!)


Thank you for bringing this coincidence or oddity to my attention. I would never have known.
Parent - By mexicanstandoff (*) Date 2012-04-13 15:37 Edited 2012-04-13 15:40

>when you claim (and such a strong way) the other party has bad intentions.


I did not claim this. In at least 7 places, I stated that the likely explanation was that the author's PC was still infected, i.e. that the author was still a victim?

Here is one of many examples:
mexicanstandoff Date 2012-04-09 23:03
While I am quite confident the developer is innocent, and can be a victim, I do not want to make myself a victim too...


And you perhaps are forgetting the author's own posts here, where he apologized for distributing the first version with a virus or trojan (both words were used)?
Parent - By mexicanstandoff (*) Date 2012-04-13 15:44

>I think he had the good intention of trying to protect other people's computers.


Correct (and obviously correct).

The danger of waiting till an obviously clean version (as promised by the developer) is distributed is what?  Zero.
The danger of damage from getting an infection, to those of us who use our systems for valuable things, is what? Very high.

Should be an easy decision...
Parent - By keoki010 (Silver) Date 2012-04-12 16:30
I agree on the kudos to you Richard. Thanks for taking the time to clear this up some.
Parent - By Dhanish (***) Date 2012-04-13 05:55

> Author of this very nice piece of software really deserves it.


+1
Parent - - By mexicanstandoff (*) Date 2012-04-13 16:20
Thanks for your efforts, Richard. I have looked at another (not the one you chose) of the >100 DLLs myself too, with identical results. In response to your suggestion, and anyway because of fairness:

Because of further work done, mainly by Richard, I think that ON THE BALANCE OF LIKELIHOOD, THE CURRENT=SECOND RELEASE OF FINALGEN IS NOT INFECTED.

I was always careful to promote that I believed the author himself was a victim (as he had already been in the first version) and not once to ascribe any malicious intent to him. Still, if the author's feelings are hurt in any way (I doubt it - as an author/programmer, my guess is that he is annoyed he did not take more steps himself before distribution), I SINCERELY APOLOGIZE to him! :)


However, the facts remain that....
- in the author's own words he distributed a trojan-infected first version, and
- then distributed a second version where 11 antivirus engines reported multiple infections in multiple DLL files within the installed package, and
- this even though the setup program, which is all that 99% of people would check before trusting it, scanned "clean" (suspicion-enhancing by definition) - I only found the reports by running a secondary check as the program source was unknown to me, and
- by his own explicit statement he had not checked for viruses using multiengine sites, only using Ad-Aware (!) before distributing the second version, and
- all this even after his bad experience with the first version, and
- the differences between the infected (by his own statement) and second versions were reported in this thread by another programmer as tiny/trivial (this phenomenon is as yet unexplained; as I do not have the first version, I cannot investigate it), which is inconsistent with one being infected and the other not, and
- some other small issues, in themselves insignificant, but less insignificant together and with the above, plus the fact that an obviously very highly intelligent programmer is needed to produce such a package in the first place, so why these oddities?


The author presumably now knows he should not release software to the public without checking it (both the installer package and the individual components) first on multi-engine AV websites. ;)

Even though I am very eager to explore this new and fascinating tool, without disassembly of the FinalGen executable itself, given the history, I am insufficiently confident to run it. Richard's and my work on some DLLs cannot, in my opinion, be 100% conclusive without examining the main program code that calls/invokes code within those libraries, and that entails a lot of work. So, I eagerly await the promised next release, which the author has promised will be free of suspicion.

My perception of the damage which malware can do is high. This definitely influences my personal perception of risk. Even a small unresolved risk, and I will not run the software.

Again, well done to the author for what looks like a very interesting and innovative package! Please keep working on it!
Parent - - By fhub (**) Date 2012-04-13 18:21

>- the differences between the infected (by his own statement) and second versions were reported in this thread by another programmer as tiny/trivial (this phenomenon is as yet unexplained; as I do not have the first version, I cannot investigate it), which is inconsistent with one being infected and the other not


This other programmer was me, and this 'phenomenon' is easy to explain:
I guess the FinalGen author just saw this 'false positive' virus report from any AV software, and so he re-compiled his sources (maybe after having cleaned his system). So he certainly was sure that this new version won't be infected anymore (although not even the initial version had any virus or trojan).
Parent - By mexicanstandoff (*) Date 2012-04-13 21:32

>I guess the FinalGen author just saw this 'false positive' virus report from any AV software,
>and so he re-compiled his sources (maybe after having cleaned his system). So he certainly
>was sure that this new version won't be infected anymore (although not even the initial
>version had any virus or trojan).


We are agreed, that is the simplest explanation. As we both wrote, it is not very credible for one version to be infected and the other not, when the difference between them was (you reported) so slight.

The FinalGen author never made this explanation, though. All his statements were that the first version contained malware ("virus" and "trojan" were the words used), nothing about a false positive. And I don't think he thought it was false positive, otherwise he would have checked the second release properly, wouldn't he?

As programmers, we can understand the enthusiasm in putting out a good program as soon as it is reasonably ready. Unfortunately in this world there are many bad people also, with bad motives, and the FinalGen author could be a victim of them. See my little post in this thread (Date 2012-04-13 11:44) for a concrete example of how much mischief can be done with targeted malware...
Parent - - By Pia (****) Date 2012-04-13 21:20

>I am insufficiently confident to run it
>Please keep working on it!


That's gibberish, to sum up. I'm too lazy to read the rest...
Just open any AV's suspected DLL by a simple text viewer to see that there's nothing unusual in them. No packed data, no hard-coded ASM arrays, no nothing.
And no one is gonna pay $120 for your disassembler, you just keep dreaming.

And why write all this crap here, and not in any of these 11 AV forums, for their programs malfunctioning and driving you crazy?
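The list of facts earlier in this thread (setup program scanned clean while the installed DLLs were flagged; check both the installer and its individual components on multi-engine sites) and Pia's suggestion to open the suspected DLLs and look for packed data both amount to a per-component triage. The Python below is an added example, not code from this thread, from FinalGen's author, or from any AV vendor: it hashes the container and each member separately, so each hash can be looked up on its own, and scores byte entropy as a packed-data hint; the ZIP and its two DLL-like members are constructed stand-ins, and the 7.0 entropy threshold is an assumption.

```python
# Component-by-component triage of a software package. Constructed example, not
# FinalGen's code nor an AV tool: hashes the container AND each file inside it
# (so each can be looked up separately) and reports byte entropy as a packed hint.
import hashlib
import io
import math
import zipfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]: text sits near 4-5, compressed/packed/encrypted
    data approaches 8. A reason to look closer, not a verdict."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_package(container: bytes, threshold: float = 7.0) -> dict:
    """One record for the container plus one per member. `container` is a ZIP
    held in memory; a real installer would be unpacked and its output walked."""
    report = {"<container>": {"sha256": sha256_hex(container),
                              "entropy": round(shannon_entropy(container), 2),
                              "packed_hint": False}}
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            ent = shannon_entropy(data)
            binary = info.filename.lower().endswith((".dll", ".exe"))
            report[info.filename] = {"sha256": sha256_hex(data),
                                     "entropy": round(ent, 2),
                                     "packed_hint": binary and ent >= threshold}
    return report

def build_sample_package() -> bytes:
    """Constructed stand-in for an installer: one low-entropy DLL-like file and
    one DLL-like file of hash-derived, random-looking bytes (not real PEs)."""
    plain = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 100
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("app/plain.dll", plain)
        zf.writestr("app/packed.dll", packed)
    return buf.getvalue()
```

The container's hash says nothing about its members: every record in the report carries its own hash, which is the value to submit per component.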
Powered by mwForum 2.27.4 © 1999-2012 Markus Wichitill