World Stamp Collector Software

Hey team

I had this program scanned by hybrid analysis after it popped up on my malware bytes program. Unfortunately it scores a perfect 100/100 for malicious behaviour being listed as a trojan. link is here, I hope that the writer of the program is blissfully unaware that his program is considered an exploit but certainly accounts for some peoples hacked machines?? I also note is was in Linns a couple of years ago.

https://www.hybrid-analysis.com/sam...onmentId=120

Some of these so-called helpful sites and virus checkers are worse than virus's themselves.
I have run World Collector many times and have had absolutely no problems. I can assure you that it does not "certainly account for some peoples hacked machines".

The guy that developed World Collector has put in an incredible amount of work compiling stamp data, he has single handily accumulated a database of over 400,000 stamps including images and gives it all away absolutely free, so it is really upsetting seeing his name trashed.

The program does contact two websites, but only to download the stamp data from the one and the images from the other.

As a matter of interest, I was curious to see what the "hybrid analysis" site made of one of the programs I wrote, but I was unable to submit it because despite the green tick coming up whenever I ticked the "I am not a robot" box, I still kept on getting the message: "reCaptcha check fail - resolve captcha and try again"
So after multiple attempts I gave up, which makes me suspect that the "hybrid analysis" site itself is really not that reliable.

Clive

What I forgot to add is that programs such as Malwarebytes automatically flag programs that are not widely used as suspect.

This is exacerbated for programs that are not "digitally signed". Unfortunately, many free programs are not digitally signed as the required certificate for digital signing costs upwards of a $100 a year.

Clive

I don't actively use this program, but have played around with it in the past with no issues whatsoever.

My virus scanner routinely flags downloaded programs that do not have a large user base as potentially suspect. Scans and vigilance have served me well so far.

Dale

yes malware bytes does flag anything on its database with SHA or names of certain things. I run anything that comes up on that into Hybrid Analysis which is a very technically advanced site. Its definitely worth looking into but as you say not all things are trojans but its related SHA is. It could be the simple fact that where he holds the program is an issue. However it did rate pretty highly.. I would definitely keep it on a leash!

lostandfound,
I have no doubt that your comments are well intentioned, but I think that it would have been far more constructive for you to have first attempted to contact the author to point out the issue rather than trashing, and continuing to trash his thousands of hours of work based on specious information.

Your assertion that the "related SHA is a trojan", would indicate that you perhaps do not have a clear understanding of what an SHA actually is, or you would realise that an SHA could not possibly be a trojan.

An SHA is nothing more than a unique large number called a checksum generated from the program and saved in the Malwarebytes (or other virus scanner) database - think of it as a signature.
The virus scanner can then compare a copy of the program to the signature to detect if the copy has been modified from the original, possibly by a virus.

I have not seen the Malwarebytes report but I suspect that a close reading would have indicated that there is no valid signature in the database to compare against, possibly as a result of the program's small user base, and not that the program or its SHA is definitely a trojan as you have concluded.

You state that Hybrid Analysis is "a very technically advanced site" based on what? It may well be, but to my mind, from a technical standpoint it is poorly executed, which would lead me to the opposite conclusion.

Unfortunately, virus scanners such as Malwarebytes do generate a fairly large percentage of false positives especially for less common software, I am not for one moment suggesting that positives should be ignored, viruses are real and can do a lot of damage, but one must also realise that these scanners are far from infallible.
Clive

Hi Clive,
While I agree with much of what you wrote, I cannot help but note that
- an app calling home is a well understood behavior of malware
- the lack of a digital signature is problematic
- the demographic using this app is not typically tech experienced
- and as you mentioned, AV tools are always going to err on the side of false positive (as it should be)

Given these facts, I would have anticipated that that folks would report this kind of issue and at minimum would have published something on the download website alerting users to the potential issue. Being educated on the potential issue before downloading and using the app would have put most users at ease if they ran into the problem.

Luckily you read this forum and were able to respond but running around and reactively trying to put out the fires is far less effective and efficient than proactively educating users.
Don

Hi Don,
Thanks, you are absolutely correct, it would have been helpful for Collector Dave the author to have included a warning on the download site, but as it is possible that until now he has been blissfully unaware of the issue, I have let him know.
I also sent details on how to have his program whitelisted by Malwarebytes.

From my own experience, I had no idea that some of my software, some of which had been available for years, was being flagged by virus scanners. It was not until I started receiving emails from potential users many of which were actually quite nasty, that I became aware of the issue.

Clive

You MUST take every report seriously at first.

CC Cleaner, which is an extremely common downloaded tool, that has been around for years with literally about 3 billion downloads, was hacked twice. They actually hacked the download file so everyone that downloaded it got the Malware. There are rumors that the Malwarebytes download was hacked a few years ago too, although they never admitted it. They said it was just a coding error. Users CPUs were pinned and some had internet completely blocked after the update.

For this reason I never let a program do updates automagically, I download it and scan it first.

Nothing like walking into work in the morning and having 100+ computers all broken from an overnight 'update'. The third time this happened to me I finally got wise and install a WSUS server for the domain. This not only allowed me to have the update downloaded only once but also gave me complete control over how and when the updates were installed on each client computer.

This allowed me to install each update to one of the computers on my desk, live with it for a few days, and only roll it out once I was satisfied it was benign.

Automatic updates are also the reasons I recommend Win10 Pro over Win10 Home. I understand why a manufacturer wants to force security updates but I have always been a 'roll my own' kind of guy and Win10 Pro out-of-the-box allows you some control over the updating process. (And for those who dig a bit deeper you can turn them off completely.)
Don

CLivel, I have a very clear understanding of what a SHA is. I indicated that the SHA related directly to a trojan .exe file included and hidden in the original post. One must be aware of how it can be renamed. It is a very interesting study of mine to see how manipulative programmers can be. Whilst not necessarily being of a malicious nature by the author, it remains to be said that such programs open up a world of entertainment for others who have nothing better to do. Including some very seriously malicious programs and apk's by even google?! Ha!

Yes I was merely allowing the good folk to make up their own minds by researching the link and its indepth study. Perhaps I should have contact the author. But at the same time, one must be aware of one's own programs and in this day and age, one must surely be responsible for ones actions. Could you please ask Dave to contact the Hybrid Team and they will instruct him exactly how to allow his very lovely program onto a better platform.That may be all it needs.

And Bobby yes, 'just a coding error'... perhaps they were creating a need for their own product!

As mentioned in an earlier post, I had contacted Collector Dave to inform him of the issue and to make him aware of this thread.

Apparently, for some reason, he has been unable to logon to this site so he requested that I point out that:


and



Personally I can't make out head or tail of the Hybrid Analysis report, I hadn't actually taken a close look at it before, and now that I have, I think that Windows users would be far better off relying on Microsoft Windows Defender, AVG or Malwarebytes etc for their security needs.
Clive

Hi All

I am the programmer of the application World Stamp Collector.

I was blissfully unaware of it being listed as malware so let me have a look at the report.

The first thing that struck me on the Hybrid analysis report was the extracted files, link is just on the right side of the report.

The first thing is that the application does not contain any files.

So having a look at what was submitted and I am sorry to say the application was not submitted it was the self extracting zip file used to set it up that was submitted.

A normal way of distributing applications used by many programmers.

The application file as can be een when clicking on the extracted files 'World Stamp Collector.exe' is listed as CLEAN no malware.

What has gone on then?

Looking around the report it has analysed the HTML help files etc and lists these as informative, help file usually are.

The screenshots are not of the application but just the screen to ask the user where to install?

One piece did come up 'libcurl' this is an open source library used to copy files etc you can simply google this and read what wikipedia has to say. In this instance it is used by the self extracting zip format not by the application.

I do have some sympathy with the AV programmes. One of my pet hates is applications that 'Install' and modify my computers registry WSC does not install and does not modify the registry too many problems start there. (it is worth looking for a registry cleaner on the web and using it).

So far for a very technically advanced site not to notice that the file is a self extracting zip is giving me a few doubts about the programme.

Now some notes:-

- an app calling home is a well understood behaviour of malware

Nowhere does the report state that the application calls home mainly because it doesn't.

- the lack of a digital signature is problematic

Digital signatures cost money so for a free programme it does not make sense. It must be remembered that a digital signature does not guarantee the downloaded application is not malware.

- the demographic using this app is not typically tech experienced

Not just this demographic but most users of the internet are not tech experiened.

- and as you mentioned, AV tools are always going to err on the side of false positive (as it should be)

Of course they do it shows the user how great the programme is having protected you from all these attacks.

The next mention of worth is 'Automatic Updates' another pet hate of mine as well having suffered many times from applications that have automatically updated without my knowledge.

WSC does not automatically update it is all left to the user.

I will be putting on the download site a warning about the false positives generated by AV programmes etc.

A little advice

Follow the advice of 51studebaker if possible when downloading. If you do not have a second computer always create a restore point first.

Always use an AV programme, after finding one you are comfortable with, but read the reports with a little knowledge there are many free applications out there which are not malware and the AV programmes appear to try and create a need for their product.

Next consider what is important to you. The computer and operating system can always be replaced and even the applications can be replaced. However all the family photographs, letters you have written and lots of other stuff just cannot be replaced.

Keep all of these in your Documents folder on your computer.

Buy a small external drive, one powered by the USB port is best then regularly copy your whole documents folder to this drive, after making sure your computer is working correctly. After copying remove the drive and put it somewhere safe. No malicious programmer has as yet come up with a virus that can remotely turn on a disconnected drive so your data is then safe. There are many programmes that can help with this.

Be careful of applications that save your data all over the place it just causes you problems when making your backup.

Try to keep any application setup programmes that you know are ok on your backup as well.

PS I am not using self extracting zip files anymore.


Regards to all

Probably just a virus.
I'm joking.

Freelanceprog (Collector Dave),
Thanks, I don't use your program or the AV program mentioned but your response is just a good explanation and solid general info.