
Analysis assistance requested


SephStorm

Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Tue Jan 10, 2012 4:19 pm

Analysis assistance requested

Hi all,

I am currently trying out Amahi Home Server as a home server (obviously). Included is a VPN server, and they suggest their own easy-to-use client software for Windows.

Download here: http://dl.amahi.org/HDAConnect3.exe

Now, when I downloaded the software I scanned it with MSE (clean) and submitted it to VirusTotal. The file had last been submitted in 2010 with 2 alerts. I reanalyzed the file and the report came back 100% clean. On a whim, I threw the MD5 into Google and received one result:

http://xml.ssdsandbox.net/index.php/4a7 ... b78f1180ca

It looks like an analysis of the file with a different exe name. IAC, the review indicated what, to my untrained eyes, appears to be suspicious and concerning.

http://xml.ssdsandbox.net/index.php/files424 shows trojan files, I suppose, in the exe. In addition, the exe appears to add some flags to itself: "Security anonymous". I haven't looked this up yet, but it seems suspicious. I was wondering if anyone wanted to take a look before I present this to the Amahi community.

In the meantime, I'll likely look elsewhere for a free VPN client.
sectestanalysis.blogspot.com/

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Jan 10, 2012 6:41 pm

Re: Analysis assistance requested

It's probably a false positive. From what I've seen, it's relatively common to see remote access software identified as generic trojans. Also, someone could have repackaged it with malware and gotten it associated with something malicious at some point. I'm not familiar with the company, but if the vendor's reputable, it's probably a false positive.

Also, SECURITY_ANONYMOUS appears to be preferred since it doesn't attempt to impersonate anything and uses the anonymous impersonation level:
http://msdn.microsoft.com/en-us/library ... 85%29.aspx

http://msdn.microsoft.com/en-us/library ... 85%29.aspx
The day you stop learning is the day you start becoming obsolete.

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Wed Jan 11, 2012 10:45 am

Re: Analysis assistance requested

Check out OpenVPN. If all you need is a single VPN license, this works well and supports multiple platforms. For Mac you need Tunnelblick. The server end comes as a pre-packed ISO for VM installation or CD/DVD install. I think they may have instructions on installing it to a current system.
Certs: GCWN
(@)Dewser

SephStorm

Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Wed Jan 11, 2012 6:38 pm

Re: Analysis assistance requested

The server includes OpenVPN, but I need a client to connect with. Thanks dynamik, those are possibilities I considered. I'll wait a few days, see if anyone is interested.
sectestanalysis.blogspot.com/

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Thu Jan 12, 2012 10:35 am

Re: Analysis assistance requested

Ah, I am using Tunnelblick on my Mac, works pretty well. I think you can download the Windows and Linux clients directly from the OpenVPN Server site on the box. I think you can see it if you visit the 443 site on your server, or whatever HTTPS port you are using. OpenVPN has two service ports it uses, the HTTPS and the management port.
Certs: GCWN
(@)Dewser
