Windows Defender picked up this very nasty trojan Trojan: Tesla ( Trojan:Win32/AgentTesla!ml) which does keylogging etc… after I installed Portfolio Performance via the windows installer on my laptop.
This is one of the worst Trojans out there and a severe threat to any of your login password accounts without 2 factor authentication.
You cannot scan for this Trojan in a exe, for example by scanning the windows installer file PortfolioPerformance-0.68.3-setup.exe with a virus scanner, to see if it’s OK and clean.
It hides very well from scanners (see here - Catching the RAT called Agent Tesla | Qualys Security Blog)
It’s picked up later by Windows Defender after it spreads to other files unpacking itself out of its source exe.
I never usually download and install software on my laptop, my Adminstrator account is a seperate windows account, and the only app I have downloaded in many months has been Portfolio Performance windows installer.
I would encourage people to use Windows Defender to scan their systems just in case.
Welcome to the world of false positive signature assumed heuristic scans. This could result in that the scanner assume a finding, where their isn’t anything. Scan the file with https://www.virustotal.com/
However, is Windows Defender really good enough to protect your data?
The answer is no. Despite its convenience and somewhat acceptable protection rates, Microsoft Defender is lacking when it comes to dealing with more serious cyber threats. Even some free contenders offer better protection, compared to Microsoft Defender. The antivirus is also lacking in terms of reliable scans and secure browsing options.
This Trojan CANNOT be picked up on a scan of the exe.
Which is why it’s so dangerous.
Only when it unpacks itself into other directories can it be detected. After installing Portfolio-Performance Windows Installer exe, t was detected by Windows Defender when it unpacked itself here
That’s bull****! Sorry to be so rude, but that’s not true!
If you’re an expert, use your knowledge and show it to us in the code. The code is completely open source. Actually I have the feeling you read something in the Internet and just talking like that.
I had just for fun downloaded the Windows installer release of PP with Norton 360 in the background. Their was no alerts at all during the installation.
In plain english, it cannot be detected by a virus scanner scanning and looking at the exe file
Would you prefer I not report what happened? I am not making this up!
Read the article on the Trojan.
‘main payload code contains an obfuscated first stage PE dll file where char “@” is added for “000” at multiple locations. This helps Agent Tesla evade signature-based detection.’
TRANSLATION: In plain english, it cannot be detected by a virus scanner scanning and looking at the exe file for the signature
It’s capabilities - "keylogging, screen capture, form-grabbing, credential stealing, and more. It will also exfiltrate credentials from multiple software programs like Google Chrome, Mozilla Firefox, and Microsoft Outlook – making its potential impact truly catastrophic."
Unfortunately this is what occured and you have to say is very well targetted software, for such a Trojan. Unfortunately there are many malicoius actors out there - even whole countries like North Korea etc… who regularly commit such abuse.
I used portfolio-performance extensively and some operation must have triggered the trojan code to unpack. It’s not as simple as loading it in a sandbox and running a virus scanner.
I might open a sandbox and see if I can trigger it again though.
It strange how you are so antigonistic towards a ordinary user who posted this very real problem with a keylogger installed that can rip off all your accounts.
If others have found this problem at least they can do a search for ‘Trojan’ and add to the thread.
I will reinstall PP in a sandbox and use it there and there only for now, and see if it infects the sandbox.
I am using NSIS to create the installer. It’s used by many, many different applications. I already have code signing key, but I haven’t been able to make it work on my build machine. Once that is in place, I hope that it reduces the likelihood of virus scanner having false positives. (Of course, I also must ensure that the build machine is “clean” in the sense that I use the original NSIS and not a compromised one).
In general, I think PP is too small to be a reasonable attack vehicle to distribute trojan horses. But vigilance is needed anyway.
