Trojan “Tesla” on my system

Windows Defender picked up this very nasty trojan, Trojan: Tesla (Trojan:Win32/AgentTesla!ml), which does keylogging etc… after I installed Portfolio Performance via the Windows installer on my laptop.

This is one of the worst Trojans out there and a severe threat to any of your login password accounts without 2 factor authentication.

You cannot scan for this Trojan in an exe, for example by scanning the Windows installer file PortfolioPerformance-0.68.3-setup.exe with a virus scanner, to see if it’s OK and clean.
It hides very well from scanners (see here - Catching the RAT called Agent Tesla | Qualys Security Blog)

It’s picked up later by Windows Defender after it spreads to other files unpacking itself out of its source exe.

I never usually download and install software on my laptop, my Administrator account is a separate Windows account, and the only app I have downloaded in many months has been the Portfolio Performance Windows installer.

I would encourage people to use Windows Defender to scan their systems just in case.

Welcome to the world of false positives from signature-assumed heuristic scans. This can result in the scanner assuming a finding where there isn’t anything. Scan the file with https://www.virustotal.com/

https://cybernews.com/best-antivirus-software/microsoft-defender-review/

However, is Windows Defender really good enough to protect your data?
The answer is no. Despite its convenience and somewhat acceptable protection rates, Microsoft Defender is lacking when it comes to dealing with more serious cyber threats. Even some free contenders offer better protection, compared to Microsoft Defender. The antivirus is also lacking in terms of reliable scans and secure browsing options.

2 Likes

Thank you but this is incorrect.

This Trojan CANNOT be picked up on a scan of the exe.
Which is why it’s so dangerous.

Only when it unpacks itself into other directories can it be detected. After installing the Portfolio-Performance Windows installer exe, it was detected by Windows Defender when it unpacked itself here


and here

I have used ADlice Roguekiller and Hitman Pro to check over the system after Microsoft Defender removed the Trojan.

So what’s your point now?

Cheers

1 Like

That’s bull****! Sorry to be so rude, but that’s not true!

If you’re an expert, use your knowledge and show it to us in the code. The code is completely open source. Actually I have the feeling you read something on the Internet and are just talking like that.

2 Likes

I had just for fun downloaded the Windows installer release of PP with Norton 360 in the background. There were no alerts at all during the installation.

I just loaded the installer file into the sandbox of my employer’s SOC for fun. Result: Nothing

I would advise people not to let you drive them crazy.

2 Likes

In plain English, it cannot be detected by a virus scanner scanning and looking at the exe file.

Would you prefer I not report what happened? I am not making this up!

Read the article on the Trojan.

‘main payload code contains an obfuscated first stage PE dll file where char “@” is added for “000” at multiple locations. This helps Agent Tesla evade signature-based detection.’
TRANSLATION:
In plain English, it cannot be detected by a virus scanner scanning and looking at the exe file for the signature.

Only when it is later triggered by something does it unpack, as in the diagram in the article. https://blog.qualys.com/wp-content/uploads/2022/02/Flowchart-Diagram.gif

Its capabilities - "keylogging, screen capture, form-grabbing, credential stealing, and more. It will also exfiltrate credentials from multiple software programs like Google Chrome, Mozilla Firefox, and Microsoft Outlook – making its potential impact truly catastrophic."

Unfortunately this is what occurred, and you have to say it is very well targeted software for such a Trojan. Unfortunately there are many malicious actors out there - even whole countries like North Korea etc… who regularly commit such abuse.

Here is a case of open source software used by millions, designed to open a backdoor so someone could take over any Linux system (XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor), well hidden and only detected by the remotest chance discovery. It’s not unknown at all.

I used portfolio-performance extensively and some operation must have triggered the trojan code to unpack. It’s not as simple as loading it in a sandbox and running a virus scanner.

I might open a sandbox and see if I can trigger it again though.

Again, what is the point you’d like to make, rather than talking about something you obviously do not understand?

Or is this your first ever try of trolling?

Cheers

1 Like

It’s strange how you are so antagonistic towards an ordinary user who posted this very real problem with a keylogger installed that can rip off all your accounts.

If others have found this problem at least they can do a search for ‘Trojan’ and add to the thread.

I will reinstall PP in a sandbox and use it there and there only for now, and see if it infects the sandbox.

As you’re an expert, why don’t you just look up the source code? It’s free and open!

1 Like

@fatface

No, I wouldn’t prefer that. I am grateful to you for sharing your information here. :smiley:

But it’s wrong to assume that this forum is populated by idiots and Danger freaks.

Considering this fact and the fact that no one else has this problem except you, it is very likely that it is a false alarm. :nerd_face:

And if not, why should PP necessarily be the cause of your problems? Where is the causal connection?

Cheers, Laura

1 Like

I am using NSIS to create the installer. It’s used by many, many different applications. I already have a code signing key, but I haven’t been able to make it work on my build machine. Once that is in place, I hope that it reduces the likelihood of virus scanners having false positives. (Of course, I also must ensure that the build machine is “clean” in the sense that I use the original NSIS and not a compromised one).

In general, I think PP is too small to be a reasonable attack vehicle to distribute trojan horses. But vigilance is needed anyway.

7 Likes

Appreciate your efforts.
My solution to stop worrying is easy and anyone can do it - any trojan/virus for Windows cannot work in this environment:

(1) Simply follow these instructions to install Windows Subsystem for Linux 2 with Ubuntu - so you now have Linux running under Windows on your laptop which you can interact with.

(2) Install Java and Portfolio-Performance.
sudo apt update
sudo apt install openjdk-21-jdk
wget https://github.com/buchen/portfolio/releases/download/0.69.0/PortfolioPerformance-0.69.0-linux.gtk.x86_64.tar.gz

tar -xvf PortfolioPerformance-0.69.0-linux.gtk.x86_64.tar.gz
# rename this directory to portfolio to make it easy
sudo mv -fv PortfolioPerformance-0.69.0-linux.gtk.x86_64 portfolio
cd portfolio
# run Portfolio-Performance
./PortfolioPerformance

You now hopefully have a working program - but running in Linux, not directly in Windows - and you can access your Windows files from the Linux machine via /mnt in the root directory.

And you’re completely safe from any trojan etc…
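As an added example (not from the post above and not the project's own tooling): before extracting the tarball in step (2), check it against a SHA-256 you obtained from a trusted source and refuse to extract on a mismatch. The expected hash below is a placeholder, not a real release hash.

```shell
#!/bin/sh
# Added example: verify a downloaded Portfolio Performance tarball against a
# known SHA-256 before extracting it. EXPECTED_SHA256 is a placeholder; take
# the real value from a trusted source (release notes, a published checksum).
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball FILE EXPECTED -> returns 0 if the digest matches, 1 otherwise
verify_tarball() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# safe_extract FILE EXPECTED DESTDIR -> extracts only when the hash matches
safe_extract() {
    if ! verify_tarball "$1" "$2"; then
        echo "checksum mismatch for $1; refusing to extract" >&2
        return 1
    fi
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# Usage matching the steps in the post (uncomment to run after wget):
# safe_extract PortfolioPerformance-0.69.0-linux.gtk.x86_64.tar.gz "$EXPECTED_SHA256" . \
#   && mv -fv PortfolioPerformance-0.69.0-linux.gtk.x86_64 portfolio
```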

I highly appreciate your effort in making such a useful tool!

Just a quick thought from my side:
So far I used Excel & co. to track my portfolio. It works but would be nice to have something more elaborate. So I found Portfolio Performance, downloaded it and checked it via virustotal, as did many before me (I’ve read through some of the threads in this forum). One of them showed a malware.

Now I know that there can be false-positives and I believe this is also the case here (after all, the other scanners were negative). But I do not have the skills nor time to check in the source code myself however, so for me the outcome is, that I won’t use the tool for now. The gain in convenience of tracking my portfolio doesn’t outweigh the tiny risk of breaking sth on my computer.

I wanted to mention it here, in the hopes that the efforts to optimize the installer to prevent these false-positives continues in the future.

PS:
Before I get silenced by some of the rather rude responders in this thread, I want to mention that I believe you do great work here, and this is just my personal risk-balancing decision.

1 Like