Black Dragon Viewer Potentially Containing a Backdoor


PookieTM

I don’t know if this is the right place to put this or if this goes against the naming and shaming policy, but seeing as my antivirus found a Trojan file after my install of the latest version of Black Dragon, I thought I’d perhaps write this forum post to warn others, bring this to someone’s attention, and/or figure out if this program is responsible or not.

Before downloading I was given several prompts from both Google Chrome and Windows warning about a suspicious file. Seeing as I downloaded Black Dragon previously I assumed this was due to the file coming from an unknown user. I was prompted to run my antivirus shortly afterwards and that is when it found the Trojan. Just to be extra sure I scanned it on VirusTotal and sure enough it came up with the attached.
[image attachment: VirusTotal result]

I am in no shape or form a techy person. I could be wrong. I simply wanted to inform someone of this just in case this viewer is harboring malicious code. I apologize if this is located in the wrong section. 

Maybe I’m wrong? I could’ve downloaded the wrong file? It was from GitHub I remember that much. Perhaps it was someone else posing as Black Dragon? I’m confused why I had the Trojan :/. I had to uninstall it completely, run the antivirus again, and it quarantined the malicious file. 

ETA: I was able to access the grid with this file. All of my settings and login information were saved, and I was able to purchase lindens through this file. It was exactly like the previous Black Dragon I had installed except for the red flags raised by my antivirus. The website I downloaded it from was originally a (not sure if it was the official one or not) Black Dragon site that redirected me to GitHub. Prior to installing the newest version, I had my previous one on my computer since I unboxed the tower back in early 2021, so I cannot recall if downloading from GitHub was always the case or not. The file ran smoothly, and looked absolutely no different than the previous version.

Edited by PookieTM

I recently installed Black Dragon as well. I did get the two caution messages. The first is simply Google saying the file is too big for them to scan for viruses, do you want to download anyway. The second is from Microsoft, saying they don't recognize the source of the file. That is probably an expired certificate issue or something.

I ran MS Defender on the entire installed Black Dragon folder on my PC, and it scans clean.

7 hours ago, PookieTM said:

I don’t know if this is the right place to put this or if this goes against the naming and shaming policy, but seeing as my antivirus found a Trojan file after my install of the latest version of Black Dragon, I thought I’d perhaps write this forum post to warn others, bring this to someone’s attention, and/or figure out if this program is responsible or not.

Before downloading I was given several prompts from both Google Chrome and Windows warning about a suspicious file. Seeing as I downloaded Black Dragon previously I assumed this was due to the file coming from an unknown user. I was prompted to run my antivirus shortly afterwards and that is when it found the Trojan. Just to be extra sure I scanned it on VirusTotal and sure enough it came up with the attached.
[image attachment: VirusTotal result]

I am in no shape or form a techy person. I could be wrong. I simply wanted to inform someone of this just in case this viewer is harboring malicious code. I apologize if this is located in the wrong section.

I was already informed of this yesterday.

Apparently this is being shared on virtual secrets (another SL drama website), see below.

[image attachment: screenshot of the Virtual Secrets post]

Not only does this person not have any idea, nor was this person patient enough to simply do a reanalysis (which is what I did a couple hours ago), netting a fresh test of the same file and, to no one's surprise, all 60 apps detected it as clean. Jiangmin (like a couple others), as the name suggests, is an Asian antivirus; they are very well known to throw false positives at basically everything. Also whoever made this immediately started fearmongering to whirl up some more drama, clearly targeting to shoot me down. Not the first time. Shown in the above picture, the very statement that I made the #1 copybot Viewer is proof enough that this is completely untrustworthy and someone who is simply out to attack me. I have never and will never make a copybot Viewer. Prior to Niran's Viewer I didn't even have any coding knowledge whatsoever, and the development of Niran's Viewer into Black Dragon, all the way until today, can be easily followed.

To address the elephant in the room directly: you most likely did not download the wrong file. To understand why antivirus apps go off you have to understand how these antivirus apps work. They are no magical all-defense application that will protect you from all viruses; in fact they are actually quite stupid and make a lot of assumptions. Most of the essential work they do is just check something (like the auto-extracting WinRAR) against their database of reported "malicious" behavior; if they match up they will flag it as potentially malicious, keyword being "potentially". They do not know, they are simply warning you the user that this file is acting similar to common viruses (according to their database), that is, a self-extracting archive is a very common thing to abuse (just like any installer). In fact most of the actual viruses cannot be detected in the first place because they base their reports on their database. If I were to write something malicious I'd most likely not write it like a common virus, which would make your antivirus unable to detect it as it doesn't follow any commonly reported behavior. Antivirus apps are basically just a giant database that compares behavior, behavior that has to be reported first; this means people will get infected and probably into trouble long before the virus is detected and reported to the database, potentially preventing future infections.

Anyway, as with anything, if you do not trust it, send it again to VirusTotal, have it be retested, make a mental note of who actually reports it, make a manual scan with Defender or your antivirus of your choice; it is very likely that it's simply a false positive. Also do not ever download these files from anywhere but the official websites (that is, in my case, my blog, which leads you through the pre-download page to explain some common problems and then into the actual download page: here)

4 hours ago, Lindal Kidd said:

I recently installed Black Dragon as well. I did get the two caution messages. The first is simply Google saying the file is too big for them to scan for viruses, do you want to download anyway. The second is from Microsoft, saying they don't recognize the source of the file. That is probably an expired certificate issue or something.

I ran MS Defender on the entire installed Black Dragon folder on my PC, and it scans clean.

To address these, they are, as you already explained, quite normal. Google Drive can only scan files up to 64 MB? I think, maybe 100 MB... so it's just warning you that it couldn't test it, nothing special about that. The other being Microsoft (either Defender or sometimes your browser) giving you a warning that this file might be unwanted; this is because again it's an executable (which are often used for malicious stuff) and it also doesn't have a MS certificate (never had), that's also completely normal. You can somewhat safely ignore them; again, don't just blindly trust everything, but also don't freak out when something is up, simply read what it tells you (usually it's just a harmless warning) and then decide for yourself what to do.

The Viewer is fully open source, anyone can look into it and compile it themselves, and if anyone believes I might have done something with the installer itself, you can essentially skip it: it's a self-extracting archive made with WinRAR, which means you can simply open it with WinRAR and manually extract the files without using the auto extraction expansion.

False positives are, sadly, extremely common with anti-viruses...

You must understand that anti-virus software works with either "signatures" (meaning a small sequence of bytes that you can find in a given virus/malware) or with "heuristics" analysis (meaning the anti-virus tries to find suspect sequences of code in the analyzed file; sequences that would, for example, write to the Windows registry, attempt to gain higher execution privilege, or overwrite/corrupt/infect some system file).

Neither of these methods is 100% reliable, by far, and especially when it comes down to software installers such as found for Windows software: these installers use a compressed form of the software they install (and a byte sequence corresponding to one "virus signature" could accidentally appear in that compressed data), and they do write in the Windows registry, in the protected Programs folder, etc., so they can be mistaken for "hostile" pieces of code by some "heuristics" engines (not to mention other random compressed data sequences that could look just like hostile code to the heuristics engine)... Anti-virus software providers are constantly updating their databases and engines to fix the false positives they have been made aware of, but it can take time...

Point is, the very same viewer installer binary could have been considered safe three months ago, be considered ”infected” today and will be shown safe again in three months.

If Virus Total reports just one positive, then it is most likely a false positive...

Oh, and on a side note, before being detected by anti-virus software, a new virus always passes VirusTotal tests like a charm!... If you want to be 99.99% sure you do not have any virus/malware on your system, then use a Gentoo Linux distribution (i.e. an operating system that is already natively very hard to infect (Linux), and you compile from scratch on your own computer, from well known sources): this is the only way... As a compromise and as far as SL viewers are concerned, you could also compile your preferred viewers from their sources, on your computer...

Edited by Henri Beauchamp
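
The two explanations above (Niran's, that a scanner is essentially a database of reported byte patterns, and Henri's, that a signature's bytes can turn up by chance inside an installer's compressed payload) can be shown with a toy scanner. This is an added example, not code from the thread or from the Black Dragon project; the signature names and patterns are constructed, and a seeded random buffer stands in for compressed installer content, since well-compressed data is statistically close to uniform random bytes.

```python
"""Toy byte-signature scanner: why short signatures yield false positives.

Added example, not part of the forum thread or any antivirus product.
Signature names and patterns are constructed for illustration only.
"""
import random

# Constructed signature database "v1". A 2-byte pattern is far too short to
# be specific: it will occur by chance in almost any large file.
SIGNATURES_V1 = {
    "Constructed.Short": b"\xe8\x00",
    "Constructed.Long": b"\xde\xad\xbe\xef\xca\xfe\xf0\x0d",
}

# "v2": the vendor lengthened the short pattern after false-positive reports.
# The same file now scans clean (Henri's point: flagged today, clean after
# a database update, with no change to the file itself).
SIGNATURES_V2 = {
    "Constructed.Short": b"\xe8\x00\x00\x00\x00\x5d\xc3\x90",
    "Constructed.Long": SIGNATURES_V1["Constructed.Long"],
}


def scan(data: bytes, signatures: dict) -> list:
    """Return names of every signature whose pattern occurs anywhere in data.

    This is the whole "signature" mechanism: a byte-sequence lookup. The
    scanner learns nothing about what the file actually does.
    """
    return [name for name, pattern in signatures.items() if pattern in data]


def expected_chance_matches(data_len: int, sig_len: int) -> float:
    """Expected number of accidental hits of a sig_len-byte pattern in
    data_len bytes of uniformly random data (each start position matches
    independently with probability 256 ** -sig_len)."""
    positions = max(data_len - sig_len + 1, 0)
    return positions / 256 ** sig_len


def make_installer_body(size: int = 1 << 20, seed: int = 42) -> bytes:
    """Stand-in for an installer's compressed payload (constructed data).
    Well-compressed data is close to uniform random bytes, which is exactly
    why unrelated signatures can collide with it. Seeded for reproducibility."""
    return random.Random(seed).getrandbits(size * 8).to_bytes(size, "little")


if __name__ == "__main__":
    body = make_installer_body()
    print("v1 verdict:", scan(body, SIGNATURES_V1) or "clean")
    print("v2 verdict:", scan(body, SIGNATURES_V2) or "clean")
    for n in (2, 8):
        print(f"expected chance hits, {n}-byte signature in 1 MiB:",
              f"{expected_chance_matches(len(body), n):.2e}")
```

With the v1 database the 1 MiB body is flagged by the 2-byte pattern (about 16 chance hits are expected) while the 8-byte pattern never matches; the v2 database reports the identical bytes as clean.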

I would just like to further emphasize (for future occurrences, and having a critical eye for these things) that indeed the one false positive comes from "Jiangmin", which isn't exactly a reputable piece of software. While any of them can produce false positives, it's barely even worth considering if it's only one obscure antivirus that isn't even tested by any professional sites (and indeed, you can Google "jiangmin antivirus" to find an absolute mountain of it detecting false positives in every kind of harmless file!)

Edited by Cinos Field

I am pleased (but not surprised) that this seems to be a false alarm.

I would like to suggest gently that the OP is not, however, "fear-mongering." The question was asked in good faith, and without attached judgement. And for many of us who are not especially tech-savvy, a warning from an anti-virus programme can be alarming. But I'm delighted that it appears to be a false positive.

Agreed that this thread should now be closed, or even deleted (although others may experience the same thing?).

This topic is now closed to further replies.