syncthing still detected as malware?

Are there still reports of Syncthing getting identified as malware (virus, trojan)?

I received a claim by a local authority that my PC allegedly has been infected and/or spreading a variant of Hupigon / Graftor.

As I am away for some days I can’t currently run a scan on my PC.

Thanks for any information whether false positive reports currently still happen with syncthing.

I haven’t heard anything about it for years.

1 Like

Thank you.

Does this allegedly suspicious traffic (recorded by that authority) ring any bells?

Port 80 is regular HTTP. This could also be triggered by your browser prefetching a URL.

1 Like

Thank you. Would a trojan be using port 80?

Pretty much any C&C server will listen on ports 80 or 443 as those are the most likely to not be blocked by firewalls. Their goal is to stay undetected and so they try to make their traffic look like it was generated by a browser.

IMHO the warning is a false-positive.

1 Like

Understood. Why do you think it is a false positive – can this be taken from the above table?

I will be running Wireshark on that PC today – is there something I could look for in order to find out whether there is that alleged Hupigon infection?

The malware in question is rather old and the detection logic can also be triggered by a URL, which is also the most likely explanation.

Just a quick question, but why can’t you run a scan? Windows 10 has built-in antivirus software.

Thanks!

I will be running an AV scan today as soon as I arrive at that PC’s location.

So do you think that the detection logic has been triggered by that “Destination Host”?

I thought that this authority would have read the actual traffic’s content and would have concluded from that on the actual malware?

The communication with a C&C server is usually encrypted.

1 Like

I once got a notification about using a Tor instance when I have never used or installed Tor on my work laptop. Turned out that the IP address of one of the discovery servers was related to Tor (exit node or just a proxy), so it triggered the alarm to the infra security guys. Might be the same case here.

2 Likes

In fact, at the moment it looks like that suspicious website from the above table, which ceased to exist over ten years ago, might once have been infected with this Hupigon trojan, and that this website was hosted by Internap.com.

Now it seems that this authority only has recorded an access (of the network to which my computer was connected) to Internap.com (that access most likely being completely harmless), inferred from there to this long-gone website, and then sent out this Trojan warning as a result.

2 Likes

FYI, actually the matter looks somewhat different now (but still probably has nothing to do with Syncthing, at least I hope so).

Most computer security companies seem to have agreed that any access to that website shown in the table above (which ceased to exist a long time ago) is indeed a sign of malware infection.

Therefore, Internet providers have joined forces internationally, and automatically redirect this website (among many others) to a so-called sinkhole address. If an Internet provider then registers traffic on this sinkhole address, the authorities of the geographic region evident from the source IP address are contacted, who in turn can then issue warnings or initiate police investigations, as the case may be.

Thus, although I have not yet been able to investigate the PC in question, it seems that it was indeed infected by that malware.

Also, it is still not apparent to me how the PC could have been infected in the first place. It had been running automatically at regular intervals for a while, however only for file synchronization via Remote Desktop and Syncthing, and without any physical user interaction on-site.
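As an added example (not from this thread or the Syncthing project), this is the check a defender would run over the PC's recorded connections before answering such a notification: it classifies each line of a constructed connection log so that a hit on the provider's sinkhole address stands out from ordinary port 80/443 traffic and from Syncthing's own discovery traffic. The sinkhole IP, the discovery host name and all addresses in the log are placeholders.

```python
from collections import Counter

# Constructed placeholder lists. 192.0.2.0/24 and 203.0.113.0/24 are reserved
# documentation ranges; real sinkhole addresses come from the notifying
# authority or provider, and the discovery host names from your own Syncthing
# configuration (the name below is assumed, not taken from the thread).
SINKHOLE_IPS = {"192.0.2.10"}
DISCOVERY_HOSTS = {"discovery.syncthing.net"}

# Constructed log lines: timestamp, source IP, destination IP, destination
# port, destination host ("-" when no name was seen, e.g. no SNI/Host header).
LOG = """\
2024-01-01T10:00:01 10.0.0.5 203.0.113.7 443 example.org
2024-01-01T10:00:02 10.0.0.5 192.0.2.10 80 long-gone-site.example
2024-01-01T10:00:03 10.0.0.5 198.51.100.3 443 discovery.syncthing.net
2024-01-01T10:00:04 10.0.0.5 203.0.113.9 80 -
"""

def parse(log):
    """Yield one dict per non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, host = line.split()
        yield {"ts": ts, "src": src, "dst": dst, "port": int(port),
               "host": None if host == "-" else host}

def classify(conn, sinkholes=SINKHOLE_IPS, discovery=DISCOVERY_HOSTS):
    """Label one connection; sinkhole hits take priority because they are
    what the provider's notification is actually based on."""
    if conn["dst"] in sinkholes:
        return "sinkhole"
    if conn["host"] in discovery:
        return "syncthing-discovery"
    if conn["port"] in (80, 443):
        # Port alone proves nothing: browsers, prefetching and C&C use 80/443.
        return "web"
    return "other"

def triage(log, sinkholes=SINKHOLE_IPS, discovery=DISCOVERY_HOSTS):
    """Count connections per label and list sinkhole hits with timestamp,
    destination IP and host, the details worth quoting back to the authority."""
    counts, hits = Counter(), []
    for conn in parse(log):
        label = classify(conn, sinkholes, discovery)
        counts[label] += 1
        if label == "sinkhole":
            hits.append((conn["ts"], conn["dst"], conn["host"]))
    return counts, hits
```

A Wireshark "Conversations" export or a firewall log can be reshaped into the same five columns; a hit with the destination host of the long-gone website confirms the notification, while only web and discovery traffic points to a false positive.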

None of this sounds like Syncthing. Just for the record. I think the topic subject may be misleading.

Okay thanks. Of course the topic title can be changed by a moderator. I believe I can’t change it anymore.