What is Spiderbanner.dll? Why is it connecting to a bunch of External IPs?

sprinterE · 2021-05-04T10:24:34.387Z

Things I have tried

I really like the concept of obsidian, so i tried to download it but i have a habit of scanning everything just to make sure it’s safe. What i found was the obsidian windows .exe itself was clean but it had a spiderbanner.dll file which was flagged by 1 antivirus, so i looked into it more and found it was connecting to multiple external IPs which i think are certificate checks but in Crowdsourced IDS rules i found:

Matches rule ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read from        

Emerging Threats Open Rulesets

Attempted Administrator Privilege Gain

View rule View matches

Matches rule SURICATA IPv4 padding required from Suricata Decoder Events

Generic Protocol Command Decode

View rule View matches

Matches rule ET POLICY Reserved Internal IP Traffic from Emerging Threats Open   

Rulesets

Potentially Bad Traffic

View rule View matches

Matches rule SURICATA zero length padN option from Suricata Decoder Events

Generic Protocol Command Decode

View rule View matches

Matches rule ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer 

Overflow from Emerging Threats Open Rulesets

A Network Trojan was detected

View rule View matches

Matches rule PROTOCOL-ICMP IPv6 multicast neighbor add attempt from snort

Misc activity

View rule View matches

Matches rule DELETED BAD TRAFFIC Non-Standard IP protocol from snort

Detection of a non-standard protocol or event

View rule View matches

Matches rule DELETED BAD-TRAFFIC same SRC/DST from snort

Potentially Bad Traffic

View rule View matches

Matches rule PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no  

authority from snort

Potentially Bad Traffic

View rule View matches

Matches rule PROTOCOL-ICMP PING Windows from snort

Misc activity

View rule View matches

Matches rule PROTOCOL-ICMP Unusual PING detected from snort

Information Leak

View rule View matches

Matches rule SERVER-OTHER MRLG fastping echo reply memory corruption attempt 

from snort

Misc Attack

View rule View matches

Matches rule PROTOCOL-ICMP Echo Reply from snort

Misc activity

The

Matches rule ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer
Overflow from Emerging Threats Open Rulesets
A Network Trojan was detected

line was making me nervous, i tried looking for what exactly spiderbanner.dll is but i had no luck

What I’m trying to do

I’m trying to find, what exactly spiderbanner.dll is and why is it connecting to external IPs?
What does the

Matches rule ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow from Emerging Threats Open Rulesets
A Network Trojan was detected

mean?

Edit

I was digging for answers and in my research what i found was: it was a NSIS plugin made for installation, and it is used quite a lot.

While it is not clear why it would connect to those IPs being such a small plugin and with no certificates for it to connect and verify stuff even if they are from Microsoft.

I think the Devs of obsidian don’t have to do anything with it, which i am making clear here as it is my responsibility to do so, since it sounds like i am accusing (which i wasn’t) but yea i can see that.

Don’t worry i will find why that dll is connecting to those IPs as i am trying to contact it’s original creator soon.

In the end we all want a better program with privacy.

Scribe · 2021-05-05T17:41:00.617Z

SpiderBanner is a component of a generic installer. Only one vender flagged the file, which suggests a false positive. I’m guessing the reason for it is because it’s been used in the past to install malware, not that it is.

The file you scanned appears to be SpiderBanner, but not from Obsidian’s executable. When I run the scan, none of the engines detect it as malicious. If you examine the report, you can see everything it does, including SpiderBanner (which is only ever held in a temp file) deleting itself when finished. Notice also there are no suspicious registry actions.

https://www.virustotal.com/gui/file/a1f29e6b7825d43f31f138c591b3f9ae47f08029ed049f5a70b28dc92390e6a9/behavior/VirusTotal%20Jujubox

Obsidian’s executable is signed (Dynalist). The file you scanned was not, which makes me wonder where you got what you uploaded to VirusTotal. Nor did I notice any suspicious network traffic on my scan. Looking at yours, I’m seeing traffic going to Microsoft on Port 80 and 443. It’s common HTTP and HTTPS.

Perhaps you might download a fresh copy of Obsidian, scan it, install it, and search your system for the SpiderBanner. As mentioned above, it deletes itself. I didn’t find an active copy anywhere on my system.

I hope you give Obsidian a chance. You might find it to be as enjoyable as I do.

WhiteNoise · 2021-05-05T19:18:23.335Z

This is just a plugin used by the windows installer we use NSIS.
It’s used to show a progress bar while the app is installing.

https://nsis.sourceforge.io/SpiderBanner_plug-in

I-d-as · 2021-05-05T22:41:58.114Z

@sprinterE: Thanks for posting this. Even though I already felt quite confident, it makes me feel even safer to know that even under close scrutiny, Obsidian holds up as a safe program. Keep it up.

Much appreciated.

sprinterE · 2021-05-06T11:23:58.086Z

Hey there, thanks for replying.

The file you scanned appears to be SpiderBanner, but not from Obsidian’s executable. When I run the scan, none of the engines detect it as malicious. If you examine the report, you can see everything it does, including SpiderBanner

Obsidian’s executable is signed (Dynalist). The file you scanned was not, which makes me wonder where you got what you uploaded to VirusTotal. Nor did I notice any suspicious network traffic on my scan. Looking at yours, I’m seeing traffic going to Microsoft on Port 80 and 443. It’s common HTTP and HTTPS.

No, It is from Obsidian and it is from the official release. You can click my link and see that the file i mentioned is signed by Dynalist Inc , you can cross check hashes, you might be looking at a different platform release i guess? The one i mentioned was for windows.

The plugin we are discussing is made by Nsis user which is trusted but i don’t know why those unnecessary connections were made even if they are to microsoft.

Here are my thoughts:

I understand why Obsidian packed their software with Nsis plugins as Nsis plugins are one of the most trusted open source plugins used for packing a software.

The heuristics false positive can be understood because of the nature of the plugin: It is used when installation process is happening and deletes as soon as the software is installed which is similar to bundled malware which silently installs and deletes the installation file so user does not find out about it. While it is a popular way for malware to hide, the method can also be used for a legitimate purpose, which in this case is deleting the UI element of installer after its use is done, which makes sense, why would it stay there when you don’t need that? so it’s clear there

As for connecting to those external IPs i will find it soon. Well i hope i will do at least, My best guess is old leftover code for dependencies. The plugin has not been updated for a long time. So yea.

sprinterE · 2021-05-06T11:26:58.489Z

Yea, and it deletes after installation so it is safe.

sprinterE · 2021-05-06T11:32:19.516Z

No problem, Obsidian should be safe.
The dll i mentioned probably has some old code for dependencies and has heuristic nature, so i think that explains the situation. Either way it deletes as soon as obsidian is installed.

system · 2021-05-07T11:32:50.747Z

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.