What is Spiderbanner.dll? Why is it connecting to a bunch of External IPs?

Things I have tried

I really like the concept of Obsidian, so I tried to download it, but I have a habit of scanning everything just to make sure it’s safe. What I found was that the Obsidian Windows .exe itself was clean, but it contained a spiderbanner.dll file which was flagged by 1 antivirus, so I looked into it more and found it was connecting to multiple external IPs, which I think are certificate checks, but in the Crowdsourced IDS rules I found:

Matches rule ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read from Emerging Threats Open Rulesets (Attempted Administrator Privilege Gain)

Matches rule SURICATA IPv4 padding required from Suricata Decoder Events (Generic Protocol Command Decode)

Matches rule ET POLICY Reserved Internal IP Traffic from Emerging Threats Open Rulesets (Potentially Bad Traffic)

Matches rule SURICATA zero length padN option from Suricata Decoder Events (Generic Protocol Command Decode)

Matches rule ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow from Emerging Threats Open Rulesets (A Network Trojan was detected)

Matches rule PROTOCOL-ICMP IPv6 multicast neighbor add attempt from snort (Misc activity)

Matches rule DELETED BAD TRAFFIC Non-Standard IP protocol from snort (Detection of a non-standard protocol or event)

Matches rule DELETED BAD-TRAFFIC same SRC/DST from snort (Potentially Bad Traffic)

Matches rule PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority from snort (Potentially Bad Traffic)

Matches rule PROTOCOL-ICMP PING Windows from snort (Misc activity)

Matches rule PROTOCOL-ICMP Unusual PING detected from snort (Information Leak)

Matches rule SERVER-OTHER MRLG fastping echo reply memory corruption attempt from snort (Misc Attack)

Matches rule PROTOCOL-ICMP Echo Reply from snort (Misc activity)

The line

Matches rule ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow from Emerging Threats Open Rulesets (A Network Trojan was detected)

was making me nervous. I tried looking for what exactly spiderbanner.dll is, but I had no luck.

What I’m trying to do

I’m trying to find out what exactly spiderbanner.dll is and why it is connecting to external IPs.
What does the

Matches rule ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow from Emerging Threats Open Rulesets (A Network Trojan was detected)

line mean?

Edit

I was digging for answers, and what I found in my research was: it is an NSIS plugin made for installation, and it is used quite a lot.

It is still not clear why it would connect to those IPs, being such a small plugin with no certificates of its own to connect and verify, even if the IPs belong to Microsoft.

I think the devs of Obsidian don’t have anything to do with it, which I am making clear here since it is my responsibility to do so; it sounds like I am accusing them (which I wasn’t), but yes, I can see that.

Don’t worry, I will find out why that dll is connecting to those IPs, as I am trying to contact its original creator soon.

In the end we all want a better program with privacy.


SpiderBanner is a component of a generic installer. Only one vendor flagged the file, which suggests a false positive. I’m guessing the reason for it is that it’s been used in the past to install malware, not that it is malware.

The file you scanned appears to be SpiderBanner, but not from Obsidian’s executable. When I run the scan, none of the engines detect it as malicious. If you examine the report, you can see everything it does, including SpiderBanner (which is only ever held in a temp file) deleting itself when finished. Notice also there are no suspicious registry actions.

https://www.virustotal.com/gui/file/a1f29e6b7825d43f31f138c591b3f9ae47f08029ed049f5a70b28dc92390e6a9/behavior/VirusTotal%20Jujubox

Obsidian’s executable is signed (Dynalist). The file you scanned was not, which makes me wonder where you got what you uploaded to VirusTotal. Nor did I notice any suspicious network traffic on my scan. Looking at yours, I’m seeing traffic going to Microsoft on Port 80 and 443. It’s common HTTP and HTTPS.

Perhaps you might download a fresh copy of Obsidian, scan it, install it, and search your system for the SpiderBanner. As mentioned above, it deletes itself. I didn’t find an active copy anywhere on my system.

I hope you give Obsidian a chance. You might find it to be as enjoyable as I do.

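As an added example (not part of this thread and not Obsidian's or NSIS's own tooling), here is a PowerShell script that runs the checks the reply above describes: the installer's Authenticode signature and signer, its SHA-256 for cross-checking against the value published by the vendor or shown on VirusTotal, and a search for any SpiderBanner.dll copy left behind after setup. The installer path and the expected hash are assumptions to be filled in by the reader.

```powershell
# Added example, not from the thread. Paths and the expected hash are assumptions.
param(
    # Assumed download location of the installer; adjust to where you saved it
    [string]$Installer = "$env:USERPROFILE\Downloads\Obsidian-Setup.exe",
    # Paste the SHA-256 from the vendor's download page or the VirusTotal report; leave empty to skip
    [string]$ExpectedSha256 = ""
)

if (-not (Test-Path -LiteralPath $Installer)) {
    throw "Installer not found: $Installer"
}

# 1. Authenticode signature: expect Status = Valid and a subject naming the publisher
$sig = Get-AuthenticodeSignature -FilePath $Installer
"File   : $Installer"
"Status : $($sig.Status)"
if ($sig.SignerCertificate) {
    "Signer : $($sig.SignerCertificate.Subject)"
    "Issuer : $($sig.SignerCertificate.Issuer)"
    "Valid  : $($sig.SignerCertificate.NotBefore) to $($sig.SignerCertificate.NotAfter)"
}
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature is not valid; do not run this file until you know why"
}

# 2. Hash: compare with the published value (Get-FileHash returns uppercase hex)
$hash = (Get-FileHash -LiteralPath $Installer -Algorithm SHA256).Hash
"SHA256 : $hash"
if ($ExpectedSha256 -and ($hash -ne $ExpectedSha256.ToUpper())) {
    Write-Warning "SHA-256 does not match the expected value"
}

# 3. NSIS extracts plug-ins such as SpiderBanner into a temporary directory under %TEMP%
#    and removes them when setup finishes; any copy still present afterwards deserves a look
$searchRoots = @($env:TEMP, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$leftovers = Get-ChildItem -Path $searchRoots -Recurse -Filter 'SpiderBanner.dll' -ErrorAction SilentlyContinue
if (-not $leftovers) {
    "No SpiderBanner.dll found under the searched locations"
} else {
    $leftovers | ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Size      = $_.Length
            Modified  = $_.LastWriteTime
            Signature = $s.Status
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize
}
```

Run it from a normal PowerShell prompt after downloading the installer; a valid signature from the publisher plus a matching hash tells you the file is the one the vendor shipped, and the hash of any leftover DLL can be looked up on VirusTotal the same way the posters in this thread did.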

This is just a plugin used by the Windows installer we use, NSIS.
It’s used to show a progress bar while the app is installing.

https://nsis.sourceforge.io/SpiderBanner_plug-in


@sprinterE: Thanks for posting this. Even though I already felt quite confident, it makes me feel even safer to know that even under close scrutiny, Obsidian holds up as a safe program. Keep it up.

Much appreciated.


Hey there, thanks for replying.

The file you scanned appears to be SpiderBanner, but not from Obsidian’s executable. When I run the scan, none of the engines detect it as malicious. If you examine the report, you can see everything it does, including SpiderBanner

Obsidian’s executable is signed (Dynalist). The file you scanned was not, which makes me wonder where you got what you uploaded to VirusTotal. Nor did I notice any suspicious network traffic on my scan. Looking at yours, I’m seeing traffic going to Microsoft on Port 80 and 443. It’s common HTTP and HTTPS.

No, it is from Obsidian, and it is from the official release. You can click my link and see that the file I mentioned is signed by Dynalist Inc; you can cross-check the hashes. You might be looking at a different platform release, I guess? The one I mentioned was for Windows.

The plugin we are discussing is made by an NSIS user, which is trusted, but I don’t know why those unnecessary connections were made, even if they are to Microsoft.

Here are my thoughts:

I understand why Obsidian packed their software with NSIS plugins, as NSIS plugins are among the most trusted open source plugins used for packaging software.

The heuristic false positive can be understood because of the nature of the plugin: it is used while the installation process is happening and deletes itself as soon as the software is installed, which is similar to bundled malware that silently installs and deletes the installation file so the user does not find out about it. While it is a popular way for malware to hide, the method can also be used for a legitimate purpose, which in this case is deleting the UI element of the installer after its use is done, which makes sense: why would it stay there when you don’t need it? So it’s clear there

As for connecting to those external IPs, I will find out soon. Well, I hope I will, at least. My best guess is old leftover code for dependencies. The plugin has not been updated for a long time. So yeah.

Yeah, and it deletes itself after installation, so it is safe.

No problem, Obsidian should be safe.
The dll I mentioned probably has some old code for dependencies and a heuristic nature, so I think that explains the situation. Either way, it deletes itself as soon as Obsidian is installed.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.