
This is weird, so I am trying to compile this code:

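```c
#include <stdio.h>
#include <stdlib.h>

/* Length-prefixed sequence stored in a C99 flexible array member. */
typedef struct {
  int sz;
  unsigned char sequence[];
} morsechar;

int main(void) {

  /* Allocate the header plus room for 5 sequence elements. */
  morsechar *mc = malloc(sizeof *mc + 5 * (sizeof *mc->sequence));

  mc->sz = 5;

  /* Fill the sequence with 0..4. */
  for(size_t i = 0; i < 5; i++) {
    mc->sequence[i] = i;
  }

  /* Print each element on its own line. */
  for(size_t i = 0; i < mc->sz; i++) {
    printf("%d\n", mc->sequence[i]);
  }

  free(mc);
}
/*
Output:
0
1
2
3
4
*/
```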

And compiled it with

```
gcc -o test.exe -Os test.c
```

so nothing fancy except for size optimization. Malwarebytes instantly quarantined it, and out of curiosity I uploaded it to VirusTotal and it's messy.

LINK: https://www.virustotal.com/gui/file/2c335bf32ac2562fbe965055c83f30f1d19e732676f980a0e0824da0a405936e/details

But anyway, before I was API throttled, it said under the Relations tab that it was contacting 23.216.147.64, which is apparently owned by Akamai, and in addition, the VirusTotal report mentioned Cobalt Strike, which came up while searching the Akamai IP. Are my gcc and/or my std libraries compromised? Are all the new AI-powered virus scanners overreacting? Anyone know what's up?

Peaser
  • Akamai is a CDN service that's used by many large web sites to host their servers. – Barmar Sep 22 '22 at 20:43
  • A few months ago I got a spurious rate limit like that from explainxkcd.com. – Barmar Sep 22 '22 at 20:45
  • @Barmar Is that Akamai contact VirusTotal's fault? There's no networking at all in my source code. – Peaser Sep 22 '22 at 20:47
  • Akamai is probably hosting virustotal. – Barmar Sep 22 '22 at 20:49
  • Hmm, I did a lookup of `www.virustotal.com`, it's an alias to an address at `googlehosted.com`. I'm not sure how Akamai is involved. – Barmar Sep 22 '22 at 20:51
  • @Barmar Here's the link: https://www.virustotal.com/gui/file/2c335bf32ac2562fbe965055c83f30f1d19e732676f980a0e0824da0a405936e/details Check the relations tab, it says the file itself contacted the ip. – Peaser Sep 22 '22 at 20:53
  • See [this](https://learn.microsoft.com/en-us/answers/questions/832664/c-app-flagged-in-virus-total-34contacted-ip-addres.html) – Barmar Sep 22 '22 at 21:01
  • It is unlikely _your_ code is triggering the virus scanner. Chances are someone, somewhere, wrote a virus using your exact same GCC setup, and, as virus detection people do, they casually added a checksum for non-virus parts of the program, so now _all_ programs compiled with that toolchain are incorrectly marked as suspect. (This is a common problem for Delphi5 programmers.) The correct thing to do is contact them to get your program removed from their positives list. – Dúthomhas Sep 22 '22 at 21:09
  • @Dúthomhas That makes sense, which sucks since gcc is so ubiquitous. Thanks – Peaser Sep 22 '22 at 22:02
  • For us to reproduce, please [edit] your question and provide the exact version of your compiler and OS. -- It is _unlikely_, but not impossible, that your installation is compromised. Such cases are known, I remember one time on MacOS. Personally, I never experienced this in 35+ years of software development. With the mentionable exception of TCC executables, when they were packed with UPX, which triggered the malware scanner. It was the packer, not the compiler system. – the busybee Sep 23 '22 at 08:22
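
Added example (not from the question or any commenter): one way to check the "no networking in my source code" point on the compiled file itself is to list the DLLs named in its PE import table. `build_sample` and the DLL names passed to it are constructed stand-ins for `test.exe`, and the `NETWORK_DLLS` set is an assumed, non-exhaustive list.

```python
import struct

NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll"}  # assumed, not exhaustive

def imported_dlls(pe: bytes) -> list:
    """Return the DLL names listed in a PE file's import directory."""
    nt, = struct.unpack_from("<I", pe, 0x3C)                  # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)  # COFF header fields
    opt = nt + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)              # PE32+ or PE32
    imp_rva, = struct.unpack_from("<I", pe, dirs + 8)         # data directory 1
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
            for i in range(nsec)]                             # vsize, va, rsize, raw
    def off(rva):                                             # RVA -> file offset
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA outside every section")
    names, d = [], (off(imp_rva) if imp_rva else None)
    while d is not None:
        name_rva, = struct.unpack_from("<I", pe, d + 12)      # descriptor Name field
        if name_rva == 0:                                     # all-zero terminator
            break
        s = off(name_rva)
        names.append(pe[s:pe.index(b"\0", s)].decode("ascii"))
        d += 20
    return names

def network_imports(pe: bytes) -> list:
    # Empty means no static networking imports; run-time LoadLibrary is not covered.
    return [n for n in imported_dlls(pe) if n.lower() in NETWORK_DLLS]

def build_sample(dlls) -> bytes:
    """Constructed minimal PE32+ image holding only an import directory."""
    va, raw, table = 0x1000, 0x200, 20 * (len(dlls) + 1)
    descs = strings = b""
    for dll in dlls:
        descs += struct.pack("<5I", 0, 0, 0, va + table + len(strings), 0)
        strings += dll.encode() + b"\0"
    data = descs + bytes(20) + strings
    head = (b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
            + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
            + struct.pack("<H118xII112x", 0x20B, va, table)
            + b".idata\0\0" + struct.pack("<8I", len(data), va, len(data), raw, 0, 0, 0, 0))
    return head.ljust(raw, b"\0") + data
```

To run it on a real build, pass `open("test.exe", "rb").read()` to `network_imports`.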
