[Geany-Users] geany-1.34_setup.exe security analysis

Enrico Tröger enrico.troeger at xxxxx
Sun Dec 16 23:23:12 UTC 2018


On 12/16/18 11:29 PM, Enrico Tröger wrote:
> Hi,
> 
> On 12/16/18 10:37 PM, dany111 at email.it wrote:
>> I don't want to sound paranoid but I've just scanned geany binaries with Hybrid Analysis.
>> I've got these results: https://www.hybrid-analysis.com/sample/109748fc6e6276462258ee104996fe29c9d826b4ea507857e7a2411b1614bd7d/5c1698807ca3e12dc155b5ad
>> In particular, could you explain to me why the installer connects to the Swiss IP Address 194.230.81.170?
> 
> Interesting.
> I do not yet have an explanation but am not panicking.
> The IP belongs to Akamai which is not per se anything bad but just a
> CDN. I'll try to get some more details.

I tested with my Windows system and the only network activity I saw was
a request to www.msftncsi.com/ncsi.txt which is Microsoft's network
connectivity check
(https://blog.superuser.com/2011/05/16/windows-7-network-awareness/).

While www.msftncsi.com actually resolves to an IP address of the Akamai
CDN IP range, it might be just accidental.

I would assume that Hybrid Analysis is smart enough to filter out
Windows' own connectivity check from the tests.

Furthermore, I grepped my whole Windows system used for the release
binaries for that IP address - without any matches.

If you are interested enough, it might help to contact Hybrid Analysis
for support and/or debug the installer yourself to get more information
than I gathered.

It might help to get some insights about how Geany for Windows is built.
The software used and the build instructions are documented in the wiki at
https://wiki.geany.org/howtos/win32/msys2.

Regards,
Enrico

-- 
Get my GPG key from http://www.uvena.de/pub.asc
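
The check discussed in this thread, deciding whether a sandbox-reported destination IP is explained by Windows' own connectivity probe, can be scripted over the DNS answers and HTTP requests of a capture. This is an added example, not part of the original message or of Geany's tooling; the function names and all sample records (documentation-range IPs, example.net/example.org names) are constructed, and www.msftconnecttest.com is the Windows 10 probe host, which the message does not mention.

```python
"""Attribute sandbox-reported destination IPs to the DNS names behind them."""
from collections import defaultdict

# Windows connectivity-check (NCSI) hosts and the path each one is probed with.
# www.msftncsi.com/ncsi.txt is the request named in the message above.
NCSI_PROBES = {
    "www.msftncsi.com": "/ncsi.txt",
    "www.msftconnecttest.com": "/connecttest.txt",
}

def build_ip_index(dns_answers):
    """Map each answered IP to the set of names that resolved to it."""
    index = defaultdict(set)
    for name, ips in dns_answers:
        for ip in ips:
            index[ip].add(name.lower().rstrip("."))
    return index

def triage(reported_ips, dns_answers, http_requests):
    """Return {ip: (verdict, evidence_names)} for every reported IP."""
    index = build_ip_index(dns_answers)
    result = {}
    for ip in reported_ips:
        names = index.get(ip, set())
        reqs = [(host.lower(), path) for dst, host, path in http_requests if dst == ip]
        if not names and not reqs:
            # Nothing in the capture accounts for this address.
            result[ip] = ("unexplained", [])
        elif (names and names <= set(NCSI_PROBES) and reqs
              and all(NCSI_PROBES.get(h) == p for h, p in reqs)):
            # Only NCSI names resolved here and only the probe path was fetched.
            result[ip] = ("os-connectivity-check", sorted(names))
        else:
            # A shared CDN address serves many names: the IP alone proves nothing.
            result[ip] = ("needs-review", sorted(names | {h for h, _ in reqs}))
    return result

# Constructed capture records: (name, [ips]) and (dst_ip, Host header, path).
SAMPLE_DNS = [("www.msftncsi.com", ["198.51.100.10"]),
              ("updates.example.net", ["203.0.113.7"])]
SAMPLE_HTTP = [("198.51.100.10", "www.msftncsi.com", "/ncsi.txt"),
               ("203.0.113.7", "updates.example.net", "/check")]
SAMPLE_REPORTED = ["198.51.100.10", "203.0.113.7", "192.0.2.99"]

if __name__ == "__main__":
    for ip, (verdict, names) in triage(SAMPLE_REPORTED, SAMPLE_DNS, SAMPLE_HTTP).items():
        print(ip, verdict, ", ".join(names) or "-")
```

An address is only written off as the connectivity check when the capture itself ties it to the probe name and path; belonging to a CDN range is not treated as evidence either way.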
