this post was submitted on 19 Oct 2024
28 points (91.2% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54772 readers
414 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
 

Seems strange that the dev seems to be keeping quiet on this, no? I'm not telling you to read every comment of every post, you can just skim the post titles. Then you'll see multiple open issues and a few closed issues too going back 5 days to the latest BtS update.

Though I haven't followed this project long enough to tell if this is just the way they normally behave.

Edit:

I'm back at my computer, so it's easier to edit and add info now.

Some key points that have stuck out to me:

  • Previous version released in July only triggers 2 detections on Windows defender versus 29 for the most recent version: https://i.imgur.com/GIoH7eG.png

  • Users getting constantly pestered to update to the latest version: https://i.imgur.com/Oege3kU.png

  • Yeah, naturally, the dev is going to say it's a false positive. Obviously. I've only mentioned that the dev has previously responded because some people barely skimmed through the issues and thought the dev simply hadn't seen the latest open issue from only a few hours ago, when that is not the case.

all 16 comments
sorted by: hot top controversial new old
[–] [email protected] 18 points 1 month ago (1 children)

Seems strange that the dev seems to be keeping quiet on this, no?

the issue was just posted 7 hours ago. maybe they just haven't seen it yet.

someone in issue #573 asked if the dpapi file is really needed, and by looking at the manual installation instructions, yes, because that contains all the code.

the developer loads custom code into the spotify process by using such an "override" dll file. it works because spotify is voluntarily loading a dll with this name, and if there's such a file in the directory besides the .exe file, it'll take precedence over the original file installed in the system.
the trojan warning is probably triggered because this technique is often used by malware to change the behaviour of your programs, but as with most technologies, it has good uses too

[–] [email protected] 0 points 1 month ago (1 children)

the issue was just posted 7 hours ago. maybe they just haven't seen it yet.

There are multiple posts going back 5 days of people asking about it. Check closed issues too, the dev even responded to some of them by saying it's only a false positive.

[–] [email protected] 5 points 1 month ago

It's a dll injection. Of course it gets flagged as a virus, because technically it is. That doesn't mean that it is malicious.

Here is an example... On paper, reshade is a horrifically dangerous piece of software. It doesn't get flagged only because it is well known and virus scanners have an exception for it.

Any of these geniuses stopped to think that Spotify changing its code and altering the way that it interacts with the dll could result in more "detections"?

[–] [email protected] 3 points 1 month ago* (last edited 1 month ago)

I wouldn't download / update until this gets resolved. Or maybe look for alternatives, or compile/build it yourself. It doesn't necessarily mean it's the developers fault. Could be something else. But maybe don't download something that might contain a Trojan.

[–] [email protected] 3 points 1 month ago

Looks like the previous version only had two positive hits on VirusTotal, according to comments, whereas this newest version has 29.

Some said the previous version is still available. I don't really have skin in the game, so nobody should take my advice without doing your due diligence.

[–] [email protected] 2 points 1 month ago (1 children)

did you want to link #573 ? you only linked the issues list

[–] [email protected] 2 points 1 month ago

Nah I linked the issues page on purpose since there are multiple posts talking about it

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

So, the "[edit: ~~last~~] previous update" was built from ac41318, since then there were exactly 2 commits:

Both do not immediately look malicious. So, either the release is poisoned (in which case you can build it from source and see if still detected), or the repo was poisoned before, and the payload didn't activate until those changes, or AVs decided to crackdown on random shit running their code in other law-abiding processes' address space 🤣

[–] [email protected] 1 points 1 month ago

They could be away and not checking on things until they get back.

Or potentially their github account was taken over somehow.

[–] [email protected] 1 points 1 month ago

Seems strange that the dev seems to be keeping quiet on this, no?

Which one? The repo owner certainly doesn't seem very active in general.