Mail: Is X1 Really A Rat?
A reader wrote the following about X1, a search and indexing program which I reviewed recently:
I read your article, liked what I heard, and installed the product. It is as good as you described. However, I had reason to run PestPatrol, due to some weird behavior against my ZoneAlarm Pro firewall. The run of PestPatrol identified a program named UPX.exe (in the X1 install directory) as a RAT (remote administration tool) or a Trojan in other words. Their description was: “provides an attacker with the capability of remotely controlling a machine via a ‘client’ in the attacker’s machine and a ‘server’ in the victim’s machine.”
I queried their help site (email came back from idealab.com) and the QA person indicated the program was used to unpack the installer file. He/she also indicated they were aware that Pest Patrol identifies it as a rat. The email finished with “But I don’t think that is what is making your system feel under the weather.”
No comment about whether it is a rat, just that they knew PestPatrol called it one. I still don’t know if my system behavior was due to X1, but thought their tech support would have strongly denied it if it was not a rat.
Here’s the response from X1 chief Mark Goodstein:
UPX is a benign wrapper program, just like a self-extracting zip file, and we use it to install X1. We will probably move away from it because of this problem, though… It just happens that some virus writers use UPX to wrap their illicit programs. Pest Patrol deals with this by classifying anything that uses it as a possible virus carrier (a RAT or Trojan in their terminology). That’s a bit careless on their part — what they ought to be doing is automatically uncompressing the UPX files and running their virus checker on what’s inside. Then they could give an accurate diagnosis and unclassify the 99.9% of UPX-using programs as trojans.
In simple terms — X1 is NOT a virus, and Pest Patrol knows this, as it’s easy to determine by simply un-UPXing our exe. Even if Pest Patrol doesn’t want to add the proper feature to their product, at least they ought to mark X1 as a non-RAT after they examine it, to put it in a safe category even though it uses UPX.
There you go… I hope that’s clear enough.