Neovim tee.exe binary dependency exhibiting illegitimate / unauthorized behavior (github.com/neovim)
94 points by patadune on Feb 14, 2025 | hide | past | favorite | 12 comments


I forced a refresh of the VirusTotal results. It is only being flagged by a single engine: MaxSecure, an Indian anti-virus vendor that has gone out of business.

https://www.virustotal.com/gui/file/950eea4e17fa3a7e89fa2c55...


Probably Windows checking certificate revocation on a signed binary (or linked library).


Yeah, I'm inclined to agree. The binaries were probably built by mingw and I've seen "hello world" get flagged by virus total when built by mingw.

If it is the binary itself making those calls (and not the OS), then anyone with a little bit of reverse engineering experience should be able to prove it and post the assembly.

Edit: I was wrong about the build toolchain, they were built by visual studio, see comment below.


The VirusTotal report shows the output from DetectItEasy in "Details" -> "Basic properties": DetectItEasy PE64 Compiler: Microsoft Visual C/C++ (19.14.26715) [C++] Linker: Microsoft Linker (14.00.24241) Tool: Visual Studio (2015)

This is not meant to imply anything about whether the binary is malicious or not.


[flagged]


> It is absolutely not that. To suggest this, considering the evidence posted, goes beyond idiocy into potential maliciousness

The scary IPs are part of DigiCert's CDN for OCSP responder (probably depending where you are and their anycast):

https://github.com/hoshsadiq/adblock-nocoin-list/issues/452

The "evidence" is the system made some network calls and DNS lookups. Which you know, you would do when validating a certificate. He also lists some SMB calls to the localnet which are clearly unrelated. tee.c source contains no network code so this would be truly easy to audit. So tell me again what is the damning evidence?

Also, are we to believe malware gangs are hosting on Akamai now? They must be in the major leagues.

And you call me an idiot?

Have a nice day.


Thanks for your research.

Random googling shows lots of people have similar questions, and most of the time the thread just dies out without an answer.

phicdn.net being a privacy-protected domain from GoDaddy sure makes the case more suspicious.

DigiCert (or whoever the owner of phicdn is) could have saved us lots of time by just publishing that information on their website.


The potentially malicious IP is owned by Akamai. Not sure why tee would want to talk out.

https://www.whois.com/whois/23.216.147.64


It's not.

This is almost certainly Windows performing certificate validation.

The "evidence" was just copy-pasted from VirusTotal. In fact he forgot to copy from below the cut, which would have shown it also called out to www.microsoft.com - depending who you ask, definitely a malicious address!

VirusTotal just notes all network traffic during the time the binary executed in the sandbox. It doesn't mean it emanated from the binary.
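Since a sandbox report attributes nothing, the complementary check is to ask the binary itself. The following is an added example, not code from the thread, from Neovim or from VirusTotal: it walks a PE's import directory and flags the DLLs that would let the executable open sockets or speak HTTP, which is the first thing a reviewer would look at before opening a disassembler. `NETWORK_DLLS` and `build_sample_pe` (which fabricates a tiny PE32+ image for demonstration) are my own assumptions; the parser reads the standard PE layout.

```python
import struct

# DLLs whose presence in the import table means the binary itself can do networking (assumed list).
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll", "dnsapi.dll"}

def imported_dlls(pe: bytes) -> list[str]:
    """Walk the PE import directory and return the lower-cased DLL names it references."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (bad MZ/PE signature)")
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24                                    # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (0x60 if magic == 0x10B else 0x70)      # data directories: PE32 vs PE32+
    imp_rva = struct.unpack_from("<I", pe, dd_off + 8)[0]  # directory entry 1 = import table
    # Section table entries: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8) for i in range(num_sections)]

    def rva_to_offset(rva: int) -> int:
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    if imp_rva == 0:
        return []                                          # no import directory at all
    off, dlls = rva_to_offset(imp_rva), []
    while True:                                            # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; Name is field 4
        name_rva = struct.unpack_from("<IIIII", pe, off)[3]
        if name_rva == 0:
            break                                          # all-zero terminator descriptor
        name_off = rva_to_offset(name_rva)
        dlls.append(pe[name_off:pe.index(b"\0", name_off)].decode("ascii", "replace").lower())
        off += 20
    return dlls

def network_imports(pe: bytes) -> list[str]:
    """Static triage only: misses delay-load imports and LoadLibrary/GetProcAddress done at runtime."""
    return sorted(set(imported_dlls(pe)) & NETWORK_DLLS)

def build_sample_pe(dll_names: list[str]) -> bytes:
    """Constructed, minimal PE32+ image whose only content is an import table naming dll_names."""
    descs, names = b"", b""
    first_name_rva = 0x1000 + 20 * (len(dll_names) + 1)   # name strings follow the descriptor array
    for dll in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, first_name_rva + len(names), 0)
        names += dll.encode("ascii") + b"\0"
    descs += b"\0" * 20                                    # terminator descriptor
    opt = struct.pack("<H", 0x20B).ljust(0x70, b"\0") + struct.pack("<IIII", 0, 0, 0x1000, len(descs) + len(names))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sect = b".idata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    return headers + (descs + names).ljust(0x200, b"\0")
```

Run `network_imports(open("tee.exe", "rb").read())` on the real file; an empty list is consistent with the OCSP explanation in this thread, while a non-empty one is the point at which disassembly is worth the effort.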


Is tee.exe supposed to be the normal tee unix tool?


Yes, there is also a "cat" executable that is being looked at. In this case it is probably harmless, but I am not sure why they have no source for it. Someone suggested it came from gvim.

A proposal in the attached issue suggests just building it from OpenBSD sources, which is probably not the worst place to get source for tee.


This looks bad. I'm no expert though, there could be a plausible explanation here. But running it through some common tools, they all seem to return suspicious behavior.


Like what tools?



