Focus on Virus
Malware database Jan 14 2011 03:18PM
Huffen Doback (huffen doback gmail com) (9 replies)
Re: Malware database Mar 01 2011 06:43AM
wt521125 (wt521125 yahoo com cn)
Re: Malware database Mar 01 2011 06:43AM
wt521125 (wt521125 yahoo com cn)
Re: Malware database Mar 01 2011 06:43AM
wt521125 (wt521125 yahoo com cn)
Re: Malware database Jan 14 2011 05:15PM
Jay Scalf (jayscalf comcast net)
Re: Malware database Jan 14 2011 05:08PM
Lorenzo Cavallaro (lorenzo cavallaro gmail com) (1 replies)
Re: Malware database Jan 14 2011 05:28PM
Huffen Doback (huffen doback gmail com)
Re: Malware database Jan 14 2011 05:00PM
Jason Iacono (jasonmiacono gmail com)
Re: Malware database Jan 14 2011 04:24PM
Jose Nazario (jose monkey org) (2 replies)
Re: Malware database Mar 01 2011 06:43AM
wt521125 (wt521125 yahoo com cn)
Re: Malware database Jan 14 2011 09:23PM
David H. Lipman (DLipman verizon net) (1 replies)
I agree with this assertion.

Malware encyclopedias are NOT what they used to be 7~10 years ago.

New variants of malware are created daily and often hourly. So often that encyclopedias (libraries) just can't be kept up to date.

At best we can talk about families such as MEBRoot, TDSS (TDL3, TDL4, etc), ZBot, Gromozon, FakeAV, FakeAlert, yada, yada. And in that we can have generalities about how the malware conducts itself and what changes it makes to the OS.

As for ThreatExpert. It is just OK. I use it but, I find that the data collected is often incomplete. Especially in light of the AntiVM routines of much of the malware I see. ANUBIS is the same and it can't handle .NET files. COMODO is limited and supplies very little information. The University of Mannheim's sandbox is very good but it is presently down and won't be back up until the third or fourth week of this month. Stefan B. has an excellent system but it is underfunded and underpowered and I am afraid if I mention his system you will all use it and it will get overloaded and it'll take days to get reports returned.

We return to the original question about 'srvpool.exe'.

Google is ONLY good to tell you if it is a known process. However, any file can be named anything. It isn't enough to know the name of the file; you need the fully qualified name and path to the file.

We know SVCHOST.EXE is a legitimate process.
Not if it is loaded from %appdata%.

Malware deliberately hides itself in names of legitimate files or slight variations thereof. SVCHOST.EXE is the most prevalent of forged names, or variations are used like SCVHOST.EXE, or LSASS.EXE as Isass.exe. Here we have 'srvpool.exe' which is a take on 'spoolsv.exe', the Print Spooler Service. The problem is any file can be called anything and the libraries are just not able to keep up with all the new malware.

Get me a sample of 'spoolsv.exe' and I'll get the 411 on this. :-)

Dave

Date forwarded: Fri, 14 Jan 2011 09:26:47 -0700 (MST)
Date sent: Fri, 14 Jan 2011 11:24:33 -0500 (EST)
Forwarded by: focus-virus-return-3806 (at) securityfocus (dot) com [email concealed]
From: Jose Nazario <jose (at) monkey (dot) org [email concealed]>
Subject: Re: Malware database
To: Huffen Doback <huffen.doback (at) gmail (dot) com [email concealed]>
Copies to: focus-virus (at) securityfocus (dot) com [email concealed], focus-virus-return-3803 (at) securityfocus (dot) com [email concealed]

> virus names used to be unique, but not so much any more.
>
> prevx, for example, lets you search by filename. plenty of sites have nice
> writeups of "what is file foo.exe and what does it do?" for legitimate
> files. prevx mostly handles malicious files, and their writeups are vague
> or misleading at best in that database.
>
> as for fine grained details sandbox reports are very useful.
> threatexpert.com is one of the more comprehensive and searchable. if you
> have a file hash (md5) that's the best way to get such details.
>
> virustotal.com is also a useful place to get pointers.
>
> i do not trust or respect most AV writeups, they're very inadequate or
> just plain wrong.
>
> ________
> jose nazario, ph.d. http://monkey.org/~jose/
>
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Black Hat
>
> Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier
> technical event for ICT security experts. Featuring 30 hands-on training
> courses and 90 Briefings presentations with lots of new content and new
> tools. Network with 4,000 delegates from 70 nations. Visit product
> displays by 30 top sponsors in a relaxed setting.
>
> http://www.blackhat.com
> ---------------------------------------------------------------------------
>

--

Mr. David H. Lipman
DLipman (at) Verizon (dot) Net [email concealed]
Yahoo IM: david_h_lipman

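As an added example (not part of Dave's reply or of anything posted on this list), here is the path-over-name check he describes, written in Python: a well-known system binary name only counts as "known good" when it is loaded from its expected directory, look-alike spellings such as SCVHOST.EXE and Isass.exe are flagged against the real name they imitate, and a name that matches nothing (srvpool.exe) is left to be identified by its hash rather than by a web search on the filename. The allowlist of binaries and directories, the look-alike character table and the sample process paths are all assumptions constructed for this example, not data from the thread.

```python
import hashlib
import ntpath
from dataclasses import dataclass

# Hypothetical allowlist (an assumption for this example, not from the thread):
# a few well-known Windows service binaries and the directories they are expected
# to be loaded from. A real deployment would derive this from a known-good image.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "lsass.exe": (r"c:\windows\system32",),
    "spoolsv.exe": (r"c:\windows\system32",),
    "explorer.exe": (r"c:\windows",),
}

# Characters routinely swapped because they look alike on screen; capital I for
# lowercase l is the "Isass.exe" trick mentioned in the thread.
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "0": "o"})


def normalise(filename):
    """Lowercase and fold look-alike characters so Isass.exe compares equal to lsass.exe."""
    return filename.lower().translate(HOMOGLYPHS)


# Normalised name -> (real name, expected directories)
NORMALISED_KNOWN = {normalise(k): (k, v) for k, v in KNOWN_SYSTEM_BINARIES.items()}


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition (scvhost)
    return d[len(a)][len(b)]


@dataclass
class Verdict:
    path: str
    status: str   # expected | wrong-path | lookalike | unknown
    related: str  # the legitimate name matched or resembled ("" if none)


def assess_process(path):
    """Classify one process image path; the full path, never the bare name, decides."""
    directory, filename = ntpath.split(path.lower())
    norm = normalise(filename)
    if norm in NORMALISED_KNOWN:
        real, expected_dirs = NORMALISED_KNOWN[norm]
        if filename != real:
            return Verdict(path, "lookalike", real)   # Isass.exe posing as lsass.exe
        if directory in expected_dirs:
            return Verdict(path, "expected", real)
        return Verdict(path, "wrong-path", real)      # svchost.exe under %appdata%
    stem = norm.rsplit(".", 1)[0]
    for real in KNOWN_SYSTEM_BINARIES:
        real_stem = normalise(real).rsplit(".", 1)[0]
        if osa_distance(stem, real_stem) <= 1:
            return Verdict(path, "lookalike", real)   # scvhost.exe, one swap away
    return Verdict(path, "unknown", "")                # srvpool.exe: go by hash, not name


def sample_hashes(data):
    """MD5 (what sandbox report searches key on) and SHA-256 of a sample's bytes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


# Constructed process list for the demonstration; these paths are made up.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\dave\AppData\Roaming\svchost.exe",
    r"C:\Windows\System32\scvhost.exe",
    r"C:\Windows\System32\Isass.exe",
    r"C:\Windows\System32\srvpool.exe",
    r"C:\Windows\System32\spoolsv.exe",
]


def triage(paths=SAMPLE_PROCESSES):
    return [assess_process(p) for p in paths]


if __name__ == "__main__":
    for v in triage():
        print(f"{v.status:10} {v.path}  ({v.related or 'no known match'})")
```

The edit-distance threshold is deliberately tight (one insert, delete, substitution or adjacent swap) so that short stems like lsass do not collide with unrelated names; the homoglyph fold handles the substitutions that edit distance alone would miss. Anything that comes back "unknown" is exactly the case the thread is about: the name tells you nothing, so the next step is the file's hash against a sandbox or multi-scanner report.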

Re: Malware database Jan 17 2011 02:08PM
Jay Scalf (jayscalf comcast net)
RE: Malware database Jan 14 2011 04:14PM
Richard High (RichardHigh imgva com)
RE: Malware database Jan 14 2011 04:12PM
PEREZ, ROBERT (RAPEREZ VENTURAFOODS COM)
Copyright 2010, SecurityFocus