Focus on Virus
Malware database Jan 14 2011 03:18PM
Huffen Doback (huffen doback gmail com) (9 replies)
Re: Malware database Mar 01 2011 06:43AM
wt521125 (wt521125 yahoo com cn)
Re: Malware database Jan 14 2011 05:15PM
Jay Scalf (jayscalf comcast net)
Re: Malware database Jan 14 2011 05:08PM
Lorenzo Cavallaro (lorenzo cavallaro gmail com) (1 replies)
Re: Malware database Jan 14 2011 05:28PM
Huffen Doback (huffen doback gmail com)
Re: Malware database Jan 14 2011 05:00PM
Jason Iacono (jasonmiacono gmail com)
Re: Malware database Jan 14 2011 04:24PM
Jose Nazario (jose monkey org) (2 replies)
Re: Malware database Mar 01 2011 06:43AM
wt521125 (wt521125 yahoo com cn)
Re: Malware database Jan 14 2011 09:23PM
David H. Lipman (DLipman verizon net) (1 replies)
Re: Malware database Jan 17 2011 02:08PM
Jay Scalf (jayscalf comcast net)
This is to notify all that I received a message regarding my supposed
request of Mastercard via this list. I do not have a Mastercard. Everyone
beware. If this happens again I will request to be removed from the list
even though everyone seems knowledgeable and I appreciate reading your
views.

On 1/14/2011 3:23 PM, David H. Lipman wrote:
> I agree with this assertion.
>
> Malware encyclopedias are NOT what they used to be 7~10 years ago.
>
> New variants of malware are created daily and often hourly. So often that encyclopedias (libraries) just can't be
> kept up to date.
>
> At best we can talk about families such as MEBRoot, TDSS (TDL3, TDL4, etc), ZBot, Gromozon, FakeAV,
> FakeAlert, yada, yada. And in that we can have generalities about how the malware conducts itself and what
> changes it makes to the OS.
>
> As for ThreatExpert. It is just OK. I use it but, I find that data collected is often incomplete. Especially in light
> of the AntiVM routines of much of the malware I see. ANUBIS the same and it can't handle .NET files. COMODO
> is limited and supplies very little information. The University of Mannheim's sandbox is very good but it is
> presently down and won't be back up until the third or 4th week of this month. Stefan B. has an excellent system
> but it is underfunded and underpowered and I am afraid if I mention his system you will all use it and it will get
> overloaded and it'll take days to get reports returned.
>
> We return back to the original question about 'srvpool.exe'.
>
> Google is ONLY good to tell you if it is a known process. However, any file can be named anything. It isn't
> enough to know the name of the file; you need the fully qualified name and path to the file.
>
> We know SVCHOST.EXE is a legitimate process.
> Not if it is loaded from %appdata%.
>
> Malware deliberately hides itself in names of legitimate files or slight variations thereof.
> SVCHOST.EXE is the most prevalent of forged names, or variations are used like SCVHOST.EXE or LSASS.EXE as
> Isass.exe. Here we have 'srvpool.exe' which is a take on 'spoolsv.exe' the Print Spooler Service. The problem is
> any file can be called anything and the libraries are just not able to keep up with all the new malware.
>
>
> Get me a sample of 'spoolsv.exe' and I'll get the 411 on this. :-)
>
> Dave
>
>
>
>
> Date forwarded: Fri, 14 Jan 2011 09:26:47 -0700 (MST)
> Date sent: Fri, 14 Jan 2011 11:24:33 -0500 (EST)
> Forwarded by: focus-virus-return-3806 (at) securityfocus (dot) com [email concealed]
> From: Jose Nazario<jose (at) monkey (dot) org [email concealed]>
> Subject: Re: Malware database
> To: Huffen Doback<huffen.doback (at) gmail (dot) com [email concealed]>
> Copies to: focus-virus (at) securityfocus (dot) com [email concealed], focus-virus-return-3803 (at) securityfocus (dot) com [email concealed]
>
>> virus names used to be unique, but not so much any more.
>>
>> prevx, for example, lets you search by filename. plenty of sites have nice
>> writeups of "what is file foo.exe and what does it do?" for legitimate
>> files. prevx mostly handles malicious files, and their writeups are vague
>> or misleading at best in that database.
>>
>> as for fine grained details sandbox reports are very useful.
>> threatexpert.com is one of the more comprehensive and searchable. if you
>> have a file hash (md5) that's the best way to get such details.
>>
>> virustotal.com is also a useful place to get pointers.
>>
>> i do not trust or respect most AV writeups, they're very inadequate or
>> just plain wrong.
>>
>> ________
>> jose nazario, ph.d. http://monkey.org/~jose/
>>
>>
>> ---------------------------------------------------------------------------
>> This list is sponsored by: Black Hat
>>
>> Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier
>> technical event for ICT security experts. Featuring 30 hands-on training
>> courses and 90 Briefings presentations with lots of new content and new
>> tools. Network with 4,000 delegates from 70 nations. Visit product
>> displays by 30 top sponsors in a relaxed setting.
>>
>> http://www.blackhat.com
>> ---------------------------------------------------------------------------
>>
>
>
>
> --
>
> Mr. David H. Lipman
> DLipman (at) Verizon (dot) Net [email concealed]
> Yahoo IM: david_h_lipman
>
>
>
>
>


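The two checks Dave describes above (judge a binary by the full path it runs from, not by its name, and watch for names that imitate system binaries such as SCVHOST.EXE or Isass.exe) and Jose's advice to look a sample up by hash, as an added example that is not code from any of the posts. The process listing, the stand-in file bytes and therefore the hashes are constructed for the example; the table of system binaries and their expected directories is an assumption you would extend for your own build. It is written as portable Python so it runs anywhere; on a live Windows host the same records come from Get-CimInstance Win32_Process (Name, ExecutablePath) and the bytes from the image files.

```python
"""Triage a Windows process listing by full path and by lookalike name."""
import hashlib
import os

# Where each well-known Windows binary legitimately lives (lowercase, forward
# slashes). Assumed table for the example: it must list every system binary you
# expect on the box, because a legitimate name missing here is treated as an
# unknown name and may be reported as a lookalike of a listed one.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": {"c:/windows/system32", "c:/windows/syswow64"},
    "lsass.exe": {"c:/windows/system32"},
    "csrss.exe": {"c:/windows/system32"},
    "smss.exe": {"c:/windows/system32"},
    "spoolsv.exe": {"c:/windows/system32"},
    "explorer.exe": {"c:/windows"},
}

# A binary started from a user-writable location is suspect whatever it is called.
USER_WRITABLE_PREFIXES = ("c:/users/", "c:/documents and settings/",
                          "c:/programdata/", "c:/windows/temp/")

# Characters that pass for one another in common UI fonts, so 'Isass.exe'
# (capital i) reads as 'lsass.exe'. Applied after lowercasing.
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def _osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters each cost one, so 'scvhost' is one edit from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name, max_edits=2):
    """Return the system binary that `name` imitates, or None. An exact
    (case-insensitive) system name returns None: those are judged by path in
    triage(). Otherwise the homoglyph-normalised stem is compared with every
    known stem and the closest one within `max_edits` wins."""
    lowered = name.lower()
    if lowered in KNOWN_SYSTEM_BINARIES:
        return None
    stem, ext = os.path.splitext(lowered.translate(HOMOGLYPHS))
    best = None
    for legit in KNOWN_SYSTEM_BINARIES:
        lstem, lext = os.path.splitext(legit)
        if ext != lext:
            continue
        dist = _osa_distance(stem, lstem)
        if dist <= max_edits and (best is None or dist < best[0]):
            best = (dist, legit)
    return best[1] if best else None


def triage(name, path, content):
    """Classify one process. `content` is the image's bytes, hashed so the record
    carries what a sandbox or VirusTotal lookup wants (MD5 for the older
    services named in the thread, SHA-256 for current ones)."""
    p = path.replace("\\", "/").lower()
    directory = os.path.dirname(p)
    findings = []
    if name.lower() in KNOWN_SYSTEM_BINARIES:
        if directory not in KNOWN_SYSTEM_BINARIES[name.lower()]:
            findings.append(f"system binary name outside its normal location: {directory}")
    else:
        legit = lookalike_of(name)
        if legit:
            findings.append(f"name resembles {legit}")
    if p.startswith(USER_WRITABLE_PREFIXES):
        findings.append("runs from a user-writable location")
    return {"name": name, "path": path,
            "md5": hashlib.md5(content).hexdigest(),
            "sha256": hashlib.sha256(content).hexdigest(),
            "verdict": "suspect" if findings else "ok",
            "findings": findings}


# Constructed listing: name, full path, stand-in bytes (real input is the PE image).
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", b"stand-in: real svchost"),
    ("svchost.exe", r"C:\Users\bob\AppData\Roaming\svchost.exe", b"stand-in: dropper 1"),
    ("scvhost.exe", r"C:\Windows\System32\scvhost.exe", b"stand-in: dropper 2"),
    ("Isass.exe", r"C:\Windows\System32\Isass.exe", b"stand-in: dropper 3"),
    ("srvpool.exe", r"C:\Users\bob\AppData\Local\Temp\srvpool.exe", b"stand-in: dropper 4"),
    ("spoolsv.exe", r"C:\Windows\System32\spoolsv.exe", b"stand-in: real spooler"),
]


def triage_all(processes=SAMPLE_PROCESSES):
    return [triage(n, p, c) for n, p, c in processes]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['verdict']:7} {r['name']:12} {r['path']}")
        for f in r["findings"]:
            print(f"        - {f}")
        print(f"        sha256={r['sha256']}")
```

Note what the character-level check does and does not catch: scvhost.exe (transposition) and Isass.exe (homoglyph) are reported as lookalikes, but srvpool.exe is a play on the meaning of spoolsv.exe rather than its spelling and is not within two edits of any listed name. It is still reported, because it runs from %appdata%, which is the point of the path check: a name tells you nothing until you know where the file lives, and once you have the file, its hash is what you search the sandboxes for.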
RE: Malware database Jan 14 2011 04:14PM
Richard High (RichardHigh imgva com)
RE: Malware database Jan 14 2011 04:12PM
PEREZ, ROBERT (RAPEREZ VENTURAFOODS COM)

Copyright 2010, SecurityFocus