Focus on Virus
Re: Malware database Jan 17 2011 02:25PM
Sandeep Cheema (51l3n7 live in) (3 replies)
That's odd. Seriously. I thought all securityfocus mailing lists are manually filtered. Strange I didn't receive that.

Regards, Sandeep
Sent from BlackBerry® on Airtel

-----Original Message-----
From: Jay Scalf <jayscalf (at) comcast (dot) net [email concealed]>
Date: Mon, 17 Jan 2011 14:08:50
To: <focus-virus (at) securityfocus (dot) com [email concealed]>
Subject: Re: Malware database

This is to notify all that I received a message regarding my supposed
request of Mastercard via this list. I do not have a Mastercard. Everyone
beware. If this happens again I will request to be removed from the list
even though everyone seems knowledgeable and I appreciate reading your
views.

On 1/14/2011 3:23 PM, David H. Lipman wrote:
> I agree with this assertion.
>
> Malware encyclopedias are NOT what they used to be 7~10 years ago.
>
> New variants of malware are created daily and often hourly.  So often that encyclopedias (libraries) just can't be
> kept up to date.
>
> At best we can talk about families such as MEBRoot, TDSS (TDL3, TDL4, etc), ZBot, Gromozon, FakeAV,
> FakeAlert, yada, yada.  And in that we can have generalities about how the malware conducts itself and what
> changes it makes to the OS.
>
> As for ThreatExpert.  It is just OK.  I use it but, I find that the data collected is often incomplete.  Especially in light
> of the AntiVM routines of much of the malware I see.  ANUBIS the same, and it can't handle .NET files.  COMODO
> is limited and supplies very little information.  The University of Mannheim's sandbox is very good but it is
> presently down and won't be back up until the third or fourth week of this month.  Stefan B. has an excellent system
> but it is underfunded and underpowered and I am afraid if I mention his system you will all use it and it will get
> overloaded and it'll take days to get reports returned.
>
> We return back to the original question about 'srvpool.exe'.
>
> Google is ONLY good to tell you if it is a known process.  However, any file can be named anything.  It isn't
> enough to know the name of the file but the fully qualified name and path to the file.
>
> We know SVCHOST.EXE is a legitimate process.
> Not if it is loaded from %appdata%.
>
> Malware deliberately hides itself in names of legitimate files or slight variations thereof.
> SVCHOST.EXE is the most prevalent of forged names, or variations are used like SCVHOST.EXE, or LSASS.EXE as
> Isass.exe.  Here we have 'srvpool.exe', which is a take on 'spoolsv.exe', the Print Spooler Service.  The problem is
> any file can be called anything and the libraries are just not able to keep up with all the new malware.
>
>
> Get me a sample of 'spoolsv.exe' and I'll get the 411 on this.  :-)
>
> Dave
>
>
>
>
> Date forwarded:        Fri, 14 Jan 2011 09:26:47 -0700 (MST)
> Date sent:             Fri, 14 Jan 2011 11:24:33 -0500 (EST)
> Forwarded by:          focus-virus-return-3806 (at) securityfocus (dot) com [email concealed]
> From:                  Jose Nazario<jose (at) monkey (dot) org [email concealed]>
> Subject:               Re: Malware database
> To:                    Huffen Doback<huffen.doback (at) gmail (dot) com [email concealed]>
> Copies to:             focus-virus (at) securityfocus (dot) com [email concealed],  focus-virus-return-3803 (at) securityfocus (dot) com [email concealed]
>
>> virus names used to be unique, but not so much any more.
>>
>> prevx, for example, lets you search by filename. plenty of sites have nice
>> writeups of "what is file foo.exe and what does it do?" for legitimate
>> files. prevx mostly handles malicious files, and their writeups are vague
>> or misleading at best in that database.
>>
>> as for fine grained details sandbox reports are very useful.
>> threatexpert.com is one of the more comprehensive and searchable. if you
>> have a file hash (md5) that's the best way to get such details.
>>
>> virustotal.com is also a useful place to get pointers.
>>
>> i do not trust or respect most AV writeups, they're very inadequate or
>> just plain wrong.
>>
>> ________
>> jose nazario, ph.d.              http://monkey.org/~jose/
>>
>>
>> ---------------------------------------------------------------------------
>> This list is sponsored by: Black Hat
>>
>> Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier
>> technical event for ICT security experts. Featuring 30 hands-on training
>> courses and 90 Briefings presentations with lots of new content and new
>> tools.  Network with 4,000 delegates from 70 nations.  Visit product
>> displays by 30 top sponsors in a relaxed setting.
>>
>> http://www.blackhat.com
>> ---------------------------------------------------------------------------
>>
>
>
>
> --
>
>                                  Mr. David H. Lipman
>                                  DLipman (at) Verizon (dot) Net [email concealed]
>                               Yahoo IM:  david_h_lipman
>
>
>
>
>


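As an added example (not code from any of the posters in this thread), the following Python script applies the triage rules Dave and Jose describe above to a process listing: a known system name is only "ok" when it runs from its expected directory (svchost.exe from %appdata% is not), names that imitate a legitimate one (SCVHOST.EXE, Isass.exe, srvpool.exe) are flagged as look-alikes, and anything else is identified by hash rather than by name, since any file can be called anything. The table of legitimate names and directories, the confusable-character map, the look-alike heuristics and the sample process list are all assumptions constructed for this example, not an authoritative inventory of Windows binaries.

```python
import hashlib
import ntpath

# Assumed for this example: a few system names malware commonly borrows, and the
# directories they legitimately run from (lower-case, no trailing backslash).
LEGIT_DIRS = {
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "lsass.exe": (r"c:\windows\system32",),
    "spoolsv.exe": (r"c:\windows\system32",),
    "csrss.exe": (r"c:\windows\system32",),
    "explorer.exe": (r"c:\windows",),
}

# Characters that read alike in many fonts ("Isass" for "lsass", "svch0st" for "svchost").
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "|": "l"})


def canon(name):
    """Lower-case a file name and fold confusable characters so both sides compare alike."""
    return name.lower().translate(CONFUSABLES)


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped pair, e.g. scvhost
    return d[len(a)][len(b)]


def lookalike_of(name):
    """Return the legitimate name this file name imitates, or None (heuristic, assumed here)."""
    raw = name.lower()
    if raw in LEGIT_DIRS:
        return None  # the real name; the path check decides whether it is legitimate
    stem = canon(ntpath.splitext(raw)[0])
    for legit in LEGIT_DIRS:
        lstem = canon(ntpath.splitext(legit)[0])
        # Same after folding confusables (Isass -> lsass), or one typo/transposition away.
        if stem == lstem or edit_distance(stem, lstem) <= 1:
            return legit
        # Shuffled spelling (srvpool -> spoolsv): same length and nearly the same letters.
        if len(stem) == len(lstem) and edit_distance("".join(sorted(stem)), "".join(sorted(lstem))) <= 1:
            return legit
    return None


def triage(name, path):
    """Classify one process image by name AND fully qualified path; returns (verdict, detail)."""
    raw = name.lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    if raw in LEGIT_DIRS:
        if directory in LEGIT_DIRS[raw]:
            return ("ok", "known system binary in its expected directory")
        return ("masquerade", f"{name} must not run from {directory}")
    target = lookalike_of(name)
    if target:
        return ("lookalike", f"{name} imitates {target}")
    return ("unknown", "not a tracked name; identify by hash, not by name")


def lookup_hashes(data):
    """Hashes to search a sandbox or multi-scanner by (MD5 for older databases, SHA-256 today)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


# Constructed sample process listing (name, full path) for this example.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\Users\bob\AppData\Roaming\svchost.exe"),
    ("scvhost.exe", r"C:\Windows\Temp\scvhost.exe"),
    ("Isass.exe", r"C:\Windows\System32\Isass.exe"),
    ("srvpool.exe", r"C:\ProgramData\srvpool.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]


def triage_all(processes=SAMPLE_PROCESSES):
    """Run triage over a listing; returns [(name, path, verdict, detail), ...]."""
    return [(name, path) + triage(name, path) for name, path in processes]


if __name__ == "__main__":
    for name, path, verdict, detail in triage_all():
        print(f"{verdict:10} {path}  ({detail})")
```

The look-alike rules are deliberately loose (one edit, one swapped pair, or a near-anagram of the same length) and will produce false positives on a real system; treat a hit as a reason to pull the file and hash it, not as a verdict. For the "unknown" bucket, feed the bytes to lookup_hashes and search the sandbox or multi-scanner by the hash, which is what Jose recommends over searching by name.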
Re: Malware database Mar 01 2011 06:43AM
wt521125 (wt521125 yahoo com cn)
RE: Malware database Jan 17 2011 02:58PM
Graham Scrowther (g scrowther kew org)
Re: Malware database Jan 17 2011 02:39PM
Jay Scalf (jayscalf comcast net)
Copyright 2010, SecurityFocus