Focus on Virus
Re: Malware database Jan 17 2011 02:39PM
Jay Scalf (jayscalf comcast net)
Yeap, me too. If someone can't slip by and take advantage of anything
they will anymore. As someone noted, these attacks happen hourly. The
days of it being a kid in his garage are gone - there is either a
financial or terrorist motive.

On 1/17/2011 8:25 AM, Sandeep Cheema wrote:
> That's odd. Seriously. I thought all securityfocus mailing lists are manually filtered. Strange I didn't receive that.
>
> Regards, Sandeep
> Sent from BlackBerry® on Airtel
>
> -----Original Message-----
> From: Jay Scalf<jayscalf (at) comcast (dot) net [email concealed]>
> Date: Mon, 17 Jan 2011 14:08:50
> To:<focus-virus (at) securityfocus (dot) com [email concealed]>
> Subject: Re: Malware database
>
> This is to notify all that I received a message regarding my supposed
> request of Mastercard via this list. I do not have a Mastercard. Everyone
> beware. If this happens again I will request to be removed from the list
> even though everyone seems knowledgeable and I appreciate reading your
> views.
>
> On 1/14/2011 3:23 PM, David H. Lipman wrote:
>> I agree with this assertion.
>>
>> Malware encyclopedias are NOT what they used to be 7~10 years ago.
>>
>> New variants of malware are created daily and often hourly. So often that encyclopedias (libraries) just can't be
>> kept up to date.
>>
>> At best we can talk about families such as MEBRoot, TDSS (TDL3, TDL4, etc), ZBot, Gromozon, FakeAV,
>> FakeAlert, yada, yada. And in that we can have generalities about how the malware conducts itself and what
>> changes it makes to the OS.
>>
>> As for ThreatExpert, it is just OK. I use it, but I find that the data collected is often incomplete, especially in light
>> of the AntiVM routines of much of the malware I see. ANUBIS is the same, and it can't handle .NET files. COMODO
>> is limited and supplies very little information. The University of Mannheim's sandbox is very good, but it is
>> presently down and won't be back up until the third or 4th week of this month. Stefan B. has an excellent system,
>> but it is underfunded and underpowered, and I am afraid if I mention his system you will all use it and it will get
>> overloaded and it'll take days to get reports returned.
>>
>> We return back to the original question about 'srvpool.exe'.
>>
>> Google is ONLY good to tell you if it is a known process. However, any file can be named anything. It isn't
>> enough to know the name of the file but the fully qualified name and path to the file.
>>
>> We know SVCHOST.EXE is a legitimate process.
>> Not if it is loaded from %appdata%.
>>
>> Malware deliberately hides itself behind the names of legitimate files or slight variations thereof.
>> SVCHOST.EXE is the most prevalent of the forged names; variations like SCVHOST.EXE, or LSASS.EXE as
>> Isass.exe, are also used. Here we have 'srvpool.exe', which is a take on 'spoolsv.exe', the Print Spooler Service. The problem is
>> any file can be called anything, and the libraries are just not able to keep up with all the new malware.
>>
>>
>> Get me a sample of 'spoolsv.exe' and I'll get the 411 on this. :-)
>>
>> Dave
>>
>>
>>
>>
>> Date forwarded: Fri, 14 Jan 2011 09:26:47 -0700 (MST)
>> Date sent: Fri, 14 Jan 2011 11:24:33 -0500 (EST)
>> Forwarded by: focus-virus-return-3806 (at) securityfocus (dot) com [email concealed]
>> From: Jose Nazario<jose (at) monkey (dot) org [email concealed]>
>> Subject: Re: Malware database
>> To: Huffen Doback<huffen.doback (at) gmail (dot) com [email concealed]>
>> Copies to: focus-virus (at) securityfocus (dot) com [email concealed], focus-virus-return-3803 (at) securityfocus (dot) com [email concealed]
>>
>>> virus names used to be unique, but not so much any more.
>>>
>>> prevx, for example, lets you search by filename. plenty of sites have nice
>>> writeups of "what is file foo.exe and what does it do?" for legitimate
>>> files. prevx mostly handles malicious files, and their writeups are vague
>>> or misleading at best in that database.
>>>
>>> as for fine grained details sandbox reports are very useful.
>>> threatexpert.com is one of the more comprehensive and searchable. if you
>>> have a file hash (md5) that's the best way to get such details.
>>>
>>> virustotal.com is also a useful place to get pointers.
>>>
>>> i do not trust or respect most AV writeups, they're very inadequate or
>>> just plain wrong.
>>>
>>> ________
>>> jose nazario, ph.d. http://monkey.org/~jose/
>>>
>>>
>>> ---------------------------------------------------------------------------
>>> This list is sponsored by: Black Hat
>>>
>>> Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier
>>> technical event for ICT security experts. Featuring 30 hands-on training
>>> courses and 90 Briefings presentations with lots of new content and new
>>> tools. Network with 4,000 delegates from 70 nations. Visit product
>>> displays by 30 top sponsors in a relaxed setting.
>>>
>>> http://www.blackhat.com
>>> ---------------------------------------------------------------------------
>>>
>>
>>
>> --
>>
>> Mr. David H. Lipman
>> DLipman (at) Verizon (dot) Net [email concealed]
>> Yahoo IM: david_h_lipman
>>
>>
>>
>>
>>
>

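The point Dave makes in the quoted message, that a process name alone says nothing and that the fully qualified path plus lookalike spellings (SCVHOST.EXE, Isass.exe, srvpool.exe) are what matter, can be turned into a simple triage check. The following Python is an added example written for this archive page; it is not code from anyone in the thread. The allowlist of system binaries and their expected directories is constructed for illustration (a real deployment would maintain its own), and the confusable-character table and similarity threshold are assumptions chosen to catch the spellings named in the thread.

```python
"""Flag process image paths that impersonate Windows system binaries.

Two checks, both drawn from the thread's reasoning:
  1. A genuine system name (svchost.exe, lsass.exe, ...) loaded from a
     directory other than the expected one is suspicious.
  2. A name that is not a tracked system name but looks like one, either
     through visually confusable characters (Isass.exe) or through a
     near-miss spelling (scvhost.exe, srvpool.exe), is suspicious.
"""
from difflib import SequenceMatcher

# Constructed allowlist for this example: system binaries and the directories
# they are expected to load from (lower-case, backslash-separated).
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Assumed confusable map: characters that read alike in common fonts are
# folded to one canonical form, so "Isass.exe" and "lsass.exe" compare equal.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})

# Assumed threshold for the near-miss spelling check.
SIMILARITY_THRESHOLD = 0.8


def normalize(name):
    """Lower-case a file name and fold confusable characters."""
    return name.lower().translate(CONFUSABLES)


def classify(image_path):
    """Return (verdict, reason) for one process image path.

    verdict is one of "ok", "suspicious", "unknown".
    """
    path = image_path.replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    lname = name.lower()
    ldir = directory.lower()

    # Check 1: exact system name, so only the load path decides.
    if lname in EXPECTED_LOCATIONS:
        if ldir in EXPECTED_LOCATIONS[lname]:
            return ("ok", "known system binary in its expected directory")
        return ("suspicious", f"{name} loaded from unexpected directory {directory}")

    # Check 2: not a tracked name; look for lookalikes of tracked names.
    folded = normalize(lname)
    for legit in EXPECTED_LOCATIONS:
        if folded == normalize(legit):
            return ("suspicious", f"{name} is a confusable spelling of {legit}")
        ratio = SequenceMatcher(None, lname, legit).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return ("suspicious", f"{name} resembles {legit} (similarity {ratio:.2f})")
    return ("unknown", "not a tracked system name")


def triage(image_paths):
    """Return only the suspicious entries from a list of image paths."""
    return [(p, reason) for p in image_paths
            for verdict, reason in [classify(p)] if verdict == "suspicious"]


if __name__ == "__main__":
    # Constructed sample of process image paths, as a process listing might show them.
    SAMPLE = [
        r"C:\Windows\System32\svchost.exe",
        r"C:\Users\bob\AppData\Roaming\svchost.exe",
        r"C:\Windows\System32\Isass.exe",
        r"C:\Windows\Temp\scvhost.exe",
        r"C:\ProgramData\srvpool.exe",
        r"C:\Program Files\Foo\foo.exe",
    ]
    for path, reason in triage(SAMPLE):
        print(f"SUSPICIOUS  {path}\n            {reason}")
```

The confusable fold handles the capital-I-for-lowercase-l trick directly; the similarity ratio catches transpositions and one-letter edits such as scvhost/svchost and srvpool/spoolsv. Neither check replaces a hash lookup against a sandbox or VirusTotal, as the thread recommends; they only decide which files are worth submitting.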

Copyright 2010, SecurityFocus