Focus on Virus
Re: Malware database Mar 01 2011 06:43AM
wt521125 (wt521125 yahoo com cn)
I wasn't implying to use VirusTotal as a testing solution, but merely
suggesting it to gather information on the suspected malware.

Alternatively, the information you just provided about virustotal is
in fact interesting and I will read your blog for further information.
I looked a little further back at others' posts and found
trendmicro DB, threatexpert.com.

Thanks for the heads up.

-
A

On Mon, Jan 17, 2011 at 12:38 PM, Jay Scalf <jayscalf (at) comcast (dot) net [email concealed]> wrote:
> From VirusTotal Website:
>
> "Why using VirusTotal for antivirus testing is a bad idea?
>
> Hispasec is rather tired of repeating that VirusTotal was not designed as
> a tool to perform AV comparative analyses, but as a tool that checks
> suspicious samples with several AV programs and helps AV labs by
> forwarding them the malware they failed to detect. Those who use
> VirusTotal to perform AV comparative analyses should know that they are
> making many implicit errors in the methodology, the most obvious being:
>
> VirusTotal AV engines are commandline versions, so depending on the
> product, they will not behave exactly the same as the desktop versions:
> for instance, desktop solutions may use techniques based on behavioral
> analysis and count with personal firewalls that may decrease entry points
> and mitigate propagation, etc.
> In VirusTotal desktop-oriented solutions coexist with perimeter-oriented
> solutions; heuristics in this latter group may be more aggressive and
> paranoid, since the impact of false positives is less visible in the
> perimeter. It is simply not fair to compare both groups.
>
> These are just two examples illustrating why using VirusTotal for
> antivirus testing is a bad idea, you can read more about this issue in
> our blog. The Prevx team also made an entry in its blog discussing the
> matter."
>
> Jay
>
>
> On 1/17/2011 10:35 AM, Adrian J Milanoski wrote:
>
> Take a look at www.virustotal.com you can search hashes, names, etc...
>
>
> -
> A
>
> On Mon, Jan 17, 2011 at 11:09 AM, Jay Scalf <jayscalf (at) comcast (dot) net [email concealed]> wrote:
>
> This is what I am getting:
>
> Your request for support has been received. Your service request reference
> number is contained in this email. Please note that email should not be
> used for urgent requests. For issues requiring immediate attention, please
> contact the Information Security HelpDesk at x26122 to speak with a
> representative.
>
> Please retain this notification until such time as your request is
> resolved.  Inquiries about this message should include the SRQ# in the
> subject so all activities and efforts will be tracked and recorded within
> the ticket.
>
> Service Request Reference Number: SRQ506868
> Date Opened: 2011-01-17 08:51:39
> Service Request Description:
> Re: Malware database
>
> Thank you.
>
>
>
>
>
> On 1/17/2011 9:24 AM, Martin, Kelly J. wrote:
>
> How do I get off this list?
>
> Sent from my iPhone
>
> On Jan 17, 2011, at 10:24 AM, "Graham Scrowther"<g.scrowther (at) kew (dot) org [email concealed]>
>  wrote:
>
> I didn't get anything either.
>
> Could you please post the message you got?
>
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On Behalf Of Sandeep Cheema
> Sent: 17 January 2011 14:25
> To: Jay Scalf ; focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: Re: Malware database
>
> That's odd. Seriously. I thought all securityfocus mailing lists are
> manually filtered. Strange I didn't receive that.
>
> Regards, Sandeep
> Sent from BlackBerry® on Airtel
>
> -----Original Message-----
> From: Jay Scalf<jayscalf (at) comcast (dot) net [email concealed]>
> Date: Mon, 17 Jan 2011 14:08:50
> To:<focus-virus (at) securityfocus (dot) com [email concealed]>
> Subject: Re: Malware database
>
> This is to notify all that I received a message regarding my supposed
> request of Mastercard via this list. I do not have a Mastercard. Everyone
> beware. If this happens again I will request to be removed from the list
> even though everyone seems knowledgeable and I appreciate reading your
> views.
>
> On 1/14/2011 3:23 PM, David H. Lipman wrote:
>
> I agree with this assertion.
>
> Malware encyclopedias are NOT what they used to be 7~10 years ago.
>
> New variants of malware are created daily and often hourly.  So often
> that encyclopedias (libraries) just can't be kept up to date.
>
> At best we can talk about families such as MEBRoot, TDSS (TDL3, TDL4,
> etc), ZBot, Gromozon, FakeAV, FakeAlert, yada, yada.  And in that we can
> have generalities about how the malware conducts itself and what changes
> it makes to the OS.
>
> As for ThreatExpert.  It is just OK.  I use it but, I find that data
> collected is often incomplete.  Especially in light of the AntiVM
> routines of much of the malware I see.  ANUBIS the same and it can't
> handle .NET files.  COMODO is limited and supplies very little
> information.  The University of Mannheim's sandbox is very good but it is
> presently down and won't be back up until the third or 4th week of this
> month.  Stefan B. has an excellent system but it is underfunded and
> underpowered and I am afraid if I mention his system you will all use it
> and it will get overloaded and it'll take days to get reports returned.
>
> We return back to the original question about 'srvpool.exe'.
>
> Google is ONLY good to tell you if it is a known process.  However, any
> file can be named anything.  It isn't enough to know the name of the
> file but the fully qualified name and path to the file.
>
> We know SVCHOST.EXE is a legitimate process.
> Not if it is loaded from %appdata%.
>
> Malware deliberately hides itself in names of legitimate files or slight
> variation thereof.
> SVCHOST.EXE is the most prevalent of names forged or use variations like
> SCVHOST.EXE or LSASS.EXE as Isass.exe.  Here we have 'srvpool.exe' which
> is a take on 'spoolsv.exe' the Print Spooler Service.  The problem is
> any file can be called anything and the libraries are just not able to
> keep up with all the new malware.
>
>
> Get me a sample of 'spoolsv.exe' and I'll get the 411 on this.  :-)
>
> Dave
>
>
>
>
> Date forwarded:        Fri, 14 Jan 2011 09:26:47 -0700 (MST)
> Date sent:             Fri, 14 Jan 2011 11:24:33 -0500 (EST)
> Forwarded by:          focus-virus-return-3806 (at) securityfocus (dot) com [email concealed]
> From:                  Jose Nazario<jose (at) monkey (dot) org [email concealed]>
> Subject:               Re: Malware database
> To:                    Huffen Doback<huffen.doback (at) gmail (dot) com [email concealed]>
> Copies to:             focus-virus (at) securityfocus (dot) com [email concealed],
>  focus-virus-return-3803 (at) securityfocus (dot) com [email concealed]
>
> virus names used to be unique, but not so much any more.
>
> prevx, for example, lets you search by filename. plenty of sites have
> nice writeups of "what is file foo.exe and what does it do?" for
> legitimate files. prevx mostly handles malicious files, and their
> writeups are vague or misleading at best in that database.
>
> as for fine grained details sandbox reports are very useful.
> threatexpert.com is one of the more comprehensive and searchable. if you
> have a file hash (md5) that's the best way to get such details.
>
> virustotal.com is also a useful place to get pointers.
>
> i do not trust or respect most AV writeups, they're very inadequate or
> just plain wrong.
>
> ________
> jose nazario, ph.d.              http://monkey.org/~jose/
>
>
>
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Black Hat
>
> Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier
> technical event for ICT security experts. Featuring 30 hands-on training
> courses and 90 Briefings presentations with lots of new content and new
> tools.  Network with 4,000 delegates from 70 nations.  Visit product
> displays by 30 top sponsors in a relaxed setting.
>
> http://www.blackhat.com
>
>
> ---------------------------------------------------------------------------
>
>
> --
>
>                                   Mr. David H. Lipman
>                                   DLipman (at) Verizon (dot) Net [email concealed]
>                                Yahoo IM:  david_h_lipman


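Two points in the quoted thread lend themselves to a small triage script: David Lipman's remark that a process name proves nothing on its own (the fully qualified path matters, and malware borrows names such as SCVHOST.EXE or "Isass.exe" that look like legitimate binaries), and Jose Nazario's note that a file hash is the best key for pulling a sandbox report. The following is an added example, not code from the thread or from any of the services named in it. The baseline table of system binaries and their expected directories, the confusable-character map, and the process list are assumptions constructed for the example; a real baseline would come from a clean reference system of the same Windows build.

```python
import hashlib
import ntpath
from collections import Counter

# Baseline of legitimate Windows binaries and the directory each normally
# runs from. Assumed for this example; build the real table from a clean
# reference system of the same Windows build.
KNOWN_SYSTEM = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Characters that read alike in a process listing (capital I vs lower l,
# digit 0 vs letter o). Names are folded through this map before comparing.
CONFUSABLE = {"i": "l", "1": "l", "0": "o"}


def normalize(stem: str) -> str:
    """Lower-case a file stem and fold visually confusable characters."""
    return "".join(CONFUSABLE.get(c, c) for c in stem.lower())


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def letter_overlap(a: str, b: str) -> float:
    """Fraction of letters two names share regardless of order; catches
    rearrangements such as srvpool vs spoolsv that edit distance misses."""
    shared = sum((Counter(a) & Counter(b)).values())
    return shared / max(len(a), len(b), 1)


def triage(name: str, path: str) -> list:
    """Return (reason, detail) findings for one running process."""
    findings = []
    lname = name.lower()
    directory = ntpath.dirname(path).lower()
    if lname in KNOWN_SYSTEM:
        # A legitimate name proves nothing by itself; check where it lives.
        if directory != KNOWN_SYSTEM[lname]:
            findings.append(("unexpected-path", directory))
    else:
        # Unknown name: is it a near-copy of a system binary's name?
        stem = normalize(ntpath.splitext(lname)[0])
        for known in KNOWN_SYSTEM:
            kstem = normalize(ntpath.splitext(known)[0])
            if edit_distance(stem, kstem) <= 1 or letter_overlap(stem, kstem) >= 0.8:
                findings.append(("lookalike", known))
    return findings


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of a file's bytes: the keys used to look a sample up
    in a sandbox or multi-engine scanner report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed process list for the example, not real telemetry.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\Users\bob\AppData\Roaming\svchost.exe"),
    ("scvhost.exe", r"C:\Windows\System32\scvhost.exe"),
    ("Isass.exe", r"C:\Windows\System32\Isass.exe"),
    ("srvpool.exe", r"C:\Windows\srvpool.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for name, path in SAMPLE_PROCESSES:
        print(f"{name:12} {path}")
        for reason, detail in triage(name, path):
            print(f"    {reason}: {detail}")
```

The two heuristics are deliberately loose (an edit distance of one, or eighty percent shared letters) so that the transposition in scvhost, the capital-I substitution in Isass and the letter shuffle in srvpool all surface; anything they flag still needs the hash looked up and the binary examined, which is the point the thread makes about names versus paths and hashes.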
Copyright 2010, SecurityFocus