Binary Analysis
RE: [Malware-track] Re: [General-discussion] Secure Science Corporation Malware Case Study Nov 16 2006 08:54PM
Alex Eckelberry (AlexE sunbelt-software com) (1 replies)
Re: [Malware-track] Re: [General-discussion] Secure Science Corporation Malware Case Study Nov 18 2006 12:41AM
Paul Laudanski (paul castlecops com) (1 replies)
Re: [Malware-track] Re: [General-discussion] Secure Science Corporation Malware Case Study Nov 18 2006 02:01AM
Paul Laudanski (paul castlecops com)
Based on the file our MIRT hunter fatdcuk provided, I tested it against
40 currently updated AVs. The results are quite interesting...

Scan report of: ntosEXE

Engine                Result ("-" = no detection)
@Proventia-VPS        Malicious (Cancelled)
AntiVir               HEUR/Crypted
Avast!                -
AVG                   Generic2.IEV (Trojan horse)
BitDefender           Generic.Malware.Sdldg.D57882DF (suspected)
ClamAV                -
Command               -
Dr Web                -
eSafe                 Trojan/Worm [101] (suspicious)
eTrust-INO            -
eTrust-INO (BETA)     -
eTrust-VET            -
eTrust-VET (BETA)     -
Ewido                 -
F-Prot                -
F-Secure              -
F-Secure (BETA)       -
Fortinet              -
Fortinet (BETA)       -
Ikarus                -
Kaspersky             -
McAfee                -
McAfee (BETA)         -
Microsoft             -
Nod32                 -
Norman                -
Panda                 Trj/Sinowal.BX
Panda (BETA)          Trj/Sinowal.BX
QuickHeal             -
Rising                -
Sophos                -
Symantec              Trojan Horse
Symantec (BETA)       Trojan Horse
Trend Micro           -
Trend Micro (BETA)    -
UNA                   -
VBA32                 -
VirusBuster           Trojan.Agent.FBJ
WebWasher             Heuristic.Crypted
YY_Spybot             Smitfraud-C.,,Executable

The original thread with the binary and AV results are also posted here:

http://www.castlecops.com/postitle171104-0-0-.html

Paul Laudanski, Microsoft MVP Windows-Security
Phish XML Feed: http://www.castlecops.com/article6619.html
Phish Takedown: http://castlecops.com/pirt
LinkedIn: http://www.linkedin.com/pub/1/49a/17b
www.CastleCops.com | de.CastleCops.com | wiki.CastleCops.com

----- Original Message -----
From: "Paul Laudanski" <paul (at) castlecops (dot) com [email concealed]>
To: "Alex Eckelberry" <AlexE (at) sunbelt-software (dot) com [email concealed]>; "Lance James"
<lancej (at) securescience (dot) net [email concealed]>; "Jose Nazario" <jose (at) arbor (dot) net [email concealed]>
Cc: "Phish-Net" <phish-net (at) ncfta (dot) net [email concealed]>; "Malicious Activity Awareness &
Response Discussions" <general-discussion (at) mal-aware (dot) org [email concealed]>;
<binaryanalysis (at) securityfocus (dot) com [email concealed]>; "Malware Tracking & Analysis"
<malware-track (at) mal-aware (dot) org [email concealed]>; "Lance James" <phishing (at) securescience (dot) net [email concealed]>;
"ML-apwg" <apwg (at) antiphishing.kavi (dot) com [email concealed]>
Sent: Friday, November 17, 2006 7:41 PM
Subject: Re: [Malware-track] Re: [General-discussion] Secure Science Corporation Malware Case Study

> Glad to see so many being able to contribute to the paper. :D
>
> Paul Laudanski, Microsoft MVP Windows-Security
> Phish XML Feed: http://www.castlecops.com/article6619.html
> Phish Takedown: http://castlecops.com/pirt
> LinkedIn: http://www.linkedin.com/pub/1/49a/17b
> www.CastleCops.com | de.CastleCops.com | wiki.CastleCops.com
>
> ----- Original Message -----
> From: "Alex Eckelberry" <AlexE (at) sunbelt-software (dot) com [email concealed]>
> To: "Lance James" <lancej (at) securescience (dot) net [email concealed]>; "Jose Nazario"
> <jose (at) arbor (dot) net [email concealed]>
> Cc: "Phish-Net" <phish-net (at) ncfta (dot) net [email concealed]>; "Malicious Activity Awareness &
> Response Discussions" <general-discussion (at) mal-aware (dot) org [email concealed]>; "Lance James"
> <phishing (at) securescience (dot) net [email concealed]>; "Malware Tracking & Analysis"
> <malware-track (at) mal-aware (dot) org [email concealed]>; <binaryanalysis (at) securityfocus (dot) com [email concealed]>;
> "ML-apwg" <apwg (at) antiphishing.kavi (dot) com [email concealed]>
> Sent: Thursday, November 16, 2006 3:54 PM
> Subject: RE: [Malware-track] Re: [General-discussion] Secure Science
> Corporation Malware Case Study
>
>
>> Really good piece btw.
>>
>> -----Original Message-----
>> From: malware-track-bounces (at) mal-aware (dot) org [email concealed]
>> [mailto:malware-track-bounces (at) mal-aware (dot) org [email concealed]] On Behalf Of Lance James
>> Sent: Thursday, November 16, 2006 2:48 PM
>> To: Jose Nazario
>> Cc: Phish-Net; Malicious Activity Awareness & Response Discussions;
>> binaryanalysis (at) securityfocus (dot) com [email concealed]; Malware Tracking & Analysis; Lance
>> James; ML-apwg
>> Subject: [Malware-track] Re: [General-discussion] Secure Science
>> Corporation Malware Case Study
>>
>> Jose Nazario wrote:
>>> On Thu, 16 Nov 2006, Lance James wrote:
>>>
>>>> http://www.securescience.net/securescienceblog/malwarecasestudy.html
>>>
>>> PDF link yields a Tomcat 404 page:
>>>
>>> URL:
>>>
>> http://www.securescience.net/securescienceblog/Secure%20Science%20Corporation%20%28www.securescience.net%29%20and%20Michael%20Ligh%20of%20http://mnin.org%20put%20together%20a%20paper%20on%20an%20interesting%20piece%20of%20malware.%20We%20include%20a%20removal%20kit,%20snort%20signatures,%20and%20source%20code%20and%20decryptor%20are%20available%20by%20request.
>>>
>>
>> Fixed.
>>>
>>> HTTP Status 404 - /securescienceblog/Secure Science Corporation
>>> (www.securescience.net) and Michael Ligh of http://mnin.org put
>>> together a paper on an interesting piece of malware. We include a
>>> removal kit, snort signatures, and source code and decryptor are
>> available by request.
>>>
>>> type Status report
>>>
>>> message /securescienceblog/Secure Science Corporation
>>> (www.securescience.net) and Michael Ligh of http://mnin.org put
>>> together a paper on an interesting piece of malware. We include a
>>> removal kit, snort signatures, and source code and decryptor are
>> available by request.
>>>
>>> description The requested resource (/securescienceblog/Secure Science
>>> Corporation (www.securescience.net) and Michael Ligh of
>>> http://mnin.org put together a paper on an interesting piece of
>>> malware. We include a removal kit, snort signatures, and source code
>>> and decryptor are available by request.) is not available.
>>> Apache Tomcat/5.5.17
>>>
>>>
>>>
>>> -------------------------------------------------------------
>>> jose nazario, ph.d. <jose (at) arbor (dot) net [email concealed]>
>>> software and security engineer Arbor Networks
>>> v: (734) 821 1427
>>> PGP: 0x40A7BF94
>>> http://asert.arbornetworks.com/
>>> -------------------------------------------------------------
>>>
>>
>>
>> --
>> Best Regards,
>> Lance James
>> Secure Science Corp.
>> http://www.securescience.net
>> _______________________________________________
>> Malware-track mailing list
>> Malware-track (at) mal-aware (dot) org [email concealed]
>> http://mal-aware.org/mailman/listinfo/malware-track
>>
>
> _______________________________________________
> General-discussion mailing list
> General-discussion (at) mal-aware (dot) org [email concealed]
> http://mal-aware.org/mailman/listinfo/general-discussion
>
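The scan table in Paul's message above, as an added example that is not part of the original post or of any tool mentioned in it: a Python parser for this kind of multi-engine report that pulls out the figures an analyst actually wants from it (how many engines fired, how many of those only raised a heuristic or generic name rather than a family, which vendors commit to a family, which engines missed the file, and whether a vendor's BETA build already reports something its release build does not). The report text is embedded as constructed sample input, copied from the post; the list of two-word engine names and the list of "generic" name markers are my assumptions, not a vendor taxonomy.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample input: the scan report from the post above, copied as posted.
# A lone "-" in the result column means the engine returned no detection.
SCAN_REPORT = """\
Scan report of: ntosEXE
@Proventia-VPS Malicious (Cancelled)
AntiVir HEUR/Crypted
Avast! -
AVG Generic2.IEV (Trojan horse)
BitDefender Generic.Malware.Sdldg.D57882DF (suspected)
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [101] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Trj/Sinowal.BX
Panda (BETA) Trj/Sinowal.BX
QuickHeal -
Rising -
Sophos -
Symantec Trojan Horse
Symantec (BETA) Trojan Horse
Trend Micro -
Trend Micro (BETA) -
UNA -
VBA32 -
VirusBuster Trojan.Agent.FBJ
WebWasher Heuristic.Crypted
YY_Spybot Smitfraud-C.,,Executable
"""

# Engine names containing a space; every other engine is a single token.
# (An assumption drawn from this report; extend it for other scanners.)
MULTIWORD_ENGINES = {"Dr Web", "Trend Micro"}

# Detection names that say "looks bad" without naming a family.  This marker
# list is my assumption, not a vendor taxonomy.
GENERIC_MARKERS = re.compile(r"heur|generic|susp|crypted|malicious|trojan horse|trojan/worm", re.I)

class Detection(NamedTuple):
    engine: str            # as printed, e.g. "Panda (BETA)"
    beta: bool
    result: Optional[str]  # None when the engine reported "-"

def parse_report(text):
    """Return (scanned file name, one Detection per engine line)."""
    sample, rows = "", []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() == "engine":  # blank line or column header
            continue
        if line.startswith("Scan report of:"):
            sample = line.split(":", 1)[1].strip()
            continue
        # Engine name: one token, or a known two-word name, then an optional "(BETA)".
        n = 2 if " ".join(tokens[:2]) in MULTIWORD_ENGINES else 1
        beta = len(tokens) > n and tokens[n] == "(BETA)"
        if beta:
            n += 1
        rest = " ".join(tokens[n:])
        rows.append(Detection(" ".join(tokens[:n]), beta, None if rest in ("", "-") else rest))
    return sample, rows

def summarise(rows, include_beta=True):
    """The figures an analyst reads off such a report, optionally ignoring BETA builds."""
    pool = [r for r in rows if include_beta or not r.beta]
    hits = [r for r in pool if r.result is not None]
    named = [r for r in hits if not GENERIC_MARKERS.search(r.result)]
    return {"engines": len(pool), "detections": len(hits),
            "rate": len(hits) / len(pool) if pool else 0.0,
            "generic_or_heuristic": len(hits) - len(named),
            "named": sorted({r.result for r in named}),
            "missed_by": sorted(r.engine for r in pool if r.result is None)}

def beta_disagreements(rows):
    """Engines whose BETA build reports something different from the release build."""
    release = {r.engine: r.result for r in rows if not r.beta}
    return sorted(r.engine for r in rows
                  if r.beta and release.get(r.engine[:-len(" (BETA)")]) != r.result)

if __name__ == "__main__":
    name, rows = parse_report(SCAN_REPORT)
    print(name, summarise(rows), "BETA disagreements:", beta_disagreements(rows), sep="\n")
```

Run stand-alone it prints the summary for the embedded report: 12 of the 40 engines flag the file, but 8 of those 12 only say heuristic, generic, crypted or suspicious, and dropping the BETA builds leaves 10 of 32. A low rate made up mostly of heuristic and "crypted" names is what a freshly packed or re-encrypted build of known malware usually looks like rather than a new family, and that distinction is worth stating when such a table is passed along.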

Copyright 2010, SecurityFocus