nosirrah
Security Expert Special Response Team
Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Thu Nov 02, 2006 5:01 am Post subject: New additional regulations

There will be a lot of helpers and vendors handling these samples so we need to keep things organized.
All samples must be zipped and password protected with the word "infected".
These free applications can easily do this:
7zip: http://www.7-zip.org/
Zipgenius: http://www.zipgenius.it/eng/index.php
Each thread can only have a single attachment. That one attachment can contain multiple files though.
Post all samples with a virustotal log: http://www.virustotal.com/en/indexf.html and jotti log: http://virusscan.jotti.org/. Include the MD5 hash as well. Also include any other antimalware applications that miss your sample(s).

Last edited by nosirrah on Wed Nov 08, 2006 1:41 am, edited 1 time in total
dvk01
Security Expert
Joined: Mar 31, 2004 Posts: 540 Location: Uk
Posted: Tue Nov 07, 2006 10:23 pm Post subject:

Can I suggest NOT using 7zip as the automatic analysers at most AV companies cannot cope with it and they prefer a standard winzip with the industry standard password of "infected".
There are already several submission services & I can see CC being a major player so from the start it will be much better to use the accepted way that all the other submitters do.
_________________
Derek
Microsoft MVP/Windows - Security
Malware Research
Hedgehog Rescue
The Spykiller
nosirrah
Security Expert Special Response Team
Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Nov 07, 2006 10:29 pm Post subject:

dvk01 wrote:
    Can I suggest NOT using 7zip as the automatic analysers at most AV companies cannot cope with it and they prefer a standard winzip with the industry standard password of "infected".
    There are already several submission services & I can see CC being a major player so from the start it will be much better to use the accepted way that all the other submitters do.

I was seeing .zip password protected malware getting killed when I did some email tag experimentation.
I will try other zipping methods to see what happens.
As far as I know every vendor that I deal with has a host of unzipping software. The same software that they use to test malware is capable of extracting just about any zipping tech.
The only reason I suggested 7zip is that the samples always went through.
Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351
nosirrah
Security Expert Special Response Team
Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Tue Nov 07, 2006 11:01 pm Post subject:

Paul wrote:
    fwiw, I haven't seen any rejections yet on zips.

Is winzip ok with you Paul?
I have always used 7zip and zip genius.
Does it matter as long as it is password protected?
Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351
nosirrah
Security Expert Special Response Team
Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Wed Nov 08, 2006 12:50 am Post subject:

Paul wrote:
    I'm fine either way, but I'm in agreement in using pre-existing standards. If it's zip, that is fine. The 'infected' password is also standard.

I will edit the opening accordingly.
Any opposition to deleting all but the top post once it is agreed upon?
Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351
jonpoon
Lieutenant
Joined: Mar 28, 2006 Posts: 154
Posted: Wed Nov 08, 2006 6:55 am Post subject:

we can still use 7zip to create archives in zip format and that should be the best of both worlds
dvk01
Security Expert
Joined: Mar 31, 2004 Posts: 540 Location: Uk
Posted: Wed Nov 08, 2006 7:31 am Post subject:

nosirrah wrote:
    dvk01 wrote:
        Can I suggest NOT using 7zip as the automatic analysers at most AV companies cannot cope with it and they prefer a standard winzip with the industry standard password of "infected".
        There are already several submission services & I can see CC being a major player so from the start it will be much better to use the accepted way that all the other submitters do.
    I was seeing .zip password protected malware getting killed when I did some email tag experimentation.
    I will try other zipping methods to see what happens.
    As far as I know every vendor that I deal with has a host of unzipping software. The same software that they use to test malware is capable of extracting just about any zipping tech.
    The only reason I suggested 7zip is that the samples always went through.

Yes the vendors do have a host of extraction facilities that are manually used, BUT the major ones all use an auto analysing system that has strict limits/formats for speed & throughput, and when the archive isn't in their recommended format or using one of a small number of recognized passwords it gets put to one side in the queue for manual analysis, which can be slow & sometimes takes weeks to get to the top of the pile.
The auto ones are not by any means 100% efficient but do flag the common malware types & suspicious behaviour.
Almost all AVs nowadays alert on password protected archives because of Bagle, but any reliable AV shouldn't disinfect automatically, just alert. I know KAV autocleans all passworded archives you attempt to send, so I have to disable it when sending samples to vendors, but it only alerts on receipt.
I am sure other AVs will have similar idiosyncratic behaviour.
Be careful with the file size & number limit inside any archive or the submission will get rejected by several AV companies, and the worst offenders are Symantec & Trend, who routinely reject anything NOT in a zip archive (including RAR & 7zip) or containing more than 10 files inside the archive.
Bulk submissions from addresses tend to get a lower priority with many vendors. For example VT & Jotti send all samples that any AV detects as infected, but often weeks later they still aren't detected because the bulk queue gets put to one side.
I do want to see this get off to a good start, so while it is still small we can iron out the little quirks that might slow down or prevent its effectiveness.
_________________
Derek
Microsoft MVP/Windows - Security
Malware Research
Hedgehog Rescue
The Spykiller
dvk01
Security Expert
Joined: Mar 31, 2004 Posts: 540 Location: Uk
Posted: Wed Nov 08, 2006 7:42 am Post subject:

jonpoon wrote:
    we can still use 7zip to create archives in zip format and that should be the best of both worlds

You can use whatever program you want. The problem is the (password) encryption type.
Winzip allows several types:
zip 2.0 compatible
128 bit AES
256 bit AES
Stick to zip 2.0 compatible for malware samples.
We have all tried the others, thinking it will be safer or better, & it causes delays or rejection at the other end as detailed in my other posts.
Yes it's important to password to give a minimal level of protection, but remember this malware is in the wild & in circulation otherwise we wouldn't be getting it, and getting an AV to respond & include speedy detection is the primary function we are after.
_________________
Derek
Microsoft MVP/Windows - Security
Malware Research
Hedgehog Rescue
The Spykiller
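An added example, not from the thread or any of its posters: a small Python pre-submission check that applies the rules settled above (a real zip container, every entry password protected with "infected", zip 2.0 compatible encryption rather than WinZip AES, no more than 10 files) and computes the MD5 hashes the opening post asks for. The 10-file limit comes from dvk01's post; the method number 99 is how WinZip marks its AES entries; the archive builder at the end is a constructed, unencrypted fixture (the Python standard library cannot write zip 2.0 encryption), so it is deliberately the non-conforming case the checker should flag.

```python
import hashlib
import io
import zipfile

SUBMISSION_PASSWORD = b"infected"  # the password the thread standardises on
MAX_FILES = 10                     # limit quoted for the Symantec/Trend auto-analysers
WINZIP_AES_METHOD = 99             # WinZip stores its AES variants as method 99

def check_submission(archive: bytes, pwd: bytes = SUBMISSION_PASSWORD) -> list:
    """List the reasons an auto-analyser would park or reject this archive."""
    if not zipfile.is_zipfile(io.BytesIO(archive)):
        return ["not a zip archive (RAR and 7z containers get rejected)"]
    problems = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        if len(entries) > MAX_FILES:
            problems.append(f"{len(entries)} files inside archive, limit is {MAX_FILES}")
        for info in entries:
            if info.compress_type == WINZIP_AES_METHOD:
                problems.append(f"{info.filename}: AES encrypted, use zip 2.0 compatible")
            elif not info.flag_bits & 0x1:  # general-purpose bit 0 = entry is encrypted
                problems.append(f"{info.filename}: not password protected")
            else:
                try:
                    zf.read(info, pwd=pwd)  # stdlib can open zip 2.0 (ZipCrypto) entries
                except RuntimeError:        # raised when the password is wrong
                    problems.append(f"{info.filename}: password is not {pwd.decode()!r}")
    return problems

def sample_hashes(archive: bytes, pwd: bytes = SUBMISSION_PASSWORD) -> dict:
    """MD5 of every sample in the archive, for the hash line in the post."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                hashes[info.filename] = hashlib.md5(zf.read(info, pwd=pwd)).hexdigest()
    return hashes

def build_test_archive(files: dict) -> bytes:
    """Constructed, unencrypted zip used only to exercise the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    arc = build_test_archive({"sample.exe": b"abc"})  # constructed sample content
    print(check_submission(arc))  # ['sample.exe: not password protected']
    print(sample_hashes(arc))
```

Run it against the real archive bytes before attaching; an empty list from check_submission means the archive should pass the automated queues described in the thread.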
nosirrah
Security Expert Special Response Team
Joined: Apr 19, 2006 Posts: 6301 Location: USA
Posted: Wed Nov 08, 2006 1:05 pm Post subject:

@ everyone
Is there anything that should be fixed in the top post or is everyone happy?
This is only a request, but formatting like this: /t171246-zlob.html makes it very easy to pick out all of the important information.
Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351
faith_michele
PIRT Handler
Joined: Dec 26, 2005 Posts: 2662
Posted: Thu Nov 09, 2006 10:13 am Post subject:

Are we going to be using CounterSpy Research's sandbox to submit suspected files?
http://research.sunbelt-software.com/Submit.aspx
I have used this at times, and they have pretty good results that are returned by email. I'm just brainstorming a little bit because ever since we started discovering malware links in phish submissions, I had always asked: what can we do about it?
I wonder if there is an automated way to submit to them and get results back faster than the others?
Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351