VirusTotal.com
VirusTotal.com is a well-known multi-scanner interface, available for free via web upload. To be more comparable with other anti-virus scanners, EmsiSoft recently decided to ask them to add its A-Squared engine (for free as well, of course). At first, nobody at Hispasec had any problem with this, and they put EmsiSoft in the queue to be added (due to a backend redesign, this took weeks).
Then suddenly, Oliver Auerbach from Avira started to complain, just because he had some unsettled issues with one of the developers at EmsiSoft, and therefore declared EmsiSoft an untrustworthy corporation. Hispasec immediately reacted and rejected EmsiSoft.
Seems like VirusTotal.com is not as independent as they always try to look. This also fits into my image of them, distributing samples, even if you ask them not to do so. The little "don't distribute" button at the upload interface really seems useless, at least it was in 2005.
Back then, I was developing some proof-of-concept samples for the c't Magazine and tested them with VirusTotal.com. Since they were obfuscated and 0day, nobody of course detected them. A few weeks later, when the magazine wrote their article, Symantec and a couple of other scanners were detecting them (funnily enough as RBot variants, just because it was IRC proof-of-concept malware). The samples never left my hard drive, except for going to VT or to the magazine...
So be careful with VirusTotal.com (there is also an alternative, Jotti's Online Scanner).
Update: jcanto@hispasec.com informed me in a closed forum:
"This also fits into my image of them, distributing samples, even if you ask them not to do so."
Anybody in the sample distribution system knows this is simply a lie. Simply ask any person dealing with VT in those labs and you'll know it. We don't distribute samples that are not detected by any engine. Besides that, Symantec is curiously the only company participating in VirusTotal that has never received a sample from us, as they've never wanted it. We repeatedly contacted people at the company, but they never gave us an email to send those samples. I suppose they are not interested in them because they've enough with their sources.
I never said that Symantec was the only one to detect it, though.


