[ale] [OT] Databases of viruses/malware

Greg Freemyer greg.freemyer at gmail.com
Wed Mar 2 15:28:27 EST 2011


You can submit malware to "totalvirus.com" (or is it virustotal.com)
to see who has it in their malware av signature list.  Almost
immediate results.

You can submit it to cw sandbox for an automated sandbox test.  Takes
an hour or two for results.

There is also a site called bin9, but I have not used them.

My clients typically have a contract with their AV provider to also
let them send in malware for a human to analyse.  This takes days to
get results.

The human analysis is typically the best, but I don't know how you get
that done without a pre-existing contract.  (Truly, I just have a lack
of knowledge.  I have never tried.)

HTH
Greg

On 3/2/11, Michael B. Trausch <mike at trausch.us> wrote:
> Well, alright, so I'm not technically sure if this would be considered
> off-topic or not.  I'm going to err on the side of safety and say that
> it most likely is, though this is something that has to be dealt with on
> Linux servers that handle Windows clients.
>
> In any event, I'm looking into a problem, and one of the things that I
> need to do is find (good, useful) information on the particular item
> that is being problematic.  How it works and so forth.  I'd assume that
> there is a database of viruses and malware somewhere that provides such
> useful information, but I'm missing it if there is.
>
> In lieu of that, is there a place somewhere out there that makes these
> sorts of things available?  Obviously, I can see the abuse potential for
> something like that, but it would also be useful for finding things and
> obtaining them to run them in isolated sandboxes in order to assess
> their total impact to a system.  It seems that even with all the
> well-known problems that exist in the Windows world, it's difficult for
> legitimate AV/AM solutions to clean up after cruft that manages to land
> in a system.
>
> In particular, the baddie that I'm looking at has managed to get around
> the permissions setup in the system (we're talking about a completely
> restricted user account environment) and infect the system proper.  I
> want to know just how it did that.
>
> 	--- Mike
>

-- 
Sent from my mobile device

Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
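The VirusTotal lookup Greg mentions is usually done by hash first, so a client's file is never uploaded when the sample is already known. The script below is an added example for that workflow, not code from anyone on the thread; it assumes the VirusTotal v3 REST API (GET /api/v3/files/{sha256} with an `x-apikey` header) and an API key in the VT_API_KEY environment variable, and the `opener` parameter is a hook of my own so the parsing can be exercised without network access.

```python
"""Hash-based lookup of a suspect file against VirusTotal (added example).

Assumptions (not from the original thread): the VirusTotal v3 REST API,
which answers GET /api/v3/files/{sha256} with JSON when given an
`x-apikey` header, and an API key in the VT_API_KEY environment variable.
Looking up by hash first avoids uploading a client's file (which may be
confidential) when the sample is already known to VirusTotal.
"""
import hashlib
import json
import os
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large samples are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_report(report):
    """Reduce a v3 file report to the detection counts and the engines that
    flagged the sample, which is what a triage note usually needs."""
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(
        (engine, r.get("result"))
        for engine, r in results.items()
        if r.get("category") == "malicious"
    )
    return {
        "malicious": stats.get("malicious", 0),
        "undetected": stats.get("undetected", 0),
        "engines_flagging": flagged,
        "names": attrs.get("names", []),
    }


def lookup_hash(sha256, api_key, opener=urllib.request.urlopen):
    """Return (status, summary); status is 'known', 'unknown' or 'error'.
    `opener` is injectable (assumption of this example) so the function can
    be exercised offline with a fake response."""
    req = urllib.request.Request(
        VT_FILE_URL.format(sha256), headers={"x-apikey": api_key}
    )
    try:
        with opener(req) as resp:
            return "known", summarize_report(json.load(resp))
    except urllib.error.HTTPError as e:
        if e.code == 404:
            # Not in VirusTotal: decide separately whether uploading is acceptable.
            return "unknown", None
        return "error", {"http_status": e.code}


if __name__ == "__main__":
    import sys
    digest = sha256_of_file(sys.argv[1])
    print("sha256:", digest)
    status, summary = lookup_hash(digest, os.environ["VT_API_KEY"])
    print(status, json.dumps(summary, indent=2))
```

A 404 from the hash lookup means the sample is new to VirusTotal, which is worth knowing before deciding whether to upload it: anything submitted is shared with the AV vendors, so a file containing client data should go to the contracted vendor instead.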

