miƩrcoles, 28 de octubre de 2009
viernes, 16 de octubre de 2009
Anyone out there?
Hi malware collectors of the world!
Lately I´m not writing new posts much often because I don´t get any feedback.
I don´t know if I´m writing for anyone or just for myself.
If anyone is listening I´ld appreciate some comments. If there is no feedback I will understand that there is no interest on this blog and I´ll stop it.
Regards.
Lately I´m not writing new posts much often because I don´t get any feedback.
I don´t know if I´m writing for anyone or just for myself.
If anyone is listening I´ld appreciate some comments. If there is no feedback I will understand that there is no interest on this blog and I´ll stop it.
Regards.
lunes, 21 de septiembre de 2009
Example of the importance of unpacking
Hi, malware collectors of the world!
Today I will make an entry in the blog to talk about the importance of unpacking packed samples.
Remember that with packed samples I mean setup, installations, embedded files, files that can be dropped to disk, auto-extractable files (Rar, ZIP, etc).
KAV can help you to identify that kind of files. Just enable the "Show pack info in the report" option. You can find it at "Options" menu.
To prove the importance of unpacking I will show an example.
9E3F66B6.EX_ is a packed file. Let´s see how many time needs KAV to scan it:
c:\test\9E3F66B6.EX_/file7 Infected Backdoor.Win32.PcClient.bdud
Scan time 05:50
Almost 6 minutes to scan the packed file! And that is in a Core i7 computer!!!
Imagine you have 300 files like that one. Scan them would take over a complete day, probably much more in slower computers, to scan just 300 files. Crazy!
Now let´s see how many time is required to detect the detected sample inside the packed file:
c:\test\MSDN_VC.EXE Infected Backdoor.Win32.PcClient.bdud
Scan time 00:00
The file is scanned in no time.
Big big difference, isn´t it?
Now you should realize the real importance and impact that unpacking stuff may have in the required time to scan your collection.
See you in next post!
Today I will make an entry in the blog to talk about the importance of unpacking packed samples.
Remember that with packed samples I mean setup, installations, embedded files, files that can be dropped to disk, auto-extractable files (Rar, ZIP, etc).
KAV can help you to identify that kind of files. Just enable the "Show pack info in the report" option. You can find it at "Options" menu.
To prove the importance of unpacking I will show an example.
9E3F66B6.EX_ is a packed file. Let´s see how many time needs KAV to scan it:
c:\test\9E3F66B6.EX_/file7 Infected Backdoor.Win32.PcClient.bdud
Scan time 05:50
Almost 6 minutes to scan the packed file! And that is in a Core i7 computer!!!
Imagine you have 300 files like that one. Scan them would take over a complete day, probably much more in slower computers, to scan just 300 files. Crazy!
Now let´s see how many time is required to detect the detected sample inside the packed file:
c:\test\MSDN_VC.EXE Infected Backdoor.Win32.PcClient.bdud
Scan time 00:00
The file is scanned in no time.
Big big difference, isn´t it?
Now you should realize the real importance and impact that unpacking stuff may have in the required time to scan your collection.
See you in next post!
viernes, 18 de septiembre de 2009
Speed up collection scanning
Hi, malware collectors of the world!
Nowadays one of the problems that collectors have is the required amount of time to generate new logs. Today I will discuss several methods to speed up collection scanning times.
In the past virus collections used to take around 200 or 300 MB. With that size it was possible to generate new logs every day, even using several antivirus.
After year 2000 the amount of samples started to increase heavily and collectors began to generate new logs weekly instead of daily. At the same time all the antivirus used to exchange were dropped and only KAV remained, being the standard antivirus to exchange.
Actually KAV is still the standard antivirus for malware exchange as I commented in other post. So apart of generic ways, I will focus in methods to speed up KAV scanning.
1.- The most obvious way to boost things is to use the best available hardware. The Intel Core i7 is a good choice. The amount of RAM is not so important but a fast H.D. is.
2.- An even more obvious way to speed up log creation is to use several computers. Just share the task load between several computers.
3.- If you are creating logs to trade scan only your exchange collection.
The exchange collection will be formed by unique samples. Don´t keep several copies of the same identified sample.
4.- Something that slows down KAV very much are the packed samples, so unpack all possible packed samples.
Extract detected files from setups/installations, embedded and dropper files.
Examples of that kind of samples are setups created with: NSIS, Setup Factory, autoextractable files (RAR, ZIP, ...), etc.
Don´t extract compressed files. I mean files packed with UPX, Armadillo, Themida, MEW, etc. Only extract that kind of files when a setup or installation file is compressed with any of them.
You will recognize what stuff you must unpack looking at KAV log. Here you can see some examples of the kind of stuff you should process:
Move apart old files (files you got from year 2002 and older) and don´t scan them every week. Maybe once per month will be enough.
Why this? Because KAV probably will not change the identification names of that samples, so the ID will remain equal week after week.
If anyone have any other trick to speed up log creation he will be welcome.
Nowadays one of the problems that collectors have is the required amount of time to generate new logs. Today I will discuss several methods to speed up collection scanning times.
In the past virus collections used to take around 200 or 300 MB. With that size it was possible to generate new logs every day, even using several antivirus.
After year 2000 the amount of samples started to increase heavily and collectors began to generate new logs weekly instead of daily. At the same time all the antivirus used to exchange were dropped and only KAV remained, being the standard antivirus to exchange.
Actually KAV is still the standard antivirus for malware exchange as I commented in other post. So apart of generic ways, I will focus in methods to speed up KAV scanning.
1.- The most obvious way to boost things is to use the best available hardware. The Intel Core i7 is a good choice. The amount of RAM is not so important but a fast H.D. is.
2.- An even more obvious way to speed up log creation is to use several computers. Just share the task load between several computers.
3.- If you are creating logs to trade scan only your exchange collection.
The exchange collection will be formed by unique samples. Don´t keep several copies of the same identified sample.
4.- Something that slows down KAV very much are the packed samples, so unpack all possible packed samples.
Extract detected files from setups/installations, embedded and dropper files.
Examples of that kind of samples are setups created with: NSIS, Setup Factory, autoextractable files (RAR, ZIP, ...), etc.
Don´t extract compressed files. I mean files packed with UPX, Armadillo, Themida, MEW, etc. Only extract that kind of files when a setup or installation file is compressed with any of them.
You will recognize what stuff you must unpack looking at KAV log. Here you can see some examples of the kind of stuff you should process:
c:\test\ASTRUM.EX_/data0004 Infected Backdoor.IRC.Seiseni5.- Don´t scan very old files.
c:\test\ASTRUM.EX_/data0008 Infected Backdoor.IRC.Seiseni
c:\test\ASTRUM.EX_/data0009 Infected not-a-virus:Client-IRC.Win32.mIRC.601
c:\test\HMIMYS.EX_/123.exe Infected Backdoor.Win32.Hupigon.ejub
c:\test\INIT1.EX_/data0000 Infected Trojan.Win32.Chinaad.ni
c:\test\INIT2.EX_/data0000 Infected Trojan.Win32.Chinaad.ne
c:\test\INNO.EX_/file19 Infected not-a-virus:FraudTool.Win32.AntiSpywareSoldier.b
c:\test\INNO2.EX_/data0032 Infected not-a-virus:Monitor.Win32.ParentsFriend.a
c:\test\INSTYLER.EX_/astem.as Infected Backdoor.IRC.Zapchast
c:\test\INSTYLER.EX_/bstem.as Infected Backdoor.IRC.Zcrew
c:\test\INSTYLER.EX_/oystem.er Infected Backdoor.IRC.Zcrew
c:\test\KAOS.EX_/data0000.cab/2.exe Infected Backdoor.Win32.Hupigon.ehnx
c:\test\MSC.EX_/MSC.EX_ Infected Trojan-Downloader.Win32.Banload.ddh
c:\test\NBINDER1.EX_/ppp.exe Infected Backdoor.Win32.Turkojan.bkn
c:\test\NBINDER2.EX_/testxxx4.exe/rbot2.exe Infected Backdoor.Win32.Rbot.wnl
c:\test\NBINDER3.EX_/server.exe-crypted.exe Infected Trojan-Dropper.Win32.VB.azv
c:\test\NBINDER4.EX_/svchost.exe Infected Backdoor.Win32.SdBot.ewp
c:\test\NBINDER5.EX_/crypted1.exe Infected Backdoor.Win32.Bifrose.uzu
c:\test\NBINDER6.EX_/dl.exe Infected Trojan-Downloader.Win32.Agent.ahbi
c:\test\NSIS.EX_/data0002 Infected Backdoor.Win32.Visel.afy
c:\test\NSPACKER.EX_/data0000.cab/SERVER~1.EXE Infected Backdoor.Win32.Hupigon.dsx
c:\test\ORIEN.EX_/data0000.cab/SERVER~1.EXE Infected Backdoor.Win32.Hupigon.dsx
c:\test\ORIEN2.EX_/data0000.cab/7.exe Infected Trojan-GameThief.Win32.OnLineGames.tkws
c:\test\PCGUARD1.EX_/data0000.cab/server.exe Infected Trojan.Win32.Midgare.aamx
c:\test\PCGUARD2.EX_/data0000.cab/server.exe Infected Trojan.Win32.Midgare.aadg
c:\test\QBFC.EX_/1 Infected Flooder.Win32.Assault.10
c:\test\QBFC2.EX_/0 Infected Backdoor.Win32.Netbus.170
c:\test\RAP.EX_/rinst.exe Infected Trojan.Win32.KillAV.dt
c:\test\SEA.EX_/setup.zip/1/ver.2/AUR.exe Infected IM-Flooder.Win32.AUR.c
c:\test\SEA.EX_/setup.zip/5/HM_comC.exe Infected Trojan.Win32.Delf.kl
c:\test\SEA.EX_/setup.zip/6/icq-brute.exe Infected HackTool.Win32.BruteForce.u
c:\test\SEA.EX_/setup.zip/8/1.5.191_Pro/IPDbrute_1.5.191.exe Infected not-a-virus:PSWTool.Win32.IpdBrute.15
c:\test\SEA.EX_/setup.zip/8/IPDbrute_2.0_Lite/IPDbrute_2.0_Lite.exe Infected not-a-virus:PSWTool.Win32.IpdBrute.20
c:\test\SEA.EX_/setup.zip/8/IPDbrute_2.0_Pro_old/IPDbrute2.exe Infected not-a-virus:PSWTool.Win32.IpdBrute.20
c:\test\SEA.EX_/setup.zip/11/recover.exe Infected not-a-virus:PSWTool.Win32.ICQ.y
c:\test\SEA.EX_/setup.zip/12/UIC.exe Infected Flooder.Win32.Agent.bb
c:\test\SEA.EX_/setup.zip/16 Infected not-a-virus:PSWTool.Win32.ICQ.v
c:\test\SEA2.EX_/setup.zip/25 Infected not-a-virus:Client-IRC.Win32.mIRC.603
c:\test\SEA2.EX_/setup.zip/26 Infected not-a-virus:RiskTool.Win32.HideWindows
c:\test\SIM.EX_/data1 Infected Trojan.BAT.KillFiles.ge
c:\test\SVKP.EX_/data0000.cab/4_BK_BK.exe Infected Packed.Win32.PolyCrypt.b
c:\test\THINSTAL.EX_/AQ.exe Infected Trojan-Downloader.Win32.Small.akjq
c:\test\UPACK.EX_/data0000.cab/lin2.exe Infected Trojan-Downloader.Win32.BHO.un
c:\test\UPACK.EX_/data0000.cab/rmt-live.exe Infected Trojan.Win32.Inject.ihr
Move apart old files (files you got from year 2002 and older) and don´t scan them every week. Maybe once per month will be enough.
Why this? Because KAV probably will not change the identification names of that samples, so the ID will remain equal week after week.
If anyone have any other trick to speed up log creation he will be welcome.
viernes, 4 de septiembre de 2009
Hi, malware collectors of the world. I hope you have had nice holidays!
After a vacational stop I continue the activity of the blog.
Today I will make an entry commenting how many collections you should have and what kind of trader you can be.
I suggest you build two malware collections:
Collection number one would be a collection used to exchange with other collectors. This collection must contain only unique samples; That means one file for each uniquely identified malware, virus, worm or whatever. We will call this collection the 'trading collection'.
Collection number two would be a collection containing all the malware samples you got minus the samples you already have in the collection number one. We will call this collection as the 'main collection'.
You should scan and make new log of trading collection weekly. Depending of the size of this collection and the hardware you use, it should not take more than a few hours to scan it.
Main collection, depending also of its size and the hardware you use, will take much more time than trading collection to scan. You will have to evaluate the amount of time required to scan main collection and decide how often you want to scan it.
The objective of scanning main collection should be to find new unique malwares and add them to trading collection.
There are two types of malware collectors: there is the traditional collector that only exchanges new unique samples and there is a collector that will exchange samples using a hash to know if a sample is new for him.
In the first case, the collector that exchanges for unique samples uses KAV log to know what he has in the collection and what he misses from other trader´s logs.
In the second case, the collector does not need to make KAV logs because he uses MD5, SHA-1 or whatever hash to exchange. This kind of collector would not need to make a trading and a main collection. He only would build a main collection.
Mainly you will meet traditional collectors, people that will exchange for unique samples using KAV log. Some of them will accept to make hash trades also. The problem with hash trades is the amount of information that must be exchanged. Doing hash trades over internet will be really difficult.
See you soon!
After a vacational stop I continue the activity of the blog.
Today I will make an entry commenting how many collections you should have and what kind of trader you can be.
I suggest you build two malware collections:
Collection number one would be a collection used to exchange with other collectors. This collection must contain only unique samples; That means one file for each uniquely identified malware, virus, worm or whatever. We will call this collection the 'trading collection'.
Collection number two would be a collection containing all the malware samples you got minus the samples you already have in the collection number one. We will call this collection as the 'main collection'.
You should scan and make new log of trading collection weekly. Depending of the size of this collection and the hardware you use, it should not take more than a few hours to scan it.
Main collection, depending also of its size and the hardware you use, will take much more time than trading collection to scan. You will have to evaluate the amount of time required to scan main collection and decide how often you want to scan it.
The objective of scanning main collection should be to find new unique malwares and add them to trading collection.
There are two types of malware collectors: there is the traditional collector that only exchanges new unique samples and there is a collector that will exchange samples using a hash to know if a sample is new for him.
In the first case, the collector that exchanges for unique samples uses KAV log to know what he has in the collection and what he misses from other trader´s logs.
In the second case, the collector does not need to make KAV logs because he uses MD5, SHA-1 or whatever hash to exchange. This kind of collector would not need to make a trading and a main collection. He only would build a main collection.
Mainly you will meet traditional collectors, people that will exchange for unique samples using KAV log. Some of them will accept to make hash trades also. The problem with hash trades is the amount of information that must be exchanged. Doing hash trades over internet will be really difficult.
See you soon!
viernes, 31 de julio de 2009
How to sort a malware collection
Hi, malware collectors of the world!
Today I´ll discuss the different options we can decide about how to sort our malware collection.
Collection packed or collection unpacked?
I always have considered that having the collection packed is the best decission for multiple reasons. Almost every consideration is a pro for having the collection packed and there are no contras almost; meanwhile having the collection unpacked has lots of contras in my opinion.
Pros of having the collection packed:
* Making backups will be easier.
You create new archives containing new stuff so backups are incremental, no need to backup everything everytime.
* C0llection will take less space on hard disk.
* KAV scans a packed collection as fast as an unpacked one. Some tests even say that it´s faster.
* Verifying the integrity of the collection is easier.
You just need to run the test function of WinZIP to know if everything is ok. Checking if something is wrong with an unpacked collections takes more time as you must run a check of the whole drive storing the collection.
The only contra is the amount of time required to compress new files but as we will compress just a few files every day that´s not relevant.
There are other reasons but I´ll discuss some of them in future posts.
How to name files?
Some traders used to like to name files by the identification given by KAV. I always considered this as a mistake because identifications may be modified so the file name would be wrong.
I consider that it has more advantages having the files named by a hash, like MD5, SHA-1 or SHA-256.
You can use RenFiles to rename files to MD5 or SHA-256.
How to name file extensions?
Using KAV the file extension is not relevant as identification will not change depending if the file has the right extension or not.
Some collectors prefer extensions like .VXE or .VLL instead .EXE and .DLL to avoid infections.
A good collector should be able to manage a collection having the right extensions on files because he manages the files in a safe environment. A safe environment is that one where you can not run a virus or malware accidentally.
If you want to name files by their right extension use RenFiles.
What folder structure should I use to store the collection?
If you decide to follow my tip and keep the collection packed you don´t need a folder structure. Just decide a file size limit for the ZIP (I recommed ZIP to pack) and add new files until you reach the limit. When you reach it continue compressing on next archive. You can use consecutive numbers to name archives. Like:
MALW00001.ZIP
MALW00002.ZIP
MALW00003.ZIP
MALW00004.ZIP
.
.
.
If you decide you want an unpacked collection then continue reading.
Years ago many collectors liked having the folder structure based in the KAV identification name. Something like:
C:\COLLECTION\T\Trojan\Win32\Example\a\FILE.EXE
or
C:\COLLECTION\T\Trojan.Win32.Example.a\FILE.EXE
Several tools were created to process files and copy/move them to such structures using KAV logs.
If you like that folder structure method to sort the collection you can download VS2000 GUI and use it. You can get VS2000 GUI from here.
You have that feature under "Virus organizer" tab.
There are 5 different folder structure types available. You can see examples of how collection will look like clicking in the "?" buttons.
If I´m forced to use a folder structure then the folder structure method I prefer is the one called "Bulk". It´s based in the hash of the file. There is a root folder and inside 16 folders, from 0-9 and A-F. Inside those folders there are other 16 subfolders with the first 2 chars of the hash. 16*16 folders in total. Something like:
C:\MALWARE\0\00
C:\MALWARE\0\01
C:\MALWARE\0\02
.
.
C:\MALWARE\A\A0
C:\MALWARE\A\A1
C:\MALWARE\A\A2
.
.
C:\MALWARE\F\FE
C:\MALWARE\F\FF
This is one of the five available structures in VS2000 GUI.
And that´s all you must decide about how to sort your malware collection. A fast resume:
Decide if you want collection packed or unpacked
Decide how to name files
Decide how to name extensions
If you decide an unpacked collection then decide the folder structure.
My "setup" is:
Collection packed (using ZIP format).
File names by their SHA-256
Files having the right extension
File size for archives: around 200 and 300 MB. More can be problematic for KAV.
File names for archives: VIRUS001.ZIP, VIRUS002.ZIP, etc
And that´s all for now. See you soon!
Today I´ll discuss the different options we can decide about how to sort our malware collection.
Collection packed or collection unpacked?
I always have considered that having the collection packed is the best decission for multiple reasons. Almost every consideration is a pro for having the collection packed and there are no contras almost; meanwhile having the collection unpacked has lots of contras in my opinion.
Pros of having the collection packed:
* Making backups will be easier.
You create new archives containing new stuff so backups are incremental, no need to backup everything everytime.
* C0llection will take less space on hard disk.
* KAV scans a packed collection as fast as an unpacked one. Some tests even say that it´s faster.
* Verifying the integrity of the collection is easier.
You just need to run the test function of WinZIP to know if everything is ok. Checking if something is wrong with an unpacked collections takes more time as you must run a check of the whole drive storing the collection.
The only contra is the amount of time required to compress new files but as we will compress just a few files every day that´s not relevant.
There are other reasons but I´ll discuss some of them in future posts.
How to name files?
Some traders used to like to name files by the identification given by KAV. I always considered this as a mistake because identifications may be modified so the file name would be wrong.
I consider that it has more advantages having the files named by a hash, like MD5, SHA-1 or SHA-256.
You can use RenFiles to rename files to MD5 or SHA-256.
How to name file extensions?
Using KAV the file extension is not relevant as identification will not change depending if the file has the right extension or not.
Some collectors prefer extensions like .VXE or .VLL instead .EXE and .DLL to avoid infections.
A good collector should be able to manage a collection having the right extensions on files because he manages the files in a safe environment. A safe environment is that one where you can not run a virus or malware accidentally.
If you want to name files by their right extension use RenFiles.
What folder structure should I use to store the collection?
If you decide to follow my tip and keep the collection packed you don´t need a folder structure. Just decide a file size limit for the ZIP (I recommed ZIP to pack) and add new files until you reach the limit. When you reach it continue compressing on next archive. You can use consecutive numbers to name archives. Like:
MALW00001.ZIP
MALW00002.ZIP
MALW00003.ZIP
MALW00004.ZIP
.
.
.
If you decide you want an unpacked collection then continue reading.
Years ago many collectors liked having the folder structure based in the KAV identification name. Something like:
C:\COLLECTION\T\Trojan\Win32\Example\a\FILE.EXE
or
C:\COLLECTION\T\Trojan.Win32.Example.a\FILE.EXE
Several tools were created to process files and copy/move them to such structures using KAV logs.
If you like that folder structure method to sort the collection you can download VS2000 GUI and use it. You can get VS2000 GUI from here.
You have that feature under "Virus organizer" tab.
There are 5 different folder structure types available. You can see examples of how collection will look like clicking in the "?" buttons.
If I´m forced to use a folder structure then the folder structure method I prefer is the one called "Bulk". It´s based in the hash of the file. There is a root folder and inside 16 folders, from 0-9 and A-F. Inside those folders there are other 16 subfolders with the first 2 chars of the hash. 16*16 folders in total. Something like:
C:\MALWARE\0\00
C:\MALWARE\0\01
C:\MALWARE\0\02
.
.
C:\MALWARE\A\A0
C:\MALWARE\A\A1
C:\MALWARE\A\A2
.
.
C:\MALWARE\F\FE
C:\MALWARE\F\FF
This is one of the five available structures in VS2000 GUI.
And that´s all you must decide about how to sort your malware collection. A fast resume:
Decide if you want collection packed or unpacked
Decide how to name files
Decide how to name extensions
If you decide an unpacked collection then decide the folder structure.
My "setup" is:
Collection packed (using ZIP format).
File names by their SHA-256
Files having the right extension
File size for archives: around 200 and 300 MB. More can be problematic for KAV.
File names for archives: VIRUS001.ZIP, VIRUS002.ZIP, etc
And that´s all for now. See you soon!
jueves, 30 de julio de 2009
RenFiles: the file renamer for malware collectors
Hi, malware collectors of the world!
Today I´ll introduce RenFiles.
RenFiles is a tool (command line) designed to rename file names and file extensions on demand.
This tool is recursive, so you can specify a folder and all files inside will be renamed.
RenFiles is able to rename file names to their CRC32, MD5 or SHA-256 hash depending of the used command.
RenFiles is also able to rename file extensions to the proper of each file with big accuracy.
Having the files named by their proper extension used to be very important because some antivirus were giving a different report depending of the file extension. KAV 4.5 doesn´t have this problem but anyway having files named properly is more "professional".
RenFiles has other features but the most important ones are the described above.
You can find a manual of RenFiles here.
You can get RenFiles binary here.
Next posts will be related to collection storage and sorting methods.
Today I´ll introduce RenFiles.
RenFiles is a tool (command line) designed to rename file names and file extensions on demand.
This tool is recursive, so you can specify a folder and all files inside will be renamed.
RenFiles is able to rename file names to their CRC32, MD5 or SHA-256 hash depending of the used command.
RenFiles is also able to rename file extensions to the proper of each file with big accuracy.
Having the files named by their proper extension used to be very important because some antivirus were giving a different report depending of the file extension. KAV 4.5 doesn´t have this problem but anyway having files named properly is more "professional".
RenFiles has other features but the most important ones are the described above.
You can find a manual of RenFiles here.
You can get RenFiles binary here.
Next posts will be related to collection storage and sorting methods.
Suscribirse a:
Entradas (Atom)