Thread: Best place to submit a new threat?

  1. #1

    Best place to submit a new threat?

    I was looking through someone's photos on an ImageShack account and one of those rogue anti-malware scanner pages loaded up and attempted to automatically download a setup file which I'm sure won't be what it claims it is.

    My guess is that it is a simple client that will download something far nastier given the chance.

    Neither my firewall nor AV blinked an eye at this, which is worrying.
    I've attached the URL and the suspect setup file (which I haven't run) in case anyone would like a look.

    I also wanted to ask if there was a particular security site or repository that all the AV and firewall vendors use to tackle new threats found in the wild?

    Thanks for reading.

    Password is 'malware'.

    UPDATE: NOD32 now detects it as a variant of the Win32/Kryptic.AMH trojan.
    Last edited by 5aLIVE; October 21st, 2009 at 10:35.

  2. #2
    Yep, rogue anti-malware app that downloads a payload from a Turkish website. Drops two *.tmp.exe files, one is a rogue Windows XP security center. While scanning your computer, the rogue anti-malware app `finds` a large list of false positive files (harmless, mainly exe, dll and ocx) dropped into windows/system32. I suspect it does the drop job itself.

    EDIT: hmm yeap

    EDIT2: As for your question, I'm not aware of sites where you can upload suspicious files for the entire AV community, but some AV sites allow you to send them samples.
    Last edited by Silkut; October 22nd, 2009 at 10:07. Reason: question

  3. #3
    Thank you very much for taking a look at this, you have confirmed my suspicions. This is the first time in a long while that I have come across a malware nasty that got past my security software.

  4. #4
    disavowed
    Quote Originally Posted by 5aLIVE:
    I also wanted to ask if there was a particular security site or repository that all the AV and firewall vendors use to tackle new threats found in the wild?
    Yes there is, but there's no public access to it; you have to be a vetted member of the industry.

    You're best off submitting the sample to your AV/FW vendor through their submission mechanism. Almost every vendor has an online web form (such as https://www.microsoft.com/Security/portal/Submission/Submit.aspx) or an e-mail address to submit new samples. Look around on the vendor's webpage to find it.

  5. #5
    CyberSorcerer
    This particular setup.exe is already being detected by 50% of AV companies, so more than likely the AV you're using is already aware of it.

  6. #6
    bilbo
    In fact 21 out of 41 tested antivirus engines were reporting it as of yesterday:
    https://www.virustotal.com/analisis/89210d942c2e34bcb87dc90d4e3a5f0c40c11f626aaa54ca65c0b6426d925cf2-1256300301

  7. #7
    Thanks for the replies.

    @disavowed, I thought that this type of thing would be restricted to security pros only. I'll send any further threats I find to Eset and Agnitum in the future should the need arise.

    @CyberSorcerer/bilbo, my AV didn't detect the file in the morning when I found it, but was able to catch it in the afternoon.
    Positive proof that your defence is only as good as your latest update.

  8. #8
    schizim
    Because it can be a pain to find an email address to send samples to on some of the AV companies' websites, here is a list I have and use, in case it is of use to someone out there.

    AhnLab-V3 - samples@ahnlab.com;
    AntiVir - virus@avira.com;
    Antiy-AVL - submit@virusview.net;
    Arcabit - virus@arcabit.com;
    Authentium - virus@authentium.com;
    Avast - virus@avast.com;
    AVG - virus@avg.com;
    BitDefender - EMsamples@bitdefender.com;
    CAT-QuickHeal - viruslab@quickheal.com;
    DrWeb - vms@drweb.com;
    eSafe - virus@esafe.com; esafe.virus@eAladdin.com;
    eTrust-Vet - virus@ca.com;
    Ewido - submit@ewido.net;
    FileAdvisor - submitvirus@fortinet.com;
    Fortinet - submitvirus@fortinet.com;
    Ikarus - samples@ikarus.at;
    Immunet - submit@samples.immunet.com;
    K7AntiVirus - k7viruslab@k7computing.com;
    Kaspersky - newvirus@kaspersky.com;
    McAfee - virus_research@avertlabs.com;
    NOD32v2 - samples@eset.sk;
    NOD32 - samples@eset.sk;
    Norman - analysis@norman.no;
    Panda - virussamples@pandasecurity.com;
    Sophos - samples@sophos.com;
    TheHacker - virus@hacksoft.com.pe;
    VBA32 - newvirus@anti-virus.by;
    VirusBuster - virus@vbuster.hu;

    - Cheers

  9. #9
    disavowed
    You can add to that list:
    Microsoft - avsubmit@submit.microsoft.com;

  10. #10
    If I may update this thread, I'd add two more links for malware submission. For the record.
    F-Prot - http://www.f-prot.com/virusinfo/submission_form.html
    F-Secure - http://www.f-secure.com/en_UK/security/security-lab/submit-samples/

  11. #11
    I also thought submission to VirusTotal et al. automatically forwards a sample to AV companies?

  12. #12
    Yes sir !

    Collection and use of submitted samples and personal information
    When you submit a sample file to VirusTotal for scanning, we may store it and share it with anti-malware and security companies (normally the companies participating in VirusTotal receive the samples cataloged as malware that their engines do not detect). The samples can be analysed by automatic tools and security analysts to detect malicious code and to improve anti-virus engines.

    Your personal data may also be anonymised and used for statistical purposes.
    http://www.virustotal.com/privacy.html