Malware collections

Forum for analysis and discussion about malware.

EP_X0FF
Global Moderator
Posts: 4803
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

May 2011

Post by EP_X0FF » Sat Jun 18, 2011 11:20 am

May 2011 collection
944 Mb multi-part RAR archive (split into four parts); uncompressed size is about 1.21 Gb

Generated file info (note: only detected files; MD5 hash + Dr.Web-style detection name) is in the attachment.

http://www.megaupload.com/?d=LFCLQAKV
http://www.megaupload.com/?d=JVZBL2EQ
http://www.megaupload.com/?d=Z9G7G91C
http://www.megaupload.com/?d=4E5HSW4K

Pass: malware
If someone is willing to make some additional mirrors, it's appreciated.
Ring0 - the source of inspiration


EP_X0FF
Global Moderator
Posts: 4803
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Ransomware dump

Post by EP_X0FF » Sat Sep 17, 2011 9:17 am

Ransomware samples collected in July-August and the beginning of September, including all pornoroliks (WinAD), LockEmAll, Pornoblockers, etc. Can be used as a perfect test for revealing the FakeAV widely installed on VirusTotal (see the numbers of incorrect detections, hash-sum-calculated detections, stolen detections, or no detections at all even after 2 months).

http://www.megaupload.com/?d=PR8N7N1V

Pass: malware
Compressed size 56.1 Mb
Uncompressed 98.7 Mb
1479 files.
Ring0 - the source of inspiration

kmd
Posts: 268
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation

Re: Malware collections

Post by kmd » Sat Sep 17, 2011 12:46 pm

tnx
"stolen detections"
what does it mean?

EP_X0FF
Global Moderator
Posts: 4803
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Malware collections

Post by EP_X0FF » Sat Sep 17, 2011 1:27 pm

kmd wrote: what does it mean?
For example, this.

Some of the AVs installed on VT are multi-engine based, so it's OK when, for example, GData and BitDefender or Ikarus and Emsisoft show the same detection. But most scanners are not multi-engine based.
Take a look at Avira.

TR/Ransom.DN.332

it was created from the initial Microsoft detection Trojan:Win32/Ransom.DN; later, in August/September, DN was extended to ER, which is exactly what you see in the report.

Another example. A friend of mine sent me Avira's response to a submitted ticket.
Avira wrote: The file cd627d26e92e.... has been determined to be 'RISK'. Our analysts named the threat SPR/Tool.Vbcrypt.H.2. The term "SPR/" ("Security or Privacy Risk") denotes a program that might possibly be able to affect the security of your system, might trigger activities you might not want or might violate your privacy. Detection is added to our virus definition file (VDF) starting with version 7.11.12.143.
Response time Jul 28, 2011 09:32 AM UTC
SPR/Tool.Vbcrypt.H.2

this file is Trojan Ransom Pornorolik/WinAD (crypted by a VBCrypt variant); clearly the detection name is not completely correct. But how did they generate it?

cd627d26e92e.... was received Jul 28, 2011 04:18 AM UTC
cd627d26e92e.... analysis was finished Jul 28, 2011 04:45 AM UTC

The object was assigned VirTool:Win32/Vbcrypt.gen!H (a generic detection based on the crypter used).

Updated definitions released. Likely Avira has a special multi-scanner in their lab (just like VT but without FakeAVs). It seems that due to a lack of resources (or of the qualification to write a real automatic analysis system) some percentage of the files submitted to Avira are processed by special bots (or maybe human bots) which do only one thing: a scheduled re-scan with the multi-scanner, and if somebody from the "trusted partners" releases a malware detection, these bots copy it (seemingly only the name) + some quick hash-based signature + a number. Judging by the ransoms, Avira also loves to steal detections for Trojan:Win32/Ransom.ER and Trojan:Win32/Ransom.DF. It seems their multi-scanner includes the following products: BitDefender, Dr.Web, Ikarus, Kaspersky, MSE and maybe Symantec. The initial copy-pasted detection may change in the future when some Avira analyst finally takes a look at the crap they have generated as a detection. IDK what percentage of the Avira DB is stolen from others. I think it will be a sufficient number.
Ring0 - the source of inspiration
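The name-lineage pattern EP_X0FF describes above (Avira's TR/Ransom.DN.332 appearing after Microsoft's Trojan:Win32/Ransom.DN, while shared names between GData/BitDefender or Emsisoft/Ikarus are expected) can be checked mechanically from a multi-engine report. This is an added example, not code from the forum or from any vendor; the NOISE and LICENSED tables, the Dr.Web/BitDefender/GData names and all dates in the sample report are assumptions constructed for illustration.

```python
import re
from datetime import date

# Tokens carrying no family information in the naming formats quoted in the
# thread: "Trojan:Win32/Ransom.DN", "TR/Ransom.DN.332", "SPR/Tool.Vbcrypt.H.2",
# "VirTool:Win32/Vbcrypt.gen!H". Assumed list; extend for other vendors.
NOISE = {"trojan", "tr", "spr", "virtool", "tool", "win32", "w32", "gen"}

# Products that license another engine, so identical names are expected there
# (the GData/BitDefender and Emsisoft/Ikarus pairs from the post). Assumed mapping.
LICENSED = {"GData": {"BitDefender"}, "Emsisoft": {"Ikarus"}}

def family_key(name):
    """Reduce a vendor detection name to a comparable (family, variant) pair."""
    tokens = [t.lower() for t in re.split(r"[:/.!]", name) if t]
    # drop category/platform noise and numeric counters such as ".332" or ".2"
    tokens = [t for t in tokens if t not in NOISE and not t.isdigit()]
    if not tokens:
        return None
    return (tokens[0], tokens[1] if len(tokens) > 1 else "")

def shares_engine(a, b):
    """True when one product is known to embed the other's engine."""
    return b in LICENSED.get(a, set()) or a in LICENSED.get(b, set())

def suspected_copies(report, window_days=60):
    """Flag engines whose name collapses to a (family, variant) key that an
    unrelated engine already used earlier for the same sample.
    report: dicts {engine, name, added}; `added` is the date the engine's
    signature first fired. Returns (later_engine, earlier_engine, key) tuples."""
    rows = []
    for r in report:
        key = family_key(r["name"])
        if key:
            rows.append((r["added"], r["engine"], key))
    first_use = {}  # key -> (date, engine) of the earliest engine using it
    findings = []
    for added, engine, key in sorted(rows):
        if key not in first_use:
            first_use[key] = (added, engine)
            continue
        first_date, first_engine = first_use[key]
        if engine == first_engine or shares_engine(engine, first_engine):
            continue
        if (added - first_date).days <= window_days:
            findings.append((engine, first_engine, key))
    return findings

# Constructed multi-engine report for one sample (all dates and the Dr.Web,
# BitDefender and GData names are made up for illustration).
SAMPLE_REPORT = [
    {"engine": "Microsoft", "name": "Trojan:Win32/Ransom.DN", "added": date(2011, 7, 20)},
    {"engine": "DrWeb", "name": "Trojan.Winlock.4012", "added": date(2011, 7, 21)},
    {"engine": "BitDefender", "name": "Trojan.Generic.KD.123456", "added": date(2011, 7, 22)},
    {"engine": "GData", "name": "Trojan.Generic.KD.123456", "added": date(2011, 7, 22)},
    {"engine": "Avira", "name": "TR/Ransom.DN.332", "added": date(2011, 8, 2)},
]

if __name__ == "__main__":
    for later, earlier, key in suspected_copies(SAMPLE_REPORT):
        print(f"{later}: name matches {earlier}'s earlier {key} detection")
```

A match only says the name lineage is shared, not that the signature was copied; the ticket timestamps in the post are the other half of the evidence.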

rkhunter
Posts: 1152
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Malware collections

Post by rkhunter » Sat Sep 17, 2011 1:41 pm

I noticed the stolen detections also for ZeroAccess/Sirefef and Alureon/Tidserv. Even when Kaspersky added a false dropper detection, for example naming the TDSS dropper as ZAccess and vice versa, some vendors had similar errors; and it was not once. Simply because of the large number of ransom samples, unlike the ZAccess dropper or Alureon/TDSS, you can see it more clearly. I did not analyze the dates of tickets as EP_X0FF did, but the result was obvious.

kmd
Posts: 268
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation

Re: Malware collections

Post by kmd » Sat Sep 17, 2011 1:48 pm

thanks for the explanations!
I also found this http://www.anti-malware.ru/forum/index. ... =3930&st=0
very fun reading :D

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collections

Post by markusg » Sat Sep 17, 2011 2:12 pm

Can you perhaps post the ransom link again? It's not working, I think.

rkhunter
Posts: 1152
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Malware collections

Post by rkhunter » Sat Sep 17, 2011 2:17 pm

The last link is working perfectly.
