Descriptions of malware behavior?

Is there a good resource with a listing of malware and their impact on
users' systems? For example, if one wants to know what the "Artemis!"
malware does, where would one look, since Googling it turns up links to
conflicting information about it.

--
Neil



Re: Descriptions of malware behavior?

Neil Gould wrote:
Artemis! is the particular detection engine (or routine) that made the
detection, not the malware name.

Re: Descriptions of malware behavior?



And most likely Heuristic detection.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Descriptions of malware behavior?

David H. Lipman wrote:
OK, then what I'd like to know is whether there is a good resource (or set
of resources) to find out the impact and/or behavior of malware that has
been identified, even if identified "by" Artemis!.

--
Neil



Re: Descriptions of malware behavior?


| David H. Lipman wrote:
| OK, then what I'd like to know is whether there is a good resource (or set
| of resources) to find out the impact and/or behavior of malware that has
| been identified, even if identified "by" Artemis!.
|

There is none for Heuristics.  One needs a specific declaration or for a
family of malware such as Zlob, Zbot, FakeAlert, Swen, NetSky, MyDoom,
Nimda, etc.


--
Dave


Re: Descriptions of malware behavior?

Neil Gould wrote:
If you take the malware name, and search for it on the website of the
vendor that gave it that name, you sometimes get lucky. Not only is
there not such a resource as you describe - they all use different names
for the malware that they detect.

There used to be a website that attempted to cross-reference the
different names used for the same malware, but I don't remember hearing
of it lately, nor have I heard of another to replace it.

Re: Descriptions of malware behavior?


| Neil Gould wrote:
| If you take the malware name, and search for it on the website of the
| vendor that gave it that name, you sometimes get lucky. Not only is
| there not such a resource as you describe - they all use different names
| for the malware that they detect.
|
| There used to be a website that attempted to cross-reference the
| different names used for the same malware, but I don't remember hearing
| of it lately, nor have I heard of another to replace it.

MITRE kept the Common Malware Enumeration (CME) project that is now defunct.

The naming convention was supposed to be that a CME suffix would add the
exclamation mark (!) and CME-### where ### is the number representing the
commonality.
Suffix example: !CME-711
Full name example: Win32/Stration.DH@mm!CME-416



--
Dave

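As an added illustration (not code from any poster, nor from MITRE's CME project), a small Python parser that splits a scanner label into the pieces this thread discusses: an engine/heuristic marker such as Artemis! (which names the detector, not the malware) versus a vendor family name with the optional !CME-### cross-reference suffix. The name grammar, the @tag handling and the helper names are assumptions modelled on the one example given above, Win32/Stration.DH@mm!CME-416.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Engine/heuristic labels named in the thread: they identify the routine
# that fired, not a malware family, so there is no family write-up to find.
HEURISTIC_ENGINES = {"Artemis"}

# Assumed vendor-style grammar: [Platform/]Family[.Variant][@tag][!CME-nnn]
_NAME_RE = re.compile(
    r"^(?:(?P<platform>[A-Za-z0-9_-]+)/)?"      # optional platform, e.g. Win32
    r"(?P<family>[A-Za-z0-9_-]+)"               # family, e.g. Stration
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"         # optional variant, e.g. DH
    r"(?:@(?P<tag>[a-z]+))?"                    # optional @tag, e.g. @mm
    r"(?:!CME-(?P<cme>\d+))?$"                  # optional CME cross-reference
)

@dataclass
class Detection:
    raw: str
    kind: str                      # "heuristic" or "family"
    engine: Optional[str] = None
    platform: Optional[str] = None
    family: Optional[str] = None
    variant: Optional[str] = None
    tag: Optional[str] = None
    cme: Optional[int] = None

def parse_detection(label: str) -> Detection:
    """Split a scanner label into the parts you would search a vendor site for."""
    label = label.strip()
    engine, sep, _rest = label.partition("!")
    if sep and engine in HEURISTIC_ENGINES:
        # "Artemis!..." names the routine that fired, not the malware.
        return Detection(raw=label, kind="heuristic", engine=engine)
    m = _NAME_RE.match(label)
    if not m:
        raise ValueError(f"unrecognised detection label: {label!r}")
    return Detection(raw=label, kind="family",
                     platform=m["platform"], family=m["family"],
                     variant=m["variant"], tag=m["tag"],
                     cme=int(m["cme"]) if m["cme"] else None)

def lookup_key(d: Detection) -> Optional[str]:
    """What to search for: the CME id if present, else the family; None for heuristics."""
    if d.kind == "heuristic":
        return None   # nothing to cross-reference; only sample analysis helps
    if d.cme is not None:
        return f"CME-{d.cme}"
    return d.family
```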

Re: Descriptions of malware behavior?

David H. Lipman wrote:
Thanks for the insights, David.

--
Neil




Re: Descriptions of malware behavior?

FromTheRafters wrote:
Thanks for your explanation. That is consistent with my admittedly limited
experience in trying to find some basic answers to help friends sort out
some odd behavior on their systems.

--
Neil




Re: Descriptions of malware behavior?

kurt wismer wrote:
It appears that you're right about there not being any good resource, but to
take it one step further, I doubt that the anti-malware vendor would be of
much help, either. They may know and not want to be bothered with providing
an explanation, or they may not, and just rely on the code structure of
previously identified malware to ferret it out during a scan.

Thanks...

--
Neil




Re: Descriptions of malware behavior?



Yep, it all depends.

For example, if we discuss it in advance, often I tell someone to submit the
sample to UploadMalware.Com and I'll analyze it and provide a report of my
findings to the submitter.



--
Dave



Re: Descriptions of malware behavior?

[snip]

you're the customer. it's their job to make you happy. if they fail
then you move on to a vendor who will satisfy your needs.

Re: Descriptions of malware behavior?

On 02/07/2012 10:58 AM, Neil Gould wrote:


you could just switch to linux and stop worrying about such things...
--
Perhaps my purpose in life is to serve as a warning to others
Registered Linux User #393236

Re: Descriptions of malware behavior?



Man, you are Grumpy  ;-)

--
Dave



Re: Descriptions of malware behavior?

On 02/08/2012 06:10 PM, David H. Lipman wrote:

well, I pop in here every once in a while and it's the same 'ol same 'ol

oy vey
--
Perhaps my purpose in life is to serve as a warning to others
Registered Linux User #393236

Re: Descriptions of malware behavior?


| On 02/08/2012 06:10 PM, David H. Lipman wrote:
| well, I pop in here every once in a while and it's the same 'ol same 'ol
|
| oy vey

;-)



--
Dave


Re: Descriptions of malware behavior?

On 2/8/2012 1:21 PM, Grumpy wrote:

Or simply stick with Windows and have a great recovery plan. Tis what I
do because IME it is the richest computing environment.

I could care less if I get infected...it takes 15 minutes to remedy the
issue.

I disagree with the prevention first concept. There is no silver bullet.

BTW, Linux /is/ virtually impervious to malware as malware hasn't access
to root. Only about 800 pieces of malware have been discovered that
affect Linux since Linux has been around. Not so for Windows where tens
of thousands of new malware are discovered every year.

So if you are a Windows user, you had better be recovery conscious.
Unless you are a malware expert or ready to shell out the bucks for
those who are, cleaning is a shot in the dark and takes a lot of
experience and time - even for the experts. Besides, the experts are
always a step behind the malware purveyors...it's the nature of the game.

I think Dustin and David would have to agree that even them and other
malware experts are challenged at times in this game.

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail

Re: Descriptions of malware behavior?

"Bear" wrote:


I don't believe that for a minute. A limited Win user also doesn't
have root access. The main problem, apart from social engineering, is
exploitable software vulnerabilities which lead to root (system)
access. If you follow Bugtraq you will see just how many of these
apply to various distributions of Linux and other unix-like systems.


I don't know where that comes from but it may be true.


More likely a few dozen or less. You'll find that while the packers
vary every day or hour, the underlying malware is the same.

The reason Windows is targeted is because that's the OS of the general
public and provides the greatest return to criminals. If a 'nix
variant held market dominance you can be sure that would be the choice
or target for malware.



Re: Descriptions of malware behavior?


| "Bear" wrote:
|
|
| I don't believe that for a minute. A limited Win user also doesn't
| have root access. The main problem, apart from social engineering, is
| exploitable software vulnerabilities which lead to root (system)
| access. If you follow Bugtraq you will see just how many of these
| apply to various distributions of Linux and other unix-like systems.
|
|
| I don't know where that comes from but it may be true.
|
|
| More likely a few dozen or less. You'll find that while the packers
| vary every day or hour, the underlying malware is the same.
|
| The reason Windows is targeted is because that's the OS of the general
| public and provides the greatest return to criminals. If a 'nix
| variant held market dominance you can be sure that would be the choice
| or target for malware.
|

Like there are no new Linux RootKits either.
zer0byte.com/2012/01/19/kbeast-kernel-beast-linux-rootkit-2012

--
Dave

Re: Descriptions of malware behavior?

Bear wrote:

What happens *while* you're 'infected' and how long are you going to run
in that infected state before you decide to reload the known clean image?


Why do you seem to equate prevention with silver bullets? Nobody is
suggesting any silver bullet. The bottom line is that without prevention
you have already lost the battle. Not all malware will be as well
behaved as the malware we are now accustomed to. This commercially
motivated stuff wants to persist and dig in, but cryptovirological
ransomware can still ruin your day.


This advice goes equally well for non-Windows users. There are
catastrophes, other than malware attacks, which cannot be prevented.
*That* is why you need a recovery/restore scheme, not so you can operate
while infected without a care because it is so easy to recover.

[...]
