Wuzzup from BugBopper: What do you think of it?

Discussion in 'other anti-virus software' started by sg09, May 26, 2010.

Thread Status:
Not open for further replies.
  1. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    OK, waiting for my FTP access, PM sent.
     
  2. m0unds

    m0unds Guest

    sort of an odd question, but how are you guys naming malware your product encounters? looking at your malware index, it seems like you're adopting the name given to a particular threat by (presumably) the first third party scanner that classifies it..is this the case?

    just asking out of curiosity.
     
    Last edited by a moderator: Sep 11, 2010
  3. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    Jim wrote you last night. Let me know if things don't get set up perfectly.
     
  4. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    A very long story, but the short answer is No.

    Since the first viruses and Patti Hoffman's VSum, I've been frustrated by malware naming. There are few conventions, in part because a given recognition method can find just one variant, or can find multiple variants, and whatever a product finds, it must name.

    We built BugBopper with several objectives:
    • We need a name immediately, at the moment we determine that the file is malware.
    • We want our names to be as precise as possible. That is, a name should distinguish between variants. "Win32/Malware" can serve in a pinch, but will never be as useful as "Trojan-Banker.Win32.Banker.hmk" or "Backdoor.Win32.Bifrose.axy".
    • We have no business making up names, and adding to the naming confusion, when there are other products that use perfectly good malware names for a given file.

    I personally like one product for its naming precision, but it is so slow that it can't be used realtime in our malware analysis system. So our approach is to use a name provided by a fast scanner -- and we use a half dozen or more to find such a name -- and then later rename the malware once our slow scanner provides a name. Because of zero-day concerns, we always re-scan our collection regularly, and adjust our database as needed.

    It doesn't take long before we've applied that precise name, after which the name is not changed again. You can take a look here at some of the 2.5 million names we use. (I see I need to fix the program that generates this page, but it serves to show a sample of our names.)
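The naming lifecycle described in this post (take the most precise name any fast scanner offers right away, replace it with the slow scanner's name once that arrives, then never rename again) as an added illustration. This is example code written for this page, not BugBopper's code; the scanner labels, the sample verdicts and the "count the name's components" precision heuristic are all assumptions, and the `.hmj` variant suffix is a constructed value.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample verdicts from several hypothetical fast scanners for one
# file. None means "that scanner did not flag the file". The names are the
# ones quoted in the post; the scanner labels are placeholders.
FAST_VERDICTS: List[Tuple[str, Optional[str]]] = [
    ("fast-a", "Win32/Malware"),
    ("fast-b", "Trojan-Banker.Win32.Banker.hmk"),
    ("fast-c", None),
]


def precision(name: str) -> int:
    """Assumed heuristic (not BugBopper's): a name with more components
    distinguishes variants better. 'Win32/Malware' scores 2,
    'Trojan-Banker.Win32.Banker.hmk' scores 4."""
    return len([part for part in re.split(r"[./]", name) if part])


@dataclass
class NameRecord:
    """Naming state for one sample: provisional name now, final name later."""
    sha1: str
    name: Optional[str] = None
    final: bool = False
    history: List[Tuple[str, str]] = field(default_factory=list)

    def name_from_fast_scanners(self, verdicts) -> Optional[str]:
        """Pick the most precise name any fast scanner offers, immediately.
        Ignored once the record is final."""
        if self.final:
            return self.name
        named = [(scanner, name) for scanner, name in verdicts if name]
        if not named:
            return self.name
        scanner, name = max(named, key=lambda v: precision(v[1]))
        self._assign(scanner, name, final=False)
        return self.name

    def name_from_slow_scanner(self, scanner: str, name: Optional[str]) -> Optional[str]:
        """Adopt the slow, precise scanner's name and lock the record so
        later rescans (fast or slow) never rename it again."""
        if self.final or not name:
            return self.name
        self._assign(scanner, name, final=True)
        return self.name

    def _assign(self, scanner: str, name: str, final: bool) -> None:
        self.history.append((scanner, name))
        self.name = name
        self.final = final


def run_demo() -> NameRecord:
    """Walk one constructed sample through the three stages."""
    rec = NameRecord(sha1="<constructed sha1 placeholder>")
    rec.name_from_fast_scanners(FAST_VERDICTS)  # provisional: the 4-part name wins
    # Constructed slow-scanner verdict; ".hmj" is a made-up variant suffix.
    rec.name_from_slow_scanner("slow-precise", "Trojan-Banker.Win32.Banker.hmj")
    # A later fast rescan with a different name is ignored: the record is final.
    rec.name_from_fast_scanners([("fast-a", "Generic.Trojan.Variant.Renamed.x")])
    return rec


if __name__ == "__main__":
    print(run_demo())
```

The record keeps a history of every name it carried, which is what lets a collection be re-scanned regularly (the zero-day concern the post mentions) without the precise final name ever drifting.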
     
  5. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Hi David,
    here are few points..:)
    1. When I perform a scan and some malware gets detected, I get the results in the Scan Progress tab, like Files Examined, Malware Found, Suspects Uploaded and Tracking Cookies Found. But after the scanning is completed and suppose I start a new scan, everything gets reset except Malware Found and Tracking Cookies Found. So for scanning different folders I need to close the application and open it again to reset things. Can you fix this or add an option to open a new scan...!! I understand that you may have kept this to rescan a folder after the suspects have been uploaded, so that the total result can be found. But this is an annoyance most of the time.
    2. Secondly, I have a request. Please add detection of archives too. Although this cannot harm without being extracted, it can be harmful as BugBopper does not provide real-time protection yet.
    3. Another request..:) Can you provide cookie cleaning in the free version like HMP?
     
  6. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
    I hope I'm not the cause of any bandwidth traffic jams :( I currently have about 15 megabits worth of upload, so I'm uploading every executable :)
     
  7. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    At the registration screen of Wuzzup, the title bar says Regisister.
     
  8. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Also, in the Scan Progress bar, the number of files examined also includes the number of folders scanned.
     
  9. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    No traffic jams here. There was a time today when our queue was 10 minutes deep, but right now, the 11 files in the queue arrived in the last 60 seconds. I think we'll be able to keep up -- at least until we have a boatload of customers, at which time we can add more hardware and bandwidth. This is going to work!:argh:
     
  10. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    • I think #1 is pretty close to "bug". Yes, it will be fixed.
    • #2 is a very good idea, and is going into our list of specs for future versions. I think we will be able to scan archives pretty fast.
    • #3 will require lots of thought and care. But I've added it to the to-do list.
     
  11. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Hi David,
    I am getting very slow webpage loading while suspects are being uploaded. How come upload affects webpage loading....:eek:


    Another suggestion:
    Add an option to turn off the PC after files have finished uploading...:)
     
  12. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Slow loads are normal, I think. When my upload speed is 100% in use, I also have slow loads.
     
  13. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    Web page loading might be slow because our uploads are done via HTTP, to prevent firewall issues on user machines. So if you have somewhat limited bandwidth, that might be the cause.

    We have a new release that does better with your collection, but it does not detect them all. I think the issue is that many of your samples were once DOS .com files, which don't have much of an internal structure, so that without the extension, if you look inside, it is hard to tell offhand that they are executables... so they get bypassed. If your set 2 collection were all renamed to their original names, or all had a .com or .exe extension, then we'd detect them on our second pass.

    Let me know what you think.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Have you considered allowing file hashes to be searched via the Web?
     
  15. hawkeen

    hawkeen Registered Member

    Joined:
    Apr 9, 2006
    Posts:
    78
    Hi,

    Can you include an exclude-directory option? There are proprietary executables, DLLs, etc. that could be uploaded due to being unknown. This is problematic and is one reason we are unable to try your product.

    Hawk
     
  16. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Thanks for the update David...:) Yes, in the first set it can scan 497 files now and in the second ~3500. Improved....

    I have noticed few things...
    1. Scanning speed is very fast on a clean set of files. On malware samples it is very slow, ~1 file/sec.
    2. Removal is slow too. It would be nice if you added a progress bar there.
    3. Where is the quarantine located? Put in an option to permanently delete threats.
    4. In the scan progress bar the threat count is still not reset in a new scan (already reported).
    5. Add an option in the scan progress window to show the last infected file and the time passed.
     
  17. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    What is "NO_MALWARE Compressed: NO"?
    Is this malware?
    BB detected two files as this malware. One is a part of PDF OCR and the other is a part of SpywareBlaster...:eek:
     
  18. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    I think this is a great idea.:D Can you tell me a little about how you'd use it, and what interface you'd want? For instance would you only enter MD5s? or would you want other hashes supported too? Would you want to look up on any other criteria, such as a filename, or a file size? Would you want to be able to reference a link to a specific results page (like a Google address)? Give me a little feedback, and I'll build a prototype front end for you to review.
     
  19. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    Our plan is to add a tab with Upload/Analyze controls and info. You'll be able to choose what may/may not be uploaded. When it finally ships, I'll be glad to get feedback from you on whether it meets your needs.
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you :).

    If I have a given file on my computer that I'd like to check, I would get its hash (either MD5 or SHA-1) and then look it up with the hash search. If there is only one record in your database for a given hash, and if you restrict hash types to just MD5 or SHA-1, then a hash search will result in either 0 or 1 item - i.e. no need for a listing of results.

    Having such capability could perhaps serve as free advertising for your products, especially if you also allow other hash checking sites to use your hash checking service. Here are the file hash sites I have in my bookmarks:
    http://isc.sans.edu/tools/hashsearch.html
    https://www.vicheck.ca/md5query.php
    http://www.virustotal.com/search.html
    http://fileadvisor.bit9.com/services/search.aspx
    http://hash.cymru.com/cgi-bin/bulkmhr.cgi

    An advantage that your service would have over most of the aforementioned services is that your service can have big files in your database.

    Also, I wonder if it would be possible to have http://bugbopper.com/SubmitAFile.asp submit a (computed) hash before it submits a file.
     
  21. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    Thanks for all your help on this idea. I will see what I can get going this week, and be back here when I've got something.

    SubmitAFile does a little trick involving hashes: it computes the hash of the uploaded file, checks our database for a page for that hash, parses the page, and merges the parsing results with its live analysis. Of course, if we don't have a page for that hash, our results are thinner.o_O The code behind that page was hairy enough that I want to start fresh with the hash lookup project.
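The two ideas in this exchange, MrBrian's hash search (one MD5 or SHA-1 digest in, zero or one record out) and the hash-then-merge step SubmitAFile is described as doing, as one added example. This is illustration code written for this page, not BugBopper's code or the code behind SubmitAFile; the in-memory dictionary stands in for the per-hash result pages, the two sample byte strings and their records are constructed, and `live_analysis` is a placeholder for whatever real analysis would run.

```python
import hashlib
import re
from typing import Callable, Dict, Optional

# Constructed in-memory "database": hex digest -> analysis record. It stands in
# for the per-hash result pages the post describes; nothing here is real data.
DB: Dict[str, dict] = {}

SAMPLE_MALWARE = b"constructed sample standing in for a known-bad file"
SAMPLE_CLEAN = b"constructed sample standing in for a known-clean file"


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-1 of a file's bytes, the two hash types proposed above."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def add_record(data: bytes, record: dict) -> None:
    """Index one record under both of its hashes, so either digest finds it."""
    for digest in file_hashes(data).values():
        DB[digest] = record


# Constructed records; the malware name is one quoted earlier in the thread.
add_record(SAMPLE_MALWARE, {"verdict": "malware", "name": "Trojan-Banker.Win32.Banker.hmk"})
add_record(SAMPLE_CLEAN, {"verdict": "clean"})

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$")


def lookup(hash_hex: str) -> Optional[dict]:
    """Hash search: accepts one MD5 (32 hex) or SHA-1 (40 hex) digest and
    returns zero or one record, never a list. Anything that is not a
    well-formed digest is rejected before it reaches the database."""
    digest = hash_hex.strip().lower()
    if not HASH_RE.match(digest):
        raise ValueError("expected a 32- or 40-character hex digest")
    return DB.get(digest)


def live_analysis(data: bytes) -> dict:
    """Placeholder for the live analysis step (assumed, not the real one)."""
    return {
        "size": len(data),
        "is_text": all(32 <= b < 127 or b in (9, 10, 13) for b in data),
    }


def submit(data: bytes, analyze: Callable[[bytes], dict] = live_analysis) -> dict:
    """Hash-first submission: compute the hashes, consult the database, and
    merge any cached record into the live analysis. Live results take
    precedence on conflicting keys; an unknown hash yields the 'thinner'
    live-only result the post mentions."""
    hashes = file_hashes(data)
    cached = lookup(hashes["sha1"])
    result = dict(analyze(data))
    result["hashes"] = hashes
    if cached is None:
        result["source"] = "live"
    else:
        for key, value in cached.items():
            result.setdefault(key, value)
        result["source"] = "cache+live"
    return result


if __name__ == "__main__":
    print(lookup(file_hashes(SAMPLE_MALWARE)["md5"]))
    print(submit(b"never seen before"))
```

Because `lookup` is keyed on the digest alone, a client can call it with a locally computed hash before deciding whether to upload the file at all, which is the "submit a hash before the file" step asked about above, and which matters most for the big files the service is meant to handle.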
     
  22. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Hello David,

    and congrats for your bugbopper/wuzzup antimalware.

    -How exactly do you plan to implement such a feature? I think that you should not give the users the ability to select what they want to be uploaded (malware writers will use it to test the detection of their new creations).
    Instead you should add a directory exclusion from scanning as hawkeen suggested; and maybe only for the paid version ;) .

    -Are Wuzzup and BugBopper the same app? Why does Wuzzup ask for registration? o_O

    thanks,
    Panagiotis
     
  23. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    They can do this now, by putting new code in an empty directory, and scanning just that directory, then scanning again in 10 minutes.

    I don't know how this upload/analysis tab will come out. Jim is doing the coding, and we can guess it will be pretty nice, and have something to annoy everyone. But we'll be a step closer to Nirvana.
    I once knew of a company that couldn't find a buyer because they hadn't tracked their user base, and that's what buyers were looking for. In the old days of antivirus, poor Central Point was acquired for its mailing list, not its product. So was Quarterdeck, and many others. I thought we'd be prepared, and try to track who had our product, even if we hadn't sold it to them.
     
  24. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Hi David,
    will you please answer my queries in posts #291 & #292 ..:)
     
  25. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    Thanks for this feedback. I've added it to our growing to-do list. You'll see some of these fixes/improvements in our next release.
     