Great & fast analysis ;-)

Discussion in 'Trojan Defence Suite' started by Godzilla, Dec 18, 2003.

Thread Status:
Not open for further replies.
  1. Godzilla

    Godzilla AV Expert

    Joined:
    Nov 1, 2003
    Posts:
    63
    Hey Gavin,

    just wanna make a short note for your costumers here.

    Rokop did send a "unknown" trojan to various AV/AT vendors (however, it was a variant of AFCORE Trojan, i did get this malware in this morning) and your answer was so far the only correct answer out of other AT vendors ;)

    Great support and fast reply Gavin :D
    Means you are doing a good job at analysing malware ;)

    Regards,
    Michael
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks for the kind words Michael, looking for Gavin's own reaction.
    We know that Diamond guy is really good and on top!
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Michael,
    Thanks, that's very noble of you to acknowledge that :)

    But Gavin will just shrug and tell you he was just doing his job :) (but it seems that others perhaps aren't doing their job?)
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Fastest "Kid" on the block (sic)! Well done Gavin :D
     
  5. Andreas Haak

    Andreas Haak Guest

    You both missed a very important point. Roman sent out the sample at 11 pm CET. Normally AT vendors in Europe would sleep at this point of time. In Perth (GMT+8 am I right?) it was 6 am. So its not a big surprise DCS was faster. They simply didn't sleep at this time or at least started working 7 hours before vendors in Europe.

    Example:
    I got the file. Asked Roman where he found it and if there are other files, too. After this I went to bed and sleept for 8 hours. In the morning someone just said the problem is solved and I didn't analysed it instantly. Instead I just putted it the the "Incoming" folder and it was processed later.

    If I would send out a sample at 0 am WST (which is in fact 7 hours before CET - so it would be 5 pm CET) to DCS and a European vendor the Europe vendor would be faster. Simply cause DCS is sleeping while the other has time to process my sample ;).

    So be carefull with such statements ;).

    BTW: Its exactly the same with reaction times to "high outbreaks" of certain AV vendors. In fact most vendors get the sample at one and the same point of time. But they are all in diffrent time zones. So maybe the analysis department isn't occupied cause its night there ;).
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Truth is this is not a great example. Why ? well it took literally 2 seconds to know what it was.. 2 seconds to see the standard AF / AP (AFlooder / AProxy) trademark text at the start of the file "engineering sample not for private use blah blah" and that it was a randomly named DLL. There wasnt any difficulty in identifying it as one of those 2, so I answered without even looking at the file closely. The reason was so that the user could be told sooner, rather than saying "okay I'll take a look at it" and leaving them with a flooder trojan on their machine.

    A LOT of users seem to be finding that their ISP calls or emails them and says they are flooding, and they have to go get a scanner to remove it. The threat is also "or we cut you off". The amount of these trojans flying around suggests to me that a lot of them have been victim of this exact trojan, AFlooder. Also is the problem of AProxy, which helps attackers be anonymous.

    Funnily enough, after the effort we put into NTFS Stream detection long ago, no real malware surfaced. More than a year on, a prime example is these samples.. known as Afcore and Apdor. TDS should detect ANY of these samples simply by the fact that it highlights any EXE file embedded in a stream with a special warning. Once you know its there you are 99% of the way to being clean :)

    :rolleyes: but anyway it doesnt matter really to argue about things. It was a very quick analysis and didnt expect to be a big deal. Merry Christmas Andreas
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    You missed a point too ;) Some were WRONG apparently, I dont know who was wrong nor does it matter. Maybe they havent seen Apdor and Afcore before. Maybe they were busy or overworked :) a lot of us are
     
  8. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Just another reason for manual signatures, you have someone who knows trojans. Seems logical to me that someone who spends all their time analysing trojans will be faster and better at it then someone who doesn't, regardless of time-zone.

    Good work! :)

    -Jason-
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Isn't it wonderful for us users who know bits or nothing ourselves of the nasties to know ourselves in safe hands all around the clock world wide where always some vendor is adding detection to a database while others might be still asleep or put it in their inbox for later analysis?

    Merry Christmas all and keep it safe!
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, It is good to know that the malware hunters & killers are working round the clock for our security.
    Merry Christmas to them all! :D
     
Thread Status:
Not open for further replies.