Great & fast analysis ;-)

Hey Gavin,

just wanna make a short note for your costumers here.

Rokop did send a "unknown" trojan to various AV/AT vendors (however, it was a variant of AFCORE Trojan, i did get this malware in this morning) and your answer was so far the only correct answer out of other AT vendors

Great support and fast reply Gavin
Means you are doing a good job at analysing malware

Regards,
Michael

 

Thanks for the kind words Michael, looking for Gavin's own reaction.
We know that Diamond guy is really good and on top!

 

Michael,
Thanks, that's very noble of you to acknowledge that

But Gavin will just shrug and tell you he was just doing his job (but it seems that others perhaps aren't doing their job?)

 

Fastest "Kid" on the block (sic)! Well done Gavin

 

You both missed a very important point. Roman sent out the sample at 11 pm CET. Normally AT vendors in Europe would sleep at this point of time. In Perth (GMT+8 am I right?) it was 6 am. So its not a big surprise DCS was faster. They simply didn't sleep at this time or at least started working 7 hours before vendors in Europe.

Example:
I got the file. Asked Roman where he found it and if there are other files, too. After this I went to bed and sleept for 8 hours. In the morning someone just said the problem is solved and I didn't analysed it instantly. Instead I just putted it the the "Incoming" folder and it was processed later.

If I would send out a sample at 0 am WST (which is in fact 7 hours before CET - so it would be 5 pm CET) to DCS and a European vendor the Europe vendor would be faster. Simply cause DCS is sleeping while the other has time to process my sample .

So be carefull with such statements .

BTW: Its exactly the same with reaction times to "high outbreaks" of certain AV vendors. In fact most vendors get the sample at one and the same point of time. But they are all in diffrent time zones. So maybe the analysis department isn't occupied cause its night there .

 

Truth is this is not a great example. Why ? well it took literally 2 seconds to know what it was.. 2 seconds to see the standard AF / AP (AFlooder / AProxy) trademark text at the start of the file "engineering sample not for private use blah blah" and that it was a randomly named DLL. There wasnt any difficulty in identifying it as one of those 2, so I answered without even looking at the file closely. The reason was so that the user could be told sooner, rather than saying "okay I'll take a look at it" and leaving them with a flooder trojan on their machine.

A LOT of users seem to be finding that their ISP calls or emails them and says they are flooding, and they have to go get a scanner to remove it. The threat is also "or we cut you off". The amount of these trojans flying around suggests to me that a lot of them have been victim of this exact trojan, AFlooder. Also is the problem of AProxy, which helps attackers be anonymous.

Funnily enough, after the effort we put into NTFS Stream detection long ago, no real malware surfaced. More than a year on, a prime example is these samples.. known as Afcore and Apdor. TDS should detect ANY of these samples simply by the fact that it highlights any EXE file embedded in a stream with a special warning. Once you know its there you are 99% of the way to being clean

but anyway it doesnt matter really to argue about things. It was a very quick analysis and didnt expect to be a big deal. Merry Christmas Andreas

 

You missed a point too Some were WRONG apparently, I dont know who was wrong nor does it matter. Maybe they havent seen Apdor and Afcore before. Maybe they were busy or overworked a lot of us are

 

Just another reason for manual signatures, you have someone who knows trojans. Seems logical to me that someone who spends all their time analysing trojans will be faster and better at it then someone who doesn't, regardless of time-zone.

Good work!

-Jason-

 

Isn't it wonderful for us users who know bits or nothing ourselves of the nasties to know ourselves in safe hands all around the clock world wide where always some vendor is adding detection to a database while others might be still asleep or put it in their inbox for later analysis?

Merry Christmas all and keep it safe!

 

Yes, It is good to know that the malware hunters & killers are working round the clock for our security.
Merry Christmas to them all!