VirusTotal & Jotti's, when is enough...enough?

Discussion in 'other security issues & news' started by MrGump, Jul 2, 2010.

Thread Status:
Not open for further replies.
  1. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    394
    If I scan a file using VirusTotal and Jotti's and Jotti's finds nothing but ViustTotal only has one program that detects a possible threat, is the file most likly a false alarm?


    Can anyone recommend other online scanner similar to VT and Jotti's?


    Thank you *puppy*
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
  3. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    394
    Thanks JR, but most of those are already used by VT or Jotti, I was hopping for websites similar to those websites. But thanks none the less *puppy*
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,910
    Location:
    U.S.A.
    MrGump, you're welcome! FYI. Both NoVirusThanks and VirusChief are multi-engine scanners, like VirusTotal and Jotti's.
     
  5. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Mr Gump, getting back to your first question ... most of us would agree that if there are few if any "hits" when you submit a file to Jotti and/or VT, the odds are pretty good that yes, it's a false positive if one of your own apps identified it as a threat.

    Even a "unanimous opinion" (that the file's clean, that is) from the online scans is no guarantee, of course, but it's a pretty safe bet. A copy should be submitted to the developers of whatever flagged it as bad in the first place so they can evaluate it further and (hopefully) revise their defs appropriately.
     
  6. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    394
    thanks everyone *puppy*
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That is not a wise assumption to make.

    1) It's well known that the on-board scanner is more often to be better uptodate than the online scanner. One developer remarked that the online scanner was not as thorough as its home product.

    2) Today's polymorphic malware is very capable of fooling scanners. An early example was the Storm malware which updated every few hours. A recent blog on TDSS/TDL3 malware indicated repacking every few minutes, in some cases.

    3) Javascript obfuscation (disguising) where the code is so heavily disguised that scanners fail to create a signature. Another type of obfuscation is "clutter." A good example was the Conficker autorun.inf file which many vendors failed to flag at first because the inclusion of 50+ KB of nonsense ASCII characters.

    4) Modularization is a recent phenomenon. See Bojan Zdrnja's excellent analysis here:

    Malware modularization and AV detection evasion
    http://isc.sans.edu/diary.html?storyid=8857

    Read how he discovered that a file marked clean by all products turned out to be malicious.

    ---------
    rich
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    What about online sandbox analyzers like Anubis and ThreatExpert?
     
  9. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    AFAIK it is possible to write code that checks whether the code is run inside VM/sandbox. This is to thwart analysis, file simply won't execute.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In the Diary I cited,the author mentioned that Anubis was fooled by the file:

    Another analysis tool is Wepawet, for javascript/flash/pdf. It also has been fooled:

    Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
    http://isc.sans.edu/diary.html?storyid=7867
    Static analysis of malicous PDFs (Part #2)
    http://isc.sans.edu/diary.html?storyid=7906
    ----
    rich
     
  11. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hello All!

    Here is my own two cents on this issue...

    First malware is complex, varied and ever changing as in a true polymorphic sense...

    The second variable is that even Virustotal and Jotti scans are based on known variants already included in some database part of the scan member group. This in turns means that if none of them know of the malware it will more than likely be very successful, many will be infected and no one will be the wiser...

    If you have reasons to believe that you have new unknown malware. You can try and use a sandbox analysis project such as JoeBox.org or Anubis and even wepawet. They will even process potentially hostile .pdf or even flash...

    I have written an article The Best Defense is a Powerful Offense! if you read up on SandBox Malware Analyzers (near middle of article) you will find more information and resources listed.
     
    Last edited: Jul 7, 2010
  12. Brian_12

    Brian_12 Guest

  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    VirusTotal and Jotti are looking for known threats. One a few occasions I've had malicious files that weren't recognized my most of the scanners. Those that did alert warned on the packing more than the file itself. One additional thing you can do when you're not sure of the results is to wait a couple of days, then check the file again. The files I tested that only a couple flagged the first time were flagged by about 3/4 of them a few days later.

    If you can't wait for some reason, launch them on a virtual environment, or better yet, a well equipped test PC that monitors the entire install/launch process.
     
  14. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    File 31553543.exe received on 2010.08.03 - Result: 0/42 (0.00%)

    Uploaded for another scan just now:
    31553543.exe received on 2010.08.09 - Result: 22/42 (52.39%)

    test.PNG
     
Loading...
Thread Status:
Not open for further replies.