Wuzzup from BugBopper: What do you think of it?

Discussion in 'other anti-virus software' started by sg09, May 26, 2010.

Thread Status:
Not open for further replies.
  1. mrgigabyte

    mrgigabyte Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    126
    I agree; I also would like to be able to mark specific files or programs as safe if you are 100% sure they are safe, but I do like the scoring system also, so I would like BugBopper to keep that :thumb:

     
  2. Securon

    Securon Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    1,960
    Location:
    London On
    Good Morning ! Mr. Bugbopper...during I suspect the scan end, the following box and declaration pops up...Application Error...Exception EAccess Violation in module Bugbopper.exe at 00000000.Access violation at Address 00000000...Read of Address 00000000. This is after that other warning Program Error 2123-125EF Create Error makes itself known. As you can appreciate I'm wondering if the scan has been completed or does the application have a bug that has to be bopped...er...fixed. Sincerely...Securon
     
  3. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    I think that the problem is likely this: In Vista or Windows 7, you ran BugBopper as a mortal, rather than Administrator. On exit, after the scan was totally complete, BugBopper tried to update BugBopper.ini, to remember your settings for next time. Not being Administrator, the OS might have blocked it. If this is the case, then when you run BB again, you should see that your most recent changes to your settings were not saved.

    Assuming that I'm right, then you can "fix" the problem by always running as Administrator.

    Let me know if this was a good guess, or if I'll need to call in the smart guys.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ BugBopperGuy

    Further to my other suggestions in the other thread.

    All files to be uploaded should be HEAVILY compressed to limit both ours and your bandwidth. This could be on an individual file basis, or on the whole lot compressed into one big Zip etc. Or you could compress/upload in batches per so many Mbytes.

    Also this would be a way so people could choose when to upload, at their convenience, maybe at night etc.

    My brief encounter with the upload process was that they start getting uploaded straightaway. This need not be the case, as files flagged by you, and allowed by us, could be getting compressed straightaway instead, then uploaded later. All of these suggestions could of course be options, but I believe HEAVY compression at least is the only sensible/realistic way to go.
     
  5. guest

    guest Guest


    Sometimes the CPU power is more expensive than the bandwidth, I mean for the BugBopper servers. The process of decompressing the files uses 100% of the CPU. Maybe this is why...
     
  6. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    Good suggestion. We compress now, but don't go to the maximum possible compression because of the CPU costs (and extra time) in the user's machine, v. the modest additional improvement in size. We have a lot of bandwidth at our end, and a lot of horsepower in our servers, so the issues are entirely keeping the load light in the user's machine.

    We are now at work at allowing control over what is sent, and details of what is sent. I think folks here will like what we've designed. It will probably be 2 weeks before anyone sees it, though.
     
  7. buckslayr

    buckslayr Registered Member

    Joined:
    Jun 1, 2009
    Posts:
    484
    Location:
    Michigan, USA
    @BugBopper, on another thread you talked about real time protection. Is this coming soon? Will it be similar to MBAM or will it be sufficient as a stand-alone?
     
  8. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    Our approximate development sequence:
    • Upload/Analysis log, with controls, messages. A new tab. Maybe 2 weeks.
    • Right-click scanning.
    • Command-line version.
    • On Access scanner. Not sure how this will be implemented -- we haven't started.
    • Machine rescue tool.

    Guessing dates for various goals is hard. On Access might be a Christmas present.
     
  9. guest

    guest Guest

    Yesterday I used Wuzzup on a clean computer with 2 0day malware on the desktop.
    Wuzzup didn't detect anything, so what happens with these 2 files that were not detected? Are they included in the whitelist forever?
    What happens if another person has the same files? He will not upload the files because the files are safe?
     
  10. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    Good questions.

    First, let's make sure that Wuzzup looked at these files. Can you save them to some directory on disk, such as c:\badboys, and then just scan that directory? If these files don't have the standard extensions of an executable, then also click "Any Extension" before you scan. Does Wuzzup now identify these files as malware, or upload them for analysis? If so, that means Wuzzup didn't scan the desktop after all.

    If these files are not uploaded, and not identified as malware, but are scanned, it means that in the lab we decided that they were not malware. Can you please email them to me, as attachments, to David@BugBopper.com. I'll take a look at them right away.

    Nothing is ever stuck on a whitelist or blacklist. We have many procedures in place that allow us to change our judgments when new information comes along. Recently, we found 2 files that we once thought were good, but in fact were malware. These files were nestled in a group of 7 million files we had thought were clean. So mistakes sometimes happen. But our back office procedures are designed to not let them last for long. And our use of multiple approaches in the lab assures that we usually get it right the first time.
     
  11. guest

    guest Guest

    I put the malware in a folder and now they are identified as malware.
    Anyway, yesterday I checked the option "all executable files" so the files probably were uploaded, but maybe I didn't give enough time to BugBopper when I scanned the computer again.

    Anyway, these are the MD5s of both files
    •MD5: 779ea5edb09095289c477db11b90936d
    •MD5: 2c8e799ac0f185fc61dde388a7b1bb47
    I have now also uploaded the files using http://bugbopper.com/scan.php

    I have noticed that now we can't see in the report which engines you are using :p
     
  12. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    We had a little analysis backlog yesterday -- I think up to 10 minutes or more -- but things are back under control now. Info on your first MD5 is now published at http://BugBopper.com/MalwareInfo/MD5/77/779ea5edb09095289c477db11b90936d.asp. Our crazy name for this malware is "VirTool.Win32.Obfuscator.da!a (v)" and a page on it is at http://BugBopper.com/MalwareInfo/Name/vi/VirTool_Win32_Obfuscator_da_a_v.asp

    Info on the second is at http://BugBopper.com/MalwareInfo/MD5/2c/2c8e799ac0f185fc61dde388a7b1bb47.asp, we call it "AutoIt.BEJ", and some more info may be found at http://BugBopper.com/MalwareInfo/Name/au/AutoIt_BEJ.asp.

    BugBopper uses our own engine, which is why it is so small, runs so fast, and has such great detection. It was designed to address our modern circumstances, and doesn't take the same approaches as other traditional scanners.
     
  13. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    @BugBopperGuy is online now

    I wrote a PM to you but got no answer, so I will ask here: I need an e-mail address to submit malware.
     
  14. guest

    guest Guest

    But when you scan the files online I saw in the report that you used some commercial AV like QuickHeal, CA, Sunbelt... no? Something like Hitman Pro.
     
  15. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    For our online analysis at http://www.bugbopper.com/SubmitAFile.asp, we provide info on other scanner detections. When a file is malware, having the names used by a variety of scanners helps figure what it does, and even whether it is "real". For instance, if the word "packed" or "suspicious" occurs in most of the names, it could be a false alarm.

    For our back office analysis, we usually use many tools, including many scanners, and count on Norman Sandbox for another view. You can see such results at http://www.bugbopper.com/MalwareInfo/MD5/04/04871d17dbbd1911afc76aad6d9dbd20.asp

    For BugBopper, very little "analysis" occurs in your machine, because too many resources -- including time, CPU, various other tools -- are required to do it right, and we want to do it right. So BugBopper's "engine" draws from our database, which in turn is populated by the firepower in our lab.
     
  16. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    :oops: My apologies! I sent you a private reply, and will write again this afternoon. My email address: David@BugBopper.com
     
  17. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    No problem.
    Are RAR archives OK, or does your server not accept RAR archives?
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ BugBopperGuy

    Extra suggestion ;)

    I wonder if = IF it "might" be possible to locally scan ONLY the headers, initial significant bytes etc, of files, maybe in a sandbox within WU/BB? This way just this data could be uploaded for comparison etc etc, saving lots of time/CPU/bandwidth etc.

    May not be enough data there for you? But if it could work then :) Just an idea ;)
     
  19. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    .Rar is just fine. Thanks.
     
  20. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Yes I saw, the address works and I sent you the first file; today was not so much :d
     
  21. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    For a file with a whacky extension, we do check the first bytes to see if it is executable. But I don't know of any way to learn whether a file is definitely a bad thing or not by looking at just the top of it. Some guesses can be made from things like the Copyright notice, but many executables won't have such characteristics. Many prepending viruses can be identified by looking at the first 100 bytes or so, but most of our malware is of other sorts.

    I think this idea is worth continued thought... I don't mean to shoot it down.
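
    Added example, not part of the original post and not BugBopper's code: one way to check the first bytes of a file for an executable header regardless of its extension, as the post above describes. The extension list, function names and sample bytes are assumptions constructed for illustration.

```python
import os
import struct

# Assumed list of "standard" executable extensions (not BugBopper's own list).
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".com", ".cpl", ".ocx"}

def is_pe(head: bytes) -> bool:
    """True if the leading bytes hold an MZ stub pointing at a PE signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C, little-endian u32) locates the PE header.
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    # A slice past the end comes back short, so a truncated read fails safely.
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def executable_kind(head: bytes):
    if is_pe(head):
        return "pe"
    if head[:2] == b"MZ":
        return "mz-only"   # DOS program, or PE header beyond the bytes read
    if head[:4] == b"\x7fELF":
        return "elf"
    return None

def triage(filename: str, head: bytes) -> dict:
    """Flag files whose content is executable but whose extension is not."""
    ext = os.path.splitext(filename)[1].lower()
    kind = executable_kind(head)
    return {"kind": kind, "disguised": kind is not None and ext not in EXEC_EXTENSIONS}

def read_head(path: str, size: int = 4096) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(size)

def constructed_pe_head() -> bytes:
    """Constructed sample: 64-byte DOS header + PE signature, no real code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)

if __name__ == "__main__":
    pe = constructed_pe_head()
    print(triage("holiday.jpg", pe))                            # PE behind an image extension
    print(triage("setup.exe", pe))                              # PE with a normal extension
    print(triage("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(60))) # JPEG magic, not executable
    print(triage("cut.dat", pe[:0x40]))                         # header cut before the PE signature
```

    The result only says whether the content is executable; as the post notes, it does not tell a good file from a bad one.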
     
  22. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    I received it, and have tossed it into our queue for processing. Thanks.

    If you will have some quantity in the future, I'll give you an FTP account, and you can upload them for processing that way.
     
  23. andylau

    andylau Registered Member

    Joined:
    Jan 27, 2006
    Posts:
    698
    WOW~~ these new things look very good :D

    Hope to see them ASAP :cool:

    When will we have these things?
    - Right-click scanning.
    - Command-line version.
    - Machine rescue tool.
     
    Last edited: Sep 8, 2010
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Thanks :thumb:

    No offence taken :)
     
  25. BugBopperGuy

    BugBopperGuy Registered Member

    Joined:
    Jul 1, 2010
    Posts:
    131
    Location:
    Potomac MD USA
    We're beavering away here. And of course, there are lots of other little things to do along the way. I think that the three things in your list will likely be ready in 2-3 months. But I usually confuse hope and expect, and some might take longer.
     