ThreatExpert


~BD~

Nov 1, 2014, 5:17:05 AM
ThreatExpert is an advanced automated threat analysis system designed to
analyze and report the behavior of computer viruses, worms, trojans,
adware, spyware, and other security-related risks in a fully automated mode.

In only a few minutes ThreatExpert can process a sample and generate a
highly detailed threat report with the level of technical detail that
matches or exceeds antivirus industry standards such as those normally
found in online virus encyclopedias.

http://www.threatexpert.com

--
I wondered if it is a tool used by anyone reading here!

Virus Guy

Nov 1, 2014, 9:58:39 AM
According to ThreatExpert:

===========
In only a few minutes ThreatExpert can process a sample and generate
a highly detailed threat report with the level of technical detail
that matches or exceeds antivirus industry standards such as those
normally found in online virus encyclopedias.

http://www.threatexpert.com
===========

~BD~ asks:

> I wondered if it is a tool used by anyone reading here!

I submitted the two samples I posted yesterday to threat expert about
1/2 hour ago. But their site is currently listing the results of
submissions that happened 2 hours ago.

So their claim of "in only a few minutes" is clearly wrong.

The most recent submission they are listing which caused a malware
detection happened at 5:30 am today. This is their so-called "highly
detailed threat report" for that submission:

http://www.threatexpert.com/report.aspx?md5=db6e928b77e28b0a0dd846343e8e4319

=========================
* Submission details:
    o Submission received: 1 November 2014, 05:23:50
    o Processing time: 6 min 7 sec
    o Submitted sample:
        + File MD5: 0xDB6E928B77E28B0A0DD846343E8E4319
        + File SHA-1: 0x13B03F908CEF4B986FE136640420455AD7121362
        + Filesize: 167,936 bytes
        + Alias: Trojan.Win32.Spy [Ikarus]


Technical Details:

* The new window was created, as shown below:

http://www.threatexpert.com/getimage.aspx?uid=76a2c2ee-e078-4b72-95fb-36e6059a5d6e&image=screen&sub=1

(that image shows a window with the title "Weather Watcher Live 7.x")

Memory Modifications

* There were new processes created in the system:

Process Name                  Process Filename                       Main Module Size
Tempweather.exe               %LocalSettings%\tempweather.exe        94,208 bytes
[filename of the sample #1]   [file and pathname of the sample #1]   N/A
=========================

A web-search for "Weather Watcher Live 7.x" turns up many hits. Here's
one:

http://www.highpcspeed.com/errors-exe/weather.watcher.live.7.x-patch.exe.html

Here's more:

http://www.herdprotect.com/weather.watcher.live.7.x-patch.exe-aa31d377ac9db51bfd701cb7f5297b4c36f5e4c2.aspx

https://www.virustotal.com/en/file/57f24605f29aa7e59d1f3346cfcde49adeaffc2f6d551a8a6450ff670e9ac444/analysis/

VirusTotal has several information pages or tabs that tell you more
about the files being submitted. One of those tabs is "Behavioural
information" which tells you what files were opened, created, deleted,
DLL's used, UDP/TCP communications.

So basically I don't see how Threat Expert can make the claims that you
posted about the level of detail of its reports. Their reports are
pretty bland, actually.

It is now 9:53 am, and I still don't see my submissions showing up.

They have 2 new posted results from earlier submissions. Here is the
latest one:

http://www.threatexpert.com/report.aspx?md5=d766ec998f96e6269011465b20c45c63

Submission received: 1 November 2014, 08:44:49

So clearly it is taking more than 1 hour to process and post results.

And again, the level of analysis detail that they publish is pretty
lame.

So I expect the results of my 2 submissions to show up in 15 to 30
minutes. I'll post back here those results when or if I see them.

Virus Guy

Nov 1, 2014, 10:54:19 AM
Virus Guy wrote:

> So I expect the results of my 2 submissions to show up in 15 to 30
> minutes. I'll post back here those results when or if I see them.

So here is one result:

http://www.threatexpert.com/report.aspx?md5=41b50686b86af4d679b735ce456d539b

* The following Internet Connection was established:

Server Name      Server Port   Connect as User   Connection Password
198.74.56.121    443           (null)            (null)

There was outbound traffic produced on port 443:


Trying to bring up that IP as an HTTPS request gives an error. Trying
just http redirects to:

http://198.74.56.121/install.php?profile=default

Which is either trying to install or offering me something called
"Drupal".

The IP rDNS is rockfish.pelagicsoftware.com.

http://rockfish.pelagicsoftware.com/

Pelagic Software
5501 Patterson Ave
Suite 201
Richmond, VA 23226
804.631.3474

So they seem to have a web server that is hacked. Is anyone here going
to tell them?

You will note that there is no indication in this ThreatExpert report
that this file was detected as malware/viral. It is not yet showing up
in the public files-analyzed page.

~BD~

Nov 1, 2014, 11:11:16 AM
On 01/11/2014 14:55, Virus Guy wrote:
> Which is either trying to install or offering me something called
> "Drupal".

Drupal is a free and open-source content-management framework written in
PHP and distributed under the GNU General Public License. It is used as a
back-end framework for at least 2.1% of all Web sites worldwide ranging
from personal blogs to corporate, political, and government sites
including WhiteHouse.gov and data.gov.uk. It is also used for knowledge
management and business collaboration.

The standard release of Drupal, known as Drupal core, contains basic
features common to content management systems. These include user
account registration and maintenance, menu management, RSS feeds,
taxonomy, page layout customization, and system administration. The
Drupal core installation can serve as a simple Web site, a single- or
multi-user blog, an Internet forum, or a community Web site providing
for user-generated content.

http://en.wikipedia.org/wiki/Drupal

It seems bonio fido! ;-)

David Ritz

Nov 1, 2014, 2:22:27 PM

On Saturday, 01 November 2014 10:55 -0400,
in article <m32s6m$t48$1...@speranza.aioe.org>,
Virus Guy <Vi...@Guy.com> wrote:

> Virus Guy wrote:

>> So I expect the results of my 2 submissions to show up in 15 to 30
>> minutes. I'll post back here those results when or if I see them.

> So here is one result:

> http://www.threatexpert.com/report.aspx?md5=41b50686b86af4d679b735ce456d539b

> * The following Internet Connection was established:

> Server Name Server Port Connect as User Connection Password
> 198.74.56.121 443 (null) (null)

198.74.56.121 rockfish.pelagicsoftware.com : zen.spamhaus.org :
BLOCKED (127.0.0.2)
http://www.spamhaus.org/sbl/query/SBL235769

<quote>
Asprox botnet controller @198.74.56.121 [compromised server]
</quote>

$ whois -h whois.abuse.net linode.com
ab...@linode.com (for linode.com)

--
David Ritz <dr...@mindspring.com>
Be kind to animals; kiss a shark.

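The zen.spamhaus.org lookup David shows above is a plain DNS query against a reversed-octet name, and the 127.0.0.2 answer is the SBL return code. The script below, added here and not part of the thread, does that lookup for an IP pulled from a sandbox report and maps the answer to a listing type; the resolver is injectable so the logic can be checked offline, and the code table is Spamhaus' documented ZEN return codes.

```python
"""DNSBL check for an IP seen in a sandbox report (added example, not from the thread).

Lookup: reverse the octets, append the zone, resolve an A record.
For zen.spamhaus.org an answer in 127.0.0.0/8 means "listed"; 127.255.255.x
answers are query errors, not listings. Replace resolve= to test offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Spamhaus ZEN return codes (documented by Spamhaus).
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",        # Spamhaus Block List (the 198.74.56.121 case above)
    "127.0.0.3": "SBL CSS",    # SBL "snowshoe"/compromised host listings
    "127.0.0.4": "XBL",        # exploits / infected hosts
    "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",       # policy: dynamic/end-user space
    "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """1.2.3.4 -> 4.3.2.1.zone; IPv4Address() rejects malformed input."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_zen_answer(answer: Optional[str]) -> str:
    """Turn the A-record answer (or None for NXDOMAIN) into a verdict string."""
    if answer is None:
        return "not listed"
    a = ipaddress.IPv4Address(answer)
    if a in ipaddress.IPv4Network("127.255.255.0/24"):
        return "query error (open resolver or query volume; not a listing)"
    if a not in ipaddress.IPv4Network("127.0.0.0/8"):
        return "unexpected answer (treat as DNS interference, not a listing)"
    return ZEN_CODES.get(answer, "listed (unknown code)")


def _resolve_a(name: str) -> Optional[str]:
    """Default resolver: a real DNS lookup; NXDOMAIN/failure -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zone: str = "zen.spamhaus.org",
             resolve: Optional[Callable[[str], Optional[str]]] = None) -> Dict[str, Optional[str]]:
    """Run the lookup and return ip, query name, raw answer and verdict."""
    name = dnsbl_query_name(ip, zone)
    answer = (resolve or _resolve_a)(name)
    return {"ip": ip, "query": name, "answer": answer,
            "verdict": classify_zen_answer(answer)}
```

Run against a recursive resolver you control; public resolvers are rate-limited or refused by the zone and will surface as the "query error" verdict rather than a listing.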