Re: win2kup2date.exe ?

[James Tucker <jftucker () gmail com>]

On Fri, 03 Sep 2004 11:19:41 +1200, Nick FitzGerald
<nick () virus-l demon co uk> wrote:
> Über GuidoZ wrote:
>
> > ...  If you want to email me a copy of it, I'll
> > rip it apart and see what can be seen.
>
> And world plus dog should entrust you with such material because???
... most viruses, trojans and malware to not store copies of stolen
data in their executables. Furthermore the file size is very small.

> > P.S. Send it to [...] - it's my "catch all" for
> > virus/unknown files. Just be sure to ZIP it up or else the web host
> > won't let it through. Otherwise I have disabled all checks/scan.
> > Downloads directly to a secured Linux box.
>
> That's all very nice, but alone, far from the makings of someone to
> entrust arbitrary, suspected malware samples to.

"Entrust", just what exactly are you thinking you might be giving away?
 
> I'm also rather suspicious of your promotion of Virus Total.  Hispasec,
> as far as I can tell (Spanish being something I have to have translated
> via online services), has no antivirus or similar product of its own,

I do not necessarily trust this company or their service. Having said
that, if they produced their own Anti-Virus package, to put other
vendors scanning engines in a publicly available service would either
be damaging to their business, or considered anti-competitive.

> yet it has set up, and some folk seem to be promoting, what is
> effectively a sample collection mechanism.  I've also heard vague
> rumblings that Hispasec/Virus Total does not have suitable licenses for
> at least some of the scanners used in its service (and strongly suspect
> that several of the AV vendors whose products are currently used would
> not allow their products to be licensed for use in a service of the
> kind Virus Total offers anyway because it paints a rather disturbing
> trust picture -- "You can trust me because I can run a virus
> scanner...").

Again, you suspect allot of deception here, and while it is of course
possible you are correct, I have yet to see this ever done in
practice. Samples of non-data carrying viruses or trojans are of
little use to anyone other than Anti-Virus firms, as it is easy to
collect raw source for most if one is so inclined.
I agree that it is unlikely they have sufficient client licenses to
provide such a service; however I can see that there are a great deal
of arguments in law about how their case may be won. They may for
example only be required to carry one license, they could argue that
they are simply allowing users to deliberately infect their systems,
and making portions of the logs publicly available.

If there are viruses which commonly copy target system data, or
sensitive data into their binaries at the present time (I imagine the
mention of this deception may well spring at least one such virus)
then I apologise that I am not aware of it. If the report of the virus
name in question is accurate (which IIRC it has been now verified by
someone else) then the binary is not carrying sensitive data.

Having said all of the above, your concern is not mis-placed, and if
you feel uncomfortable with any such possibility of giving away a
minor amount of data, then certainly make good your freedom and choose
not to do so.

There is always no need for aggressive statement of suspicion, which
you are close to here. While I understand aggression due to anger, I
am concerned that one should not get angry at someone offering them a
service merely because one is suspicious of them. What if the offer of
help is entirely genuine?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html