Malware analysts often need to share samples with each other. This might involve sending malicious files as password-protected email attachments or providing a link where the specimen might be downloaded. Because of the risks and the associated security precautions, sharing malicious program artifacts with other researchers can be tricky. Below are some considerations for engaging in such activities. See the end of this post for the summary of advice on sharing malware samples.

The most common way of sharing a malware sample with another researcher involves embedding the malicious file in a zip archive that has been protected with the password "infected". Password-protecting the file aims at getting the specimen past antivirus scanners and makes it harder for the recipient to inadvertently infect their system.

When sharing malware samples with other researchers, what password do you use for the archives? The informal poll I conducted on Twitter confirmed the use of "infected" as the most common password, which has long been considered the industry standard. It was followed by the password "malware" as the distant second, which happens to be my choice for several reasons:

- Researchers are so used to the password "infected" that they might type it without giving it a second thought. I prefer the recipient to give explicit consideration to the nature of the file they are about to extract from the archive.
- Antivirus tools know about the password "infected" and can use it to extract and scan the archive's contents. This action can cause unnecessary alarms and can prevent the sample from reaching the intended recipient.

The classic problem with "infected" was outlined by Brian Baskin, who noticed that Gmail was blocking access to email attachments that contained malware zip'ed with that password. This behavior occurred due to the automated actions performed by the antivirus engine used by Google to scan email attachments. Google Drive appears to automatically try "infected" to scan password-protected zip files, and will flag them accordingly, stating "Sorry, this file is infected with a virus" and "Only the owner is allowed to download infected files."

On the other hand, using the password "infected" is convenient when uploading the sample to third-party tools that know about this common practice. For instance, VirusTotal automatically tries this password when you upload a zip'ed file to this popular malware-researching site, as shown in the screenshot below.

Using a less common password increases the chances that the sample won't be blocked or flagged when you share it with someone, though this approach is not without fault.

Download Links

Email gateways might be configured to block messages that contain password-protected archives, regardless of the password used to protect them. Rather than sending the malware archive as an email attachment, consider uploading it to a website from which the other researcher will be able to download it.

Virus Total link you submitted is for the URL of the installer, not for the file.

į1601b09cd0c9627b1aab7299b83529e8fbc6b5078e43dfd81a1b0bfcdf4a308

If the file triggers an Antivirus signature, this is most likely the case of a signature collision. Signature collisions happen when the digital patterns of a Benign file that the firewall looks at to determine a match with a virus signature coincide with those of a sample that has been determined to be Malware (which includes the possibility of a signature collision with a False Positive). In this particular case, the Signature Collision is with sample f70870509dc2845e1720e68957f7a159b2cd7a2f69950d4707119f9bd5a6c5cc, which is a trojanized version of the 7zip installer.

In general, the recommendation in cases like these is to create an Antivirus Exception in the Antivirus profile tied to the Security Policy matching your traffic. The reason why we can't disable the signature is because that would mean that we would allow both the Benign installer and the trojanized version, resolving the problem for you but exposing everyone else to get infected.

One of the possible counter-measures to this is to increase the specificity of the Malware signature, to make sure it matches the Malware variant and not the Benign file. The increased specificity of the signature does not always resolve the collisions, but I will give it a try and come back to you with our results.