[ale] [OT] Databases of viruses/malware

Watson, Keith krwatson at cc.gatech.edu
Thu Mar 3 08:36:48 EST 2011


> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
> Michael B. Trausch
> Sent: Wednesday, March 02, 2011 17:47
> To: Atlanta Linux Enthusiasts
> Subject: Re: [ale] [OT] Databases of viruses/malware
> 
> Signatures are one thing; the payloads themselves are quite another.  I
> have found one site that seems to have what I'm looking for, but they
> charge > $1,000/mo for access to it.
> 
> Tonight I will be picking up an external HDD that has the critter on it
> (I dd'd the drive it was on to an image file on the external HDD), but I
> was hoping for some sort of a resource that would have the bugs
> themselves.  I would wager a guess that since most of the bugs are out
> there and in the wild, that there has to be someone or someplace that
> has a collection online that would have a list of them as well as the
> actual contents of the program.
> 
> Most of the knowledge bases that I have found in my hunting today have
> proved to be useless; either they are completely unaware of the thing
> that I'm looking for, or they have minimal information on it and the
> family of critters that it belongs to.  Certainly none of them have made
> available the binary, or a disassembly, or any other similarly useful
> information that could be looked at to assess first-hand the impact that
> it might have on a system that it's found its way into.
> 
> I wish I could say that it's an extraordinary event in the world of
> Windows workstations, but it is not.  This is far from the first time
> that I have encountered a piece of software that managed to jump over
> several different hurdles and get into the system itself.  I'm seriously
> considering setting up something such that if a system winds up with
> something nasty on it, one can boot using PXE and select an option that
> will wipe the drive and deploy its own image back to it.  That would
> require about two weeks of active work, of course, but it'd have the
> ability to ntfsclone back to a working state.  What passes for a usable
> OS in Microsoft-land **really** agitates me.
> 
> I will say this: I am really starting to reconsider whether or not I
> want anything to do with networks that have Windows workstations on
> them.  They are awful, nasty things.  I should be spending my time
> incrementally improving network operations and working on project work.
> Instead, every bloody time I turn around, there is SOMETHING that's
> broken.  And as far as this computer system goes, this is the second
> time that it has acquired something... but not the same thing as last
> time, either.
> 
> 	--- Mike

Mike,

What you're asking for is access to a virus zoo. All AV companies and researchers keep one. They are very particular about who they share specimens with, so they will only give you one if you are a known AV company or researcher, and then only through secure channels.

If you know some researchers, I would recommend contacting them directly and seeing if they will give you a sample; otherwise you will have to collect your own samples from the wild.

keith

-- 

Keith R. Watson                        Georgia Institute of Technology
Systems Support Specialist IV          College of Computing
keith.watson at cc.gatech.edu             801 Atlantic Drive NW
(404) 385-7401                         Atlanta, GA 30332-0280
