Re: [Full-Disclosure] win2kup2date.exe ?

From: James Tucker
Date: 09/03/04

  • Next message: Scenobro: "[Full-Disclosure] Where to submit a suspected trojan or virus?"
    Date: Fri, 3 Sep 2004 02:19:07 +0100

    On Fri, 03 Sep 2004 11:19:41 +1200, Nick FitzGerald
    <> wrote:
    > Über GuidoZ wrote:
    > > ... If you want to email me a copy of it, I'll
    > > rip it apart and see what can be seen.
    > And world plus dog should entrust you with such material because???
    ... most viruses, trojans and malware do not store copies of stolen
    data in their executables. Furthermore the file size is very small.

    > > P.S. Send it to [...] - it's my "catch all" for
    > > virus/unknown files. Just be sure to ZIP it up or else the web host
    > > won't let it through. Otherwise I have disabled all checks/scan.
    > > Downloads directly to a secured Linux box.
    > That's all very nice, but alone, far from the makings of someone to
    > entrust arbitrary, suspected malware samples to.

    "Entrust", just what exactly are you thinking you might be giving away?
    > I'm also rather suspicious of your promotion of Virus Total. Hispasec,
    > as far as I can tell (Spanish being something I have to have translated
    > via online services), has no antivirus or similar product of its own,

    I do not necessarily trust this company or their service. Having said
    that, if they produced their own Anti-Virus package, to put other
    vendors' scanning engines in a publicly available service would either
    be damaging to their business, or considered anti-competitive.

    > yet it has set up, and some folk seem to be promoting, what is
    > effectively a sample collection mechanism. I've also heard vague
    > rumblings that Hispasec/Virus Total does not have suitable licenses for
    > at least some of the scanners used in its service (and strongly suspect
    > that several of the AV vendors whose products are currently used would
    > not allow their products to be licensed for use in a service of the
    > kind Virus Total offers anyway because it paints a rather disturbing
    > trust picture -- "You can trust me because I can run a virus
    > scanner...").

    Again, you suspect a lot of deception here, and while it is of course
    possible you are correct, I have yet to see this ever done in
    practice. Samples of non-data carrying viruses or trojans are of
    little use to anyone other than Anti-Virus firms, as it is easy to
    collect raw source for most if one is so inclined.
    I agree that it is unlikely they have sufficient client licenses to
    provide such a service; however I can see that there are a great deal
    of arguments in law about how their case may be won. They may for
    example only be required to carry one license, they could argue that
    they are simply allowing users to deliberately infect their systems,
    and making portions of the logs publicly available.

    If there are viruses which commonly copy target system data, or
    sensitive data into their binaries at the present time (I imagine the
    mention of this deception may well spring at least one such virus)
    then I apologise that I am not aware of it. If the report of the virus
    name in question is accurate (which IIRC it has been now verified by
    someone else) then the binary is not carrying sensitive data.

    Having said all of the above, your concern is not misplaced, and if
    you feel uncomfortable with any such possibility of giving away a
    minor amount of data, then certainly make good your freedom and choose
    not to do so.

    There is never any need for an aggressive statement of suspicion, which
    you are close to here. While I understand aggression due to anger, I
    am concerned that one should not get angry at someone offering them a
    service merely because one is suspicious of them. What if the offer of
    help is entirely genuine?

    Full-Disclosure - We believe in it.
