Reporting of undetected threats


Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hiya,

I have been testing AntiSpyware against a spyware-supported install of
Grokster.
Suffice to say, that amount of spyware kept AntiSpyware busy :)

It seems to have done a fairly thorough job, but has left behind some files
and (active) executables.

I don't have a Microsoft Beta account for this product - will I still be
able to report undetected threats effectively?

What method should I use to ensure the details are communicated to
Microsoft correctly? I am very keen to donate my time to helping this sort
of effort and have submitted samples to Lavasoft and Safer Networking in
the past but it still seems that most of them are still not detected.


Adam Piggott,
Proprietor,
Proactive Services (Computing)

- --
Please replace dot invalid with dot uk to email me.
OpenPGP key ID: 0xD3EC5C39

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFB3Y6i7uRVdtPsXDkRAj93AJ0fnbJCeKjZ2FJlajnZ7JWln0zyqwCfeoxt
rOIc9wrb6oPXJjKi3AAMEpk=
=y24K
-----END PGP SIGNATURE-----

Bill Sanderson

There is a reporting mechanism built-in to the product at Tools, Suspected
Spyware Report.

I'm doing some guessing, but here's what I think would help make such a
report useful:

1) complete path and filename of the threat
2) the information that Tools, Advanced tools, Advanced File Analyzer
reports about the executable or other code file.
3) if possible, information about how to replicate the infection.

I can't tell for sure that this mechanism is "live"--maybe you can try it
out and let us know?

Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill Sanderson wrote:
| There is a reporting mechanism built-in to the product at Tools, Suspected
| Spyware Report.
|
| I'm doing some guessing, but here's what I think would help make such a
| report useful:
|
| 1) complete path and filename of the threat
| 2) the information that Tools, Advanced tools, Advanced File Analyzer
| reports about the executable or other code file.
| 3) if possible, information about how to replicate the infection.
|
| I can't tell for sure that this mechanism is "live"--maybe you can try it
| out and let us know?

Hah, not like me to miss a button marked "Advanced Tools". Can't see the
wood for the trees! Thanks for pointing that out, Bill.

The reporter doesn't let you upload specific files with it, or checksums of
them etc. The fields that one enters information about the spyware are
rather limited as well - I had to compress the file listing to make it fit.

The Advanced File Analyser didn't show up much, unknown publishers etc. It
didn't seem to have any integration into the reporting tool which would
have been nice.

I sent the report off anyway, with a list of leaf names of the files in
question.

FYI, the paths and SHA1 sums of the files are below.


Regards,


Adam.

C:\Documents and Settings\All Users\Application Data\wsxs
d5b79c75cac69d2b67cc1bee039acfbb *delfinAD.ebd
fde879b993186c1289e24bd56573fb70 *delfinAF.edx
93e0b4449f686b3924cf2d27da8f2663 *delfinBD.edx
89ab51c565b9c0cfdcd99c1f614d00d5 *delfinCO.edx
db8e1baf092a488dd7fc0562b82fa19e *delfinDL.edx
43a78d4b39f4a3893dd76c37dac34a34 *delfinED.edx
b5227db5beb5f4ae999e268a39822b01 *delfinID.edx
2ea178fd23e12b9709e11905b05abf7f *delfinKY.edx
89ab51c565b9c0cfdcd99c1f614d00d5 *delfinLD.edx
b12327e72d55549fa46f624016267b7c *delfinLO.ebd
47d28bf123e2ebbd80217201b787da3d *delfinSI.edx
af868b9b25b6c5b49071ac8616725cfd *delfinST.ebd
8bb6cc4c2104a339b76ddcb25b35cbb2 *delfinTG.ebd
d9c3af4e56e13e8ae2988f632ac051f6 *index.dat

C:\Program Files\Common Files\nlnlfllr\lelclfct
bd88f9dc736da87f9351d197a2861628 *fnfpjllah.jct
89e37b8815609f91c539348d7f2379e0 *rhadhfln.exe

C:\Program Files\Common Files\nlnlfllr\nfdcanhplr
89e37b8815609f91c539348d7f2379e0 *anafheeba.exe
6cd5875d287b9c62e5004661fb945d2f *hbfbjpljfh.rtc

C:\WINNT\system32\vmss
29c2cd97f85e4a06e9fb068ff6e60c13 *vmss.exe

C:\WINNT\system32\wsxsvc
d61a55c2537012f7eea4007f6321129c *wsx.dll
ddc6ce2e29aa19093dcf721df1210ce1 *wsxsvc.exe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFB3ca+7uRVdtPsXDkRAntLAJ96EvjDn8D9Q5Ec38ifpWNp4p2sBgCfeN1H
KXJj8ABiYPdF3MtzXQmEV3Q=
=7XZv
-----END PGP SIGNATURE-----
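A small script for working with a listing of the kind posted above. This is an added example, not code from the thread or from the product being discussed; the function names and the report structure are this example's own, and the listing embedded in it is copied from the post. It rebuilds the full path for each leaf name (Bill's item 1), guesses the digest algorithm from the digest length rather than from the label (the digests in the post are 32 hex characters, which is the length of an MD5 digest; a SHA-1 digest is 40), flags files whose bytes are identical under different names (the post's listing contains two such pairs, which is worth stating explicitly in a report because it shows one component dropped under several names), and shows how to emit a line in the same `<hexdigest> *<leafname>` format from a file's bytes.

```python
"""Parse a checksum listing (a directory header line followed by
``<hexdigest> *<leafname>`` lines, groups separated by blank lines),
rebuild full paths, sanity-check digest lengths and flag duplicates.

Added example, not code from the thread or from the product it discusses.
The LISTING text is copied from the post; names below are this example's own.
"""
import hashlib
import re
from collections import defaultdict

# Hex-digest lengths for the algorithms checksum tools normally emit.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# One digest line: hex digest, whitespace, optional '*' (binary-mode marker), leaf name.
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")

# Listing copied from the post above (directory header, then digest lines).
LISTING = r"""
C:\Documents and Settings\All Users\Application Data\wsxs
d5b79c75cac69d2b67cc1bee039acfbb *delfinAD.ebd
fde879b993186c1289e24bd56573fb70 *delfinAF.edx
93e0b4449f686b3924cf2d27da8f2663 *delfinBD.edx
89ab51c565b9c0cfdcd99c1f614d00d5 *delfinCO.edx
db8e1baf092a488dd7fc0562b82fa19e *delfinDL.edx
43a78d4b39f4a3893dd76c37dac34a34 *delfinED.edx
b5227db5beb5f4ae999e268a39822b01 *delfinID.edx
2ea178fd23e12b9709e11905b05abf7f *delfinKY.edx
89ab51c565b9c0cfdcd99c1f614d00d5 *delfinLD.edx
b12327e72d55549fa46f624016267b7c *delfinLO.ebd
47d28bf123e2ebbd80217201b787da3d *delfinSI.edx
af868b9b25b6c5b49071ac8616725cfd *delfinST.ebd
8bb6cc4c2104a339b76ddcb25b35cbb2 *delfinTG.ebd
d9c3af4e56e13e8ae2988f632ac051f6 *index.dat

C:\Program Files\Common Files\nlnlfllr\lelclfct
bd88f9dc736da87f9351d197a2861628 *fnfpjllah.jct
89e37b8815609f91c539348d7f2379e0 *rhadhfln.exe

C:\Program Files\Common Files\nlnlfllr\nfdcanhplr
89e37b8815609f91c539348d7f2379e0 *anafheeba.exe
6cd5875d287b9c62e5004661fb945d2f *hbfbjpljfh.rtc

C:\WINNT\system32\vmss
29c2cd97f85e4a06e9fb068ff6e60c13 *vmss.exe

C:\WINNT\system32\wsxsvc
d61a55c2537012f7eea4007f6321129c *wsx.dll
ddc6ce2e29aa19093dcf721df1210ce1 *wsxsvc.exe
"""


def parse_listing(text):
    """Return one dict per file: full Windows path, lower-case digest, guessed algorithm."""
    entries = []
    current_dir = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m and len(m.group(1)) in DIGEST_ALGOS:
            if current_dir is None:
                raise ValueError("digest line before any directory header: %r" % line)
            digest, leaf = m.group(1).lower(), m.group(2)
            entries.append({
                "path": current_dir + "\\" + leaf,
                "digest": digest,
                "algo": DIGEST_ALGOS[len(digest)],
            })
        else:
            # Anything that is not a well-formed digest line is a directory header.
            current_dir = line.rstrip("\\")
    return entries


def find_duplicates(entries):
    """Map each digest seen more than once to the full paths that share it."""
    by_digest = defaultdict(list)
    for e in entries:
        by_digest[e["digest"]].append(e["path"])
    return {d: paths for d, paths in by_digest.items() if len(paths) > 1}


def digest_line(data, leaf, algo="sha1"):
    """Format one listing line, ``<hexdigest> *<leaf>``, for a file's bytes."""
    return hashlib.new(algo, data).hexdigest() + " *" + leaf


if __name__ == "__main__":
    entries = parse_listing(LISTING)
    for e in entries:
        print("%s  %s  %s" % (e["algo"], e["digest"], e["path"]))
    for digest, paths in find_duplicates(entries).items():
        print("identical bytes under different names (%s):" % digest)
        for p in paths:
            print("    " + p)
```

Running it prints every entry with its full path and the algorithm implied by the digest length, then the two groups of identical files; a report built this way satisfies Bill's first item directly and gives the reader of the report a way to verify each sample without a file upload.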

Bill Sanderson

If I learn of a better way to do this, I'll let you know. I'd be surprised
if there weren't a team of folks at Microsoft with Virtual PC running
collecting stuff of this sort, but I know from previous beta experience that
every bit of input helps.

Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill Sanderson wrote:
| If I learn of a better way to do this, I'll let you know. I'd be surprised
| if there weren't a team of folks at Microsoft with Virtual PC running
| collecting stuff of this sort, but I know from previous beta experience that
| every bit of input helps.

Well there is at least a team[1] of folks at Proactive Services using
Virtual PC to test this out against spyware. ;-)


Adam.

[1] The team being the Proprietor.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFB3dIA7uRVdtPsXDkRAu+mAKCiVWpOss9fS9oR4AsvQuBCg99m1gCeOhHC
XcYy2ntxM63MG2LGMxIP+w0=
=TY/9
-----END PGP SIGNATURE-----