Threat Simulator

Art

The below web site offers a complex malicious code simulator which is
likely to be controversial:

http://www.morgud.com/interests/security/dfk-threat-simulator.asp

The simulated malicious program in the kit is named
Office_Idiots_ (funny)_.exe
I've not yet run it on my Win 2K PC since I would want to have some
kind of test plan in mind, and I've not yet given it enough thought.
The kit does contain a remover utility.

The author compares his complex simulator to the eicar.com test
antivirus test file, which I think is quite a stretch. Eicar is a
simple test string. The DFKS kit is far more, and it might lead to
serious problems. Seems to me most users might benefit from limiting
their exposure to just a thorough read of the description at the web
site ... and leave it at that :)

Here's a Virus Total result on the program file:
************************************
This is a report processed by VirusTotal on 10/28/2005 at 19:35:12
(CET) after scanning the file "Office_Idiots__funny_.exe" file.

Antivirus      Version         Update      Result
AntiVir        6.32.0.6        10.28.2005  no virus found
Avast          4.6.695.0       10.27.2005  no virus found
AVG            718             10.24.2005  no virus found
Avira          6.32.0.6        10.28.2005  no virus found
BitDefender    7.2             10.28.2005  no virus found
CAT-QuickHeal  8.00            10.26.2005  no virus found
ClamAV         devel-20050917  10.27.2005  no virus found
DrWeb          4.32b           10.23.2005  no virus found
eTrust-Iris    7.1.194.0       10.27.2005  no virus found
eTrust-Vet     11.9.1.0        10.28.2005  no virus found
Fortinet       2.48.0.0        10.27.2005  W32/RootkitDFKTS.A-tr
F-Prot         3.16c           10.26.2005  no virus found
Ikarus         0.2.59.0        10.28.2005  no virus found
Kaspersky      4.0.2.24        10.28.2005  Trojan-Dropper.Win32.Agent.zn
McAfee         4615            10.28.2005  no virus found
NOD32v2        1.1266          10.26.2005  no virus found
Norman         5.70.10         10.28.2005  no virus found
Panda          8.02.00         10.28.2005  no virus found
Sophos         3.99.0          10.28.2005  no virus found
Symantec       8.0             10.27.2005  Trojan.Dropper
TheHacker      5.8.4.128       10.26.2005  no virus found
VBA32          3.10.4          10.28.2005  no virus found
*******************************************
It looks to me like Fortinet is the only product that gives an exact
ID. NAV with its "Trojan.Dropper" report sees something malicious
but doesn't know exactly what. The KAV report suggests something
similar ... but it looks more to me like KAV might be misidentifying.
I might submit the file to Kaspersky to see what they have to say
about the alert.

Anyway, thoughts anyone? Is this sort of thing a GOOD THING or
a BAD THING or what? Has anyone worked with it and found it useful
for learning more about protection?

Art

http://home.epix.net/~artnpeg
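An added example, not from the thread or from VirusTotal, that parses the plain-text report layout quoted above and tallies which engines flagged the file, including the rows where the vendor name and version are run together. The sample rows are constructed from the post, and the "DFK" family hint (the string an exact name for this sample would carry) is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the 2005 VirusTotal text report quoted in
# the thread; two rows fuse vendor and version, as in the original paste.
SAMPLE_REPORT = """\
Antivirus Version Update Result
AntiVir 6.32.0.6 10.28.2005 no virus found
eTrust-Iris7.1.194.0 10.27.2005 no virus found
Fortinet 2.48.0.0 10.27.2005 W32/RootkitDFKTS.A-tr
Kaspersky4.0.2.24 10.28.2005 Trojan-Dropper.Win32.Agent.zn
Symantec 8.0 10.27.2005 Trojan.Dropper
"""

# The update date is the only column with a fixed shape, so it anchors the split.
ROW_RE = re.compile(r"^(?P<head>\S.*?)\s+(?P<update>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$")

@dataclass
class ScanRow:
    vendor: str
    version: str
    update: str
    result: str

def split_head(head: str) -> tuple[str, str]:
    # Fused rows such as 'Kaspersky4.0.2.24' are cut at the first digit.
    parts = head.split(None, 1)
    if len(parts) == 2:
        return parts[0], parts[1]
    m = re.search(r"\d", head)
    return (head[:m.start()], head[m.start():]) if m else (head, "")

def parse_report(text: str) -> list[ScanRow]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header, separator and blank lines have no date column
            rows.append(ScanRow(*split_head(m["head"]), m["update"], m["result"]))
    return rows

def summarize(rows: list[ScanRow], family_hint: str = "DFK") -> dict:
    # family_hint is an assumption: the string an "exact" name for this sample would carry.
    hits = [r for r in rows if r.result.lower() != "no virus found"]
    named = [r.vendor for r in hits if family_hint.lower() in r.result.lower()]
    return {"engines": len(rows), "detections": len(hits), "family_matches": named,
            "generic": {r.vendor: r.result for r in hits if r.vendor not in named}}

if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```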

kurt wismer

Art wrote:
[snip]
The author compares his complex simulator to the eicar.com test
antivirus test file, which I think is quite a stretch. Eicar is a
simple test string. The DFKS kit is far more, and it might lead to
serious problems.

indeed... the value of the eicar standard anti-virus test file is in the
fact that most anti-virus vendors have agreed to detect it, not because
it does anything (all it does is print a string on the console)...

the person writing the copy for that website clearly has no idea what
the eicar standard anti-virus test file is or what it's used for... it's
only meant to test whether an anti-virus product is installed properly -
it is *not* a simulator, and simulators have zero value outside of
providing minor educational experience for those without the resources
to safely test real malware...

then there's the possibility of the simulator being hacked into real
malware...

all in all, i think it's a bad idea...

kurt wismer

Bart said:
In a message posted on Sat, 29 Oct 2005 01:16:44 GMT, Art wrote:
[snip]

As controversial as VirSim was?

exactly as controversial - and for exactly the same reasons (with the
possible exception of the person behind it - he who cannot be named was
certainly controversial all on his own)...

Bart Bailey

simulators have zero value outside of
providing minor educational experience for those without the resources
to safely test real malware...

Anyone capable of doing a dasm and examination of the sim for
"undocumented" features doesn't really need it, and those lacking that
level of analytical capability might not be adequately prepared for full
recovery if a sufficiently destructive hidden payload gets deployed.

Bart Bailey

exactly as controversial - and for exactly the same reasons (with the
possible exception of the person behind it - he who cannot be named was
certainly controversial all on his own)...

Was the ineffable one driven to social extreme by the flack his creation
spawned, or was it an integral part of his personality all along?

kurt wismer

Bart said:
On Sat, 29 Oct 2005 12:19:21 -0400, kurt wismer wrote:
[snip]

Was the ineffable one driven to social extreme by the flack his creation
spawned, or was it an integral part of his personality all along?

the processes that went on in the head of he who cannot be named are as
unfathomable as his name is unmentionable...