Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Hi, remember me?... - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Hi, remember me?...

Ever read through your spam sometimes to see what's popular? Of course you may also get a fresh serving of malware, which makes it very worthwhile. "Hi, remember me?..
new fotos(archived) you asked ;))
Angella O."

Well, no I don't remember an Angella that I have met recently, particularly not someone who might send me photos. But I'll bite. A simple wget scores me an exe. Virustotal results are depressingly consistent. 4/32.

AntiVir     2008.05.02     TR/Crypt.XPACK.Gen
CAT-QuickHeal     9.50     2008.05.01     (Suspicious) - DNAScan
eSafe     2008.04.28     Suspicious File
Webwasher-Gateway     6.6.2     2008.05.02     Trojan.Crypt.XPACK.Gen
Additional information
File size: 167936 bytes
MD5...: cb1de4847ca840f8837fc8381ec6b0cb
SHA1..: 26c018e4968e6dc092d5389759e939f741bb66b3

So, only generic detection when the file was first seen, how about 12 hours later? Nope, same results.

Adrien de Beaupré
Bell Canada


Adrien de Beaupre

353 Posts
ISC Handler
May 2nd 2008
YOU received the only sample ever distributed from that server!
The sample was changed right after your download (Rem: we already see servers that change the binary every 30 mins!)

Every sample is well tested against all know AV so that generic detection will not fire!

NO AV-Vendor will ever be able to write a siganture against that sample, unless you send that sample and if he does, he will publish a signature to millions of users for which that signature is simply useless! We already have over 700.000 detections in F-Secure and I personally expect over 1.3 Mio until End 2008!

If you want to be protected you need a good HIPS based behavioral blocking!
Install the ISTP (Internet Security Technology Preview) from F-Secure and START that EXE.

THAT is the future how to combat malware! No more "scan-before-start"! It is just "monitor-while-running"

So please stop complaining about AVs not detecting unless you run that malware while you are protected by that AV!

BTW: AV-Vendors meet these days im Amsterdam to discuss about new AV-testing. see
Can you submit it to cwsandbox so we can check out what it does? Maybe it can be linked to a better known variant that way.
Adrians sample does not match the scenario, that I discribed above. He told me, that the sample was available quite some time. Nevertheless the story stays the same as that is what we will be threatned by: malware that is not detected by AVs based on signatures!

Sign Up for Free or Log In to start participating in the conversation!