Comodo Forum > Desktop Security Products > Comodo Anti-Viruspyware (CAVS) > Feedback/Comments/Announcements/News about CAVS
Author Topic: Huge samples collection  (Read 6102 times)
Burillo
Computer Security Testing Group
Comodo's Hero
Posts: 324
« on: December 29, 2007, 04:06:11 PM »

I've got something for ya :-))))))

These are links to a HUGE (~300M) malware collection!

WARNING!!! DO NOT TRY TO EXECUTE ANY OF THESE !!!

If you are REALLY sure you want to download, go ahead. And remember: this is REAL malware. You were warned.

Quote
PM me to have the links

I don't want to distribute malware to some "haxor" kiddies, so this is what I say: I'll give you the links ONLY if you have 200+ messages on these forums.

Of course, I have no 100% guarantee that these files are malware, but since they're detectable, they most likely are. You should also take into account that these are probably old viruses, not widespread ones, and interpret test results accordingly.


----------------------------------------------------------

ADDED LATER:

9000+ trojan horses (5 parts: 190Mb + 190Mb + 190Mb + 190Mb + 68Mb)

I have not tested these yet, but probably will. Though I won't have an internet connection for the next 10 days, so I won't be able to post results.

Quote
PM me for links

I hope this can help the CAVS team make a better product.
« Last Edit: January 11, 2008, 03:20:12 AM by Burillo »

Some people are dumb... (c) Butt-head

Remember! CIA is watching you!
Burillo
« Reply #1 on: December 29, 2007, 06:11:52 PM »

A little bit of tests...

First of all, something that bothers me: not a single sample was detected while unpacking. Where is the on-access scanner?

EDIT: sorry, my bad. The on-access scan wasn't configured properly (it scanned only certain file types, while all the malware in these archives have filenames equal to their virus name, e.g. Win32.Worm).

Technical info:

Using the latest CAVS 2.0 beta with the latest definitions as of this moment.

Build version:    2.0.17.58
Virus DB version: 2.0.0.388

On-demand scan results:

NOT-A-VIRUS
Samples count:       116
Samples detected:    72
Samples disinfected: 0
Detection rate:      ~62%

WORMS
Samples count:       2350
Samples detected:    1741
Samples disinfected: 11
Detection rate:      ~74%

VIRUSES
Samples count:       23573
Samples detected:    13422
Samples disinfected: 1228
Detection rate:      ~56%

OTHER MALWARE
Samples count:       2035
Samples detected:    1365
Samples disinfected: 3
Detection rate:      ~67%

---------------------------------------
Overall detection rate: ~65%



EDIT2: all scans were performed using default settings. Will now re-scan the remaining files with higher heuristics settings.

EDIT3: results after scanning with high heuristics settings:

Additional not-a-viruses detected:  0
Additional worms detected:          0
Additional viruses detected:        15
Additional other malware detected:  0

Note: 12 out of 15 heuristically detected viruses seem to be mislabeled or incorrectly detected (virus name and filename don't match).
« Last Edit: December 29, 2007, 09:50:46 PM by Burillo »
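As an added example (not code from this thread, from Burillo or from Comodo), here is a small Python script that does the bookkeeping behind the figures in this reply. It computes the per-category detection rates from the CAVS counts posted above, shows that the ~65% "overall detection rate" is the unweighted mean of the four category rates (pooling all 28074 samples instead gives about 59%, because the VIRUSES category is 84% of the corpus and had the weakest detection), and runs the virus-name-versus-filename sanity check from EDIT3 over a few constructed scan-log lines. The tab-separated scan-log format, the list of generic name tokens, the family-token heuristic and the sample lines are assumptions made for this example; the sample names are taken from the thread but the verdicts paired with them are constructed.

```python
"""Detection-rate bookkeeping for an on-demand scan over a labelled corpus.

Added example, not code from the forum thread or from Comodo. The category
counts are the CAVS 2.0 beta figures posted above; the scan-log format, the
generic-token list and the per-file lines are constructed for illustration.
"""
import re

# Category -> (samples, detected), as posted for CAVS 2.0.17.58 / DB 2.0.0.388.
CAVS_RESULTS = {
    "NOT-A-VIRUS": (116, 72),
    "WORMS": (2350, 1741),
    "VIRUSES": (23573, 13422),
    "OTHER MALWARE": (2035, 1365),
}


def category_rates(results):
    """Detection rate per category as a fraction in [0, 1]."""
    return {cat: detected / total for cat, (total, detected) in results.items()}


def macro_rate(results):
    """Unweighted mean of the category rates: every category counts equally.
    For the CAVS figures this gives ~0.65, the overall rate quoted above."""
    rates = category_rates(results)
    return sum(rates.values()) / len(rates)


def pooled_rate(results):
    """Detected / total over all samples: large categories dominate.
    For the same figures this gives ~0.59, because 84% of the corpus is in
    the VIRUSES category, where detection was weakest."""
    total = sum(t for t, _ in results.values())
    detected = sum(d for _, d in results.values())
    return detected / total


# Tokens that carry no family information (malware type, platform, filler).
# Assumed list for this example; variant/number suffixes are handled below.
GENERIC_TOKENS = {
    "trojan", "backdoor", "worm", "virus", "downloader", "dropper", "psw",
    "proxy", "notifier", "aol", "win32", "win9x", "dos", "linux", "freebsd",
    "js", "vbs", "bat", "java", "html", "not", "a", "gen", "generic",
}


def family_tokens(name):
    """Reduce a vendor-style name such as 'Trojan-Downloader.Win32.IstBar.ag'
    to its family token(s), here {'istbar'}. One- and two-letter variant
    suffixes and numeric suffixes are dropped along with the generic tokens."""
    tokens = re.split(r"[.\-_/\s]+", name.lower())
    return {
        t for t in tokens
        if len(t) > 2 and not t.isdigit() and t not in GENERIC_TOKENS
    }


def labels_consistent(filename, verdict):
    """True when the scanner's verdict shares a family token with the file
    name, so 'Trojan.Win32.Smell.a' and 'Win32.Trojan.Smell.a' agree while
    'Trojan.Win32.Pandora.i' and 'Trojan-Dropper.Win32.Kifer' do not."""
    return bool(family_tokens(filename) & family_tokens(verdict))


# Constructed scan log: "<file name>\t<verdict>" per line, "-" = not detected.
# File names follow the corpus convention of being the malware name itself.
SCAN_LOG = """\
Backdoor.Win32.MoSucker.06\tBackdoor.Win32.MoSucker.06
Trojan-Downloader.Win32.IstBar.ag\tTrojan-Downloader.Win32.IstBar.ag
Trojan.Win32.Smell.a\tWin32.Trojan.Smell.a
Trojan.Win32.Pandora.i\tTrojan-Dropper.Win32.Kifer
Backdoor.Win32.Valvoline\t-
"""


def audit_scan_log(log):
    """Split a scan log into detected / missed / mislabeled counts. A
    'mislabeled' hit is what EDIT3 above flags: the scanner fired, but under
    a name unrelated to the sample's file name."""
    counts = {"detected": 0, "missed": 0, "mislabeled": 0}
    for line in log.splitlines():
        filename, verdict = line.split("\t")
        if verdict == "-":
            counts["missed"] += 1
        elif labels_consistent(filename, verdict):
            counts["detected"] += 1
        else:
            counts["mislabeled"] += 1
    return counts


if __name__ == "__main__":
    for cat, rate in category_rates(CAVS_RESULTS).items():
        print(f"{cat:14s} {rate:6.1%}")
    print(f"macro (mean of categories): {macro_rate(CAVS_RESULTS):.1%}")
    print(f"pooled (all samples):       {pooled_rate(CAVS_RESULTS):.1%}")
    print(audit_scan_log(SCAN_LOG))
```

When comparing scanners on the same corpus, state which aggregation you used: the mean-of-categories figure rewards balanced coverage, while the pooled figure tracks what fraction of the actual files on disk were caught. The name-consistency check is only a heuristic, since vendors order type and platform tokens differently, but it separates genuine detections from heuristic hits that fired on an unrelated signature.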
Burillo
« Reply #2 on: December 29, 2007, 06:55:48 PM »

For comparison:

Latest NOD32 3.0 with the 2755 (20071229) signature database and highest heuristics settings.

On-demand scan results:

Not-a-viruses detected:  42/116 (~36%)
Worms detected:          2223/2350 (~94%)
Viruses detected:        11390/23573 (~48%)
Other malware detected:  1755/2035 (~86%)
------------------------------------------------------------------------
Overall detection:       ~66%

*** Not that I'm advertising NOD32 and dissing CAVS... CAVS just needs more work before it can compete with the dinosaurs of AV software. Anyway, CAVS detected more viruses than NOD32! And NOD32's overall detection rate is just 1% higher than CAVS's!
« Last Edit: December 29, 2007, 09:33:44 PM by Burillo »
Burillo
« Reply #3 on: December 29, 2007, 07:08:39 PM »

Latest Kaspersky Internet Security 7.0 (freshly downloaded from the official website) with the latest signatures and maximum heuristics:

Not-a-viruses detected:  114/116 (~98%)
Worms detected:          2336/2350 (~99%)
Viruses detected:        23545/23573 (~99%)
Other malware detected:  1993/2053 (~97%)
--------------------------------------------------
Overall detection:       ~98%

Note that I don't work for Kaspersky Labs; I use NOD32 in fact :-)))) KAV is great but it's also slow (I mean SLOW AS HELL!!!)...
« Last Edit: December 29, 2007, 09:11:43 PM by Burillo »
Burillo
« Reply #4 on: December 29, 2007, 09:18:29 PM »

Some info regarding these 9000+ trojans... these files:
Quote
Backdoor.Win32.DSNX.02
Backdoor.Win32.MoSucker.06
Backdoor.Win32.Knightseven.10
Trojan.Win32.Avkillah.10
Trojan-Downloader.Win32.IED.11
Trojan-Dropper.Win32.MultiJoiner.16
Backdoor.Win32.Wow.23
Backdoor.Win32.NerTe.77
Trojan.DOS.Ra.574
Backdoor.Linux.Cyrax.a
Backdoor.Linux.UDP.a
Trojan-Notifier.Win32.OptixPager.SE.a
Trojan.FreeBSD.RootKit.a
Trojan.Java.ClassLoader.Dummy.a
Trojan.VBS.Foomol.a
Trojan.Win32.Smell.a
Trojan-Downloader.Win32.Delf.af
Trojan-Downloader.Win32.IstBar.ag
Trojan-Downloader.Win32.Small.aj
Trojan-Dropper.Win32.VB.al
Trojan.Win32.Aldy
Trojan-Dropper.Win32.Small.ao
Trojan-Downloader.Win32.Wintrim.av
Trojan-Downloader.Win32.Dyfuca.aw
Backdoor.Linux.BO.121.b
Trojan-AOL.Win32.Oscar.b
Trojan-Dropper.JS.Mimail.b
Trojan-PSW.Win32.Wortron.10.b
Trojan.DOS.Rebootpc.b
Trojan-Dropper.VBS.Inor.bp
Trojan.Win32.KillFiles.bx
Backdoor.Win32.Slackbot.c
Trojan-PSW.Win32.GinaPass.c
Trojan-Dropper.Win32.Delf.cf
Trojan-PSW.Win32.Delf.cz
Trojan-Downloader.Win32.QDown.d
Trojan.Java.ClassLoader.e
Trojan.Win32.DiskFill.f
Trojan-Dropper.Win32.Small.fk
Trojan.BAT.FormatCQ
Trojan-Downloader.Win32.Small.ga
Trojan.Java.ClassLoader.h
Trojan.Win32.Pandora.i
Trojan.Java.ClassLoader.j
Trojan-Downloader.Win32.Small.jl
Backdoor.Win32.VB.jm
Backdoor.Java.JRat
Backdoor.Win32.ControlTotal.k
Trojan-Dropper.Win32.Kifer
Trojan.Win32.Delf.l
Trojan.Win32.Pandora.l
Backdoor.Win32.Ciadoor.logger
Backdoor.Win32.Delf.mj
Backdoor.Win32.ControlTotal.o
Trojan-Downloader.Win32.Agent.p
Trojan-Downloader.Win32.Perfiler
Backdoor.Win32.VB.po
Trojan-Proxy.Win32.Portram
Trojan-Downloader.Win32.Agent.r
Trojan-PSW.HTML.Snix
Trojan.BAT.Swap
Backdoor.Win32.Small.t
Trojan-Downloader.Win32.Agent.t
Trojan.BAT.FormatCQ.t
Backdoor.Win32.Valvoline
are not harmful and are a kind of "false signatures"... at least that's what "specialists" say: they were designed as malware but contain errors which render them harmless.
« Last Edit: December 29, 2007, 09:32:59 PM by Burillo »
panic
Global Moderator
Comodo's Hero
Posts: 5371
... and I say to myself, "What a wonderful world"
« Reply #5 on: December 30, 2007, 06:30:21 AM »

Hey Burillo,

Interesting stuff, but you have made the same mistake that most other testing sites have done - you're testing CAVS solely on its detection capabilities and totally ignoring the fact that it has a HIPS component to prevent the infection occurring in the first place.

It would be interesting to see the results if each application was first installed onto a known clean system and scanned after installing, or attempting to install, each malware component and then recording the quantity of undetected malware samples remaining on the system after HIPS prevention and AV detection.

In this case, the HIPS component in CAVS would alert on each attempted malware install which you could block, and then its number of "undetected malware samples" would be negligible. AVs without HIPS would not, however, vary in their results.

Ewen :-)

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
Ganda
Global Moderator
Comodo's Hero
Posts: 2732
teehee, peace
« Reply #6 on: December 30, 2007, 08:16:02 AM »

Quote from: panic
Hey Burillo,

Interesting stuff, but you have made the same mistake that most other testing sites have done - you're testing CAVS solely on its detection capabilities and totally ignoring the fact that it has a HIPS component to prevent the infection occurring in the first place.

It would be interesting to see the results if each application was first installed onto a known clean system and scanned after installing, or attempting to install, each malware component and then recording the quantity of undetected malware samples remaining on the system after HIPS prevention and AV detection.

In this case, the HIPS component in CAVS would alert on each attempted malware install which you could block, and then its number of "undetected malware samples" would be negligible. AVs without HIPS would not, however, vary in their results.

Ewen :-)

But now that would be unfair, isn't it? HIPS doesn't "detect" anything, it just simply blocks any app. We'll get a 100% result forever.

kyle is guilty
everybody hates kyle
let's all blame kyle
evil prevails when kyle's around
Blas
Computer Security Testing Group
Comodo's Hero
Posts: 361
« Reply #7 on: December 30, 2007, 11:13:29 AM »

I think Burillo was testing only CAVS's detection capabilities, not its overall anti-malware efficiency. Most people are concerned about its detection rate. I am using CFP 3, which has a much more advanced HIPS than CAVS, so why would I use CAVS if not for its detection capability as a backup?
Ragwing
Guardian of the Light Master of the Force Invincible Legend Almighty
Global Moderator
Comodo's Hero
Posts: 3044
« Reply #8 on: December 30, 2007, 03:48:42 PM »

Greetings!

It's a really good job you're doing Burillo, BUT I think I must ask you to remove the links, as it's against the forum policy to post links to malware (I doubt anyone except me has read it lol), even though you did include warnings.
And I really doubt all those are FPs lol (can only happen with Norton).

Quoted from the Forum Policy:

  • Live Malware. Comodo is in the business of helping secure the internet, not distributing malware. Thus, it is not the appropriate place to attach or link live malware (viruses, trojans, rootkits, etc) to posts. In general, a link to the download site for 'malware' tests/demos and other 'proof of concept' applications is acceptable, provided they are not intended or designed to cause harm to a computer.

The reason I'm not deleting it myself is so that you can copy the links and don't have to upload it all again.
Anyway, you're still allowed to PM/e-mail it to someone if they're interested.

Also, I will test them with Avira Free 7, fully updated, in around half an hour when my download is finished.

Cheers,
Ragwing
« Last Edit: December 30, 2007, 03:50:33 PM by Ragwing »

"The closer you get to the light, the greater your shadow becomes"

XP SP3 2 GHz 768 MB RAM
5 services / 12 processes
panic
« Reply #9 on: December 30, 2007, 04:12:48 PM »

Quote from: Blas
I think Burillo was testing only CAVS's detection capabilities, not its overall anti-malware efficiency. Most people are concerned about its detection rate. I am using CFP 3, which has a much more advanced HIPS than CAVS, so why would I use CAVS if not for its detection capability as a backup?

What is the ultimate, long-term goal of an AV? Surely it is so you end up with a virus free PC, regardless of the mechanisms employed in achieving this. The fact that CAVS employs a prevention - detection - removal cycle, whereas other AVs only use a detection - removal cycle, doesn't mean that CAVS is deficient. To my way of thinking, it serves to highlight the inadequacies of the others.

It's like saying

"At the four furlong mark, my horse was running at 98 MPH and yours was only running at 92 !"

"Yeah bud, but who won the race?"

Ewen :-)
Blas
« Reply #10 on: December 30, 2007, 04:56:18 PM »

I totally agree with the prevention approach of Comodo, so I don't need to be shown the right way of thinking. Anyway, this horse race was a good example. What you are saying is true, period. I didn't say that it is not like that, nor that CAVS is deficient. Maybe you misunderstood my post, or it is just my lack of English. When I was using CPF 2.4 my AV was CAVS and I was pleased with it. I liked its application control module. But now that I am using CFP 3, which employs a much more sophisticated prevention mechanism, it takes over the prevention part of CAVS's "prevention-detection-removal/cure" cycle. What remains is detection and removal, which are currently not the best part of CAVS. So right now I don't know why I should use CAVS. On its own it could be a very efficient anti-malware product regardless of its detection rate. But in my case, as CFP 3 copes with prevention, I prefer to have an AV only for detection, which could still be useful even when using a HIPS alongside. There are a lot of legit applications, not to mention the not-so-legit ones containing malware, that a user may want to run. In this case, when I am not sure whether to trust a program, a good file scanner could be handy.
panic
« Reply #11 on: December 30, 2007, 06:29:07 PM »

@Blas,

Please don't misunderstand me, there are many AVs out there with a greater detection rate than CAVS and CAVS definitely needs to improve.

CAVS3 is currently in development and promises to have vastly improved detection capabilities, along with the ability to co-operatively use the HIPS component of the firewall (if it's installed and the user agrees with this, of course). The merging of the BOClean and CAVS signature bases will bring further improvements.

LOL. Gotta agree about the efficiency of CFP as an anti-malware measure. AVs are starting to seem almost irrelevant (AV lovers please note - I did say ALMOST), but, at a minimum, an on-demand scanner is still needed, if only as a safety net.

Cheers,
Ewen :-)
Rednose
Comodo's Hero
Posts: 1276
Ganda's sleepy ( in his wildest dreams )
« Reply #12 on: December 30, 2007, 06:38:03 PM »

And here we are: the same old discussion about Prevention (HIPS) versus Detection (Definition). But what I miss in most of the discussions is the usability of HIPS. Of course you can use a whitelist to make things easier for the user, like Comodo does, but with HIPS it will always come to a point where the user has to decide if something is good or bad. And the majority of users won't have a clue what to decide then. That is why detection is, and will be, so important.

Back to the race track: you can have the fastest horse, but if hardly anyone can ride it you won't win many races.

Greetz, Red.
« Last Edit: December 30, 2007, 06:50:10 PM by Rednose »

XP 32x SP3  CFP 2.4  SSM 2.0 Free  Avast! 4.8 Home  CBOClean 4.27  CMF 2.0  SAS 4.15 Free  MBAM 1.24
panic
« Reply #13 on: December 30, 2007, 07:06:26 PM »

Hey Red,

Of course detection is important (I never said it wasn't), but I firmly believe that detection is part of a structured, layered defense strategy, but just one part. Hopefully CAVS3 will have a greatly improved detection rate.

For me, the most important part of our e-defenses is knowledge. The more info a user can get (and understand) the better they can determine what to do. Clear descriptions of an intended action during the prevention phase can surely help users make up their mind what to do in the event of a HIPS alert (whether that HIPS alert came from the firewall or from the AV is irrelevant).

To continue the analogy of signature based detection and racetracks.....

"coming in to the home straight with 2 furlongs to run it's Detection Based AV out in front by a mile, but wait a minute .... the finish line just got moved because there's X thousand new viruses released - guess we'll just have to keep running. And running. And running. And running ............"

cheers,
Ewen :-)
Ganda
« Reply #14 on: December 30, 2007, 09:28:06 PM »

Quote from: Ragwing
Greetings!

It's a really good job you're doing Burillo, BUT I think I must ask you to remove the links, as it's against the forum policy to post links to malware (I doubt anyone except me has read it lol), even though you did include warnings.
And I really doubt all those are FPs lol (can only happen with Norton).

Quoted from the Forum Policy:

The reason I'm not deleting it myself is so that you can copy the links and don't have to upload it all again.
Anyway, you're still allowed to PM/e-mail it to someone if they're interested.

Also, I will test them with Avira Free 7, fully updated, in around half an hour when my download is finished.

Cheers,
Ragwing

Heeeey, don't delete the links. I'll have to write it somewhere.
« Last Edit: December 31, 2007, 06:19:44 AM by ganda »