The SRI International Nonprofit Research Institute has a few lists that I like to review on a regular basis. 

• Most Effective Antivirus Tools Against New Malware Binaries – These detection rates represent the TRUE POSITIVE detection rates of these various antivirus tools on the limited corpus of malware binaries captures by our honeynet. The results do not take into consideration the false positive rate of a given tool, and thus a tool that declares everything to be infected would appear to have the highest true positive percentage rate. All antivirus results provide via www.virustotal.com
• Most Prolific BotNet Command and Control Servers and Filters – most observed botnet command and control server IP addresses, includes port numbers, filters, and examples of chatter.
• Most Aggressive Malware Attack Source and Filters – list of known infected malware clients currently propagating through the Internet
• Most Aggressively Spreading Malware Binaries – most aggressively spreading malware MD5s
• Most Effective Malware-Related Snort Signatures – most effective malware infection detection Snort signatures as experienced by the SRI Malware Honeynet
• Most Observed Malware-Related DNS Names – the most observed malware DNS names that SRI has seen looked up during malware infections or embedded within malware binaries

I use this data to tweak firewall and IDS/IPS rulesets, especially with Snort systems.  On a semi-related note, another great resource for Snort rules is Emerging Threats.

Related Posts

• mrt.exe reports back to Microsoft
• Bhutto Assassination video codec malware from Blogger in my content filter logs

Microsoft’s Malicious Software Removal Tool (MRT) helps remove malware infections of specific, prevalent malicious software—including Blaster, Sasser, and Mydoom.

If your machine run Windows 2000, XP, Vista, or Windows Server 2003 and you have Automatic Updates enabled on your computer, MRT is automatically updated on the second Tuesday of each month. After MRT runs, it logs it’s findings to the %windir%\debug directory, which is typically c:\Windows\Debug.

Buried in the fine print on the Microsoft web site is the following sentence:

“Also, please be aware that this tool reports anonymous information back to Microsoft in the event that an infection is found or an error is encountered.”

What information is sent to Microsoft? Here is the current list:

• The name of the malicious software that is detected
• The result of malicious software removal
• The operating system version
• The operating system locale
• The processor architecture
• The version number of the tool
• An indicator that notes whether the tool is being run from Microsoft Update, from Windows Update, from Automatic Updates, from the Download Center, or from the Web site.
• An anonymous GUID
• A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the computer

If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond what is listed above. You are prompted in each of these instances, and this information is sent only with your consent. The additional information includes the following:

• The files that are suspected to be malicious software. The tool will identify the files for you.
• A cryptographic one-way hash (MD5) of any suspicious files that are detected.
No other information is sent to Microsoft.

I’m not sure how others feel, but I don’t like any of my information being sent to Microsoft, whether it be anonymous or not. For example, lets say my machine has an infected copy of wgaremover.exe. I can’t believe that Microsoft doesn’t have ways of connecting this program, which allows you to bypass Windows Genuine Advantage, back to my IP address.

Luckily, KB 891796 describes how to disable this reporting component that sends the results of your scan to Microsoft, along with the information regarding the infected files. You can perform the following registry changes to disable the reporting:

Logging is automatically disabled if the following registry key value exists:

This registry key value indicates that the computer is connected to an SUS server. You can download an updated version of the Malicious Software Removal Tool here, or the 64-bit version here. Note that KB 890830 states:

“The first time that you download and run the tool by using Automatic Updates, Microsoft Update, or Windows Update, you must be logged on to the computer by using an account that is a member of the Administrators group. After you accept the one-time license terms, you can receive future versions of the tool without being logged on to the computer as an administrator.”

If you are experiencing problems with MRT, consult KB 891717 for troubleshooting guidance.

Related Posts

• Determining when a local Windows account password was last changed
• Direct patch download links for MS10-002 KB978207
• Microsoft releases load simulation tools for desktops
• Find Windows system uptime from the command line
• Fix: The IP address you have entered for this network adapter is already assigned to another adapter that is hidden from the Network Connections folder because it is not physically in the computer

This morning I’ve taken some time to scan my content filter logs from the past two weeks.  Normally I look through them every few days, but I’ve been on a well deserved extended vacation.

It seems that some network users have been searching for video of the Benazir Bhutto assassination.  There have been quite a few recent reports of malicious Blogger sites that advertise the video, but when users try to view it, they are told they do not have a required codec installed.  They are prompted to download the codec, which results in a Zlob trojan downloading and installing to their system – see the McAfee blog for details and images.

CastleCops, Sunbelt Blog, and SANS Internet Storm Center have examples of an infected site.

My content filter logs show four or five users successfully downloading the offensive codec.  I’m hoping that our desktop anti-virus software and group policy stopped the malware installation, but I’m not holding my breath.  I wrote a script that’s scanning all machines for the fake codec, but I’ll probably have to wait until school resumes on Monday, January 8th to scan the entire network.  Only a very few users are woring this week, so hopefully that will help contain the infestation.

If I do find Zlob installations, I plan on using the SmitFraudFix removal tool and the free removal tool I found on ParasiteDB.  You can read all about SmitFraudFix and Zlob at the S!Ru.URZ blog.

Related Posts

• Global Fix: Windows Media Player audio works, video does not
• MS08-067 vulnerability, exploit, and reverse engineering in detail
• Using Current Data from SRI’s Malware Threat Center for Firewall and IDS / IPS rulesets
• MS08-001 details and exploit video
• mrt.exe reports back to Microsoft