A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18820  by EP_X0FF
 Wed Apr 03, 2013 5:39 am
360Tencent wrote:from reddit

http://malshare.com/daily/?
I will try some of archives and let you know. 1 April 1Gb look promising. But it can be just repacks of repacks of repacks.

edit: Well it seems this 1Gb pack created from malc0de, vxvault.siri-urz.net and cleanmx. Will try other archives.
Last edited by EP_X0FF on Wed Apr 03, 2013 8:08 am, edited 1 time in total. Reason: edit
 #18824  by EP_X0FF
 Wed Apr 03, 2013 8:21 am
Well, absolutely no filtering found, except checking for duplicate hash. A lot of trash like aa6608ec87572c4ef52751b415eef1caeeb19210 - FL Studio 10.0.9 with size 234 MB, tons of useless adware etc.

Attached MD5, SHA1 hash tables of all malshare files currently available. It will take hours to scan all this crap. If you need specific file from these lists and do not want/able to download it from malshare -> let me know hash, I will attach this file.
Attachments
SHA1 hash table of all malshare files
(232.48 KiB) Downloaded 33 times
MD5 hash table of all malshare files
(188.62 KiB) Downloaded 33 times
 #18831  by SC_
 Wed Apr 03, 2013 10:33 pm
EP_X0FF wrote:Well, absolutely no filtering found, except checking for duplicate hash. A lot of trash like aa6608ec87572c4ef52751b415eef1caeeb19210 - FL Studio 10.0.9 with size 234 MB, tons of useless adware etc.

Attached MD5, SHA1 hash tables of all malshare files currently available. It will take hours to scan all this crap. If you need specific file from these lists and do not want/able to download it from malshare -> let me know hash, I will attach this file.
Hey EP_X0FF, I run malshare.

You make a great point and I'll offer some explanation. So, I am doing absolutely no filtering in the slightest, and I think you're right, some is needed. I think some basic filtering {ex:
if (SIZEOF($FILE) > 3 MB) { TRASH()
}
I'm still thinking about what other filtering I can do to improve the quality, but in the interim, I think that'll cut out some of the noise. This feed, is designed to be a noise feed. It isn't a feed of spear phish samples that are coming out of a large highly targeted company. It is however, open for anyone to pull from. There aren't a lot of sites that are as fully open and I think that there ought to be.

However, it is a staging area for more. Once I get things settled and running more smoothly, I want to start publishing more data that I have beyond samples.
 #18833  by EP_X0FF
 Thu Apr 04, 2013 2:07 am
SC_ wrote:You make a great point and I'll offer some explanation. So, I am doing absolutely no filtering in the slightest, and I think you're right, some is needed. I think some basic filtering {ex:
if (SIZEOF($FILE) > 3 MB) { TRASH()
}
Well then you can skip some adware bundles and some mad skills malware that can be packed with commercial protectors like vmprot or themida which greatly increase original size. I think everything > 10 MB is definitely trash and most usual malware <= 2 MB (well maybe except few fat fakeav's). Anyway thank you for this free service and hope it will work for a long.
 #18834  by SC_
 Thu Apr 04, 2013 1:45 pm
I've also added a file called changelog in the daily dir so you can see the progression of what I change in my filtering.

I'm also setting up ssdeep scanning to filter out any that are too similar.
 #18837  by Buster_BSA
 Thu Apr 04, 2013 4:23 pm
SC_ wrote:I'm also setting up ssdeep scanning to filter out any that are too similar.
You should filter by MD5 but not by ssdeep.

My 2 cts.
 #18839  by r3shl4k1sh
 Thu Apr 04, 2013 6:26 pm
Buster_BSA wrote:
SC_ wrote:I'm also setting up ssdeep scanning to filter out any that are too similar.
You should filter by MD5 but not by ssdeep.

My 2 cts.
ssdeep gives you similarity between files.
I don't know why for example i wouldn't want 2 samples of zeus with 95% similarity (except gate url, which mean two different operators), so maybe md5 is better.
 #18848  by EP_X0FF
 Fri Apr 05, 2013 11:51 am
I've downloaded all 8+ Gb of data from malshare.
Well after analyzing about 75% of all these files I found a big amount of false positives and simple trash.

~3.5 GB is Soft32 Downloader (http://www.soft32.com)
I.T.N.T., S. R.L., a Romanian company whose registered office is in Sibiu (Romania), on C.Negri, no.9 holder of tax identification number RO15123346 (hereinafter, ITNT), grants its users a free non-exclusive and non-transferable license (hereinafter, the License) to use the software named Soft32 Downloader.
This is signed downloader with certificate of I.T.N.T., S. R.L., Symantec Time Stamping Services Signer - G4. Both valid.

e.g. of detection https://www.virustotal.com/en/file/44a2 ... 365161588/

While Installation process this downloader asks for SmartPCFix installation, see http://www.smartpcfix.com/ and http://www.softpedia.com/get/Tweak/Syst ... CFix.shtml (user can decline and continue). Signed by WeDownload, Ltd, Symantec Time Stamping Services Signer - G4. Both valid.

After this Soft32 downloader will install AVG toolbar (in default install configuration) and set AVG Secure Search as default homepage.

AVG Toolbar is singed by AVG, COMODO Time Stamping Signer. Both valid.

Yes, Soft32 Downloader is a sort of trashware, but I don't really know what malicious found ESET inside this bundle.
Yes SmartPCFix is a trashware and Fake RAM optimizer (like every RAM optimizers - just because RAM optimising is a complete nonsense and BS on a Windows NT platform). But what kind of malware ESET found inside, I don't know, it can uninstalled from Start menu and seems not joined/infected with anything else.

This kind of bundle trash/crapware is about 50% of all files inside these packs. You can check yourself - see every binary with size 830-9XX Kb or/and signed by I.T.N.T., S. R.L. or/and signed by WeDownload, Ltd. It is a trashware but not malware at all. You can safely filter these files out - they are garbage.

I don't suggest everyone send any of these files to the AV companies, to save their time, which will be wasted with this garbage.

So to summarise - until all this obvious garbage will not be removed/filtered this free service is unfortunately unusable.
 #18869  by EP_X0FF
 Mon Apr 08, 2013 10:26 am
Final statistic for malshare files.

8 April 2013.

Total unique hashes: 13845
Total size: 10936753763 bytes (10.18 Gb)
Total signed files: 10097
Total size of signed files: 7764431328 bytes (7.23 Gb) 70.99% of all files. Digital signatures not verified, but I think they all OK.
Most frequently signed by: I.T.N.T. SRL (4073 files), WeDownload (1019 files), appbundler.com (758 files), LLC Mail.Ru (580 files), 19 files signed by AVG Technologies CZ, s.r.o.
Actual confirmed and recognized malware in bytes: 2382506601 (2.27 Gb), 21.78% of all files
Clean, false-positives, damaged or unprocessed files in bytes: 789815834 (0.7 Gb), 7.22% of all files

Additional note: some archives contain duplicate files from other archives - lack of filtering even by MD5.

And too many trash.

In attach full hash list of signed binaries.
Attachments
(280.07 KiB) Downloaded 42 times