A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6855  by EP_X0FF
 Sat Jun 18, 2011 11:20 am
May 2011 collection
944 MB multi-part RAR archive (split into four parts); uncompressed size is about 1.21 GB

Generated file info (note: only detected files; MD5 hash + Dr.Web-style detection name) is in the attachment.

http://www.megaupload.com/?d=LFCLQAKV
http://www.megaupload.com/?d=JVZBL2EQ
http://www.megaupload.com/?d=Z9G7G91C
http://www.megaupload.com/?d=4E5HSW4K

Pass: malware
If someone is willing to make some additional mirrors, it's appreciated.
Attachment (107.83 KiB)
 #8597  by EP_X0FF
 Sat Sep 17, 2011 9:17 am
Ransomware samples collected in July-August and the beginning of September, including all pornoroliks (WinAD), LockEmAll, Pornoblockers etc. Can be used as a perfect test for revealing the FakeAVs widely installed on VirusTotal (see the number of incorrect detections, hash-sum-based detections, stolen detections, or no detections at all even after 2 months).

http://www.megaupload.com/?d=PR8N7N1V

Pass: malware
Compressed size: 56.1 MB
Uncompressed: 98.7 MB
1479 files.
 #8598  by kmd
 Sat Sep 17, 2011 12:46 pm
Thanks.
"stolen detections"
What does it mean?
 #8601  by EP_X0FF
 Sat Sep 17, 2011 1:27 pm
kmd wrote: What does it mean?
For example this.

Some of the AVs installed on VT are multi-engine based, so it's OK when, for example, GData and BitDefender or Ikarus and Emsisoft show the same detection. But most scanners are not multi-engine based.
Take a look at Avira.

TR/Ransom.DN.332

It was created from the initial Microsoft detection Trojan:Win32/Ransom.DN; later, in August/September, DN was extended to ER, which is exactly what you see in the report.

Another example. A friend of mine sent me Avira's response to a submitted ticket.
Avira wrote: The file cd627d26e92e.... has been determined to be 'RISK'. Our analysts named the threat SPR/Tool.Vbcrypt.H.2. The term "SPR/" ("Security or Privacy Risk") denotes a program that might possibly be able to affect the security of your system, might trigger activities you might not want or might violate your privacy. Detection is added to our virus definition file (VDF) starting with version 7.11.12.143.
Response time: Jul 28, 2011 09:32 AM UTC
SPR/Tool.Vbcrypt.H.2

This file is Trojan Ransom Pornorolik/WinAD (crypted by a VBCrypt variant); clearly the detection name is not completely correct. But how did they generate it?

cd627d26e92e.... was received on Jul 28, 2011 04:18 AM UTC
cd627d26e92e.... analysis was finished on Jul 28, 2011 04:45 AM UTC

The object was assigned VirTool:Win32/Vbcrypt.gen!H (it is a generic detection based on the crypter used).

Updated definitions were released. Likely Avira has a special multi-scanner in their lab (just like VT but without FakeAVs). It seems that, due to lack of resources (or of the qualification to write a real automatic analysis system), some percentage of the files submitted to Avira are processed by special bots (or maybe human bots) which do only one thing: a scheduled re-scan with the multi-scanner, and if somebody from the "trusted partners" releases a malware detection, these bots copy it (seemingly only the name) + some quick hash-based signature + a number. Regarding ransoms, Avira also loves to steal detections for Trojan:Win32/Ransom.ER and Trojan:Win32/Ransom.DF. It seems their multi-scanner includes the following products: BitDefender, Dr.Web, Ikarus, Kaspersky, MSE and maybe Symantec. The initial copy-pasted detection may change in the future when some Avira analyst finally takes a look at the crap they have generated as a detection. I don't know what percentage of Avira's DB is stolen from others. I think it will be a sufficient number.
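The check EP_X0FF describes above (same family and variant token showing up at two vendors that do not share an engine, e.g. Microsoft's Ransom.DN and Avira's Ransom.DN.332) can be scripted over a VirusTotal-style result set. The following is an added example, not code from the thread or from any vendor; the report dict, the detection names in it and the LICENSED_ENGINE map (which encodes the GData/BitDefender and Emsisoft/Ikarus pairs mentioned in the post) are constructed for the example, and the tokenizer's notion of "family" and "variant" is a heuristic, not any vendor's naming rule.

```python
import re
from collections import defaultdict

# Constructed sample (not from the original thread): a VirusTotal-style
# vendor -> detection-name map for one ransomware sample. The names are
# illustrative; only the Microsoft/Avira pair mirrors the case in the post.
SAMPLE_REPORT = {
    "Microsoft":   "Trojan:Win32/Ransom.DN",
    "Avira":       "TR/Ransom.DN.332",
    "Kaspersky":   "Trojan-Ransom.Win32.Blocker.aabb",
    "DrWeb":       "Trojan.Winlock.4587",
    "BitDefender": "Gen:Trojan.Heur.Ransom.1",
    "GData":       "Gen:Trojan.Heur.Ransom.1",
    "Ikarus":      "Trojan-Ransom.Win32.PornoBlocker",
    "Emsisoft":    "Trojan-Ransom.Win32.PornoBlocker!IK",
    "Symantec":    None,   # no detection
}

# Vendors that ship another vendor's engine (assumption for this example):
# a shared name with the licensed engine is expected, not suspicious.
LICENSED_ENGINE = {"GData": "BitDefender", "Emsisoft": "Ikarus"}

# Type/platform prefixes that carry no family information (heuristic list).
NOISE = {"trojan", "win32", "tr", "gen", "heur", "generic", "ik"}

TOKEN_RE = re.compile(r"[A-Za-z0-9]+")


def name_tokens(name):
    """Lower-cased tokens of a detection name with noise prefixes removed."""
    return [t.lower() for t in TOKEN_RE.findall(name or "")
            if t.lower() not in NOISE]


def family_variant(name):
    """(family, variant) of a detection name. The variant is the first
    non-numeric token after the family, or None for purely generic names
    such as 'Gen:Trojan.Heur.Ransom.1'. Returns None for an empty name."""
    toks = name_tokens(name)
    if not toks:
        return None
    family = toks[0]
    variant = next((t for t in toks[1:] if not t.isdigit()), None)
    return (family, variant)


def find_shared_variants(report, licensed=LICENSED_ENGINE):
    """Group vendors by (family, variant) and return the groups of two or
    more vendors that are not explained by an engine-licensing relation."""
    groups = defaultdict(list)
    for vendor, name in report.items():
        fv = family_variant(name)
        if fv and fv[1] is not None:      # skip no-detection and generic names
            groups[fv].append(vendor)
    suspicious = {}
    for fv, vendors in groups.items():
        present = set(vendors)
        # A vendor whose licensed engine is in the same group is explained.
        unexplained = sorted(v for v in vendors
                             if licensed.get(v) not in present)
        if len(unexplained) >= 2:
            suspicious[fv] = unexplained
    return suspicious


if __name__ == "__main__":
    for (family, variant), vendors in find_shared_variants(SAMPLE_REPORT).items():
        print(f"{family}.{variant}: shared by {', '.join(vendors)}")
```

On the constructed report the only group that survives is Ransom.DN, shared by Avira and Microsoft; the Emsisoft/Ikarus and GData/BitDefender matches are dropped because the map marks them as licensed engines. A match found this way is only a lead: it says two vendors chose the same variant token, not who published first, so the ticket timestamps EP_X0FF compares above are still needed to argue copying.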
 #8603  by rkhunter
 Sat Sep 17, 2011 1:41 pm
I noticed the stolen detections also for ZeroAccess/Sirefef and Alureon/Tidserv. Even when Kaspersky added a false dropper detection, for example naming a TDSS dropper as ZAccess and vice versa, some vendors had similar errors; and it was not just once. Simply because of the large number of ransom samples, unlike ZAccess or Alureon/TDSS droppers, you can see it more clearly. I did not analyze the dates of tickets as EP_X0FF did, but the result was obvious.