May 4, 2010

Reporting Unknown Computer Viruses

I was recently on Facebook and came across an app that required me to download a Windows file. I thought the whole thing seemed suspicious. But because I was running a Linux distro that I made, I didn't fear this too much. I downloaded the file and used ClamAV to scan for a virus. Well, no virus was detected.

My suspicion was still very strong. Could it be that AVs just haven't found out about this file yet? So I ended up trying to determine if this file really was malicious. Back in the good old days, if I wanted to do this I would have to decompile the virus. This took a lot of experience. However, life does get easier. There's a site called Virus Total that scans files that have malicious things in them. To best explain this, I will say this: a lot of programs use existing programs inside of that program. This is why installers are required when installing Windows programs, because the programs sometimes have hundreds of other files that need to be in certain locations on the computer. Instead of a program writing detailed instructions on where each file needs to be placed, the programmer makes an installer that places all of those files in the correct places. A program in itself may not be malicious, but the files that the program uses can be. With Virus Total, it detects all of these files in that program and checks to see if any of them are malicious.

So I uploaded the file to Virus Total and it started to scan it. I was then told that it found two files that were malicious. Bingo, good thing I was smart and running a Unix-based machine. So I now knew that this file was in fact bad. I also knew that chances are if one AV doesn't have the file in their database, chances are none of them would. This is because a lot of those companies trade information. So I only really needed to report the file to just one company. But I decided to report it to more than one.

I found reporting such things to be more trivial than it should be. In my opinion, the forms I had to fill out should have been linked on the front page of these sites. Instead I had to do a lot of hunting around.

I uploaded the file to Clam, Synaptic, McAfee, AVG, Kaspersky and TrendMicro. The easiest one to find was Clam. The most complicated one was Synaptic. I would have never found the way to report it to Synaptic if I didn't get into support chat. And even in that chat it was like talking to a moron.

Me: I would like to report a malicious file to you guys. I don't believe it is in your databases.
Support: What is the error that Synaptic is giving you?
Me: None. I don't have Synaptic installed; I'm running a Linux system.
Support: Unfortunately we don't provide support for Linux. If you want to install Synaptic, please use Windows.
Me: I have no intention of using your software or Windows. However, I'm concerned for users who are using Windows. I want to report this file so you guys can help protect Windows users.
Support: In order for us to give you any information, you need to have Synaptic installed on a Windows computer.
Me: I don't mean to sound threatening. But you're taking a big risk. I'm sure you don't want to be investigated by the Attorney General's office for knowingly not having a malicious file in your databases that could protect people. If a crime is committed and I report it to the police and the police did nothing, then they face going to trial.
Support: Please hold on a second while I redirect you to another agent.
Support2: I understand you're having a problem using our product. I will try my best to help solve the problem.

My patience was running low.

Me: I do not use your software. I do not want to use your software. Please give me information on how to report a virus to Synaptic. If you fail to do so, I will report you for illegal activities.
Support2: No, Synaptic stops viruses, we don't give viruses. We want to protect you.
Me: If you want to protect me and others, then please understand that when I come to you guys to report something that may help you protect others, you should cooperate.

After one more support agent and explaining the issue all over again, I finally got the link. The form was set up as if I knew every little aspect about the virus, as if I made it. In fact, it would ask me as if I were the maker of it.

With TrendMicro I had to call them. And since it was the weekend, no one would answer. But the answering machine gave me instructions on getting support online.

McAfee I also called. The call lasted less than 5 minutes. The person on the phone had a deep Indian accent and gave me the URL to go to. Yes, it was correct. I uploaded the file. Less than 24 hours later I received a thank-you email from them, telling me that they will put the file in their next update.

I also did a whois on the domain name that the app was stored on. I reported the app to the Facebook abuse department, giving the owner's info, domain name, NS info, IP address and more. I didn't get an email back from Facebook for 2 days. Then I received a thank-you email telling me that the app had been removed.

In short, I hope that people understand that antivirus companies aren't perfect. And if they are unaware of a threat, it doesn't matter what AV you use. You will get infected. If you do get infected, I hope you upload all files that you suspect may be the cause to Virus Total. Then report the file to your AV company. Even if it isn't malicious or if they already do have it in their databases, you did the right thing. Because everyone who does report such things ends up helping tons of people.

