Slashdot Mirror


A Searchable Virus Database?

PktLoss asks: "I recently got hit with a worm/trojan, it was my own fault, I got sloppy. Anyways, once I got hit with the virus it was time to get rid of it. It had infected my system while my A/V program was running, so I presumed it was rather new. I already knew a bunch about it: it was a Messenger Worm; it killed regedit, msconfig or taskmanager upon being run; and it turned off viewing hidden/system files, in Explorer. This information in hand, I thought I would have an easy time figuring out what it was, and hopefully locating a dedicated cleaner, I was wrong. In my mind I envision a page with an advanced search allowing you to give it the information you have (attack vector/type, symptoms, etc) one at a time, each new piece of information cutting down the list of possibilities. Does such a page exist? If not why not?" "Instead of an easy search, I started off Googling in the dark, dropping key words in the hope they would point me in the right direction. When that failed I moved to the websites of major anti-virus vendors, either continuing to search based on key words I felt were relevant, or just listing viruses in reverse chronological order and reading their summaries.

No dice.

For the curious, I think it was Chode-e. I cleaned it manually."

44 comments

  1. Simple enough... by Otter · · Score: 4, Insightful
    Does such a page exist? If not why not?

    Because that's the single most precious asset the anti-virus makers have!!! There's no way they're going to give that away! And it doesn't seem like a huge priority for a volunteer effort as the sort of people capable of and interested in doing that work don't often get viruses.

    1. Re:Simple enough... by bhtooefr · · Score: 1

      Explain the existence of ClamAV, then.

    2. Re:Simple enough... by Anonymous Coward · · Score: 0

      Why did clamav flag my google desktop search files as a virus? Maybe they could use a better database themselves.

    3. Re:Simple enough... by Otter · · Score: 1

      So, does ClamAV have such a page (as opposed to their virus defs and a searchable database of names of identified viruses)? If so, that answers the original question; if not, I'm not sure what your point is.

    4. Re:Simple enough... by Bloater · · Score: 1

      > Because that's the single most precious asset the anti-virus makers have.

      I hear that they actually communicate the information to each other (after they've released their own identities). The anti-virus world is still very academic. The AV companies have a handful of virus analysts in various timezones and analysing viruses is a very small cost compared to producing the AV frontends/engine/management tools. Ever wondered why your domestic subscription is so much cheaper than the business subscriptions? You don't get the management tools with it.

    5. Re:Simple enough... by mysidia · · Score: 1

      I think the information is out there, it's just not organized in an appropriate way to allow such a search. The author seems to be thinking of a wizard where he can execute an advanced search involving specifying various details, symptom lists, etc; almost like an expert system.

      I think it would be a cool tool, but it would have a limited audience: your average computer user won't be able to evaluate their situation well enough to use the system to perform a search, since the average computer user has no idea what msconfig or regedit is, they will have no idea that they do not work.

      Plus there's the problem of threats being similar, i.e. variants of the same piece of malware may appear to have the same symptoms, but require a different method of removal, the process of attempting to remove a later variant by a method that worked on an earlier variant may fail and trigger some retaliatory payload the early variant did not have.

      Since the audience is limited, and it's risky to attempt to use that information to attempt to remove an infection by hand: it's much more likely for AV makers to be able to successfully sell an all-in-one tool, whose owners do not have to have much knowledge of their systems to use it effectively.

      Whereas the primary audience for a search tool like that would be security geeks whose systems are not normally infected, anyway.

      Run a good AV; popular AVs are not necessarily good AVs, all-in-one solutions are not good AVs, either, it's important to pick a scanner with good heuristic scanning that performs highly on independent AV tests -- better not to pick any of the most well known ones, products which viruses may specifically target; don't make your machine's defenses look like the average PC user's, and keep the thing up to date.

      The scanner is the most likely means at your disposal to identify precisely which piece of malware is present; without a positive confirmation, you're just guessing.

      The search tool already exists (in the form of AVs), though not as flexible, and good ones certainly aren't free, they do exist.

    6. Re:Simple enough... by Xenophon Fenderson, · · Score: 1

      Screw that. I want a public malicious code archive. As soon as I figure out the legal ramifications and code up a web interface, I'm going to set one up. I'm tired of all of the "in the know" companies and researchers having access to information that mere mortals can't touch.

      --
      I'm proud of my Northern Tibetian Heritage
  2. Taught thinking by A beautiful mind · · Score: 4, Insightful

    MS and the companies profiting from malware (Anti-virus companies, etc) taught people into the "I recently got hit with a worm/trojan, it was my own fault, I got sloppy." mindset. But in reality, this shouldn't be and isn't like that.

    True, a user needs education to use a computer intelligently, but it is largely up to the given software platform's coders to fix issues like that.

    Don't assume you were at fault, just because you need to jump through hoops to prevent your computer from getting infected.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
    1. Re:Taught thinking by c_fel · · Score: 3, Interesting

      Don't assume you were at fault, just because you need to jump through hoops to prevent your computer from getting infected.

      Yes, but an OS can't know if the program run by a user is a trojan or a clean program. It's the user's responsibility to take care of it. I agree that there should be a clear gap between user space and system and that's a big hole in most Windows configurations anyway, but everybody still needs to care when they run any program. Period.

      --
      I hate all sigs, mine included.
    2. Re:Taught thinking by Anonymous Coward · · Score: 1, Interesting

      I could not disagree more. Any piece of consumer hardware comes with a certain degree of risk to life and limb if improperly used. Certainly, no one who burned him/herself with the kitchen coffee maker would indicate it 'was my own fault' because given a sufficient level of care in its manufacture (perhaps even a rating from Underwriters Labs or the equivalent) there's nothing short of gross user error that would result in such an occurrence.

      Software need be no different.

      Pretending that vendors need to protect us from every random or malicious occurrence involving their products is the same broken thinking that has resulted in the hideous state of tort law in the US, has driven production and insurance costs through the roof and makes us all look like morons when some idiot spills hot coffee in his lap or catches a virus and needs someone to blame, sue, leech off of, etc.

    3. Re:Taught thinking by PktLoss · · Score: 2, Informative

      The virus/worm spread via MSN Messenger, I knew what the link was when I got a strange message from a friend (the worm spreading) but I needed to know what virus it was in order to help the friend remove it. So I downloaded the file to disk, and told my AV programs to take a look. When they couldn't figure it out from the file I presumed it might be either compressed or obfuscated in such a way that the AV programs wouldn't be able to tell what it was until it ran. So I disconnected myself from the network physically and ran the file, expecting the AV programs to catch it at that point. They didn't and so my search began.

      I knew what it was, and still ran it. I really feel I have to take full responsibility.

    4. Re:Taught thinking by A beautiful mind · · Score: 1

      Ah, this puts the situation into a different light indeed in your case.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    5. Re:Taught thinking by NullProg · · Score: 1

      So I disconnected myself from the network physically and ran the file, expecting the AV programs to catch it at that point. They didn't and so my search began.

      Next time, run it through a disassembler first. strings can also be your friend. You also may want to try the free f-prot A/V, it uses heuristics as well as signature detection.

      Not that these suggestions will do you any good at the moment :)

      Enjoy.

      --
      It's just the normal noises in here.
    6. Re:Taught thinking by Lord Dreamshaper · · Score: 1

      Yeah, the difference is that it's obvious (to most) that coffee is scalding hot and that sticking your fingers in a live blender or wall socket is bad. That's why we shouldn't be able to sue those manufacturers when we ignore warning labels and safety mechanisms. The same can't be said when grandma opens an e-mail attachment thinking that she's opening an actual e-mail from her 7 y/o grandson. Hell, that scenario even explains away a spammer's typical bad grammar and spelling (at least if the subject line isn't sexual in nature...)

      The burden should be on the designers of the website, software, OS, etc. who have the expertise. When lawsuits (however ridiculous the settlements may be) start biting the companies in the bottom line, software will get a lot more secure and a lot more user friendly.

      --
      When all of your wishes have been granted, many of your dreams will be destroyed - Marilyn Manson
    7. Re:Taught thinking by bedessen · · Score: 1

      Next time send it to the Norman sandbox or virustotal.

  3. that'll teach you. by Anonymous Coward · · Score: 0

    why should av-companies help you out of the mess you got yourself into?

    1. Re:that'll teach you. by PktLoss · · Score: 1

      I would have paid probably up to $5 for a dedicated cleaner, assuming I could use it to help other friends who were infected.

      Had one of the Anti Virus programs I tried actually cleaned the machine it would have been serious karma, and a likely purchase.

  4. Sure there is.... by Anonymous Coward · · Score: 0
  5. Yes, there is. by NorbrookC · · Score: 3, Informative

    You should check out F-Secure , they have a very good, searchable database with descriptions of various viruses, worms, and spyware.

  6. clamav by Anonymous Coward · · Score: 0

    clamav

    you can pull the DB apart and add your own entries

  7. Sounds like a lame worm by brunes69 · · Score: 1

    If it's killing off regedit then it is probably not a virus but a lame worm that has just added itself into the registry to start at bootup.

    Rebooting into safe mode, or with a Linux boot disk with Windows rescue tools installed, and you should be able to remove it from the registry.

    1. Re:Sounds like a lame worm by PktLoss · · Score: 1

      Cleaning went something like this: Safe Mode -> Find random directory in system32, write it down -> safe mode w/ command prompt, erase file -> regular boot -> regedit to clean out all the crap it left in the registry -> re-install compromised a/v software.

  8. Good AV database searchable by PontifexMaximus · · Score: 3, Informative

    http://www.symantec.com/avcenter/global/vinfodb.html

    This is the one I always have bookmarked. It seems to be the most comprehensive database on the Internet.

    --
    Pax Vobiscum
    1. Re:Good AV database searchable by Tango42 · · Score: 1

      That's pretty much just searching by name (you can search by type (worm/virus/trojan/whatever) or a string involved (subject line of an email, etc), but that's all) - the question clearly asked for a way to search by symptoms.

    2. Re:Good AV database searchable by PontifexMaximus · · Score: 1

      I have searched by symptoms before on there. It's not the best way to search (obviously), but it does work.

      --
      Pax Vobiscum
  9. Try them out by PktLoss · · Score: 1

    A couple people have been kind enough to post links to some of the major a/v vendors' pages. They're there, and they work, but they don't seem to give the results I'm looking for. Try using those search engines entering some of the information given in the original post. I would consider getting: Chode-d, Chode-e or Landis-B the 'right' answer. Can you get that answer out of it?

    I think tabular data rather than wrapping google or standard full text searches would be great, but there doesn't seem to be such a beast out there.

    1. Re:Try them out by Anonymous Coward · · Score: 0

      I agree with you, and have had issues with this as well.

      You can look *SOME* of them up under the CME numbers (http://cme.mitre.org/), and you can try the vendor sites, including Kaspersky labs (http://viruslist.com/).

      To answer your question: NO! there is no comprehensive list.

      BTW: Don't try to create one it'll be an exercise in futility!

    2. Re:Try them out by Anonymous Coward · · Score: 0

      The problem is that there are hundreds of Messenger worms and pretty much all of them have similar behaviors to your list of symptoms.

      Therefore a search using your list of symptoms generates far too many hits.

      Using BartPE to analyse and clean the registry, etc. is definitely the way to go when hit with something like this.

    3. Re:Try them out by Anonymous Coward · · Score: 0

      What you want, it seems, is a virus Expert System. I'm not sure if this exists, but it's not hard to write... the problem is getting the massive amount of virus data into it from a usually prosaic format.

    4. Re:Try them out by PktLoss · · Score: 1

      My list of symptoms was an example, I could have been more exhaustive. Additionally it appeared it was a quite new variant since two different a/v programs failed to detect it. So I would have been confident restricting search results to viruses/variants introduced within the past month.
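The symptom-by-symptom wizard mysidia and this sub-thread describe, as an added example that is not from the original post or any AV vendor: each criterion (vector, symptom tags, "seen within the last month") shrinks a candidate list, and the remaining candidates tell the wizard which symptom to ask about next. The catalogue entries, family names and symptom tag vocabulary are constructed for the demo and assume nothing about real vendor data.

```python
"""Symptom-narrowing search over a small malware catalogue: added example
for this thread, not code from Slashdot or any AV vendor. Every entry is
constructed; names are not real families, symptom tags are an assumed vocabulary."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Entry:
    name: str
    kind: str            # "worm", "trojan", ...
    vectors: frozenset   # spreading channels, e.g. {"msn-messenger"}
    symptoms: frozenset  # observable behaviour tags
    first_seen: date     # when the entry was added to the catalogue

# Constructed catalogue: two recent Messenger-worm variants, an older one
# with identical symptoms, and two unrelated entries.
IM = frozenset({"msn-messenger"})
BASE = frozenset({"kills-regedit", "kills-msconfig", "kills-taskmgr",
                  "hides-system-files"})
CATALOGUE = [
    Entry("Example.IMWorm.A", "worm", IM, BASE, date(2005, 6, 1)),
    Entry("Example.IMWorm.B", "worm", IM, BASE | {"downloads-payload"},
          date(2005, 6, 20)),
    Entry("Example.IMWorm.E", "worm", IM, BASE, date(2004, 11, 2)),
    Entry("Example.Mailer.C", "worm", frozenset({"email"}),
          frozenset({"kills-regedit", "kills-taskmgr"}), date(2005, 3, 10)),
    Entry("Example.Dropper.D", "trojan", frozenset({"web-download"}),
          frozenset({"hides-system-files"}), date(2005, 5, 15)),
]

def narrow(candidates, *, kind=None, vector=None, symptoms=(), since=None):
    """Keep only the entries consistent with every criterion given."""
    wanted = frozenset(symptoms)
    return [e for e in candidates
            if (kind is None or e.kind == kind)
            and (vector is None or vector in e.vectors)
            and wanted <= e.symptoms
            and (since is None or e.first_seen >= since)]

def next_questions(candidates):
    """Symptoms that split the remaining candidates: what a wizard asks next."""
    sets = [set(e.symptoms) for e in candidates]
    if not sets:
        return []
    return sorted(set.union(*sets) - set.intersection(*sets))

def refine(catalogue, steps):
    """Apply the criteria one at a time; record the shrinking list after each."""
    trail, current = [], list(catalogue)
    for label, criteria in steps:
        current = narrow(current, **criteria)
        trail.append((label, [e.name for e in current]))
    return trail

def example_session(today=date(2005, 7, 1)):
    """The thread's scenario: Messenger worm, the listed symptoms, and the
    guess that the variant appeared within the last month."""
    steps = [
        ("spread via MSN Messenger", {"vector": "msn-messenger"}),
        ("kills regedit/msconfig/taskmgr",
         {"symptoms": ("kills-regedit", "kills-msconfig", "kills-taskmgr")}),
        ("turns off hidden-file viewing", {"symptoms": ("hides-system-files",)}),
        ("seen in the last 30 days", {"since": today - timedelta(days=30)}),
    ]
    return refine(CATALOGUE, steps)

if __name__ == "__main__":
    trail = example_session()
    for label, names in trail:
        print(f"{label}: {len(names)} left -> {names}")
    # Symptoms alone leave the two variants tied (mysidia's caveat); only a
    # scanner match or a sample hash settles it, so ask the splitting symptom.
    left = [e for e in CATALOGUE if e.name in trail[-1][1]]
    print("distinguishing symptom(s):", next_questions(left))
```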

  10. McAfee's Virus Information Librar by borfast · · Score: 1

    Unless I misunderstood the question, besides the ones already pointed by some other folks, there's also http://vil.nai.com/vil/default.asp It even has a section dedicated to hoaxes, which I regularly use to educate my friends and family about those "Microsoft warned about this virus yesterday, anti-virus vendors don't know about it yet, pass this to all your contacts" e-mails.

    1. Re:McAfee's Virus Information Librar by Steve Florkey · · Score: 1

      You ended your post with what I consider the most obvious sign of a hoax (or worse): "...forward this to everyone you know!" I have *never* seen valid e-mail with this request. Now if we could just get our innocent friends to realize this, we would have a lot less spreading of malware. [big sigh]

      I have been impressed with ClamAV on other features, but checking http://clamav-du.securesites.net/cgi-bin/clamgrok for the keywords PktLoss gave us did not produce anything even remotely useful. Since ClamAV is FOSS, perhaps someone might be interested in improving their database search. It would be a nice enhancement.

      One of the UK Linux magazines just ran a review of several AV packages for Linux. ISTR ClamAV caught all the samples they offered it. This suggests their signature database is as good as anyone else's so it would make a nice foundation for the kind of search PktLoss suggests.

      BTW, kudos to PktLoss for trying to help a friend. He might consider installing Windows in VMWare on BSD or Linux as a way to more easily recover from a test gone bad. It should be pretty easy to restore the OS image file that was backed up before testing the malware.

    2. Re:McAfee's Virus Information Librar by PktLoss · · Score: 1

      I think you get all the bonus points for trying out the search engine before giving it the gold star :)

      Yeah, a VM probably would have been a good way to go, but honestly I really thought the A/V programs would catch it once it started trying to do naughty things.

      Next time (and I've got a lot of non-PC-savvy friends so there will be a next time) I'm going to:
      Save the file to disk
      Upload it to Virus Total (http://www.virustotal.com/flash/index_en.html) and see if it has any clue
      If not, move the file over to an expendable (or at least non mission critical) machine (laptop, old pos, etc) and run it with a recent backup of the registry & a few other critical files so at the very least I can run a diff.
      Run the virus with my a/v packages running, and hope for the best :)
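The "run a diff" step of that plan, as an added example that is not code from the original post or any vendor: two snapshots of the Run key, a system directory listing and the Explorer hidden-file settings, taken before and after a test run, are compared, and the differences are mapped onto the symptoms the thread lists and the items PktLoss's manual clean-up (safe mode, delete the dropped file, fix the registry) had to deal with. Both snapshots are constructed stand-ins for a registry export and a directory listing; the dropped file, its directory and the "MSN Update" value name are made up.

```python
"""Before/after diff of autostart entries, a system directory listing and the
Explorer hidden-file settings, to see what a test run changed. Added example
for this thread, not code from Slashdot or any vendor: both snapshots are
constructed stand-ins for a registry export and a directory listing, and the
dropped file, its directory and the 'MSN Update' value name are made up."""

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SYS32 = r"C:\WINDOWS\system32"

# Constructed baseline: one legitimate Run value, two files, hidden files shown.
BEFORE = {
    "autostart": {RUN_KEY: {"ctfmon.exe": SYS32 + r"\ctfmon.exe"}},
    "files": {SYS32 + r"\ctfmon.exe": "hash-placeholder-1",
              SYS32 + r"\taskmgr.exe": "hash-placeholder-2"},
    "explorer": {ADVANCED: {"Hidden": 1, "ShowSuperHidden": 1}},
}
# Constructed post-run snapshot: a new random directory with a dropped file,
# a Run value pointing at it, and hidden/protected files switched off.
DROPPED = SYS32 + r"\qx7a2\msnupd.exe"
AFTER = {
    "autostart": {RUN_KEY: {"ctfmon.exe": SYS32 + r"\ctfmon.exe",
                            "MSN Update": DROPPED}},
    "files": {**BEFORE["files"], DROPPED: "hash-placeholder-3"},
    "explorer": {ADVANCED: {"Hidden": 2, "ShowSuperHidden": 0}},
}

def _diff_map(a, b):
    """Added, removed and changed keys between two flat dicts."""
    added = {k: b[k] for k in b.keys() - a.keys()}
    removed = {k: a[k] for k in a.keys() - b.keys()}
    changed = {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
    return {"added": added, "removed": removed, "changed": changed}

def diff_snapshots(before, after):
    """Compare every registry key and the file listing; keep only keys that changed."""
    report = {"autostart": {}, "explorer": {}}
    for section in ("autostart", "explorer"):
        for key in before[section].keys() | after[section].keys():
            d = _diff_map(before[section].get(key, {}), after[section].get(key, {}))
            if any(d.values()):
                report[section][key] = d
    report["files"] = _diff_map(before["files"], after["files"])
    return report

def triage(report):
    """Map the raw diff onto the symptoms the thread lists and the items a
    manual clean-up (safe mode, delete file, fix registry) has to deal with."""
    findings = []
    new_files = {p.lower() for p in report["files"]["added"]}
    for key, d in report["autostart"].items():
        for name, cmd in d["added"].items():
            # A new Run value whose command is a file that did not exist before
            # is the classic "added itself to the registry to start at bootup".
            kind = "persistence via dropped file" if cmd.lower() in new_files else "persistence"
            findings.append(f"{kind}: {key}\\{name} = {cmd}")
    for d in report["explorer"].values():
        hidden = d["changed"].get("Hidden")          # 1 = show hidden files, 2 = do not
        if hidden and hidden[1] == 2:
            findings.append(f"hidden files switched off (Hidden {hidden[0]} -> {hidden[1]})")
        superhidden = d["changed"].get("ShowSuperHidden")  # 1 = show protected OS files
        if superhidden and superhidden[1] == 0:
            findings.append("protected OS files hidden (ShowSuperHidden -> 0)")
    for path in sorted(report["files"]["added"]):
        findings.append(f"new file to delete offline: {path}")
    return findings

if __name__ == "__main__":
    for line in triage(diff_snapshots(BEFORE, AFTER)):
        print(line)
```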

  11. Maybe it's too new for that vendor by karolgajewski · · Score: 1

    There have been a number of stories that compared how fast the different A/V companies respond to a threat. I seem to recall that for really bothersome stuff, the updates are usually ready to go around 48-56 hours after they're picked up.

    Having said that, it wouldn't hurt to install a free A/V scanner such as ClamAV, AVG or even something like Trend Micro's free online scanner.

    Moreover, one of the key issues is that some companies are not picking up on some of the malware, which makes the occasional install of a free product worthwhile, in addition to an AdAware/Spybot/foo scan.

    --
    - .k. -
  12. uh, google? by RevAaron · · Score: 1

    I know in this case google didn't work out for you, but I can't say I've ever had to do more than the following:

    1. Norton AV pops and says "Danger! Danger! Virus found! Something.Win32.A2; clean failed; quarantine (failed|successful)."
    2. Then I google "Something.Win32.A2" and usually the first link is Symantec's page on that virus/worm.
    3. Click that link. Read that page.
    4. Either download the removal tool, which is on that page, or follow the manual removal directions they give.

    Not sure about MSNM worms or even if something like Norton detects them. But I can't say I've ever had any viral/worm experience above and beyond the above in the last 5 years; and that is not as an individual running Windows, but as someone who does desktop support for a few labfuls of PCs at a university library and a bunch of staff machines and the same held true when I worked the Uni-wide helpdesk.

    Good luck!

    --

    Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
  13. We've had two new ones in the past year by Meostro · · Score: 3, Informative

    At my company, we've had at least two virus infections before definitions were released. We worked through symptoms and used stuff like HijackThis! and Process Explorer to find out what was going on, plus a few of the PS Tools to get rid of it and Bart's PE to clean-room the system to remove persistent files. It took our virus vendor a week to come up with definitions, but a few others had them earlier and we could use their online or free versions to clean the systems.

    Generally, when we get a suspicious file, it goes to VirusTotal first. If any of the 20-or-so listed AV vendors have a definition for the virus, you can usually find some information about it (at least a name) and from there figure out how to clean it. If nobody has a definition, next stop is Norman Sandbox to figure out what the beastie does, at least from a high-level point of view. If nothing else, it will probably give you a mutex that you can create to block execution/further infection, and sometimes it even gives you a clue as to what the virus would be or if it's a variant of something else. I found that we had a new variant of W32/Sality based on its mutex, which was one version number incremented from the info available online.

    If there are no hits after that, there are some more things you can try, but they're mostly shots in the dark. Unless you can un-UPX the file and do some serious reverse-engineering on your own, you probably have to wait for a definition or post your symptoms in a newsgroup or forum and hope someone can help.

    One good thing about VirusTotal is that it submits your sample to AV vendors (if you give it permission) so they are alerted and can start to develop definitions. It's difficult to find contact info for some vendors, but McAfee, ClamAV, CA and others have places you can submit a sample, you would do well to try them all if you have non-sensitive information in an infected file.

    1. Re:We've had two new ones in the past year by PktLoss · · Score: 1

      Thanks, VirusTotal would have been very useful for my pre-infection investigations.

      thank you very much

  14. Causality. by In Fraudem Legis · · Score: 0, Flamebait

    One word: causality! Instead of trying to get rid of the consequence, try to avoid the cause, which is in this case the operating system.

    --
    Per Aspera Ad Astra.
  15. Fweep Fweep!!!! by Anonymous Coward · · Score: 0

    We have a penalty for blatant ignorance. This results in a two year internet privilege suspension and an additional beating around the ears with an Internet for Total Fucking Dummies book. Please step away from the keyboard and assume the position!

    Symantec Antivirus Center
    Computer Associates Virus Information Center
    McAfee Virus Library
    Kaspersky Virus Encyclopedia
    Panda Software Virus Encyclopedia
    Sophos virus analyses
    BitDefender Virus Encyclopedia

    For those that will argue that these search engines do not behave as the article requested; it is simply a matter of searching for the right symptoms. If you accurately describe the behavior of the virus, all of these search engines give you the answer.

    The fact of the matter is that the very best solution is simply to use a commercial antivirus solution. If you are infected with a 0-hour virus, simply wait an hour and run the update utility. Such a product will at least see the virus and tell you its name, even if it is unable to clean it. Worst case you have to use a bootable CD-ROM OS to catch/clean it.

  16. Why rely on Explorer? by scdeimos · · Score: 1

    C:\>attrib -r -a -s -h C:\*.* /s

    And there's plenty of Registry Editors out there besides RegEdit.exe (even RegEdt32.exe ships with Windoze so you can modify Registry ACLs).

  17. Virus by Mike570 · · Score: 1

    A few years ago, before I had any idea what I was doing, I got this annoying virus that began a countdown to restart my computer every time I connected to the internet or went to Microsoft's website. I can't remember what it was called but apparently it caused some havoc. When I found out how easy it was to stop, I was so embarrassed. That was the first day I found out that Windows XP has a built in "firewall" that could be activated. Later that month Microsoft released an update that activated the "firewall". Thanks for the foresight, Microsoft!
    Anyway, with that being said, a searchable database would not be used by the average computer user. It may help those of us who know what we're doing but I think we're in the minority. It surely wouldn't have helped me back then.

    1. Re:Virus by Anonymous Coward · · Score: 0

      Seems to me you still don't have any idea what you are doing.

    2. Re:Virus by Mike570 · · Score: 1

      I haven't had a single virus since then so I must be doing something right.