[This post from our internal blog has been sitting in the queue for a couple of months now. And then got bumped by the post on Flame, and had to wait until I got back from vacation… Thanks for being patient, Jim! — C.L.]
Back in March, we were setting up for a round of testing on a new ProxyAV build. One of the items we wanted to test was scanning of file archives.
So, where's a good place to get a bunch of ZIP'ed, GZ'ed and RAR'ed files? How about sourceforge.net?
Accordingly, we downloaded over 4,000 file archives, and stored them on a local server. The ProxyAV was connected to a ProxySG, and a workstation then ran a script to retrieve each file via the SG, which in turn passed them to the AV for scanning.
Rather unexpectedly, we saw some hits from the downloads, which we were expecting to be clean. It seems that there may be a few surprises lurking in some of the files there!
Here is the list, along with notes from the malware team:
//16 hits in VT (shows scanned in April 2012)
//this is a Snort tester, so assume payload is part of test set
//18 hits in VT (shows scanned in June 2011)
//1 hit in VT (shows scanned in July 2011); reanalyzing got 22 hits
softlayer.dl.sourceforge.net/project/wsfuzzer/wsfuzzer/version1.9.5/wsfuzzer-1.9 .5.tar.gz
//SOAP fuzzing tool for pentesting, so assume payload is part of kit; 0 hits now
//5 hits in VT (shows scanned in Feb 2011); reanalyzing got 16 hits
//5 hits in VT (shows scanned in Feb 2011); reanalyzing got 35 hits
//24 hits in VT on 5/31/2012 (hadn't been scanned before)
//29 hits in VT on 5/31/2012 (hadn't been scanned before)
iweb.dl.sourceforge.net/project/file-transfer/file-transfer/File%20Transfer%201. 2j/FileTransfer_1_2_j.zip
//2 hits in VT (shows scanned in Apr 2012); still just 2 hits
//27 hits in VT on 5/31/2012 (hadn't been scanned before)
//35 hits in VT on 5/31/2012 (hadn't been scanned before)
//17 hits in VT 5/31/2012 (hadn't been scanned before)
//love the "comment/description" for this project: "sdfasfasdfsadfasdfsadfadsfasdfasdfsad"
//9 hits in VT (Oct 2011 scan); reanalyzing got 26 hits
//note that it's a keylogger, and should trigger hits…
//36 hits in VT (Jun 2011 scan); reanalyzing got 37 hits
//note that it's a keylogger, and should trigger hits…
www.cpan.org/authors/id/M/MS/MSTEVENS/Mail-DeliveryStatus-BounceParser-1.530.tar .gz
//30 hits in VT (Apr 2012)
//10 hits in VT on 5/31/2012 (hadn't been scanned before)
//3 hits in VT 5/31/2012 (hadn't been scanned before)
iweb.dl.sourceforge.net/project/datingbynumber/Dating%20by%20Number%20and%20Bonu s%20Colour%20Styl%20Advisor.zip
//30 hits in VT (Feb 2012)
Overall, 17 hits (discounting the two that look like the malware may be part of a test set) out of 4,000+ file archives. This may not represent a huge danger, but it should serve as a reminder to be cautious when downloading files, even from "safe" sources.
–C.L. & J.S.
Leave a reply