[nsp-sec] [OT] New feed - ClamAV signatures
Dimitrios Kalogeras
D.Kalogeras at noc.ntua.gr
Mon Jan 28 06:03:52 EST 2008
Hi Rob,
Thanks for the nice service.
We did a short comparison with respect to our daily channel. It
is nice that we find differences and that there is a hit in the scanning
feed which, in a different case, would have gone unnoticed. Is there
a correspondence between the signature feed and the virus/trojan names?
Regards,
Dimitris
Segment of the comparison follows:
- Normal
/artifacts/binaries/0f8f00b9bb264ea4c7129fbfc4ada24d: OK
/artifacts/binaries/1cd42b27c7ea9c5f43e1e2de1dad25a8: OK
/artifacts/binaries/21e0e2bb5d7c0c0b5342de6229cb49f8: OK
/artifacts/binaries/29f0569b6b287b09a0a296e8eb616566: OK
/artifacts/binaries/45fc0e9e1285e77456fead2cf2f02820: OK
/artifacts/binaries/4f64d8c58fc352c308d946546adcb547: Trojan.Agent-8231 FOUND
/artifacts/binaries/5ae700c1dffb00cef492844a4db6cd69: Worm.Blaster.A FOUND
/artifacts/binaries/6b58d96801ee561e9b9e2204811caefd: OK
/artifacts/binaries/8caaebe038838614d51f852f75918d68: OK
/artifacts/binaries/8e0975e55e29ad1a85d47e80ab00e2bc: Trojan.SdBot-7769 FOUND
/artifacts/binaries/ad410dbfeaeea4ed9c253a2140d1004b: OK
/artifacts/binaries/c2204a662150d482795816ca7b0699c6: OK
/artifacts/binaries/cb032b12af742555e60124f6d7d2d2ea: OK
/artifacts/binaries/e92a8302b8fab21cdc8b7f191a584f06: W32.Virut.ci FOUND
/artifacts/binaries/ecaea72984c74bc57f9221d506bc55d5: OK
/artifacts/binaries/f89c3a4394bd82d3aaf68fa4513008cc: OK
- 0 day
/artifacts/binaries/0f8f00b9bb264ea4c7129fbfc4ada24d: DETECT_25.00 FOUND
/artifacts/binaries/1cd42b27c7ea9c5f43e1e2de1dad25a8: DETECT_11.11 FOUND
/artifacts/binaries/21e0e2bb5d7c0c0b5342de6229cb49f8: DETECT_19.44 FOUND
/artifacts/binaries/29f0569b6b287b09a0a296e8eb616566: DETECT_28.57 FOUND
/artifacts/binaries/45fc0e9e1285e77456fead2cf2f02820: DETECT_17.14 FOUND
/artifacts/binaries/4f64d8c58fc352c308d946546adcb547: DETECT_32.26 FOUND
/artifacts/binaries/5ae700c1dffb00cef492844a4db6cd69: Worm.Blaster.A FOUND
/artifacts/binaries/6b58d96801ee561e9b9e2204811caefd: DETECT_37.14 FOUND
/artifacts/binaries/8caaebe038838614d51f852f75918d68: DETECT_77.78 FOUND
/artifacts/binaries/8e0975e55e29ad1a85d47e80ab00e2bc: Trojan.SdBot-7769 FOUND
/artifacts/binaries/ad410dbfeaeea4ed9c253a2140d1004b: DETECT_41.67 FOUND
/artifacts/binaries/c2204a662150d482795816ca7b0699c6: DETECT_31.43 FOUND
/artifacts/binaries/cb032b12af742555e60124f6d7d2d2ea: DETECT_65.71 FOUND
/artifacts/binaries/e92a8302b8fab21cdc8b7f191a584f06: W32.Virut.ci FOUND
/artifacts/binaries/ecaea72984c74bc57f9221d506bc55d5: DETECT_31.43 FOUND
/artifacts/binaries/f89c3a4394bd82d3aaf68fa4513008cc: DETECT_11.43 FOUND
Rob Thomas wrote:
> ----------- nsp-security Confidential --------
>
> Hi, team.
>
> We are pleased to announce that our ClamAV signatures project is now
> ready for release. We base our signatures on our large malware
> menagerie. Each sample we collect is scrutinized by 33+ anti-virus
> packages and several sandboxes. The resulting analysis determines if
> the sample is malware. We then generate ClamAV signatures for those
> samples that are tagged as malware by our malware analysis process.
> We're processing circa 15K new malware samples per day, so this is a
> significant amount.
>
> Many of you are likely already familiar with ClamAV, which runs on a
> wide variety of platforms. You can read a bit about ClamAV and all
> about our ClamAV Signatures Project at the following URL:
>
> URL: <https://clamsigs.cymru.com/avsigs/>
> Login: tcsigs
> Pass: klams1gz
>
> Please do take the time to read the verbiage regarding installation.
> Our thanks to Larry Lidz for providing a handy Unix-based download
> shell script, which you'll find referenced on the main page.
>
> The actual signature files can be found at the following
> authenticated URL. Please use your nsp-sec mailing list login and
> password to access the download section of our ClamAV Signatures
> Project page.
>
> URL: <https://clamsigs.cymru.com/avsigs/downloads/>
>
> If you have forgotten or need to reset your nsp-sec mailing list
> login and password, you'll find a handy reset tool at the bottom of
> the following page:
>
> URL: <https://puck.nether.net/mailman/listinfo/nsp-security>
>
> We do not intend to make this fully public, but instead will confine
> it to vetted communities such as nsp-sec and FIRST. You may freely
> use these signatures on any platform capable of running ClamAV. You
> may redistribute the signatures within your organization. These
> signatures are for non-commercial use ONLY. If you are interested in
> redistributing these signatures in your products or through your
> customer services, you MUST obtain our written permission to do so.
> We don't want to spend time debugging flash-crowd DDoS. :)
>
> Please remember that this is a *FREE* service and we provide no
> warranties or guarantees. We strive for high quality in all of our
> feeds, but there exists the possibility that these signatures will
> generate false positives, impact the performance of ClamAV, or
> increase the carbon footprint of Al Gore's mansion. Use at your own
> risk.
>
> We remain keenly interested in any and all suggestions, feedback, and
> reports of false positives. Please send those to <team-cymru at cymru.com>.
>
> Thanks!
> Rob.
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
--
Dimitrios K. Kalogeras
Electrical Engineer, Ph.D.
Network Engineer
NTUA/GR-Net Network Management Center
_____________________________________
icq: 11887484
voice: +30-210-772 1863
fax: +30-210-772 1866
e-mail: D.Kalogeras at noc.ntua.gr
pub 1024D/0E421B50 2007-01-17 [expires: 2008-01-17] Dimitrios Kalogeras (dkalo) <D.Kalogeras at noc.ntua.gr>
Key fingerprint = F8C8 7B67 74A4 1F82 CDDF 8554 E1EF 7FAE 0E42 1B50
PGP-KEY: http://ajax.noc.ntua.gr/~dkalo/dkalo_pgp.txt
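A small comparison script of the kind behind the listing above, as an added example that is not part of the original post: it parses two clamscan reports (tolerating the line wrapping seen in the mail) and sorts each sample into buckets so that feed-only hits, agreeing hits and name mismatches can be reviewed separately. The DETECT_nn.nn names are treated as opaque strings; the sample lines are taken from the comparison in the post.

```python
"""Diff two clamscan runs (daily signature set vs. an extra feed) and bucket
each sample by how the verdicts differ. Added example, not from the post."""
import re
from typing import Dict, List, Optional
# clamscan prints "<path>: OK" or "<path>: <signature> FOUND" per file; a
# mailed report may wrap a long line, leaving a bare "FOUND" on the next one.
_LINE = re.compile(r"^(?P<path>\S.*?): (?:OK|(?P<sig>\S+) FOUND)$")

def parse_clamscan(text: str) -> Dict[str, Optional[str]]:
    """Map each path to its signature name, or None when the verdict is OK."""
    results: Dict[str, Optional[str]] = {}
    pending = None  # (path, sig) whose "FOUND" wrapped onto the following line
    for line in (l.strip() for l in text.splitlines()):
        if line == "FOUND" and pending:
            results[pending[0]] = pending[1]
            pending = None
        elif (m := _LINE.match(line)):
            results[m["path"]] = m["sig"]
        elif ": " in line:
            pending = tuple(line.rsplit(": ", 1))
    return results

def compare(base: Dict[str, Optional[str]],
            feed: Dict[str, Optional[str]]) -> Dict[str, List[tuple]]:
    """Group every path seen in either run into review buckets."""
    out: Dict[str, List[tuple]] = {k: [] for k in
        ("feed_only", "base_only", "agree", "name_differs", "clean_in_both")}
    for path in sorted(set(base) | set(feed)):
        b, f = base.get(path), feed.get(path)
        if b is None and f is None:
            out["clean_in_both"].append((path,))
        elif b is None:
            out["feed_only"].append((path, f))        # coverage gained from feed
        elif f is None:
            out["base_only"].append((path, b))        # known sample the feed misses
        elif b == f:
            out["agree"].append((path, b))
        else:
            out["name_differs"].append((path, b, f))  # same file, two names
    return out

# Sample reports lifted from the post (the wrapped FOUND is deliberate).
NORMAL = """/artifacts/binaries/0f8f00b9bb264ea4c7129fbfc4ada24d: OK
/artifacts/binaries/4f64d8c58fc352c308d946546adcb547: Trojan.Agent-8231
FOUND
/artifacts/binaries/5ae700c1dffb00cef492844a4db6cd69: Worm.Blaster.A FOUND"""
ZERO_DAY = """/artifacts/binaries/0f8f00b9bb264ea4c7129fbfc4ada24d: DETECT_25.00 FOUND
/artifacts/binaries/4f64d8c58fc352c308d946546adcb547: DETECT_32.26 FOUND
/artifacts/binaries/5ae700c1dffb00cef492844a4db6cd69: Worm.Blaster.A FOUND"""

if __name__ == "__main__":
    for bucket, items in compare(parse_clamscan(NORMAL), parse_clamscan(ZERO_DAY)).items():
        print(bucket, *items, sep="\n  ")
```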