funsec mailing list archives

Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!]


From: val smith <mvalsmith () gmail com>
Date: Wed, 28 Dec 2005 17:59:41 -0700


I. Have users authenticate themselves to the website after first
registering via email.


I'm doing that one already.

    A   Optionally, new users can only get credentials after being
nominated by two existing members
         1.   Optionally, seed the first users with well-known AV vendor
people


If I could get any feedback whatsoever from well-known AV people I'd be
interested in looking into this. Not sure about the vetting process; however,
that's a pretty good start for one.

II.  Only post samples that are detected by at least one major AV
vendor; send undetected samples to legit AV vendors
     (this will discourage people from writing new stuff and uploading it)


This really defeats the purpose of being able to rapidly analyze new stuff
that's not detected yet. I do indeed already send undetected samples to legit
AV vendors.

III.  Remove samples after a period of time.
      Most legit analysis only need be done for a period of time
shortly after discovery


Not sure about this one, have to think on it.


IV. Don't provide access to file infectors.
     These are relatively rare and easy to mishandle
V. Don't provide any source of any kind


I think this falls into the argument of just not doing it at all then. The
source is of greatest use if I can get it. However I wasn't planning on
source since I assumed I'd never get it anyway.

VI.  Limit the amount of stuff that someone can download so that they
can't leech the site


I can definitely at least prevent things like wget, etc.

VII.  Encrypt samples in storage and unencrypt (or provide the key) on
the fly when the file is requested.  This should raise the bar should
your server itself be compromised.


Have to think about this one. Not sure if the work outweighs the benefit,
but possibly.

VIII.  Freely provide as much information as possible about the sample
so that users may use that information and don't need to get the
sample itself.
  e.g.   filenames used, bot C&Cs, URLs it requests, MD5 / SHA-1
hashes, CLAM sig, etc.


Already do this except for the "don't need to get the sample itself"

I'm sure there's more, but that's off the top of my head...

-John


Mostly good suggestions! Thanks!

V
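Added example (not code from John's or Val's messages, and not from any sample-sharing site): a small in-memory sketch of two of the suggestions above. Suggestion VIII is covered by a metadata record (size, MD5 / SHA-1 / SHA-256, which vendors detect it, and indicators such as C&C hosts and requested URLs) that any authenticated member can read without ever downloading the binary; suggestion VI by a sliding-window per-user download quota so the site cannot simply be leeched. The class and function names, the quota numbers, and the placeholder sample bytes are all my own choices for illustration. The clock is injectable so the window behaviour can be checked without waiting.

```python
import hashlib
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class SampleRecord:
    """Metadata a member can read without pulling the binary (suggestion VIII)."""
    name: str
    size: int
    md5: str
    sha1: str
    sha256: str
    detected_by: tuple  # AV vendors known to detect it; empty if undetected
    indicators: dict    # e.g. {"c2": [...], "urls": [...], "filenames": [...]}


def describe_sample(name, data, detected_by=(), indicators=None):
    """Build the metadata record: hashes plus whatever indicators analysis produced."""
    return SampleRecord(
        name=name,
        size=len(data),
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
        detected_by=tuple(detected_by),
        indicators=dict(indicators or {}),
    )


class DownloadQuota:
    """Sliding-window per-user download limit (suggestion VI).

    Keeps the timestamps of each user's recent downloads and refuses a new one
    once `max_downloads` of them fall inside the last `window_seconds`.
    """

    def __init__(self, max_downloads, window_seconds, clock=time.monotonic):
        self.max_downloads = max_downloads
        self.window_seconds = window_seconds
        self.clock = clock  # injectable for deterministic tests
        self._history = defaultdict(deque)

    def allow(self, user):
        """Record a download for `user` and return True, or return False if over quota."""
        now = self.clock()
        recent = self._history[user]
        # Drop timestamps that have aged out of the window.
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_downloads:
            return False
        recent.append(now)
        return True


class SampleStore:
    """Metadata is free to any authenticated member; the binary costs quota."""

    def __init__(self, quota):
        self.quota = quota
        self._samples = {}  # name -> (bytes, SampleRecord)

    def add(self, name, data, detected_by=(), indicators=None):
        record = describe_sample(name, data, detected_by, indicators)
        self._samples[name] = (data, record)
        return record

    def metadata(self, name):
        """Hashes and indicators only; never charged against the download quota."""
        return self._samples[name][1]

    def fetch(self, user, name):
        """Return the sample bytes, or None if unknown or the user is over quota."""
        if name not in self._samples:
            return None
        if not self.quota.allow(user):
            return None
        return self._samples[name][0]


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a sample; not real malware.
    sample = b"MZ\x90\x00" + b"constructed placeholder sample " * 4
    store = SampleStore(DownloadQuota(max_downloads=20, window_seconds=24 * 3600))
    rec = store.add(
        "sample-0001.exe", sample, detected_by=("vendor-a",),
        indicators={"c2": ["c2.example.invalid"], "urls": ["http://example.invalid/x"]},
    )
    print(rec)
    print("download allowed:", store.fetch("member-1", "sample-0001.exe") is not None)
```

A real deployment would persist the quota history server-side (per account, not per IP, so a member cannot reset it by changing address) and would wrap the stored bytes with a proper library cipher if suggestion VII is adopted; neither is shown here.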
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
