4 Replies Latest reply on Aug 10, 2011 9:17 AM by stonent

    What to do with large malware samples

      I'm finding more and more that we are getting malware which contains files that are 20+ MB in size.

      When submitting these files zipped to McAfee they usually compress to less than 200 KB or so, but we get an immediate e-mail back that they are inconclusive and there's never a follow-up.

      In the e-mail it will look like this:

      McAfee Labs - Beaverton
      Current Scan Engine Version:5400.1158
      Current DAT Version:6419.0000
      Thank you for your submission.

      Analysis ID: 6704276

      File Name            Findings                       Detection                    Type         Extra
      --------------------|------------------------------|---------------------------- |------------|-----
      da56.zip            |inconclusive                  |                            |            |no

      inconclusive [da56.zip]

         Automated analysis was not able to determine that this file is malware. This file is
      being sent for further processing and the DAT files will potentially be updated if
      detection of this sample is warranted.


      Notice the zip file is not unpacked, so no matter how many samples are in the file, if one is large, the file won't be unpacked.

      A normal submission will look like this:

      McAfee Labs - Beaverton
      Current Scan Engine Version:5400.1158
      Current DAT Version:6419.0000
      Thank you for your submission.

      Analysis ID: 6704275

      File Name            Findings                       Detection                    Type         Extra
      --------------------|------------------------------|---------------------------- |------------|-----
      f3ezsetp.dll        |inconclusive                  |                            |            |no
      f3plugin.dll        |inconclusive                  |                            |            |no
      npfunweb.dll        |inconclusive                  |                            |            |no

      inconclusive [f3ezsetp.dll f3plugin.dll npfunweb.dll]

      Since these files were small, they were unpacked.


      Most of these oversized files are executables with megabytes of repeating garbage. In the first submission, there is 24 MB of "¸^<" repeating.

      So I will manually open these files in Notepad, select all the junk and delete it. Does McAfee have a utility that can simplify the submission process for these files?

        • 1. Re: What to do with large malware samples
          wwarren
          Does McAfee have a utility that can simplify the submission process for these files?

          Not that I'm aware of but I'm not tightly grafted into our McAfee Labs processes.

          I would suggest calling into Support to speak with a McAfee Labs trained technician for answers to your questions.

          As a related comment, I can see why malware is coming in at that size - some organizations have policies in place, be it at gateways, mail servers or clients, that do not scan the larger files, accepting it as a trade-off between performance and security. It's not a good policy in my opinion, and you have the proof right there.

          1 of 1 people found this helpful
          • 2. Re: What to do with large malware samples

            OK, so here's what I did, but it doesn't seem to be having the results that I wanted.

            I downloaded the Unix command dd that had been ported to Windows, which will let you read from a file and output it to another file:

            dd if=bigmalwaresample of=smallersample.300 bs=1024 count=300

            What that does is read the first 300 KB of the big file and output it into a file with the extension .300 on it.

            So I took all my trimmed malware samples and sent them off. Within 2 or 3 hours extra.dats were generated for me via the e-mail submission process.

            I waited a few days and rescanned the folders. All the 300 KB files were removed with the current daily DATs without the extra DATs. The original 20+ MB samples were untouched.

            It looks like it used an MD5 match on the files and killed them but didn't realize the other samples were mostly identical.

            Today I resent more samples of different sizes, first 100 KB and first 1024 KB. Perhaps it will catch on?

            I also took these trimmed samples and originals and ran them through the Kaspersky removal tool. They all got hits as being the same malware, so it looks like Kaspersky can catch the similarities between the files.

            It is unfortunate that my organization keeps getting hit with these types of infections. We're running VS 8.7 and HIPS 7.0.

            Message was edited by: stonent on 8/2/11 10:38:26 AM CDT
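The trimming step described in the reply above (dd keeping the first 300 KB) and the whole-file hash behaviour the poster observed afterwards, as an added example that is not part of this thread and not a McAfee tool: the script below locates the trailing run of one short repeated byte pattern (like the "¸^<" run from the first post), writes the sample with that run cut off, and prints the MD5 of both. It assumes the real content sits in front of the padding and that the padding repeats a pattern of at most 8 bytes; the sample file built by build_padded_sample is constructed for the demonstration. Cutting at the padding boundary rather than at a fixed 300 KB keeps the whole real content, and the hashes show why two copies of one sample padded to different lengths never share a whole-file MD5 while their trimmed forms do.

```python
"""Locate and strip the repeating junk padding from an oversized sample.

Added example for this thread; not McAfee code. Assumes the padding is a
trailing run of one short byte pattern (at most 8 bytes long) and that the
real content is everything in front of it.
"""
import hashlib
import sys

HEAD_KB = 300  # the cutoff used in the dd command above: first 300 KB


def md5hex(data: bytes) -> str:
    """MD5 of a whole blob; differently padded copies never share one."""
    return hashlib.md5(data).hexdigest()


def head(data: bytes, kb: int = HEAD_KB) -> bytes:
    """Same result as `dd if=... bs=1024 count=<kb>`: the first kb kilobytes."""
    return data[:kb * 1024]


def padding_start(data: bytes, max_period: int = 8, min_run: int = 4096) -> int:
    """Offset where a trailing run of a repeated 1..max_period byte pattern
    begins, or len(data) if no run of at least min_run bytes exists."""
    n = len(data)
    best_start = n
    for p in range(1, max_period + 1):
        if n < 2 * p:
            break
        unit = data[n - p:]          # the repeating unit as seen at the very end
        chunk = unit * 1024          # step back in big blocks first, for speed
        clen = len(chunk)
        end = n                      # invariant: data[end:n] has period p
        while end - clen >= 0 and data[end - clen:end] == chunk:
            end -= clen
        while end - p >= 0 and data[end - p:end] == unit:
            end -= p
        # the run need not start on a unit boundary: keep extending while each
        # byte still equals the byte one period later
        while end > 0 and data[end - 1] == data[end - 1 + p]:
            end -= 1
        if n - end >= min_run and end < best_start:
            best_start = end
    return best_start


def trim_padding(data: bytes, **kwargs) -> bytes:
    """The sample with its trailing junk run removed."""
    return data[:padding_start(data, **kwargs)]


def build_padded_sample(payload: bytes, pattern: bytes, total_len: int) -> bytes:
    """Constructed test data only: payload followed by `pattern` repeated
    (with a partial unit at the end) until the blob is total_len bytes."""
    reps, rem = divmod(total_len - len(payload), len(pattern))
    return payload + pattern * reps + pattern[:rem]


def main(path: str) -> None:
    """Write <path>.trimmed and report sizes and MD5s of both files."""
    with open(path, "rb") as fh:
        data = fh.read()
    start = padding_start(data)
    trimmed = data[:start]
    out = path + ".trimmed"
    with open(out, "wb") as fh:
        fh.write(trimmed)
    print(f"{path}: {len(data)} bytes, md5 {md5hex(data)}")
    print(f"{out}: {len(trimmed)} bytes, md5 {md5hex(trimmed)} "
          f"({len(data) - start} bytes of padding removed)")


if __name__ == "__main__":
    main(sys.argv[1])
```

Run it as `python trim_padding.py bigmalwaresample` to get `bigmalwaresample.trimmed`. The min_run floor of 4 KB stops a short coincidental repeat at the end of a normal executable from being cut, and the byte-by-byte extension handles padding whose length is not a multiple of the pattern length.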
            • 3. Re: What to do with large malware samples
              jeffreychirino

              When the samples are 5 MB+, just create an SR with Gold support.

              They can set up an FTP location and make sure that the samples are delivered to McAfee Labs.

              • 4. Re: What to do with large malware samples

                OK, we sent them to Gold support and they took them. Still, we see so many of these types of malware that seem to evade our scanners because of the size. We can always find them with Kaspersky, but that's always after the fact.