executables and other binaries

A number of samples on this site and others (like heavens) do not run because they are memory dumps of malware processes that were running on a machine, because they are damaged PE images, or because they are a driver or dll file (or other non-executable) that got renamed to "exe". For example, if you search for "Rootkit" on this site's database, 8 samples are listed currently (08_30_06). The six that are labelled "trojan" or "backdoor" will never run as an executable because of the two issues above.
Could there be categories in the database separately identifying "self-contained executables" from "components of malware that do not run on their own" and "malformed or damaged PE files"? Maybe a listing of the OSes that the samples can run on?

I think that certain scanners (possibly KAV) can rate higher in evaluations where a pile of unexamined files are thrown into a directory and scanned because they have loose cannon signatures for all malware components, including components that will not run on a system by themselves or are not executables or are malformed or are damaged, and these detected components are not reported any differently.

Implementation?

Whenever we get a request to add a new field to the database, we have to come up with a method to do it automatically. If you have a way to tag these broken executables, please email me and we'll talk about it.
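One automatic way to produce the tags the thread asks for, as an added example that is not code from this site or from either poster: parse the PE headers with nothing but the standard library and sort a sample into the categories discussed above (malformed/damaged, DLL, native-subsystem driver, memory dump, self-contained EXE). The category names, the priority order and the memory-dump heuristic (every section's file offset equals its RVA, which is how an image rebuilt from a process dump usually looks) are assumptions for this example; `build_pe` constructs tiny fake images only so the classifier can be exercised offline.

```python
import struct

# Flags from the PE/COFF specification.
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1          # kernel drivers and other non-Win32 images
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2


def classify_pe(data: bytes) -> str:
    """Assign one heuristic tag to a supposed PE image (category names are assumed):
    'malformed'   bad MZ/PE signatures, truncated headers, or section data past EOF
    'memory-dump' every section's PointerToRawData == VirtualAddress (rebuilt from memory)
    'dll'         IMAGE_FILE_DLL set: a component that does not run on its own
    'driver'      native subsystem: not a user-mode program
    'executable'  an ordinary, self-contained EXE image
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "malformed"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) + COFF file header (20 bytes) must fit in the file.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "malformed"
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # Subsystem lives at offset 68 of the optional header for both PE32 and PE32+.
    if opt_size < 70 or opt + opt_size > len(data):
        return "malformed"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        return "malformed"
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]

    # Walk the section table: each entry is 40 bytes; VirtualAddress, SizeOfRawData
    # and PointerToRawData sit at offsets 12, 16 and 20 of the entry.
    sect = opt + opt_size
    if sect + 40 * nsections > len(data):
        return "malformed"
    looks_dumped = nsections > 0
    for i in range(nsections):
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, sect + 40 * i + 12)
        if raw_size and raw_ptr + raw_size > len(data):
            return "malformed"          # section claims bytes the file does not contain
        if raw_size and raw_ptr != va:
            looks_dumped = False        # normal on-disk layout, not a memory image

    if looks_dumped:
        return "memory-dump"
    if characteristics & IMAGE_FILE_DLL:
        return "dll"
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        return "driver"
    return "executable"


def classify_file(path: str) -> str:
    """Convenience wrapper for tagging a sample on disk."""
    with open(path, "rb") as fh:
        return classify_pe(fh.read())


def build_pe(*, dll=False, subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI,
             dumped=False, truncate=False) -> bytes:
    """Constructed minimal PE32 image with one section; test input only, not a program."""
    opt_size, file_align, sect_align, raw_size = 0xE0, 0x200, 0x1000, 0x200
    raw_ptr = sect_align if dumped else file_align   # dumped: file offset == RVA
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 32, sect_align)
    struct.pack_into("<I", opt, 36, file_align)
    struct.pack_into("<H", opt, 68, subsystem)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x100, sect_align, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0")
    image += b"\xCC" * raw_size
    return image[: raw_ptr + raw_size // 2] if truncate else image


if __name__ == "__main__":
    for label, blob in [("exe", build_pe()), ("dll", build_pe(dll=True)),
                        ("drv", build_pe(subsystem=IMAGE_SUBSYSTEM_NATIVE)),
                        ("dump", build_pe(dumped=True)),
                        ("cut", build_pe(truncate=True)), ("junk", b"not a PE")]:
        print(f"{label:5} -> {classify_pe(blob)}")
```

Running the block prints one line per constructed sample. Only the structural checks are definitive; the memory-dump rule is a heuristic, so a real deployment would want to keep it as a separate, lower-confidence tag rather than overwrite a submitter's own description.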