Val says I can start this discussion, so here I go.

A number of features appear to be missing. Apologies if it's there and I didn't see it.

-There ought to be links to the various AV sites and their analysis and name(s) for the sample. I see some of them already have aggregate scan results, those should be turned into fields and links.

-I assume the scan is done once at submission time. There should be a backend process that periodically rescans samples, to reflect changes in the signature databases.

-There ought to be a bunch more cross-reference type fields. Specific examples:
--Does it use an exploit? If so, then link to BugtraqID, CVE, etc...
--Link to CME number
--What platform(s) does it affect?
--What is it packed with?
--What is it written in?
--General malware classifications (worm, virus, etc..)

-Is there a list of samples that need analysis (haven't been analyzed yet)? Or in general, a todo list for contributors? Any of the fields above could be blank; it would be nice to throw those into a work queue.

-Set up a backend IDA collaboration server, à la OpenRCE.

Just brainstorming... I'm sure there's lots more.

Ah, and a desired sample list. In the form of a todo list/queue. For example, I'd be pleased to see a lot of the historical stuff, myself.


One of the things we are working on and need to get done is automation. As crazy as it sounds, all of my posts have been done 100% manually, from the checksumming to the virus scanning to the disassembly.

So an automated way to upload a sample and have it unpacked, disassembled, scanned, checksummed, etc. is SORELY needed.

If anyone has ideas / ability to help with this it would be HUGELY appreciated.

One of the things I'm wrestling with is I like the fluid nature of the Drupal postings, where people can just keep adding information to each post, but on the other hand it's kind of a crappy way to organize large numbers of things. I haven't solved this problem yet.

I have access to tons of old malware archives (more growing all the time), so I'm not averse to adding this. I just need the time (or volunteers) to do it.

Good post!


Auto-unpacking and disassembly will be a challenge.

However, scanning and checksumming are solved problems. Look at, for example. In fact, have you tried asking them if you can use their infrastructure as a backend for your site? I.e. just resend files to their site, if it's a new checksum?

Administrative-related, but not feature request.

There was a Cross Site Scripting bug released for Drupal yesterday. Since this site is running Drupal (I think), you should look into this.
For reference: or
or the same thing posted to [Bugtraq].
According to in Message-ID: <> this has been fixed, or something.