Art
The below web site offers a complex malicious code simulator which is
likely to be controversial:

http://www.morgud.com/interests/security/dfk-threat-simulator.asp

The simulated malicious program in the kit is named
Office_Idiots_ (funny)_.exe

I've not yet run it on my Win 2K PC since I would want to have some
kind of test plan in mind, and I've not yet given it enough thought.
The kit does contain a remover utility.

The author compares his complex simulator to the eicar.com antivirus
test file, which I think is quite a stretch. Eicar is a simple test
string. The DFKS kit is far more, and it might lead to serious
problems. Seems to me most users might benefit from limiting their
exposure to just a thorough read of the description at the web
site ... and leave it at that.

Here's a Virus Total result on the program file:
************************************
This is a report processed by VirusTotal on 10/28/2005 at 19:35:12
(CET) after scanning the file "Office_Idiots__funny_.exe" file.

Antivirus      Version          Update      Result
AntiVir        6.32.0.6         10.28.2005  no virus found
Avast          4.6.695.0        10.27.2005  no virus found
AVG            718              10.24.2005  no virus found
Avira          6.32.0.6         10.28.2005  no virus found
BitDefender    7.2              10.28.2005  no virus found
CAT-QuickHeal  8.00             10.26.2005  no virus found
ClamAV         devel-20050917   10.27.2005  no virus found
DrWeb          4.32b            10.23.2005  no virus found
eTrust-Iris    7.1.194.0        10.27.2005  no virus found
eTrust-Vet     11.9.1.0         10.28.2005  no virus found
Fortinet       2.48.0.0         10.27.2005  W32/RootkitDFKTS.A-tr
F-Prot         3.16c            10.26.2005  no virus found
Ikarus         0.2.59.0         10.28.2005  no virus found
Kaspersky      4.0.2.24         10.28.2005  Trojan-Dropper.Win32.Agent.zn
McAfee         4615             10.28.2005  no virus found
NOD32v2        1.1266           10.26.2005  no virus found
Norman         5.70.10          10.28.2005  no virus found
Panda          8.02.00          10.28.2005  no virus found
Sophos         3.99.0           10.28.2005  no virus found
Symantec       8.0              10.27.2005  Trojan.Dropper
TheHacker      5.8.4.128        10.26.2005  no virus found
VBA32          3.10.4           10.28.2005  no virus found
*******************************************
It looks to me like Fortinet is the only product that gives an exact
ID. NAV with its "Trojan.Dropper" report sees something malicious
but doesn't know exactly what. The KAV report suggests something
similar ... but it looks more to me like KAV might be misidentifying.
I might submit the file to Kaspersky to see what they have to say
about the alert.

Anyway, thoughts anyone? Is this sort of thing a GOOD THING or
a BAD THING or what? Has anyone worked with it and found it useful
for learning more about protection?
Art
http://home.epix.net/~artnpeg
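One way to triage a pasted multi-engine report like the one in the post above, as an added example that is not part of the original post or of VirusTotal's own tooling: a small Python parser that reads the engine rows (including the ones where vendor and version ran together in the paste), counts detections, separates family-specific labels from generic ones, and flags engines whose signatures were several days older than the scan, so a "no virus found" from them carries less weight. The generic/specific token lists and the three-day staleness threshold are my own assumptions, not VirusTotal's rules, and the sample rows are constructed from the report quoted in the post.

```python
"""Triage of a pasted multi-engine antivirus scan report (VirusTotal style)."""
import re
from dataclasses import dataclass
from datetime import date

# Constructed input: the report rows as pasted in the post, scan dated
# 10/28/2005. The header line is included to show it is skipped, and some
# rows have the vendor and version run together, exactly as in the paste.
SCAN_DATE = "10.28.2005"
REPORT = """\
Antivirus Version Update Result
AntiVir 6.32.0.6 10.28.2005 no virus found
Avast 4.6.695.0 10.27.2005 no virus found
AVG 718 10.24.2005 no virus found
Avira 6.32.0.6 10.28.2005 no virus found
BitDefender 7.2 10.28.2005 no virus found
CAT-QuickHeal 8.00 10.26.2005 no virus found
ClamAV devel-20050917 10.27.2005 no virus found
DrWeb 4.32b 10.23.2005 no virus found
eTrust-Iris7.1.194.0 10.27.2005 no virus found
eTrust-Vet11.9.1.0 10.28.2005 no virus found
Fortinet 2.48.0.0 10.27.2005 W32/RootkitDFKTS.A-tr
F-Prot 3.16c 10.26.2005 no virus found
Ikarus 0.2.59.0 10.28.2005 no virus found
Kaspersky4.0.2.24 10.28.2005 Trojan-Dropper.Win32.Agent.zn
McAfee 4615 10.28.2005 no virus found
NOD32v2 1.1266 10.26.2005 no virus found
Norman 5.70.10 10.28.2005 no virus found
Panda 8.02.00 10.28.2005 no virus found
Sophos 3.99.0 10.28.2005 no virus found
Symantec 8.0 10.27.2005 Trojan.Dropper
TheHacker5.8.4.128 10.26.2005 no virus found
VBA32 3.10.4 10.28.2005 no virus found
"""

CLEAN = "no virus found"
# A data row is anchored on its MM.DD.YYYY update date: everything before it
# is vendor plus version, everything after it is the verdict.
ROW_RE = re.compile(r"^(?P<head>.+?)\s+(?P<update>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$")
# Splits a fused "Kaspersky4.0.2.24" into vendor and dotted version.
FUSED_RE = re.compile(r"^(?P<vendor>.*?[A-Za-z-])(?P<version>\d+(?:\.\d+)+)$")
# Heuristic (my assumption, not a VirusTotal rule): a label made only of
# category words, a platform tag and a short variant suffix names no family,
# so it is "generic"; a label carrying any other token is "specific".
CATEGORY_TOKENS = {"trojan", "dropper", "agent", "generic", "malware", "heur", "suspicious"}
PLATFORM_TOKENS = {"w32", "win32"}


@dataclass
class Row:
    vendor: str
    version: str
    update: date
    result: str

    @property
    def detected(self) -> bool:
        return self.result.lower() != CLEAN

    @property
    def specificity(self) -> str:
        return label_specificity(self.result)


def parse_date(text: str) -> date:
    """Dates in the report are MM.DD.YYYY."""
    month, day, year = (int(p) for p in text.split("."))
    return date(year, month, day)


def split_head(head: str) -> tuple[str, str]:
    """Separate vendor from version, whether or not a space survived the paste."""
    if " " in head:
        vendor, version = head.rsplit(" ", 1)
        return vendor, version
    match = FUSED_RE.match(head)
    return (match.group("vendor"), match.group("version")) if match else (head, "")


def label_specificity(result: str) -> str:
    if result.lower() == CLEAN:
        return "clean"
    tokens = [t.lower() for t in re.split(r"[./\-]", result) if t]
    family = [t for t in tokens
              if t not in CATEGORY_TOKENS and t not in PLATFORM_TOKENS and len(t) > 2]
    return "specific" if family else "generic"


def parse_report(text: str) -> list[Row]:
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:  # header, separators and blank lines carry no date
            continue
        vendor, version = split_head(match.group("head"))
        rows.append(Row(vendor, version, parse_date(match.group("update")), match.group("result")))
    return rows


def summarize(text: str, scan_date: str, stale_after_days: int = 3) -> dict:
    """Detection count, label quality and signature freshness for one report."""
    scanned = parse_date(scan_date)
    rows = parse_report(text)
    hits = [r for r in rows if r.detected]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "specific": [r.vendor for r in hits if r.specificity == "specific"],
        "generic": [r.vendor for r in hits if r.specificity == "generic"],
        # Engines whose signatures were at least stale_after_days old at scan time.
        "stale": [r.vendor for r in rows if (scanned - r.update).days >= stale_after_days],
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT, SCAN_DATE).items():
        print(f"{key}: {value}")
```

Run as-is it reports 3 detections out of 22 engines, Fortinet as the only family-specific label, Kaspersky and Symantec as generic labels, and AVG and DrWeb as engines whose signatures were four and five days old at scan time. The point of the staleness column is that a clean verdict and a stale signature set together say much less than a clean verdict alone appears to.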