[Help] Those who have used ThreatExpert, please give your assessment
Views: 2904 | Replies: 11
jefffire
Posted 2008-8-26 22:25:59
I tried ThreatExpert and found its analysis of viruses quite thorough, comparable to manual analysis. Does anyone know how it works?
hum
Posted 2008-8-26 22:34:28
My guess:
After you upload a sample, the ThreatExpert server runs it in a virtual environment (a sandbox, a virtual machine, etc.),
monitors what it does,
then writes up a report and sends it to you; the uploaded sample is added to the PC Tools antivirus signature database.

[Last edited by hum on 2008-8-26 22:37]
yager (account deleted)
Posted 2008-8-26 22:36:42
Why do I only see things like the MD5

and the filename?
jefffire
Thread starter | Posted 2008-8-26 22:36:45
Just a sandbox? I thought it used a virtual machine like VMware plus intrusion detection.
hum
Posted 2008-8-26 22:37:43

Reply to jefffire's post (#4)

It runs in a virtual environment.
Not necessarily a sandbox.
jefffire
Thread starter | Posted 2008-8-26 22:47:18
It can't be that you only see the MD5; it produces a detailed report.
yager (account deleted)
Posted 2008-8-26 23:04:46
Submission Summary:
Submission details:
Submission received: 25 August 2008, 10:17:25
Processing time: 4 min 47 sec
Submitted sample:
File MD5: 0x75393CC2B2EA6AD931DACB95338DC1F9
Filesize: 264,084 bytes


Technical Details:


File System Modifications

The following file was created in the system:
# Filename(s) File Size File MD5
1 [file and pathname of the sample #1]  264,084 bytes 0x75393CC2B2EA6AD931DACB95338DC1F9
嘁。不稀罕~
Posted 2008-8-26 23:07:25

Reply to yager's post (#3)

Because the sample you uploaded is not a threat... or could not be executed... so naturally it cannot give you more detailed information...
yager (account deleted)
Posted 2008-8-26 23:44:44
What's been found        Severity Level
Contains characteristics of an identified security risk.       


Technical Details:


        Possible Security Risk

    * Attention! The following threat category was identified:

Threat Category        Description
        A malicious backdoor trojan that runs in the background and allows remote access to the compromised system


        File System Modifications

    * The following file was created in the system:

#        Filename(s)        File Size        File MD5        Alias
1         [file and pathname of the sample #1]         211,456 bytes         0xA8F263E0C2CDC105B6736F62720BB562         Backdoor.Win32.Delf.jpi [Kaspersky Lab]
hum
Posted 2008-8-27 08:36:49
Possible Security Risk

Attention! The following threat category was identified:
Threat Category        Description
        A malicious backdoor trojan that runs in the background and allows remote access to the compromised system


        File System Modifications

The following file was created in the system:
#        Filename(s)        File Size        File MD5        Alias
1        [file and pathname of the sample #1]
%Windir%\XP professional.exe         716,288 bytes        0x93D0CA4131148FCF2F999A9E57DB4819        Backdoor.Win32.Hupigon.btrm [Kaspersky Lab]
Mal/Behav-058 [Sophos]



        Memory Modifications

There were new processes created in the system:
Process Name        Process Filename        Main Module Size
xp professional.exe        %Windir%\xp professional.exe        745,472 bytes
[filename of the sample #1]        [file and pathname of the sample #1]        745,472 bytes

There was a new service created in the system:
Service Name        Display Name        Status        Service Filename
XP professional        XP professional        "Stopped"        %Windir%\XP professional.exe



        Registry Modifications

The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\XP professional
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\XP professional\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XP professional
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XP professional\Security
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\XP professional\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\XP professional]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%Windir%\XP professional.exe"
DisplayName = "XP professional"
ObjectName = "LocalSystem"
Description = "XP professional����"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XP professional\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XP professional]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%Windir%\XP professional.exe"
DisplayName = "XP professional"
ObjectName = "LocalSystem"
Description = "XP professional����"
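As an added example (not from the thread and not ThreatExpert's own code), here is a small Python parser that reads the registry section of a report like the one above and turns each newly created service key into a persistence finding (registered binary, start type, account). The sample text is constructed from the values quoted in the post, trimmed to one ControlSet.

```python
import re

# Constructed sample: the registry section of the ThreatExpert report quoted
# in the post above, trimmed to one ControlSet (values as shown on the page).
SAMPLE_REPORT = r"""
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XP professional]
Type = 0x00000110
Start = 0x00000002
ImagePath = "%Windir%\XP professional.exe"
DisplayName = "XP professional"
ObjectName = "LocalSystem"
"""

# SERVICE_*_START constants from the Windows Service Control Manager API.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(\w+) = "?([^"]*)"?$')
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)

def parse_registry_values(report: str) -> dict:
    """Map each '[key]' block of the report to its name = value pairs."""
    blocks, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = blocks.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return blocks

def service_persistence(report: str) -> list:
    """Flag every new Services\\<name> key that carries an ImagePath as a
    persistence finding: which binary, how it starts, under which account."""
    findings = []
    for key, vals in parse_registry_values(report).items():
        m = SERVICE_RE.search(key)
        if not m or "ImagePath" not in vals:
            continue  # Security subkeys and non-service keys carry no ImagePath
        start = int(vals.get("Start", "0x3"), 16)
        svc_type = int(vals.get("Type", "0x0"), 16)
        findings.append({
            "service": m.group(1),
            "image_path": vals["ImagePath"],
            "start": START_TYPES.get(start, f"unknown({start})"),
            "account": vals.get("ObjectName", ""),
            "interactive": bool(svc_type & 0x100),  # SERVICE_INTERACTIVE_PROCESS
        })
    return findings
```

Running `service_persistence(SAMPLE_REPORT)` on the sample reports an auto-start, interactive service running as LocalSystem from %Windir%, which is the detail a responder would pivot on when checking a host.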