by bmir-alum-007 3988 days ago
It seems like a scraper which could manage submitting to and checking virustotal would be a good idea.

Also, perhaps wikileaks / virustotal could come to some sort of agreement to scan things and flag them while still making assets available to researchers who still need raw docs, but with large virus warnings which intercept downloads to a warning landing page confirmation if there's no referrer (direct, deep linking).

Finally, the other issue is that not all malware (past, current or future) is known. We ran Windows Server (NT, 2003) boxes directly on the internet (before I forced them to offer departmental firewalls) and these boxes had already attracted all sorts of multi-vendor unseen malware, rootkits and backdoors long before I got there. After deploying WOLF to a number of boxes, Mark Russinovich was like "yea, you should probably take [the IT sec dept's advice]" by just getting firewalls and then formatting all these boxes back to a clean image, fully-patched and strong, production-usable, security policy state. Most IT folks don't conduct forensics research... they see strange behavior, try to find a scanner/remover (maybe 80% success), or partially remove it and continue despite being unable to prove that all traces were removed... Or they wipe the boxes, start over and guess/pray that the same 'sploit doesn't exist twice. There are just too many unknown variants of existing sploits and too many new sploits to have much faith in antivirus (it's reactive, last line-of-defense security). Antivirus is an opposite Bloom filter... it'll tell you if you're pwned or may not be pwned. It's good to have, just not a complete holistic security posture.

4 comments

Edit: One box had really crazy, clever malware (backdoor IRC bot which was firmly detectable by NIDS (snort) and by remote nmap) which defeated local nmap, portmon and rootkitrevealer... and it was a 24x7 production oracle box (no HA or archive log mode master-slave repl) running the dining order, meals and inventory databases, so live cd / usb-hdd-specialized hdd dongle (better forensics) weren't possible.

0. If I had budget authority, I would've ordered something which could grab memory and disk images on a live system and sign-up multiple .edu researchers & symantec security group and equivalent shops under NDA to analyze them.

1. And I would've yanked all those janky (R)ILO (aka RMSA, aka DRAC) cards with their always outdated Linux / Java / PHP "wifi router"-like whatever embedded systems.

2. Finally, I would've spent some cash on honeynet setups and cc: to item 0.

Edit^2: Props to Josh Wieder for sounding the sec awareness alarm. I would only do active sec research on untrusted materials within a decent hypervisor's VM on a virtual desktop (VDI) which has "nonpersistence" on all storage, so it's clean on every power cycle.
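An added example (not the commenter's code) of the scrape-and-check flow proposed above: hash a document locally, look the digest up in VirusTotal, and reduce the report to a verdict where only a detection is a positive statement, the "opposite Bloom filter" behaviour described in the comment, then gate the download behind a warning page only for flagged files fetched by direct/deep link. The v3 endpoint, header name, `site_host` and the sample report are assumptions; the sample report is constructed so the verdict logic runs offline.

```python
import hashlib
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# Assumption: VirusTotal v3 file-report endpoint, keyed by the file's SHA-256.
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_hex(data: bytes) -> str:
    """Hash the raw document locally so only the digest, not the file, leaves the box."""
    return hashlib.sha256(data).hexdigest()


def fetch_report(sha256: str, api_key: str) -> Optional[dict]:
    """Look up an existing report by hash; None means VT has never seen the file (HTTP 404)."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def verdict(report: Optional[dict], min_engines: int = 2) -> str:
    """Reduce a report to 'flag', 'unknown' or 'not-detected'.
    Only 'flag' is positive evidence; the other two mean 'no engine has caught it yet', never 'clean'."""
    if report is None:
        return "unknown"
    stats = report["data"]["attributes"]["last_analysis_stats"]
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return "flag" if hits >= min_engines else "not-detected"


def needs_warning_page(verdict_str: str, referer: str, site_host: str = "example.org") -> bool:
    """Intercept flagged files with a warning landing page when the request is a direct or deep link
    (no Referer, or a Referer from another host); browsing from the site itself still gets the raw file."""
    if verdict_str != "flag":
        return False
    if not referer:
        return True
    return (urllib.parse.urlsplit(referer).hostname or "") != site_host


# Constructed sample in the shape of a v3 report (not real VT output).
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {"malicious": 5, "suspicious": 1, "undetected": 60}}}}
```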

IRC is notorious for this type of garbage. It's pretty neat that the one you found disabled nmap (zenmap?). Did you ever find out what it was, or do you have a hash of the irc bot?
format all these boxes back to clean image, fully-patched and strong, production-usable, security policy state

No. You can't do that. Maybe in 1995. These days you have to throw out the hardware, due to the plethora of firmware rootkits: IPMI BMCs, network cards, hard disk controllers, etc.

A script that automatically submits to virustotal is like reinventing a very slow virus scanner.
Exactly, hence the preference for a partnership directly to get some more API access priority / infrastructure $ for dedicated scanner worker bots (virustotal is probably a bunch of internal VMs with COM instrumentation agents to WinRM or CLI Linux scanner versions, so more of those for private/dedicated users * ).

* I think virustotal could be easily monetized (without altering or cheapening itself) by freemium to orgs, nonprofits, govts that want faster, private, shared/dedicated access to the same "cloud" capabilities. There was HitmanPro which was good early on, but it didn't seem to stay anywhere near as comprehensive as virustotal.

Would you rather have a slow virus scanner or a computer that is constantly slowed down by a virus scanner that is not always needed?
Pretty much every virus scanner since the dawn of viruses can be set to only scan on-demand.
Virustotal doesn't run locally, there's zero client impact!
Wikileaks' purpose is to publish leaked data, not tamper with it.
Please have a look at what I wrote... Not tamper, inform (least surprises).