Author Topic: how are URLs verified to be malicious?  (Read 6149 times)


February 29, 2008, 07:23:08 am

tjs
I'm just curious: how are URLs verified to be malicious? Is it a manual process, or do you just trust user submissions? I sometimes see malware names; which vendor's name do you use when you do find malware?

I understand if you don't want to share this information.   :-X

TJS

February 29, 2008, 09:09:13 am
Reply #1

sowhat-x
Sure, why shouldn't we share this kind of information... it's not a trade/military secret, he-he...
Verification is done manually by JohnC after submission, quite a bit of work there...
(makes me feel kind of guilty for not being able to help more at the current moment...)  :-[

Regarding names, I think he prefers using the ones that are used
by most AVs at the time of scanning... if they've flagged the sample yet, of course.
Else, you might see a name like "Generic Downloader", "Exploit" or something similar...
But JohnC will provide more accurate detail/info himself in this area...

February 29, 2008, 02:42:44 pm
Reply #2

JohnC
Precisely what sowhat-x stated. I try to use a known name, rather than giving it something original just for the sake of it. Then people that come here looking for a specific piece of malware can try and find it based on the name if it is in the list. I try and use a common name that most AVs recognise it by, but if they use multiple names, sometimes I will use different names separated by a slash. Sometimes it is quite generic though, such as "Downloader" or "Exploits" or "Trojan" etc... I have had requests to try and be more specific with regards to exploits, which is something I would like to do. But with exploit packs that try a variety of exploits, I either would have to put the name of the exploit pack or list all exploits etc... plus this takes more time. Maybe in the future I will do this, but for now this seems alright.
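The naming rule JohnC describes (use the family name most AVs agree on, join ties with a slash, fall back to a generic category such as "Downloader" when no vendor names a family) can be automated over a set of vendor labels. The following is an added example, not code from this forum or from the list's own tooling; the vendor labels are constructed, and the category and noise token lists, as well as the label-splitting regex, are assumptions about how AV labels are structured.

```python
"""Consensus naming for one sample from several AV vendor labels (added example)."""
import re
from collections import Counter

# Tokens that name a malware category rather than a family (assumed list).
CATEGORIES = {"trojan", "downloader", "exploit", "exploits", "backdoor", "worm"}
# Tokens that carry no naming information: platform, heuristics, variant markers (assumed).
NOISE = {"win32", "w32", "html", "js", "vbs", "generic", "heur", "variant",
         "agent", "suspicious", "packed", "gen", "malware"}

def tokens(label):
    """Split a vendor label such as 'Trojan-Downloader.Win32.Zlob.abc' into lowercase tokens."""
    for tok in re.split(r"[./:\-_ !@]+", label.lower()):
        if tok in NOISE or tok in CATEGORIES:
            yield tok
            continue
        tok = re.sub(r"\d+$", "", tok)   # drop trailing version digits, e.g. 'zlob12' -> 'zlob'
        if len(tok) > 2:                 # skip variant suffixes like 'xy' or 'x'
            yield tok

def family_of(label):
    """Family token of one label, or None if the label is purely generic."""
    for tok in tokens(label):
        if tok not in CATEGORIES and tok not in NOISE:
            return tok
    return None

def category_of(label):
    """Category token of one label ('exploits' normalised to 'exploit'), or None."""
    for tok in tokens(label):
        if tok in CATEGORIES:
            return "exploit" if tok == "exploits" else tok
    return None

def consensus_name(detections):
    """Name most vendors agree on; ties joined with '/'; generic category as fallback."""
    counts = Counter(f for f in map(family_of, detections.values()) if f)
    if not counts:   # nobody named a family: fall back to the most common category
        counts = Counter(c for c in map(category_of, detections.values()) if c)
    if not counts:
        return "Unknown"
    best = max(counts.values())
    return "/".join(sorted(n.capitalize() for n, c in counts.items() if c == best))

SAMPLE = {  # constructed scan results for one sample
    "VendorA": "Trojan.Zlob.XY",
    "VendorB": "Win32/Zlob.gen",
    "VendorC": "Generic Downloader.x",
    "VendorD": "Downloader-Zlob12",
}

if __name__ == "__main__":
    print(consensus_name(SAMPLE))   # Zlob
```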