Day in the life of a researcher
Wednesday October 24, 2007 at 3:29 pm CST
Posted by Allysa Myers
Most of the virus researchers in Avert spend their days analyzing samples coming in from customers. With a good percentage of the samples coming in every day being unknown, there’s plenty to keep us busy, 24/7/365. But what is it like, sorting through an unending stream of samples every day? What does that entail?
It’s a bit like trying to identify a life-form from a disconnected body part. Sometimes the body part is actually the whole animal, but it’s often just a toenail or a feather. There are times where we don’t even get a body part, but a footprint or a piece of the animal’s droppings.
Sometimes we’ll get lucky and it’s an animal whose footprint we know really well, or which has very distinctive feathers. Then we can say “there’s a good chance what you have is a peacock”, based on just that feather. But more often than not, people are dealing with something entirely new or rare. Perhaps this critter only displays its distinctive traits in very specific circumstances.
Of course, our favorite sort of sample is one which is a complete body with a good explanation of where and how the animal was found. Whereas a foot accompanied by no information may get an answer of “This is an amphibian”, more of the animal or more context can increase the odds of us being able to say something more specific: “This is Litoria caerulea - aka the Dumpy Tree Frog. It lives in Australia and it is often found hiding in downspouts.”
So how does someone wishing to submit something for analysis go about doing it?
For starters, include as much info as you can: What version of security product are you using? In the case of our products, what version of the product, what engine and DAT files are you using? Are you seeing detection with some AV product? What filename and virus name was given? Are you seeing strange behavior that you associate with the file?
Getting the whole beast can be a bit more tricky. There’s sort of a continuum of sneakiness, from very spammy looking emails with attachments, to bots which get in through software vulnerabilities and then drop rootkits. If you’re the “lucky” recipient of the easy variety, ZIP up that email and send it to us.
If your sample falls somewhere on the sneakier side of the spectrum, files can really be scattered all over a machine, and some of them are particularly good at hiding. You may want to try scanning your system with the Rootkit Detective or the Beta DATs from the Avert Tools page. This can help identify more suspicious files.
Maybe you’re pretty astute and you’ve noticed that after you ran a strange file, it created hundreds of randomly named files in your Windows directory. We may or may not need more than one of those files. You’ll want to check for duplicates, to make sure. If you know how to generate hashes for a file, just make sure you have one of each unique hash, up to about 10. (If you have something parasitic or polymorphic this will give us a decent representation.) If you’re not sure how to create a hash, there are certain programs which can help you. One of my favorites is the CRC option in WinZip (in Configurations, under the Options menu). This allows you to group by CRC and get rid of any duplicates.
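The hash-and-deduplicate step described above, as an added example in Python (not code from the original post or from McAfee): it walks a directory, computes a SHA-256 digest and a CRC32 for every file, keeps one file per unique digest, and caps the selection at ten, matching the “one of each unique hash, up to about 10” guidance. The directory, file names and contents produced by build_demo_directory are constructed for illustration only.

```python
import hashlib
import os
import tempfile
import zlib


def hash_file(path, chunk_size=65536):
    """Return (sha256_hex, crc32_hex) for the file at path, reading it in chunks.

    CRC32 is what the WinZip grouping trick uses; SHA-256 is included because
    a 32-bit CRC can collide on unrelated files, so grouping is done on SHA-256.
    """
    sha = hashlib.sha256()
    crc = 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            sha.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return sha.hexdigest(), format(crc & 0xFFFFFFFF, "08x")


def group_by_hash(directory):
    """Map sha256 digest -> sorted list of paths (relative to directory) sharing it."""
    groups = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            digest, _crc = hash_file(path)
            groups.setdefault(digest, []).append(os.path.relpath(path, directory))
    for paths in groups.values():
        paths.sort()
    return groups


def select_unique_samples(directory, limit=10):
    """Return up to `limit` relative paths, one representative per unique digest.

    Groups are ordered by digest so the choice is deterministic across runs.
    """
    groups = group_by_hash(directory)
    representatives = [paths[0] for _digest, paths in sorted(groups.items())]
    return representatives[:limit]


def build_demo_directory():
    """Create a temporary directory of constructed files: three byte-identical
    copies, one different file, and one small known-content file. Returns its path.
    """
    directory = tempfile.mkdtemp(prefix="sample_dedup_")
    contents = {
        "a.tmp": b"MZ constructed sample one",   # constructed, not real malware
        "b.tmp": b"MZ constructed sample one",   # duplicate of a.tmp
        "c.tmp": b"MZ constructed sample one",   # duplicate of a.tmp
        "d.tmp": b"MZ constructed sample two",   # distinct content
        "e.tmp": b"abc",                         # known SHA-256 / CRC32 test vector
    }
    for name, data in contents.items():
        with open(os.path.join(directory, name), "wb") as handle:
            handle.write(data)
    return directory


if __name__ == "__main__":
    demo = build_demo_directory()
    for rel_path in select_unique_samples(demo):
        digest, crc = hash_file(os.path.join(demo, rel_path))
        print(f"{rel_path}  sha256={digest}  crc32={crc}")
```

Run it against the directory the suspicious files landed in instead of the demo directory; the printed list is the set worth submitting, and the SHA-256 values are what to quote in the submission so the researcher can match your files against what has already been seen.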
In short, try not to just send a blurry video of Sasquatch (or is that a guy in a gorilla suit?) or to send us a hundred disembodied ant legs. The more thorough and complete the sample, the better the chances of getting a complete picture of what’s plaguing your machine.

October 25th, 2007 at 1:36 am
This is a 2 way street really. While submitters can do better, so can Avert.
Here are some of the places where I think Avert can improve:
1. Enhance Webimmune. If you want the information above, then ask for it when submitting it through Webimmune. Webimmune should also be able to show you details later about a sample that you submitted when it is classified and detected rather than just ‘unknown’.
2. When a sample is submitted to Avert, have a batch job running every time the beta dat files are updated to remove those detections that are now known, and email the customer back informing them of this fact. I don’t need to know 2 days later that Avert now detects this threat when the researcher gets to my email.
3. I get feedback from a researcher from about 40% of all submissions. Sometimes I don’t even receive the confirmation email back from the automated acceptor of samples. If you automate better, then I should hopefully get better feedback on my samples.
4. If you choose to not add detection for whatever reason, please let me know. I have some banker variants from early 2007 which are still not detected by McAfee - yet they were submitted and other AV companies detect them fine.
I do appreciate the work Avert does - it really must be tricky dealing with the multitude of new threats and rehashing of old threats, and would be more than happy to shout any Avert staff a drink or two if they were in my town. But things can be made easier both for Avert staff and customers if some simple changes were made.
October 25th, 2007 at 12:09 pm
I sent a lot of banker dropper samples to AVERT using WebImmune, and when I receive an answer it is too late, 20 days later. Is WebImmune the fastest way to send a sample to McAfee?
Why can minor AV companies with fifty employees handle a lot of samples in 2 days?
Wrong way to work with us, local virus hunters, McAfee!
October 25th, 2007 at 6:35 pm
I must be doing something wrong, because I currently have over 500 pieces of verified malware in my Webimmune queue, and I get zero feedback, and they don’t seem to be getting analyzed, as I find when I pull out a two-week-old sample and test again. I also would love to be able to give more information about the samples, the context and the big picture, but there is no provision for supplying it.
mechBgon
Microsoft MVP, Windows Shell/User
October 27th, 2007 at 8:13 pm
As an additional remark, if AVERT wants the “whole organism,” it would help to eliminate the 3-megabyte size limit on submissions. As a point in case, go hunt down the installers for something like SpyHeal or its kin. These are typically 3.7MB or so, so they would be rejected.
Suggestion: use a 10MB limit, like Microsoft’s and Symantec’s malware-upload portals are using.
mechBgon
MVP, Windows Shell/User