[OPLINTECH] [OPLINLIST] One way to check on a suspicious email

Ron Woods woodsro at oplin.org
Thu Jan 24 11:41:38 EST 2013


I do little explorations like this sometimes as well, curiosity really. Of
course it's done in a virtual machine on its own network segment.


That being said, if folks want a safer way to do this, I find these tools
invaluable:


1. Anubis <http://anubis.iseclab.org/> (Analyzing Unknown Binaries)
This online service allows you to submit URLs or programs to it, and it will
execute them and tell you every registry key, file name, temp file, etc.
created by the file along with a plethora of information. I have used this
service to remove viruses and other malware from machines where no such
definitions to remove it are known to MalwareBytes, Symantec, etc. It's a
very useful service and it accepts either uploading suspect files, or
actually submitting URLs to it.

2. ThreatExpert <http://www.threatexpert.com/> - Is similar to
Anubis, except it only accepts files. It will email detailed reports about
what files do to a system they are installed on and if it's a known malware
or not. It is owned and run by PC Tools, which was bought by Symantec.

3. VirusTotal <https://www.virustotal.com/> - Allows you to submit
URLs or files to them, which are then scanned by 46 scanners from 46 different
Anti-Virus/Anti-Malware vendors, and it will give you a verdict from each one. The
URL scanning works similarly.


Whenever I hear of a new program, the 1st thing I do is download it and
upload it to VirusTotal and get a verdict. Seeing if any vendor has classified
it as some sort of malware is a good 1st step.


I just thought I would share these, especially Anubis. It is a very
interesting tool and gives a ton of info on what files, even malware, do
to a computer when they are executed.


Great discussion guys!


Ron Woods

Computer Services Manager

St. Clairsville Public Library

108 West Main Street

St. Clairsville, Ohio 43950

Phone 740-695-2062

http://www.stclibrary.org


From: oplintech-bounces at lists.oplin.org
[mailto:oplintech-bounces at lists.oplin.org] On Behalf Of Chad Neeper
Sent: Wednesday, January 23, 2013 2:56 PM
To: OPLINTECH
Cc: Oplinlist at lists.Oplin.Org
Subject: Re: [OPLINTECH] [OPLINLIST] One way to check on a suspicious email


Just to expound on part of Bob's message a bit:


If you ever decide to ignore his warning and try something like this, be
aware that even though you may be playing with a "frozen" computer, you're
still not playing in a true sandbox if your test computer is attached to
your production (patron/staff/otherwise) network. As soon as you infect your
test computer, you potentially expose ALL of the other devices
(computers/printers/portable/etc) attached to that local network. If the
malware that gets installed decides to scan the local network for other
devices to infect, it will no longer matter that the test computer is
protected by Deep Freeze because the malware will begin to try to infect all
of the other devices on the network, frozen or not.


In Bob's case, the particular network segment he used as his sandbox, while
not a perfect sandbox, mitigates his exposure risk, even in a network
scanning scenario. He still took some risk, but it was a known and
calculated risk.


So, if you DO ever decide to play, please play with extreme caution.


Actually, on second thought, never mind. My phone number is in my sig. Go
ahead and play carelessly!  ;-)


Chad




______________________________
Chad Neeper
Senior Systems Engineer

Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)

Full LAN/WAN consulting services -- Specialized in libraries and schools


On Wed, Jan 23, 2013 at 1:54 PM, Bob Neeper <neeperro at oplin.org> wrote:

You generally should stop here and delete the message, but I went a bit
farther.
       (Don't do this on a PC you really care about, or is connected to the
staff network. Better yet, just don't do it.)
Using a Deepfreezed PC, I entered just the link {link removed} This is a
valid Korean company.
