
I have a new piece of malware that isn't detected by current anti-virus vendors. How do I report it to them?

I want to do a good turn and help protect as many people as possible. What is the best and easiest way to get it to as many anti-virus vendors as possible, to help them detect it? Is there a list of sites where I should upload the sample, or email addresses where I should send it to?

I know about Virustotal. I could submit the sample to Virustotal. Will that be sufficient? Currently few or no antivirus engines detect this malware. Will submitting the sample be enough for antivirus engines to know that it is malicious and should have been detected, and trigger them to analyze it and develop a signature/detector for it?

(It's not obvious to me how anti-virus vendors would know that my sample is malicious, just because it was uploaded to Virustotal. I didn't see any user interface in Virustotal where I indicate "yes, this really is malicious, even though no one detected it", so I wonder if it will get lost in amongst all the other benign samples. I've heard of plenty cases of malware that had been uploaded to Virustotal for months or years before any antivirus engine started detecting it. So it makes me wonder whether uploading it to Virustotal is enough.)

I've looked, but I haven't found an answer on this site. Here's what I found:

  • Where to report malicious URLs, phishing, and malicious web sites? provides a list of where to report phishing web sites and other malicious web sites, but it doesn't say where to submit malware samples.

  • Unknown malware, how to report it and whom to report it to? asks a related question in a more specific situation. One answer mentions Virustotal, but it doesn't answer my question of whether submitting to Virustotal actually works, in terms of notifying A/V vendors to trigger analysis. Another answer gives links to forms where you can upload malware samples to two anti-virus vendors, but that's just two of the dozens of vendors out there -- if I need to submit directly to A/V vendors, I am hoping for a more comprehensive list that is easy to refer to.

D.W.

4 Answers


Note: All the information on this post has been copied from the TechSupport article here.

Every major antimalware vendor has a dedicated E-mail address through which new samples can be submitted. The procedure is as follows:

  1. Configure your Email client
  2. Make a password protected archive and add the sample to it. The password should be "infected".
  3. Send the sample to the following email addresses, with the subject "The password is infected":

Ahnlab Antivirus - v3sos@ahnlab.com
AVAST Antivirus - virus@avast.com
Avira Antivirus - virus@avira.com
Bit Defender - virus_submission@bitdefender.com
Bluepoint Security - samples@bluepointsecurity.com
Comodo Antivirus - malwaresubmit@avlab.comodo.com
Dr Web - vms@drweb.com
EMCO Antivirus - malware@emcosoftware.com
Emsisoft Antivirus - submit@emsisoft.com
eSafe Security - virus@esafe.com
eScan Antivirus - samples@escanav.com
Fortinet Antivirus - submitvirus@fortinet.com
Spy Emergency - research@spy-emergency.com
F-PROT Antivirus - viruslab@f-prot.com
FSB Antivirus - labs@fsb-antivirus.com
F-Secure - vsamples@f-secure.com
Orbitech Hazard Shield - virus@orbitech.org
IKARUS Security Software - samples@ikarus.at
Immunet Antivirus - submit@samples.immunet.com
K7 Antivirus - k7viruslab@labs.k7computing.com
Kaspersky - newvirus@kaspersky.com
Jiangmin Antivirus - support@jiangmin.com
Lavasoft Antivirus and Antimalware - research@lavasoft.com
McAfee Avert Stinger - virus_research@avertlabs.com
Micropoint Antivirus - virus@micropoint.com.cn
Microsoft Security Essentials - avsubmit@submit.microsoft.com
Nano Antivirus - virus@nanoav.ru
ESET Antivirus - samples@eset.com
Noralabs Norascan Antivirus - support@noralabs.com
Norman Security Suite - analysis@norman.no
nProtect - virus_info@inca.co.kr
Panda Security - virus@pandasecurity.com
Psafe Total - psafe@psafe.com
360Safe - kefu@360.cn
Rubus Ozone Antivirus - support@rubus.co.in
Smartcop Antivirus - virus@s-cop.com
Sophos - samples@sophos.com
Spybot Search and Destroy - detections@spybot.info
SRN Micro Antivirus - vlab@srnmicro.com
Symantec Antivirus - avsubmit@symantec.com
Moosoft Antivirus - trojans@moosoft.com
Hacksoft Antivirus - virus@hacksoft.com.pe
Thirtyseven4 Antivirus - virus@thirtyseven4.com
CA Technologies - virus@ca.com
Trojan Hunter - submit@trojanhunter.com
Simply Super Trojan Remover - support@simplysup.com
Filseclab Antivirus - virus@filseclab.com
ThreatTrack Security - malware-cruncher@sunbelt-software.com
ViRobot Antivirus - viruslab@hauri.co.kr
Virus Block Ada - newvirus@anti-virus.by
Webroot Antivirus - esupport@webroot.com
Zillya! Antivirus - virus@zillya.com
Kingsoft Antivirus - huangruimin@kingsoft.com
MKS - pomoc@mks.com.pl
Aegislab Antivirus - support@aegislab.com
Quick Heal Antivirus - viruslab@quickheal.com
Outpost Antivirus - trojans@agnitum.com
Baidu Antivirus - bav@baidu.com

void_in
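As an added example (not from the TechSupport article, the answer's author, or any vendor), the following Python script carries out steps 2 and 3 above: it parses "Name - email" lines of the kind listed, zips the sample with the password "infected" using the `zip` command-line tool (assumed to be installed, because Python's `zipfile` module cannot write encrypted archives), and builds a single MIME message with the required subject, the archive attached and the sample's SHA-256 in the body. The sender address, file names and the two-line vendor excerpt are constructed placeholders.

```python
"""Prepare a malware-sample submission e-mail for antivirus vendors.

Added example for the procedure above (not from the TechSupport article
or any vendor). The MIME message is built with the standard library; the
password-protected archive is produced with the `zip` command-line tool,
which is assumed to be installed. Vendor addresses are parsed from
"Name - email" lines; only a constructed two-line excerpt is embedded.
"""
import hashlib
import re
import shutil
import subprocess
import tempfile
from email.message import EmailMessage
from pathlib import Path

ARCHIVE_PASSWORD = "infected"          # convention used by AV labs
SUBJECT = "The password is infected"   # subject requested in the procedure

# Constructed excerpt of the vendor list; the full list is in the answer above.
VENDOR_LIST_TEXT = """\
Kaspersky - newvirus@kaspersky.com
Sophos - samples@sophos.com
not a vendor line
"""

_LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+-\s+(?P<email>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)\s*$"
)


def parse_vendor_list(text: str) -> dict[str, str]:
    """Return {vendor name: submission address} from 'Name - email' lines,
    skipping lines that do not have that shape."""
    vendors = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            vendors[m.group("name")] = m.group("email").lower()
    return vendors


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the original sample, so labs can correlate it."""
    return hashlib.sha256(data).hexdigest()


def make_protected_archive(sample_path: Path, out_path: Path) -> Path:
    """Create out_path as a zip encrypted with the 'infected' password using
    the `zip` tool. The password keeps mail-gateway scanners from
    quarantining the attachment before it reaches the lab."""
    zip_bin = shutil.which("zip")
    if zip_bin is None:
        raise RuntimeError("zip command not found; install it or use 7z -p")
    subprocess.run(
        [zip_bin, "-j", "-P", ARCHIVE_PASSWORD, str(out_path), str(sample_path)],
        check=True, capture_output=True,
    )
    return out_path


def build_submission(sender: str, vendors: dict[str, str], archive_bytes: bytes,
                     archive_name: str, sample_sha256: str, context: str) -> EmailMessage:
    """Build one message for all vendors (Bcc, so they do not see each other)
    with the archive attached and the sample hash plus context in the body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(sorted(vendors.values()))
    msg["Subject"] = SUBJECT
    msg.set_content(
        "Attached is a suspected malicious sample in a zip archive.\n"
        f"Archive password: {ARCHIVE_PASSWORD}\n"
        f"SHA-256 of the original file: {sample_sha256}\n\n"
        f"Where it came from / why it looks malicious:\n{context}\n"
    )
    msg.add_attachment(archive_bytes, maintype="application", subtype="zip",
                       filename=archive_name)
    return msg


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "suspicious.bin"
        sample.write_bytes(b"MZ constructed placeholder, not a real sample")
        archive = make_protected_archive(sample, Path(tmp) / "sample.zip")
        msg = build_submission(
            sender="analyst@example.org",            # hypothetical sender
            vendors=parse_vendor_list(VENDOR_LIST_TEXT),
            archive_bytes=archive.read_bytes(),
            archive_name=archive.name,
            sample_sha256=sha256_hex(sample.read_bytes()),
            context="Constructed example; no real sample.",
        )
        print(msg.as_string()[:600])
        # Sending is left to the operator, e.g. smtplib.SMTP(...).send_message(msg)
```

Run as a script it only prints the prepared message; handing it to `smtplib.SMTP(...).send_message(msg)` is deliberately left to the operator so nothing leaves the machine until the recipient list has been checked against the current vendor addresses. Including the SHA-256 and a sentence of context in the body lets a lab match the submission to samples it already holds, which matters because these addresses are processed largely automatically.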

TL;DR: I would suggest that submitting to VirusTotal is enough.

Details:

Because there are so many samples of malware, and because each binary in modern malware campaigns can be tested to be FUD (fully undetectable), VirusTotal is your best bet, I would argue. It may or may not be picked up by vendors, but this gives you the best shot of doing some good.

Here is an older link speaking to FUD and why your sample might not be detected: http://www.symantec.com/connect/blogs/fully-undetectable-cryptors-and-antivirus-detection-arms-race

My only caveat to this recommendation would be if you think you have something really interesting or unique (think Flame, Stuxnet, etc.). If that is the case, I would suggest contacting a vendor directly and providing some evidence of why you think this is unique.

Here is some information from VirusTotal about what/who they share with (https://www.virustotal.com/en/about/):

VirusTotal and confidentiality

Files and URLs sent to VirusTotal will be shared with antivirus vendors and security companies so as to help them in improving their services and products. We do this because we believe it will eventually lead to a safer Internet and better end-user protection.

By default any file/URL submitted to VirusTotal which is detected by at least one scanner is freely sent to all those scanners that do not detect the resource. Additionally, all files and URLs enter a private store that may be accessed by premium (mainly security/antimalware companies/organizations) VirusTotal users so as to improve their security products and services.

Hope that helps!

you
  • I confess I don't understand your argument why submitting to VirusTotal is enough. Can you explain? I know about FUD; but I don't see how/why that implies that submitting to VirusTotal is sufficient, or how it relates to this question. – D.W. Jul 09 '14 at 04:09
  • Hi DW, I am suggesting VirusTotal is enough because you get the most centralized coverage of any place (that I know of) and those samples are available to those vendors. My comment about FUD was just to say that there are **so** many samples, VirusTotal appears the best way to handle submissions en masse. From another point, VT is the best option because the only other options are a) do nothing, b) submit to a smaller, less centralized resource, or c) try to email a vendor and justify why this is really special and needs to be looked at carefully. – you Jul 09 '14 at 04:16
  • Well, this doesn't answer my question. The problem is, people upload benign .exe's to VirusTotal, too (e.g., to check them), so the .exe's on VirusTotal are a mixture of benign and malicious. They are not labelled: when I upload a .exe, there's no way to mark it as malicious. So, yes, A/V vendors can download all those .exe's (the mixture of malicious and benign ones), but how would they know which ones are malicious? How would they know that the one I uploaded is actually malicious and should have been detected? Seems like they can't know that, so I'm not sure uploading to VT is enough. – D.W. Jul 09 '14 at 17:00
  • I'm not happy with submitting only to VirusTotal. I just ran across a bit of malware that was first submitted to them over a year ago and today got only 3/53. This doesn't seem to be a very fast method of submission. – Michael Hampton Nov 23 '14 at 01:34
  1. http://www.uploadmalware.com/
  2. http://www.virussign.com/
  3. https://www.mywot.com/wiki/Malware_submission

Hope that this is enough; you may want to write your own publication about this malware, which you can later put on your CV.

user3395407
  • Excellent! The uploadmalware.com and mywot.com links look very helpful. For Virussign, I couldn't find a place to upload anything: did I miss it? – D.W. Jul 09 '14 at 17:03

Anti-virus companies have a 'submit a sample' option, but don't expect them to review it by hand in detail. They have automated dynamic behavior analysis tools (i.e. sandboxes) to run those executables and see if any red flag is raised there. VirusTotal also runs it in its sandbox and provides details to its users. Submitting there has a much better effect than submitting it to an individual vendor because this makes the file available to a wider audience faster.

That being said, if the malware is targeting large corporations, critical infrastructure, or large masses of users in critical numbers, they would all be interested in analyzing it if you can convince them that's the case. If the malware is targeting regular users and not affecting large masses, there is not much incentive for vendors to analyze files on request (many will likely be false positives) without getting paid for it.

Your best bet would be to convince an independent/freelance security researcher. You can reach many of them through Twitter or their blogs. If you can provide some convincing details, they may decide to analyze it in more detail for free, as it is good material for their reputation and their blog. But, I'm sure, they will also run it through a smell test before fully diving into it. Manual analysis is not cheap (i.e. it takes time).

See here for some relevant details:

Where can I find an engineer who can examine an exe and verify its legitimacy?

K4M