Hello and welcome to the Tuesday, September 13th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording back in Jacksonville, Florida.

Today we've got another post by Jesse LaCrew.

When dealing with Malware samples from honeypots, a quick triage

is important. You usually have so many samples to work with. And one of the things I usually

recommend is, well, a check with virus total. Is it already known? That particular sample,

how old is it? So that's a quite useful initial triage tool. And Jesse took a

closer look at the results that he has been getting from Virus Total when submitting matter

from his honeypots. Just to summarize some of the key observations and of course there's more

detail in his full post. First, there are a number of vendors

that will not flag any of the malware caught by the honeypot as malicious. Well, not really such a big

problem necessarily. Some vendors are just not focusing on, for example, Linux malware. This is usually Linux malware we're

talking about here because it is a Raspberry Pi Honeypot. Also, it usually is being attacked

by most of these IoT-style malware families like Mirai. And of course, a lot of IoT vendors and such, there is no real anti-malware

for it. So some of the large malware vendors don't really cover these samples very well.

So vendor not finding these samples malicious is not necessarily a sign that this vendor's

anti-malware product is of lower quality. Secondly,

Jesse noted that the number of AV engines detecting a particular sample will increase over time.

Now, of course, that's not a big surprise. After all, it takes a while for different vendors to find a new

sample. They have, of course, in the past been some evidence of vendors just sort of blindly

copying signatures after a sample was found malicious on a virus total. But it was a little bit

surprising is that it sometimes takes weeks or months after

...