echo: alt-comp-anti-virus
to: ALL
from: VIRUS GUY
date: 2014-10-12 10:59:00
subject: Re: Viral sample (October

Dustin wrote:
 
> I couldn't help but notice you didn't respond to my reply
> concerning your unnecessary attack and attempted (yet failed
> miserably) education on basic emailing concepts... but

Many residential ISPs are blocking their customers' ability to
communicate beyond the ISP's network out to the internet on port 25.

They can do that because:

1) they host their own mail server (possibly on port 25 but more
   likely on other higher ports like 465 or 587) within their own 
   network, so customers can communicate with those servers to
   send mail, but spammers can't send direct-to-mx from 
   infected PC's because of the block on port 25.

2) customers bypass their ISP's mail servers or MTAs entirely
   and access a third-party server (gmail, etc), again on a 
   higher port (like 465, etc).

3) customers are increasingly not even using a mail client, but
   instead experience mail through a web interface.

So as you can see, you bone head, many residential ISPs can easily
block outbound port 25 on their boundary with the internet for the vast,
vast majority of their customers, without these customers even knowing
such a block exists, because there really isn't any need or use by
those people for port-25 outbound in the first place.

Anyone running their own mail server at home probably needs to be using
(and paying for) a business-level internet connection from their ISP,
and there wouldn't (necessarily) be a block on port-25 for that.

> I didn't get the chance to ask why you dodged the analysis of the
> website url you decided to place the malware sample on?

I download a fair amount of music, movies, magazines from filepost -
because it happens to be a primary file-locker used by uploaders that
use listing sites like avax.  So I'm somewhat familiar with filepost.

I also have about a dozen entries in my hosts file that block all the
junk that filepost throws at you.  I've had such a block in place for a
long time, so I don't even remember what gets thrown up.  I can only
recommend that people close any popups that get spawned while following
my links.  I wouldn't think that would be too hard for people using more
recent versions of IE or FF.  I use FF2 as my default browser, and I can
navigate filepost with ease.

I have tried to use other filelockers, but even with Opera 12.02 (my
most "advanced" browser) I haven't found a filelocker on which I can
successfully perform file uploading without some web-based or browser
incompatibility preventing the interface from working properly.

> Nor did you have any comments concerning what anubis reported back
> (which is essentially the actions of a dropper file).

When I submit files to anubis, it's mainly because I want to see if a
download URL is revealed.  Something I can access myself.  I've looked
through the various other sections of their reports (registry keys read,
modified, created, etc) but they are of little interest to me (what can
I do with them?).

But yes, I did find your discovery of a file being inserted into a run
key to be informative.

> It would take me all of ten seconds or less to acquire the real
> malware sample, inside the dropper. Without posing any risk to myself
> or equipment. Do you suppose you can send me the real malware sample?

I didn't (I don't) run these files.  If I'm sufficiently interested,
I'll give them to anubis to run.

So what I put up on filepost is what I get via email (spam) attachment.

> So I'm asking if you can extract the real exe inside the dropper
> and upload that to virustotal. I suspect the scan results will be
> different.

Well, unless the internal binary can be extracted using 7-zip or maybe
"uniextract", then you're going to have to point me to a utility that
will extract them (so I can upload them to VT), or you're going to have
to continue downloading these dropper files from filepost, or you're
going to have to point me to an alternate file locker that I can fully
access with the browsers I have.
 
> And I'm serious, why did you suggest I or others visit such a nasty
> site to obtain the file? It was only 11kilobytes rar'd..

Like I said, the stuff that I download is usually hosted on filepost,
and when I first started to access filepost a long time ago, I had no
problems deflecting or evading whatever that site was throwing at me
until I had that crud blocked using hosts entries.  So I wasn't aware
that accessing the site and just focusing on and downloading the file of
interest wasn't safe - I wasn't aware that the site is attempting any
browser exploits (maybe you are, or are not saying it is - I'm not
sure).

> Want me to send you a simple program that would let you post it right
> here? 

Even if I wanted to, AIOE doesn't allow posting attachments to usenet
posts.  The software I'm using now (Netscape Communicator 4.79) can
easily add attachments - that's not the problem.  I would need access to
an NNTP server that allows it.  Do any free usenet servers allow posting
of attached files?

> That way, I wouldn't have to surf to ... painful websites to
> get the sample.

I'm open to a more friendly file-locker if you know of one.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
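The port-25 policy described in the post above (outbound 25 from residential customers dropped unless it goes to the ISP's own MTA, submission ports 465/587 left open, business-tier lines exempt), as an added example that is not part of the original post. Every address range here is a hypothetical ISP layout built from documentation prefixes, and the flow records are constructed, not captured traffic; the last function adds the detection angle a practitioner would want, namely which residential hosts tried direct-to-MX delivery to several different outside hosts, the pattern of an infected PC rather than one misconfigured mail client.

```python
"""Model of a residential ISP's outbound port-25 policy (added example).

allowed()               - the boundary decision for one outbound TCP flow
blocked_flows()         - which of a batch of flows the boundary drops
suspect_direct_to_mx()  - residential sources that hit port 25 on several
                          different outside hosts (spam-bot behaviour)
All prefixes are documentation ranges; the ISP layout is hypothetical.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMTP_RELAY_PORT = 25                       # direct-to-MX delivery
SUBMISSION_PORTS = frozenset({465, 587})   # authenticated submission

# Hypothetical ISP layout (assumed for the illustration, not a real ISP).
RESIDENTIAL = ip_network("203.0.113.0/24")   # subject to the port-25 block
BUSINESS = ip_network("198.51.100.0/24")     # paid tier, exempt from it
OWN_MTA = {ip_address("192.0.2.25")}         # the ISP's own mail server(s)


def allowed(src: str, dst: str, dport: int) -> bool:
    """Return True if the ISP boundary lets this outbound TCP flow through."""
    s, d = ip_address(src), ip_address(dst)
    if dport in SUBMISSION_PORTS:
        return True                 # 465/587 are never blocked
    if dport != SMTP_RELAY_PORT:
        return True                 # the policy only concerns port 25
    if s in BUSINESS:
        return True                 # business lines may run their own MX
    if s in RESIDENTIAL:
        return d in OWN_MTA         # residential: only the ISP's own MTA
    return True                     # not a customer range: out of scope


def blocked_flows(flows):
    """Flows (src, dst, dport) the boundary would drop."""
    return [f for f in flows if not allowed(*f)]


def suspect_direct_to_mx(flows, min_distinct_hosts: int = 3):
    """Residential sources whose blocked port-25 attempts went to at least
    min_distinct_hosts different destinations: one mail client pointed at
    the wrong relay talks to one host, a spam bot talks to many MXes."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == SMTP_RELAY_PORT and not allowed(src, dst, dport):
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_distinct_hosts)


# Constructed flow records (src, dst, dport); not captured traffic.
FLOWS = [
    ("203.0.113.10", "192.0.2.25", 25),     # residential -> own MTA: ok
    ("203.0.113.10", "192.0.2.100", 587),   # residential -> provider submission: ok
    ("203.0.113.77", "192.0.2.100", 25),    # residential -> outside MX: blocked
    ("203.0.113.77", "192.0.2.101", 25),    # blocked
    ("203.0.113.77", "192.0.2.102", 25),    # blocked
    ("198.51.100.5", "192.0.2.100", 25),    # business tier: ok
    ("203.0.113.10", "192.0.2.100", 443),   # not SMTP at all: ok
]

if __name__ == "__main__":
    for f in blocked_flows(FLOWS):
        print("DROP", f)
    print("direct-to-MX suspects:", suspect_direct_to_mx(FLOWS))
```

The decision order matters: submission ports are tested first so that a residential customer reaching gmail on 587 is never caught by the port-25 rule, and the business exemption is tested before the residential check so an overlapping or mis-sized range cannot silently block a paying mail-server customer.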

SOURCE: echomail via QWK@docsplace.org
