Tuts 4 You

Malware Reverse Engineering

Debugging, disassembling and documenting interesting malware...

  1. Pouyaaa
    Started by Pouyaaa,

    Hi guys, I've started diffing the unpatched version of win32k (5.1.2600.6149) with the patched one (5.1.2600.6178) to find the bug. So I came up with lots of suspicious pointer corruption instruction bugs at sfac_GetSbitBit, which is gonna be used for parsing TTF, but I don't know what user land APIs are used for triggering the GetSbitComponent function. Can you guys give me some suggestions? Thanks

    • 0 replies
    • 6k views
  2. Teddy Rogers
    Started by Teddy Rogers,

    Honeynet Project - Forensic Challenge 8 - "Malware Reverse Engineering" https://www.honeynet.org/node/668 Ted. Malware Reverse Engineering.zip

    • 5 replies
    • 8.3k views
  3. Pouyaaa
    Started by Pouyaaa,

    Hi guys .... I've started analyzing the Duqu driver, which is gonna lead to most of its skeleton ... so I have no problem with static analysis but I want to debug it under windbg or IDA... so I've set up a virtual lab with vmware just like always and configured it for kernel debugging, but I cannot set a breakpoint at DriverEntry ..... so I got a nice range of memory addresses which is being repeated every time, but how can I set a BP on them so that I can hit it? The bu command is just not working.... I have tried "on access memory bp". So, any good suggestion? Thanks

    • 0 replies
    • 5.5k views
  4. cozofdeath
    Started by cozofdeath,

    I've been running my computer just fine with no problems for as long as I can remember. Any type of malware seems to get eliminated right away if found. However, whenever I see the small java icon in the sys tray pop up I know an exploit is being executed and usually my AV will pop up and eliminate the threat. Yes, I know java isn't bad but the only time I see it executing it seems to be. The other day this same thing happened but it managed to get through and instantly shut the computer down and caused many other problems. My question is, why is it always java doing this? Yes, I know what java is, for the most part, and no I wasn't looking at porn when it happened. These j…

    • 8 replies
    • 7.6k views
  5. ramtin
    Started by ramtin,

    Hi, anyone know something about "Beijing-based KnownSec" that wants to share its malware db? See the links below: http://www.first.org.../20090703a.html or http://www.cio.co.uk...rity-companies/ Please help me to find this database!!!

    • 2 replies
    • 6.4k views
  6. CodeXpert
    Started by CodeXpert,

    As described above in the title.. How do Anti-Malware Applications Work? How does it find the sign. for specific malware. And a curious question is how scan works.. It is very fast so it is approximately not searching in databases >?! Any comments will be appreciated

    • 1 reply
    • 7.2k views
  7. PaperBall
    Started by PaperBall,

    Anyone have a copy of this new malware that was discovered last week?

    • 10 replies
    • 9k views
  8. STRELiTZIA
    Started by STRELiTZIA,

    Using Exception Table hook to spread malicious code, paper by Peter Ferrie. http://pferrie.host22.com/papers/holey.pdf

    • 0 replies
    • 5.4k views
  9. linuscomex
    Started by linuscomex,

    Hi all, please help me to reverse engineer viruses and find virus source code through reverse engineering

    • 8 replies
    • 8.5k views
  10. CodeExplorer
    Started by CodeExplorer,

    .NET/MSIL Malicious Code and AV/Heuristic Engines http://www.symantec.com/connect/articles/netmsil-malicious-code-and-avheuristic-engines Nice article; the only thing nice from Symantec

    • 2 replies
    • 7.4k views
  11. lr300
    Started by lr300,

    Does anyone have any archive of this great site? I've bought Subverting the Windows Kernel book but without sources from site the book is only partially useful. Please help. Thanks in advance.

    • 1 reply
    • 7.1k views
  12. Teddy Rogers
    Started by Teddy Rogers,

    IEEE Software Taggant System For Exposing Malware Creators Well... I have been hearing and reading about this everywhere for a while now. Numerous packer and protector developers have already been trumping this up as the be-all for software developers who use their packer/protector products as a means to stop false positives and at the same time be used to identify/flag stolen or bogus protector licences used on files. For those who do not know (yet), if it becomes standard we may see this being commonplace. http://standards.ieee.org/news/2011/icsg_software.html How practical and to what purpose it will end up serving exactly I still have doubts to. Have a read and…

    • 12 replies
    • 11k views
  13. CodeExplorer
    Started by CodeExplorer,

    Virus Bulletin July 2011 http://www.sysreveal.com/uploads/vb/VBJuly2011.pdf

    • 0 replies
    • 5.1k views
  14. ltheonel
    Started by ltheonel,

    Since nobody is interested, thread can be deleted please. zbot.zip

    • 2 replies
    • 5.6k views
  15. C0M3ND4D0R
    Started by C0M3ND4D0R,

    A collection of (so far) 6 magazines HITB.......on malware analysis and exploiting among other issues free distribution http://magazine.hackinthebox.org/hitb-magazine.html

    • 0 replies
    • 16.7k views
  16. Sina_DiR
    Started by Sina_DiR,

    This is the new trick in Unicode strings that could deceive users into opening an exe file that shows as pdf, txt etc. It could be a new way for spammers. For more information check out the F-Secure analysis: Redirect to F-Secure

    • 6 replies
    • 6.8k views
  17. malfreak
    Started by malfreak,

    I downloaded stuxnet from http://tuts4you.com/download.php?view.3011. The files seem valid as I scanned the contents at virustotal. Then I inserted a flash drive and executed the dropper.exe file. According to Microsoft (http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx), the dropper (TrojanDropper:Win32/StuxnetA) should drop the following into the system: Worm:Win32/Stuxnet.A Trojan:WinNT/Stuxnet.A Trojan:WinNT/Stuxnet.B (initially called VirTool:WinNT/Rootkitdrv.HK) Trojan:Win32/Stuxnet.A Worm:Win32/Stuxnet.B Although it seemed to have triggered some components of stuxnet (the shortcut and tmp files got hidden, so the rootkit was on its way), I a…

    • 1 reply
    • 6.5k views
  18. Teddy Rogers
    Started by Teddy Rogers,

    Honeynet Project Challenge 9 Submissions to be submitted by September 4th 2011. https://www.honeynet.org/node/751 http://malphx.free.f...es-final.tar.gz Ted.

    • 1 reply
    • 5.5k views
  19. mudlord
    Started by mudlord,

    A nice paper I found on the utter trash that is Sophos.... http://lock.cmpxchg8b.com/Sophail.pdf Sophail.pdf

    • 0 replies
    • 5.3k views
  20. CodeExplorer
    Started by CodeExplorer,

    Joebox Joebox is an extensive runtime analysis system. It is designed for automatic runtime analysis of malware and other software on Windows based operating systems. Joebox executes a potential malicious program on a full Windows system and observes the behavior of the program during execution. It manages the complete analysis cycle automatically. Link: http://www.joebox.ch/

    • 2 replies
    • 8.5k views
  21. Teddy Rogers
    Started by Teddy Rogers,

    http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1 Ted.

    • 2 replies
    • 5.3k views
  22. CodeExplorer
    Started by CodeExplorer,

    Patent application title: Heuristic detection of malicious code http://www.faqs.org/patents/app/20090013405

    • 1 reply
    • 6.8k views
  23. News Feeder
    Started by News Feeder,

    The following statistics were compiled in June using data from computers running Kaspersky Lab products: 249,345,057 network attacks blocked. View the full article

    • 1 reply
    • 8.6k views
  24. tukki_2020
    Started by tukki_2020,

    Hey guys, I just want to brainstorm an idea so please be patient. I have made a c-program which writes all the images (rgb content) in a folder to a structure in another c-file (along with the needed code to compile and execute) and deletes the images. Now if I compile and run the new .c-file, I am able to restore these images, let's say on providing a password or something. But of course I need a c-compiler to do the compiling. So I have the question: 1.> I want to make it independent in the sense that I want the compiler to travel with the original exe file and later when needed it compiles the second c-file that contains the structure for the images. Is it possible? t…

    • 3 replies
    • 7.3k views
  25. GoJonnyGo
    Started by GoJonnyGo,

    Hi there, I am wondering how antivirus systems can find viruses in packed software. Do they know every unpacking routine and first look at which protector it is packed with and then unpack it to perform a search, or do they wait till the exe has unpacked itself and is at the OEP, or how does this happen?

    • 11 replies
    • 11.9k views