Tuts 4 You

Malware Reverse Engineering

Debugging, disassembling and documenting interesting malware...

  1. abhijit mohanta
    Started by abhijit mohanta,

    Hi, I am quite new to malware analysis. I want to know: do we need to fix imports that are resolved dynamically using LoadLibrary() and GetProcAddress() as we do in the case of imports resolved by the IAT? If so, how to do it?

    • 2 replies
    • 6.5k views
  2. Ksbunker
    Started by Ksbunker,

    In an effort to keep my system safe from hidden modules (i.e. modules that have been manually unlinked from PEB->LDR_MODULE), I coded up a little tool that scans the memory of my process and attempts to identify any DLLs that do not resolve using the normal toolhelp API. See below (apologies for the large image); This immediately aroused my suspicions, so I checked out the code section of this phantom module. See attachment. Here's my plea. I'm confident this is some kind of trojan periodically sending off critical information pertaining to my browsing. Suffice to say, this is of gross concern. How can I permanently delete this omnipresent module? Regards, Ksb NB: If …

    • 1 reply
    • 6.3k views
  3. What
    Started by What,

    Original Post: http://www.nsaneforums.com/?showtopic=18612 Eye Chart: http://anonym.to/?http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

    • 1 reply
    • 5.3k views
  4. ~karthikeyanck~
    Started by ~karthikeyanck~,

    Hi All, I'm not sure if these kinds of requests are welcomed. I am trying to reverse a worm and having trouble doing it. I found that the worm is packed using AutoIt. Please can somebody assist me in reversing it. Let me know if you need the source. I understood the behavior of the worm, but I am trying to dig deeper into the code to understand things better. Thanks for your assistance in advance. Note: I've already tried using an AutoIt decompiler with no luck. It doesn't identify the executable.

    • 2 replies
    • 23k views
    ~karthikeyanck~
  5. Fizban
    Started by Fizban,

    Hi everyone, I'm trying to unpack a certain malware file which has some sort of protector on it and I can't seem to manually unpack it. I'm pretty new to the trade and maybe I "overshot" a little here, but is there anyone who can help me? I'd appreciate some pointers on how to solve this. I'm uploading the sample here. Password: malware Thanks in advance! p.s: needless to say, this is malware, so use a virtual machine. malware.zip

    • 2 replies
    • 7.9k views
  6. CodeExplorer
    Started by CodeExplorer,

    Links to infected files: xttp://www.freshwap.net/forums/applications/200445-aoa-dvd-ripper-5-1-9-1208-a.html xttp://www.freshwap.net/forums/applications/201009-cute-ftp-pro-v8-3-2-build-09-02-2008-1-a.html xttp://www.freshwap.net/forums/applications/201788-winrar-3-80-pro.html From what I saw, all his posts contain the same malware: xttp://www.freshwap.net/forums/applications/index1083.html?sort=postusername&order=asc&daysprune=-1 lemutyt210 had 60 posts, now has 70! How many people will be infected with files posted by him? This sucker also removed the .NFO of the cracks so you won't have any contact information! The file is a RAR SFX archive (self-extracting archive), also t…

    • 5 replies
    • 5.7k views
  7. CodeExplorer
    Started by CodeExplorer,

    Link to tutorial: http://www.plunder.com/-download-45f2240fd7.htm Link to discussions regarding this: http://snd.astalavista.ms/board/index.php?...c=2288&st=0 Ace Translator uses Google's free service for translating, so this program is a joke and with no contribution at all. Also, under the "cracked" version it will grab all your information (including your email addresses from Outlook) and send it to a server - they already grabbed my own useless information. After that they send you some warning emails (at the email addresses from Outlook): just a scare tactic to make another sale.

    • 1 reply
    • 7.3k views
  8. Nieylana
    Started by Nieylana,

    Hey, my Windows XP installation recently has created a random Nimda user on my computer. I'm aware that the Nimda.A virus is supposed to do this by enabling the guest account and then renaming it and adding it to the Administrator group. What concerns me the most is that I have run multiple Nimda virus scanners/removers and also NOD32, but none have detected the Nimda virus on my computer.... What am I supposed to do? Also, I've done some looking online about the Nimda virus, and it says to look for specific files in certain locations; these files also are not present on my XP installation, but the account keeps re-appearing... Any help would be appreciated. EDIT: Also…

    • 10 replies
    • 9k views
    alien_fx_fiend
  9. Teddy Rogers
    Started by Teddy Rogers,

    Is it just me or are there others out there that look at the use of OpenID as a disaster waiting to happen? For those of you who do not know about OpenID, it is a technology that has been around for a few years already. It is being pushed into popular use by some of the big guns of the internet. It allows you to create one centralised username, password, contact details and a profile on a website. You can then use the associated OpenID to login, register and use your OpenID details on other sites without filling out all their registration information - all using the one password which you used to set up your OpenID account. All good in principle... Unfortunately I see this…

    • 6 replies
    • 5.4k views
  10. CodeExplorer
    Started by CodeExplorer,

    Link: http://www.theregister.co.uk/2008/08/22/an...hack/print.html Here is the whole description of what XP Antivirus 2008 does. Stay away from this malware scam.

    • 6 replies
    • 5.9k views
  11. Bleed
    Started by Bleed,

    I tried to play with one virus that a friend gave to me. Well, I discovered that it was an AutoIt script. What it does: creates a .bat file that has a shutdown command, creates an autorun.inf on all drives, replicates itself on all drives. I plan to reverse it with little patches and make it delete all that it created, but I have no idea what API it uses to create that stuff. Can someone tell me (or just give pointers) where to start or what to look for? Thanks...

    • 0 replies
    • 15k views
  12. CodeExplorer
    Started by CodeExplorer,

    A blog about activities, products and ideas regarding malware: http://sunbeltblog.blogspot.com/2007_12_01_archive.html Criminals try to 'copyright' malware: http://www.msnbc.msn.com/id/24394270/ Conficker Malware to Return April 1: http://itmanagement.earthweb.com/secu/arti...urn-April-1.htm Websense: Cybercriminals Imitating Social Networks To Spread Malware: http://www.darkreading.com/security/client...client+security

    • 0 replies
    • 5.6k views
    CodeExplorer
  13. CodeExplorer
    Started by CodeExplorer,

    Link: http://laptoplogic.com/resources/your-guid...tanding-malware May 17, 2009 at 07:05:34 AM, by Gilberto J. Perera Learn what separates viruses from worms, bots from Trojans and other nasty creatures in Gilberto J. Perera's guide to malware.

    • 0 replies
    • 4.5k views
    CodeExplorer
  14. CodeExplorer

    Link: http://www.kishorethakur.com/2008/12/advan...-forensics.html Here are a few quick steps for performing malware analysis on various badware (viruses, worms, trojans, rootkits) that you may find in the course of a computer forensics investigation. In this case, I'm analyzing a variant of Sohanad, an instant messaging worm, also known as "the cool pics worm".

    • 1 reply
    • 5.6k views
  15. aztecx
    Started by aztecx,

    I believe there may have been 3 viruses that were attached to the infected file I executed, but here are samples of two of them. One is a dump while the other is just the original file that was copied into the temp folder at execution. Anyways, I've attached a rar file with the two infected files. Anyone that collects malware, enjoy. Anyways, I'm still in the process of trying to remove it, so hopefully I don't run into any big difficulties. PASS - aztecx Malware.rar

    • 3 replies
    • 5k views
    CodeExplorer
  16. Willi000
    Started by Willi000,

    http://mtc.sri.com/Conficker/ http://blog.fortinet.com/the-art-of-unpack...conficker-worm/

    • 6 replies
    • 7.5k views
  17. Victor
    Started by Victor,

    Any more information needed just ask. Thanks in advance.

    • 7 replies
    • 8.4k views
  18. Loki
    Started by Loki,

    Something I found last week - can't remember where from though How_Conficker_makes_use_of_MS08_067.pdf

    • 1 reply
    • 5.7k views
  19. high6
    Started by high6,

    Getting into virus analysis (anyone have any recommendations for articles?). Right now I am doing it on my PC. Really need to set up a VM. Although Comodo is doing nicely against small viruses. Anyone know anything about this one? (DO NOT DOWNLOAD IF YOU DO NOT KNOW WHAT YOU ARE DOING) http://rapidshare.com/files/220676862/ViSA...ViRuSHaCkEr.exe

    • 3 replies
    • 5.2k views
  20. movzxEax
    Started by movzxEax,

    This is an unpackme from the unpackmes collection uploaded on the tuts4you server. It has a very strange behavior: it replaces the svchost.exe service + tries to scan all opened processes + tries to change the page protection of some places in these processes. After each run, it crashes all opened apps (even Kaspersky AV + Outpost firewall + explorer also ...), all processes are closed. It's very strange. I first launched it under Vista no SP -> crashes all, and then I tried to figure out what happened (but lack of time) and can't go further now. Please, if someone has some extra time and can analyse this unpackme, it will be a great help. Thank you. BE CAREFUL, DON'T RUN IT OUT OF…

    • 7 replies
    • 5.5k views
  21. evilcry
    Started by evilcry,

    Hi, I've released Backdoor.Win32.UltimateDefender.gtz Reverse Engineering: http://evilcry.netsons.org/tuts/Mw/Backdoo...ateDefender.pdf Regards, Giuseppe 'Evilcry' Bonfa'

    • 5 replies
    • 5.8k views
  22. unbanhub
    Started by unbanhub,

    Hi, recently I've searched on the internet for a PaiN RAT Portable and I found the last version from the producer, and I'm happy to share this with you. PaiN RAT v0.1 RC1 Portable I've scanned it on Novirusthanks.com to check it, here is the log. File Info Report generated: 17.2.2009 at 20.33.00 (GMT 1) Filename: PaiN RAT.exe File size: 1,331 KB MD5 Hash: 8DD76D109D233BCF8BA8216959937067 SHA1 Hash: 7A1138F999E50238A3C2B8D2073F8EBCADD90B79 Packer detected: Nothing found Self-Extract Archive: Nothing found Binder Detector: Nothing found Detection rate: 4 on 23 Detections a-squared - Trojan-Downloader.Win32.Delf.CQ!IK Avira AntiVir - Nothing found! Avast - Nothing…

    • 4 replies
    • 9.3k views
  23. D1N
    Started by D1N,

    I posted some information regarding this project in my blog here on tuts4you. I thought I would share it here as well to hopefully gain some support. The main goal of this project is to improve the quality of scanning techniques used in anti-virus software. The issue I have is that there are no methods of "detecting the usage of strong cryptography, secure key management, and obfuscation" that can be used inside malware. I have a lot of love for the researchers and I know they work extremely hard and are very talented. The issue I have is that there is a lot of room for improvement and I would like to see that improvement made. We need stronger methods of attacking crypto…

    • 5 replies
    • 5.9k views
  24. pichoo
    Started by pichoo,

    Can anyone point me to any resource that talks about analyzing an Internet Explorer Browser Helper Object? I am semi competent in analyzing typical executables, however I don't really know where to start with a BHO dll other than looking at the strings, since it doesn't look like it executes like an exe. Any help would be appreciated, I'm really just looking for a starting point.

    • 3 replies
    • 5.6k views
  25. maxil122
    Started by maxil122,

    Hello, please, can someone help me to know what is required to make an antivirus: - Which language is more efficient? - What's required, like Windows internals / coding at a low level / good knowledge of the x86 family / file systems (PE) / reversing / unpacking...? It will be helpful if you make it clear. Thanks.

    • 8 replies
    • 6.4k views