Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
367 topics in this forum
-
Conficker "eye chart"
by What- 1 reply
- 4.7k views
Original Post: http://www.nsaneforums.com/?showtopic=18612Eye Chart: http://anonym.to/?http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
-
Reversing worm
by ~karthikeyanck~- 2 replies
- 22.5k views
Hi All I'm not sure if these kind-a requests are welcome'd. Am trying to reverse a worm and having troubles in doing it. I found that the worm is packed using autoit. Please can somebody assist me in reversing it. Let me know if you need the source. I understood the behavior of the worm, but trying to dig deep into the code to understand things better. Thanks for your assistance in advance, Note: I've already tried using autoit decompiler with no luck. It doesn't identify the executable
-
Can't identify packer
by Fizban- 2 replies
- 7.3k views
Hi everyone I'm trying to unpack a certain malware file which has some sort of protector on it and i can't seem to manually unpack it. I'm pretty new to the trade and maybe i "over shot" a little here but is there anyone who can help me? I'd appreciate some pointers on how to solve this. I'm uploading the sample here. Password: malware Thanks in advance! p.s: needless to say, this is Malware, so use a Virtual Machine malware.zip
-
Members of freshwap.net post infected files
by CodeExplorer- 5 replies
- 5.1k views
Links to infected files: xttp://www.freshwap.net/forums/applications/200445-aoa-dvd-ripper-5-1-9-1208-a.html xttp://www.freshwap.net/forums/applications/201009-cute-ftp-pro-v8-3-2-build-09-02-2008-1-a.html xttp://www.freshwap.net/forums/applications/201788-winrar-3-80-pro.html from what I saw all his posts contains same malware: xttp://www.freshwap.net/forums/applications/index1083.html?sort=postusername&order=asc&daysprune=-1 lemutyt210 had 60 post now has 70! How many peoples will be infected whit files posted by him? This sucker also removed .NFO of cracks so you won't have any contact information! The file is a Rar SFX archive (self extracting archive), also t…
-
Ace Translator - scam software in all its entirety
by CodeExplorer- 1 reply
- 6.7k views
Link to tutorial: http://www.plunder.com/-download-45f2240fd7.htm Link to discussions regarding this: http://snd.astalavista.ms/board/index.php?...c=2288&st=0 Ace Translator use google free service for translating so this program is a joke and whit no contribution at all. Also under the "cracked" version it will grab all you information (include your email addresses from outlook) and send it to a server - they already grab my own useless information. After that they send you some warning emails (at email addresses from outlook): just a scare tactic to make another sale.
-
Nimda
by Nieylana- 10 replies
- 8.5k views
Hey, My windows xp installation recently has created a random Nimda user on my computer, i'm aware that the Nimda.A virus is supposed to do this by enabling the guest account and then renaming it and adding to the Administrator group. What concerns me the most is that i have run multiple Nimda virus scanners/removers and also NOD32, but none have detected the Nimda virus on my computer.... what am i supposed to do? Also, i've done some looking online about the nimda virus, and it says to look for specific files in certain locations, these files also are not present on my XP Installation, but the account keeps re-appearing... any help would be appreciated EDIT: Also…
-
OpenID - The Doomsday Effect...
by Teddy Rogers- 6 replies
- 4.9k views
Is it just me or are there others out there that look at the use of OpenID as a disaster waiting to happen? For those of you who do not know about OpenID it is a technology that has been around for a few years already. It is being pushed in to popular use by some of the big guns of the internet. It allows you to create one centralised username, password, contact details and a profile on a website. You can then use the associated OpenID to login, register and use your OpenID details on other sites without filling out all their registration information - all using the one password which you used to setup your OpenID account. All good in principle... Unfortunately I see this…
-
The evil genius of XP Antivirus 2008
by CodeExplorer- 6 replies
- 5.3k views
Link: http://www.theregister.co.uk/2008/08/22/an...hack/print.html Here is the hole description of what XP Antivirus 2008 does. Stay away from this malware scam.
-
AutoIt script
by Bleed- 0 replies
- 14.4k views
I tried to play with one virus that a friend gave to me. well I discovered that it was an autoit script. What it does: creates a .bat file that has a shutdown command. creates an autorun.inf on all drives replicates itself on all drives I plan to reverse with little patches it and make it delete all that it created but I have no idea on what API it uses to create those stuff. Can someone tell me (or just pointers) on where to start or what to look for. thanks...
-
Activities regarding malwares
by CodeExplorer- 0 replies
- 5k views
A blog about activities, products and ideas regarding malwares: http://sunbeltblog.blogspot.com/2007_12_01_archive.html Criminals try to 'copyright' malware: http://www.msnbc.msn.com/id/24394270/ Conficker Malware to Return April 1: http://itmanagement.earthweb.com/secu/arti...urn-April-1.htm Websense: Cybercriminals Imitating Social Networks To Spread Malware: http://www.darkreading.com/security/client...client+security
-
Your Guide to Understanding Malware
by CodeExplorer- 0 replies
- 4k views
Link: http://laptoplogic.com/resources/your-guid...tanding-malware May 17, 2009 at 07:05:34 AM, by Gilberto J. Perera Learn what separates viruses from worms, bots from Trojans and other nasty creatures in Gilberto J. Perera's guide to malware.
-
- 1 reply
- 5.1k views
Link: http://www.kishorethakur.com/2008/12/advan...-forensics.html Here are a few quick steps for performing malware analysis on various badware (viruses, works, trojans, rootkits) that you may find in the course of a computer forensics investigation. In this case, I'm analyzing a variant of Sohanad, a Instant Messaging Worm, also known as "the cool pics worm".
-
First virus in 2 years...
by aztecx- 3 replies
- 4.5k views
I believe there may have been 3 viruses that were attached to the infected file I executed but here are samples of two of them. One is a dump while the other is just the original file that was copied into the temp folder at execution. Anyways I've attached a rar file with the two infected files. Anyone that collects malware enjoy. Anyways as I'm still in the process of trying to remove it so hopefully I don't run into any big difficulties. PASS - aztecx Malware.rar
-
ConF(u)cker
by Willi000- 6 replies
- 6.9k views
http://mtc.sri.com/Conficker/ http://blog.fortinet.com/the-art-of-unpack...conficker-worm/
-
Am I infected?
by Victor- 7 replies
- 7.7k views
Any more information needed just ask. Thanks in advance.
-
- 1 reply
- 5.2k views
Something I found last week - can't remember where from though How_Conficker_makes_use_of_MS08_067.pdf
-
ViSA_Coding_By_Mr.ViRuSHaCkEr.exe
by high6- 3 replies
- 4.7k views
Getting into virus analyzes(anyone have any recommendation for articles?). Right now I am doing it on my pc . Really need to setup a VM . Although Comodo is doing nicely against small viruses. Anyone know anything about this one? (DO NOT DOWNLOAD IF YOU DO NOT KNOW WHAT YOU ARE DOING) http://rapidshare.com/files/220676862/ViSA...ViRuSHaCkEr.exe
-
SimbiOZ, is that a malware
by movzxEax- 7 replies
- 5k views
This's un unpackme from the unpackmes collection uploaded on tuts4you server It has a very strange behavior, it replaces the svchost.exe sercive + tries to scan all opened processes + tries to change the page protection of some places in these processes After each run, It crashes all opened apps (even kaspersky AV + Outpost firewall + explorer olso ...) all processes are closed It's very strange I first lunched it under vista no sp -> crashes all and then I tried to figure out what happened (but leak of time) and can't go further now Please if someone has some extra time and can analyse this unpackme, it will be a great help thank you. BE CAREFULL, DON'T RUN IT OUT OF…
-
- 5 replies
- 5.3k views
Hi, I've released Backdoor.Win32.UltimateDefender.gtz Reverse Engineering: http://evilcry.netsons.org/tuts/Mw/Backdoo...ateDefender.pdf Regards, Giuseppe 'Evilcry' Bonfa'
-
PaiN RAT v0.1 RC1 Portable
by unbanhub- 4 replies
- 8.7k views
Hy, recently i`ve search on the internet for an PaiN RAT Portable and I found the last version of the producer, and I`m happly to share this with you. PaiN RAT v0.1 RC1 Portable I`ve scan on Novirusthanks.com to check it, here is the log. File Info Report generated: 17.2.2009 at 20.33.00 (GMT 1) Filename: PaiN RAT.exe File size: 1,331 KB MD5 Hash: 8DD76D109D233BCF8BA8216959937067 SHA1 Hash: 7A1138F999E50238A3C2B8D2073F8EBCADD90B79 Packer detected: Nothing found Self-Extract Archive: Nothing found Binder Detector: Nothing found Detection rate: 4 on 23 Detections a-squared - Trojan-Downloader.Win32.Delf.CQ!IK Avira AntiVir - Nothing found! Avast - Nothing…
-
- 5 replies
- 5.3k views
I posted some information regarding this project in my blog here on tuts4you. I thought I would share it here as well to hopefully gain some support. The main goal of this project is to improve the quality of scanning techniques used in anti-virus software. The issue I have is that there are not methods of "detecting the usage of strong cryptography, secure key management, and obfuscation that can be used inside malware. I have a lot of love for the researchers and I know they work extremely hard and are very talented. The issue I have is that there is a lot of room for improvement and I would like to see that improvement made. We need stronger methods of attacking crypto…
-
How to Analyze a BHO?
by pichoo- 3 replies
- 5.1k views
Can anyone point me to any resource that talks about analyzing an Internet Explorer Browser Helper Object? I am semi competent in analyzing typical executables, however I don't really know where to start with a BHO dll other than looking at the strings, since it doesn't look like it executes like an exe. Any help would be appreciated, I'm really just looking for a starting point.
-
Anti-Virus Coding Requirement
by maxil122- 8 replies
- 5.8k views
Hello, Please, can someone help me to know what is required to made an Anti-virus: - Which language is more efficient ? - What's required like Windows Internals / Coding in low level / Good know in x86 family / File systems (PE) / Reversing / Unpacking... ? It will be helpful if you make it clear. Thanks.
-
Help Unpacking
by pichoo- 4 replies
- 13.9k views
Hi, can anyone help me to figure out what this malware is packed with. PeID does not identify it, and VirusTotal gives these results from F-Prot and Authentium: packers (F-Prot): PE-Armor, Malware_Prot.V packers (Authentium): PE-Armor, Malware_Prot.V I've attached the file in a password protected Rar, password is "password". Any help would be appreciated. Thank you Also, I'm new to these forums, so if I'm breaking any rules, please let me know. malware.rar
-
- 8 replies
- 17k views
get the whole exploit code here: http://www.milw0rm.com/exploits/6031 i think this exploit is dangerous. maybe some software will use it to avoid debugging? or probably malware will use it. keep your eyes open
