
Malware Reverse Engineering

Debugging, disassembling and documenting interesting malware...

  1. rever_ser
    Started by rever_ser,

    hi everyone! as you know after dumping from a process we must rebuild the import table to execute the dump file but why? another question related to this: does the address of system dlls (e.g. kernel32.dll) change after each execution of the program or after each system reboot? (if the answer is "yes", does the loader reconstruct the import table after each execution?) are system dlls loaded in the process address range or do they have a unique address and all processes access the dll by that address? i know there are a lot of reasons for import reconstruction after dump. but i want to know about the mentioned reason in detail. thanks in advance!!!

    • 1 reply
    • 6k views
  2. SkyProud
    Started by SkyProud,

    http://recode.net/2014/11/23/symantec-uncovers-sophisticated-stealthy-computer-spying-tool/

    • 3 replies
    • 5.7k views
  3. SkyProud
    Started by SkyProud,

    https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-optimized-mal-ops
    https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Bootkits
    https://www.virusbtn.com/virusbulletin/archive/2014/11/vb201411-Apple-without-shell
    https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm

    • 0 replies
    • 4.9k views
  4. Edieneo
    Started by Edieneo,

    Since I'm taking a programming course, I'm interested in virus stuff. I hope you guys have any introduction or reference that I can follow to successfully reach my point?

    • 5 replies
    • 7.9k views
  5. REAP
    Started by REAP,

    Hello, I have a Win 7 computer that has been infected with a brute-force password virus. When the computer is able to connect to a DC the computer constantly tries to determine the password for some user account that it has chosen. I've tried scanning the computer with a number of AVs without success: MBAM, MBAR, TDSSKiller, Gmer, Vipre. After doing some analysis on the computer I've been able to determine that the infected process on the computer is the Windows System process. Worked this out by identifying which ports the virus was using from the server logs and then using CurrPorts (from Nirsoft) and Process Monitor (SysInternals) to monitor the deskto…

    • 8 replies
    • 6.1k views
  6. i.zeid

    I have a Win32 app which is C++ programmed with Qt. I tried to decompile it with Boomerang but Boomerang suddenly gets closed when it reaches 99% of decompilation progress. Now I am trying to look into the parameters that this program sends over an SSL/TLS connection to its own server. I found some articles about this and I found that actually the program stores some valuable data in memory in order to decrypt the SSL/TLS traffic using Wireshark, which is the Session-ID and Master-Secret. As I read, I found that actually there is a way to extract the master secret from memory but I don't know how to do that. Is there anyone that can direct me to the right di…

    • 8 replies
    • 6.9k views
  7. sherl0ck
    Started by sherl0ck,

    On October 25, 2013, a Linux kernel bug CVE-2013-6282 was published. It was largely exploited around that time to get root access on existing Android devices. After reading tons of user reviews, I also applied the rootkit to get root access on my Sony Xperia L handset successfully. It was quite surprising that even the latest firmware update, too, didn't fix the vulnerability. What the flaw basically says is, The rootkit has its source code attached. /* getroot 2013/12/07 */ /* * Copyright (C) 2013 CUBE * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software…

    • 0 replies
    • 5.9k views
  8. News Feeder
    Started by News Feeder,

    Security journalist Brian Krebs revealed details yesterday surrounding the malware sample used in the Target cyber-attacks, which originally took place November 27 – December 15, 2013. On Sunday, Target CEO and President Gregg Steinhafel conducted an interview with CNBC over the recent Target security breach. During that interview, he mentioned that a malware infection was involved, but no specific samples were identified. According to Krebs, a report of the malware used during the breach was uploaded to ThreatExpert, an automated analysis system run by Symantec. The report has since been removed, but Krebs managed to save a copy of the cached report (found here on h…

    • 5 replies
    • 7.2k views
  9. JMC31337
    Started by JMC31337,

    working on doing a lil phishing expedition (yea it's for the birds but I gotta write a good one in C# before I move on). Grabbed CheatEngine to scan through some memory (Cheat Engine is not bad, but I don't like the crap it tries to install with it - GOT A BETTER ONE LEMME KNOW-). Using Chrome to log in to GMAIL I put a fake password as 16 A's: GALX=p_COcLCigQk&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&service=mail&rm=false&ltmpl=default&hl=en&scc=1&ss=1&_utf8=%E2%98%83&bgresponse=%21A0I0ITH9HDNvS0R6sejAokAPWwIAAADsUgAAAA0qAQ54RhVt-Qu2LVKb4J23WkCZueD1ffB8V_ZSE_jIE04XOzOSUwm16rZ2suDsEJH9riKKR60AWqjQpirqHTN-qJ64hB7Rl61SZaj_8K…

    • 4 replies
    • 17.5k views
  10. Blah
    Started by Blah,

    Hello all.. I ran into this file "out there" and it looks sketchy... anybody here want to check it out and see if it's legit or a virus?? It says it's a SKIDROW rar password unlocker.. (yeah I know, sounds sketchy as hell lol) supposedly written by their group.. there's a pdf in the file that I opened that says something like that.. http://www30.zippyshare.com/d/99176948/18810/RAR%20Password%20Unlocker%20v4.3.146_by%20SKIDROW_updated%2001-01-2014.zip If this post is bad please dump it teddy... not sure... but I figured I'd ask if anybody wants to check it out and see what the hell it is... if it was a rar password decrypter it would be neat but if not it…

    • 3 replies
    • 8.8k views
  11. JMC31337
    Started by JMC31337,

    in no way is this my code at all: simply added/modified 2 lines to make it work correctly for Dev-C++
    1) LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);
    2) *(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");
    #define WIN32_LEAN_AND_MEAN
    #include <windows.h>
    #include <stdio.h>
    #include <shlwapi.h>
    #include <iostream>
    using namespace std;
    typedef LONG NTSTATUS;
    #define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
    //ivanlef0u's code
    //xp sp2 ntoskrnl 5.1.2600, the numbers indicate the size of the struct to pass as argument
    typedef enum _DEBUG_CONTROL_CODE { Deb…

    • 0 replies
    • 6.7k views
  12. tibe87
    Started by tibe87,

    Introduction This is a school project (educational purpose), so I don't care about hacking any website. It's a bit over my head so that's why I am posting this project. Basically I need to reproduce the ''Samy worm'' known also as "myspace worm" in a controlled environment. Requirements For starters I need a "mini" myspace/facebook to test the worm. To make it simpler, there are some free social networks available like Elgg, Oxwall that you can use. (I have an old version of Oxwall already vulnerable to basic XSS) Or you can make it vulnerable yourself by editing it. (I know for sure that this is possible) Or maybe it's easier for you to build it from scratch implementin…

    • 4 replies
    • 31.7k views
  13. Teddy Rogers
    Started by Teddy Rogers,

    A news story direct from the FBI on some of the pitfalls of pirated software... http://www.fbi.gov/news/stories/2013/august/pirated-software-may-contain-malware Ted.

    • 3 replies
    • 6.1k views
  14. JMC31337
    Started by JMC31337,

    #include <windows.h>
    //DEV-C++
    //link with -masm=intel
    asm(".intel_syntax noprefix");
    static long csx;
    static char* test;
    int main(void) {
    asm("pop ebp");
    asm("pop ebp");
    asm("pop ebp");
    //asm("push 0x11111111");
    //asm("push 0xEEEEEEEE");
    //asm("push 0xAAAAAAAA");
    //asm("push 0xCCCCCCCC");
    //char *test = "\x31\xC9\x51\x68"
    //"\x63\x61\x6C\x63"
    //"\x54\xB8\xC7\x93"
    //"\xC2\x77\xFF\xD0";
    asm("push 0xD0FF77C2");
    asm("push 0x93C7B854");
    asm("push 0x636C6163");
    asm("push 0x6851C931");
    asm("push 0x004012E6");
    asm("mov ebp,0x33333333");
    asm("mov edx, esp");
    asm("SYSENTER");
    asm("push 0");
    asm("call _ExitProcess@4");
    asm("call esp");
    return 0; …

    • 58 replies
    • 27.3k views
  15. CodeExplorer
    Started by CodeExplorer,

    Malware Analysis Tutorials: a Reverse Engineering Approach Author: Dr. Xiang Fu Roadmap: You need to first follow Tutorials 1 to 4 to set up the lab configuration. Then each tutorial addresses an independent topic and can be completed separately (each one will have its own lab configuration instructions). link: http://fumalwareanalysis.blogspot.ro/p/malware-analysis-tutorials-reverse.html

    • 1 reply
    • 7.3k views
  16. JMC31337
    Started by JMC31337,

    while cruising around China (looking for setcsum.exe to reset the tcpip.sys checksum), enjoying the scenery and attractions, (damn those Chinese women are sexy ) I was redirected to a web site saying YOUR PC IS INFECTED! In Chinese... even the download exe under Chrome was in Chinese.. we all know the one: you're redirected to a site and it scrolls through about a 1000 list of trojans and the number increases by the second saying your PC is infected with 100's of malware and you need this program to remove them. so I downloaded the exe and rar'd it up pass:infected Haven't had the time to really go through this exe.... and it may not even be a virus (they…

    • 1 reply
    • 11.6k views
  17. CodeExplorer
    Started by CodeExplorer,

    Spy-ware check - list of antispyware tools
    http://www.alken.nl/spy.htm
    Anti-Spyware: Reviews
    http://www.consumersearch.com/anti-spyware-reviews

    • 6 replies
    • 7.1k views
  18. Teddy Rogers
    Started by Teddy Rogers,

    0day Wednesday – Newish Malware That Came Across My Desk... http://www.gironsec.com/blog/2013/12/0day-wednesday-newish-malware-that-came-across-my-desk/ Malware sample can be found here: http://www.gironsec.com/blog/wp-content/uploads/2013/12/0daywednesday.7z Ted.

    • 1 reply
    • 6.5k views
  19. PaperBall

    The situation: I have a malicious Word document from which I have extracted the shellcode and loaded it in OllyDbg. The shellcode assumes it executes within a copy of Microsoft Word which has the malicious DOC file open. The shellcode will search for the DOC file by going over the list of open file handles. When it finds a possible match, it (or a part of it) is loaded into memory. The shellcode then proceeds to decrypt the payload in memory etc etc ... My question: While debugging a program in OllyDbg, can I manually open a file so that the file handle becomes available to the debugged process? Also, is there a way to have the deb…

    • 7 replies
    • 10.2k views
  20. JMC31337
    Started by JMC31337,

    Short of it is: I was working on long pointer strings and found this
    This exception may be expected and handled.
    eax=0022fc54 ebx=00000000 ecx=0022fca7 edx=7c90e514 esi=80000003 edi=00000000
    eip=80000003 esp=0022fc5c ebp=0022fca4 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
    80000003 ?? ???
    0:000> gh
    (1650.139c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0022fc54 ebx=00000000 ecx=0022fca7 edx=7c90e514 esi=80000003 edi=00000000
    eip=80000003 esp=0022fc5c e…

    • 8 replies
    • 6.7k views
  21. JMC31337
    Started by JMC31337,

    Came across a cool little prog called ioctlbf... It's used to try and BSOD the system via DeviceIOControl IRQs, which is how user talks to kernel via its sys drivers. For a quick example:
    C:\ioctlbf_0.4\bin>ioctlbf -d IP -r 120040-120050
    [ioctlbf ASCII-art banner] v0.4
    [~] Open handle to the device \\.\IP ... OK
    Summary
    -------
    IOCTL scanning mode : Range mode 0x00120040 - 0x00120050
    Filter mode : Filter disabled
    Symbolic Device Name : \\.\IP
    Device han…

    • 0 replies
    • 6.1k views
  22. Teddy Rogers
    Started by Teddy Rogers,

    The source code for ZeuS has been leaked for weeks, so what is known?
    http://blog.trendmicro.com/the-zeus-source-code-leaked-now-what/
    Sophos Technical Paper
    http://www.sophos.com/medialibrary/PDFs/technical%20papers/Sophos%20what%20is%20zeus%20tp.pdf?dl=true
    ZeuS 2.0.8.9.rar
    Ted.

    • 5 replies
    • 14.1k views
  23. aj3423
    Started by aj3423,

    Hi, I'm new to tuts4you. I found all other posts are UnpackMe, and I want to analyze a virus to see what it does but I don't know how to unpack it. It's packed with VMProtect 2.07. Anyone could shed some light on this? A tutorial would be great:) Again, it's a virus, don't run it directly. The virus deletes itself after running, so the unpacking would be successful if it's disappeared when executed. Thanks. virus.rar

    • 3 replies
    • 6.9k views
  24. E33
  25. Ahmed18
    Started by Ahmed18,

    iRemova [Visual Removal Tool Builder] A tool to help you on creating virus removal tools. For more information watch the Demo tut. By in4matics | AT4RE Download: http://www.at4re.com/download.php?view.161

    • 1 reply
    • 7.5k views
