Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
369 topics in this forum
-
- 1 reply
- 6.3k views
Nice little article. Not a particularly complex packer but it describes a nice way of injecting into a process without using the WriteProcessMemory API (potentially avoiding malware scanners that hook WriteProcessMemory) Article: http://resources.infosecinstitute.com/deep-dive-into-a-custom-malware-packer/
-
Carberp source leaked
by deepzero- 3 replies
- 6.3k views
Source of Cerberp Bot was leaked as pw protected zip a while back, and is now available : https://github.com/hzeroo/Carberp more info: https://threatpost.com/carberp-source-code-leaked/ http://touchmymalware.blogspot.de/2013/06/carberp-source-code-now-leaked.html About 750K LOCs. Guess everyone will find something interesting inside...
-
Crypter overview
by cipher- 6 replies
- 12.7k views
hello i am here today with the executable that can obfuscate the virus and makes it fully undetectable from anti-viruses.This executable uses runPE techniques to inject into other process and to dump the crypted code into memory and hence the executable's code remain undetected by Anti-viruses. These crypters are programmed by individuals and hence remains undetected most of the time .Mostly they are coded in VB or .Net and hence you will find most of the viruses showing vb attributes during PE Scans ,but mostly the viruses/RATs/Stealers/Bots/Worms are coded in borland Delphi. Examples : 1) RATS : cybergate,Blackshades,pixel,spynet,darkcomet etc 2) STEALERS …
-
Unpack malware
by difazabi- 0 replies
- 22.5k views
Hi, I would like to ask for my help. I can't unpack this malware. My result is only crash. (OEP: 0047FDB0) Protection: Autoit Cryptor + UPX Someone can help me? Thanks! pass: infected* http://rghost.net/private/44963997/cb94ba6b77c6b5e619bf2468de56e0f1 or attach BF76F84A49E53133E6FEAD862114DB56_.zip
-
Decompile perl2exe ?
by Cyb3rHack3r- 5 replies
- 9.1k views
Hay, Guys So i need little help, I am new to malaware reverse engineering but i really love to learn more Now i am trying to Decompile a malware which is complied using perl2exe Now like i said i am new i tried my best but because i have never Decompiled a perl2exe file before So i am not fully sure how i should do it, I tried to search on the net and found some really Interesting information like the exe contains encrypted perl code but its decrypted during runtime So can any one tell me how i can decompile the file and get the decrypted source code By the way i tried this tool called exe2perl which is suppose to be decompiler but i g…
-
Doorgets Tutorials
by Ali.Dbg- 1 reply
- 5.6k views
Hello Doorgets Turorials is a good cms for video tutorials site (youtube videos) Offical Web Site http://www.doorgets.biz/ Download Latest Version http://sourceforge.n...ad?source=files Demo http://www.professeur-php.com/
-
How to get the API sequence of a PE file
by hardikmb- 1 reply
- 5.6k views
Hello, I am Hardik.I am working on a malware detection system, I've been using IDA pro to reverse engineer one PE file for identifying the API sequence, I am able to get the imports from IAT, and also the call graph which shows the hierarchy of functions including API function but how do I get the API sequence for identifying the virus?
-
What is basethreadinitthunk?
by r42fr- 1 reply
- 16.8k views
What is basethreadinitthunk?I dont find it on msdn.
-
Reversing malware questions
by Downloading...- 23 replies
- 11k views
Hey there, I managed to get a sample of a "Ransomware" type of virus, which just locked the computer until one paid and got puts in a code to unlock (which I doubt would actually unlock it) Anyhow, I grabbed the virus.exe and it's getting detected by 22/40 AV's. I looked at it witrh PEiD which couldn't find anything, I assume the file is most likely packed. I also ran a string command on it, nothing came out (except assembly XML file, so even more chance it's packed) Then I disassembled the with IDA (all this in linux since it's risky :3 ) Here is a list of the imports: 10004000 RegOpenKeyExW ADVAPI32 10004008 GetSaveFileNameW …
-
sality32
by Dreamer- 0 replies
- 8.2k views
Discovered: June 4, 2003 Updated: August 8, 2012 2:28:32 PM Also Known As: W32/Kookoo-A [sophos] Type: Virus Systems Affected: Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000 W32.Sality is an entry-point obscuring (EPO) polymorphic file infector. It will infect executable files on local, removable and remote shared drives. The virus also creates a peer-to-peer (P2P) botnet and receives URLs of additional files to download. It then attempts to disable security software. Infection W32.Sality will infect executable files on local, removable and remote shared driv…
-
Malware Removal Guide
by Brian- 2 replies
- 6.4k views
Guide: http://www.selectrea...-removal-guide/ Comments and Reviews: http://www.selectrea...ts-and-reviews/
-
- 1 reply
- 5.6k views
Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might “spoil the taste of Larry Ellison's morning…Java.” If you disabled Java when the last zero-day exploit was spotted in the wild, then you might consider doing so again . . . or dumping Java altogether? According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects “one billion users of Oracle Java SE software.” Appalled to learn that Oracle/Java has another huge critical hole, I reached out to Adam…
-
All network traffic sniffer
by R4ndom- 5 replies
- 6.8k views
I think I may have a rootkit or keylogger on my other computer and I'm wondering if someone can recommend a good program to see ALL data that leaves your computer over a wired network, sort of like what wireshark does for wifi. It doesn't need to be complicated, just something that shows me every bit that goes over the wire so I can see if there is suspicious data flowing from my computer. I tried running the rootkit detection software out there but it doesn't work very well for 64-bit windows. Thanks for you help.
-
Visual Basic Malware
by waliedassar- 1 reply
- 6.6k views
Here is a small tutorial (Part 1) for analyzing Visual Basic Malware. />http://waleedassar.blogspot.com/2012/03/visual-basic-malware-part-1.html Waliedassar
-
W32 USB Rootkit
by JMC31337- 12 replies
- 11.3k views
USB Rootkit (minus the extras) 2 sys files 1 Dll 1 Exe dropper
-
- 1 reply
- 5.3k views
FakeNet is Windows network simulation tool designed for malware analysis. It redirects all traffic leaving a machine to the localhost (including hard-coded IP traffic and DNS traffic) and implements several protocols to ensure that malicious code continues to execute and can be observed by an analyst. The tool supports DNS, HTTP, and SSL protocols and provides a python extension interface for implementing new or custom protocols. It also the capability to listen for traffic to any port as well as create packet capture on the localhost. Right now the tool only supports WinXP Service Pack 3. The tool runs fine on Windows Vista/7 although certain features will be automatical…
-
[ BBC Tech ] Massive cyber-attack discovered
by News Feeder- 10 replies
- 8k views
A cyber-attack which has covertly collected vast amounts of sensitive data from countries like Israel and Iran has been uncovered, Russian researchers say. View the full article
-
Computer Virus Hits U.S. Drone Fleet...
by Teddy Rogers- 3 replies
- 5.3k views
Computer Virus Hits U.S. Drone Fleet You have to ask questions... I mean common really!? http://www.wired.com...ts-drone-fleet/ Ted.
-
WinRAR Parasite
by JMC31337- 5 replies
- 9k views
;TASM32 /ml seppuku ;tlink32 -x -c -aa seppuku,,,import32 .386 .model flat,StdCall jumps include windows.inc ;========================== FILETIME STRUC FT_dwLowDateTime DD ? FT_dwHighDateTime DD ? FILETIME ENDS MAX_PATH EQU 260 WIN32_FIND_DATA STRUC WFD_dwFileAttributes DD ? WFD_ftCreationTime FILETIME ? WFD_ftLastAccessTime FILETIME ? WFD_ftLastWriteTime FILETIME ? WFD_nFileSizeHigh DD ? WFD_nFileSizeLow DD ? WFD_dwReserved0 DD ? WFD_dwReserved1 DD ? WFD_szseppuku …
-
Analyzing FUD Virus
by idragon- 3 replies
- 6.4k views
Hey, I am new here and found this interesting virus, seems to be FUD for a long time as it says here: https://www.virustotal.com/file/380ab99f217e3100da2d74d374978e70010dc88897c40ccc29058323b853ea21/analysis/ But it can't be a real "Steam Key generator". There doesn't exist something. Could someone analyze it ? http://www.mediafire.com/?4fzw9ikazj7loub
-
The Koobface malware gang - exposed!
by Teddy Rogers- 2 replies
- 5.7k views
The Koobface malware gang - exposed! This makes for an interesting read... />http://nakedsecurity.sophos.com/koobface/ Ted.
-
Duqu's Vulnerabilty
by Pouyaaa- 0 replies
- 5.3k views
Hi guys I've started diffing the unpatched verstion of win32k (5.1.2600.6149) with patched one (5.1.2600.6178) for finding the bug . So I came up with lots of pointer corruption suspicious instruction bug at sfac_GetSbitBit which is gonna used for parsing TTF. but I don't how what user land APIs used for triggering GetSbitComponent function. Can u guys give me some suggestion ? thanks
-
Honeynet Project Challenge 8...
by Teddy Rogers- 5 replies
- 7.4k views
Honeynet Project - Forensic Challenge 8 - "Malware Reverse Engineering" />https://www.honeynet.org/node/668 Ted. Malware Reverse Engineering.zip
-
Need help at runtime analysis
by Pouyaaa- 0 replies
- 4.9k views
Hi guys .... I've started analyzing the Duqu's Driver which is gonna lead to the most of the its skeleton ... so I have no problem with static analysis but I want to debug it under windbg or IDA... so I've setup a virtual lab with vmware just like always and configured it for kernel debugging but I cannot set a Breakpoint at DriverEntry ..... so I got a nice range of memory address which is being repeated everytime but how can I set a BP on them so that I can hit it ? bu command just not working.... I have tried "on access memory bp" so ain't Any good suggestion ? Thanks
-
Malware/Java Issue
by cozofdeath- 8 replies
- 6.9k views
I've been running my computer just fine with no problems for as long as I can remember. Any type of malware seems to get eliminated right away if found. However, whenever I see the small java icon in the sys tray popup I know an exploit it being executed and usually my AV will pop up and eliminate the threat. Yes, I know java isn't bad but the only time I see it executing it seems to be. The other day this same thing happened but it managed to get through and instantly shut the computer down and cause many other problems. My question is, why is it always java doing this? Yes, I know what java is, for the most part, and no I wasn't looking at porn when it happened. These j…
