Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
364 topics in this forum
-
Doorgets Tutorials
by Ali.Dbg- 1 reply
- 5.4k views
Hello, Doorgets Tutorials is a good CMS for a video tutorials site (YouTube videos). Official Web Site: http://www.doorgets.biz/ Download Latest Version: http://sourceforge.n...ad?source=files Demo: http://www.professeur-php.com/
-
How to get the API sequence of a PE file
by hardikmb- 1 reply
- 5.4k views
Hello, I am Hardik. I am working on a malware detection system. I've been using IDA Pro to reverse engineer one PE file to identify the API sequence. I am able to get the imports from the IAT, and also the call graph, which shows the hierarchy of functions including API functions, but how do I get the API sequence for identifying the virus?
-
What is basethreadinitthunk?
by r42fr- 1 reply
- 16.3k views
What is basethreadinitthunk? I don't find it on MSDN.
-
Reversing malware questions
by Downloading...- 23 replies
- 10.6k views
Hey there, I managed to get a sample of a "Ransomware" type of virus, which just locked the computer until one paid and put in a code to unlock it (which I doubt would actually unlock it). Anyhow, I grabbed the virus.exe and it's getting detected by 22/40 AVs. I looked at it with PEiD, which couldn't find anything; I assume the file is most likely packed. I also ran a strings command on it, and nothing came out (except an assembly XML file, so even more chance it's packed). Then I disassembled the file with IDA (all this in Linux since it's risky :3 ). Here is a list of the imports: 10004000 RegOpenKeyExW ADVAPI32 10004008 GetSaveFileNameW …
-
sality32
by Dreamer- 0 replies
- 7.9k views
Discovered: June 4, 2003 Updated: August 8, 2012 2:28:32 PM Also Known As: W32/Kookoo-A [sophos] Type: Virus Systems Affected: Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000 W32.Sality is an entry-point obscuring (EPO) polymorphic file infector. It will infect executable files on local, removable and remote shared drives. The virus also creates a peer-to-peer (P2P) botnet and receives URLs of additional files to download. It then attempts to disable security software. Infection W32.Sality will infect executable files on local, removable and remote shared driv…
-
Malware Removal Guide
by Brian- 2 replies
- 6.2k views
Guide: http://www.selectrea...-removal-guide/ Comments and Reviews: http://www.selectrea...ts-and-reviews/
-
- 1 reply
- 5.4k views
Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might “spoil the taste of Larry Ellison's morning…Java.” If you disabled Java when the last zero-day exploit was spotted in the wild, then you might consider doing so again . . . or dumping Java altogether? According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects “one billion users of Oracle Java SE software.” Appalled to learn that Oracle/Java has another huge critical hole, I reached out to Adam…
-
All network traffic sniffer
by R4ndom- 5 replies
- 6.6k views
I think I may have a rootkit or keylogger on my other computer and I'm wondering if someone can recommend a good program to see ALL data that leaves your computer over a wired network, sort of like what Wireshark does for wifi. It doesn't need to be complicated, just something that shows me every bit that goes over the wire so I can see if there is suspicious data flowing from my computer. I tried running the rootkit detection software out there but it doesn't work very well for 64-bit Windows. Thanks for your help.
-
Visual Basic Malware
by waliedassar- 1 reply
- 6.4k views
Here is a small tutorial (Part 1) for analyzing Visual Basic malware. http://waleedassar.blogspot.com/2012/03/visual-basic-malware-part-1.html Waliedassar
-
W32 USB Rootkit
by JMC31337- 12 replies
- 11k views
USB Rootkit (minus the extras) 2 sys files 1 Dll 1 Exe dropper
-
- 1 reply
- 5.1k views
FakeNet is a Windows network simulation tool designed for malware analysis. It redirects all traffic leaving a machine to the localhost (including hard-coded IP traffic and DNS traffic) and implements several protocols to ensure that malicious code continues to execute and can be observed by an analyst. The tool supports the DNS, HTTP, and SSL protocols and provides a Python extension interface for implementing new or custom protocols. It also has the capability to listen for traffic to any port as well as create packet captures on the localhost. Right now the tool only supports WinXP Service Pack 3. The tool runs fine on Windows Vista/7 although certain features will be automatical…
-
[ BBC Tech ] Massive cyber-attack discovered
by News Feeder- 10 replies
- 7.7k views
A cyber-attack which has covertly collected vast amounts of sensitive data from countries like Israel and Iran has been uncovered, Russian researchers say.
-
Computer Virus Hits U.S. Drone Fleet...
by Teddy Rogers- 3 replies
- 5.1k views
Computer Virus Hits U.S. Drone Fleet You have to ask questions... I mean come on, really!? http://www.wired.com...ts-drone-fleet/ Ted.
-
WinRAR Parasite
by JMC31337- 5 replies
- 8.8k views
;TASM32 /ml seppuku
;tlink32 -x -c -aa seppuku,,,import32
.386
.model flat,StdCall
jumps
include windows.inc
;==========================
FILETIME STRUC
  FT_dwLowDateTime  DD ?
  FT_dwHighDateTime DD ?
FILETIME ENDS
MAX_PATH EQU 260
WIN32_FIND_DATA STRUC
  WFD_dwFileAttributes DD ?
  WFD_ftCreationTime   FILETIME ?
  WFD_ftLastAccessTime FILETIME ?
  WFD_ftLastWriteTime  FILETIME ?
  WFD_nFileSizeHigh    DD ?
  WFD_nFileSizeLow     DD ?
  WFD_dwReserved0      DD ?
  WFD_dwReserved1      DD ?
  WFD_szseppuku …
-
Analyzing FUD Virus
by idragon- 3 replies
- 6.3k views
Hey, I am new here and found this interesting virus. It seems to have been FUD for a long time, as it says here: https://www.virustotal.com/file/380ab99f217e3100da2d74d374978e70010dc88897c40ccc29058323b853ea21/analysis/ But it can't be a real "Steam Key generator"; something like that doesn't exist. Could someone analyze it? http://www.mediafire.com/?4fzw9ikazj7loub
-
The Koobface malware gang - exposed!
by Teddy Rogers- 2 replies
- 5.5k views
The Koobface malware gang - exposed! This makes for an interesting read... http://nakedsecurity.sophos.com/koobface/ Ted.
-
Duqu's Vulnerabilty
by Pouyaaa- 0 replies
- 5.1k views
Hi guys, I've started diffing the unpatched version of win32k (5.1.2600.6149) with the patched one (5.1.2600.6178) to find the bug. So I came up with lots of suspicious pointer-corruption instructions at sfac_GetSbitBit, which is used for parsing TTF, but I don't know what user-land APIs are used for triggering the GetSbitComponent function. Can you guys give me some suggestions? Thanks
-
Honeynet Project Challenge 8...
by Teddy Rogers- 5 replies
- 7.2k views
Honeynet Project - Forensic Challenge 8 - "Malware Reverse Engineering" https://www.honeynet.org/node/668 Ted. Malware Reverse Engineering.zip
-
Need help at runtime analysis
by Pouyaaa- 0 replies
- 4.7k views
Hi guys... I've started analyzing Duqu's driver, which is going to lead to most of its skeleton... so I have no problem with static analysis, but I want to debug it under WinDbg or IDA... so I've set up a virtual lab with VMware just like always and configured it for kernel debugging, but I cannot set a breakpoint at DriverEntry... I got a nice range of memory addresses which is repeated every time, but how can I set a BP on them so that I can hit it? The bu command is just not working... I have tried an "on access" memory BP, so, any good suggestions? Thanks
-
Malware/Java Issue
by cozofdeath- 8 replies
- 6.6k views
I've been running my computer just fine with no problems for as long as I can remember. Any type of malware seems to get eliminated right away if found. However, whenever I see the small Java icon pop up in the sys tray I know an exploit is being executed, and usually my AV will pop up and eliminate the threat. Yes, I know Java isn't bad, but the only time I see it executing it seems to be. The other day this same thing happened but it managed to get through and instantly shut the computer down and caused many other problems. My question is, why is it always Java doing this? Yes, I know what Java is, for the most part, and no, I wasn't looking at porn when it happened. These j…
-
Malware Database
by ramtin- 2 replies
- 5.4k views
Hi, does anyone know something about "Beijing-based KnownSec", which wants to share its malware DB? See the links below: http://www.first.org.../20090703a.html or http://www.cio.co.uk...rity-companies/ Please help me to find this database!!!
-
[ Discussion ] How Anti-Malware Applications Work ?
by CodeXpert- 1 reply
- 6.1k views
As described above in the title: how do anti-malware applications work? How do they find the signature for a specific malware? And a curious question is how the scan works. It is very fast, so it is approximately not searching in databases?! Any comments will be appreciated.
-
W32.Duqu a.k.a. Stuxnet II
by PaperBall- 10 replies
- 8.1k views
Anyone have a copy of this new malware that was discovered last week?
-
The Exception Table hook
by STRELiTZIA- 0 replies
- 4.5k views
Using Exception Table hook to spread malicious code, paper by Peter Ferrie. http://pferrie.host22.com/papers/holey.pdf
-
Virus reverse engineering
by linuscomex- 8 replies
- 7.4k views
Hi all, please help me to reverse engineer viruses and find virus source code through reverse engineering.