Skip navigation.


Backdoor UltimateDefender Reverse Engineering


Here the reverse engineering of Backdoor UltimateDefender
a malware that presents also Rootkit Functionalities.

Giuseppe 'Evilcry' Bonfa'

My Ether Installation Method

I've gotten a few emails from people asking questions about how to install Ether. I thought I would put some very rough notes together for my general method to install it. Artem Dinaburg and crew have some good notes at the official Ether website but there are a few more things I do to get things rolling.

Here goes:

  1. Download the Debian AMD64 5.x net installation ISO and install it. Get your network card and configuration working.
  2. Install ONLY the linux-image-2.6.26-*-xen-amd6 package. You just want the kernel for this one. This is where I've gotten myself into trouble by installing the kernel source that comes with the patched Xen system.
  3. Download the Xen and the ether_ctl source and patch as described on the Ether installation instructions page.
  4. Install the Debian packages necessary to get the system up and running. I recently installed a system and this is the output of dpkg --get-selections command: ether_install_packages.log
    Hint: grep '[[:space:]]install$=' ether_install_packages.log| awk '{print $1}'| xargs aptitude install
  5. Start compilation of Ether in the following directories not the main xen-3.1.0-src directory
    1. cd xen ; make && make install
    2. cd ../tools ; make && make install
    3. cd firmware ; make && make install
  6. Edit the /boot/grub/menu.lst to have an entry that looks something like this (be sure to substitute your information):

    title Debian GNU/Linux, kernel 2.6.26-2-xen-amd64
    root (hd0,0)
    kernel /boot/xen-3.1.0.gz dom0_mem=1G
    module /boot/vmlinuz-2.6.26-2-xen-amd64 root=/dev/sda1 ro quiet
    module /boot/initrd.img-2.6.26-2-xen-amd64

  7. Reboot. You should see a Xen logo then your system will start up and look like normal.
  8. Make a Windows VM and follow the modification instructions on the Ether website.

That should be all it takes to get a working system up and running. While you're playing with Ether be sure to check out Vera as well.


  • 10/9/2009 - I've heard from a number of people that you may have to disable NX protection in your motherboard's BIOS to get this to work correctly.
  • 10/27/2009 - Updated to not need compilation of libdisasm, updated installed modules list

Trojan-Dropper.Win32.Agent.aang - focusing on the rootkit

Hi all!
Today I will show you the analysis of Trojan-Dropper.Win32.Agent.aang (Kaspersky), it’s a p2p worm that spreads through p2p applications by using .rar archives with different names.
These names are something like "xxx.crack.rar" or "xxx.keygen.rar" where xxx is the name of a famous application.
This time I focuses on the analysis of the rootkit because the trojan is very simple to understand.
The article is here:

Interesting and bad Malware

Hello everyone,

I Have a big passion for the malwares - mine is only a hobby - and I like to test the new malwares with the suites of security for check possible vulnerability.

This morning I have uploaded two very bad malwares that I have tested in the last days:

b.css, MD5: 8404200644217e86445d89d1f3ae8fee

wversion.exe, MD5: f5c6b935e47b6a8da4c5337f8dc84f76

Take care.

Sorry for my English, thanks.


Backdoor.W32.rizo.ab or W32.Spybot.Worm

Hi there!

I generally write articles about software protections, so I hope that my writing style will be good for malware too.

I’m used to reverse malware but this is the first time I write about it.

Backdoor.W32.rizo.ab (Kaspersky) or W32.SpyBot.Worm (Symantec) is a worm spreading through Windows MSN, it’s not too hard to reverse, it uses some anti-VM and anti-Debug protections with a little bit of cryptography.

We will discover that the coder is not so expert (we will find some bugs).

Google Groups Used To Control Botnets

It's seems good that symantec guys discovered C&C ( command & control ) on the private google pages, from the symantec blog the following quotes are available :

Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. Recent developments have included the utilization of Web 2.0 social networking websites to deliver commands. By integrating C&C messages into valid communications, it becomes increasingly difficult to identify and shut down such sources. It's a concept very similar to that of chaffing and winnowing. Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec has detected.

It’s worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.

The Trojan itself is quite simple. It is distributed as a DLL, and when executed will log onto a specific account:


The Web-based newsgroup can store both static “pages” and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.

Vizsec 2009: Visualizing Compiled Executables for Malware Analysis

The Vizsec 2009 program looks to be a pretty exciting this year. Please join us in Atlantic City New Jersey; I will be presenting more visualization techniques for malware. I'm presenting a paper titled "Visualizing Compiled Executables for Malware Analysis." I hope to see you there.

Visualizing Compile Executables for Malware Analysis PDF - This won best paper at the workshop.


Reverse engineering compiled executables is a task with a steep learning curve. It is complicated by the task of translating assembly into a series of abstractions that represent the overall flow of a program. Most of the steps involve finding interesting areas of an executable and determining their overall functionality. This paper presents a method using dynamic analysis of program execution to visually represent the overall flow of a program. We use the Ether hypervisor framework to covertly monitor a program. The data is processed and presented for the reverse engineer. Using this method the amount of time needed to extract key features of an executable is greatly reduced, improving productivity. A preliminary user study indicates that the tool is useful for both new and experienced users.

OSSS: Security Suite. Fourth public beta (Vista support)

| |

For the recent six weeks we have implemented a number of new functions.

The first one to mention is automatic customization of rules via Security Master already at the program installation stage.

Starting with version v1.1, search for software in use is performed during the OSSS installation, whereupon the accumulated data are analyzed on our server and the set of rules for the detected applications is generated automatically.

W32/Skintrim Reversing of a Badly Coded Mw


Here I've linked the first two parts of W32/Skintrim Reverse Engieering of a Badly Coded Malware
a Malware that is not working and appears really little, I've repaired it and I'm reversing it completely,
Skintrim appeared to be really articulate.

Here the first three blog posts:


Soon I will publish the #4 part.

Giuseppe 'Evilcry' Bonfa'

UPS Spam - Bredolab Trojan - Anubis blind (for once)

Syndicate content