YARA v1.2 released

A new version of YARA has been released. This version introduces some bug fixes and new features, such as:

* Sub-string alternatives in hex strings.
* Global rules.
* Enhanced "of" operator and a new "for..of" operator
* Anonymous strings
* uintXX and intXX functions to read integers from a given offset
* yara-python improvements

I've also started to create some rules for packer identification based on PEiD's signatures. There are just a few for now, but I expect to include more in the future.

Shmoocon 2009

Tired of being hustled around by thousands of people at the summer Vegas conventions? Do you live on the wrong side of the United States? Do you really want to fill the time in the winter with hacking and interesting technical discourse? Do you like getting pelted by foam balls emblazoned with a strange animal? Come to Shmoocon!

The Shmoo Group puts on a great conference in DC called Shmoocon. Last year I spoke at it and was impressed by the low-key attitude and technical content enough to be an attendee this year. Tickets are a bit hard to come by but if you can get them I strongly recommend you go.

See you there!


Tracking Waledac

Jeremy from Sudosecure has built a really impressive tool for tracking the Waledac worm. The primary communication system is via the fast-flux method, and Jeremy has built in a system to track countries, origins, and other domains. He also provided a large collection of the Waledac executables.

Sudosecure Blog Post About the Tracker
Sudosecure Waledac Tracker



Asprox sample from Mike Johnson of See his write up here --> Asprox - It's Baaaaaaack

Barack Obama and Trojan.Script.Iframer

People have been reporting spam e-mail linking them to:


It turns out to be an anti-Obama website; they make fake claims such as

"Barack Obama's inauguration that was planned on 20th January 2009 is under the threat of failure. On the Eve of Inauguration Day President-elect Barack Obama made statement. He declared that he is definitely NOT ready for this position. Analysts say that Barack Obama has refused to be next president because he recognized inconsistency of his plan of stimulating USA economy"

Zerowine: Dumping malware and detection of antivm and antidebug

I released a new version of Zerowine, a QEmu+Wine based malware auto-analysis tool. In this version I added support to dump the malware from memory while running. The dumps can also be downloaded for later analysis with IDA Pro.

The other feature I added is the ability to detect both anti-debugging and anti-vm techniques. The detection of anti-debugging techniques is done by analyzing the APIs called by the malware while the anti-vm detection is done by looking for patterns in both the packed version of the malware (the original one) and the unpacked (memory dump) version of the malware.

You can download the latest version of Zerowine as a prebuilt QEMU virtual machine (you can convert it to a VMware image if you prefer, using the help found in this blog) or in source code form.

Update: I fixed the issue with the corrupted image. I uploaded a new working one and the MD5Sum.


New Malware Campaign

While reading through my spam folder, I found a new sample. There is a new malware sample being spread posing as a reunion message. The sample I have is MD5 895377d01833dfd01dfccb523b2d3026. I haven't done anything to analyze this file yet.

UPDATE: Here's a new copy of the executable 393473bd4a1da563ec086cff7d9c50f6

Here's the original email from my spam folder:

Received: from [] by; Tue, 13 Jan 2009 18:09:56 +0100
From: "Committee members" <>

YARA: a malware identification and classification tool

YARA is an open-source, multi-platform tool that allows you to create your own signatures to identify malware families based on text or hex strings present in samples of those families. The signatures are written in a special-purpose language that looks like this:

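rule silent_banker : banker
{
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
    condition:
        $a or $b   // the original condition also tests $c, whose definition is missing from this page
}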

Complex signatures can be created by using boolean operators, wild-cards, regular expressions and much more. You can find more information on the project site:

Zero Wine: QEMU based malware auto-analysis

Zero Wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero Wine just runs the malware using Wine in a safe virtual sandbox (in an isolated environment), collecting information about the APIs called by the program.

The output generated by Wine (using the debug environment variable WINEDEBUG) consists of the API calls used by the malware (and the values used by it, of course). With this information, analyzing the malware's behavior turns out to be very easy.
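Both Zero Wine posts above describe spotting anti-debugging behaviour from the API calls recorded in the Wine trace. The following is an added example of that kind of check, not Zero Wine's own code: the trace line shape, the watch list, the `wine_dll_floor` cut-off and the sample trace are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed +relay line shape: <tid>:Call <dll>.<func>(<args>) ret=<addr>
CALL_RE = re.compile(
    r"^(?P<tid>[0-9a-f]{4}):Call\s+[\w\-]+\.(?P<func>\w+)"
    r"\((?P<args>.*)\)\s+ret=(?P<ret>[0-9a-f]+)$", re.I)

def _class_in(classes):
    """Match when the second argument (the information class) is in `classes`."""
    def check(args):
        try:
            return int(args[1], 16) in classes
        except (IndexError, ValueError):
            return False
    return check

# Illustrative watch list (not Zero Wine's own): API name -> argument predicate.
WATCH = {
    "IsDebuggerPresent": lambda args: True,
    "CheckRemoteDebuggerPresent": lambda args: True,
    # ProcessDebugPort 0x07, ProcessDebugObjectHandle 0x1e, ProcessDebugFlags 0x1f
    "NtQueryInformationProcess": _class_in({0x07, 0x1E, 0x1F}),
    "NtSetInformationThread": _class_in({0x11}),  # ThreadHideFromDebugger
}

def find_antidebug(trace, wine_dll_floor=0x70000000):
    """Return {api: [(thread id, return address), ...]} for watched calls."""
    hits = defaultdict(list)
    for line in trace.splitlines():
        m = CALL_RE.match(line.strip())
        if not m or m["func"] not in WATCH:
            continue
        ret = int(m["ret"], 16)
        if ret >= wine_dll_floor:
            continue  # assumed layout: caller is one of Wine's own DLLs
        args = m["args"].split(",") if m["args"] else []  # naive split, numeric args only
        if WATCH[m["func"]](args):
            hits[m["func"]].append((m["tid"], ret))
    return dict(hits)

# Constructed sample trace, not captured from a real run.
SAMPLE_TRACE = """\
0009:Call KERNEL32.IsDebuggerPresent() ret=0040107c
0009:Call ntdll.NtQueryInformationProcess(ffffffff,00000007,0032fe40,00000004,00000000) ret=004010b3
0009:Call ntdll.NtQueryInformationProcess(ffffffff,00000000,0032fd10,00000018,00000000) ret=004010f0
0009:Call ntdll.NtQueryInformationProcess(ffffffff,00000007,0032fdc8,00000004,00000000) ret=7b82a1c4
000b:Call ntdll.NtSetInformationThread(fffffffe,00000011,00000000,00000000) ret=00401188
"""
```

Filtering on the return address matters because system DLLs make some of these calls internally; without it, every helper call would be reported as if the sample had made it.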

virus signature

Hi folks....

I need standard virus signatures. Can anybody suggest where I can get them? I need them for my project work. Thank you in advance.
