Skip navigation.


Armadillo packed Bot

found Armadillo packed bot bundled with 2 DLL + 1 SYS
files of "CACE Technologies".
wpcap.dll, packet.dll, npf.sys


Wepawet: analyzing web-based malware

Hello guys!

Wepawet is a new service for detecting and analyzing web-based malware. It currently handles Flash and JavaScript files.

Things you can do with Wepawet:
- Determine if a page or file is malicious
- wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or benign and provides you with information that helps you understand why it was classified in a way or the other.
- wepawet displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples. For example, it gives access to the unobfuscated malicious code used in an attack. It also collects the URLs accessed by a sample.
- wepawet does not just tell you that a resource is malicious, it also shows you the exact vulnerability (or, more likely, the vulnerabilities) that are exploited during an attack.

Blog Spam on OC

Last week we had a problem where some spammers figured out how to flood our blogs with spam. I'd like to apologize the inconvenience this caused. To fix the problem we have moved to a moderation system for blog posts. We will still accept external content, but will not allow spam posts.

Just to be very clear: Offensive Computing is not going into the World of Warcraft gold trading business. :)

DNSChanger 2.0

DNS Changer 2.0 (Trojan.Flush.M) is the next –in the wild- variant of this famous malware. Now the strategy has been changed, no need to modify the DNS settings on ADSL routers. Instead it will install a network driver (NDISProt.sys) which allows the malware to send/receive raw Ethernet packets. Such approach will help it bypass Windows TCP/IP, FW and HIPS.

It installs a rogue DHCP server on the infected machine and listens for DHCP requests and responds with its own crafted DHCP offer packets. The reply contains malicious DNS servers, which will redirect hosts to infected websites that include everything from phishing to exploit-and-infect pages.

The question is how to protect and prevent such attacks.

Continue Reading at the Extreme Security Blog

What do you consider to be the most important security issue for 2009?

I'm completing some research on what we feel will be the most important security issues in 2009. Please take a minute to respond to our poll.

Take poll:


Memoryze Memory Forensics Tool

Peter Silberman from Mandiant has written an article at OpenRCE about the new tool Memoryze.


The goal of this article is to demonstrate how simple malware analysis can be using Memoryze and some good old fashion common sense. Readers should have some knowledge of how malware works, and be somewhat familiar with Memoryze. A good place to familiarize yourself with Memoryze is the user guide included in the installer.

Memoryze is designed to aid in memory analysis in incident response scenarios. However, it has many useful features that can be utilized when doing malware analysis. Memoryze is special in that it does not rely on API calls. Instead Memoryze parses the operating systems' internal structures to determine for itself what the operating system and its running processes and drivers are doing.

Comments on NYT article: A sneaky security problem, ignored by the bad guys

Today I read an article on the New York Times website called A sneaky security problem, ignored by the bad guys

NY Times: A Sneaky Security Problem

I had a conversion by phone and mail with its author Robert McMillan from IDG News before and I've answered him some questions about my Rustock.C research as he planned to write the above story. There are some quotes by Al Huger from Symantec in this article I would like to comment, as I disagree to most of his statements regarding rootkits.

"MacAccess" OSX DNSChanger New Variant

For those interested, I just uploaded the file. MD5: 56cb64220dc0248b57649ba1fc6956a1

Further Reading

Trojan Zapchast

I have been analyzing various Zapchast samples. I am not able to however see much activity.

When the sample is executed it connects to some IRC server(different in all the samples) and then only sends an ISON command with a list of users. and i see the response for the command as well however nothing further happens.

I want to know the impact of the zapchast trojan. What is it doing.

Recently I saw PVTMSG being sent to another user. The msg was encrypted. Have you also observed the same.

Please share your analysis of Zapchast

Great Virtual Memory Overview by Mark Russinovich

Virtual memory continues to be one of the things that people have a lot of problems understanding. There are lots of misconceptions about how this fundamental part of the operating system works. Mark Russinovich has done an excellent job, as usual, distilling this information into a very readable form. I suggest you read his blog post titled Pushing the Limits of Windows: Virtual Memory on the technet site.

Syndicate content