Since more and more malware is using the COM interface, I thought it was time to write some reconstruction helpers and create a video tutorial on how to use them on real-life malware. You'll see how a complete function which uses the COM interface is translated into far more readable code than before. The code itself dumps the Windows Protected Storage to steal account data like member site passwords, Outlook Express accounts, autocomplete fields and so forth. The IDAPython scripts are indeed also available on my site.
Practical COM Code Reconstruction at Reconstructer.org
From The Register, "The computer virus turns 25 this month. Long-suffering computer users would be forgiven for thinking that the first computer virus appeared in the mid-1980s, but the first virus actually predates the arrival of the first IBM-compatible PC."
To Mr. Rich Skrenta, thank you for spawning a multi-billion dollar a year industry.
SB.BADBUNNY is a multi-platform worm distributed as an OpenOffice document containing a StarBasic macro.
This worm first infects you when you open an OpenOffice Draw file called badbunny.odg. A macro included in the file performs different functions depending on whether you are running Windows, MacOS or Linux.
Rob Lemos at SecurityFocus wrote about the tendency of malware to use what are called fast-flux DNS to prevent botnet takedowns. These methods use DNS to ensure that there are redundant backups for a series of call-home hosts. The call-home hosts are remote sites that phishers or other malicious people have taken over to collect data. Simply put, malware authors are using economies of scale to provide redundant backup to their servers. This lets them stay online for much longer periods of time. The problem is that takedown notices for these affected websites are not very effective, as each host owner must be contacted.
With the current ethical thinking there is no other resource available to the burgeoning white-hat trying to fix this problem. The current method for reining in these problem sites is to contact the site owner, convince them they have a problem, and wait. This causes an unnecessary amount of time to be wasted, while thousands of credit cards are stolen. The massive scale of this creates a situation where there is no other recourse for defensive reaction.
Is it time to start considering a vigilante corps to deal with these problems? It would certainly allow for a quicker, more concerted response to the issue. There are companies that are walking the ethical line in gathering and reporting these problems, but perhaps it is time to set the scope wider. Create it as a government-sanctioned activity, but get someone in there with a quick response to deal with the problem.
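The fast-flux behaviour described above (one name resolving to a constantly rotating set of addresses with short TTLs) leaves a footprint in DNS answers that a defender can look for. The following script is an added example, not code from the original post or from SecurityFocus: it summarizes successive lookups of the same name and flags names whose answers cycle through many addresses across several networks with a low TTL. The observations and the thresholds (MAX_TTL, MIN_UNIQUE_IPS, MIN_NETWORKS) are constructed and illustrative, not published values.

```python
"""Fast-flux heuristic over a set of DNS answer observations.

Added example; the records below are constructed and use documentation
address ranges, and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
import ipaddress

# Constructed observations: (hostname, ttl_seconds, answer_ips) from
# successive lookups of the same name over a short window.
OBSERVATIONS = [
    ("cdn.example.net", 3600, ["192.0.2.10", "192.0.2.11"]),
    ("cdn.example.net", 3600, ["192.0.2.10", "192.0.2.11"]),
    ("cdn.example.net", 3600, ["192.0.2.11", "192.0.2.10"]),
    ("login-update.example.org", 180, ["198.51.100.7", "203.0.113.44", "192.0.2.99"]),
    ("login-update.example.org", 180, ["203.0.113.91", "198.51.100.130", "192.0.2.201"]),
    ("login-update.example.org", 180, ["198.51.100.222", "203.0.113.160", "192.0.2.33"]),
]

MAX_TTL = 300        # answers that expire within a few minutes (assumed threshold)
MIN_UNIQUE_IPS = 6   # distinct addresses seen across the window (assumed threshold)
MIN_NETWORKS = 3     # distinct /24 prefixes, a rough proxy for distinct hosting


def summarize(observations):
    """Aggregate per-name statistics: lowest TTL, unique IPs, unique /24s."""
    per_name = defaultdict(lambda: {"ttls": [], "ips": set()})
    for name, ttl, ips in observations:
        entry = per_name[name]
        entry["ttls"].append(ttl)
        entry["ips"].update(ips)

    summary = {}
    for name, entry in per_name.items():
        # Collapse each address to its /24 so a pool of hosts inside one
        # network counts as one network, not many.
        networks = {ipaddress.ip_network(f"{ip}/24", strict=False)
                    for ip in entry["ips"]}
        summary[name] = {
            "lookups": len(entry["ttls"]),
            "min_ttl": min(entry["ttls"]),
            "unique_ips": len(entry["ips"]),
            "networks": len(networks),
        }
    return summary


def is_fast_flux(stats):
    """All three signals must hold: short TTL, many addresses, spread out."""
    return (stats["min_ttl"] <= MAX_TTL
            and stats["unique_ips"] >= MIN_UNIQUE_IPS
            and stats["networks"] >= MIN_NETWORKS)


def flag_fast_flux(observations):
    """Return the sorted list of names whose answer pattern looks like flux."""
    return sorted(name for name, stats in summarize(observations).items()
                  if is_fast_flux(stats))


if __name__ == "__main__":
    for name, stats in summarize(OBSERVATIONS).items():
        print(name, stats, "FLUX" if is_fast_flux(stats) else "ok")
```

Legitimate content-delivery networks also hand out short TTLs and many addresses, so a hit from this heuristic is a lead to enrich (age of the domain, autonomous systems behind the addresses, what the hosts serve), not a verdict on its own.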
The new version of Offensive Computing is now up and running. If you notice any errors, please contact us as soon as possible so we can fix them ASAP. Bear with us if there are any service outages.
Let me take this time to thank all of our beta testers for helping to find more bugs. Thanks!
Does anyone know how to hack/exploit this Netgear software? This program prevents people from learning more and communicating on the internet.
There have been some changes in the whole "E-card Malware" saga.
First and foremost I've been seeing sites that are bundling an older IE exploit with the malware. It looks to be the JS/Psyme exploit, or some variant thereof. AV detects it pretty easily.
Secondly, the spams themselves have changed a bit. As reported by the Internet Storm Center, they are now using a 4th of July theme. Most of the sites are now in the US, which is a change from a few days ago when most of the ones I saw were in Europe.
Finally, ISC is reporting that the malware in question is yet another Storm Worm variant. I've uploaded one I captured this afternoon to OC. The MD5 hash is 41ceb97828f4f14ece4f6973380c4fdd.
Alisa Shevchenko from Kaspersky Labs has written an article about the evolution of self-defense in malware. This article covers in detail the methods used by malware to obfuscate and protect itself. This is a good overview that is worth checking out.
Yesterday I received a file over MSN:
MSN Contact says:
hmm is this you on the photo ?
Then they send a file called myalbum2007.zip, which contains a file named photo album-2007.scr.
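The delivery above (a "photo" that is really a .scr screensaver, i.e. a Windows executable, wrapped in a zip) is a pattern a mail or IM gateway can screen for without running anything. The script below is an added example and not code from the original post: it builds a sample archive in memory with member names modelled on the post, then lists every member whose extension is executable, whose name carries a misleading double extension, or whose first two bytes are the MZ signature of a PE file regardless of what the name claims. The archive contents are constructed stubs, not real programs.

```python
"""Screen a zip attachment for executable payloads before it reaches a user.

Added example; the archive is constructed in memory so the script runs
offline, and the member contents are stubs that only carry the MZ marker.
"""
import io
import zipfile

# Extensions Windows will execute when double-clicked (illustrative list).
EXECUTABLE_SUFFIXES = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def build_sample_zip():
    """Constructed sample: a screensaver stub beside harmless-looking files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # "MZ" is the DOS header signature every Windows PE file starts with;
        # the remaining bytes are filler, not a working program.
        zf.writestr("photo album-2007.scr", b"MZ" + b"\x00" * 62 + b"stub")
        zf.writestr("readme.txt", b"see attached photo")
        zf.writestr("holiday.jpg.exe", b"MZ" + b"\x00" * 30)
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


def inspect_archive(data):
    """Return [(member_name, [reasons])] for every member worth blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            reasons = []

            if lower.endswith(EXECUTABLE_SUFFIXES):
                reasons.append("executable extension")
                # "holiday.jpg.exe" style names hide the real type behind a
                # second, benign-looking extension.
                if lower.count(".") >= 2:
                    reasons.append("double extension")

            # Check content, not just the name: read only the first two bytes
            # so a large archive member is never fully decompressed here.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE header (MZ)")

            if reasons:
                findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for member, reasons in inspect_archive(build_sample_zip()):
        print(f"BLOCK {member!r}: {', '.join(reasons)}")
```

The content check matters more than the name check: renaming a .scr to .jpg inside the archive defeats the extension list but not the MZ test, while the extension list still catches script types (.vbs, .js, .bat) that have no fixed header.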
I've been following the entries on the SANS Internet Storm Center about the latest wave of "ecard" malware. Pretty interesting if not original. When I checked my spam traps this morning lo and behold someone was kind enough to leave me a Christmas present!
Read more for the rest of cdhamby's post