Found 2 Chinese malware FTP servers.
happy malware hunting.
Didn't do a detailed analysis of this, but it seems to be using BITS to download other malware (which was reported last month iirc).
The new version of our malware processing back end is coming along well. We're deep into testing it and are going to start with an expanded private beta test for all invited users. Hopefully the interface will make it even easier to upload files and content to our system. Here is a small feature list that will be included in our new release:
- We will accept non-PE files. This has been a big request.
- Better submission system. Now you can zip, rar, and tar files to be submitted to our scanning system.
- Email submissions with automatic scanning
- Better antivirus scans
- Tagging system so you can add notes to specific samples
- Improved packer detection
- More modular code framework for future growth
- 3x as many samples
Bear with us as we make the transition to the new system and, as always, let us know about bugs.
Tom Liston and Ed Skoudis have written a clean paper about how to detect a Virtual Machine and some possible methods for preventing it from being detected.
I just think this was requested on some page some time ago ... and if this is not the one, sorry :P
Uploaded, no password, nothing else to say ...
Here is an example of the new Mpack malware that has been gaining momentum recently. Mpack gained notoriety as it is a commercial tool being distributed for pay. It is purported to attack the MS06-014, MS06-006, MS06-044, XML Overflow, WebViewFolderIcon Overflow, WinZip ActiveX Overflow and QuickTime Overflow vulnerabilities. SANS ISC and Verisign/iDefense have an email that has been circulating about this. The further commercialization of malware is continuing on both sides of the confrontation.
Tavis Ormandy of Google has written a paper on the effect of running hostile code on virtual machines. This is a good paper, and shows that even with VMs you can't be sure that code will be safe.
"As virtual machines become increasingly commonplace as a method of separating hostile or hazardous code from commodity systems, the potential security exposure from implementation flaws has increased dramatically. This paper investigates the state of popular virtual machine implementations for x86 systems, employing a combination of source code auditing and blackbox random testing to assess the security exposure to the hosts of hostile virtualized environments."
This small IDAPython script scans an idb file for class and interface UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, thus this little helper. It personally helped me a lot while reversing several malware samples using the COM interface, e.g. for browser or Outlook manipulation, BITS file transfer or dumping the protected storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA
Just watch the howto movie for usage.
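To show what such a UUID scan does outside IDA, here is an added example (not the script from the post) that searches a raw byte buffer for the in-memory layout of known COM GUIDs and labels each hit. The two-entry lookup table and the fake .rdata fragment are constructed; the IDAPython version would instead iterate the idb's data segments and call IDA's structure API to name the hits.

```python
import uuid

# Constructed stand-in for interfaces.txt / classes.txt: two well-known IIDs.
# A real table would hold hundreds of class and interface GUIDs.
KNOWN_GUIDS = {
    "IID_IUnknown":  "00000000-0000-0000-C000-000000000046",
    "IID_IDispatch": "00020400-0000-0000-C000-000000000046",
}


def guid_to_bytes(text):
    """Return the 16-byte layout a compiler emits for a GUID constant:
    Data1..Data3 little-endian, Data4 as a plain 8-byte array."""
    return uuid.UUID(text).bytes_le


def bytes_to_guid(raw):
    """Inverse of guid_to_bytes: rebuild the registry-style string from a hit."""
    return str(uuid.UUID(bytes_le=bytes(raw))).upper()


def scan_for_guids(data, table=KNOWN_GUIDS):
    """Find every known GUID in a byte buffer.

    Returns a list of (offset, name, guid_string) sorted by offset.  No
    alignment is assumed, so a GUID embedded in an odd spot is still found."""
    needles = {guid_to_bytes(g): (name, g.upper()) for name, g in table.items()}
    hits = []
    for needle, (name, g) in needles.items():
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, name, g))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample: a fake .rdata fragment with two GUIDs between padding.
SAMPLE_RDATA = (
    b"\x90" * 8
    + guid_to_bytes(KNOWN_GUIDS["IID_IDispatch"])
    + b"\x00" * 4
    + guid_to_bytes(KNOWN_GUIDS["IID_IUnknown"])
    + b"\xcc" * 4
)

if __name__ == "__main__":
    for off, name, g in scan_for_guids(SAMPLE_RDATA):
        print(f"0x{off:04x}  {name:14s} {{{g}}}")
```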
I need a sample of Perlovga, a file infector of flash memory and others, to test a new removal tool.
The FBI and our friends at CMU's CERT, in a display of impressive bureaucratic maneuvering and ninja-like paperwork prowess, have identified a large botnet. This is really good news as it will hopefully set a precedent to enable further and swifter action on other malware writers. Good work to all those involved.