Chinese malware FTP servers

Found 2 Chinese malware FTP servers.

ftp://luckycn.cn
login: netserv3
password: 43243wen9874

ftp://aosoft.cn
login: netserv3
password: 43243wen9874

Happy malware hunting.

Malware using BITS

I didn't do a detailed analysis of this, but it seems to be using BITS to download other malware (which was reported last month, IIRC).

MD5: 59213c81bf3af062e3a6291ed2c932bd
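The check a responder would run on a suspect host, as an added example that is not part of the original post: enumerate every user's BITS jobs and flag any job that pulls from a host outside an allowlist (the allowlist below is a hypothetical placeholder, not a recommendation) or that carries a notify command line, which BITS will execute when the transfer completes.

```powershell
# Added example, not from the original post. Run from an elevated prompt so that
# -AllUsers can see jobs owned by other accounts (including SYSTEM).
Import-Module BitsTransfer

# Hypothetical allowlist: hosts your own update tooling is expected to pull from.
$AllowedHosts = @('download.windowsupdate.com', 'update.microsoft.com')

Get-BitsTransfer -AllUsers | ForEach-Object {
    $job = $_
    foreach ($file in $job.FileList) {
        $remoteHost = ([System.Uri]$file.RemoteName).Host
        # Two signals: an unexpected download source, or a command line that BITS
        # will launch on completion (a well-known persistence trick).
        $suspicious = ($AllowedHosts -notcontains $remoteHost) -or [bool]$job.NotifyCmdLine
        [PSCustomObject]@{
            Owner      = $job.OwnerAccount
            Job        = $job.DisplayName
            State      = $job.JobState
            Remote     = $file.RemoteName
            Local      = $file.LocalName
            NotifyCmd  = $job.NotifyCmdLine
            Suspicious = $suspicious
        }
    }
} | Where-Object Suspicious | Format-Table -AutoSize
```

On a box without the BitsTransfer module, `bitsadmin /list /allusers /verbose` prints the same job list (including the notify command line) for manual review.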

The New Offensive Computing

The new version of our malware processing back end is coming along well. We're deep into testing it and are going to start with an expanded private beta test for all invited users. Hopefully the interface will make it even easier to upload files and content to our system. Here is a small feature list that will be included in our new release:

  • We will accept non-PE files. This has been a big request.
  • Better submission system. Now you can zip, rar, and tar files to be submitted to our scanning system.
  • Email submissions with automatic scanning
  • Better antivirus scans
  • Tagging system so you can add notes to specific samples
  • Improved packer detection
  • More modular code framework for future growth
  • 3x as many samples

Bear with us as we make the transition to the new system and as always let us know about bugs.

Thwarting Virtual Machine Detection

Tom Liston and Ed Skoudis have written a clear paper on how to detect a virtual machine, and on some possible methods for thwarting that detection.

Read the paper

Hxdef rootkit's source code

Hello all,

I just think this was requested on some page some time ago... and if this is not the one, sorry :P

Hxdef100 Source Code

Uploaded, no password, nothing else to say...

Cheers :)
Kish

MPack Malware Sample

Here is an example of the new MPack malware that has been gaining momentum recently. MPack gained notoriety because it is a commercial tool distributed for pay. It is purported to exploit MS06-014, MS06-006 and MS06-044, as well as the XML, WebViewFolderIcon, WinZip ActiveX and QuickTime overflows. SANS ISC and Verisign/iDefense have an email circulating about this. The commercialization of malware continues on both sides of the confrontation.

You can find a sample of MPack here.

Paper: An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments

Tavis Ormandy of Google has written a paper on the effects of running hostile code inside virtual machines. It is a good paper, and it shows that even with a VM you cannot be sure hostile code is contained.

"As virtual machines become increasingly commonplace as a method of separating hostile or hazardous code from commodity systems, the potential security exposure from implementation flaws has increased dramatically. This paper investigates the state of popular virtual machine implementations for x86 systems, employing a combination of source code auditing and blackbox random testing to assess the security exposure to the hosts of hostile virtualized environments."

Read the full paper.

ClassAndInterfaceToNames Converter

This small IDAPython script scans an IDB file for class and interface UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, hence this little helper. It personally helped me a lot while reversing several malware samples that use COM interfaces, e.g. for browser or Outlook manipulation, BITS file transfers, or dumping the Protected Storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt, classes.txt and ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA.

Just watch the howto movie for usage.

Download it here.
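The core of what such a helper does, as an added example that is not the script above: COM stores a GUID in memory with Data1, Data2 and Data3 little-endian and Data4 as eight raw bytes, so the search key is the `bytes_le` layout, not the registry string. The block below scans a byte buffer for a small constructed table of documented CLSIDs/IIDs (IUnknown, IClassFactory, IDispatch, and the BITS manager class and interface), decodes unknown 16-byte chunks back to registry form, and renders the struct definition a script would create. The sample buffer is constructed here; inside IDA one would read the segment bytes with the IDAPython byte-access API and name each hit, which is an assumption about the adaptation, not something the original script is claimed to do.

```python
import uuid

# Constructed subset of what the original helper loads from classes.txt and
# interfaces.txt. These five values are the documented Microsoft GUIDs.
KNOWN_GUIDS = {
    "00000000-0000-0000-c000-000000000046": "IID_IUnknown",
    "00000001-0000-0000-c000-000000000046": "IID_IClassFactory",
    "00020400-0000-0000-c000-000000000046": "IID_IDispatch",
    "4991d34b-80a1-4291-83b6-3328366b9097": "CLSID_BackgroundCopyManager",
    "5ce34c0d-0dc9-4c1f-897c-daa1b78cee7c": "IID_IBackgroundCopyManager",
}


def guid_to_bytes(text):
    """Encode a GUID string as it sits in memory on x86: Data1 (uint32), Data2 and
    Data3 (uint16) little-endian, Data4 as 8 raw bytes. uuid's bytes_le is exactly
    that Microsoft layout."""
    return uuid.UUID(text).bytes_le


def bytes_to_guid(chunk):
    """Decode 16 in-memory bytes back into registry form, e.g. {00020400-...-000000000046}."""
    return "{%s}" % str(uuid.UUID(bytes_le=bytes(chunk))).upper()


def scan_for_guids(data, table=KNOWN_GUIDS):
    """Return sorted (offset, name, guid_text) triples for every known GUID in data."""
    hits = []
    for text, name in table.items():
        needle = guid_to_bytes(text)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, name, text))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def ida_struct_definition(name, text):
    """Render the hit as a MASM-style GUID struct initializer, the form a helper
    would write next to the data it has just named."""
    raw = guid_to_bytes(text)
    data1 = int.from_bytes(raw[0:4], "little")
    data2 = int.from_bytes(raw[4:6], "little")
    data3 = int.from_bytes(raw[6:8], "little")
    data4 = ", ".join("%02Xh" % b for b in raw[8:16])
    return "%s GUID <%08Xh, %04Xh, %04Xh, <%s>>" % (name, data1, data2, data3, data4)


# Constructed stand-in for a slice of an IDB: padding, the BITS manager IID,
# more padding, then IUnknown's IID.
SAMPLE = (b"\x90" * 5
          + guid_to_bytes("5ce34c0d-0dc9-4c1f-897c-daa1b78cee7c")
          + b"\x00" * 3
          + guid_to_bytes("00000000-0000-0000-c000-000000000046"))


if __name__ == "__main__":
    # Inside IDA (assumption about the adaptation): replace SAMPLE with the bytes
    # of each data segment and turn every hit into a named GUID struct at
    # base + offset using the IDAPython naming API of your IDA version.
    for offset, name, text in scan_for_guids(SAMPLE):
        print("%08X  %-32s %s" % (offset, name, bytes_to_guid(guid_to_bytes(text))))
        print("          " + ida_struct_definition(name, text))
```

Because the scan keys on the in-memory layout, a GUID that appears in the binary only as a string (e.g. passed to CLSIDFromString) will not be found this way; those need a separate string search for the `{...}` form.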

Perlovga

Hi everybody!

I need a sample of Perlovga, a file infector of flash memory and other media, to test a new removal tool.
Thanks!

Operation Botroast

The FBI and our friends at CMU's CERT, in a display of impressive bureaucratic maneuvering and ninja-like paperwork prowess, have identified a large botnet. This is really good news, as it will hopefully set a precedent enabling further and swifter action against other malware writers. Good work to all those involved.
