Pefile Incorporates OC Code

The new version of pefile being released by Ero Carrera will have our packer scanning code integrated. Ero has made a post detailing some of the changes as well as some initial data about his collection of malware. If you have a project that is in need of PE parsing, please look at the pefile module. You won't be sorry.

If you're looking for a good class on reverse engineering, Ero and Pedram Amini are teaching a class called Reverse Engineering on Windows: Application in Malicious Code Analysis at Blackhat this year. It's very good and one of the better classes offered at Blackhat.

Offensive Computing at Blackhat 2007 and Defcon 15

Offensive Computing team members will be speaking at both Blackhat 2007 and Defcon 15 in Las Vegas, Nevada. Danny Quist (Chamuco) and Valsmith will be giving a talk titled Covert Debugging: Circumventing Software Armoring Techniques. This is research we've been working on to automatically and generically unpack software.

HD Moore and Valsmith will be presenting a talk called Tactical Exploitation at Blackhat 2007. It will detail non-standard methods of network penetration and should be very interesting.

We'll be around for both conferences so be sure to find us and say hello!

Desperately need an assembly code assembler!!!

I reallllllly need an assembler! So if anyone could post a link for any (clean) TASM or MASM, or any disassemblers, it would be very much appreciated!

zealot.

MFC42 Ordinal to Function Names Converter for IDA

While analysing a new BZUP variant, I came across the situation that IDA in some cases fails to recognize the right MFC42 names, thus just showing something like this:

call MFC42_6648

So I've coded a small IDAPython script which fixes this problem.

Find it here.

Hope it's useful for others as well.
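The fix the post describes is a lookup from export ordinal to export name, applied to every ordinal-only reference the disassembler shows. The following is an added example of that idea in plain Python, not the IDAPython script linked above: it parses an EXPORTS listing in module-definition (.def) syntax into an ordinal table and rewrites `MFC42_<ordinal>` references in disassembly text. The export names and ordinal numbers in the sample are placeholders constructed for this example, not the real MFC42.DLL export table, and ordinals that are missing from the table are reported rather than silently left alone.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of a module-definition (.def) EXPORTS listing:
# "name @ordinal [NONAME]". Names and ordinal numbers are placeholders chosen
# for this example; they are NOT the real MFC42.DLL export table.
SAMPLE_DEF_EXPORTS = """\
EXPORTS
    ExampleCreateWindow @6648
    ExampleGetMessageMap @4100 NONAME
    ExampleEndDialog @1150      ; trailing comments are ignored
"""

# Constructed disassembly lines of the shape IDA shows when only the ordinal is known.
SAMPLE_DISASM = [
    "call    MFC42_6648",
    "call    MFC42_4100",
    "call    MFC42_9999",      # ordinal absent from the table: must be left untouched
    "push    offset aHello",   # unrelated line: must pass through unchanged
]

# One export line: name, whitespace, '@', optional whitespace, ordinal, optional NONAME.
_EXPORT_RE = re.compile(r"^\s*(\S+)\s+@\s*(\d+)(?:\s+NONAME)?\s*$")


def parse_def_exports(text: str) -> Dict[int, str]:
    """Parse an EXPORTS listing into {ordinal: name}.

    Lines that do not match "name @ordinal" (the EXPORTS header, blank lines,
    ';' comments) are skipped. An ordinal bound to two different names is an
    error, because a silent overwrite would mislabel calls.
    """
    table: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0]        # drop trailing comments
        m = _EXPORT_RE.match(line)
        if not m:
            continue
        name, ordinal = m.group(1), int(m.group(2))
        if ordinal in table and table[ordinal] != name:
            raise ValueError(f"ordinal {ordinal} mapped to two names")
        table[ordinal] = name
    return table


def resolve_ordinal_names(lines: List[str], table: Dict[int, str],
                          module: str = "MFC42") -> Tuple[List[str], List[int]]:
    """Rewrite MODULE_<ordinal> references to MODULE_<name>.

    Returns the rewritten lines and the sorted list of ordinals that had no
    table entry, so the analyst can see what is still unresolved.
    """
    pattern = re.compile(rf"\b{re.escape(module)}_(\d+)\b")
    unresolved = set()

    def _sub(m: "re.Match") -> str:
        ordinal = int(m.group(1))
        name = table.get(ordinal)
        if name is None:
            unresolved.add(ordinal)
            return m.group(0)               # leave unknown ordinals as they were
        return f"{module}_{name}"

    out = [pattern.sub(_sub, line) for line in lines]
    return out, sorted(unresolved)


if __name__ == "__main__":
    table = parse_def_exports(SAMPLE_DEF_EXPORTS)
    fixed, missing = resolve_ordinal_names(SAMPLE_DISASM, table)
    print("\n".join(fixed))
    print("unresolved ordinals:", missing)
```

Inside IDA the last step would be a rename of the import entry rather than a text substitution, but the ordinal table and the "report what you could not resolve" behaviour are the same; a stale or mismatched export table is the usual reason such a script labels a call wrongly, which is why unknown ordinals are surfaced instead of guessed.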

Hacking Tools Illegal in Germany

Obviously almost everyone thinks this is a bad idea.

But I wonder: last year we presented a talk at Defcon called "Hacking Malware", which talked about bypassing security features in malicious binaries. Would this be illegal in Germany? How do you do incident response, forensics and analysis under those types of laws?

Does this mean in Germany someone can hack into a computer and not worry about being analyzed because the tools to do so are illegal?

Good Anti-Forensics Article

This article covers what's going on right now in anti-forensics, and there are some good interview questions with our friend Vinnie Liu.

CIO Article: How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab

Read it and fear.

V.

Jitko: a tool to turn any JavaScript-enabled browser into a component of a botnet

It seems that the JavaScript botnet code that was announced at Shmoocon last month has been leaked.

The code, known as Jitko, was designed to turn any JavaScript-enabled browser into a component of a botnet. Written by Billy Hoffman of SPI Dynamics, the code was presented at Shmoocon. It was placed unprotected on a publicly visible web server, where eagle-eyed conference goers were able to copy the URL and download a copy of the code for themselves.

BBC Article on Malware Hijacking Windows Updates

The BBC is covering Frank Boldewin's discovery of malware that hijacks the Windows update process. From the BBC webpage "Virus writers may be able to smuggle malicious files onto a computer using Microsoft's security patch updates, experts say."

Read the BBC article here
Visit Frank's Reconstructer Site

Anyone have xpKiller and/or killdisk samples?

I'd be very interested in a copy if you do.

Thanks!

V.

W32.Rinbot.BC - detects VM and OllyDbg's presence

This piece of malware detects the presence of a VM and of OllyDbg.

Engine          Version          Updated      Result
AhnLab-V3       2007.5.9.0       05.09.2007   no virus found
AntiVir         7.4.0.15         05.08.2007   BDS/Vanbot.AR
Authentium      4.93.8           05.08.2007   no virus found
Avast           4.7.997.0        05.07.2007   no virus found
AVG             7.5.0.467        05.08.2007   Win32/CryptExe
BitDefender     7.2              05.09.2007   Backdoor.Vanbot.AR
CAT-QuickHeal   9.00             05.08.2007   no virus found
ClamAV          devel-20070416   05.09.2007   no virus found
DrWeb           4.33             05.08.2007   BackDoor.IRC.Sdbot.1335
eSafe           7.0.15.0         05.08.2007   Win32.Rinbot.BC
eTrust-Vet      30.7.3618        05.08.2007   Win32/Nirbot.BD
