The new version of pefile being released by Ero Carrera will have our packer scanning code integrated. Ero has made a post detailing some of the changes as well as some initial data about his collection of malware. If you have a project that is in need of PE parsing, please look at the pefile module. You won't be sorry.
If you're looking for a good class on reverse engineering, Ero and Pedram Amini are teaching a class called Reverse Engineering on Windows: Application in Malicious Code Analysis at Blackhat this year. It's very good and one of the better classes offered at Blackhat.
Offensive Computing team members will be speaking at both Blackhat 2007 and Defcon 15 in Las Vegas, Nevada. Danny Quist (Chamuco) and Valsmith will be giving a talk titled Covert Debugging: Circumventing Software Armoring Techniques. This is research we've been working on to automatically and generically unpack software.
HD Moore and Valsmith will be presenting a talk called Tactical Exploitation at Blackhat 2007. It will detail non-standard methods of network penetration and should be very interesting.
We'll be around for both conferences so be sure to find us and say hello!
I really need an assembler! So if anyone could post a link for any (clean) TASM or MASM, or any disassemblers, it would be very much appreciated!
While analysing a new BZUP variant I came across the situation that IDA in some cases fails to recognize the right MFC42 names, thus just showing something like this:
So I've coded a small IDAPython script which fixes this problem.
Hope it's useful for others as well.
But I wonder, last year we presented a talk at Defcon called "Hacking Malware" which talked about bypassing security features in malicious binaries. Would this be illegal in Germany? How do you do incident response / forensics and analysis under those types of laws?
Does this mean in Germany someone can hack into a computer and not worry about being analyzed because the tools to do so are illegal?
This article covers what's going on right now in antiforensics and there are some good interview questions with our friend Vinnie Liu.
Read it and fear.
The BBC is covering Frank Boldewin's discovery of malware that hijacks the Windows update process. From the BBC webpage "Virus writers may be able to smuggle malicious files onto a computer using Microsoft's security patch updates, experts say."
I'd be very interested in a copy if you do.
This piece of malware detects the presence of VM and Ollydbg.
AhnLab-V3 2007.5.9.0 05.09.2007 no virus found
AntiVir 126.96.36.199 05.08.2007 BDS/Vanbot.AR
Authentium 4.93.8 05.08.2007 no virus found
Avast 4.7.997.0 05.07.2007 no virus found
AVG 188.8.131.527 05.08.2007 Win32/CryptExe
BitDefender 7.2 05.09.2007 Backdoor.Vanbot.AR
CAT-QuickHeal 9.00 05.08.2007 no virus found
ClamAV devel-20070416 05.09.2007 no virus found
DrWeb 4.33 05.08.2007 BackDoor.IRC.Sdbot.1335
eSafe 184.108.40.206 05.08.2007 Win32.Rinbot.BC
eTrust-Vet 30.7.3618 05.08.2007 Win32/Nirbot.BD