
Device Driver Malware

In the past I've taken some deep looks at device driver malware. Rustock is a good example of this (with some generous work from Frank Boldewin and others as well :).

However, I am vaguely aware of some malware which mucks with the Microsoft signing certificate stores and things like this. I've seen this behavior during analysis but never really thought about it. What are the reasons for this? Instdrv-type methods seem to do a good job at installing malware drivers. A quick deobfuscation and disassembly reveals

push 0 ; lpServiceArgVectors

OC Mentioned in the news

http://blogs.zdnet.com/security/?p=190

Interesting article :)

V.

Vista Will Get Malware

Ryan Naraine has an article about Mark Russinovich admitting that Vista will get malware. I suppose the newsworthy portion of this statement is that Mark is admitting it, which seems to be a change in direction. There have already been reports of spyware working on Vista, so this is not too surprising. All the viruses and malware I've test-run on Vista work without trouble.

Scam kits

Posted some scam-kits used by phishers for stealing credentials. Similar to the previous entry, the download will be facilitated by rapidshare.

Companies that might be (are?!) affected by the kits include
* CapitalOne
* E-bay
* E-gold
* E-Passporte
* Yahoo!

Download: http://rapidshare.com/files/27191225/5-scam.rar.html
Password: "scamkit" (without quotes)

Cheers :)
Kish

Dbot v3 - Source code

Download: http://rapidshare.com/files/26902004/Dbotv31.rar.html

This is actually a commercial bot, and it is being used in the wild as of this writing.

Since RAR file(s) can't be uploaded here directly, I used rapidshare.

Cheers :)
Kish

Paper: Code Normalization for Self-Mutating Malware

Code normalization is a popular topic for anti-virus researchers, especially with respect to classifying the phylogeny of a particular sample. The essence of the idea is that each assembly instruction is translated into an intermediate language that contains all the state modification performed by an instruction. The consummate example is that of the dec assembly instruction. This modifies a register and also modifies six other control flags. The results are then run through a series of optimizations which remove and reorder the code into the normalized form.

This intermediate form is interesting in that it is simply an expansion of the assembly language. I have trouble seeing how this intermediate step would be worthwhile over just optimizing the non-expanded assembly code. It seems completely impractical for implementing on a real-time defense system (such as a virus scanning engine) and is better suited to closed research systems.

The article is in Volume 5, issue 2 of IEEE's Security and Privacy. The article requires a ridiculous fee to get to, so if you have access, check it out.

Update: Find them on the author's website.

Podloso: iPodLinux Virus

Kaspersky Labs discovered the first virus designed to infect the iPod. It does not work on normal iPods that are running the default iPod operating system. This virus cannot be launched automatically without user involvement. Once launched, the virus scans the device's hard disk and infects all executable .elf format files. Any attempt to launch these files will cause the virus to display a message on the screen which says "You are infected with Oslo the first iPodLinux Virus".

Does anyone have this malware?

ANI vulnerability Analysis

All versions of Windows support animated mouse pointers, and a function in USER32.DLL loads the animated mouse pointer. An .ani file is made up of chunks; each chunk starts with a 4-byte ID word followed by a DWORD holding the chunk length. One of the chunks is "anih" and contains 36 bytes. The vulnerability is here: the code does not check the length field of the "anih" chunk before using it. Here are some teams that have published their analysis of the ANI vulnerability:

Windows Animated Cursor Stack Overflow Vulnerability

Analysis of ANI “anih” Header Stack Overflow Vulnerability

Hispasec analysis
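As an added defender-side example (not code from the original post or from any of the linked analyses), here is a small checker for the chunk layout described above: it walks the RIFF chunks of an .ani file and flags any "anih" chunk whose declared length is not the 36 bytes the header is supposed to contain, or whose declared length runs past the end of the file. The RIFF/"ACON" container, the word-alignment padding of odd-sized chunks, and the handling of nested "LIST" chunks are assumptions taken from the general RIFF format; the sample files are constructed inline.

```python
import struct

ANIH_EXPECTED_SIZE = 36  # size of the "anih" header chunk, per the post above

def iter_chunks(data, offset, end):
    """Yield (chunk_id, declared_size, payload_offset) for each chunk in data[offset:end]."""
    while offset + 8 <= end:
        chunk_id = data[offset:offset + 4]
        size, = struct.unpack_from("<I", data, offset + 4)
        payload = offset + 8
        yield chunk_id, size, payload
        # RIFF chunks are word-aligned: an odd-sized payload is followed by one pad byte
        offset = payload + size + (size & 1)

def check_ani(data):
    """Return a list of findings; an empty list means no suspicious chunk was seen."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (ANI) file"]
    stack = [(12, len(data))]  # (start, end) ranges of chunk lists still to walk
    while stack:
        start, end = stack.pop()
        for cid, size, payload in iter_chunks(data, start, end):
            if payload + size > len(data):
                findings.append(f"chunk {cid!r} at offset {payload - 8} declares "
                                f"{size} bytes, past end of file")
            if cid == b"LIST":
                # a LIST chunk carries a 4-byte list type, then nested chunks
                stack.append((payload + 4, min(payload + size, len(data))))
            elif cid == b"anih" and size != ANIH_EXPECTED_SIZE:
                findings.append(f"anih chunk at offset {payload - 8} declares {size} "
                                f"bytes, expected {ANIH_EXPECTED_SIZE}")
    return findings

def build_ani(chunks):
    """Assemble a constructed ANI file from (chunk_id, payload) pairs (test data only)."""
    body = b"".join(cid + struct.pack("<I", len(p)) + p + (b"\0" if len(p) & 1 else b"")
                    for cid, p in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body

# constructed samples: a well-formed header (cbSize = 36), and a file whose
# second anih chunk declares far more than 36 bytes
GOOD = build_ani([(b"anih", b"\x24" + b"\0" * 35)])
BAD = build_ani([(b"anih", b"\x24" + b"\0" * 35), (b"anih", b"A" * 100)])
```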

Worm.Sedoubot.A

I have uploaded a sample of this Backdoor.
md5sum: a1d74a9027b8e81b6f2296112144517c

Below is a short description:
When it's executed, the malware will create a file named rdihost.dll in the %Windir%\System32 folder and inject it into the explorer.exe process.
It will create a copy of itself as an archive in the %windir% folder, named "photo album.zip".
Then it will connect to an IRC channel on www.fre[blocked]e8.biz and wait for commands from a malicious attacker. The connection string is "lol lol lol :shadowbot2".

ANI file

This should be it. I haven't analyzed it yet. Sorry it took me so long to put it up. Anyone who does an analysis will get front-posted :)

ani.zip

V.
