
ANI file

This should be it. I haven't analyzed it yet. Sorry it took me so long to put it up. Anyone who does an analysis will get front-posted :)

ani.zip

V.

Looking for Peacomm

I need the peacomm binary for some analysis. Fairly new stuff, released end of Jan called "Trojan.Peacomm" by symantec. Thanks!

New worm uses the .ani zero day vulnerability

Some days ago researchers declared an alert for the Microsoft Windows Cursor and Icon (.ANI) zero day vulnerability. Now they have declared an alert for a new worm.

Metasploit Framework 3.0 RELEASED!

Metasploit is pleased to announce the immediate free availability of the Metasploit Framework version 3.0 from http://framework.metasploit.com/.

YAY!

V.

ZDNet - Ryan Naraine Mentions the OC / Irnbot situation

"The botnet operator behind the virulent Nirbot Trojan is having a field day taunting anti-virus researchers.

While it is common to find messages and shout-outs buried in virus code, the person(s) behind Nirbot is rather talkative, leaving hostile threats directed at specific individuals, a strange apology for something involving "hospital computers" and even a mock CNN interview that discusses the bot's intent."

Read more at ZDNet

New IrnBot / Rinbot pokes at Offensive Computing

IrnBot is getting more personal it seems.

The bot does the following depending on what server it's on:
JOIN ##OC hellovalsmit

I guess he's a fan of the site? Why not contribute positively here instead of making a bunch of negative malware?

You'll notice the IRC channel name is #OC and the leet speak spelling of OffensiveComputing.
I guess the malware author is a fan of our site? :) Or maybe we will see an Anti Offensive Computing rant similar to the Symantec / CNN one?

WinDbg CheatSheet

This is a cheatsheet for WinDbg from Microsoft. Thanks to Metasploit for writing this.

Rinbot / Delbot

A generous user provided us with the rinbot / delbot sample. However, our scans show it as vanbot.

MD5: b09d49c377de3e835eb5bdfc31be5a66

Scanner        Version          Date        Result
AntiVir        7.3.1.38         03.02.2007  BDS/VanBot.AY.10
Authentium     4.93.8           03.04.2007  W32/Backdoor.AGKF
Avast          4.7.936.0        03.03.2007  no virus found
AVG            7.5.0.447        03.03.2007  Win32/CryptExe
BitDefender    7.2              03.04.2007  Backdoor.VanBot.L
CAT-QuickHeal  9.00             03.02.2007  Backdoor.VanBot.ay
ClamAV         devel-20060426   03.03.2007  no virus found

anyone have rinbot?

Could someone upload a copy of rinbot / delbot? It targets Symantec and seems a bit interesting.

V.

Defeating HyperUnpackMe2 With an IDA Processor Module

RolfRolles has written an excellent article at OpenRCE about reverse engineering a sophisticated packer called HyperUnpackMe2.

"Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take active measures to frustrate attempts to dump the process. Meanwhile, the complexity of the import protections and the amount of anti-debugging measures has steadily increased.

This article dissects such a protector and offers a static unpacker through the use of an IDA processor module and a custom plugin. The commented IDB files and the processor module source code are included. In addition, an appendix covers IDA processor module construction. In short, this article is an exercise in overkill."
