Skip navigation.


Zolb variant... registered!

Zolb variant... registered!

in disguise codec... but download adware or spyware!

File: 2c5bc9d3faeba122e435e5f5d0c96b27.exe
MD5: 2c5bc9d3faeba122e435e5f5d0c96b27
Size: 54800

File: 63d8eef9a6b748c8aca89847cbc1fed2.exe
MD5: 63d8eef9a6b748c8aca89847cbc1fed2
Size: 56976

File: 94c979b2f3fcddb5c083d4faa5998bc0.exe
MD5: 94c979b2f3fcddb5c083d4faa5998bc0
Size: 73632

File: a77ccf9705483b31f53d70de8b2ead32.exe
MD5: a77ccf9705483b31f53d70de8b2ead32
Size: 96980

File: a032878bede5c8a31403f4d74d7928c9.exe
MD5: a032878bede5c8a31403f4d74d7928c9
Size: 68888

File: bb33e231225a6dbd9b30a5982172fa79.exe

Another MSN thing?

Yet another MSN worm here:

MD5: c0fc8d049547722059bedc9893f6bfd3

recieved in message:
is that u? :o

Nice that it looks like a jpg extention to the unexperienced user, would fool many people, now that we've been learning them to only click on gif (NOT pif!), jpg etc etc :p


Hello guys from Offensive Computing.

I´m from Sao Paulo, Brazil, and a staff member of Linha Defensiva Security Forum, where we analyse and solve problems with malware, specialy brazilians malware bankers.

Congratulations for all


Paper: SPiKE: Engineering Malware Analysis Tools using Unobtrusive Binary-Instrumentation

SPiKE: Engineering Malware Analysis Tools using Unobtrusive Binary-Instrumentation is a paper by Amit Vasudevan and Ramesh Yerraballi from UT Arlington. This paper outlines several different methods to control a running process. In this case, it is used for controlling malware.

The SPiKE method uses a kernel solution to implement "drifters" or memory read/write breakpoints. These breakpoints are then used to control the execution of the malware. The breakpoints are done via setting the target memory page in the kernel to a "not-present" flag, and then through "subtle software techniques" (their quote, not mine) they are able to transfer execution to the SPiKE API. This is very similar to Joe Stewart's OllyBone method of setting region based breakpoints. The rest of the interception points are based on the Windows API hooking via CreateProcess, OpenProcess, and others.

New stration

Last night i decided to take a quick look at the recent malware in my inbox, and i saw a new Stration spam run, i've uploaded the files here, see below for all the MD5 sums.

It downloads the following files:


I'm dealing with a large amount of files every day (guess which kind of files), and major part are different kind of installers (Wise, Inno Setup, NSIS...).
Some of them can be unpacked by using specialized tools. The problem is that none of those tools are updated recently, or they do not support all the versions of the installer they claim to unpack.
During the time, on my HDD was growing a collection of installers that I could not unpack.

Yesterday I got to an idea :)
Someone here may remember the old DOS days. There was a program named Ripper (latest version I have had was 2.91), that could rip multimedia files from the games.

Papers : small reading list

Following chamuco's post, here are three papers I thought were interesting.

How to 0wn the Internet in Your Spare Time
was presented at Usenix in 2002, it describes some new techniques that could be used by malware to increase their propagation speed.

The Future of Internet Worms
, even if worms are not as hot as they used to be, this article is a good read. It relates new organisation techniques that can be used by groups of malware to coordinate, among other things.

Paper: Stripping Down an AV Engine

While reading through some papers, I found a particularly good one. While the methods are not ground breaking, and the paper is somewhat old (circa 2000) it does outline some of the good methods for detecting a viruses. These methods are still being rehashed today. Stripping Down an AV Engine by Igor Muttik is a good read. Check it out.

Do you have a particular paper you like? Post it in a blog or forum post with a brief description and share with the community.

The Politics of Malware

Kurt Wismer comes up with the standard set of criticisms that we've received at Offensive Computing.

Kurt really touches on the heart of the issue when he says, "i suppose the argument could be made that public access helps those just breaking into the anti-malware market, but in reality there's all kinds malware already readily available to such people so they can build their malware databases organically... at the same time they can build their reputations and trust relationships with others in the anti-malware community so that by the time they need access to malware they can't easily find themselves they'll have people they can turn to..."

It is true, all you have to do is go look and you'll find all kinds of malware. What you won't find are collections of malware that are somewhat presorted for you. You won't find the analysis, and you won't find trends. This causes a duplication of effort that could better be spent on experimenting with new ideas. The old-guard of AV protection is just not working. There are many many smart people working on the issues, but in the end until people work together advancement cannot happen.

There are large barriers to starting malware research. We believe that those barriers are unnecessary for a largely innocuous threat. The real threat is the new malware that is not, and can not be detected. For the most part the current malware threat has been innocuous, and easily handled. What is the path forward when newer more creative threats emerge?

PEFile: A Portable Executable Parser for Python


Ero Carrera created an excellent portable executable parser for python called PEFile. We've taken his file and run it across our entire malware collection for use in a future version of our malware analyzer. Attached is a collection of all the bug fixes we've made. If anyone has any comments on the modifications, I would very much appreciate hearing them.

Read the full article for all the bugs that have been fixed.

Syndicate content