
blogs

Another MSN thing?

Yet another MSN worm here:

MD5: c0fc8d049547722059bedc9893f6bfd3

received in message:
is that u? :o http://tuspics.tu.funpic.org/index.php?pic2038.jpg

Nice that it looks like a jpg extension to the inexperienced user; it would fool many people, now that we've been teaching them to only click on gif (NOT pif!), jpg etc etc :p

Hello!

Hello guys from Offensive Computing.

I'm from Sao Paulo, Brazil, and a staff member of the Linha Defensiva Security Forum, where we analyse and solve problems with malware, especially Brazilian banker malware.

Congratulations to all

Einstein
www.linhadefensiva.org
http://linhadefensiva.uol.com.br/forum

Paper: SPiKE: Engineering Malware Analysis Tools using Unobtrusive Binary-Instrumentation

SPiKE: Engineering Malware Analysis Tools using Unobtrusive Binary-Instrumentation is a paper by Amit Vasudevan and Ramesh Yerraballi from UT Arlington. This paper outlines several different methods to control a running process. In this case, it is used for controlling malware.

The SPiKE method uses a kernel solution to implement "drifters", i.e. memory read/write breakpoints. These breakpoints are then used to control the execution of the malware. The breakpoints are set by marking the target memory page in the kernel as "not-present", and then through "subtle software techniques" (their quote, not mine) they are able to transfer execution to the SPiKE API. This is very similar to Joe Stewart's OllyBone method of setting region-based breakpoints. The rest of the interception points are based on Windows API hooking via CreateProcess, OpenProcess, and others.
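To make the "drifter" mechanism concrete, here is an added user-space analogue (not code from the SPiKE paper or from Offensive Computing): the page is made inaccessible with `mprotect` in place of clearing the kernel's present bit, the first access faults into a signal handler in place of the kernel trap, and the handler logs the hit, reopens the page and lets the faulting instruction re-execute. The names `drifter_arm` and `drifter_demo` are hypothetical; the block assumes a POSIX system (tested on Linux).

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Hypothetical user-space analogue of a SPiKE "drifter": the watched page is
 * made inaccessible (PROT_NONE stands in for the cleared "present" bit), the
 * first access faults into this handler instead of the kernel, the hit is
 * logged, access is restored and the faulting instruction re-executes. */
static volatile sig_atomic_t drifter_hits = 0;
static void *watched_page = NULL;
static size_t page_size = 0;

static void drifter_handler(int sig, siginfo_t *info, void *ctx) {
    (void)ctx;
    uintptr_t fault = (uintptr_t)info->si_addr, base = (uintptr_t)watched_page;
    if (fault >= base && fault < base + page_size) {
        drifter_hits++;
        /* One-shot: release the page so the access completes (re-arming would
         * need single-stepping, which this example leaves out). */
        mprotect(watched_page, page_size, PROT_READ | PROT_WRITE);
        return;
    }
    signal(sig, SIG_DFL); /* not our page: let a real crash surface */
}

/* Map one page and arm the drifter on it; returns the page or NULL. */
void *drifter_arm(void) {
    struct sigaction sa;
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    watched_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (watched_page == MAP_FAILED) return NULL;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = drifter_handler;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return NULL;
    sigaction(SIGBUS, &sa, NULL); /* some platforms raise SIGBUS instead */
    drifter_hits = 0;
    if (mprotect(watched_page, page_size, PROT_NONE) != 0) return NULL;
    return watched_page;
}

/* Write the page twice: only the first write trips the drifter. */
int drifter_demo(void) {
    volatile unsigned char *p = drifter_arm();
    if (!p) return -1;
    p[0] = 0x41; /* faults, handler counts one hit and opens the page */
    p[1] = 0x42; /* page is writable now, no fault */
    return (int)drifter_hits;
}
```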

New stration

Last night I decided to take a quick look at the recent malware in my inbox, and I saw a new Stration spam run. I've uploaded the files here; see below for all the MD5 sums.

It downloads the following files:

http://www4.vadesunjionderunhdae.com/chr/843/lt.exe
http://www5.vadesunjionderunhdae.com/chr/843/s.exe
http://www6.vadesunjionderunhdae.com/chr/843/nt.exe

Ripper

I'm dealing with a large amount of files every day (guess which kind of files), and the majority are different kinds of installers (Wise, Inno Setup, NSIS...).
Some of them can be unpacked by using specialized tools. The problem is that none of those tools have been updated recently, or they do not support all the versions of the installer they claim to unpack.
Over time, a collection of installers that I could not unpack was growing on my HDD.

Yesterday I got an idea :)
Someone here may remember the old DOS days. There was a program named Ripper (the latest version I had was 2.91) that could rip multimedia files from games.

Papers : small reading list

Following chamuco's post, here are three papers I thought were interesting.

How to 0wn the Internet in Your Spare Time
was presented at Usenix in 2002; it describes some new techniques that could be used by malware to increase its propagation speed.

The Future of Internet Worms
: even if worms are not as hot as they used to be, this article is a good read. It relates new organisation techniques that can be used by groups of malware to coordinate, among other things.

Paper: Stripping Down an AV Engine

While reading through some papers, I found a particularly good one. While the methods are not groundbreaking, and the paper is somewhat old (circa 2000), it does outline some of the good methods for detecting viruses. These methods are still being rehashed today. Stripping Down an AV Engine by Igor Muttik is a good read. Check it out.

Do you have a particular paper you like? Post it in a blog or forum post with a brief description and share with the community.

The Politics of Malware

Kurt Wismer comes up with the standard set of criticisms that we've received at Offensive Computing.

Kurt really touches on the heart of the issue when he says, "i suppose the argument could be made that public access helps those just breaking into the anti-malware market, but in reality there's all kinds malware already readily available to such people so they can build their malware databases organically... at the same time they can build their reputations and trust relationships with others in the anti-malware community so that by the time they need access to malware they can't easily find themselves they'll have people they can turn to..."

It is true, all you have to do is go look and you'll find all kinds of malware. What you won't find are collections of malware that are somewhat presorted for you. You won't find the analysis, and you won't find trends. This causes a duplication of effort that could better be spent on experimenting with new ideas. The old guard of AV protection is just not working. There are many, many smart people working on the issues, but in the end, until people work together, advancement cannot happen.

There are large barriers to starting malware research. We believe that those barriers are unnecessary for a largely innocuous threat. The real threat is the new malware that is not, and can not be detected. For the most part the current malware threat has been innocuous, and easily handled. What is the path forward when newer more creative threats emerge?

PEFile: A Portable Executable Parser for Python


Ero Carrera created an excellent portable executable parser for python called PEFile. We've taken his file and run it across our entire malware collection for use in a future version of our malware analyzer. Attached is a collection of all the bug fixes we've made. If anyone has any comments on the modifications, I would very much appreciate hearing them.

Read the full article for all the bugs that have been fixed.

Warezov.DC (f-secure) uploaded.

Hey,

I've uploaded Warezov.DC (name according to F-Secure); this variant just got spammed this night.

MD5SUM: 83e00e3c95e51bb700a5380acdf9b2c3
SHA1SUM: ab471ad131a3590ba835ab622f4b9bc9f44685d3
SHA256SUM: 17d9827ed2aca3824f0f1916fc1d0048a2e70f1f109f518e2e23d90b826b2701

It tries to download a few files and execute them on the system; just like the rest of this downloader family, what it downloads are trojans.
