Skip navigation.


Spam and Abuse

One of the day-to-day tasks of running this site involves monitoring for spam. Usually it's no problem: I just delete the junk posts, comments, and disable the accounts. I've made some tools to make this pretty easy. The problem is that the spammers and malcontents seem to have ratcheted up their spamming and it's getting to be too much work. I've made a drastic change requiring people to send me an email asking to register their account.

There is a general pattern to the spam. All of the accounts are new and created within 1-10 hours of the spam. They all tend to have Gmail accounts. Others such as Yahoo, Hotmail, etc. have really dropped off. It would be nice if Google could do something to prevent people from taking advantage of their server. If I just banned any accounts from Gmail I could probably get rid of about 90% of the spam. That would affect other people using Gmail legitimately though, so I didn't want to take that step.

I realize there are people out there doing legitimate work [1] that can't answer the questions truthfully. That's ok, just make something up. I will accept "I work for the Post Office" as an answer [2], or pretty much anything else. So far it seems to be working too, there haven't been nearly as many spam messages as before.

There also have been some efforts to download our entire collection of malware. While I can understand why someone would want to do this, it does end up using a lot of our resources, bandwidth being one of them. As always I'm happy to work with people but please contact me about it. I'm happy to make trades with people for new samples I can add. If you have nothing to trade drop me a note and we can work something out.

[1] For some definition of legitimate. :)
[2] Stolen without shame from Halvar's class

zero wine tryouts - a fork of zero wine

What is zero wine tryouts?

zero wine tryouts is an open source malware analysis tool.
Just upload your suspicious PE file (Windows executable) through the web interface and let it analyze the behaviour of the process.

zero wine + X = zero wine tryouts

The zero wine tryouts project is a fork of the original zero wine project.
The last modification to the source code of the original project was done back in Jan 2009.

For more information, visit here.

One Million Samples

Watching the sample counter, I noticed that we have ticked over the 1 million mark. Ordinarily I'm not one for making a big deal about big round numbers, but I think this one has some special merit. There has been a lot of work to make this happen from a lot of people. Offensive Computing has been running for a little over 4 years now. It started out as a small website with big dreams. That turned into one with more of a focus on large numbers of samples. I can remember conversations with friends about how amazing it was when we had a thousand, ten thousand, and forty thousand samples. Each increment of size added more complexity to the system. There is no better way to learn about scaling issues than to run a public site like this.

It has always been our hope that this site has been a resource to the reverse engineering and malware analysis community. As always we enjoy interacting with everyone whether it be at conferences, training we've taught, twitter, or just email.

Thank you for all your support in creating this resource. Happy 1 million samples!

Danny Quist

PHP/Spy.Bull Cryptanalysis of Encryption used and Threat Analysis

Today we're going to locate a PHP/Spy.Bull infected target, Cryptoanalyze the
encoded blocks involved in and finally analyze the deriving thread.

It's clear that cryptanalysis part is is superabundant for the study of the actual threat, what I want to show here is a different, more pragmatic and general approach to the problem.

This procedure can be used in much more complex contexts, where encryption is stronger that our case and there is an important lack of informations.

This malicious PHP malware affects compromised Websites, with an encrypted page, the classical anatomy of an infected URL is

Let's now see this page.


As you can see we have two blocks of encrypted data:

1. The first one that does not help us in this moment because we don't have any explicit information about the encryption algorithm used, but we can pragmatically how complex is this cipher text.
2. We can decode the second block, its easly Base64 Encoded.

At a first look it's obvious that the first code block presents an encryption that should be not so hard. But this is only a supposition, we have to demonstrate:

1. It's really easy how appears?
2. We can have a misure of how many complex is?

Could happen that an apparently easy block it's the result of complex operations.

1st Rogue Mail in 2010

Good Guys Bring Down the Mega-D Botnet

Chalk up one for the defenders. Here’s how a trio of security researchers used a three-step attack to defeat a 250,000-pronged botnet.

Erik Larkin, PC World
Sunday, December 27, 2009 06:00 PM PST

Siberia Exploit Pack. Another package of explois In-the-Wild


Siberia Exploit Pack is a new package designed to exploit vulnerabilities and recruit zombies original, as is easy to deduce from its name and as is customary in this area crimeware clandestine business in Russia.


Rule2Alert's goal, is to read in snort rules and generate packets that would make snort produce an alert. It is written entirely in python and utilizes Scapy to craft the packets. It is still under heavy development with myself, Pablo Rincon, and Will Metcalf.

Currently, it is able to generate pcaps based off simple content snort compatible rules. I loaded in the emerging-all.rules file and was able to create a pcap that alerted snort 514 times. The project is not ready to be released yet, but the results look promising so far. This project is currently under the Open Information Security Foundation, as all of the project members are currently working on the new IDS/IPS system Suricata.


alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; distance:5; within:12; sid:2000000; rev:1;)

famousjs@youbantoo:~/rule2alert$ sudo python -vt -c /etc/snort/snort.conf -f rules/test.rule -w test.pcap
Ether / IP / TCP > S
Ether / IP / TCP > SA
Ether / IP / TCP > A
Ether / IP / TCP > PA / Raw

-------- Hex Payload Start ----------
56 24 5a 63 20 20 20 20
20 68 65 79
--------- Hex Payload End -----------

Loaded 1 rules successfully!
Writing packets to pcap...
Successfully alerted on all loaded rules

RussKill. Application to perform denial of service attacks


Conceptually speaking, a DoS attack (Denial of Service attack) is basically bombarded with requests for a service or computer resource to saturate and the system can not process more data, so those resources and services are inaccessible, "denying" the access to anyone who wants them.

From the standpoint of computer security, Denial of Service attacks are a major problem because many botnets are designed to automate these attacks, especially those of particular purpose, taking advantage of computational power offered by the network of zombies. In this case, the attack is called Distributed Denial of Service (DDoS).

Moreover, under the framework of the concept of cyberwarfare, this type of attack is part of the armament "war" through which virtual scenarios presented conflicts between their requirements as to neutralize a state vital services.

RussKill is a web application that is classified within these activities and that despite being extremely simple, both in functionality and in the way of use, is an attack that could be very effective and difficult to detect.

As is customary in the current crimeware, the web application is of Russian origin and has a number of fields with information about how and against whom to carry out the attack, letting you configure the packet sequence, ie the flow in amount. The option "Hide url" is a self-defensive measure designed to ensure that the server is detected.

Although several methods of DoS attacks, RussKill makes use of the attacks HTTP-flood and SYN-flood. In both cases the servers for flood victims through http requests and packets with fake source IP addresses respectively.

As I said at first, the denial of service attacks are a danger for any information system, regardless of the platform that supports services and applications such, in this case site, demonstrates the ease with which an attack of this type can run.

Jorge Mieres
Pistus Malware Intelligence

Syndicate content