DDoS Botnet. New crimeware particular purpose


A Denial of Service (DoS) attack consists basically of abusing a service or resource with successive requests, whether intentional or negligent, which eventually breaks the availability of that service or resource, temporarily or completely.

When this type of attack is carried out using the processing power of a large set of computers that perform the abusive requests synchronously, we are witnessing a Distributed Denial of Service (DDoS) attack.

Need password for downloading WinCE Mobile sample Virus

As the title says, I need a password for the WinCE sample virus. The page says the password is "infected"; can someone tell me how to get it please? Thanks.

DNAScan Malicious Network Activity Reverse Engineering

Hi,

This paper is split into several episodes; the first two can be read here:

First
http://evilcodecave.blogspot.com/2009/11/dnascan-malware-analysis-from-browser.html
Second
http://evilcodecave.blogspot.com/2009/11/dnascan-malware-analysis-from-browser_15.html

In this blog post we will investigate in depth the actual functionality of DNAScan,
which can be seen as a set of threads that implement different networking features:

* Server Functionalities
* Client Functionalities
* Malicious File Exchange
* Generic Backdoor

Let's start from the beginning of the network functionality setup. Initially, the main thread calls WSAStartup to initialise the Winsock DLL, then a classic socket(), and immediately afterwards WSAIoctl

Sample Windows Mobile Virus

Dear Users,

I am looking for a sample virus for Windows Mobile 5. I need this virus for my final year project. Help me please.

TDL3 - Why so serious? Let's put a smile on that face ...

Abstract:

The TDL (or TDSS) family is a trojan variant famous for its effectiveness and active technical development. It contains a couple of components: a kernel-mode rootkit and user-mode DLLs which perform the trojan operations such as downloading, blocking AVs, etc. Since the rootkit acts as an "injector" and protector for the user-mode bot binaries, almost all technical evolution of this threat family focuses on rootkit technology so as to evade AV scanners.

Ether Mailing List

Artem has created a mailing list for all Ether development-related activities. You can find it here on Google Groups.

Buster Sandbox Analyzer 1.0 release version

I released Buster Sandbox Analyzer 1.0.

Buster Sandbox Analyzer is a malware analyzer that uses Sandboxie as the environment in which to run programs.

You can follow the development of the tool here:

http://sandboxie.com/phpbb/viewtopic.php?t=6557

And you can download the tool from here:

http://bsa.qnea.de/bsa.rar

Reading the manual before using the tool is necessary.

Wandering Through Trojan.NtRootKit.47 Driver

Author: ocean

Introduction

I didn't have the dropper at the moment of writing this, only the driver. Without the dropper we can only get a generic idea of what the driver is used for. The driver has been reverse engineered by dead listing, a really irritating thing to do actually, but it can be useful to see the generic structure of a typical driver.

It's a driver with DLL-like functionality. The name erssd shows us that the driver is produced by ErrorSafe, a fake-AV (scareware) company. It seems there is no rootkit functionality in this driver; only a few Zw* functions are exposed to the dropper through IOCTLs, though we can't know how these are used without access to the dropper.

Driver entry point:
[Figure: driver entry point graph]
Simple start structure: a Device is created with the name "erssdd" and linked with a DosDevice of the same name; next, every entry of PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION+1] is written to point to a general IRP dispatch procedure. A driver unload routine is also set.

.text:000113EA push 1Ch ; IRP_MJ_MAXIMUM_FUNCTION+1
.text:000113EC lea edi, [ebx+38h]
.text:000113EF pop ecx
.text:000113F0 mov eax, offset irp_dispatch
.text:000113F5 rep stosd

.text:000113F7 mov dword ptr [ebx+34h], offset unload

The unload procedure is pretty simple too:

.text:0001133A unload:
.text:0001133A cmp Handle, 0
.text:00011341 jz short loc_1134A
.text:00011343 push 0
.text:00011345 call close_handle
.text:0001134A
.text:0001134A loc_1134A:
.text:0001134A push offset DestinationString
.text:0001134F call ds:IoDeleteSymbolicLink
.text:00011355 push DeviceObject
.text:0001135B call ds:IoDeleteDevice
.text:00011361 retn 4

It just checks whether there is an object handle open and closes it (inside the function close_handle there is a call to ZwClose).

Now the IRP dispatcher procedure :)

Huytebesy4ko Hijacker analysis

Continuing down the road of scam-mail-spread malware, today I am going to analyze an interesting little toy I accidentally came across just yesterday, when I received this funny email at my university address from a crafted fake address, notifications@crema.unimi.it:

We are contacting you in regards to an unusual activity that was identified in your mailbox. 
As a result, your mailbox has been deactivated. To restore your mailbox, you are required to 
extract and run the attached mailbox utility.

Best regards, crema.unimi.it technical support.

As you may guess, there was an attachment called utility.zip containing a utility.exe, which VirusTotal rates at 73%.

"Vosate Nofooz" - an almost unknown iranian malware [ part 1 ]

Well, after taking a glance at this malware, I decided to write up something useful about this kind of almost unknown malware.
The term "unknown" does not refer to something dangerous with a high level of risk!
Actually, this malware is not as dangerous as people think it is; rather, this kind of malware is difficult in the cleaning phase.
The malware does not act as particularly dangerous code, but it is robust in the field of self-defense.
