
kernex's blog

BITS used as covert channel

Eric Landuyt of DataRescue has analyzed a piece of malware that abuses the Background Intelligent Transfer Service (BITS) as a covert channel. Because BITS is a legitimate Windows download service, its traffic blends in with normal update activity, which is exactly why the usual registry/file/socket monitors told the analysts so little.

From the site:
"A strange executable, named MSMSGS.EXE, was found on several machines on the network of a customer, apparently dropped by the exploitation of a vulnerability inside Word files. As monitoring tools (registry/file/socket) provided insufficient information on the malware's behaviour, we proceeded with a complete analysis."

Wikipedia: BITS

29A has left the building!

The 29A group has retired for good.

"I tried to contact ValleZ for some time in order to take a decision together about the future of 29A, with no luck, therefore I decided to take the decision alone. And my decision is that 29A goes officially retired. I feel this is fair because I am kinda the alpha and the omega of the group. 29A was born in Dark Node, my BBS, and I am the last active member of the group. My last words as a 29A member are for all the people that worked hard to make this group the best one: Thank you very much! Regards, VirusBuster/29A"

Blue Pill published

The Blue Pill proof of concept has finally been published.

SB.BadBunny Source Code

SB.BadBunny is a multi-platform worm distributed as an OpenOffice document containing a StarBasic macro.
The worm first infects you when you open an OpenOffice Draw file called badbunny.odg. A macro included in the file performs different actions depending on whether you are running Windows, Mac OS or Linux.
Windows: the worm drops a file called drop.bad, which is then moved to system.ini in your mIRC folder (if you have one), and also drops and executes badbunny.js, a JavaScript virus that replicates to other files in the folder.

Thwarting Virtual Machine Detection

Tom Liston and Ed Skoudis have written a clear paper on how to detect a virtual machine, and on some possible methods for protecting a VM against such detection.

Read the paper

Podloso: iPodLinux Virus

Kaspersky Lab has discovered the first virus designed to infect the iPod. It does not work on normal iPods running the default iPod operating system; it targets iPodLinux. The virus cannot launch automatically without user involvement. Once launched, it scans the device's hard disk and infects all executable .elf files. Any attempt to launch one of these files causes the virus to display a message on the screen that says "You are infected with Oslo the first iPodLinux Virus".

Does anyone have this malware?

ANI vulnerability Analysis

All versions of Windows support animated mouse pointers, and a function in USER32.DLL loads them. An .ani file is a RIFF file made of chunks; each chunk starts with a 4-byte ID followed by a DWORD holding the chunk length. One of the chunks is "anih", and its payload is a 36-byte header. The vulnerability is here: the loading code does not check the length field of the "anih" chunk before using it to copy the chunk data into a fixed-size 36-byte stack buffer, so an attacker-chosen length overflows the stack. Here are some teams that have published their analysis of the ANI vulnerability:

Windows Animated Cursor Stack Overflow Vulnerability

Analysis of ANI “anih” Header Stack Overflow Vulnerability

Hispasec analysis
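To make the missing check concrete, here is an added example (it is not code from this post, from Microsoft, or from any of the analyses linked above): a chunk walker that scans an .ani file and flags any "anih" chunk whose declared length is not the 36 bytes the loader's fixed stack buffer holds. The file layout (RIFF/ACON container, ID(4) LEN(4) DATA chunks) is the real one; the sample files are constructed in memory, and the function names (scan_ani, build_ani, demo_verdict) are this example's own.

```c
/* Added example: scanner for the unchecked "anih" length in .ani files.
 * Not the Windows loader's code; the sample inputs are built in memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ANIH_SIZE 36u   /* sizeof(ANIHEADER): 9 little-endian DWORDs */

enum ani_verdict { ANI_CLEAN = 0, ANI_SUSPICIOUS = 1, ANI_MALFORMED = -1 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walks every chunk ("ID(4) LEN(4) DATA(LEN)", odd lengths padded to even).
 * Returns ANI_SUSPICIOUS if any anih chunk declares a length other than
 * ANIH_SIZE (an unchecked loader would memcpy that many bytes into its
 * 36-byte stack buffer), ANI_MALFORMED if the container is truncated,
 * otherwise ANI_CLEAN. *declared (may be NULL) gets the largest anih length. */
int scan_ani(const uint8_t *buf, size_t len, uint32_t *declared)
{
    if (declared) *declared = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_MALFORMED;
    size_t pos = 12;
    int verdict = ANI_CLEAN;
    while (pos + 8 <= len) {
        const uint8_t *id = buf + pos;
        uint32_t clen = rd32(buf + pos + 4);
        pos += 8;
        if (memcmp(id, "anih", 4) == 0) {
            if (declared && clen > *declared) *declared = clen;
            if (clen != ANIH_SIZE) verdict = ANI_SUSPICIOUS;  /* the check the loader lacked */
        }
        /* never trust clen for the skip without a bounds check */
        if (clen > len - pos)
            return verdict == ANI_SUSPICIOUS ? ANI_SUSPICIOUS : ANI_MALFORMED;
        pos += clen + (clen & 1);
    }
    return verdict;
}

/* Constructed sample: RIFF/ACON with one anih chunk whose length field is
 * anih_len; the first DWORD of the payload mirrors that length. Returns the
 * number of bytes written, or 0 if cap is too small. */
size_t build_ani(uint8_t *out, size_t cap, uint32_t anih_len)
{
    size_t total = 12 + 8 + anih_len + (anih_len & 1);
    if (cap < total) return 0;
    memcpy(out, "RIFF", 4); wr32(out + 4, (uint32_t)(total - 8)); memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4); wr32(out + 16, anih_len);
    memset(out + 20, 0, anih_len + (anih_len & 1));
    if (anih_len >= 4) wr32(out + 20, anih_len);
    return total;
}

/* Builds a sample with the given anih length and returns scan_ani's verdict. */
int demo_verdict(uint32_t anih_len)
{
    uint8_t file[4096];
    uint32_t declared;
    size_t n = build_ani(file, sizeof file, anih_len);
    return n ? scan_ani(file, n, &declared) : ANI_MALFORMED;
}

int main(void)
{
    printf("anih len 36   -> verdict %d\n", demo_verdict(ANIH_SIZE));
    printf("anih len 1024 -> verdict %d\n", demo_verdict(1024));
    return 0;
}
```

Note that the scanner inspects every anih chunk in the file rather than stopping at the first one; a check that only validates the first anih chunk passes a file whose first header is well-formed and whose later one carries the oversized length.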

New worm uses the .ani zero-day vulnerability

Some days ago researchers raised an alert for the Microsoft Windows Cursor and Icon (.ANI) zero-day vulnerability; now they have raised an alert for a new worm that exploits it.
