I want to announce that our new malware feeds alliance has launched: http://c300g.net.
We are open to feed exchange for the sole purpose of research.
We already have 8 different vendors with whom we exchange data, and we also operate 6 different sensors deployed across several different geographical hosting services.
We already have more than 8,000,000 samples.
We will launch the Dissect||PE Smart threat analysis framework on January 1, 2011.
During my malware research I have encountered thousands of samples.
Most research labs use the same methods during sample analysis: they all rely on emulators or some other kind of virtualization implementation.
The problem starts when trying to analyze well-defended malware, i.e. malware that uses good packers, anti-VM and anti-debugging techniques (and no, I am not talking about IsDebuggerPresent).
As a malware researcher I just got my hands on one of the latest TDSS malware samples.
The malware protects itself against execution on a virtual machine using the SIDT query technique; if a VMware environment is detected, the malware simply terminates and removes itself from the machine. For this analysis I used only a real machine. The malware prevents itself from being executed several times using a named event, which is also pretty convenient as a signaling and synchronization mechanism.
To view the full report: http://www.flap71.com/tdss/
push offset aGfdjhfd ; "gfdjhfd"
push 1 ; bInitialState
push 1 ; bManualReset
push 0 ; lpEventAttributes
Date: Wed, 21 Apr 2010 06:23:01 -0120
Subject: April Discount #88724
From: USA VIAGRA
Command & Coordination communication (the data is encoded):
HTTP/1.1 200 OK
magic-number : 128|1|176:78:92:79:102:102:50:246:184:71:97:63:185:238:83:142:67:
content-length : 40448
entity-info : 1271783310:40448:2;
x-powered-by : PHP/5.2.6-1+lenny8
vary : Accept-Encoding
server : nginx/0.6.32
connection : close
version : 1
date : Wed, 21 Apr 2010 07:30:58 GMT
rnd : 11988440
content-type : text/html; charset=utf-8
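As an added example (not code from the original post or from the TDSS report), the following Python triages the captured C&C response above: it parses the headers, separates the non-standard ones (magic-number, entity-info, version, rnd) from an assumed baseline of ordinary nginx/PHP headers, and splits the magic-number value on the delimiters visible in the capture. The baseline set and the assumed field layout of magic-number are my assumptions; the sample text is the response shown above.

```python
# Added example (not the post's code): triage of the captured C&C response headers.
# Constructed from the captured response above (trailing ':' kept as captured).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
magic-number : 128|1|176:78:92:79:102:102:50:246:184:71:97:63:185:238:83:142:67:
content-length : 40448
entity-info : 1271783310:40448:2;
x-powered-by : PHP/5.2.6-1+lenny8
vary : Accept-Encoding
server : nginx/0.6.32
connection : close
version : 1
date : Wed, 21 Apr 2010 07:30:58 GMT
rnd : 11988440
content-type : text/html; charset=utf-8
"""

# Headers an ordinary nginx/PHP page would send (assumed baseline; extend for your environment).
KNOWN_HEADERS = {"content-length", "x-powered-by", "vary", "server", "connection", "date",
                 "content-type", "content-encoding", "cache-control", "expires", "set-cookie"}

def parse_response(raw):
    """Return (status line, dict of lower-cased header name -> value)."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        # Split on the first ':' only; values such as dates and magic-number contain more.
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def unknown_headers(headers):
    """Header names outside the baseline: the part worth a detection rule."""
    return sorted(set(headers) - KNOWN_HEADERS)

def parse_magic_number(value):
    """Split '128|1|176:78:...' into leading ints and a list of byte-sized ints.
    Layout inferred from this capture only; the post does not document its meaning."""
    *head, tail = value.split("|")
    return [int(f) for f in head], [int(b) for b in tail.split(":") if b]

def triage(raw):
    """One-shot summary an analyst can turn into a proxy signature or sandbox check."""
    status, headers = parse_response(raw)
    head, tail = parse_magic_number(headers.get("magic-number", ""))
    return {"status": status, "unknown_headers": unknown_headers(headers),
            "magic_head": head, "magic_bytes": len(tail),
            "magic_fits_bytes": all(0 <= b < 256 for b in tail)}
```

Run `triage(SAMPLE_RESPONSE)` to get the four non-standard header names and the 17 byte-sized values carried in magic-number; the same functions work on any other captured response text.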