
udishamir's blog

New Feed Alliance Created

Hi Guys,

I want to announce that our new malware feeds alliance was launched: http://c300g.net.
We are open for feed exchange for the sole purpose of research.

We already have 8 different vendors with which we are already exchanging data; we also work with 6 different sensors deployed across several different geographical hosting services.
We have more than 8,000,000 samples already.

We will launch the Dissect||PE smart threat analysis framework on January 1, 2011.

Using RDMA during malware research

During my malware research I have encountered thousands of samples.
Most research labs use the same methods during their sample analysis: they all use emulators or some other kind of virtualization implementation.
The problem starts when trying to analyze well-defended malware, i.e. malware that uses good packers, anti-VM and anti-debugging techniques (and no, I'm not talking about IsDebuggerPresent).

Win32.TDSS

As a malware researcher I just got my hands on one of the latest TDSS malware samples.

The malware protects itself against execution on a virtual machine by using the SIDT query technique; in case a VMware environment is detected, the malware simply terminates and removes itself from the machine. For this analysis I used solely a real machine. The malware prevents itself from being executed several times by using a named event, which is also pretty convenient as a signaling and synchronization mechanism.

** TO VIEW THE FULL REPORT: http://www.flap71.com/tdss/ **

push esi
push offset aGfdjhfd ; "gfdjhfd"
push 1 ; bInitialState
push 1 ; bManualReset
push 0 ; lpEventAttributes
call ds:CreateEventA

push fs[0]
RCPT TO:
DATA
Received: 20100421082301.2417.qmail@
Date: Wed, 21 Apr 2010 06:23:01 -0120
Message-ID:
To: nicolad@hammondresources.co.uk
Subject: April Discount #88724
From: USA VIAGRA
Reply-To: nicolad@hammondresources.co.uk
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

http://tuxoxynuri.livejournal.com

Command & Coordination Communication (Data is being encoded)

HTTP/1.1 200 OK
magic-number : 128|1|176:78:92:79:102:102:50:246:184:71:97:63:185:238:83:142:67:150:205:76:183:198:210:215:181:120:211:118:191:153:157:112:231:250:191:77:96:242:68:24:58:165:88:243:148:171:129:215:66:79:36:249:22:246:208:203:110:163:65:46:60:223:158:36:217:93:113:57:80:181:82:138:91:170:125:240:86:255:200:152:79:236:145:101:226:97:49:81:5:114:127:66:82:29:102:43:123:215:100:203:141:183:85:233:98:211:217:184:211:162:80:34:142:226:136:112:68:185:194:73:44:65:139:126:95:241:169:218:
content-length : 40448
entity-info : 1271783310:40448:2;
x-powered-by : PHP/5.2.6-1+lenny8
vary : Accept-Encoding
server : nginx/0.6.32
connection : close
version : 1
date : Wed, 21 Apr 2010 07:30:58 GMT
rnd : 11988440
content-type : text/html; charset=utf-8

http://hjwbxhqr.cn/win-xp/controller.php?action=report&guid=0&rnd=11987634&uid=7&entity=1271783310
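The response above shows the C&C server answering a beacon with an unusual "magic-number" header: a pipe-separated prefix ("128|1|") followed by colon-separated decimal byte values. The following Python is an added example written for this page, not code from the original post or from the TDSS analysis it links to. It parses the captured header block, unpacks the magic-number field into raw bytes, and measures the byte entropy to back up the "data is being encoded" observation. In the capture the first field (128) equals the number of byte values that follow, so the parser treats it as a declared length and checks it; that reading, and the name "flag" for the second field, are assumptions made here rather than anything the post states.

```python
"""Parse the TDSS C&C HTTP response headers captured above (added example)."""
import math

# Header block exactly as shown in the capture, with the magic-number value
# re-joined onto a single line. This is page data, not a constructed sample.
CAPTURED_RESPONSE = """HTTP/1.1 200 OK
magic-number : 128|1|176:78:92:79:102:102:50:246:184:71:97:63:185:238:83:142:67:150:205:76:183:198:210:215:181:120:211:118:191:153:157:112:231:250:191:77:96:242:68:24:58:165:88:243:148:171:129:215:66:79:36:249:22:246:208:203:110:163:65:46:60:223:158:36:217:93:113:57:80:181:82:138:91:170:125:240:86:255:200:152:79:236:145:101:226:97:49:81:5:114:127:66:82:29:102:43:123:215:100:203:141:183:85:233:98:211:217:184:211:162:80:34:142:226:136:112:68:185:194:73:44:65:139:126:95:241:169:218:
content-length : 40448
entity-info : 1271783310:40448:2;
x-powered-by : PHP/5.2.6-1+lenny8
vary : Accept-Encoding
server : nginx/0.6.32
connection : close
version : 1
date : Wed, 21 Apr 2010 07:30:58 GMT
rnd : 11988440
content-type : text/html; charset=utf-8
"""


def parse_headers(raw: str) -> dict:
    """Map lowercased header names to values; the status line is stored under '_status'.

    The capture writes headers as 'name : value', so we split on the first colon
    only, which also keeps values such as 'entity-info' (which contain colons) intact.
    """
    lines = raw.strip().splitlines()
    headers = {"_status": lines[0].strip()}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_magic_number(value: str) -> tuple:
    """Split '128|1|a:b:c:...' into (declared_len, flag, payload_bytes).

    Assumption (not stated on the page): the first field declares how many byte
    values follow. A mismatch or an out-of-range value raises ValueError, which
    is how a detection script would flag a malformed or truncated response.
    """
    prefix_len, flag, body = value.split("|", 2)
    declared = int(prefix_len)
    values = [int(tok) for tok in body.split(":") if tok != ""]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("magic-number contains a value outside 0..255")
    payload = bytes(values)
    if len(payload) != declared:
        raise ValueError(f"declared {declared} bytes, got {len(payload)}")
    return declared, int(flag), payload


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; for a 128-byte sample the maximum possible is 7.0."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(raw: str) -> dict:
    """Summarise one captured response for a triage note."""
    headers = parse_headers(raw)
    declared, flag, payload = parse_magic_number(headers["magic-number"])
    return {
        "status": headers["_status"],
        "declared_len": declared,
        "flag": flag,
        "payload_len": len(payload),
        "payload_hex": payload.hex(),
        "entropy_bits_per_byte": round(shannon_entropy(payload), 2),
        "content_length": int(headers["content-length"]),
        "server": headers["server"],
    }


if __name__ == "__main__":
    for key, val in analyse(CAPTURED_RESPONSE).items():
        print(f"{key}: {val}")
```

The entropy of the 128 decoded bytes comes out around 6.6 bits per byte, close to the 7.0 ceiling for a sample that size, which is consistent with encrypted or otherwise encoded content rather than text. The length check is the part worth keeping in a detection script: a beacon parser that trusts the declared count without verifying it is the kind of code that fails quietly on a truncated or tampered capture.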
