WARNING: This site contains samples of live malware. Use at your own risk.

Stealthy Profiling and Debugging of Malware

Here is a Windows driver I developed that I presented at Blackhat this year. Enjoy.

Hades is a tool for dynamic application analysis on Microsoft Windows-based systems. It has function hooking capabilities similar to those of Microsoft Detours and WinAPIOverride (WAO), and it can also function as a debugger. It was developed to allow analysis of malware binaries that were able to detect Detours and WAO.

https://github.com/jnraber/Hades

Three Million Samples

Today we added our three millionth sample to the Offensive Computing malware corpus. While three million pales in comparison to the total malware out there, we still have the largest openly available collection available on the open Internet.

The story of this site has had its ups and downs, and on multiple occasions it was on the brink of shutting down. Every time I heard from someone at a conference, or saw mention of the site in presentations in papers, this helped to keep us up and running. The resources needed to keep things moving have been interesting to deal with. Our commercial services have supported the ongoing maintenance of running a free malware archive.

Some changes are coming to the site Real Soon Now (TM) and I think now is a good time to share them with you. First, the storage and catalog software we have been running on has been sluggish for a long time. I'm about 80% through a rewrite of the underlying malware processing system that should get us to the next order of magnitude without problems. We have made some key partnerships with other open malware resources and we are beginning to put those into service soon. Second, our Reverse Engineering training is getting a massive rewrite. Currently we only do on-site offerings, but we are investigating the possibility of hosting at a more public general venue. Finally, the blog that you see here will be undergoing some changes.

Thank you to all of our customers, users, and supporters. Without you Offensive Computing would not be up and running today. Watch for more news coming soon.

Danny Quist
Founder, Offensive Computing, LLC.

MeMMon - A Light Weight Process Memory Scanner

Vejovis is a project that was started to develop a user-mode memory scanning tool, "MeMMoN - A Process Memory Scanning Tool". It scans the memory of all the processes in the system. It can be downloaded from the link below.

Download

Releasing PDF X-RAY

For the past few months I have been doing research on PDF analysis and how it could be better improved. While doing the research I found myself writing tools and scripts to help me get the job done and decided it was time to put something more useful together. PDF X-RAY is a static analysis tool that allows you to analyze PDF files through a web interface or API. The tool uses multiple open source tools and custom code to take a PDF and turn it into a sharable format. The goal with this tool is to centralize PDF analysis and begin sharing comments on files that are seen.

PDF X-RAY differs from all other tools because it doesn't focus on the single file. Instead it compares the file you upload against thousands of malicious PDF files in our repository. These checks look for similar data structures within the PDF you upload and ones that have been reviewed by analysts. Using this feature we can begin to see shared coded samples among malicious files or trends due to malicious author coding styles. The tool is still in beta, but I wanted to release it to the public to see what users thought. In my opinion the API is the most useful as you can begin to integrate rich PDF analysis into other tools and services with little or no cost.

PoC XMPP Bot C&C using Google Talk (video)

Earlier this year I put together an outline for a talk to cover how XMPP could be used as a botnet command and control. I just got around to playing around with the stuff and wanted to share some of the information I had and get opinions on what people thought about it all. I see XMPP as a more modern and flexible IRC when it comes to botnets. Features like federation, transports, p2p and client/server communication all make it seem to fit well in this area. Rather than waiting until it actually gets implemented, maybe we should think about what we could do to stop it or detect it now.

http://blog.9bplus.com/new-age-cc-xmpp-bots-preview

http://blog.9bplus.com/poc-xmpp-bot-cc-using-google-talk

Reversing TDSS: The x64 Dollar Question

In the two years since the Win32/Olmarik family of malware programs (also known as TDSS, TDL and Alureon) started to evolve, its authors have implemented a notably sophisticated mechanism for bypassing various protective measures and security mechanisms embedded into the operating system. Read more here Reverse Engineering Malware

The fourth version of the TDL rootkit family (TDL4) is the first reliable and widely spread bootkit to target x64 operating systems (Windows Vista and Windows 7). Since TDL4 started to spread actively in August 2010, several versions of the malware have been released. By comparison with its predecessors, TDL4 is not just characterized by modification of existing code, but to all intents and purposes can be regarded as new malware. Among the many changes that have been applied as it developed, the most radical were those made to its mechanisms for self-embedding into the system and surviving reboot. One of the most striking features of TDL4 is its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and Windows 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled. This makes TDL4 a powerful weapon in the hands of cybercriminals. In this article, we consider the PPI (Pay Per Install) distribution model used by both TDL3 and TDL4, and the initial installation.

YARA 1.5 released

A new version of YARA has been released. This version provides some new features, including:

* Process memory scanning
* Support for ELF files
* Faster regular expressions by using RE2 instead of PCRE

For more information visit:
http://code.google.com/p/yara-project

ShmooCon 2011: Visual Malware Reversing

This past weekend I had the pleasure of presenting at ShmooCon 2011. This conference continues to be one of my favorites. ShmooCon is a small conference that is trying very hard to stay that way. This year I talked about my improvements to VERA over the past 6 months. Much of the talk was centered around live demos, which unfortunately did not make it to the slides. The new tracing module and updated versions of the VERA code will be posted here soon.

Video of the Talk
PDF of the Powerpoint Slides
Download the new VERA code here

Abstract:

Reverse engineering is a complicated process that has a lot of room for improvement. This talk will showcase some improvements to our visualization framework, VERA. New features that decrease the overall time to reverse a program will be shown. New items are a debugger based interface which allows for faster analysis without the need for a hypervisor, integrated trace processing tools, IDA Pro integration, and an API to interface with the display. During the talk I will reverse engineer malware samples, and show how to integrate it into your reversing process.

Danny

Paper: Hunting rootkits with Windbg

Here are the slides to my talk "Hunting rootkits with Windbg" at the Ruhr University of Bochum yesterday. I'll introduce several ways to find well known rootkits like Rustock or TDL Versions 3+4 with Windbg and scripts. Enjoy!

http://www.reconstructer.org/papers/Hunting rootkits with Windbg.pdf

The Windbg script shown in the slides to grab Kernelcallbacks can be found here:

http://www.reconstructer.org/code/WindbgScript-KernelCBFindx86.rar

Releasing malpdfobj (malicious PDF described in a JSON object)

About a month ago I posted a blog describing research I was doing on malicious PDF files. As part of this research I needed a way to represent a malicious PDF file in a queryable form. I ultimately decided on MongoDB as my backend and therefore wanted to get the malicious file in a JSON form so I could store it.

The tool I just released today is a composite of tools from myself and Didier Stevens. Didier's PDF tools have done a lot of the heavy lifting, but my glue code brings multiple pieces of data into a single object. As of right now the object contains the following details: