
Barack Obama and Trojan.Script.Iframer

People have been reporting spam e-mail linking them to:

hxxp://store.worldnewsdot.xxx

It turns out to be an anti-Obama website; it makes fake claims such as

"Barack Obama's inauguration that was planned on 20th January 2009 is under the threat of failure. On the Eve of Inauguration Day President-elect Barack Obama made statement. He declared that he is definitely NOT ready for this position. Analysts say that Barack Obama has refused to be next president because he recognized inconsistency of his plan of stimulating USA economy"

Zerowine: Dumping malware and detection of antivm and antidebug


I released a new version of Zerowine, a QEmu+Wine based malware auto-analysis tool. In this version I added support to dump the malware from memory while running. The dumps can also be downloaded for later analysis with IDA Pro.

The other feature I added is the ability to detect both anti-debugging and anti-vm techniques. The detection of anti-debugging techniques is done by analyzing the APIs called by the malware while the anti-vm detection is done by looking for patterns in both the packed version of the malware (the original one) and the unpacked (memory dump) version of the malware.

You can download the latest version of Zerowine as a prebuilt QEmu virtual machine (you can convert it to a VMware image if you prefer, using the help found in this blog) or in source code form.

Update: I fixed the issue with the corrupted image. I uploaded a new working one and the MD5Sum.

Cheers!

New Classmates.com Malware Campaign

While reading through my spam folder, I found a new sample. There is a new malware sample being spread posing as a Classmates.com reunion message. The sample I have is MD5 895377d01833dfd01dfccb523b2d3026. I haven't done anything to analyze this file yet.

UPDATE: Here's a new copy of the executable 393473bd4a1da563ec086cff7d9c50f6

Here's the original email from my spam folder:

Received: from [78.2.19.242] by hoemail1.alcatel.com; Tue, 13 Jan 2009 18:09:56 +0100
From: "Committee members" <alumni@classmates.com>
To: <DANNY'S EMAIL ADDRESS>

YARA: a malware identification and classification tool

YARA is an open-source, multi-platform tool that allows you to create your own signatures to identify malware families based on text or hex strings present in samples of those families. The signatures are written in a special-purpose language that looks like this:

rule silent_banker : banker
{
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

Complex signatures can be created by using boolean operators, wild-cards, regular expressions and much more. You can find more information on the project site:

http://code.google.com/p/yara-project/
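To show what the rule above actually evaluates, here is a small pure-Python matcher (an added example, not YARA's own code) that compiles the rule's hex and text strings into byte regexes, supports the `??` wildcard mentioned above, and evaluates the condition `$a or $b or $c` over a constructed sample buffer.

```python
import re

def hex_pattern(spec):
    """Compile a YARA-style hex string such as '6A 40 ?? 30' into a bytes regex.
    '??' is a one-byte wildcard; DOTALL makes it match 0x0A as well."""
    parts = []
    for tok in spec.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def text_pattern(s):
    """Compile a YARA text string (plain, case-sensitive) into a bytes regex."""
    return re.compile(re.escape(s.encode("latin-1")))

# The three strings from the silent_banker rule shown on the page.
SILENT_BANKER = {
    "$a": hex_pattern("6A 40 68 00 30 00 00 6A 14 8D 91"),
    "$b": hex_pattern("8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9"),
    "$c": text_pattern("UVODFRYSIHLNWPEJXQZAKCBGMT"),
}

def scan(data, strings=SILENT_BANKER):
    """Return {string_name: [offsets]} for every string that occurs in data."""
    hits = {}
    for name, pat in strings.items():
        offsets = [m.start() for m in pat.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits

def matches_silent_banker(data):
    """Evaluate the rule's condition ($a or $b or $c); return (matched, hits)."""
    hits = scan(data)
    return any(name in hits for name in ("$a", "$b", "$c")), hits

# Constructed sample: a fake DOS header, then the $a bytes, filler, then the $c text.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + bytes.fromhex("6A4068003000006A148D91") + b"junk"
          + b"UVODFRYSIHLNWPEJXQZAKCBGMT")

if __name__ == "__main__":
    matched, hits = matches_silent_banker(SAMPLE)
    print("silent_banker matched:", matched, hits)
```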

Zero Wine: QEMU based malware auto-analysis

Zero Wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero Wine simply runs the malware using WINE in a safe virtual sandbox (an isolated environment), collecting information about the APIs called by the program.

The output generated by Wine (using the debug environment variable WINEDEBUG) is the list of API calls made by the malware (together with the argument values it used, of course). With this information, analyzing the malware's behavior turns out to be very easy.
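As an added illustration of both the WINEDEBUG call log described here and the API-based anti-debugging detection mentioned in the Zerowine release note above, the following Python (not Zero Wine's own code) parses constructed lines in the style of Wine's `+relay` trace, summarizes the calls per API, and flags calls commonly used to detect a debugger. The trace lines and the PROCESSINFOCLASS constants are assumptions for the demo.

```python
import re
from collections import Counter

# Constructed sample in the style of WINEDEBUG=+relay output; not a real trace.
RELAY_LOG = r"""
0009:Call kernel32.IsDebuggerPresent() ret=00401050
0009:Ret  kernel32.IsDebuggerPresent() retval=00000000 ret=00401050
0009:Call kernel32.CreateFileA(00403010 "C:\\evil.tmp",40000000,00000000,00000000,00000002,00000080,00000000) ret=00401090
0009:Ret  kernel32.CreateFileA() retval=00000054 ret=00401090
0009:Call ntdll.NtQueryInformationProcess(ffffffff,00000007,0033fe80,00000004,00000000) ret=004010c0
0009:Ret  ntdll.NtQueryInformationProcess() retval=00000000 ret=004010c0
0009:Call user32.MessageBoxA(00000000,00403040 "done",00403048 "x",00000000) ret=004010f0
"""

CALL_RE = re.compile(
    r"^(?P<tid>[0-9a-f]{4}):Call (?P<mod>\w+)\.(?P<func>\w+)\((?P<args>.*)\) ret=[0-9a-f]+$")

# NtQueryInformationProcess info classes that answer "am I being debugged?" (assumed constants).
DEBUG_INFO_CLASSES = {0x07: "ProcessDebugPort", 0x1E: "ProcessDebugObjectHandle",
                      0x1F: "ProcessDebugFlags"}
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "OutputDebugStringA", "OutputDebugStringW", "NtSetInformationThread"}

def parse_relay(text):
    """Return the 'Call' lines as dicts (tid, mod, func, args); 'Ret' lines are skipped.
    Arguments are split naively on commas, which is enough for this sample."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            d = m.groupdict()
            d["args"] = [a.strip() for a in d["args"].split(",")] if d["args"] else []
            calls.append(d)
    return calls

def api_summary(calls):
    """Count calls per module.function, the raw material for a behaviour report."""
    return Counter(f"{c['mod']}.{c['func']}" for c in calls)

def anti_debug_indicators(calls):
    """List the calls in the trace that commonly serve to detect a debugger."""
    found = []
    for c in calls:
        if c["func"] in ANTI_DEBUG_APIS:
            found.append(f"{c['mod']}.{c['func']}")
        elif c["func"] == "NtQueryInformationProcess" and len(c["args"]) > 1:
            cls = DEBUG_INFO_CLASSES.get(int(c["args"][1], 16))
            if cls:
                found.append(f"{c['mod']}.{c['func']}({cls})")
    return found
```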

Wepawet: analyzing web-based malware

Hello guys!

Wepawet is a new service for detecting and analyzing web-based malware. It currently handles Flash and JavaScript files.

http://wepawet.iseclab.org

Things you can do with Wepawet:
- Determine if a page or file is malicious. Wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or benign and provides you with information that helps you understand why it was classified one way or the other.
- Simplify manual analysis. Wepawet displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples. For example, it gives access to the unobfuscated malicious code used in an attack. It also collects the URLs accessed by a sample.
- Identify the exploited vulnerabilities. Wepawet does not just tell you that a resource is malicious; it also shows you the exact vulnerability (or, more likely, the vulnerabilities) exploited during an attack.

DNSChanger 2.0

DNS Changer 2.0 (Trojan.Flush.M) is the next in-the-wild variant of this famous malware. The strategy has now changed: there is no need to modify the DNS settings on ADSL routers. Instead it installs a network driver (NDISProt.sys) which allows the malware to send and receive raw Ethernet packets. This approach helps it bypass the Windows TCP/IP stack, the firewall and HIPS.

It installs a rogue DHCP server on the infected machine and listens for DHCP requests and responds with its own crafted DHCP offer packets. The reply contains malicious DNS servers, which will redirect hosts to infected websites that include everything from phishing to exploit-and-infect pages.

The question is how to protect against and prevent such attacks.

Continue Reading at the Extreme Security Blog
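One defensive check that follows from the description above: inspect DHCPOFFER packets seen on the segment and alert when the offering server or the DNS servers it hands out (option 6) are not the ones you expect. The following Python is an added example (not from the Extreme Security Blog post); the offer packet, server addresses and trusted sets are constructed for the demo.

```python
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that precedes the options
OPT_MSG_TYPE, OPT_DNS, OPT_SERVER_ID, OPT_END = 53, 6, 54, 255
DHCPOFFER = 2

def build_offer(server_ip, dns_servers):
    """Construct a minimal DHCPOFFER (UDP payload only) for the demo."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x12345678, 0, 0,
                      b"\0" * 4, ipaddress.ip_address("192.168.1.50").packed,
                      b"\0" * 4, b"\0" * 4)            # op..giaddr (28 bytes)
    hdr += b"\0" * 16 + b"\0" * 64 + b"\0" * 128       # chaddr, sname, file -> 236 bytes
    dns = b"".join(ipaddress.ip_address(d).packed for d in dns_servers)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
    opts += ipaddress.ip_address(server_ip).packed
    opts += bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts

def parse_options(payload):
    """Return {option_code: raw_value}; raises ValueError on a malformed packet."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                       # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    return opts

def rogue_dns_check(payload, trusted_dhcp, trusted_dns):
    """Return alert strings for a DHCPOFFER whose server or DNS list is unexpected."""
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []
    server = str(ipaddress.ip_address(opts.get(OPT_SERVER_ID, b"\0" * 4)))
    raw = opts.get(OPT_DNS, b"")
    dns = [str(ipaddress.ip_address(raw[i:i + 4])) for i in range(0, len(raw) // 4 * 4, 4)]
    alerts = [] if server in trusted_dhcp else [f"offer from unexpected DHCP server {server}"]
    alerts += [f"untrusted DNS server {d} offered" for d in dns if d not in trusted_dns]
    return alerts
```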

Memoryze Memory Forensics Tool

Peter Silberman from Mandiant has written an article at OpenRCE about the new tool Memoryze.

Introduction:

The goal of this article is to demonstrate how simple malware analysis can be using Memoryze and some good old-fashioned common sense. Readers should have some knowledge of how malware works and be somewhat familiar with Memoryze. A good place to familiarize yourself with Memoryze is the user guide included in the installer.

Memoryze is designed to aid in memory analysis in incident response scenarios. However, it has many useful features that can be utilized when doing malware analysis. Memoryze is special in that it does not rely on API calls. Instead, Memoryze parses the operating system's internal structures to determine for itself what the operating system and its running processes and drivers are doing.

Comments on NYT article: A sneaky security problem, ignored by the bad guys

Today I read an article on the New York Times website called A sneaky security problem, ignored by the bad guys

NY Times: A Sneaky Security Problem

I had a conversation by phone and mail with its author, Robert McMillan from IDG News, and answered some of his questions about my Rustock.C research as he planned to write the above story. There are some quotes by Al Huger from Symantec in this article I would like to comment on, as I disagree with most of his statements regarding rootkits.

Great Virtual Memory Overview by Mark Russinovich

Virtual memory continues to be one of the things that people have a lot of problems understanding. There are lots of misconceptions about how this fundamental part of the operating system works. Mark Russinovich has done an excellent job, as usual, distilling this information into a very readable form. I suggest you read his blog post titled Pushing the Limits of Windows: Virtual Memory on the technet site.