WARNING: This site contains samples of live malware. Use at your own risk.

Ether 0.1 Debian Package - BETA

To make Ether a bit easier to install, we've put together a Debian package with precompiled Ether binaries. This is considered a highly beta install package, so you will want to take care about where you install it. Everything should install into /opt/ and behave very much as Ether does when you compile it from source.

Please note that this package contains the Ether patched Xen package. Other than satisfying the package's dependencies, you shouldn't install anything beyond that. This has been tested with a fresh installation of Debian Lenny. Please note that uninstall is currently not implemented.

Thanks to Chris Collord and Daniel Cox for their work on this.

Download the Ether 0.1 Debian Package here

Generating Ether-like Trace Files for VERA

I've had a few people email me about how to use non-Ether generated trace files in VERA. To help with this, I ran a trace with Ether of the Notepad.exe included with Windows XP.

Notepad.exe Trace file

If you want to generate instruction traces external from Ether, you just need to make sure it follows the same format. First, you should start with the standard instruction trace boilerplate. It looks like this:

After init:
        shared_page_ptr: 0xffff830000fd9000
        shared_page_mfn: 0xfd9
        domid_source: 0
        event_channel_port: 34
Shared Page va: 0x7fde19b77000
Shared Page test:
        Page-Sharing is A-OK!

Trying to bind to local port...
Success, bound to local port: 35
Trying to get first pending notification...
Taking off suprious pending notification...
Setting filter by name to: notepad.exe
Execution of Target detected:
        Image Base:  0x1000000
        Image Size:  0x14000
        Entry Point: 0x100739d

After this, all you need to do is have a listing of instructions. Right now the only thing I'm parsing is the instruction address, so there's no need to include the actual instruction. Later versions of VERA will use the disassembly.

100739d: push   0x70
100739d: push   0x70
100739f: push   0x01001898
10073a4: call   0x01007568
1007568: push   0x010075BA
100756d: mov    eax, fs:[0x00000000]
1007573: push   eax

At the end of the file, after all the instructions, make sure you include two "Handling sigint" messages:

1007519: jnz    0x01007522
100751b: push   esi
100751c: call   [0x1001318]
Handling sigint
Handling sigint

That should be all you need to use VERA for your own uses. As always, let me know if there are any bugs you observe.
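The two halves of the format described above (the boilerplate header, then one address per line, then the two trailer lines) as an added example that is not part of the original post: a small writer that emits a VERA-readable trace from a list of executed addresses, and a reader that checks the trailer and pulls the addresses back out, which is all VERA currently parses. The header values are copied from the notepad.exe trace above and serve only as placeholders; the sample instruction list is constructed.

```python
# Header boilerplate in the shape of the Ether output shown above; the shared-page
# and port values are copied from the post and are only placeholders for VERA.
HEADER = """After init:
        shared_page_ptr: 0xffff830000fd9000
        shared_page_mfn: 0xfd9
        domid_source: 0
        event_channel_port: 34
Shared Page va: 0x7fde19b77000
Shared Page test:
        Page-Sharing is A-OK!

Trying to bind to local port...
Success, bound to local port: 35
Trying to get first pending notification...
Taking off suprious pending notification...
Setting filter by name to: {target}
Execution of Target detected:
        Image Base:  {base:#x}
        Image Size:  {size:#x}
        Entry Point: {entry:#x}

"""

def build_trace(insns, target="notepad.exe", base=0x1000000, size=0x14000, entry=0x100739d):
    """Emit a VERA-readable trace: header, one 'addr: insn' line per executed address, trailer."""
    body = "".join(f"{addr:x}: {text}\n" for addr, text in insns)
    return HEADER.format(target=target, base=base, size=size, entry=entry) + body + "Handling sigint\n" * 2

def parse_trace(text):
    """Return (entry_point, executed_addresses); VERA only needs the addresses, not the mnemonics."""
    lines = text.splitlines()
    if lines[-2:] != ["Handling sigint"] * 2:
        raise ValueError("trace must end with two 'Handling sigint' lines")
    entry, addrs = None, []
    for line in lines:
        if line.strip().startswith("Entry Point:"):
            entry = int(line.split(":", 1)[1], 16)
        elif entry is not None and ":" in line and not line.startswith(" "):
            addr = line.split(":", 1)[0]          # instruction lines only follow the header
            if addr and all(c in "0123456789abcdefABCDEF" for c in addr):
                addrs.append(int(addr, 16))
    return entry, addrs

# Constructed sample: the first few instructions of the notepad.exe trace from the post.
SAMPLE = [(0x100739d, "push   0x70"), (0x100739f, "push   0x01001898"), (0x10073a4, "call   0x01007568")]
```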

VERA 0.1 Released

I would like to announce the latest version of VERA, the reverse engineering visualization program. Lots of bugs have been fixed, which I have detailed below. Be sure to read the original VERA release documentation for instructions on how to use it.

Here is the change log:

  • View panning has now been fixed so that it follows the mouse.
  • Cleaned up display code and made it more portable.
  • Fixed right-click selection code. Currently a stub function, but more will come later.
  • Center graph on first load. Now the graph isn't out in the middle of nowhere when you first load it.
  • The start of execution is highlighted with a big blue box.
  • Added arrows to show directionality of execution.
  • Implemented frustum culling for rendering font text. This makes things *much* faster.

If you have any problems, please let me know via dquist SHIFT-2 offensivecomputingDOTnet

State of the art in CRiMEPACK Exploit Pack


CRiMEPACK is a widespread exploit pack, well accepted in the crime scene of this area, which arrived under the slogan "Highest rates for the lowest price".

Version 3.0 is currently In-the-Wild and is being developed as an alpha (the first of this version). That is, it is in an intermediate stage of evaluation; it may go on sale in underground forums in the next few days, at which point its actual cost will be known.

Like any exploit pack, it consists of a set of pre-compiled exploits that take advantage of a number of vulnerabilities in systems with weaknesses in some of their applications, then download and run malicious code (Drive-by-Download & Execute), turning that system into a zombie and therefore part of the criminal apparatus.

And I say "criminal" because those behind the development of this type of crimeware do it for that purpose. Judging by the pictures (a washcloth, a handgun, a wallet, money and what appears to be cocaine, the typical scenario of any mafia) seen in the authentication interface of its control panel, this definition is very evident.

The first time I found this package was in 2009, when the In-the-Wild version was 2.1; it later made its "great leap" to one of the most popular versions, 2.8 (still active), which in early 2010 had incorporated CVE-2010-0188 and CVE-2010-0806 into its portfolio of exploits, in addition to adding an iframe generator and a "Kaspersky Anti-emulation" function, at a cost of USD 400.

YARA 1.4 released

A new version of YARA has been released. This version improves scanning speed and fixes an annoying bug that caused crashes on 64-bit Windows. It also introduces external variables, a feature that allows you to create rules that depend on variables provided from the outside world.

Get the latest documentation here

The Irrelevancy of Industry Accepted Malware Testing Standards

Writing or presenting about AV testing and performance is a great way to draw the collective ire of the AV industry. This is a hot button subject that I, personally, have received a lot of grief on. The primary reason that the AV industry is so sensitive about their software is because it is not as effective as they would like you to believe. Case in point is the recent Anti-Malware Testing Standards Organization’s document titled Issues involved in the ‘creation’ of samples for testing. If you want to find a document listing all the hot-button issues that particularly perturb the AV community, here it is.

Without taking a particular side, the document seeks to “frame the debate” on the issue of “creating” malware samples. What follows is a 19-page exploration of all the ways new malware can be created. Here is a short list of the modifications they address:

  1. Archiving samples using ZIP or tar
  2. Packing / repacking with a new packer (think UPX or ASPack)
  3. Using a malware generation kit
  4. Server-side polymorphic samples - the sample is slightly modified every time it is downloaded from a public website
  5. Patched versions of an existing file, including PE modifications and actual code changes
  6. Writing a custom packer
  7. Writing a new sample using existing techniques
  8. Writing new samples using unknown techniques

Specifically prohibited is public dissemination of malware samples. These might actually encourage people to test AV software before buying it.

The pros and cons of each are presented, followed by a way to frame your debate afterwards. What all of these miss is the central point that malware authors are using every single one of these techniques with spectacular success. The other terrible secret is that these techniques are extremely easy. Continued debate on whether or not these tests are ethical is moot because malware authors are already using them. In order to protect against real threats, you must use the techniques that are being used to evade your protection software.

Consider the NHTSA talking about testing crash performance, but not actually ever smashing any of the cars into a wall. There’s no substitute for the real thing unless you’re trying to hide something. In the case of the AV industry, that thing is their technological irrelevance to the modern malware threat.

PDF Exploit detection system: Joedoc

We are happy to release Joedoc, a novel runtime analysis system for detecting exploits in documents such as PDF and DOC. In its current beta stage it detects PDF exploits in Acrobat Reader 7.0.5, 8.1.2, 9.0 and 9.2. Check out the submission instructions on www.joedoc.org to have malicious PDFs checked.

Basic Trojan Banker Win32.Banz.a Anatomy - Reverse Engineering

Hi,

Today we are going to inspect a rootkit-technology based banker, called Win32.Banz.a or RKIT/Banker.9088.
This rootkit presents some interesting aspects from a reverse engineering point of view because it has two
layers of protection:

* UPX
* DalKrypt

Before starting the direct analysis let's study the general structure, with a PE inspection.

MD5: 58A567A59A6B713B3B2638BC76C100DC
SHA-1: 0C18FF28DF6941541CDA89FF8006025E0E07E83D

Section Headers:

* UPX0
* UPX1
* .rsrc
* .DalKiT
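The PE inspection step above, as an added example that is not part of the original post: a dependency-free walk of the PE headers that lists the section names in table order and flags the ones that betray a packer layer. The packer name set and the minimal PE image builder are constructed for the example; note that the custom .DalKiT section is deliberately not on any such list, which is exactly why a second, unknown layer needs manual analysis.

```python
import struct

# A few well-known packer section names (constructed list); UPX0/UPX1 are what Win32.Banz.a shows.
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".nsp0", ".nsp1"}

def section_names(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table and return the names."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                        # 20-byte COFF file header
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size               # section table follows the optional header
    names = []
    for i in range(n_sections):
        off = table + 40 * i                   # IMAGE_SECTION_HEADER is 40 bytes; name is the first 8
        names.append(pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def packer_hints(names):
    """Section names that indicate a known packer layer; anything custom (.DalKiT) stays unflagged."""
    return [n for n in names if n in PACKER_SECTIONS]

def build_sample(names):
    """Constructed minimal PE: MZ stub, PE signature, i386 COFF header (no optional header), section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    secs = b"".join(struct.pack("<8s6I2HI", n.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0) for n in names)
    return dos + b"PE\0\0" + coff + secs
```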

Best Buy iPad Censorship

Today I was at Best Buy playing with the iPad, when I tried loading Offensive Computing on the web browser. It seems that Best Buy thinks that this site has something to do with hacking. I wonder if some customers were stress testing the demo machines' antivirus products.

The picture is blurry so here is the text:

This Page Cannot Be Displayed

Based on your corporate access policies, access to this web site ( http://offensivecomputing.net/ ) 
has been blocked because the web category "Hacking" is not allowed.

Store Network

If you have questions, please contact a Best Buy Employee and provide the codes shown below.

Notification codes:     (1, WEBCAT, BLOCK-WEBCAT, 0x0021ed3a, 1270677200.557, 
AAAdUAAAAAAAAAAAyf8AEP8AAAA=, http://offensivecomputing.net/)

Analysis of new malware (YolrotX - Backdoor.Win32.Poison.apec)

This is the latest malware I got from the malware repositories. Here I present how this malware infects the system and which third-party actions this specimen performs.
YolrotX
Written in Visual Basic 6.0
MD5 checksum: cb702c3319a27e792b84846d3d6c61ad
Size: 61493 bytes
Extracts itself to %windir%\System32 under 3 different names: update.exe, security.exe, avg.exe
It also opens Internet Explorer and tends to browse the golo.com website.
It also seems to use the following library: Microsoft Base Cryptographic Provider v1.0
The author's username is Basic, so we can name the author Basic.
It also tries to download the following files to system32.

hxxp://www.oviedolocal3476.com/mail/bin/msm.exe
\system32\updates.exe

hxxp://www.oviedolocal3476.com/mail/bin/plugoff.exe
\system32\securitys.exe

hxxp://www.oviedolocal3476.com/mail/bin/regdllhelper.exe
\system32\drivess.exe

When it starts executing, it also drops a driver named "drive.sys" and "drive.sys.off" into system32\Drivers and shows some rootkit behavior; when scanning with RKU, it reports an attempt to hide the process update.exe.
Opens a handle to cmd.exe.
There seems to be no hooking behavior in this sample.
Sets itself to start up under the following key with 3 different entries:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run
\System32\avg.exe
\System32\update.exe
\System32\security.exe
Easy to kill: just terminate update.exe, security.exe and globo.exe, and the malware becomes inactive.
VT result: 6/42 (14.29%)
VT permalink:
http://www.virustotal.com/analisis/ec89254ddb24b1c7f750d8c32d6e33d8f20959be410092401bbc28ee0bf19d07-1270075998

Download the sample from here:
http://www.multiupload.com/I5OPJU5DIN
Password: Infected

P.S.: I've added it to the OC database; try searching for this one: cb702c3319a27e792b84846d3d6c61ad