WARNING: This site contains samples of live malware. Use at your own risk.

Google's Binary Search Helps Identify Malware


"A little-known capability in Google's search engine has helped security vendor Websense uncover thousands of malicious Web sites, as well as several legitimate sites that have been hacked, the company said today."

Read the full PC Magazine Article

What's really interesting is this portion:

"Hubbard and his team plans to share its Google code with a select group of security researchers, but it will not make the software public, for fear that the tool could be misused by the bad guys."

This is yet another example of the reluctance to share information regarding malware. There is enough information in the article to replicate the technique, but not enough to make it a viable tool, unless you want to spend a lot of money.

20 Years of PC Viruses

TechWeb is running an article showcasing 20 years of PC viruses.

In the first half of the 1980s, computer viruses -- programs that reproduce themselves by "infecting" other programs -- existed mostly in labs. A few had managed to find their way into the wild on the Apple II platform, but for the most part they were tightly controlled by computer researchers.

W32/Cuebot-K


MD5: f0d5c5577ec40a12cec0e56442afdcca
File size: 7,643 bytes
Packer: Mew
AntiVir: Worm/IRCBot.7643
ArcaVir: Trojan.Ircbot.St
Avast: nothing found
AVG Antivirus: Worm/Opanki.IP
BitDefender: Backdoor.IRCBot.JV
ClamAV: nothing found
Dr.Web: nothing found
F-Prot Antivirus: Possibly a new variant of W32/Threat-HLLIM-based!Maximus
Fortinet: W32/IRCBot.ST!tr.bdr
Kaspersky Anti-Virus: Backdoor.Win32.IRCBot.st
NOD32: Win32/IRCBot.OO
Norman Virus Control: W32/Suspicious_M.gen

UI Development

As Chamuco has indicated, I'm working on getting my prototype code into a usable form. For those of you who did not get the chance to see my office, I had about 8 pages filled front-and-back with file offset calculations and other side-effects of a highly disjoint process.

Right now I've moved the code from a series of standalone projects into a suite unified by a CGI/Python interface. This is moving toward integration with OC's systems to provide automatic coverage of malware submissions.

The major problem with the BLAST-type approach, as with the original BLAST algorithm, is in filtering the output to get the usable kernels.
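The post names the filtering problem but does not show it. The block below is an added illustration written for this page, not the binBLAST code described above: a minimal BLAST-style seed-and-extend over two constructed byte strings that share one 16-byte code block plus a few 3-byte coincidences. Every word hit along the shared region extends to the same high-scoring pair, the coincidental hits extend nowhere, and a minimum-score cutoff is what separates the one usable hit from the noise. The word size, scoring values, X-drop threshold and sample bytes are all assumptions.

```python
"""BLAST-style seed-and-extend over byte strings, with score filtering.

Added example for this page; not the binBLAST implementation from the post.
All scoring parameters and the sample byte strings are assumptions.
"""
from collections import defaultdict

MATCH = 1      # score per matching byte (assumed)
MISMATCH = -2  # penalty per mismatching byte (assumed)
XDROP = 3      # stop extending once the score falls this far below its peak (assumed)

# Constructed samples: one shared 16-byte block (a function prologue and a
# local-variable store) embedded in different surroundings, plus 3-byte
# coincidences ("6a 00 e8" and "5d c3 90") placed at opposite ends.
SHARED = bytes.fromhex("5589e583ec10c745fc000000008b45fc")
SAMPLE_A = bytes.fromhex("6a00e8") + SHARED + bytes.fromhex("5dc390")
SAMPLE_B = bytes.fromhex("5dc39031c0") + SHARED + bytes.fromhex("6a00e8")


def find_seeds(a: bytes, b: bytes, k: int):
    """Return every (i, j) with a[i:i+k] == b[j:j+k]: BLAST's word hits."""
    index = defaultdict(list)
    for j in range(len(b) - k + 1):
        index[b[j:j + k]].append(j)
    seeds = []
    for i in range(len(a) - k + 1):
        for j in index.get(a[i:i + k], ()):
            seeds.append((i, j))
    return seeds


def _extend(a: bytes, b: bytes, i: int, j: int, step: int):
    """Ungapped walk from (i, j) in one direction with an X-drop cutoff.

    Returns (best_gain, steps) for the best-scoring prefix of the walk.
    """
    score = best = 0
    n = best_n = 0
    while 0 <= i < len(a) and 0 <= j < len(b):
        score += MATCH if a[i] == b[j] else MISMATCH
        n += 1
        if score > best:
            best, best_n = score, n
        elif best - score >= XDROP:
            break
        i += step
        j += step
    return best, best_n


def extend_seed(a: bytes, b: bytes, i: int, j: int, k: int):
    """Extend one word hit both ways into a high-scoring pair.

    Returns (start_a, start_b, length, score).
    """
    right_gain, right_n = _extend(a, b, i + k, j + k, +1)
    left_gain, left_n = _extend(a, b, i - 1, j - 1, -1)
    return (i - left_n, j - left_n, left_n + k + right_n,
            k * MATCH + left_gain + right_gain)


def blast_hits(a: bytes, b: bytes, k: int = 3, min_score: int = 8):
    """Seed, extend, deduplicate, then filter.

    Returns (all_pairs, kept_pairs). Seeds on the same diagonal collapse to
    one pair; the min_score cutoff is the filtering step the post refers to.
    """
    pairs = {extend_seed(a, b, i, j, k) for (i, j) in find_seeds(a, b, k)}
    kept = sorted(p for p in pairs if p[3] >= min_score)
    return sorted(pairs), kept


if __name__ == "__main__":
    seeds = find_seeds(SAMPLE_A, SAMPLE_B, 3)
    all_pairs, kept = blast_hits(SAMPLE_A, SAMPLE_B)
    print(f"{len(seeds)} word hits -> {len(all_pairs)} distinct pairs -> {len(kept)} kept")
    for start_a, start_b, length, score in kept:
        print(f"A[{start_a}:{start_a + length}] == B[{start_b}:{start_b + length}]"
              f" score={score}: {SAMPLE_A[start_a:start_a + length].hex()}")
```

With these inputs the 18 word hits collapse to 5 distinct pairs, of which only the 16-byte shared block survives the cutoff; the three-byte coincidences and the off-diagonal hits inside the run of zero bytes all score 3 and are dropped. Raising k reduces the seed count but also the sensitivity to slightly modified code, which is the same trade-off the original BLAST makes.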

Joanna strikes again

Joanna Rutkowska is one of those researchers who continues to amaze and impress me. Pushing things to the next level as usual, she has come up with Blue Pill.

http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html

I can't wait until Blackhat to see more about this. Hrm, so we have Red Pill, Blue Pill, No Pill; what's next? Maybe Camopill?

Anyway, I can't wait to see what you do next.

V.

OC Updates and Feature Requests

We're currently working on a variety of things at OC. The first one being improved is the query system. Some people have requested a list of all the malware that is available. That list would be quite large, and would probably be unusable. For now you can search for specific malware names (such as netsky) and get a listing in that manner.

If you would like to download our complete archive, please contact Val or myself and we'll discuss this. Generally in these situations we would like to get your archive as well.

Hllywood is working hard to get his automatic malware classification system up and running on OC. He's currently in the process of translating this code from thesis-code to working-code. Any of you in grad school will appreciate the distinction.

Malware Catalog / index.


Hello,

Is there, or perhaps will there be a list, of malware samples that are available? I don't seem to see anything like that at the moment. Might be useful.

Posting to Sourceforge in Process

The tool mentioned in the previous post will be presented at DefCon and released via SourceForge. The intent is to make the suite usable for larger analysis vs. the prototype analysis present in my thesis topic. As soon as I have the registration for the SourceForge project completed, I will post the project link here.

Special thanks to Valsmith and Chamuco for providing the source malware for my thesis as well as some reverse engineering pointers.

binBLAST presentation at DefCon

Excel 0day Second Stage Malware

The new Excel 0day malware is available through the malware search. Simply search for the MD5 sum "8e98ee572636fb66f69df992b4dfa983" using the malware search on the right toolbar.

SANS ISC has coverage of the malware, as does Microsoft's blog.

Offensive Computing Team to Speak at Defcon


Val and Danny's talk was accepted to Defcon 14. Get the schedule and talk information at the Defcon site.

Here's our abstract:

The proliferation of malware is a serious problem, one that grows in sophistication and complexity every day, but with this growth comes a price. The price that malware pays for advanced features and sophistication is increased vulnerability to attack. Malware is a system, just like an OS or application. Systems employ security mechanisms to defend themselves and also suffer from vulnerabilities which can be exploited. Malware is no different.