WARNING: This site contains samples of live malware. Use at your own risk.

Burn out


Sorry all, I've been extremely busy working on back end stuff and kind of burnt out lately, hence the lack of new malware posts. Several of you have sent me samples and I'll get working on them soon, and some exciting new features are on the way.

V.

IMG-7.pif AIM Malware


Notes in the Report.rtf

Password for attachment zip == infected

img7.pif
MD5SUM: 8cb6b40527571f3156e8147eaf3d137b
SHA1SUM: edd0a1b715954871d67f7f9d5db09d2a4913113a
SHA256SUM: 50b8b770e4b561221245c119d05e6369601aed158086f58bff811cf2961220c7

PACKER: PECompact 2.x
REF:
DATE FOUND: 01/28/2006
VECTOR: AOL Instant Messenger
THREAT: SdBot
CME #:

REcon Malicious Code Analysis Video / Slides

Video and slides are up for the Malicious Code Analysis presentation that Ryan Russell and Nicolas Brulez gave at REcon '05.

http://2005.recon.cx/recon2005/papers/Ryan_Russel-Nicolas_Brulez/

Check it out-
Tebodell

Nyxem.E

NOTE: Thanks jupe, I really appreciate the contribution. I am attaching some more related files and some new stuff. V.

Nyxem.E is a mass mailing worm that also tries to spread using remote shares. Rename this sample to Attachment.bhx, then uncompress using a utility like Winzip.

Unknown Executable


This executable was found by one of our constituents. I am not sure what it does. It is not detected by anti-virus, (except Panda, maybe). It has curious icons in it, and appears to be written with Delphi. Googling for some randomly chosen binary strings inside the icon revealed several compromised php and cvs sites serving up executables with this image.

Besides this, the machine was a run-of-the-mill IRC bot.

Sharing policy


Just a note in case it wasn't obvious. The policy of Offensive Computing is to "share" any contributions received by posting them on the site and potentially to A/V vendors unless explicitly told not to. Thanks,

V.

backdoor.ircbot


Update: Thanks to NED we have some more potential variants of this one. The password is "infected" and they could use some more analysis. If I get time I'll try to break the packing on them (Morphine, etc).

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 34b72db0fea7ad88546b76596a6fc7f0
SHA1SUM: d7c11f5cb9ddb024c880c6d8c2e7868d8bdedaa5
SHA256SUM: 6e05e6ee8cf2ce407f40e8700ac929ce1d4999317de454d918419105d30e9a9c
A/V SCAN: MS-DOS executable (EXE), OS/2 or MS Windows
PACKER: [!] SVKP - Slovak Protector encrypted !
#################################

Backdoor.Botnachala


start.exe backdoor.botnachala

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 2eb58d7431b558c29ec2c18f6d8b495b
SHA1SUM: 4e74377003143ea90953c5b069563aa7ca7c7188
SHA256SUM: 93a050723fa3a3b4fff0cd419de2140d0db7702610273538eea71571aab9201d
A/V SCAN: MS-DOS executable (EXE), OS/2 or MS Windows
PACKER: [!] UPX [unknown / modified] !
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
#################################

new stuff ?


Does anyone out there have any new malware? I have tons of old stuff I'm slogging through, but I'm kind of running low on new malware. My collectors pick up unlimited amounts of Korgo but nothing really interesting. AIM stuff, new worms, anything? Anyone have anything they are having trouble reversing or analyzing, like maybe with anti-debugger code or something?

I'll do a full analysis with lots of info :)

V.

IDS sigs?


Hi. New to the site, but this looks a lot like what some of my friends and I have been looking for. That is, a site that says something to the effect of "here is what a packet looks like if it (fill in the blank) and can be found with this signature."

I realize that sigs are better found at snort.org and sites like that, but it would be nice to have the full pcap file, the sig, *and* (if possible) the malware to go with it. Is that outside the scope of what this site is for? I notice that the Intrusion Detection link tells me to go away....

Thanks,

Wille