Skip navigation.
WARNING: This site contains samples of live malware. Use at your own risk.


Rule2Alert's goal, is to read in snort rules and generate packets that would make snort produce an alert. It is written entirely in python and utilizes Scapy to craft the packets. It is still under heavy development with myself, Pablo Rincon, and Will Metcalf.

Currently, it is able to generate pcaps based off simple content snort compatible rules. I loaded in the emerging-all.rules file and was able to create a pcap that alerted snort 514 times. The project is not ready to be released yet, but the results look promising so far. This project is currently under the Open Information Security Foundation, as all of the project members are currently working on the new IDS/IPS system Suricata.


alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; distance:5; within:12; sid:2000000; rev:1;)

famousjs@youbantoo:~/rule2alert$ sudo python -vt -c /etc/snort/snort.conf -f rules/test.rule -w test.pcap
Ether / IP / TCP > S
Ether / IP / TCP > SA
Ether / IP / TCP > A
Ether / IP / TCP > PA / Raw

-------- Hex Payload Start ----------
56 24 5a 63 20 20 20 20
20 68 65 79
--------- Hex Payload End -----------

Loaded 1 rules successfully!
Writing packets to pcap...
Successfully alerted on all loaded rules

RussKill. Application to perform denial of service attacks


Conceptually speaking, a DoS attack (Denial of Service attack) is basically bombarded with requests for a service or computer resource to saturate and the system can not process more data, so those resources and services are inaccessible, "denying" the access to anyone who wants them.

From the standpoint of computer security, Denial of Service attacks are a major problem because many botnets are designed to automate these attacks, especially those of particular purpose, taking advantage of computational power offered by the network of zombies. In this case, the attack is called Distributed Denial of Service (DDoS).

Moreover, under the framework of the concept of cyberwarfare, this type of attack is part of the armament "war" through which virtual scenarios presented conflicts between their requirements as to neutralize a state vital services.

RussKill is a web application that is classified within these activities and that despite being extremely simple, both in functionality and in the way of use, is an attack that could be very effective and difficult to detect.

As is customary in the current crimeware, the web application is of Russian origin and has a number of fields with information about how and against whom to carry out the attack, letting you configure the packet sequence, ie the flow in amount. The option "Hide url" is a self-defensive measure designed to ensure that the server is detected.

Although several methods of DoS attacks, RussKill makes use of the attacks HTTP-flood and SYN-flood. In both cases the servers for flood victims through http requests and packets with fake source IP addresses respectively.

As I said at first, the denial of service attacks are a danger for any information system, regardless of the platform that supports services and applications such, in this case site, demonstrates the ease with which an attack of this type can run.

Jorge Mieres
Pistus Malware Intelligence

DNAScan Malicious Network Activity Reverse Engineering


This is a paper split into two episodes, the first two can be read here


In this blog post we will investigate deeply the effective functionalities of DNAScan,
that can be seen as a set of Threads that accomplish different networking functionalities like:

* Server Functionalities
* Client Functionalities
* Malicious File Exchange
* Generic Backdoor

Let's start from the beginning of network functionalities setup, initially from the main thread is called WSAStartup used to initiate the Winsock DLL, successively is called a classical socket() and immediately after WSAIoctl

Ether Mailing List

Artem has created a mailing list for all Ether development related activities. You can find it here in the Google Groups.

Buster Sandbox Analyzer 1.0 release version

I released Buster Sandbox Analyzer 1.0.

Buster Sandbox Analyzer is a malware analyzer using Sandboxie as environment to run programs.

You can follow the development of the tool here:

And you can download the tool from here:

Reading the manual before using the tool is necessary.

Wandering Through Trojan.NtRootKit.47 Driver


Wandering Through Trojan.NtRootKit.47 Driver
Author: ocean


I didn’t have the dropper at the moment of writing this, only the driver. Without the dropper we can only get a generic idea of what the driver is used for. The driver has been reverse engineered by deadlist, a really irritating thing to do actually, but it can be useful to see the generic structure of a typical driver.

It’s a driver with dll functionality. Erssd shows us that the driver is produced by ErrorSafe, a fake-av (scareware) company. Seems like there are no rootkit functionality in this driver, while only a few zw* functions are exposed to the dropper, through the use of IOCTLS, though we can’t know how this is used without access to the dropper.

Driver entry point:
driver entry point graph
Simple start structure, a Device is created with name “erssdd” and linked with a Dosdevice with the same name, next every PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION+1] will be written to point to a general IRP_dispatch procedure. Also a driver unload routine is set.

.text:000113EA push 1Ch ; IRP_MJ_MAXIMUM_FUNCTION+1
.text:000113EC lea edi, [ebx+38h]
.text:000113EF pop ecx
.text:000113F0 mov eax, offset irp_dispatch
.text:000113F5 rep stosd

.text:000113F7 mov dword ptr [ebx+34h], offset unload

unload procedure is pretty simple too

.text:0001133A unload:
.text:0001133A cmp Handle, 0
.text:00011341 jz short loc_1134A
.text:00011343 push 0
.text:00011345 call close_handle
.text:0001134A loc_1134A:
.text:0001134A push offset DestinationString
.text:0001134F call ds:IoDeleteSymbolicLink
.text:00011355 push DeviceObject
.text:0001135B call ds:IoDeleteDevice
.text:00011361 retn 4

it will just check if there’s and object handle open and close it (inside function close_handle there’s a call to

now the irp dispatcher procedure :)

Huytebesy4ko Hijacker analysis

Continuing on the road of scammail-spread malwares, today I am going to analyze an interesting little toy i accidentally get in touch just yesterday when receiving this funny email at my Universitary address from a fake crafted address

We are contacting you in regards to an unusual activity that was identified in your mailbox. 
As a result, your mailbox has been deactivated. To restore your mailbox, you are required to 
extract and run the attached mailbox utility.

Best regards, technical support.

As you may guess there was an attachment called containing an utility.exe which VirusTotal rates with a 73%.

T-IFRAMER. Kit for the injection of malware In-the-Wild

| |

T-IFRAMER is a package that allows you to automate, centralize and manage via http the spread of malicious code via code injection sites violated viral techniques using iframe, and feed a botnet. We then see a screen capture of authentication.

While there is a complex kit allows computer criminals manage the spread of malware via the http protocol type attacks using Drive-by-Download and Drive-by-Injection by inserting iframe tags in web pages violated.

The four key modules: Stats, Manager, Iframes and Injector, and each has the main function to optimize the spread of malware.

The first one (Stats) to manage FTP accounts violated having control over them with the ability to upload files. Thus begins one of the cycles of propagation of malicious code.

Ether Automation Utility: Ether Bunny

Ether Bunny is a script that I use to automatically startup and run Xen domains, copy files, and then execute them with Ether. It is a quick hack I put together. Most of the variables at the top of the file will need to be changed to match your configuration. This script is made available as-is. If it doesn't work you'll need to debug it on your own. That being said if you find it useful and modify it let me know and I'll be happy to update the public version.

You'll need to get a copy of Winexe as well to remotely run the files. There are some setup instructions at the Winexe page that will help you to configure your host machine.

Here's how I use it:

snoosnoo:/xen# ./ malware.exe
Ether Bunny v0.1 by Danny Quist

Analyzing malware.exe to on VM
Destroying old vm image /xen/winxp-sp2-malware-instance/
Restoring vm image...
Starting vm from /etc/xen/ramdisk-winxp-sp2.cfg
Copying malware.exe to VM 1166 at
Attempt: 1
Running malware.exe on VM winxp-sp2-ramdisk (1166)
Letting program run...
dos charset 'CP850' unavailable - using ASCII
EPOLL_CTL_ADD failed (Operation not permitted) - falling back to select()
Killing ether.
Destroying VM ID: 1166

Download Ether Bunny here.


Edit Jan 18 2011: The Winexe site seems to have disappeared, so I have linked to my local compiled copy.

[Crimeware] Researches and Reversing about Eleonore Exploit Pack


Today we will see how works Eleonore Exploit Pack directly from an infected website.

Essentially Eleonore Exploit Pack is a collection of Exploits and Data Statistics Collectors, this is the 'marketing' presentation of the exploit pack:

I present new actual russian exploits pack "Eleonore Exp v1.2"

Exploits on pack:
> MS009-02
> Telnet - Opera
> Font tags - FireFox
> PDF collab.getIcon
> PDF Util.Printf
> PDF collab.collectEmailInfo
> DirectX DirectShow
> Spreadsheet