Skip navigation.
Home
WARNING: This site contains samples of live malware. Use at your own risk.

Whats needed ?

So what does OC need? Alot of people have sent me tons of malware samples (awesome thanks!) however what is really needed for OC is people who want to do cataloging, checksumming and analysis on samples. People willing to write IDS rules are needed too. If you are willing to do work uploading, cataloging and preparing samples, go for it. If you don't have any samples to work on, let me know I have enough to keep you busy. Also feel free to add info to the samples I've already seeded the database with too.

V.

more identification ideas

Just posting some ideas from Dave Aitel here (so they're not forgotten.

"I've always wondered at the use of md5 for file determination of malware. Seems like it's time for something a bit more of a curved function than that. You want to determine not only file identity, but file closeness. Personally I'd probably unpack them, then design a vector of and then I'd just do vector differences from each other. Another option is to run them in a sandbox, and just record their use of API's as a vector.

You can probably devolve each API call into a tuple and use that as a direction in an N-dimensional space and do some simple pattern matching as your HIDS as well. That way your HIDS would not only recognize one

Automating Tools

How should we automate malware fingerprinting and feature extraction?

For example:

Should we automatically run things like strings and make the output searchable?

Should we automatically look for data like URLs, domain names, and IP addresses that make up the network fingerprint. Should we do more detailed analysis on connect() calls and such?

How can we automate some of the static analysis like call-graph extraction?

To the AntiVirus/infosec community

So the response to this site so far has been overwhelmingly positive with one or two exceptions. However I keep hearing that the anti-virus community will do everything they can to get me shut down. I'm not sure if that's true or what the issue would be if it is but I am really interested in hearing from and working with the A/V community.

What do you think? What are the issues?

I really want to provide a beneficial service to the community and I'm willing to work with any professionally behaving entity that has input or different perspectives.

I got one (only one) email so far saying that this makes it easier for un-ethical people to acquire and write malware. I'm not sure what's easier than google personally. While researching this site I found literally tons of "blackhat" sites with live samples just by simple google searches. And they were in a totally uncontrolled and obviously not a positive intent environment.

Site changes / fixes

I made a modification that prevents anonymous users from seeing malware content. This is to prevent worms or random people from automatically accessing samples. If you want access to samples and analysis please register (its free!)

Thanks,

V.

n/a

Irc backdoor / botnet backdoor.litmus

This looks like some kind of irc trojan. Some of it matches w32/litmus or backdoor.litmus but I'm not sure yet if its just various tools rolled together or all one entity. More analysis needed. Some of the dll's are not really dlls but rather code / text files.

I just made one giant zip for everything. I was able to unpack two of the thre files that were packed. I really need some generic unpacking tools because while I have some stuff to unpack UPX I keep finding modified UPXs. Or if someone wants to post a tutorial on dealing with this that would be cool too.

V.

Threat: Backdoor.Litmus

Korgo_s

More korgo, I guess this is the prevalent malware in my neck of the net.

file: 7f60162c2c0bd2cc7531e51328e98290: MS-DOS executable (EXE), OS/2 or MS Windows
info: 11391 Dec 3 16:42 7f60162c2c0bd2cc7531e51328e98290 md5sum: 7f60162c2c0bd2cc7531e51328e98290 7f60162c2c0bd2cc7531e51328e98290
sha1sum: 14d1aa76e3e787d7ce2080c8a314821bab6f18de 7f60162c2c0bd2cc7531e51328e98290

Event: Threat Found!
Threat: W32.Korgo.S
File: C:\malware\7f60162c2c0bd2cc7531e51328e98290
Date found: Saturday, December 10, 2005 6:47:38 PM

Lupper worm variant

(added some more info and disass - V.)

md5sum: 5b1176a690feaa128bc83ad278b19ba8 *linux_listen.bin
sha1sum: 454df00e2db034054ff2359d3e8c7113115fa1e3 linux_listen.bin
info: 443364 Dec 10 12:42 linux_listen.bin

This is one of the variants of the lupper worm, which exploited three different well known scripting injection vulnerabilities. This version copied itself via this website:
wget 24.224.174.18/listen

copies of the binary could be found in /tmp on infected hosts.

Site Status

So I've added sha1 hashes to all the entries per multiple suggestions I got to do so since we all know md5 is weak now. It would be nice to have gpg / sha256 stuff too if anyone can work on that. (I dont have a sha256sum tool yet.)

Dave Aitel and others made some interesting suggestions on how to accuratly identify malware which I like alot and will be working on. See the DailyDave maling lists for more information. (linked in the links section)

I've gotten some emails asking how to post content to the site so here are some brief instructions.

Once you log in there is a menu at the left. One of the menu options is "Create Content"