I posted OC to DailyDave's (Dave Aitel) mailing list today, and I noticed several new users and hits on the site so I just wanted to welcome the newcomers. We're very interested in feedback and any contributions you all can make, especially adding malware/analysis. I uploaded a few disassemblies for people to comment and there are IDA databases for some of the malware.
Enjoy the site!
sha1: f91a4d7ac276b8e8b7ae41c22587c89a39ddcea5 win_mydoom_a.exe
md5sum: 53df39092394741514bc050f3d6a06a9 win_mydoom_a.exe
info: 22528 Oct 20 10:58 win_mydoom_a.exe
Date found: Monday, December 05, 2005 10:02:44 PM
Scanning -> C:\malware\win_mydoom_a.exe
File Type : Exe, Size : 22528 (05800h) Bytes
[!] UPX v1.24 compressed !
- Scan Took : 0.953 Seconds
unpacked md5sum: 41e28ad24d9c075b01ebba52ff28ff27 unpacked_win_mydoom_a.exe
unpacked info: 53248 Dec 5 22:40 unpacked_win_mydoom_a.exe
entry point: 00004051
This binary was packed with UPX. There are both packed and unpacked versions attached.
So I removed the "exploits" and "shellcode" sections. The reason for this is that there are many sites that do this way better than we ever could.
If you want exploits or shellcodes then I would like to direct you to Metasploit
Those guys are awesome and anything cool we do in that realm will be available through them one way or another.
So now this site can focus on what it does best which is malware analysis, searching database, etc.
Ok this is a massive post. For some reason my malware collector keeps picking up korgo worm binaries.
None of them will disassemble correctly, as if they are packed/encoded. None of my file analyzers find anything (PEiD, pescan, protection-id, etc.). IDA shows that they are packed with a modified UPX2.
I have not figured out how to unpack it yet.
There are some A/V entries for this worm (it's an LSASS worm).
If anyone has ideas on how to unpack this or even a good generic unpacker to donate to the cause it would be greatly appreciated.
sha1: 8fe00da5f0b2114a132f41eb5e7065d46e7741fa $sys$DRMServer.exe
This is just the executable. I'll get the other files up soon.
I have uploaded an ida database and flow graph for this as well.
I added the supporting DLLs and sys files. I'll see if I can get the installer off the CD as well.
md5sum: 7d99b0e9108065ad5700a899a1fe3441 *7d99b0e9108065ad5700a899a1fe3441
sha1: 5ab1a63cfca5be0dac591194583f6405c16905dd 7d99b0e9108065ad5700a899a1fe3441
Need a generic or modified UPX unpacker to analyze.
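Added example (my own code, not the site's, and not tied to any of the samples listed in these posts): a small Python triage helper that parses hash lines in the manifest shape used here (`sha1:`, `md5sum:`, `sha1sum:`, with md5sum's `*` binary-mode marker), verifies files in a directory against them, and reads the PE section table to flag the stock `UPX0`/`UPX1` section names and the `UPX!` marker that a default UPX build leaves behind. The "PE" it checks in the demo is a constructed header-only byte string, not an executable, and the manifest and files are constructed in a temporary directory. Because a modified UPX, like the one described above for the Korgo samples, can rename its sections and drop the marker, an empty result says only that the stock signs are absent, not that the file is unpacked.

```python
import hashlib
import re
import struct
import tempfile
from pathlib import Path

# Manifest lines in the shapes these posts use (constructed regex, not site code):
#   sha1: <40 hex> file.exe
#   md5sum: <32 hex> *file.exe      ('*' is md5sum/sha1sum's binary-mode marker)
#   sha1sum: <40 hex> file.tar.gz
MANIFEST_RE = re.compile(
    r"^(sha1sum|sha1|md5sum|md5):\s+([0-9a-fA-F]{32}|[0-9a-fA-F]{40})\s+\*?(\S+)\s*$"
)


def parse_manifest(text):
    """Return (algorithm, hexdigest, filename) tuples; non-hash lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = MANIFEST_RE.match(line.strip())
        if not m:
            continue
        algo = "sha1" if m.group(1).startswith("sha1") else "md5"
        entries.append((algo, m.group(2).lower(), m.group(3)))
    return entries


def file_digest(path, algo):
    """Stream the file through hashlib so large samples need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(text, directory):
    """Map each listed filename to 'ok', 'MISMATCH' or 'missing'.

    A file listed under both md5 and sha1 is 'ok' only if every digest matches."""
    results = {}
    for algo, expected, name in parse_manifest(text):
        path = Path(directory) / name
        if not path.is_file():
            status = "missing"
        elif file_digest(path, algo) == expected:
            status = "ok"
        else:
            status = "MISMATCH"
        if results.get(name) != "MISMATCH":  # a recorded mismatch is never overwritten
            results[name] = status
    return results


def pe_section_names(data):
    """Section names from a PE image's section table; [] if the data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(data):
        return []
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsec):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Cheap static signs of a stock UPX build: UPX-named sections and the 'UPX!' marker.
    A modified UPX can rename sections and strip the marker, so absence proves nothing."""
    names = pe_section_names(data)
    return {
        "upx_sections": [n for n in names if n.startswith("UPX")],
        "upx_marker": b"UPX!" in data,
    }


def build_fake_pe(section_names, tail=b""):
    """Constructed, header-only bytes carrying a PE section table; not an executable."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)  # e_lfanew: PE header right after MZ stub
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(mz) + b"PE\0\0" + coff + table + tail


def run_demo():
    """Verify a constructed manifest against constructed files in a temp directory."""
    packed = build_fake_pe(["UPX0", "UPX1", ".rsrc"], tail=b"UPX!")
    plain = b"constructed plain file\n"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "packed.bin").write_bytes(packed)
        (Path(d) / "plain.bin").write_bytes(plain)
        manifest = "\n".join([
            "sha1: %s packed.bin" % hashlib.sha1(packed).hexdigest(),
            "md5sum: %s *packed.bin" % hashlib.md5(packed).hexdigest(),
            "md5sum: %s *plain.bin" % ("0" * 32),  # deliberately wrong digest
            "sha1sum: %s missing.bin" % ("0" * 40),  # file never written
            "info: 22528 Oct 20 10:58 packed.bin",  # non-hash line, skipped
        ])
        return {
            "verify": verify_manifest(manifest, d),
            "packed_upx": upx_indicators((Path(d) / "packed.bin").read_bytes()),
        }


if __name__ == "__main__":
    print(run_demo())
```

Run it directly to see the demo; point `verify_manifest` at a saved copy of the hash lines from these posts and the directory holding the archives to check a download the same way.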
sha1: d0de44bcf3ca6553307c77da8699dbc9b5e9d56a win_sasser_a.exe
md5sum: 1a2c0e6130850f8fd9b9b5309413cd00 *win_sasser_a.exe
md5sum: 2d2cd880b204bc6809effc3d850fcd14 *win_sasser_a.zip
sha1: 9bc7cc5f2030ae4d0a307f063b93f7caedacc2b5 win_netsky_aa.exe
md5sum: 2f4f05bb09b396579225615ab4121256 *win_netsky_aa.exe
md5sum: caf5821dcd9fd5eebda86eeb861cf2ef *win_netsky_aa.zip
sha1: 1c944d94b906a5212d72a4462d18e853f490c245 win_nimda.exe
md5sum: 839d5d4abc115f22a6a32b5f934c5bbc *win_nimda.zip
md5sum: 7a9527afdda4179b10e5465e93d0f3aa *win_nimda.exe
md5sum: ac53b755c0f2909114a73b2743c41b16 *linux_slapper.tar.gz
sha1sum: 0f0166c3a5666a5281526f7853cf331c5092b3d8 linux_slapper.tar.gz