Some malware for analysis/detection

I have a folder (just over 300 megabytes/927 files), which contains a lot of malicious software. I uploaded it in case anybody wants to analyse it, or if anybody from anti-virus companies wants to detect it. A lot of it is already detected, but some of it is detected by some anti-viruses but not detected by others. There are all types of executable files, pif/exe/scr etc., and also some .jpg/.zip which are really executable files renamed. There are also some HTML files, but a lot of those can just be ignored. Well, I uploaded it all anyway.

The password for the rar file is "malware"
http://www.megaupload.com/?d=KE19T9DI

Post any questions or comments that you have.

Any Ideas for fast classification

Hello JST,

Thank you very much for the archive; it comes just in time.

We try to test some generic anti-malware tools (like Cisco's CSA and Solidcore S3 embedded) and want to find out if they are suited to substitute for virus scanners and OS patches (as the vendors say).

One of our biggest problems (besides getting suitable malware archives) is the classification of the malware. Because it takes time to check if the malware was successful or not, we look for a fast way to classify the malware (to prevent testing similar malware / malware variants two times or more).

Any ideas?

Thank you very much.
oldzombi

The only thing I can think

The only thing I can think of is to use a proper anti-virus to sort through the files first and remove variants. This might sort the archive ready for your tests, but it would be time consuming.

File not available

Hello. The site (besides requiring you to install an additional toolbar for your browser) says that the file is temporarily unavailable. Could you please re-upload it to services like http://www.yousendit.com/ or http://mydatabus.com/ ?

The file is available again.

The file is available again. Try it now.

Assuming that the location

Assuming that the location doesn't change periodically, this is where the Javascript crap eventually directs you to:

http://www76.megaupload.com/files/2446d5992864c4dc27df95114a6fb8e2/malware.rar

One of the projects on my todo list is a malware analyzer for most known malware. (It's all 90% the same these days anyway.) Think of it as a ripper to extract C&C server addresses, IRC channel names, passwords, command strings, shellcodes, etc. etc. Basically just spitting out a feature set, rather than a useless "rxbot.PQRST/sdbot.123456" name. I need to write a universal unpacker first. (I've got ideas for how to do it fast and automatic.)

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

What is your idea to create

What is your idea to create the automatic unpacker?

The file is still

The file is still unavailable -- the direct link you posted just redirects back to the first link you posted.

Works again for me

Works again for me http://www.megaupload.com/?d=KE19T9DI

Probably they were just overloaded on that server where the file is.

Temporarily unavailable

Temporarily unavailable still for me. Can someone upload it somewhere else?

edit: Got it now.

Automatic Unpacker Stuff

Ok, the idea isn't really mine, I got it from Joe Stewart. It was basically just mapping the memory segments so that the packer could read and write to them, but the moment it goes to exec, there's a fault, which you catch, and now you know the real entry address, etc.

A bit easier than going through the lengths that the Norman Sandbox goes through.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
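The fault-on-execute idea described above, as a toy model. This is an added example, not code from the thread or from any real unpacker (OllyBonE, Norman Sandbox): a tiny interpreter stands in for the CPU, and a set of "pages written since load" stands in for pages mapped readable/writable but not executable. The 16-byte page size, the XOR "packer" stub and the payload are constructed for the demo.

```python
"""Toy model of the fault-on-execute unpacking idea discussed above.

A tiny interpreter stands in for the CPU.  Pages the packer writes to at
runtime are recorded in `written`, which plays the role of "mapped
readable/writable but not executable"; the first fetch from such a page is
the fault that reveals the original entry point (OEP).  Page size, stub
and payload below are constructed values for the demo.
"""
PAGE = 16  # toy page size (constructed; real systems use 4 KiB)


class ExecFault(Exception):
    """The 'CPU' tried to fetch from a page that was written after load."""
    def __init__(self, addr):
        super().__init__(f"execute on written page at {addr:#x}")
        self.addr = addr


class Monitor:
    """Memory plus the bookkeeping an unpacker keeps around it."""
    def __init__(self, image):
        self.mem = bytearray(image)
        self.written = set()  # page numbers written since load

    def write(self, addr, data):
        self.mem[addr:addr + len(data)] = data
        for a in range(addr, addr + len(data)):
            self.written.add(a // PAGE)

    def fetch(self, addr):
        if addr // PAGE in self.written:
            raise ExecFault(addr)
        return self.mem[addr]


def run(stub, monitor, start=0, max_steps=100):
    """Execute `stub` (dict: address -> instruction tuple) until control
    enters a runtime-written page.  Returns (oep, dump_of_that_page)."""
    pc = start
    for _ in range(max_steps):
        try:
            monitor.fetch(pc)          # the protection check happens here
        except ExecFault as fault:
            oep = fault.addr
            return oep, bytes(monitor.mem[oep:oep + PAGE])
        op, *args = stub[pc]
        if op == "xorcopy":            # decode n bytes from src into dst
            src, dst, n, key = args
            monitor.write(dst, bytes(b ^ key for b in monitor.mem[src:src + n]))
            pc += 1
        elif op == "jmp":              # tail jump into the decoded code
            pc = args[0]
        else:
            raise ValueError(f"unknown op {op}")
    raise RuntimeError("stub never transferred control to unpacked code")


def demo():
    """Constructed sample: 16 bytes of 'real code' XOR-packed with key 0x5A."""
    real_code = b"REAL-ENTRY-CODE!"                  # 16 bytes, fills one page
    packed = bytes(b ^ 0x5A for b in real_code)
    image = bytes(PAGE) + packed + bytes(PAGE)        # page0: stub, page1: packed, page2: empty
    stub = {
        0: ("xorcopy", PAGE, 2 * PAGE, PAGE, 0x5A),   # decode page 1 into page 2
        1: ("jmp", 2 * PAGE),                         # then jump there
    }
    return run(stub, Monitor(image))


if __name__ == "__main__":
    oep, dump = demo()
    print(f"OEP = {oep:#x}, dumped: {dump!r}")
```

The point the toy makes is that the unpacker never has to understand the packer: it only needs the "written, then executed" transition, which is the same signal a real implementation gets from a page-protection fault. The usual caveat applies to the real thing too: a packer that decodes in place inside an already executable page, or one that unpacks in several stages, will trip the fault early, so the first fault is a candidate OEP to check, not a guarantee.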

Are you referring to the

Are you referring to the OllyBonE method or something else?

Automatic unpacker

I have written something that resembles an automatic unpacker (though it's not universal :D ) and probably can be used to dump strings, shellcodes, etc...
It just starts a program under a debugger and when it exits it dumps the program. Unfortunately it is vulnerable to checks for the presence of a debugger, but this can be avoided, at least partially.

can we see it?

the source would be great, a binary at a minimum.

autounpacking is a hard problem, so anything that helps is a boon to reversers, so hook it up

V.

yup

Ok, as soon as I have some time I will make it public (for now the exe and maybe later the source code).

Maybe it's off-topic, but

Maybe it's off-topic, but this brings me to another idea, the opposite:
Is there a tool that puts all files within a folder into separate archive files?
In other words: when a folder contains x files, I want to put each of those files in a separate packed file.
In this case: I downloaded the malware collection as mentioned above. I unpacked it, and then I have a malware folder which contains a lot of unpacked files. I'm very busy analysing and archiving them separately.
So: how can I automatically archive separate files within their folder?

I hope you understand the request/question. Don't know how I can explain it in other words.

Thanks.
Chato

Portions of this collection uploaded here.

I wrote a quick one-line script to take all of the executable files in this collection and upload them to OC. For future reference:

for i in `find . -type f -exec file {} \; | grep executable |cut -d ":" -f 1 |sed 's/^.\///g'` ; do curl -F malware=@$i http://mwdl.offensivecomputing.net/cgi-bin/upload.cgi ; done &> /tmp/upload_spew.log

If I had been planning ahead, I could have also made it pop out a list of all of the links to the reports. So I've just got the output of grep -i "malware" /tmp/upload_spew.log to match up to the input file list, but anyway... Because I'm also dumb, I forgot to escape spaces in filenames, so two files didn't get uploaded on this pass...

I'm so, so, tempted to post the list of MD5 sums for all of the files I just submitted, but that would add another 813 lines to this post.

$ head /tmp/exe.md5
18269ab7c0c405611a02d7d201999e30 AbrirCartao.scr
d216946947578f1baa9cd5a6ddd71837 cartorio24horas.cmd
597ca5b57de7cdec1b4ab4933ca48ff5 smtprujpg.exe
28f4196b50975c494c47d2738929bd38 wexplorer32684.exe
ffef2cca3f738cc536b0e3449a1b1a93 cmb_214877.exe
bcf87cea0b8554c54e0a8d6fddaaa70f postcarddh.exe
a80be346e38d795bc82c639638af4e11 cmb_214879.exe
5349c41b845218f3fef3bdb6511e738a aaa1.exe
6506e5cc86eca11565fa06ded38c3c9e member.gif
42b18aed32220d29f1ed9b37319004da aaa2.exe
[…]
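An added example (not the script from the post above, nor an OC tool) that does the inventory step the one-liner does, and also serves two earlier questions in the thread: oldzombi's request for a fast way to avoid testing the same sample twice, and Chato's request to put each file of the folder into its own archive. It classifies by magic bytes instead of extension (so renamed .jpg/.gif executables are caught), groups duplicates by MD5 so each sample is handled once, handles spaces in filenames, and packs each unique executable into its own zip. The sample folder is constructed from harmless header-only files; the "upload" is a dry-run print.

```python
"""Inventory a malware folder: classify files by magic bytes (renamed
.jpg/.gif executables included), group duplicates by MD5, and pack each
unique executable into its own zip.  Added example; not the script from
the post above.  Uses a constructed sample folder so it runs offline; the
upload step is a dry run."""
import hashlib
import tempfile
import zipfile
from pathlib import Path

MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}  # DOS/PE and ELF headers


def classify(path):
    """Return 'pe', 'elf' or 'other' from the first bytes, ignoring the extension."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "other"


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(folder):
    """Walk folder (any filename, spaces included) and return
    {md5: {"kind": ..., "paths": [...]}} so duplicates are grouped."""
    seen = {}
    for p in sorted(Path(folder).rglob("*")):
        if not p.is_file():
            continue
        entry = seen.setdefault(md5_of(p), {"kind": classify(p), "paths": []})
        entry["paths"].append(p)
    return seen


def pack_unique_executables(inv, out_dir):
    """One zip per unique executable, named by MD5 so two samples with the
    same filename never overwrite each other.  Returns the archives made."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    made = []
    for digest, entry in inv.items():
        if entry["kind"] == "other":
            continue
        first = entry["paths"][0]
        dest = out / f"{digest}.zip"
        with zipfile.ZipFile(dest, "w", zipfile.ZIP_DEFLATED) as z:
            z.write(first, arcname=first.name)  # store the basename only
        made.append(dest)
    return made


def build_sample_folder():
    """Constructed stand-ins for the collection: header bytes only, NOT real malware."""
    root = Path(tempfile.mkdtemp())
    (root / "AbrirCartao.scr").write_bytes(b"MZ" + b"\x00" * 30)
    (root / "member.gif").write_bytes(b"MZ" + b"\x00" * 30)   # same bytes, renamed
    (root / "with space.exe").write_bytes(b"MZ" + b"\x01" * 30)
    (root / "tool").write_bytes(b"\x7fELF" + b"\x02" * 28)
    (root / "index.html").write_bytes(b"<html></html>")
    return root


def demo():
    root = build_sample_folder()
    inv = inventory(root)
    zips = pack_unique_executables(inv, root / "archives")
    for digest, entry in inv.items():
        if entry["kind"] != "other":
            names = ", ".join(p.name for p in entry["paths"])
            print(f"would upload once: {digest} {entry['kind']} ({names})")
    return inv, zips


if __name__ == "__main__":
    demo()
```

Two design notes: MD5 grouping only removes exact duplicates, so near-variants (same family, different packer key) still come through as separate samples; that is the limit of "fast" classification, and an AV pass or fuzzy hashing is the next step. Also, Python's zipfile cannot write password-protected archives, so for the password-"malware" convention used in this thread you would hand the per-file zips to 7z or rar afterwards.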

Thanks!

Cool thanks. I promise that uploading automatically like this will become a lot easier in the future. Thanks for the upload script.

JST, you have a collection,

JST, you have a collection that I need :)
But I can't download it from www.megaupload.com; it says all slots are used.
If you can, please email me and I'll reply with an FTP account to upload to.
Thanks in advance.

Janet Kellman, software reviews manager

Big File

File is there; with megaupload, you have to skip the ad....

After the page is loaded, it forwards to an ad page; look in the top right for Skip this Ad and it goes back to the download page.

315MB.... I'm not that patient. :)