

ok, so i'm smoking crack

be careful...

OK, and so I went to this one site and was just looking for some new stuff to play with. I clicked on
and lo and behold my little AntiVir goes off. WTF?

Old file virus?



I am looking for a standard file virus, you remember the type, one that propagates itself by infecting other files and so on.

Now for the hard part, I have some requirements:

1. It must NOT crash or corrupt the system (e.g. prevent it from rebooting); I do not want to reinstall each time I run it.

2. It must NOT require a network connection, the testing environment will be totally isolated from networks.

3. It must NOT crash any debugger tools.

4. It must NOT lock files while running.

5. It must NOT alter any ACL on NTFS partitions (Did any virus even bother to do this?)

Impending MS06-040 Worm? Don't Panic

With the release of the first unauthenticated remote executable exploit in a couple of years, many in the press have taken to predicting that a new worm is on the horizon. No doubt the AV companies are all prepared to disassemble, analyze, and most importantly name the new worm.

There are some things that will limit the effects of this worm. First, under XP Service Pack 2 it is widely thought that the only effect will be a denial of service attack. Where the real threat occurs is under previous service packs and older versions of Windows. Microsoft is probably the only one to comment on the percentage of Windows 2000/XP SP1 vs. XP SP2 machines available. Given my impression of organizations we have dealt with, the SP2 install set has been widely adopted.

Given all these issues, it's probably not worth getting too riled up about. Some events that should get your attention: a reliable XP SP2 exploit payload being released, or a lot of non-SP2 systems on your network. If the latter is the case, it's probably time to get with the program and upgrade. Don't bank on a reliable exploit not being released. Many smart people are thinking very hard about how to make this happen.

Further into rustock


So I was sitting in Hoglund and Butler's Advanced Rootkits class playing with instdrv and injecting processes via device drivers, when I had an idea.

I know where Rustock puts its rootkit driver from the partial unpacked disassembly I was able to do, but I can't get at it because it's in an ADS which is hidden by the rootkit itself. But here I am playing with instdrv, which lets you load and unload drivers by path.

So I told it to unload pe386.sys and then I ran lads.exe to see if I could find the ADS now. Indeed it was there. From there it was a matter of doing cat.exe c:\windows\system32\:pe386.sys > c:\owned.sys to extract the driver! However, this driver is protected somehow, so on to the next step :)
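The same enumerate-and-extract step as above, written as an added PowerShell (3.0+) example rather than the lads.exe/cat.exe pair the post used. This is not the poster's code; the target directory, output directory and stream name are assumptions, and the approach only works once the rootkit driver has been unloaded, since a live rootkit filters the very directory and stream listings this script relies on.

```powershell
# Added example (not from the original post): list the alternate data streams on a
# file or directory and copy each one out as an ordinary file for analysis.
# Assumed defaults: the System32 directory the post names, and a scratch output folder.
param(
    [string]$Target = "$env:SystemRoot\System32",
    [string]$OutDir = "$env:TEMP\ads_dump"
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# -Stream * returns every named stream on the object; the unnamed ':$DATA' stream is
# the file's normal contents (absent on directories), so it is skipped here.
Get-Item -LiteralPath $Target -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        # Stream names may contain characters that are illegal in file names.
        $safe = $_.Stream -replace '[\\/:*?"<>|]', '_'
        $dest = Join-Path $OutDir $safe
        Write-Host ("{0}:{1} ({2} bytes) -> {3}" -f $Target, $_.Stream, $_.Length, $dest)

        # Read the stream as raw bytes and write it to a regular file.
        # Windows PowerShell 5.1 uses -Encoding Byte; PowerShell 7 uses -AsByteStream instead.
        $bytes = Get-Content -LiteralPath $Target -Stream $_.Stream -Encoding Byte -ReadCount 0
        [System.IO.File]::WriteAllBytes($dest, $bytes)

        # Hash the extracted copy so it can be matched against known samples.
        Get-FileHash -LiteralPath $dest -Algorithm SHA256 | Select-Object Hash, Path
    }
```

Run it from an elevated prompt after unloading the driver, as the post did; run it before unloading and the hidden stream simply will not appear in the listing, which is itself a useful sanity check that the driver was really the thing hiding it.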

Looking for Troj/Riler-S


I am looking for Troj/Riler-S - the powerpoint 0-day exploit.


Undetected Haxdoor


Looks like we got a copy of the new undetected Haxdoor. "Undetected" is relative, because some AVs detect it. It's in the database under this MD5: 82a365b7a90b47d9cf0f2c9cd63c3ad1

Donald Smith from SANS has some initial analysis of it.


Unrecognized malware!

Uploaded: A file called 'Windows Picture And Fax Viewer.pif', which was sent in a link via AIM. All I know about it is that it's not packed with UPX.

I'm totally a newb to this sort of thing.

MD5(Windows Picture and Fax Viewer.pif)= e57d647eed5a6ff815cd472fee90b1ba
SHA1(Windows Picture and Fax Viewer.pif)= a1a9c7ae90f9a285223faa26e033755615a2ab57
SHA256(Windows Picture and Fax Viewer.pif)= fcbb213c123ad91942018b91576b17e6a60affcdc3e826152f021a7c13cecffc

Rootkits Get Better at Hiding


CNet is running a story on the new Rustock/Mailbot.AZ malware making the rounds. The hiding methods used by Rustock are certainly a threat, but hardly anything new. If anything this is a good example of a piece of malware that amalgamates the different methods together.

Is anyone actually surprised this happened? Is Greg Hoglund going to pop a vein when he sees CNet headlining Rootkits == Malware?

Preliminary Rustock Analysis


Rustock is pretty interesting and challenging. I had to hide from IsDebuggerPresent() to get anything out of it. Below you can see where it is generating the file name for the .sys driver which holds the rootkit capabilities.

.text:00410530 push offset aWin23PeFilesLo ; "Win23 PE files loader"
.text:00410535 push offset aPe386 ; "pe386"
.text:0041053A push edi
.text:0041053B call ds:dword_40FA80
.text:00410541 nop

This looks interesting here :

.text:004105A9 push offset aCmd_exeCDel ; "cmd.exe /c \"del \""



Edited by Chamuco 7/16/2006

Thanks mythx for uploading Rustock. You can search for any of these sums in our search tool.

MD5SUM: 111d19b60ae921ac90c2b73c2afe18e0
SHA1SUM: 2bd44dc6ca2d18913b89035955a1871644cb3a49
SHA256SUM: 5d22c25f26c1f768afa995f6602c83597636d7cdb414444e6c926a54a9f61dba

MD5SUM: 28a56f3a53ca91e85185bb28541b43b7
SHA1SUM: e5ffb6eb7a5222005f2d3748f0d4cf9bb3648dfc
SHA256SUM: 612d976771ab9fdc0ede065a6f032aee2ae280bd4aa16328bfff507d90f30b06

MD5SUM: 0dace30934e7435a78140bc4bc19ed30
SHA1SUM: 2fbfef2383a4abfbc3256367e155cfaf933d912f
SHA256SUM: 3a45e865498a868ec32a47c08fa21950160dc4ef5d287b77f15f89b59d52e4f7
