Does anyone know the exact algorithm to get the config file's URL in prg/wnspoem? The MD5 for a sample: 04f21bd0c56dfa7162bd172395186809 (I've uploaded it here). I read www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf but can't just get that URL from offset 40 in the file.
(Hope my question is clear; my English just sucks :-| )
Recently, I received a copy of an obfuscated PHP "virus". OC hash: 6891e6df8e053d3438af8a5404284361. It is not very complex, but the deobfuscation process is very interesting. I have the process and functionality analysis on my blog at isisblogs.poly.edu. By the way, this iCTF 2007 challenge is something else you can check out if you like deobfuscating PHP.
The PHP code was collected from a working server after unusual traffic patterns were noticed. After the machine was compromised (not in scope of this description), the code was injected. It listened to and executed commands passed through a POST request with ‘www’ user privileges. Some of the commands that were run include id, pwd as well as directory searches and wgets of various files. The compromised machine also served as a hop in a pharmacy ad delivery scheme. It redirected HTTP requests for medications to a possible ‘mothership’ server. There is evidence that links to our server were posted as ads on websites like MySpace.
I have found descriptions of similarly obfuscated files on blogs such as arbornetworks, cyberlot and waraxe. So there must be an obfuscator that does this. If anyone knows what it is, please let me know; I'd like to check it out. Anyway, the obfuscation on the file I provided seems to be slightly more complex than the links I gave. So there must be good options on that obfuscator that allow specification of how many iterations to do, etc.
The mothership adware server is still alive at the time of this writing (link in my blog).
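Added example, not the poster's sample or any known obfuscator's output: a small Python script that peels nested `eval(decoder(decoder("...")))` wrappers of the kind the post describes, one iteration per layer, until no wrapper is left. It assumes the decoder chain uses standard PHP functions (`base64_decode`, `gzinflate`, `gzuncompress`, `str_rot13`, `strrev`, `urldecode`) and stops at the first layer it cannot decode, so the analyst still gets the deepest code recovered so far. The two-layer sample it runs on is constructed inside the script around a harmless `echo`.

```python
"""Peel nested eval(decoder(decoder("..."))) wrappers from an obfuscated PHP sample.

Added example (not the poster's sample or any known obfuscator's output): the
decoder chain is assumed to use standard PHP functions such as base64_decode,
gzinflate and str_rot13, and the sample below is constructed in this file.
"""
import base64
import codecs
import re
import zlib
from urllib.parse import unquote_to_bytes

# One wrapper layer: eval( f1( f2( "payload" ) ) );
LAYER_RE = re.compile(
    r'eval\s*\(\s*'                 # eval(
    r'((?:[a-z0-9_]+\s*\(\s*)*)'    # chain of decoder calls, outermost first
    r'(["\'])([^"\']*)\2'           # quoted payload (base64 etc. contains no quotes)
    r'\s*\)+\s*;?',                 # closing parens
    re.I,
)


def _rot13(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


# PHP decoder name -> equivalent transform on bytes
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no zlib header
    "gzuncompress": zlib.decompress,                 # zlib-wrapped stream
    "str_rot13": _rot13,
    "strrev": lambda b: b[::-1],
    "urldecode": unquote_to_bytes,
}


def peel_layers(source: str, max_layers: int = 50) -> tuple[str, int]:
    """Return (innermost code, number of wrapper layers removed).

    Stops at the first layer whose decoder chain is unknown or fails to
    decode, so the caller still gets the deepest code recovered so far.
    """
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(source)
        if not m:
            break
        chain = re.findall(r"[a-z0-9_]+", m.group(1), re.I)
        data = m.group(3).encode("latin-1")
        try:
            for name in reversed(chain):  # innermost call runs first
                data = DECODERS[name.lower()](data)
        except (KeyError, ValueError, zlib.error, UnicodeError):
            break
        source = data.decode("latin-1")
        layers += 1
    return source, layers


def _deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE as produced by PHP's gzdeflate (test fixture helper)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def build_constructed_sample() -> str:
    """Two wrapper layers around a harmless echo (constructed test fixture)."""
    inner = '<?php echo "hello from layer 0"; ?>'
    p1 = base64.b64encode(_deflate_raw(inner.encode())).decode()
    layer1 = f'<?php eval(gzinflate(base64_decode("{p1}"))); ?>'
    p2 = base64.b64encode(_rot13(layer1.encode("latin-1"))).decode()
    return f'<?php eval(str_rot13(base64_decode("{p2}"))); ?>'


if __name__ == "__main__":
    code, n = peel_layers(build_constructed_sample())
    print(f"peeled {n} layers:\n{code}")
```

The layer count the script reports is the "how many iterations" setting the post speculates about; when the chain contains a decoder the table does not know, the loop stops and returns the still-wrapped layer so it can be inspected by hand rather than silently skipped.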
Does anyone know about the "packer" that makes an MZ look like M8Z? There are some droppers and loaders that have that MZ inside.. So if you have any info or know about some tools.. I'd appreciate it. Of course, it would be nice if I'd reverse it.. but .. time is my enemy :) A sample can be found with http://www.offensivecomputing.net/?q=ocsearch&ocq=3ed060817d9d380249a5b7465efb07e2 (but it's not "the best" sample since it's obfuscated :( )
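Added example, not taken from the sample linked above: a Python scanner that finds PE images embedded in a dropper or loader blob by keying on the `PE\0\0` signature and walking back to the DOS header whose `e_lfanew` points at it, then reports whether the 2-byte magic is still `MZ` or has been altered (for example to `M8Z`). It assumes the packer only overwrites the magic field and leaves `e_lfanew` at header offset 0x3C valid, and that the DOS stub is at most `MAX_STUB` bytes; the page does not describe the packer's actual layout, so treat both as assumptions. The blob it scans is constructed in the script.

```python
"""Locate PE images inside a blob and report whether their DOS magic is intact.

Added example, not from the poster's sample. Assumptions: the packer only
overwrites the 2-byte 'MZ' field (so e_lfanew at header+0x3C is still valid),
and the DOS stub is at most MAX_STUB bytes. The test blob is constructed here.
"""
import struct

DOS_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\0\0"
DOS_HEADER_SIZE = 0x40
MAX_STUB = 0x1000  # assumed upper bound on e_lfanew


def find_pe_candidates(blob: bytes) -> list[dict]:
    """Scan for 'PE\\0\\0' and walk back to the DOS header whose e_lfanew points at it.

    Keying on the PE signature rather than on 'MZ' is what lets an altered
    magic such as 'M8Z' be found and reported instead of silently missed.
    """
    found = []
    pos = 0
    while (pe_off := blob.find(PE_SIGNATURE, pos)) != -1:
        pos = pe_off + 1
        if pe_off + 8 > len(blob):  # need Machine and NumberOfSections
            continue
        lo = max(0, pe_off - MAX_STUB)
        for hdr in range(lo, pe_off - DOS_HEADER_SIZE + 1):
            e_lfanew = struct.unpack_from("<I", blob, hdr + 0x3C)[0]
            if hdr + e_lfanew != pe_off:
                continue
            machine, nsections = struct.unpack_from("<HH", blob, pe_off + 4)
            found.append({
                "header_offset": hdr,
                "pe_offset": pe_off,
                "magic": bytes(blob[hdr:hdr + 3]),  # 3 bytes so 'M8Z' shows whole
                "magic_intact": blob[hdr:hdr + 2] == DOS_SIGNATURE,
                "machine": machine,      # 0x14C = i386, 0x8664 = x64
                "sections": nsections,
            })
            break
    return found


def _make_image(magic: bytes, machine: int = 0x14C, nsections: int = 3) -> bytes:
    """Minimal DOS header + COFF header (constructed; not a loadable binary)."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[: len(magic)] = magic
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)  # e_lfanew: PE header follows directly
    coff = struct.pack("<4sHHIIIHH", PE_SIGNATURE, machine, nsections, 0, 0, 0, 0xE0, 0x10F)
    return bytes(dos) + coff


def build_constructed_dropper() -> bytes:
    """Filler bytes with one normal image and one 'M8Z' image embedded (constructed)."""
    return (b"\x90" * 100 + _make_image(b"MZ")
            + b"\x90" * 77 + _make_image(b"M8Z") + b"\x90" * 40)


if __name__ == "__main__":
    for c in find_pe_candidates(build_constructed_dropper()):
        state = "intact" if c["magic_intact"] else "ALTERED"
        print(f"header @0x{c['header_offset']:x} magic={c['magic']!r} ({state}) "
              f"machine=0x{c['machine']:x} sections={c['sections']}")
```

Running it on a real dropper lists every embedded header with its magic bytes, so an `M8Z` image shows up as a candidate with `magic_intact` false instead of being missed by a plain search for `MZ`.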
I've downloaded and analyzed the latest strain of the Storm worm and, as many of you know, the P2P payload is encrypted now.
I'm mostly interested in its network behavior, so have any of you found what the encryption key is? I would really appreciate this information or a link to some article that talks about it.
In case nobody knows: how would you proceed to find the key in the disassembled code? Any ideas on the techniques/tools to be used?
I have noticed a bunch of cases where malware modifies NTFS file permissions to prevent deletion (by conventional methods; I am not referring to booting from a BartPE CD or deleting files by adding the drive as a slave).
A few names:
Trojan:Win32/Boaxxe.B (MS OneCare),
Definitely look like rootkit-type infections.
Has anyone come across samples? Looks like the DLLs use random file names, like..
Any insights on this would be helpful.
I succeeded with unpacking the bagle.z.cpl ... there it exported the file c:\windows\cplstub.exe .... that file was packed with UPX .... np unpacking. But now when I load the file into IDA .... it doesn't make sense to me, so I hope somebody here will be able to help me. Here I uploaded the RARed cplstub.exe in case anyone is interested and prepared to help me.
I'm new to reversing malware, but I'm chugging along; however, this file creates some encrypted text files to send back to the master's website. Do you have any links to share about decrypting, or about how to find the decryption key/hash for files created in this manner? I hope I'm making sense here lol.
Thanks in advance
Welcome to the first ever Offensive Computing Reverse Engineering Challenge. Basically, there will be a file attached to this post. Your job is to download the file and figure out as much information as possible about it. This includes disassembly, packer, whether it's AV-detected, packet captures, ports used, processes spawned, and source code if available.
Note, however, that this is a malicious file. It could be a propagating worm, a trojan or a virus. Therefore, take all necessary precautions when analyzing this file. Offensive Computing is NOT responsible for anything that may happen to you as a result of this file.