For the past few months I have been doing research on PDF analysis and how it could be improved. While doing the research I found myself writing tools and scripts to help me get the job done and decided it was time to put something more useful together. PDF X-RAY is a static analysis tool that allows you to analyze PDF files through a web interface or API. The tool uses multiple open source tools and custom code to take a PDF and turn it into a shareable format. The goal with this tool is to centralize PDF analysis and begin sharing comments on files that are seen.
PDF X-RAY differs from all other tools because it doesn't focus on the single file. Instead it compares the file you upload against thousands of malicious PDF files in our repository. These checks look for similar data structures within the PDF you upload and ones that have been reviewed by analysts. Using this feature we can begin to see shared code samples among malicious files or trends due to malicious authors' coding styles. The tool is still in beta, but I wanted to release it to the public to see what users thought. In my opinion the API is the most useful, as you can begin to integrate rich PDF analysis into other tools and services with little or no cost.
I would like to know:
1- Given that I have binaries (packed or unpacked), how can I know which strings are malicious and which aren't? Is there any link or knowledge base you could point me to?
2- How do you get those strings? XOR tools? IDA Pro? OllyDBG? The strings command?
I want to get "malicious strings", which I can treat as a database of malicious strings, so that each time I analyze a binary I can tell whether a particular PE/EXE is malicious or benign.
Hello everyone,
I'm in need of some malware that can infect Unix/Linux machines. My research is on Linux machines. I have found many, but most of them are for Windows machines. Please help me; provide me with some malware for Linux/Unix machines.
In the two years since the Win32/Olmarik family of malware programs (also known as TDSS, TDL and Alureon) started to evolve, its authors have implemented a notably sophisticated mechanism for bypassing various protective measures and security mechanisms embedded into the operating system. Read more here: Reverse Engineering Malware
The fourth version of the TDL rootkit family (TDL4) is the first reliable and widely spread bootkit to target x64 operating systems (Windows Vista and Windows 7). Since TDL4 started to spread actively in August 2010, several versions of the malware have been released. By comparison with its predecessors, TDL4 is not just characterized by modification of existing code, but to all intents and purposes can be regarded as new malware. Among the many changes that have been applied as it developed, the most radical were those made to its mechanisms for self-embedding into the system and surviving reboot. One of the most striking features of TDL4 is its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and Windows 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled. This makes TDL4 a powerful weapon in the hands of cybercriminals. In this article, we consider the PPI (Pay Per Install) distribution model used by both TDL3 and TDL4, and the initial installation.
rootkit.com has been down for a long time, as you know. If anyone has a backup of the rootkit.com vault anywhere, please share it. Lots of articles and blog posts referred to the rootkit.com vault source. I really miss rootkit.com. Please share anything you have here.
Especially, I'm looking for the Subverting the Windows Kernel book source code.
I've done some reading through the forums here, and like one of the other posters (albeit from 2009) I've actually been looking to do some simple virus removal practice with some of the other technicians I work with. Most of them are pretty good, but in trying to make sure everyone meets a minimum level of knowledge, I'd like to have a mess about and get them some practice.
I always download samples from "junspack.jeek.org", but I found that the samples on that site had been decoded and split into pieces; what is worse, the samples it submits every day are generally the same.
Who can help me? Thank you to all of you who care about me. God bless all of you.
Additionally, I cannot find any fake AV page sources. Why?
Here are the slides to my talk "Hunting rootkits with Windbg" at the Ruhr University of Bochum yesterday. I'll introduce several ways to find well known rootkits like Rustock or TDL Versions 3+4 with Windbg and scripts. Enjoy!
http://www.reconstructer.org/papers/Hunting rootkits with Windbg.pdf
The Windbg script shown in the slides to grab Kernelcallbacks can be found here:
I am sure this has been asked for before, but I'm doing a research paper on VM-detection methods and I need some samples to work with. Although the act of VM-detection is pretty cool, I've only seen it a few times in practice. I will continue to do some research on the net and try to find as much as I can on my own, but I just thought I would ask my RE brethren if they knew about any for-sure ones that I can use for my paper. Thanks!
I have recently set up a honeynet lab and I'm looking for help with sources where I can get some worms so that I can inject them on my honeypots. My research is on IRC bots, so please help me.