I've just released a paper on my website about the RCE analysis of an Italian downloader.
The paper can be reached here:
If this link does not work, just reach it from the home page of my website.
As I think you know, SexyCodec and the fake AVs were propagated using, e.g.,
hacked BBSes and blogs.
Both SexyCodec and FakeAV are using the same "obfuscating engine".
Play with their parameters and you are able to generate your "malware threat of the day"
by using their own CGI script.
will send something like this:
If you're running honeytrap,
you should have a look at the way I try to detect it.
Again it's based on a NetCat dump, and again it is a module for a simple rbot,
just to demonstrate how easy it is to find the honeys,
even if you are a noob.
Using it for illegal things is prohibited.
Awaiting your comments.
Does anyone here have the asm source of this beauty of coding?
As a newbie asm coder, I'd like to see how it is coded.
Hi, I need the Nugache strain that was released recently... Rizo has been uploaded, which is not the Nugache strain! Could anyone please help?
If you're going to be at the RSA 2008 conference, please join Colin Ames and me in our talk "Reverse-Engineering Malware and Commercial Software Armoring" on Thursday, April 10 at 9:10am in the Research Revealed track. We'll generally be around the conference, so be sure to say hello.
Here's the abstract:
"Protecting software from reverse-engineering has been a common goal of both commercial software and malware authors. Anti-reverse engineering techniques will be demonstrated and methods of circumventing them will be presented. A forensically sound kernel-based monitoring system will be shown as an effective way to monitor and instrument running applications."
Does somebody know the format of "PHP script Zend Optimizer data" (as `file` says)? Or any free tools to do that? Or a manual method? I googled a bit but no luck :(
Thanks in advance.
I've fixed a bug inside the Saffron-DI code that was released at last year's Blackhat USA. It should result in better dumps of executables. I've tested it with the latest version of Intel's PIN (as of this writing 2.3-17236, IA32).
Installation instructions are on the original Covert Debugging post. If you have any bug reports please feel free to contact me and I'll look into it.
The kernel release of Saffron will be ready Real Soon NowTM.
This is actually my first analysis of malware, so the paper I wrote up may not be as in-depth as some may wish. I cover the two files that the variant creates on the Windows system and provide packet capture analysis. I plan on diving deeper into research with a few peers from Rochester Institute of Technology, including SPARSA (Security Practices and Research Student Association).
This paper briefly details the analysis of W32/StormWorm.gen1. The analysis includes the two files created by the variant and a look into the contents of those files. A quick overview of the network traffic generated by the worm is displayed, along with the data exchanged between the peers connected to the Overnet P2P network. Towards the end of the paper, extended research discusses the disassembly of the variant and where the process injection is found within the assembly code.
I will eventually post more analysis here once I can find the time.