
CartellaUnicaTasse.exe An Italian Malware RCE Study

I've just released a paper on my website about the RCE analysis of an Italian downloader.

Paper can be reached here:

If this link does not work, just reach it from the home page of my website.


DNS Hoo-Ha

Everyone should go read Halvar Flake's post about this DNS scandal. Once again Halvar gets it exactly right. Djbdns for the win. If you don't use it you should.

ZLOB sexy codec & Co


I think you know, sexycodec and fake AVs were propagated using e.g.
- blog spamming
- search engines
- fake porn sites
- hacked BBSes and blogs

In case 'hacked', they use obfuscated JavaScript to do a 'document.write'.
Both sexycodec and fake AV are using the same "obfuscating engine".
Play with their parameters and you are able to generate your "malware threat of the day"
by using their own CGI script.

will send something like this:

easy detection of honeytrap


If you're running honeytrap,
you should have a look at the way I try to detect it.
Again it's based on a NetCat dump and again it is a module for a simple rbot,
just to demonstrate how easy it is to find the honeys,
even if you are a noob.

Using it for illegal things is prohibited.

Awaiting your comments.

Old DOS virus Whale


Does anyone here have the asm source of this beauty of coding?

As a newbie asm coder, I do like to see how it is coded.

Looking for latest strain of Nugache! [not Rizo variant]


Hi, I need the Nugache strain that was released recently... Rizo has been uploaded, which is not the strain of Nugache! Could anyone please help!


RSA 2008: Reverse-Engineering Malware and Commercial Software Armoring

If you're going to be at the RSA 2008 conference, please join Colin Ames and me in our talk "Reverse-Engineering Malware and Commercial Software Armoring" on Thursday April 10 at 9:10am in the Research Revealed track. We'll generally be around the conference, so be sure to say hello.

Here's the abstract:

"Protecting software from reverse-engineering has been a common goal of both commercial software and malware authors. Anti-reverse engineering techniques will be demonstrated and methods of circumventing them will be presented. A forensically sound kernel-based monitoring system will be shown as an effective way to monitor and instrument running applications."

Zend de-Optimizer


Does somebody know the format of "PHP script Zend Optimizer data" (as `file` says)? Or any free tools to do that? Or a manual method? I googled a bit but no luck :(

Thanks in advance.

Updated Saffron-DI Code 0.2a

I've fixed a bug inside the Saffron-DI code that was released at last year's Blackhat USA. It should result in better dumps of executables. I've tested it out with the latest version of Intel's PIN (as of this writing 2.3-17236, IA32).

Saffron-DI 0.2a

Installation instructions are on the original Covert Debugging post. If you have any bug reports please feel free to contact me and I'll look into it.

The kernel release of Saffron will be ready Real Soon Now™.

W32/StormWorm.gen1 Network Analysis


This is actually my first analysis of malware, so the paper I wrote up may not be as in-depth as some may wish. I cover the two files that the variant creates on the Windows system, and provide packet capture analysis. I plan on diving deeper into research with a few peers from Rochester Institute of Technology, including SPARSA (Security Practices and Research Student Association).


This paper briefly details the analysis of W32/StormWorm.gen1. The analysis includes the two files created by the variant and a look into the contents of those files. A quick overview of the network traffic generated by the worm is displayed, along with the data exchanged between the peers connected to the Overnet P2P network. Towards the end of the paper, extended research discusses the disassembly of the variant and where the process injection is found within the assembly code.

Download the PDF of the research here.

I will eventually post more analysis here once I can find the time.