I have two questions:
1. Problem: I suspect that it may be possible to modify the name of a loaded module, i.e. a process monitor displays "foobar.dll" but it really contains malicious code?
Question: Is this possible? It doesn't seem so far-fetched.
I spent a few hours looking at the storm worm and wrote up a quick informal paper on how to extract the actual malicious payload. If you're interested in how to use asynchronous procedure call to inject code into a userspace process this paper might be interesting to you.
This paper will detail the analysis methods of W32/StormWorm.gen1 and show a process injection method it uses to run malicious code in user-space. This variant loads a driver into the kernel which then injects itself into the running services.exe process. The worm then connects to a P2P network, sending spam and initiating DDoS from the infected computer. This technique does not use a packer in the traditional sense but a two-stage loader to inject itself into a running process from kernel space. I will show the decoding process and methods for extracting the true malicious code from the driver executable.
Does anyone know the exact algorithm to get the config file's URL in prg/wnspoem? The md5 for a sample: 04f21bd0c56dfa7162bd172395186809 (I've uploaded it here). I read www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf but can't just get that URL from offset 40 in the file.
(hope my question is clear; my English just sucks :-| )
I have found malware that downloads Partizan.exe. I can't determine if Partizan is clean or not, and why it's used by some bankers.
In this page Partizan is described as an anti-rootkit, part of UnHackMe:
This is the malware that uses Partizan.
Sandbox run and registry entries:
Does someone know about the "packer" that makes a MZ look like M8Z? There are some droppers and loaders that have that MZ inside.. So if you have any info or know about some tools.. I'd appreciate it. Of course, it would be nice if I'd reverse it.. but .. time is my enemy :) A sample can be found with http://www.offensivecomputing.net/?q=ocsearch&ocq=3ed060817d9d380249a5b7465efb07e2 (but it's not "the best" sample since it's obfuscated :( )
We just finished giving our talk at Shmoocon 2008, which is a slight update of our Blackhat 2007 talk. Under great peer pressure we decided to give a live demonstration of Saffron-kernel. It crashed the first time but the second attempt worked well. We unpacked two sets of packers live on stage: TeLock and Vmprotect. Afterwards we were even able to unpack a random binary from the audience. Thanks to the Shmoocon organizers and everyone who got up early to see our talk.
Shmoocon is a really nice conference. If you get a chance to attend I highly recommend it.
With "More advanced unpacking - Part II" I show you how to decrypt an infamous real-life malware called WSNPOEM (aka Infostealer.Banker.C). The binaries are usually created with a tool called ZEUS Builder, and there exist lots of different versions in the wild. I found samples with and without rootkit functionality. They are also packed "on top", meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways:
1. Manual unpacking + import fixing
2. Manual unpacking + Auto import fixing
3. Auto unpacking/import fixing
Stage 2 introduces a nice tool called "Universal Import Fixer" and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.
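The reason every one of the three stages above ends with "import fixing" is that a memory dump of an unpacked binary carries an IAT the packer stub already resolved at run time: the slots hold absolute API addresses (or pointers into the packer's own jump stubs) instead of the RVAs a file on disk would have, so the dump will not load until the table is rebuilt. The following script is an added example, not part of the tutorial and not the code of Universal Import Fixer or OllyDbgScript; it builds a constructed minimal PE32 image (offsets equal RVAs, as in a dump of the mapped image) and walks its import directory to classify each IAT slot, so you can tell before reaching for a fixer whether a dump still needs one. The image layout, the DLL name and the sample slot values are all assumptions made for the example.

```python
import struct

# Constructed sample layout (assumption for this example): a dump where file
# offset == RVA, with one import descriptor for KERNEL32.dll and two entries.
IMAGE_BASE = 0x400000
SIZE_OF_IMAGE = 0x3000
IMPORT_DIR_RVA = 0x2000
NAME_RVA = 0x2100
OFT_RVA = 0x2200                 # OriginalFirstThunk: RVAs of hint/name entries
HINTNAME_RVAS = (0x2300, 0x2320)
FT_RVA = 0x2400                  # FirstThunk: the IAT itself


def build_dump(iat_values):
    """Build a minimal PE32 image whose IAT holds the given 32-bit values."""
    img = bytearray(SIZE_OF_IMAGE)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # COFF header: i386, 1 section, SizeOfOptionalHeader 224, EXE + 32-bit
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)         # Section/FileAlignment
    struct.pack_into("<II", img, opt + 56, SIZE_OF_IMAGE, 0x200)  # SizeOfImage/SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * 1, IMPORT_DIR_RVA, 40)  # import data directory
    # single section header covering everything after the headers
    sect = opt + 224
    img[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sect + 8, 0x2000, 0x1000, 0x2000, 0x1000)
    struct.pack_into("<I", img, sect + 36, 0xE0000020)            # code | exec | read | write
    # import descriptor followed by the all-zero terminating descriptor
    struct.pack_into("<IIIII", img, IMPORT_DIR_RVA, OFT_RVA, 0, 0, NAME_RVA, FT_RVA)
    img[NAME_RVA:NAME_RVA + 13] = b"KERNEL32.dll\0"
    names = (b"ExitProcess", b"GetTickCount")
    for i, (hn_rva, name) in enumerate(zip(HINTNAME_RVAS, names)):
        struct.pack_into("<I", img, OFT_RVA + 4 * i, hn_rva)     # thunk -> hint/name
        struct.pack_into("<H", img, hn_rva, 0)                    # hint
        img[hn_rva + 2:hn_rva + 3 + len(name)] = name + b"\0"
    for i, value in enumerate(iat_values):
        struct.pack_into("<I", img, FT_RVA + 4 * i, value)
    return bytes(img)


def read_cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii", "replace")


def classify_iat(img):
    """Walk the import directory and classify every IAT slot.
    Returns (dll, slot_rva, value, verdict) tuples; verdicts are
    'rva' (on-disk form), 'ordinal', 'absolute' (resolved API address,
    needs an import fixer) or 'redirected' (points into the image itself,
    i.e. a packer jump stub that a fixer has to trace)."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", img, opt + 56)[0]
    imp_rva = struct.unpack_from("<I", img, opt + 96 + 8 * 1)[0]
    if not 0 < imp_rva < size_of_image:
        raise ValueError("import directory missing or outside the image")
    results = []
    desc = imp_rva
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        dll = read_cstr(img, name_rva) if name_rva < size_of_image else "<bad name rva>"
        slot = ft
        while True:
            value = struct.unpack_from("<I", img, slot)[0]
            if value == 0:
                break
            if value & 0x80000000:
                verdict = "ordinal"
            elif value < size_of_image:
                verdict = "rva"
            elif image_base <= value < image_base + size_of_image:
                verdict = "redirected"
            else:
                verdict = "absolute"
            results.append((dll, slot, value, verdict))
            slot += 4
        desc += 20
    return results


def needs_import_fix(img):
    return any(v in ("absolute", "redirected") for *_, v in classify_iat(img))


if __name__ == "__main__":
    # constructed slot values: a resolved kernel32 address and a stub inside the image
    for dll, slot, value, verdict in classify_iat(build_dump([0x7C81CAA2, 0x00401234])):
        print(f"{dll} slot {slot:#06x} = {value:#010x}: {verdict}")
```

Run the script on a real dump by reading the file into `img` in place of `build_dump`; the check only needs offsets to equal RVAs, which is what a section-mapped dump gives you. A result of only `rva`/`ordinal` verdicts means the import directory is still in on-disk form (either the dump was taken before the stub resolved it, or the directory you found is the packer's own), while `absolute` slots are exactly what Universal Import Fixer or an OllyDbgScript rebuild has to convert back.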
I'm looking to write snort and clamav signatures for it, but have yet to find a sample.
Val and I will be speaking at Shmoocon 2008 showing off our malware unpacking techniques. The talk is Sunday at 10am during the "Break It!" session. If you can't make it but are in the area let us know, we'll be around for the entire weekend. This talk will be similar to the one we gave at Blackhat USA 2007 however we'll also be talking about building an effective hardware based analysis system.
Software armoring techniques have increasingly created problems for reverse engineers and software security analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this talk we will present our forensically sound debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from most software armoring systems.
Unbelievable but true. After 4 months of getting owned by other things making my life mad, I finally managed to release a new unpacking tutorial. This one goes far more into depth than the beginners' tutorial I released last year. It aims to show some generic tricks and tools that can be used on many other protectors. Enjoy!