
Research

Releasing malpdfobj (malicious PDF described in a JSON object)


About a month ago I posted a blog describing research I was doing on malicious PDF files. As part of this research I needed a way to represent a malicious PDF file in a queryable form. I ultimately decided on MongoDB as my backend and therefore wanted to get the malicious file into JSON form so I could store it.

The tool I released today is a composite of tools from Didier Stevens and myself. Didier's PDF tools have done a lot of the heavy lifting, but my glue code brings multiple pieces of data together into a single object. As of right now the object contains the following details:

Detecting Malicious PDF Files


For the past few days I have been completely immersing myself in PDF research in hopes of finding better ways to detect malicious PDF files. I have collected a pretty good random sample set (15K) of PDF data and have a bunch of malicious files with the same statistics. I have written some basic tools to aid in my research and it would be nice to get some input on the results I have found so far.

The outline of the project can be found here:
http://pdfxray.9bplus.com/

The blog with all the research, data and tools that have been released can be found here:
http://blog.9bplus.com
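
The two posts above describe turning a PDF into a JSON object for storage and counting keyword statistics over a corpus. The following is an added example written for this page; it is not malpdfobj and not Didier Stevens' pdfid/pdf-parser code. It walks the objects of a PDF with regular expressions, counts pdfid-style keywords after undoing name hex escapes (/J#61vaScript), inflates single-filter FlateDecode streams so that keywords hidden in object streams are counted too, and emits a JSON-ready dictionary. The sample PDF is constructed inline and is not a real malware sample; the function names and the keyword list are choices made here.

```python
import json
import re
import zlib
from collections import Counter

# Keywords a pdfid-style scanner counts; the ones in SUSPICIOUS rarely appear in benign files.
KEYWORDS = ["/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
            "/OpenAction", "/AcroForm", "/Launch", "/EmbeddedFile", "/XFA", "/RichMedia"]
SUSPICIOUS = {"/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
              "/EmbeddedFile", "/XFA", "/RichMedia"}

HEADER_RE = re.compile(rb"%PDF-(\d\.\d)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
FILTER_RE = re.compile(rb"/Filter\s*\[?\s*((?:/\w+\s*)+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def unescape_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (/J#61vaScript -> /JavaScript), a common keyword-hiding trick."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count whole-name keyword occurrences (so /Page does not match /Pages)."""
    text = unescape_names(data)
    counts = {}
    for kw in KEYWORDS:
        n = len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z])", text))
        if n:
            counts[kw] = n
    return counts


def inflate(raw: bytes) -> bytes:
    """Best-effort FlateDecode; malicious files often carry slightly broken streams."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return b""


def parse_object(num: bytes, gen: bytes, body: bytes) -> dict:
    """Describe one indirect object: its dictionary keywords and, if present, its stream."""
    m = STREAM_RE.search(body)
    dict_part = body[:m.start()] if m else body
    entry = {"id": int(num), "gen": int(gen), "keywords": count_keywords(dict_part)}
    if m:
        fm = FILTER_RE.search(dict_part)
        filters = [f.decode() for f in re.findall(rb"/\w+", fm.group(1))] if fm else []
        raw = m.group(1)
        entry["stream"] = {"filters": filters, "raw_len": len(raw)}
        if filters == ["/FlateDecode"]:          # only the single-filter case is handled here
            decoded = inflate(raw)
            entry["stream"]["decoded_len"] = len(decoded)
            entry["stream_keywords"] = count_keywords(decoded)
    return entry


def pdf_to_obj(data: bytes) -> dict:
    """Turn raw PDF bytes into a JSON-serialisable document with per-object and total counts."""
    hdr = HEADER_RE.search(data[:1024])
    doc = {"version": hdr.group(1).decode() if hdr else None, "objects": [], "keywords": Counter()}
    for num, gen, body in OBJ_RE.findall(data):
        entry = parse_object(num, gen, body)
        doc["objects"].append(entry)
        doc["keywords"].update(entry["keywords"])
        doc["keywords"].update(entry.get("stream_keywords", {}))
    doc["keywords"] = dict(doc["keywords"])
    doc["suspicious"] = sorted(k for k in doc["keywords"] if k in SUSPICIOUS)
    return doc


def to_json(doc: dict) -> str:
    return json.dumps(doc, indent=2)


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF (not a real sample): /OpenAction and a page /AA both point at a
    JavaScript action whose name is hex-escaped, and a copy of the action dictionary sits inside
    a Flate-compressed object stream so a raw grep would miss it."""
    objstm = zlib.compress(b"6 0 << /S /JavaScript /JS (app.alert('x')) >>")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>",
        b"<< /S /J#61vaScript /JS 5 0 R >>",
        b"<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\nstream\n" % len(objstm)
        + objstm + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(to_json(pdf_to_obj(build_sample_pdf())))
```

The resulting dictionary can be handed to a MongoDB driver as-is. Note that the regex walk deliberately ignores the xref table, since malicious files routinely ship broken or absent cross-reference tables; a real scanner must also handle multi-filter chains, /ASCIIHexDecode and /ASCII85Decode, and the /Encrypt case, none of which the example covers.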

Recent trojan or malware sample for some decent botnet traffic


Hi there, would anyone be able to recommend any samples here at OC that, within a short period of time after infection, would allow one to see C&C or P2P botnet traffic? Nothing specific, just any recommended samples that could easily lead to seeing this type of traffic, rather than an outdated sample of some type just sending requests out into the wild with no response.

Again, nothing specific would be required; a classmate and I are just looking for some interesting traffic to capture and analyze to some extent.

Thanks!

Sample of UltraDefragger Scareware


Does anybody have a sample of the misleading app UltraDefragger?

Old sploits


Hello all, is there any chance I could request samples of the Siberia or SeoSploit packs, or maybe someone knows where it is possible to get them publicly, for personal analysis only. Thanks.

Trojan.Fadeluxnet aka Fake Stuxnet Cleaner


Hi, can anybody supply me with a sample of Trojan.Fadeluxnet, which claims to be a Stuxnet cleaner but deletes all the data present on the C: drive!

Extended length paths in Windows

Maybe you are one of those people who have believed until now that the maximum path length in Windows is equal to MAX_PATH (260 characters). Nothing could be further from the truth!

In the document which you can download below I have described, among other things:

- what the maximum path length is and where it follows from
- how to gain the ability to create paths longer than MAX_PATH
- details of the WinAPI functions where the path length and its type are checked

The entire post can be found here:
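
The following is an added example written for this page, not code from the post above or from its document. It shows the usual way past MAX_PATH from user mode: prefixing an absolute path with \\?\ so that the Win32 layer skips both the length check and its path normalisation. The helper builds that prefixed form (including the \\?\UNC\ form for network paths), builds a directory path deeper than MAX_PATH, and, only when run on a Windows host, creates it. The names to_extended_path, build_long_path and create_long_directory and the default root C:\longpath_demo are choices made here.

```python
import ntpath
import os
import sys

MAX_PATH = 260          # Win32 limit, counting the terminating NUL
EXTENDED_MAX = 32767    # approximate limit once \\?\ is used with the wide-character (*W) APIs
EXTENDED_PREFIX = "\\\\?\\"


def exceeds_max_path(path: str) -> bool:
    """True if a plain (non-prefixed) path would not fit a MAX_PATH buffer.
    Caveat: CreateDirectory is stricter and limits a plain path to 248 characters."""
    return len(path) + 1 > MAX_PATH


def to_extended_path(path: str) -> str:
    """Return the \\?\ (extended-length) form of an absolute Win32 path.

    With the prefix, Win32 passes the string to the NT object manager almost untouched:
    no MAX_PATH check, but also no normalisation, so '.', '..' and forward slashes are
    not resolved and relative paths are meaningless.  We therefore normalise with
    ntpath first (pure string logic, so this runs on any host OS).
    """
    if path.startswith(EXTENDED_PREFIX):
        return path                                           # already extended
    norm = ntpath.normpath(path)
    drive, tail = ntpath.splitdrive(norm)
    if drive.startswith("\\\\"):                              # UNC: \\server\share\dir
        return EXTENDED_PREFIX + "UNC" + drive[1:] + tail     # -> \\?\UNC\server\share\dir
    if len(drive) == 2 and drive[1] == ":" and tail.startswith("\\"):
        return EXTENDED_PREFIX + norm                         # -> \\?\C:\dir
    raise ValueError(f"extended-length paths must be absolute, got {path!r}")


def build_long_path(root: str, depth: int, name_len: int = 10) -> str:
    """Nest `depth` directories of `name_len` characters under `root` (a, b, c, ...)."""
    return ntpath.join(root, *[chr(ord("a") + i % 26) * name_len for i in range(depth)])


def create_long_directory(root: str = "C:\\longpath_demo", depth: int = 30):
    """Build a >MAX_PATH directory path and, on Windows only, create it via the \\?\ form.

    Returns (extended_path, created).  On a default Windows configuration os.makedirs on
    the plain path fails (typically WinError 206, ERROR_FILENAME_EXCED_RANGE), while the
    prefixed form succeeds; on a non-Windows host nothing is created.
    """
    plain = build_long_path(root, depth)
    assert exceeds_max_path(plain), "demo path must be longer than MAX_PATH"
    ext = to_extended_path(plain)
    if os.name != "nt":
        return ext, False
    os.makedirs(ext, exist_ok=True)
    return ext, os.path.isdir(ext)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "C:\\longpath_demo"
    path, created = create_long_directory(target)
    print(f"{len(path)} chars: {path}")
    print(f"created on this host: {created}")
```

Two caveats a practitioner runs into immediately: the prefix only helps code that calls the wide-character APIs, so anything downstream that copies the path into a MAX_PATH-sized buffer or goes through the *A variants still breaks, and because normalisation is off a string such as \\?\C:\dir\..\other is looked up literally. Since Windows 10 version 1607 the limit can also be lifted without the prefix for applications that declare longPathAware in their manifest, provided the LongPathsEnabled registry value under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem is set to 1.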

help on project on exploit selling industry among hackers.


I am doing a project on the exploit selling industry (underground market). However, I could not find websites that sell zero-day exploits. Can someone list them for me? I would be very grateful.

Logical bug in <= gmer.sys [1, 0, 15, 4809 built by: WinDDK]

Messing around recently with gmer's code, I discovered a logical bug which can cause abnormal behaviour of random applications.

[+] Location of the problem
If a file can't be deleted in the usual way, gmer will try to close all open handles related to this file and then delete the file.
In my opinion the implementation of this procedure has not been properly thought out.

More info here:
http://www.icewall.pl/2010/07/22/blad-logiczny-w/?lang=en

<= GMER 1.0.15.15281 Buffer overflow 0day

During some research whose results I'm going to publish in the near future, I discovered a bug in the gmer win32 application that causes a buffer overflow.
(Un)fortunately, because of the security cookies present in the code and the nature of the function where the BO appears, it's not possible to achieve code execution.
Despite a couple of attempts to contact gmer's author I haven't received any response to this day, and unfortunately the bug has not been fixed yet either. So the only thing I can do now is share the advisory with you, which you can download from here:
