
Research

Basic Trojan Banker Win32.Banz.a Anatomy - Reverse Engineering

Hi,

Today we are going to inspect a Rootkit Technology based Banker, called Win32.Banz.a or RKIT/Banker.9088.
This rootkit presents some interesting aspects from a reverse engineering point of view because it has two
layers of protection:

* UPX
* DalKrypt

Before starting the direct analysis let's study the general structure, with a PE inspection.

MD5: 58A567A59A6B713B3B2638BC76C100DC
SHA-1: 0C18FF28DF6941541CDA89FF8006025E0E07E83D

Section Headers:

* UPX0
* UPX1
* .rsrc
* .DalKiT

Vizsec 2010 CFP Now Open

Vizsec 2010, or the Visualization Security conference, is one of those conferences that I feel strongly could change the nature of security field. If you have any ideas for visualization, especially reverse engineering related visualization, I strongly recommend you submit a paper there. Here are the relevant dates:

April 30, 2010 Full papers
May 21, 2010 Short papers

The Vizsec CFP is open now. It's colocated with RAID this year. Based on the 2008 RAID papers it should be a productive week.

Malware for Android platform?


Has anybody come across malware for the Android platform? If so, please let me know its family name or MD5 hash. I read a few articles about an infostealer for Android phones, but do not have any more info about it.

Thanks in advance!

Need suggestions for research paper...


Hi All,

Need help thinking of a topic to write a research paper on. My area of focus is mobile computing and security/malware. Looking for suggestions on research areas related to malware and mobile computing; any help would be really appreciated, as I'm having a bad case of researcher's block. If you're interested in co-authoring a paper, please let me know.

Symbian

Siberia Exploit Pack. Another package of exploits In-the-Wild


Siberia Exploit Pack is a new package designed to exploit vulnerabilities and recruit zombies. It is of Russian origin, as is easy to deduce from its name and as is customary in the clandestine crimeware business in that area.

Malware request for bots that use P2P for C&C


I am a student at Aalborg University in Denmark doing a research project in traffic pattern detection.

I am searching for bots that use P2P for command & control.

The only samples I managed to find are Peacomm.C, Nugache.A4, and Nugache C@mm.

If anyone can provide me with binaries of, or pcap traces from, other bots of this type, it would be very much appreciated.

Thanks in advance
Søren

RussKill. Application to perform denial of service attacks


Conceptually speaking, a DoS attack (Denial of Service attack) basically consists of bombarding a service or computer resource with requests until the system is saturated and cannot process any more data, so those resources and services become inaccessible, "denying" access to anyone who wants them.

From the standpoint of computer security, Denial of Service attacks are a major problem because many botnets, especially those built for a particular purpose, are designed to automate these attacks, taking advantage of the computational power offered by the network of zombies. In this case, the attack is called a Distributed Denial of Service (DDoS).

Moreover, within the framework of the concept of cyberwarfare, this type of attack is part of the "war" armament through which virtual conflict scenarios between states are played out, with the aim of neutralizing a state's vital services.

RussKill is a web application that falls within these activities and that, despite being extremely simple both in functionality and in the way it is used, is an attack that could be very effective and difficult to detect.

As is customary in current crimeware, the web application is of Russian origin and has a number of fields with information about how and against whom to carry out the attack, letting you configure the packet sequence, i.e. the amount of flow. The option "Hide url" is a self-defensive measure designed to ensure that the server is detected.

Although there are several methods of DoS attack, RussKill makes use of HTTP-flood and SYN-flood attacks. In both cases the victims' servers are flooded with HTTP requests and with packets carrying fake source IP addresses, respectively.

As I said at first, denial of service attacks are a danger for any information system, regardless of the platform that supports such services and applications; in this case the site demonstrates the ease with which an attack of this type can be run.

Jorge Mieres
Pistus Malware Intelligence

Win32 Rootkit Foundation


Hey all,
I'm looking for a Win32 root-kit source package. I'd like to work with a "Root-kit Foundation" that I can further build on for my own project. My end result is to create a root-kit to prevent other programs from seeing my interaction with the kernel, thus creating anonymous automated control of other programs. I already have the topside scripting and command code mostly done; I just need to interact with a Win32 kernel.

Any suggestions would be greatly appreciated.

DDoS Botnet. New crimeware particular purpose


A Denial of Service (DoS) attack basically consists of abusing a service or resource through successive requests, either intentional or negligent, which eventually break the availability of that service or resource, temporarily or completely.

When this type of attack is performed using the processing power of a large set of computers carrying out the abusive requests synchronously, we are witnessing a Distributed Denial of Service (DDoS) attack.
