Skip navigation.


Analyzing MSOffice malware with OfficeMalScanner - Whitepaper

Finally i'm happy to release my paper Analyzing MSOffice malware with OfficeMalScanner. This paper describes all features of the OfficeMalScanner suite in detail. Further i've updated some features since my PH-Neutral talk, fixed bugs and replaced bin2code with MalHost-Setup. A much smarter way to analyze the inner workings of shellcode in a real life session. Both malicious samples described in the paper are included in the package. For sure additionally compressed and with extra password safety.

Get the Paper Here


Looking for Blackberry Malware

| | |

hey all... i am looking to see if anyone here has any samples of malware for the blackberry. I know that it is pretty much non-existent, but I figured I would ask. i would appreciate any assistance that anyone has. if you have any information or samples please email them to me.... Thanks in advance!

Malware Patent Application

I recently came across this patent from Network Associates by Igor Muttik. Here's the abstract:

"One embodiment of the present invention provides a system for determining whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software. The system operates by emulating the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software. During the emulation process, the system records a pattern of system calls directed to an operating system of the computer system. The system compares the pattern of system calls against a database containing suspect patterns of system calls. Based upon this comparison, the system determines whether the software is likely to exhibit malicious behavior. In one embodiment of the present invention, if the software is determined to be likely to exhibit malicious behavior, the system reports this fact to a user of the computer system. In one embodiment of the present invention, the process of comparing the pattern of system calls is performed on-the-fly as the emulation generates system calls."

Reading through the claims it appears that they have patented much of what was the state of the art of academic research in the early 2000's. I'm shocked with how loosely the patent is written. Comparing system calls might have been novel at the time, but the real magic is finding a matching algorithm for them. That algorithm, I would think, would be the real patentable material. Then again that's why I'm not a patent lawyer.

how to analyze a worm (Conficker.B)?


Please help, I would like to learn how to analyze a worm particularly Conficker.B (got a sample here). What are the steps? What are the tools needed? I'm new here and I had no experience with analyzing a worm before. Thanks in advance!

Talk on "Analyzing exploitable file formats" at PH-Neutral

Thorsten Holz and me are giving a talk at the next PH-Neutral. A 31337 invite-only conference from FX and the gang in Berlin. Thorsten and i will introduce several ways to analyze exploitable file formats, ranging from PDF and Flash to malicious Office files like PPT, DOC or XLS. We will show some of the popular tools used for analysis and will also present 2 new tools developed especially for malicious Office-file analysis.

I hope to meet a lot of interesting people again this year!

Cya on 29th and 30th May 2009 in Berlin!

Has anyone come across a (virtually) undetected packer ?


I am conducting some research into the way malware can hide itself. Now, my problemis that to simulate a realistic scenario I have to make the malware undetectable for (at least) transit. Most of the packers / binders I have used are being detected by the usual set of anti-virus software. Is there a packer / binder which is not detected or detected by only a couple of AVs ? In that case, I can avoid having those AVs in my test-bed.

The other (but infinitely more painful) method is to try and make a packer myself but for which I will require a lot of help from all of you fine people :0)

Intro to Malware Analysis


Greetings All,

I am doing a term paper on malware analysis for a digital forensics course. I am relatively new to malware analysis and such have a billion questions.

I need to pick a 'specimen', if you will, for my malware analysis. Instinctively I picked the much publicized Conficker. After some preliminary research I've discovered it is VMWare and Sandbox aware. Which is the only way I can monitor process, registry, etc changes. Additionally I've heard the code is extremely obfuscated.

Code injection

| |

Not a new concept for sure.

A new wave of more difficult to remove malware? A new way of stealing information? Maybe.

In the last 6 months to a year it seems code injection and file infectors have "opened a new door". It's still seems to be the "replicate and destroy" but recently with infections like "Scribble" "sality" "alman" and "virut" some changes have begun to show in this "angle of attack".

Now instead of just replicating out of control the infections are replicating crazily, but also bringing down fake-alerts and other nasty things.

Anti-malware research (infection and detection)

| |

I have undertaken a tertiary course that requires me to infect my computer with myriad malware signatures (at least 10), and then test multiple anti-malware products (4-5 products)

My main question is: How can I get my hands on multiple signatures, and what's the easiest way to infect said computer? (I'll be using VMWare to try and isolate the infections)

Additionally, if anyone could give me suggestions about the following, I would be most appreciative:
1. What malware is recommended? I'm after a variety of malware types (worms, trojans, viruses, spyware, etc.)

Any of you know of or got a Virus/Malware capable of flashing BIOS?


Any of you know of or got a Virus/Malware capable of flashing BIOS?

I'm looking for something that's very rare and dangerous... Any of you heard of Virus capable of flashing your BIOS and totally frying your motherboard?

If you know any variants let me know.

Thank you all.

Syndicate content