
Internet Explorer

Apologies, but IE does not work on this site. It does not appear to understand HTML standards (and I don't recommend using it anyway, for security reasons).

State of Offensive Computing

I would like to take this time to thank everyone who expressed their support while Offensive Computing was offline. It was a trying time and I really appreciate it. Without getting into any of the specifics of why the site was offline for two months, we are back and here to stay. A couple of people were instrumental in helping to keep everything up and running. Paul Royal, from the Georgia Tech Information Security Center, helped out significantly with hardware and the new home of the site. Kelcey Tietjen also stepped in and helped out tremendously. If you see either of them at an upcoming conference (hint: Paul is giving a talk at Blackhat), buy them a drink.

There are a couple of changes that are going to happen that more accurately reflect the intentions of the site. First, the name will be changing to Open Malware. The new name more accurately reflects the purpose and intention of the site. Way back in 2005 the intention was to make this a place where you could find information related to malware and other types of hacking. As things (and life) have progressed it has changed into a malware research site, specifically with the ability to download malware samples. The domain will be OpenMalware.org in the very near future.

The second big item of news is that we will be transitioning to a download-only malware repository in the coming weeks. The blog site will be officially shutting down. There are much better forums, maintained by commercial services, that have taken up the role of a discussion area. Specifically, the /r/ReverseEngineering and /r/Malware subreddits and OpenRCE are better avenues of communication. I will maintain a static version of the site to archive the old content.

To accommodate the new download site, there will be a couple of changes. First, a lot of the back end software has changed. Searches will be faster, more malware will be available, and the overall maintenance will be a lot easier. Second, you will need to have a valid, verified Google Account. Having a Google account allows us to use industry standard authentication, and most importantly not to have to maintain a user database. Get one here if you haven't already. In the meantime new account creation is disabled while we make the transition. Old accounts should work as normal.

Finally, we are discontinuing our commercial services. I would like to thank all of our customers for their business. You all helped to support this site and maintain an open service. We will be looking at transitioning to a non-profit status in the coming years.

Thanks again,

Danny Quist

Three Million Samples

Today we added our three millionth sample to the Offensive Computing malware corpus. While three million pales in comparison to the total amount of malware out there, we still have the largest openly available collection on the open Internet.

The story of this site has had its ups and downs, and on multiple occasions it was on the brink of shutting down. Every time I heard from someone at a conference, or saw the site mentioned in presentations or papers, it helped to keep us up and running. The resources needed to keep things moving have been interesting to deal with. Our commercial services have supported the ongoing maintenance of running a free malware archive.

Some changes are coming to the site Real Soon Now (TM) and I think now is a good time to share them with you. First, the storage and catalog software we have been running on has been sluggish for a long time. I'm about 80% through a rewrite of the underlying malware processing system that should get us to the next order of magnitude without problems. We have made some key partnerships with other open malware resources and we are beginning to put those into service soon. Second, our Reverse Engineering training is getting a massive rewrite. Currently we only do on-site offerings, but we are investigating the possibility of hosting at a more public general venue. Finally, the blog that you see here will be undergoing some changes.

Thank you to all of our customers, users, and supporters. Without you Offensive Computing would not be up and running today. Watch for more news coming soon.

Danny Quist
Founder, Offensive Computing, LLC.

Sample of W32.TmpHide


Hi everyone, I am looking for a sample of a new worm called TempHid or TmpHider, which exploits the Windows shell vulnerability (CVE-2010-2568) to execute arbitrary code; the worm also contains rootkit-like capabilities to hide its presence.

Details:

www.symantec.com/business/security_response/writeup.jsp?docid=2010-071400-3123-99&tabid=2

www.microsoft.com/technet/security/advisory/2286198.mspx

Best Buy iPad Censorship

Today I was at Best Buy playing with the iPad, when I tried loading Offensive Computing on the web browser. It seems that Best Buy thinks that this site has something to do with hacking. I wonder if some customers were stress testing the demo machines' antivirus products.

The picture is blurry, so here is the text:

This Page Cannot Be Displayed

Based on your corporate access policies, access to this web site ( http://offensivecomputing.net/ ) 
has been blocked because the web category "Hacking" is not allowed.

Store Network

If you have questions, please contact a Best Buy Employee and provide the codes shown below.

Notification codes:     (1, WEBCAT, BLOCK-WEBCAT, 0x0021ed3a, 1270677200.557, 
AAAdUAAAAAAAAAAAyf8AEP8AAAA=, http://offensivecomputing.net/)

Spam and Abuse

One of the day-to-day tasks of running this site involves monitoring for spam. Usually it's no problem: I just delete the junk posts and comments and disable the accounts. I've made some tools to make this pretty easy. The problem is that the spammers and malcontents seem to have ratcheted up their spamming and it's getting to be too much work. I've made a drastic change: people now have to send me an email asking to register their account.

There is a general pattern to the spam. All of the accounts are new and created within 1-10 hours of the spam. They all tend to have Gmail accounts. Others such as Yahoo, Hotmail, etc. have really dropped off. It would be nice if Google could do something to prevent people from taking advantage of their server. If I just banned any accounts from Gmail I could probably get rid of about 90% of the spam. That would affect other people using Gmail legitimately though, so I didn't want to take that step.

I realize there are people out there doing legitimate work [1] who can't answer the questions truthfully. That's ok, just make something up. I will accept "I work for the Post Office" as an answer [2], or pretty much anything else. So far it seems to be working too; there haven't been nearly as many spam messages as before.

There have also been some efforts to download our entire collection of malware. While I can understand why someone would want to do this, it does end up using a lot of our resources, bandwidth being one of them. As always I'm happy to work with people, but please contact me about it. I'm happy to make trades with people for new samples I can add. If you have nothing to trade, drop me a note and we can work something out.

[1] For some definition of legitimate. :)
[2] Stolen without shame from Halvar's class.

OC Site Maintenance


OC will be generally unavailable tonight from about 6pm until 2am. We're moving to a new server and in order to move the data correctly we'll need to bring down much of the site.

Offensive Computing Twitter OComputing

Offensive Computing is now on Twitter! Follow OComputing for all the malware and reverse engineering 140 characters can handle.

Searching offensive computing

Hi everyone,

I'm not sure how many of you have tried the search capability on the right side of this webpage. I have tried it many times; the problem is that it does not return any results, i.e. the answer is always "no match", whether or not there is actually content including the search terms.

I think it would be useful if this is fixed.

By the way, I use the "Search for sum or name" and it works.

Thanks

Shmoocon 2009

Tired of being hustled around by thousands of people at the summer Vegas conventions? Do you live on the wrong side of the United States? Do you really want to fill the time in the winter with hacking and interesting technical discourse? Do you like getting pelted by foam balls emblazoned with a strange animal? Come to Shmoocon!

The Shmoo Group puts on a great conference in DC called Shmoocon. Last year I spoke at it and was impressed by the low-key attitude and technical content enough to be an attendee this year. Tickets are a bit hard to come by but if you can get them I strongly recommend you go.

See you there!

Danny
