So there's no sample post tonight. I'm busy trying to understand the 700 unknown "shellcode" I have from my mwcollect. I don't really understand how that part works. Nepenthes has a page http://nepenthes.sourceforge.net/howto:reversing_windows32_shellcodes that kind of explains what to do with them, but it's incomplete. If anyone has suggestions, that would help.
Also, I need samples of things like the PnP worm / Dasher / etc. My collectors seem to be running dry lately.
PS: we seem to be linked on Halvar's blog, wooo! Thanks Halvar!
Just a couple of things to note:
- If you are an anonymous user you are missing 75% of the content of this site. Signing up for an account is free and relatively painless. I promise not to sell you to spammers.
- I love getting emails with samples, tools, ideas, etc. However, you might consider posting stuff directly to the site. I'm hoping to build a community and I think that's the best way to do it.
- I've seeded the site with lots of malware which could still use more analysis. If you want to learn / work on something, pick one of the entries, go to town and update the site.
That's about it for now.
This is an open discussion forum.
If you are reading this then the migration to the new ISP / hosting service was successful!
Let me know if something is broken, please. (mvalsmith at gmail.com)
Thanks for your patience.
So what does OC need? A lot of people have sent me tons of malware samples (awesome, thanks!), however what is really needed for OC is people who want to do cataloging, checksumming and analysis on samples. People willing to write IDS rules are needed too. If you are willing to do work uploading, cataloging and preparing samples, go for it. If you don't have any samples to work on, let me know; I have enough to keep you busy. Also feel free to add info to the samples I've already seeded the database with too.
So the response to this site so far has been overwhelmingly positive, with one or two exceptions. However, I keep hearing that the anti-virus community will do everything they can to get me shut down. I'm not sure if that's true, or what the issue would be if it is, but I am really interested in hearing from and working with the A/V community.
What do you think? What are the issues?
I really want to provide a beneficial service to the community and I'm willing to work with any professionally behaving entity that has input or different perspectives.
I got one (only one) email so far saying that this makes it easier for unethical people to acquire and write malware. I'm not sure what's easier than Google, personally. While researching this site I found literally tons of "blackhat" sites with live samples just by simple Google searches. And they were in a totally uncontrolled, and obviously not positive-intent, environment.
I made a modification that prevents anonymous users from seeing malware content. This is to prevent worms or random people from automatically accessing samples. If you want access to samples and analysis, please register (it's free!).
So I've added SHA1 hashes to all the entries, per multiple suggestions I got to do so, since we all know MD5 is weak now. It would be nice to have GPG / SHA256 stuff too if anyone can work on that. (I don't have a sha256sum tool yet.)
Dave Aitel and others made some interesting suggestions on how to accurately identify malware, which I like a lot and will be working on. See the DailyDave mailing lists for more information. (Linked in the links section.)
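As an added example (not the author's or the site's own code) for the checksumming work mentioned above: a small Python helper that computes MD5, SHA-1 and SHA-256 of a sample in one chunked pass, writes sha256sum-style lines, and verifies such lines against files on disk. The sample bytes and the temp-file path are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# MD5 is kept only so new records can be matched against older MD5-only entries.
DIGESTS = ("md5", "sha1", "sha256")

def digest_file(path, chunk_size=1 << 16):
    """Compute every digest in DIGESTS over one file in a single chunked pass."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def format_sum_line(hexdigest, path):
    """One line in the format GNU sha256sum prints: '<hex>  <path>'."""
    return f"{hexdigest}  {path}"

def verify_sum_lines(lines, algo="sha256"):
    """Check sha256sum-style lines; returns {path: ok}. Missing files fail."""
    results = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        expected, _, path = line.partition("  ")
        path = path.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        try:
            actual = digest_file(path)[algo]
        except OSError:
            results[path] = False
            continue
        results[path] = expected.lower() == actual
    return results

def write_constructed_sample(data):
    """Write constructed (harmless) bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="oc_sample_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

if __name__ == "__main__":
    sample = write_constructed_sample(b"abc")  # constructed test bytes, not malware
    line = format_sum_line(digest_file(sample)["sha256"], sample)
    print(line)
    print(verify_sum_lines([line]))
    os.remove(sample)
```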
I've gotten some emails asking how to post content to the site so here are some brief instructions.
Once you log in there is a menu at the left. One of the menu options is "Create Content".
I posted OC to DailyDave's (Dave Aitel) mailing list today, and I noticed several new users and hits on the site, so I just wanted to welcome the newcomers. We're very interested in feedback and any contributions you all can make, especially adding malware/analysis. I uploaded a few disassemblies for people to comment on, and there are IDA databases for some of the malware.
Enjoy the site!
So I removed the "exploits" and "shellcode" sections. The reason for this is that there are many sites that do this way better than we ever could.
If you want exploits or shellcodes then I would like to direct you to Metasploit.
Those guys are awesome and anything cool we do in that realm will be available through them one way or another.
So now this site can focus on what it does best, which is malware analysis, searching the database, etc.