Skip navigation.


Generic Removal tool for Conficker..

This is a great place to share, currently sharing generic Conficker/ Kido removal tool with you.

Conficker Removal Tool

Any suggestions or improvement
write to

Best Regards

A new bird in the malware research sky

Dear OffensiveComputing community,
I take the chance of this blog post to inform you of the release of Cuckoo 0.1.0-beta.
Cuckoo is a very simple automated malware analysis sandbox which makes use of Microsoft Detours, AutoIt3 and Python for analyzing malwares in a VirtualBox based environment.
At this point it is able to analyze Windows binaries and PDF files, but can be easily extended.
Here are some basic features:

  • Retrieve files from remote URLs and analyze them.
  • Trace relevant API calls for behavioral analysis.



anyone have a spamtool? the one people use to send spam? I would be glad if anyone could share this sample.


code injection analysis tools or ways

| |

Can any one help/guide me that how can I analyse code injection malware samples? ThreatExpert and other sandbox tools tell abt the code injection existence, but I want to go in deep level to know which code injection technique is being used in malwares.

Thanks alot!

Releasing malpdfobj (malicious PDF described in a JSON object)

| |

About a month ago I posted a blog describing research I was doing on malicious PDF files. As part of this research I needed a way to represent a malicious PDF file in a queryable form. I ultimately decided on MongoDB as my backend and therefore wanted to get the malicious file in a JSON form so I could store it.

The tool I just released today is a composite of tools from myself and Didier Stevens. Didier's PDF tools have done a lot of the heavy lifting, but my glue code brings multiple pieces of data into a single object. As of right now the object contains the following details:

VERA 0.3 Released

VERA 0.3 has been released. This new version contains a bunch of new features and API improvements. The two biggest updates are the addition of the trace file parsing and analysis inside of the GUI. This alleviates the need for the gengraph.exe program. The next big feature is the integration with IDA Pro. Currently it only supports version 5.6 and 6.0 versions of IDA. Finally, VERA now includes documentation.

Download VERA 0.3 MSI File
Download VERA Documentation (PDF)

Please feel free to email me (dquist at this domain) if you have any comments. Those of you that have responded thank you very much.


* Added processing of trace files without having to use gengraph via new wizard
* Better handling of low memory situations
* Major code cleanup, refactoring, and new buzzwordy sounding tasks
* Added a toolbar, because everyone loves those
* Added IDA integration and IDA Pro module
* Fixed a bug involving parsing of non-traditional Ether trace files
* Now should support larger and more complicated graphs
* I'm getting paid to write and support VERA. :)

At Shmoocon 2011 I'll be rolling out the next version of VERA, complete with new features.

Detecting Malicious PDF Files

| |

For the past few days I have been completely immersing myself in PDF research in hopes to find better ways to detect malicious PDF files. I have collected a pretty good random sample set (15K) of PDF data and have a bunch of malicious files with the same statistics. I have wrote some basic tools to aid in my research and it would be nice to get some input on the results I have found so far.

The outline of the project can be found here:

The blog with all the research, data and tools that have been released can be found here:

NameChanger ver 1.0 – OllyDbg plugin

I recently returned to an idea of an OllyDbg plug-in which would provide functionality similar like in an IDA related with inter alia :changing name of functions or setting more readable form for global variables.
I think that the best way to present its adoption and functionality is to see it in an action:
More info here:
NameChanger ver 1.0 – OllyDbg plugin

Reversing the source of the ZeroAccess crimeware rootkit

| |

We recently undertook a project to update the hands-on labs in our Reverse Engineering Malware course, and one of our InfoSec Resources Authors, Giuseppe "Evilcry" Bonfa, defeated all of the anti-debugging and anti-forensics features of ZeroAccess and traced the source of this crimeware rootkit:

Part 1

InfoSec Institute would classify ZeroAccess as a sophisticated, advanced rootkit. It has 4 main components that we will reverse in great detail in this series of articles. ZeroAccess is a compartmentalized crimeware rootkit that serves as a platform for installing various malicious programs onto victim computers. It also supports features to make itself and the installed malicious programs impossible for power-users to remove and very difficult security experts to forensically analyze.

How to connect to Botnet C&C servers

Anybody who knows how to connect to Botnet Command and Control servers
let me know it please.....
My email address is

Syndicate content