Skip navigation.


Static Check for VM-aware malware


Does anyone know of a tool that can perform a static check against an executable to determine the possibility of it being VM-aware? Linux tool is preferred, but I'll take anything at this point.


Morfeus F*cking Scanner

| | |

Hello, I am trying to find out what exactly is behind the flurry of "Morfeus Fucking Scanner" web-vulnerability scans going on out there. After some research, a lot of people are reporting seeing it but no-one seems to be reporting or linking to an actual tool responsible.

Does anyone have more information on the tool? Any possibility of getting a copy?


YARA 1.3 released

I'm glad to announce a new version of YARA which includes three new major features, some of them inspired by requests and suggestions of some users out there. They are:

* C-style includes. Now you can include a YARA source file into another just like you do in your C programs with the #include pre-processor directive.

* Metadata in rules. Rules now can contain associated metadata in identifier/value pairs. Metadata information can be string, integer or boolean values. This metadata can be accessed later from the yara-python extension.

* Multi-source compilation in yara-python. A group of YARA source files can be compiled together in yara-python. In this way rules from different sources can be matched at the same time against your data, which is more efficient than compiling and matching each source independently.

Here is an example of the "include" and "metadata" features:

include "./includes/some_other_rules.yar"

rule silent_banker : banker
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}  
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $a or $b or $c

For more info:

Turbodiff v1.01 Beta Released

| |

Turbodiff is a high-performance IDA plugin designed to detect differences between executable binaries.
It works on architectures supported by IDA 4.9 FREE, IDA 5.0 through 5.5.
Turbodiff was developed by Nicolas A. Economou, from the Exploit Writers Team of Core Security Technologies.

The tool's page is here: Coresecurity's Turbodiff

You can also read the
presentation of Turbodiff at Ekoparty '09

Buenos Aires, Argentina.

Tool for visualizing encrypted and/or packed data with special focus on PE-files ...


Hi folks,

I developed a tool which might be of interest for you/us reversers. It's
capable of creating histograms for the spreading of byte-codes for a
whole file as well as section-wise regarding PE-files. This will make
the detection of crypted and/or packed data much easier. The tool (a
windows and a linux version) and a decent description is available under
our CERT-homepage:

Plz let me know if you encounter any problems or have any questions.

Christian Wojner.

OSSS: Security Suite. Fourth public beta (Vista support)

| |

For the recent six weeks we have implemented a number of new functions.

The first one to mention is automatic customization of rules via Security Master already at the program installation stage.

Starting with version v1.1, search for software in use is performed during the OSSS installation, whereupon the accumulated data are analyzed on our server and the set of rules for the detected applications is generated automatically.

New Jsunpack Release

A new version of jsunpack has been released with some very cool features. Jsunpack now includes pdf decoding and even includes signatures for known PDF attacks. It is able to deobfuscate javascript within a PDF file, or on the network and match the function call to a known malicious signature. You can check out the blog here.

Tools to Test Anti-Malware Security Gateway


I want Tools or collection of Malware to test Anti-Malware Security Gateway. The security gateway has Clamv antivirus and Kaspersky to inspect HTTP and HTTPS traffic to block Malwares.
How it can be determined the effectiveness of anti-malware product?

Detecting Packers in Network Streams with Pynids and Pefile

To step away from using snort as a base for detecting binary packers, I decided to go with a more direct approach and use a library that handled stream reassembly within python. I then simply took the data once the connection had closed, and scanned the data with PeFile. The python script, which I call nPeID (network peid), can either scan a pcap if passed in as an argument, or sniff on an interface (default is eth0).


Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for Testing Web Application Security Scanners, Testing Static Code Analysis tools (SCA) and Giving an introductory course to Web Application Security

The motivation for creating this tool came after reading "anantasec-report.pdf" which is included in the release file which you are free to download. The main objective of this tool is to give the community a ready to use testbed for web application security tools. For almost every web application vulnerability that exists in the wild, there is a test script available in moth.

More information and download:

Syndicate content