OSSS: Online Solutions Security Suite v1.0 Beta (third public beta)

Hello!

We have released the first public beta of "OSSS". This product can be easily used by malware analysts to analyze malware and create reports on "what the malware is doing".

"OSSS" (Online Solutions Security Suite) is a complex protection software suite that includes:

  • Proactive Defense (OSPD) - a new-generation proactive defense system,
  • Personal Firewall (OSPF) - an extremely powerful personal firewall

binBLAST release

This is something that I've ignored for entirely too long, so I finally just did it instead of trying to pretty up the release.

binBLAST is now available via Google Code (not SourceForge):
binBLAST source code

This is everything that was presented at DefCon.

YARA v1.2 released

A new version of YARA has been released. This version introduces some bug fixes and new features, such as:

* Sub-string alternatives in hex strings.
* Global rules.
* Enhanced "of" operator and a new "for..of" operator.
* Anonymous strings.
* uintXX and intXX functions to read integers from a given offset.
* yara-python improvements.

I've also started to create some rules for packer identification based on PEiD's signatures; there are just a few for now, but I expect to include more in the future.

Zerowine: Dumping malware and detection of antivm and antidebug

I released a new version of Zerowine, a QEMU+Wine based malware auto-analysis tool. In this version I added support for dumping the malware from memory while it is running. The dumps can also be downloaded for later analysis with IDA Pro.

The other feature I added is the ability to detect both anti-debugging and anti-VM techniques. The detection of anti-debugging techniques is done by analyzing the APIs called by the malware, while the anti-VM detection is done by looking for patterns in both the packed version of the malware (the original one) and the unpacked (memory dump) version of the malware.

You can download the latest version of Zerowine as a prebuilt QEMU virtual machine (you can convert it to a VMware image if you prefer, using the help found in this blog) or in source code form.

Update: I fixed the issue with the corrupted image. I uploaded a new working one and its MD5 sum.

Cheers!

YARA: a malware identification and classification tool

YARA is an open-source, multi-platform tool that allows you to create your own signatures to identify malware families based on text or hex strings present in samples of those families. The signatures are written in a special-purpose language that looks like this:

rule silent_banker : banker
{
    strings: 
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}  
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

Complex signatures can be created using boolean operators, wild-cards, regular expressions and much more. You can find more information on the project site:

http://code.google.com/p/yara-project/
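The rule above uses only plain hex and text strings joined with "or". As an added example (written for this page, not taken from the YARA project or from either post above), the rule set below exercises the features mentioned in the v1.2 release notes and in the sentence above: a global rule with the uintXX functions, wild-cards and a jump inside a hex string, a sub-string alternative, a regular expression, anonymous strings reached through "them", the "of" operator over a wildcard string set, and "for..of" tested against the entry point. Rule names, tags, the URL pattern and all byte patterns are constructed for illustration; the UPX stub bytes follow the shape of a PEiD-style signature but are not a verified detection signature.

```yara
// Global rule: no other rule in this file can match unless this one does.
// uint16/uint32 read little-endian integers at the given offset.
global rule is_pe_file
{
    condition:
        uint16(0) == 0x5A4D and           // "MZ" DOS header
        uint32(uint32(0x3C)) == 0x4550    // "PE\0\0" at e_lfanew
}

rule banker_variant : banker
{
    strings:
        // Hex string with ?? wild-cards, a [2-6] byte jump, and a
        // sub-string alternative ( 8D 91 | 8D 95 ) for two lea encodings.
        $push_seq = { 6A 40 68 ?? 30 00 00 6A 14 [2-6] ( 8D 91 | 8D 95 ) }
        // Regular expression for a constructed check-in URL pattern.
        $checkin  = /POST \/(gate|cfg)\.php\?id=[0-9a-f]{8}/
        // Anonymous strings: no identifier, only reachable through "them".
        $ = "UVODFRYSIHLNWPEJXQZAKCBGMT"
        $ = "!!! keylog start !!!"
    condition:
        // Code or network pattern, plus at least two indicators in total
        // ("them" covers every string in the rule, named or anonymous).
        ($push_seq or $checkin) and 2 of them
}

rule upx_packed : packer
{
    strings:
        $sec0 = "UPX0"
        $sec1 = "UPX1"
        // Illustrative entry-point stub of the UPX unpacker.
        $stub = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }
    condition:
        // "of" over a wildcard string set; "for..of" binds $ to each string
        // in its set so the match can be tied to the PE entry point.
        all of ($sec*) and for any of ($stub) : ( $ at entrypoint )
}

rule antidebug_imports : antidebug
{
    strings:
        $ = "IsDebuggerPresent"
        $ = "CheckRemoteDebuggerPresent"
        $ = "NtQueryInformationProcess"
        $ = "OutputDebugStringA"
    condition:
        // Counted "of": two or more of the API names present.
        2 of them
}
```

Because is_pe_file is global, a text file containing "UPX0" and "UPX1" will not trigger upx_packed; checking the entry point with "at entrypoint" is what separates a genuine packer stub from the same bytes appearing somewhere in data.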

Zero Wine: QEMU based malware auto-analysis

Zero Wine is an open-source (GPL v2) research project to dynamically analyze the behavior of malware. Zero Wine simply runs the malware using WINE in a safe virtual sandbox (an isolated environment), collecting information about the APIs called by the program.

The output generated by Wine (using the WINEDEBUG debug environment variable) is the list of API calls made by the malware (and the values passed to them, of course). With this information, analyzing the malware's behavior turns out to be very easy.

sorting the collection

Which tool do you prefer to use for sorting your collection?

I found some tools at vxnetlux.org, but I'm just curious which you use. And why.

The tools at vxnetlux are all *.exe, but I prefer to use one of my Linux machines (Ubuntu, Debian, BackTrack) for sorting the collection, therefore I'm mostly interested in apps for Linux.
But, if necessary, I have a Windows XP computer also.

Thanks,
Chato Flores

Resources and tools for malicious SWF analysis

Hi All,

What tools and resources do folks recommend for quickly analyzing malicious SWF files? I finally have a nice pile of 'em for analysis, including a few that may have come through ad banners on high-traffic sites.

Thanks,
Jared

A new member of the Offensive Computing team - Dante Allegro

Hello everyone!

My name is Dante Allegro, and as the newest member of the team my job is to work with members of the commercial community who wish to purchase products and services from Offensive Computing.

If you or your company would like to utilize the Offensive Computing malware database in your commercial product, or if you have a specific job that you feel the Offensive Computing team can assist you with, please contact me and I will be quite happy to assist you.

As I am on the road quite a bit please contact me directly at dallegro ( at ) offensivecomputing.net.

Paul Royal's Azure

Does anyone know where to get Paul Royal's Azure?

He was supposed to release it at the Black Hat conference, but so far I haven't found it.
