We (CERT.at, the Austrian National Computer Emergency Response Team)
just released our latest paper, which addresses an issue with Microsoft
Windows 64-bit that has a high potential to affect the IT-security community,
especially those dealing with malware analysis and, accordingly,
investigations. It's even possible that some of us already are or were
affected but just didn't notice.
The goal of my paper is to raise the IT-security community's awareness
of this issue.
In short: this issue, which I call the "WOW-Effect", is, so to speak, an
unintended implication of Microsoft's WOW64 technology and its
redirection functionality.
You can find the paper on our website. If you have any questions
regarding the "WOW-Effect" or would like to give me some feedback, feel
free to contact me at wojner_at_cert.at.
Here's the link to the paper:
Hey all, I need all types of mobile viruses for Symbian, Palm, Windows Mobile, BlackBerry etc. If anyone has a mobile virus collection, please contact me at email@example.com.
I got some files named braviax.exe which are downloading the rogues. All of them are of roughly the same size. Also, when I try to run it in Olly, something goes wrong.
This is one of those samples.
When I execute them and look at them in Process Explorer, I find lots of malware filenames and URLs pointing to the malware (under Properties -> Strings -> Memory).
And when I passed it to DiE 0.64, which is a tool like PEiD, it showed the file is entropy packed.
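The "entropy packed" verdict from tools like DiE or PEiD rests on a simple heuristic: Shannon entropy over the file's bytes. Compressed or encrypted data approaches 8 bits per byte, while plain code, strings and headers sit well below that. The example below is added here and is not part of the post above, nor code from DiE or PEiD; the 7.0 bits/byte threshold and the 1024-byte window are assumptions, and the input is a constructed buffer standing in for a packed image, not the braviax sample.

```python
import math
import random
from collections import Counter

# Threshold and window size are assumptions for this example, not values
# taken from DiE or PEiD.
PACKED_THRESHOLD = 7.0   # bits per byte; compressed/encrypted data approaches 8.0
WINDOW = 1024            # bytes per scan window


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_windows(data: bytes, window: int = WINDOW, threshold: float = PACKED_THRESHOLD):
    """Slice data into fixed-size windows; return (offset, entropy, looks_packed) per window."""
    results = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        ent = shannon_entropy(chunk)
        results.append((off, round(ent, 3), ent >= threshold))
    return results


def packed_ratio(data: bytes, window: int = WINDOW, threshold: float = PACKED_THRESHOLD) -> float:
    """Fraction of windows whose entropy is at or above the threshold."""
    hits = scan_windows(data, window, threshold)
    if not hits:
        return 0.0
    return sum(1 for _, _, flagged in hits if flagged) / len(hits)


def build_sample() -> bytes:
    """Constructed stand-in for a packed executable: a low-entropy prefix
    (repeated ASCII, like an unpacked header/text region) followed by a
    high-entropy body (seeded PRNG output, as compressed or encrypted code
    would look). Not a real sample."""
    prefix = (b"This program cannot be run in DOS mode.\r\n" * 64)[:2048]
    rng = random.Random(1234)                       # fixed seed: reproducible
    body = bytes(rng.getrandbits(8) for _ in range(4096))
    return prefix + body


if __name__ == "__main__":
    sample = build_sample()
    for off, ent, flagged in scan_windows(sample):
        print(f"offset 0x{off:06x}  entropy {ent:.3f}  {'PACKED?' if flagged else ''}")
    print(f"windows above threshold: {packed_ratio(sample):.0%}")
```

Running this against the constructed buffer flags the four PRNG-filled windows and leaves the two text windows unflagged. On a real PE you would run the same window scan per section rather than over the whole file, because a packer typically leaves one high-entropy data section next to a tiny unpacking stub; whole-file entropy can average that away.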
My name is Dante Allegro, and as the newest member of the team my job is to work with members of the commercial community who wish to purchase products and services from Offensive Computing.
If you or your company would like to use the Offensive Computing malware database in your commercial product, or if you have a specific job that you feel the Offensive Computing team can assist you with, please contact me and I will be quite happy to assist you.
As I am on the road quite a bit please contact me directly at dallegro ( at ) offensivecomputing.net.
A new contest called Race to Zero is being held at Defcon this year. The premise is that you take a modern virus and modify it to evade detection by antivirus companies. The AV industry is officially crying foul, saying that this only encourages bad behavior. The organizers say it will point out the shortcomings of modern AV engines.
I'm going to ruin part of the contest: it's scandalously easy to circumvent any antivirus engine with a trivial amount of work. There has been evidence of this; the Consumer Reports scandal is one example. The point is that it is not difficult to apply some seemingly minor and trivial modification that completely evades detection. The AV companies know it, the malware authors know it, and the only people who don't have a clue are the consumers. Shaking their confidence in spending $60 per year on updates is something the AV vendors fear. That's why the lawyers are probably going to get involved very quickly.
In light of this sure-to-be-scandalous con drama, I propose a secondary contest: antivirus vendors all race each other to develop signatures for the new variants as quickly as possible. Bring your best analysts to Defcon, or engage the home analysts, and show the true value of a good AV company: its signature development and reverse engineering teams.
For Reading - Russian Business Network study
There are some places in the world where life is dangerous. The Internet has some dark zones too, and RBN is one of them. RBN stands for Russian Business Network, and it's a nebulous organisation whose aim is to commit cybercrime.
This study aims to provide some enlightenment on RBN's activities and tries to detail how they work. Indeed, RBN has many constituents, and it's hard to have an exact idea of the goal of some of them and the way they're linked with other constituents.
There are some countermeasures available, but they don't make sense for home users or even companies. Only ISPs, IXPs and Internet regulators can help mitigate the risks originating from RBN and other malicious groups.
You may download the PDF from these links:
Rob Lemos contacted the MPack author and interviewed them. He writes, "In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious Web sites."
Ryan Naraine has an article about Mark Russinovich admitting that Vista will get malware. I suppose the newsworthy portion of this statement is that Mark is admitting it, which seems to be a change in direction. There have already been reports of spyware working on Vista, so this is not too surprising. All the viruses and malware I've test-run on Vista work without trouble.
"The botnet operator behind the virulent Nirbot Trojan is having a field day taunting anti-virus researchers.
While it is common to find messages and shout-outs buried in virus code, the person(s) behind Nirbot is rather talkative, leaving hostile threats directed at specific individuals, a strange apology for something involving "hospital computers" and even a mock CNN interview that discusses the bot's intent."