July 24, 2007
July 01, 2007
Kaspersky Free Cleaner 12.0.0.13
Utility for cleaning infections by:
I-Worm.Zafi.b
I-Worm.Bagle.at,au,cx-dw
Virus.Win32.Implinker.a
Not-a-virus.AdWare.Visiter
Trojan.Win32.Krotten
Email-Worm.Win32.Brontok.n
Backdoor.Win32.Allaple.a
Trojan-Spy.Win32.Goldun.mg
Email-Worm.Win32.Warezov
June 19, 2007
Top10 malware registry launchpoints
Most trojans, worms, backdoors, and such make sure they will be run after a reboot by introducing autorun keys and values into the Windows registry. Some of these registry locations are better documented than others and some are more commonly used than others. One of the first steps to take when doing forensic analysis is to check the most obvious places in the registry for modifications.
What are the most commonly used registry launchpoints then? We wanted to find out so we picked a collection of several thousand samples of malware and checked which launchpoints they were using. The results are presented in the diagram below. It should be noted that some of the samples used multiple launchpoints.

Please note that many of the launchpoints that malware uses are also very commonly used by normal software such as installers. You can also expect to find several entries there on a typical non-infected Windows host.
The locations of the keys in the top10 are:

As a summary: 39.8% of malware launchpoints are still in the good ol' "run" key in HKLM. Of course a clean "run" does not mean you are not infected, but it still is an excellent place to start looking (after running an anti-virus scan, of course) if you suspect that you have been infected.
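As an added example that is not part of the original post, the following Python script does the first triage step the post describes, but offline: it parses a regedit `.reg` export of the Run/RunOnce launchpoints and flags entries that start from temp or profile directories or that reference a bare filename resolved through the search path. The key list is an assumption limited to the HKLM "run" key the post names plus its HKCU and RunOnce siblings (the post's full top-10 list is not reproduced here), the directory heuristics are assumptions, and the sample export is constructed for illustration:

```python
import re

# Launchpoints inspected in this example (assumption: the HKLM Run key the
# post names plus its HKCU/RunOnce siblings; not the post's full top-10 list).
RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)}
# Directories legitimate autostart entries rarely run from (heuristic assumption).
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                "\\appdata\\", "\\recycler\\")


def unescape(s):
    """Undo .reg escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a regedit export into {key: {value_name: data}} (REG_SZ values only)."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and not line.startswith(";"):
            m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
            if not m:
                continue
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):   # REG_SZ
                result[current][name] = unescape(data[1:-1])
            # hex(2):/dword: values are skipped in this example
    return result


def command_path(cmd):
    """Pull the executable path out of an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                    # quoted path, possibly followed by args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_launchpoints(reg):
    """Return (key, value_name, path, reason) for every suspicious autorun entry."""
    findings = []
    for key, values in reg.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, cmd in values.items():
            path = command_path(cmd)
            reasons = []
            if any(d in path.lower() for d in SUSPECT_DIRS):
                reasons.append("runs from a temp/profile directory")
            if "\\" not in path:
                reasons.append("bare filename, resolved via the search path")
            if reasons:
                findings.append((key, name, path, "; ".join(reasons)))
    return findings


# Constructed sample export (not a real host): one clean HKLM entry, two bad ones,
# one clean HKCU entry, one bare-filename entry, and an unrelated key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""
"Updater"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\svch0st.exe -k"
"Helper"="\"C:\\Documents and Settings\\user\\Application Data\\wvsys.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="msnmsgr.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
'''

if __name__ == "__main__":
    for key, name, path, reason in triage_launchpoints(parse_reg(SAMPLE_REG)):
        print(f"{key}\n  {name} -> {path}\n  {reason}")
```

On a live host the same input is produced with `reg export` of each key; the script deliberately flags only what the post warns about (odd locations), since, as noted above, a clean Run key and a Run key full of installer entries are both normal.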
WinHex Virus?
From time to time there appear proof-of-concept viruses for various platforms and applications that have their own scripting language interpreters. Almost a year ago a proof-of-concept virus for IDA (Interactive Disassembler Pro) appeared. IDA is our primary tool for reverse-engineering malware. No one in the industry was infected. As far as we know.
Name : Virus:WH/Vred.A
Type: Virus
Category: Malware
Vred.A is a proof-of-concept virus for WinHex.
Vred.A is a proof-of-concept virus written in the scripting language of WinHex, a computer forensics, data recovery and IT security tool.


June 18, 2007
lena151's reversing tutorials (a nice collection)
02. Keyfiling the reverseme + assembler
03. Basic nag removal + header problems
04. Basic + aesthetic patching
05. Comparing on changes in cond jumps, animate over/in, breakpoints
06. "The plain stupid patching method", searching for textstrings
07. Intermediate level patching, Kanal in PEiD
08. Debugging with W32Dasm, RVA, VA and offset, using LordPE as a hexeditor
09. Explaining the Visual Basic concept, introduction to SmartCheck and configuration
10. Continued reversing techniques in VB, use of decompilers and a basic anti-anti-trick
11. Intermediate patching using Olly's "pane window"
12. Guiding a program by multiple patching.
13. The use of API's in software, avoiding doublechecking tricks
14. More difficult schemes and an introduction to inline patching
15. How to study behaviour in the code, continued inlining using a pointer
16. Reversing using resources
17. Insights and practice in basic (self)keygenning
18. Diversion code, encryption/decryption, selfmodifying code and polymorphism
19. Debugger detected and anti-anti-techniques
20. Packers and protectors : an introduction
21. Imports rebuilding
22. API Redirection
23. Stolen bytes
24. Patching at runtime using loaders from lena151 original
25. Continued patching at runtime & unpacking armadillo standard protection
26. Machine specific loaders, unpacking & debugging armadillo
27. tElock + advanced patching
28. Bypassing & killing server checks
29. Killing & inlining a more difficult server check
30. SFX, Run Trace & more advanced string searching
31. Delphi in Olly & DeDe
32. Author tricks, HIEW & approaches in inline patching
33. The FPU, integrity checks & loader versus patcher
34. Reversing techniques in packed soft & A S&R loader for aspr
35. Inlining inside polymorphic code
36. Keygenning
37. In-depth Unpacking & Anti-Anti-Debugging a Combination Packer/Protector
38. Unpacking continued & debugger detection by DLL and TLS
39. Inlining blowfish in a dll + unpacking aspr SKE 2.2
June 17, 2007
Unpacking malicious software using IDA Pro extensions
A paper by Dennis Elser
In almost all cases of today's malicious software, executable packers or crypters are used in order to obfuscate code and data. In some cases unpackers and dumpers are available. In very few cases they actually work on packed malware executables, due to modifications of internal structures such as the PE header.
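The paper's point is that generic unpackers and dumpers break when the packer rewrites the PE header. As an added example that is not from the paper, the following Python script parses the DOS header, NT headers and section table by hand and lists the inconsistencies a researcher wants to know about before trusting a dump: an entry point inside a packer stub, sections with no raw data, raw data running past end of file, writable-executable sections and sections outside SizeOfImage. The two sample images are constructed in memory by the helper `build_sample` (not real binaries); the packer section names are the ones UPX and ASPack are known to use.

```python
import struct

# Section names that UPX and ASPack leave behind.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, size_of_image, size_of_headers, sections) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    # AddressOfEntryPoint, SizeOfImage and SizeOfHeaders share offsets in PE32/PE32+.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    sections = []
    for i in range(nsec):   # IMAGE_SECTION_HEADER is 40 bytes
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(dict(name=f[0].rstrip(b"\0"), vsize=f[1], va=f[2],
                             rawsize=f[3], rawptr=f[4], flags=f[9]))
    return entry, size_of_image, size_of_headers, sections


def triage(data):
    """Return human-readable findings; an empty list means the headers look consistent."""
    entry, size_of_image, _, sections = parse_pe(data)
    findings, entry_sec = [], None
    for s in sections:
        name = s["name"].decode("latin-1")
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_sec = s
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"{name}: section name used by a known packer")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{name}: no raw data but 0x{s['vsize']:x} bytes virtual (unpack target)")
        if s["rawptr"] + s["rawsize"] > len(data):
            findings.append(f"{name}: raw data extends past end of file (truncated dump?)")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: section is writable and executable")
        if s["va"] + s["vsize"] > size_of_image:
            findings.append(f"{name}: extends past SizeOfImage")
    if entry_sec is None:
        findings.append(f"entry point 0x{entry:x} is outside every section")
    elif entry_sec["name"] in PACKER_SECTION_NAMES:
        findings.append(f"entry point 0x{entry:x} lies in packer stub {entry_sec['name'].decode()}")
    return findings


def build_sample(sections, entry, drop_tail=0):
    """Construct a minimal PE32 image in memory (constructed test data, not a real binary).

    sections: (name, vsize, va, rawsize, flags) tuples; raw data is laid out back to
    back after the headers and drop_tail bytes are cut off to mimic a truncated dump.
    """
    opt, opt_size, size_of_headers = 0x58, 224, 0x200
    assert opt + opt_size + 40 * len(sections) <= size_of_headers
    size_of_image = max(va + vsize for _, vsize, va, _, _ in sections)
    img = bytearray(size_of_headers)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    struct.pack_into("<H", img, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry)
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)          # section/file alignment
    struct.pack_into("<II", img, opt + 56, size_of_image, size_of_headers)
    rawptr, body = size_of_headers, b""
    for i, (name, vsize, va, rawsize, flags) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", img, opt + opt_size + 40 * i,
                         name.ljust(8, b"\0"), vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
        body += b"\x90" * rawsize
        rawptr += rawsize
    data = bytes(img) + body
    return data[:len(data) - drop_tail] if drop_tail else data


# Constructed samples: a well-formed image and a UPX-style one whose dump was cut short.
CLEAN_SAMPLE = build_sample([(b".text", 0x1000, 0x1000, 0x200, 0x60000020),
                             (b".data", 0x1000, 0x2000, 0x200, 0xC0000040)], entry=0x1010)
PACKED_SAMPLE = build_sample([(b"UPX0", 0x5000, 0x1000, 0, 0xE0000080),
                              (b"UPX1", 0x2000, 0x6000, 0x1000, 0xE0000040)],
                             entry=0x7000, drop_tail=0x800)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage(sample) or ["no findings"])
```

Running the script on a real dump is a matter of `triage(open(path, "rb").read())`; each finding corresponds to a header field a packer or a bad dump has altered, which is exactly what makes the automated tools the abstract mentions fail.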
Manual unpacking and Auto-IAT fixing UPX and Aspack
June 14, 2007
The strange case of Dr.Rootkit and Mr.Adware :)
Years ago, malicious programs started as simple file infectors, then progressed through macro viruses, worms, script viruses, and now we are plagued in massive numbers by backdoors, trojans, adware, and rootkits. The skill set needed for writing malware has changed, and so have the goals. The days when virus writers wrote viruses to show off how good they are at making malicious programs have gone away, and now all that the virus writers care about is making money by infecting a lot of computers.

By using bot trojan horses, an attacker can remotely gain system access. There are thousands of networks of zombie computers, machines infected with backdoors that are ready to be used for anything the bot controllers desire, ranging from sending spam emails to performing Distributed Denial of Service (DDoS) attacks.

A lot of these virus writers are fueled by companies that have poor moral values and bad advertising campaigns. A company that wants to advertise a product to a million users by email would need to send out all of those emails by themselves, which can get their company blacklisted very quickly. Instead, all they would need to do is pay a virus writer to write a virus that can remotely infect a computer, turning it into a mail server. Companies make millions of dollars a year due to spam emails.

A lot of infections also advertise locally on the user's computer. Malware is frequently used to display messages about products on people's computers by analyzing their surfing habits and sending the user's information to the attacker's server.

Terrorists are also using bot networks (botnets) frequently to attack websites. For example, someone could digitally hold a company and its website ransom, forcing them to send money or else the virus writer would start a distributed denial of service attack. Some computer terrorists have networks of hundreds of thousands of computers, making the attacks powerful enough to take down even the largest corporate servers.

The last weapon in the attacker's arsenal is the rootkit: a technique used to hide the malicious code in an infected computer so that no software can see it. There are many techniques available to attackers which can hide files and other components of viruses. Many of these techniques have been discovered and counter-attacks have been created by antivirus companies, but, as always, the virus writers are one step ahead and have many ways to combat even the most powerful antivirus and antirootkit software.

Some months ago, users started reporting about a rootkit infection that was totally unknown to antivirus companies. This threat is still emerging and evolving and is still widely undetected. In the following pages, we are going to analyze this infection in detail.
A Journey to the Center of the Rustock.B Rootkit
extract the native Rootkit driver code but without the use of kernel debuggers or other ring0 tools. The second part covers the extraction over the last three stages but much faster and with less effort using the SoftICE debugger. Each part shows various possibilities for solving the different problems facing the researcher when analyzing Rustock. The techniques can also be useful in future reversing sessions. All the tools I've used can be found in the references. Some of them are free and others are commercial, like IDA Pro. Further, all the binary dumps and IDA .idb files from each stage are included in the package with this paper. Use caution when reproducing the work described here. Consider employing a virtual machine like VMware or Virtual PC and perform the analysis on an isolated network to avoid the damage that could be caused by the Rootkit. Use at your own risk!
Malware Case Study
found in the wild by members of the Mal-Aware Group. The trojan was hosted on web servers located in Ukraine and Russia, and existed among several gigabytes of data encoded with a proprietary algorithm. There were nearly 10,000 individual files available, each containing between 70 bytes and 56 megabytes worth of stolen data that only criminals could read… until now.
