RE: [Full-disclosure] Malicious Code Analysis

From: mike king (ngiles_at_hushmail.com)
Date: 08/05/05

Date: Fri,  5 Aug 2005 02:03:37 -0700
To: <full-disclosure@lists.grok.org.uk>, <m4ch3t3@gmail.com>, <pkr@csis.dk>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Peter,

    Hello back. Hey thanks for the reply and not a flame.

    These were not submitted to any AV vendors since Norton did flag
    them. In the past I have submitted unknown trojans/viruses like
    these to Symantec when clients have been owned, but what can I say,
    they are hardly 0day, more like 300 day.

    The programs that were used when first found were “Hex Workshop”
    and “IDA”. The other way they were confirmed was with the packer
    used to compress the file after the string seg000:00003ABD 0000000C
    C \bPECompact2 was located. Cool thing with PECompact2 is it will
    also tell you if it was packed with the tool.

    Output:
    Path: C: \wytgp.exe
    This module is compressed by PECompact2.

    http://www.bitsum.com/pec2.asp

    Could you share your methodology on how you go about reverse
    engineering/disassembling a malicious piece of code that has had a
    packer run on it?

    Regards
    Mike.

    On Thu, 04 Aug 2005 23:55:35 -0700 Peter Kruse <pkr@csis.dk> wrote:
    >Hi Mike,
    >
    >I was just wondering if you have submitted these lastad samples to any
    >antivirus vendors?
    >
    >Although this malware is already identified by several vendors, some don't
    >detect any of these "lastad" variants posted on your website. A good way to
    >ensure that samples get added for detection, and to help others, would be
    >submitting samples to your preferred av-vendor.
    >
    >Also you should not use a hex editor to determine the format of a binary,
    >since headers are easily modified. Use disassemblers/debuggers like olly,
    >softice or IDA.
    >
    >Regards
    >Peter Kruse
    >
    >> -----Original Message-----
    >> From: full-disclosure-bounces@lists.grok.org.uk
    >> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf
    >> Of mike king
    >> Sent: 5. august 2005 02:40
    >> To: full-disclosure@lists.grok.org.uk; m4ch3t3@gmail.com
    >> Subject: Re: [Full-disclosure] Malicious Code Analysis
    >>
    >> -----BEGIN PGP SIGNED MESSAGE-----
    >> Hash: SHA1
    >>
    >> Here you go; I got this malware from a friend's machine that
    >> had been infected. This was about 2 months ago or thereabouts.
    >> Use a hex editor to give you what it was packed with
    >> and then just go from there. Good luck and have fun.
    >>
    >> download it from here http://209.200.126.28/sample.zip
    >> "unzip" "rename the rar_ to .rar" "unrar".
    >>
    >>
    >> If anyone is wondering yes antivirus picks it up so don't worry.
    >>
    >>
    >> On Thu, 04 Aug 2005 15:19:14 -0700 M4ch3T3 Hax <m4ch3t3@gmail.com>
    >> wrote:
    >> >Hello all,
    >> >
    >> >I have recently graduated from a computers & networking course at
    >> >university and have spent a lot of my time analysing network security
    >> >from a scanning/sniffing/hardening point of view.
    >> >
    >> >I'm now becoming very interested in learning more about malicious code
    >> >analysis in a virtual machine environment. I have read documentation
    >> >and set up the environment and tools etc.. However I have no malicious
    >> >code to look at! Does anyone know of a way to get hold of some?
    >> >
    >> >Also, if anyone can recommend any further reading or sites etc. it
    >> >would be very much appreciated!
    >> >
    >> >Cheers!
    >> >_______________________________________________
    >> >Full-Disclosure - We believe in it.
    >> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    >> >Hosted and sponsored by Secunia - http://secunia.com/
    >> -----BEGIN PGP SIGNATURE-----
    >> Note: This signature can be verified at
    >> https://www.hushtools.com/verify
    >> Version: Hush 2.4
    >>
    >>
    >> wkYEARECAAYFAkLyst0ACgkQUjm7xSZSd8Ec9wCfVCyeftO+crjrndW0QTWi/7TcH70A
    >> oJIlHd0nyKHnYsEGCiFUAiR1W6Iw
    >> =IGME
    >> -----END PGP SIGNATURE-----
    >>
    >>
    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.4

    wkYEARECAAYFAkLzKQEACgkQUjm7xSZSd8F/RwCcDU5poudYJKLiIbGoo+YRgotc2EQA
    oIKXRaSIRGuAZz242PaAW0LnD5oK
    =tdMp
    -----END PGP SIGNATURE-----
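A small triage script for the packer check discussed in the message above: it scans a PE file for the marker string the post found ("\bPECompact2", where IDA's \b is the byte 0x08) and computes the Shannon entropy of each section's raw data, since compressed or encrypted code is close to 8 bits per byte while ordinary code and data are not. This is an added example, not code from the post or from the PECompact2 tool. The UPX section names, the function names, and the synthetic sample built by build_constructed_sample() are assumptions constructed for the example. As Peter Kruse points out in the quoted reply, headers and strings are easy to alter, so a clean result from string matching is not evidence that a file is unpacked; the per-section entropy is the second, harder-to-hide signal.

```python
import math
import struct

# Byte patterns that commonly mark a packed PE. "PECompact2" is the string the
# post located in the sample; the UPX section names are an added assumption.
PACKER_MARKERS = {
    b"PECompact2": "PECompact2",
    b"UPX0": "UPX",
    b"UPX1": "UPX",
}


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes) -> list:
    """Walk the PE headers and return (name, raw_offset, raw_size) per section.

    Reads only what is needed: e_lfanew from the DOS header, NumberOfSections
    and SizeOfOptionalHeader from the COFF header, then SizeOfRawData and
    PointerToRawData from each 40-byte section header.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def triage(data: bytes) -> dict:
    """Report packer markers found anywhere in the file plus per-section
    entropy. Entropy near 8 in the section that should hold code is the
    usual sign of compression, whatever the headers claim."""
    packers = sorted({label for marker, label in PACKER_MARKERS.items() if marker in data})
    sections = []
    for name, raw_ptr, raw_size in parse_sections(data):
        body = data[raw_ptr:raw_ptr + raw_size]   # includes file-alignment padding
        sections.append({
            "name": name.decode("ascii", "replace"),
            "entropy": round(shannon_entropy(body), 2),
        })
    return {"packers": packers, "sections": sections}


def build_constructed_sample() -> bytes:
    """Build a tiny synthetic PE image (constructed here, not real malware):
    a '.text' section holding the PECompact2 marker plus high-entropy filler
    and a '.rdata' section holding repetitive low-entropy text."""
    sections = [
        (b".text", b"\x08PECompact2\x00" + (bytes(range(256)) * 2)[:500]),
        (b".rdata", b"hello world\x00" * 20),
    ]
    opt_size = 224                    # PE32 optional header size
    first_raw = 0x400                 # raw section data starts after the headers
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    hdr += b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections, TimeDateStamp, symbol table
    # pointer, symbol count, SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # Magic=PE32, rest zeroed
    raw_ptr, virt, bodies = first_raw, 0x1000, b""
    for name, body in sections:
        size = (len(body) + 0x1FF) & ~0x1FF                    # 512-byte file alignment
        hdr += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(body), virt, size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(size, b"\0")
        raw_ptr += size
        virt += 0x1000
    return bytes(hdr).ljust(first_raw, b"\0") + bodies


if __name__ == "__main__":
    print(triage(build_constructed_sample()))
```

Run it on a real file with `triage(open(path, "rb").read())`; the synthetic sample exists only so the script demonstrates both outcomes offline, a high-entropy section carrying the marker and a low-entropy one without it.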


