Remote Code Execution live malware samples - request

Forum for completed malware requests.
ssj100
Posts: 61
Joined: Wed Aug 04, 2010 12:16 pm

Remote Code Execution live malware samples - request

Post by ssj100 » Thu Aug 05, 2010 4:22 am

Hi, does anyone have any live malware files of remote code execution? I am most interested in scripts and macros. For example, malware hiding in a Microsoft Word macro or that executes via cmd.exe, cscript.exe, java.exe etc. Thanks!
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Remote Code Execution live malware samples - request

Post by EP_X0FF » Sat Aug 21, 2010 5:18 pm

Perhaps if you can clarify your request you will have a sample. Example of malware names/families perhaps?
Ring0 - the source of inspiration

ssj100
Posts: 61
Joined: Wed Aug 04, 2010 12:16 pm

Re: Remote Code Execution live malware samples - request

Post by ssj100 » Tue Aug 24, 2010 5:25 am

EP_X0FF wrote: Perhaps if you can clarify your request you will have a sample. Example of malware names/families perhaps?
I don't really know of any names or families. As I wrote, I'm more interested in malware of a certain kind of behaviour. One example would be Adobe Reader exploits which attempt to download and run executables to infect your system, just by double clicking the PDF file. If anyone has any live samples like that, I'd be grateful if you could link me to download them.

Another example would include Buffer Overflow exploits which attempt to harm your system (I think they all attempt to download and execute a further malicious executable) or to, e.g., disable SRP.

Further examples would be malware which can infect your system just by opening a .mp3 file or a .doc file (e.g. via a macro).

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Remote Code Execution live malware samples - request

Post by EP_X0FF » Tue Aug 24, 2010 5:35 am

Here are some PDFs for you.
And look here http://www.kernelmode.info/forum/viewto ... f=16&t=226

ssj100
Posts: 61
Joined: Wed Aug 04, 2010 12:16 pm

Re: Remote Code Execution live malware samples - request

Post by ssj100 » Tue Aug 24, 2010 6:59 am

Which version of Adobe would they work on? Thanks.

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Remote Code Execution live malware samples - request

Post by EP_X0FF » Tue Aug 24, 2010 7:27 am

Have no idea, but they are fresh.

ssj100
Posts: 61
Joined: Wed Aug 04, 2010 12:16 pm

Re: Remote Code Execution live malware samples - request

Post by ssj100 » Tue Aug 24, 2010 8:51 am

Didn't seem to work with version 9.3.0 (this version is at least several months old). Wonder why it's so hard to purposefully get infected haha. Almost makes me wonder how people actually get infected in the first place (especially with a default-deny mechanism in place).

Radovan
Posts: 7
Joined: Tue Jul 13, 2010 3:18 pm

Re: Remote Code Execution live malware samples - request

Post by Radovan » Wed Aug 25, 2010 7:45 am

ssj100 wrote: Didn't seem to work with version 9.3.0 (this version is at least several months old). Wonder why it's so hard to purposefully get infected haha. Almost makes me wonder how people actually get infected in the first place (especially with a default-deny mechanism in place).
Step by Step:

1. Remove Adobe Reader 9.3.0, Install Adobe Acrobat Reader 8.1.0 (Also install JRE6U16 to be sure)

2. Go to http://www.malwaredomainlist.com/mdl.php

3. Visit some sites listed there with Firefox & all plugins enabled

4. Enjoy being infected :)

ssj100
Posts: 61
Joined: Wed Aug 04, 2010 12:16 pm

Re: Remote Code Execution live malware samples - request

Post by ssj100 » Wed Aug 25, 2010 11:56 pm

Radovan wrote:
Step by Step:

1. Remove Adobe Reader 9.3.0, Install Adobe Acrobat Reader 8.1.0 (Also install JRE6U16 to be sure)

2. Go to http://www.malwaredomainlist.com/mdl.php

3. Visit some sites listed there with Firefox & all plugins enabled

4. Enjoy being infected :)
Thanks, but something more specific would be nice, e.g. which exact site to visit and what the expected malicious behaviour is. I want to be able to reproduce the malware behaviour reliably.

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Remote Code Execution live malware samples - request

Post by EP_X0FF » Tue Sep 07, 2010 7:57 am

Try this one with unpatched IE/Adobe PDF.

Pack of exploits ready to download:

rezjure.co.cc/x/index.php