A forum for reverse engineering, OS internals and malware analysis 

Search found 15 matches


Re: TrojanDownloader:Win32/Poison.A

 by swirl ¦  Sat Jan 28, 2012 1:18 pm ¦  Forum: Malware ¦  Topic: Win32/Poisonivy ¦  Replies: 15 ¦  Views: 27066

here it is

Re: Tool for Java Script debug

 by swirl ¦  Mon Jan 23, 2012 11:36 am ¦  Forum: Tools/Software ¦  Topic: Tool for Java Script debug ¦  Replies: 4 ¦  Views: 8134

Debugging, or just unpacking it? For Blackhole I'd just change the last eval() into a document.write() (like you'd do in Malzilla) and enjoy the unpacked script. You might want to pass it through a code beautifier (http://jsbeautifier.org/) to read it smoothly. EDIT: I just saw this thread is 2 months ...

Re: Notify callback tables

 by swirl ¦  Sat Oct 01, 2011 1:52 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Notify callback tables ¦  Replies: 13 ¦  Views: 9211

Re: DRIVER_OBJECT

 by swirl ¦  Thu Aug 18, 2011 9:44 am ¦  Forum: Newbie Questions ¦  Topic: DRIVER_OBJECT ¦  Replies: 6 ¦  Views: 6709

Vrtule wrote: I neither tested this nor am I sure whether the statement above holds now. I have found this information two years ago here: http://d.hatena.ne.jp/xna/20080517/1210984806
I found this exact same link and it seems to work just fine (http://www.inreverse.net/?p=1740)

Re: Sophail: A Critical Analysis of Sophos Antivirus

 by swirl ¦  Wed Aug 10, 2011 8:22 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Sophail: A Critical Analysis of Sophos Antivirus ¦  Replies: 2 ¦  Views: 4137

Taviso responded to some critics on reddit

http://www.reddit.com/r/ReverseEngineer ... antivirus/

Re: Mal/GSPFx

 by swirl ¦  Mon Jun 06, 2011 4:58 pm ¦  Forum: Malware ¦  Topic: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco) ¦  Replies: 149 ¦  Views: 166863

it came to me without a father :cry:

Mal/GSPFx

 by swirl ¦  Sat Jun 04, 2011 11:06 pm ¦  Forum: Malware ¦  Topic: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco) ¦  Replies: 149 ¦  Views: 166863

HTTP/DNS redirector - NDIS hooking - filesystem IRP hooking

gspfx.sys SHA1: 0f9f0935d0db58983014b1d263687d2e11556a59
VT 16/38: http://www.virustotal.com/file-scan/report.html?id=3d3317b09d5941a0a54299bf2b370f9b3eeb3394fbcffee1f1233921bc1d8c46-1307209741

unpacked.sys SHA1: ce011ef8b18e5b10d15f800ea78...

TrojanSpy:AndroidOS/Geimini.A

 by swirl ¦  Mon Jan 10, 2011 5:20 pm ¦  Forum: Malware ¦  Topic: TrojanSpy:AndroidOS/Geimini.A ¦  Replies: 0 ¦  Views: 3628

in case someone wants to have a look at it (pw: infected)

here's a nice report http://blog.mylookout.com/_media/Geinim ... ardown.pdf

http://www.virustotal.com/file-scan/rep ... 1294510437

Re: Black Energy 2.1+

 by swirl ¦  Fri Oct 22, 2010 2:49 pm ¦  Forum: Malware ¦  Topic: WinNT/BlackEnergy ¦  Replies: 38 ¦  Views: 63100

too bad ddos_update.py doesn't work anymore: they've changed the URL format and parameters, and probably also the encryption method :( Also, judging by the response size, they are using two separate hosts: one for the configuration and one for downloading the DoS modules hxxp://91.212.127.147/spm/s_al...

Re: Stuxnet case

 by swirl ¦  Thu Sep 23, 2010 9:52 pm ¦  Forum: Malware ¦  Topic: Stuxnet case ¦  Replies: 64 ¦  Views: 84706

two more links from reddit: http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf and http://frank.geekheim.de/?p=1189 About this last one, I don't think these kinds of attacks are a prerogative of states. Now this one in particular seems to point to a state, ok, but what you really ...