A forum for reverse engineering, OS internals and malware analysis 


Re: Linux.Rekoobe

 by fade ¦  Fri Dec 04, 2015 2:29 am ¦  Forum: Malware ¦  Topic: Linux.Rekoobe ¦  Replies: 4 ¦  Views: 6859

That's very interesting. I haven't seen anything targeting SPARC in a while. (At least from my point of view, please correct me if I'm wrong.)

Any word on how it's spreading or being used?

Re: What is the related CVE of this bug?

 by fade ¦  Thu Dec 03, 2015 2:28 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: What is the related CVE of this bug? ¦  Replies: 1 ¦  Views: 8357

Looks to be in the same range of CVEs as CVE-2014-4113

Re: [APT] NetTraveler RCEd Source Code

 by fade ¦  Thu Dec 03, 2015 2:24 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: [APT] NetTraveler RCEd Source Code ¦  Replies: 3 ¦  Views: 11382

I doubt the original author is going to complain ;)

Re: Linux/.IptabLex|s

 by fade ¦  Sun Jul 19, 2015 11:20 pm ¦  Forum: Malware ¦  Topic: Linux/.IptabLex|s ¦  Replies: 12 ¦  Views: 23367

Where did you come across the controller?

Re: [Poll] What is your favorite hex editor?

 by fade ¦  Tue Sep 09, 2014 2:02 pm ¦  Forum: General Discussion ¦  Topic: [Poll] What is your favorite hex editor? ¦  Replies: 11 ¦  Views: 38269

I've really enjoyed 010. Simple, yet full of features.

Re: Linux/BillGates

 by fade ¦  Tue Sep 09, 2014 2:01 pm ¦  Forum: Malware ¦  Topic: Linux/BillGates ¦  Replies: 72 ¦  Views: 107888

Someone I believe has written tracking code for this botnet also:
https://github.com/ValdikSS/billgates-botnet-tracker

Re: Linux/.IptabLex|s

 by fade ¦  Mon Sep 08, 2014 11:03 pm ¦  Forum: Malware ¦  Topic: Linux/.IptabLex|s ¦  Replies: 12 ¦  Views: 23367

If I recall correctly, this was dropped by (but not exclusively by) some exploitation of open ElasticSearch instances.

Re: Point-of-Sale malwares / RAM scrapers

 by fade ¦  Mon Sep 08, 2014 11:02 pm ¦  Forum: Malware ¦  Topic: Point-of-Sale malwares / RAM scrapers ¦  Replies: 244 ¦  Views: 864415

A lot of folks are calling this BlackPoS. The main basis for this is the unique exfiltration techniques.

The t.bat file that is decoded from the Trend posting uses a bitshift & XOR key.
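As an added illustration of the "bitshift & XOR" style of encoding mentioned above (this is not code from the post, from Trend, or from the malware, and the page gives neither the real shift amount nor the real key, so the rotate-by-3 and the 0x5a key below are hypothetical, as is the sample batch file): a small encoder/decoder pair plus a brute-forcer that recovers the parameters by looking for a known batch-file marker in the output.

```python
# Added example: generic single-byte "rotate + XOR" codec of the kind used to
# hide a dropped batch file. The shift amount (3), the key (0x5a) and the
# sample plaintext are all constructed for this illustration; the page does
# not state the real t.bat parameters.

def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF

def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (inverse of rol8)."""
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF

def encode(data: bytes, key: bytes, shift: int) -> bytes:
    """XOR each byte with a repeating key, then rotate it left by `shift`."""
    return bytes(rol8(b ^ key[i % len(key)], shift) for i, b in enumerate(data))

def decode(data: bytes, key: bytes, shift: int) -> bytes:
    """Undo encode(): rotate right first, then XOR with the same key."""
    return bytes(ror8(b, shift) ^ key[i % len(key)] for i, b in enumerate(data))

def brute_force(blob: bytes, marker: bytes = b"@echo off"):
    """Try every single-byte key and every rotation; keep outputs containing `marker`.

    Returns a list of (key, shift, plaintext) candidates. A batch file almost
    always starts with "@echo off", which makes a good known-plaintext marker.
    """
    hits = []
    for shift in range(8):
        for k in range(256):
            out = decode(blob, bytes([k]), shift)
            if marker in out:
                hits.append((k, shift, out))
    return hits

# Constructed sample: a two-line batch file, encoded with hypothetical parameters.
SAMPLE_PLAINTEXT = b"@echo off\r\nstart /b dropped.exe\r\n"
SAMPLE_KEY = b"\x5a"
SAMPLE_SHIFT = 3
SAMPLE_BLOB = encode(SAMPLE_PLAINTEXT, SAMPLE_KEY, SAMPLE_SHIFT)

if __name__ == "__main__":
    for key, shift, text in brute_force(SAMPLE_BLOB):
        print(f"key=0x{key:02x} shift={shift}\n{text.decode('ascii', 'replace')}")
```

The order of operations matters: if the sample was XORed first and rotated second, decoding must rotate first and XOR second, which is why the brute-forcer calls decode() rather than simply XORing. For a multi-byte key, the same search can be run per key position once the key length is guessed.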

Re: Good resource for learning how to debug & reverse engineer?

 by fade ¦  Wed Jul 16, 2014 2:31 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Good resource for learning how to debug & reverse engineer? ¦  Replies: 16 ¦  Views: 97825

Step 1: Learn C/C++/Delphi etc. You can't reverse engineer if you can't forward engineer.
Step 2: Learn x86 assembly - http://opensecuritytraining.info/IntroX86.html (includes videos)
Step 3: Learn x86 architecture - http://opensecuritytraining.info/IntermediateX86.html (includes videos)
Step 4: Le...

Re: [Poll] What is your home AV?

 by fade ¦  Wed Jul 16, 2014 2:17 am ¦  Forum: General Discussion ¦  Topic: [Poll] What is your home AV? ¦  Replies: 40 ¦  Views: 65914

YARA Scanning and continuous DNS monitoring seems to work well for me.