A forum for reverse engineering, OS internals and malware analysis 

Search found 249 matches


Re: Doctor Web identifies large Mac botnet

 by R136a1 ¦  Sat Apr 07, 2012 9:20 am ¦  Forum: Malware ¦  Topic: Doctor Web identifies large Mac botnet ¦  Replies: 25 ¦  Views: 19613

Seems like DrWeb landed a great coup with this story. :-)

If someone has a sample of this malware, please upload. Thanks.

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

 by R136a1 ¦  Sat Mar 31, 2012 11:05 am ¦  Forum: Malware ¦  Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 374 ¦  Views: 326468

Whitepaper by Symantec (22.3.2012):

ZeroAccess Infection Analysis
http://www.symantec.com/content/en/us/e ... alysis.pdf

List of Anti-Rootkits -> updated

 by R136a1 ¦  Sat Mar 31, 2012 10:39 am ¦  Forum: Tools/Software ¦  Topic: Antirootkits ¦  Replies: 55 ¦  Views: 72032

ATool - http://www.antiy.net/download/atool.rar -> dead
ATool (mirror) - http://www.kernelmode.info/ARKs/atool.rar
Antivir Antirootkit - http://dl.antivir.de/down/windows/antivir_rootkit.zip
Avast! Antirootkit - http://files.avast.com/files/beta/aswar.exe
AVZ - http://www.z-oleg.com/secur/avz/downl...

Re: Whistler Bootkit

 by R136a1 ¦  Sun Feb 26, 2012 1:23 pm ¦  Forum: Malware ¦  Topic: Whistler Bootkit ¦  Replies: 16 ¦  Views: 17887

Dropper
MD5: 4b9ef6ed40836450035cad1c45b8beb6

Does someone have access to Virustotal?

Crash dump I/O path [talk at syscan12 conference]

 by R136a1 ¦  Mon Feb 13, 2012 10:37 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Crash dump I/O path [talk at syscan12 conference] ¦  Replies: 3 ¦  Views: 5223

Hi there, a friend drew my attention to this interesting talk about the Windows crash dump path. I/O, You own: Regaining control of your disk in the presence of bootkits (Aaron LeMasters) Master Boot Record based rootkits (MBR rootkits, or bootkits for short) have existed for decades but are more rec...

Re: Whistler Bootkit

 by R136a1 ¦  Mon Feb 13, 2012 10:25 am ¦  Forum: Malware ¦  Topic: Whistler Bootkit ¦  Replies: 16 ¦  Views: 17887

I was aware of these MBRs uploaded to VirusTotal; unfortunately, that doesn't help me very much.

Anyway thanks for uploading here!

Re: Whistler Bootkit

 by R136a1 ¦  Sun Feb 05, 2012 5:35 pm ¦  Forum: Malware ¦  Topic: Whistler Bootkit ¦  Replies: 16 ¦  Views: 17887

Hey there, the development of Whistler Bootkit hasn't stopped as I thought. Here we have a blog post claiming that they found a new Whistler variant ITW (November 2011): http://labs.bitdefender.com/?post_type=post&p=807 Unfortunately they don't want to provide a sample (I asked) or a hash of the afor...

Threat from 16bit executable [AVG]

 by R136a1 ¦  Tue Jan 31, 2012 3:37 pm ¦  Forum: Malware ¦  Topic: Threat from 16bit executable [AVG] ¦  Replies: 2 ¦  Views: 4545

Hey there,

does anybody have the sample mentioned in the following blog post:
http://blogs.avg.com/news-threats/threa ... xecutable/

It is a dropper (16-bit Windows NE format) written by a Chinese malware writer.

Unfortunately, no hashes or name of the sample are given.

Re: Source of Malware

 by R136a1 ¦  Mon Jan 30, 2012 9:21 pm ¦  Forum: Malware ¦  Topic: Source of Malware ¦  Replies: 141 ¦  Views: 223372

Great site:
http://www.nothink.org

Also contains binary links (Italian domains only):
http://www.nothink.org/viruswatch.php

Re: MIDI vulnerability + malware

 by R136a1 ¦  Mon Jan 30, 2012 5:47 pm ¦  Forum: Malware ¦  Topic: MIDI vulnerability + malware ¦  Replies: 5 ¦  Views: 5115

I made a mistake: 20120113.exe doesn't contain any rootkit capabilities, as you probably already noticed. This is the credentials stealer "related to certain Korean online game sites." The dropper (tdc.exe) contains the rootkit. Unfortunately I am not able to decrypt this file. As you already mentione...
