A forum for reverse engineering, OS internals and malware analysis 

Search found 233 matches


Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

 by R136a1 ¦  Tue Jan 26, 2016 3:51 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 570743

I'm trying to figure out if it's spreading at all; there does seem to be a very slow growth in the number of online bots per day, but that could be just all the crawlers using EP_X0FF's source :P I am also trying to figure out the infection vector itself for some time, but it remains unknown to me. I hav...

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

 by R136a1 ¦  Tue Jan 26, 2016 12:28 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 570743

I am also surprised that the return of this botnet got no attention from any of the big security companies, especially because it's one of the few remaining malware families which deserves the term "sophisticated". On the other hand, it is understandable after they proclaimed victory over the botnet ...

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by R136a1 ¦  Mon Jan 18, 2016 10:27 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 570743

Re: Analyzing a com dll

 by R136a1 ¦  Tue Jan 05, 2016 1:48 pm ¦  Forum: Newbie Questions ¦  Topic: Analyzing a com dll ¦  Replies: 4 ¦  Views: 6321

Well, there are some rare articles which deal with COM-related malware: https://www.virusbtn.com/virusbulletin/archive/2014/08/vb201408-IcoScript https://www.vmray.com/blinding-malware-analysis-with-com-objects/ Anyway, the best way to understand COM is to read the Microsoft documentation and start ...

Re: Analyzing a com dll

 by R136a1 ¦  Mon Jan 04, 2016 6:29 pm ¦  Forum: Newbie Questions ¦  Topic: Analyzing a com dll ¦  Replies: 4 ¦  Views: 6321

There is an article from Malwarebytes which gives a good introduction to reversing COM files: https://blog.malwarebytes.org/intellige ... ious-code/

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

 by R136a1 ¦  Sun Jan 03, 2016 11:46 am ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 570743

Hi folks, I have found a new year present from the ZeroAccess author(s). This fresh variant comes in the form of a dropper which contains the encrypted payload inside a .png file in the resource section. -> see Zeroaccess_2016 (attached) Last year around the same time an earlier (unencrypted) sample of this...

Ardbot [x86/x64]

 by R136a1 ¦  Tue Dec 15, 2015 12:36 pm ¦  Forum: Malware ¦  Topic: Ardbot [x86/x64] ¦  Replies: 1 ¦  Views: 6038

Hi folks, I first discovered this bot a few months ago. It seems to be a work in progress, because bot and loader are full of debug strings. Currently, it constantly crashes explorer.exe after the injection process on all Windows versions up to Windows 10. Might be interesting anyway for future research, ...

ModPOS (Backdoor.Straxbot, TrojanDropper:Win32/Rortiem.A)

 by R136a1 ¦  Thu Nov 26, 2015 9:09 pm ¦  Forum: Malware ¦  Topic: ModPOS (Backdoor.Straxbot, TrojanDropper:Win32/Rortiem.A) ¦  Replies: 5 ¦  Views: 9422

Hi folks, some info about this malware can be found here: http://www.isightpartners.com/2015/11/modpos/ Because the report does not mention any file hashes (which sucks!), I thought I'd give it a try and finally found some droppers. Might be older versions, since the PE time stamps date back to 2012. ...

Re: Winnti backdoor

 by R136a1 ¦  Tue Oct 06, 2015 1:34 pm ¦  Forum: Malware ¦  Topic: Winnti backdoor ¦  Replies: 6 ¦  Views: 10344

This bootkit is known in certain circles as "sunx bootkit". Unfortunately, I have deleted the sample that I found which included a pdb path. Also, I saw a similar sample that also had a pdb path and was detected as Derusbi. Interestingly, this bootkit includes functionality that searches for t...

Re: Win32/Kovter

 by R136a1 ¦  Thu Sep 17, 2015 12:54 pm ¦  Forum: Malware ¦  Topic: Win32/Kovter ¦  Replies: 39 ¦  Views: 52992