Archive for the ‘General InfoSec’ Category

Gimmiv DLL

Friday, October 24th, 2008

The DLL looks really interesting. Interesting in the sense that even though the code is reaaally easy to read, it’s a rare find since it’s riddled with bad programming. It’s a wonder these guys even managed to make a malware that actually compiles. (more…)

New worm on the loose

Friday, October 24th, 2008

There’s a new malware on the loose, using the MS08-067 that was released out-of-band yesterday. Surprisingly, the malware isn’t packed. The common detection for this is Trojan:W32/Gimmiv.A, and the initial package is just a dropper. (more…)

antitest.exe is out

Wednesday, October 22nd, 2008

As I mentioned in the previous blog post, I’ve been working on a binary that contains various anti-debug/tracing/emulation/virtualization tricks. Even though there’d be an eternal list of tricks to be added to it, I’m pretty satisfied with the ones it has currently. (more…)

One jailed, several to go

Saturday, October 18th, 2008

I just realized it’s been ages since I’ve last written anything here. I’ve found my hands full of interesting projects and while I didn’t forget teamfurry.com I found too little time to puke my thoughts onto the blog. I’ve been lurking in the shadows though, watching over the forum.

(more…)

Java DDOS bot

Saturday, May 10th, 2008

Just stumbled onto a DDOS bot written in Java. Usually there aren’t too many malicious programs for Java, so I decided to take a closer look. The code quality is about as bad as in the previous entry that depicted the PHP DDoS Bot, but I think the Java version has more potential to grow into a problem. (more…)

PHP DDOS Bot

Saturday, May 10th, 2008

Every so often I run into some new evil that interests me enough to take a deeper peek. This time a DDOS bot written in PHP caught my eye. I haven’t seen this in the wild anywhere, but it’s still quite interesting. (more…)

Spammed downloader

Saturday, March 22nd, 2008

Getting spam with attached malware isn’t anything new. Usually I just dispose of the junk mail, but every now and then I see a spam message that looks interesting enough to dig further. Today’s example is a spam mail that claimed to be a reply to a message I allegedly sent. The body of the message was like this: (more…)

A bunch of trackback spam from the stash

Tuesday, February 12th, 2008

Running a blog means that the software is constantly under a barrage of exploit / spam attempts, as is the case with any web service.

I have a few hooks and traps spread around to sniff out what’s coming in, especially in HTTP POSTs. So, without further ado, the following items are from a trap that’s logging trackback spam:

(more…)

Are Nigerians Evolving From The 419 Letters?

Tuesday, February 12th, 2008

I was going through my access logs to see what nasties have been thrown at me since the last time.

Amongst the normal enter_your_RFI_exploit_here I saw this script being pushed onto the server:

(more…)

PHP based IRC botnet, fast-flux of course

Wednesday, January 30th, 2008

I was checking out the various RFI (Remote File Inclusion) exploits thrown at my site when I saw an exploit file that was heavily obfuscated. I meddled with the code a bit and got it to reveal the C&C servers:

(more…)
