The DLL looks really interesting. Interesting in a sense that even though the code is reaaally easy to read, it’s a rare find since it’s riddled with bad programming. It’s a wonder these guys even managed to make a malware that actually compiles. (more…)
There’s a new malware on the loose, using the MS08-067 that was released out-of-band yesterday. Surprisingly, the malware isn’t packed. The common detection for this is Trojan:W32/Gimmiv.A, and the initial package is just a dropper. (more…)
As I mentioned in the previous blog post I’ve been working on a binary that contains various anti-debug/tracing/emulation/virtualization tricks. Even though there’d be an eternal list of tricks to be added to it I’m pretty satisfied with the ones it has currently. (more…)
I just realized it’s been ages since I’ve last written anything here. I’ve found my hands full of interesting projects and while I didn’t forget teamfurry.com I found too little time to puke my thoughts onto the blog. I’ve been lurking in the shadows though, watching over the forum.
Just stumbled onto a DDOS bot written in java. Usually there aren’t too many malicious programs for java so I decided to take a closer look. The code quality is about as bad as in the previous entry that depicted the PHP DDoS Bot, but I think the java version has more potential to grow into a problem. (more…)
Every so often I run into some new evil that interests me enough to take a deeper peek. This time a DDOS bot written in PHP caught my eye. I haven’t seen this in the wild anywhere, but it’s still quite interesting. (more…)
Getting spam with attached malware isn’t anything new. Usually I just dispose the junk mails but every now and then I see a spam message that looks interesting enough to dig further. Today’s example is a spam mail that claimed to be a reply to a message I allegedly sent. The body of the message was like this: (more…)
Running a blog means that the software is constantly under a barrage of exploit / spam attemps, as is the case with any webservice.
I have a few hooks and traps spread around to sniff out what’s coming in, especially in HTTP POSTs. So, without further ado the following items are from a trap that’s logging trackback spams:
I was going through my access logs to see what nasties have been thrown at me since the last time.
Amongst the normal enter_your_RFI_exploit_here I saw this script being pushed onto the server:
I was checking out the various RFI (Remote File Inclusion) exploits thrown at my site when I saw an exploit file that was heavily obfuscated. I meddled with the code a bit and got it to reveal the C&C servers: