Releasing some tools

September 30th, 2007

I’ve decided to release some of the tools I’ve made in the past. I won’t release them all, as a few of them are more useful kept private. I’ll be mostly releasing runtime unpackers, but if you have a tool in mind, ping me at toni(_at_)teamfurry.com

Automatic malware spying

September 23rd, 2007

Analyzing malware is sometimes a tedious task. Without proper tools, you can never know what packer surrounds the malware or how to bypass it. Or maybe you’re just getting whacked by the sheer volume of incoming malicious samples.

Unpacking Pohernah

September 17th, 2007

Pohernah is a packer with Russian origins. Manual tracing is extremely tiresome since there are dozens of various decryption loops and layers in the code.


So, who is behind Virut?

September 4th, 2007

The guy(s) behind the Virut botnet have been doing their malicious deeds for a long time now. What puzzles me is that they are still using the same domain names as they did ages ago (zief.pl, ircgalaxy.pl and so on). There’s also some connection between the Virut gang and RBN, the blackest of the black ISPs.

So, I decided to dig in a bit to see if I could locate anything. First of all, one of the guys running zief.pl and ircgalaxy.pl goes under the nickname xmax.

Here’s some info on him:

He’s a half-op on PolNet (forum.ircnet.pl)
Birthdate claimed to be 17 Lut 1989 (February 17th 1989)
Name and surname: Max S (from Jabberpl)
Where: Kamienna Góra (from FCLiverPool.pl)

Email addresses:

xmax@canpol.pl
xmax@chrome.pl

Interestingly, canpol.pl redirects to softland.pl

LINKS:

http://forum.ircnet.pl/profile.php?mode=viewprofile&u=369&sid=8be147989567657c04b4504b0fa25eba
http://xmax.jogger.pl
http://www.last.fm/user/xmax/
http://jaggedalliance.pl/forum/profiles/814.htm
http://www.kamienna-gora.pl/en/index.html
Google cache hit in fcliverpool.pl
http://grono.net/pub/u/4424/

Ok, let’s move on. Another guy involved with zief.pl and ircgalaxy.pl goes under the nickname adx. He also seems to be an asm-whiz. Here’s some information on him:

Nickname: adx
Realname: Piotr Niżyński
Where: Warszawa (Warsaw)

Email Addresses:

adx@zief.pl
adx@crashnet.pl
adx@bezduszni.pl
adx@irc7.pl

Various links:

http://forum.ircnet.pl/viewtopic.php?p=19908&sid=c1b71d4a7e8d00c3db973dba524c7ac1
http://209.85.129.104/search?q=cache:kbBMbZ7QY8cJ:www.ksiazki.com/pl.irc_60.html+adx+zief&hl=fi&ct=clnk&cd=2&gl=fi
http://www.antywir.pl/post1039.html
http://www.adx.irc7.pl/
http://forum.ircnet.pl/profile.php?mode=viewprofile&u=740&sid=e3c8945c1eb2468be559683659f49586
http://www.grupy.waw.pl/stats-21961.html

I’ll try to see if I can dig something up a little later, but meanwhile you can check this out:

http://209.85.129.104/search?q=cache:mgPye9UW60UJ:www.htn.pl/index.html%3Fid%3D8+%22Piotr+Ni%C5%BCy%C5%84ski%22&hl=fi&ct=clnk&cd=10&gl=fi

Seems that the guys might be running a legitimate cover on their operations.

If you know a capable contact inside the Polish police forces you might point them to some of the information seen here. It would be high time to get these guys off the market.

zxarps

August 29th, 2007

There’s a nifty (or nasty, depending on which side you’re on) tool being offered for download. The tool (called zxarps) is a hacking tool mostly used in China.


Unpacking nPack

August 29th, 2007

nPack is a public PE executable compressor that can be freely downloaded from various sites. Here’s a description by the author:

“nPack is a Win32 PE executable file compressor. Features:
- Support for all types of PE files (exe, dll, ocx)
- Compression of program code, data, and resources
- Section naming support
- Fast decompression routines
- Relocation support
- TLS support
- File rebuilding
- Strip relocation
- Strip debug information


Patch ‘em TrendMicroes

August 29th, 2007

Even though this is a late warning, take heed.

If you are running TrendMicro installations that haven’t been patched in a while, please patch them soon :) There is already malware that exploits the vulnerable installations.

Forums launched

August 29th, 2007

I’ve launched a forum concentrating on malware, packers and reverse engineering. The forums can be reached here:

http://www.teamfurry.com/index.php

If you have any questions on any of the topics handled here, or any other questions relating to them, send your queries to the forum. Also, as a result of craploads of automated comment spam bombarding the blog, commenting will be disabled. Any comments on blog entries can be submitted to the forums in their own board.

Pump & Dump spam arriving as excel attachments

July 21st, 2007

Just noticed several pump&dump scams that dropped into my inbox. The attachment is usually named “detail invoice” or “detail report<random numbers>”, and is in the Excel .xls format.

Sunshine on a stormy day

July 19th, 2007

StormWorm has been spreading for quite a while now. Otherwise known as win32.tibs, win32.zhelatin or Trojan.Peacomm, it has been a widespread pest for a long time.
