MW-Blog

KMFCopy is a small utility that copies files in kernel-mode. As such, it need administrative privileges.
Read the rest of this entry »

BlackEnergy is yet another malware coming from Russia. The package is a “for dummies” version, exhibiting a nice GUI you can use to modify the bot. The only purpose for BlackEnergy is to DDOS. It does not spread on it’s own, it just sits and polls a HTTP C&C (Command and Control) to see whether it has been given any targets.

Read the rest of this entry »

This is a runtime unpacker for PolyCryptPE. Being a runtime unpacker, you have every chance of toasting your buttocks since I cannot promise the executable won’t escape. I have tried to add a few safeguards to it, but you still need to be careful. Also, it’s not a perfect unpacker since the imports will be broken in the dumped image. Read the rest of this entry »

I’ve decided to release some of the tools I’ve made in the past. I won’t release them all, as few of them are more useful as private ones. I’ll be mostly releasing runtime unpackers, but if you have a tool in mind, ping me at toni(_at_)teamfurry.com

Analyzing malware is a tedious task sometimes. Without proper tools, you can never know what packer surrounds the malware or how to bypass it. Or maybe you’re just getting whacked by the sheer volume of incoming malicious samples. Read the rest of this entry »

Pohernah is a packer with Russian origins. Manual tracing is extremely tiresome since there are dozens of various decryption loops and layers in the code.

Read the rest of this entry »

The guy(s) behind the Virut botnet have been doing their malicious deeds for a long time now. What puzzles me is that they are still using the same domain names as they did ages ago (zief.pl, ircgalaxy.pl and so on). There’s also some connection between the Virut gang and RBN, the blackest of the black ISPs.

So, I decided to dig in a bit to see if I could locate anything. First of all, one the guys running zief.pl and ircgalaxy.pl goes under the nickname xmax.

Here’s some info on him:

He’s a half-op on PolNet (forum.ircnet.pl)
Birthdate claimed to be 17 Lut 1989 (February 17th 1989)
Name and surname: Max S (from Jabberpl)
Where: Kamienna Góra (from FCLiverPool.pl)

Email addresses:

xmax@canpol.pl
xmax@chrome.pl

Interestingly, canpol.pl redirects to softland.pl

LINKS:

http://forum.ircnet.pl/profile.php?mode=viewprofile&u=369&sid=8be147989567657c04b4504b0fa25eba
http://xmax.jogger.pl
http://www.last.fm/user/xmax/
http://jaggedalliance.pl/forum/profiles/814.htm
http://www.kamienna-gora.pl/en/index.html
Google cache hit in fcliverpool.pl
http://grono.net/pub/u/4424/

Ok, let’s move on. Another guy involved with zief.pl and ircgalaxy.pl goes under the nickname adx. He also seems to be an asm-whiz. Here’s some information on him:

Nickname: adx
Realname: Piotr Niżyński
Where: Warszawa (Warsaw)

Email Addresses:

adx@zief.pl
adx@crashnet.pl
adx@bezduszni.pl
adx@irc7.pl

Various links:

http://forum.ircnet.pl/viewtopic.php?p=19908&sid=c1b71d4a7e8d00c3db973dba524c7ac1
http://209.85.129.104/search?q=cache:kbBMbZ7QY8cJ:www.ksiazki.com/pl.irc_60.html+adx+zief&hl=fi&ct=clnk&cd=2&gl=fi
http://www.antywir.pl/post1039.html
http://www.adx.irc7.pl/
http://forum.ircnet.pl/profile.php?mode=viewprofile&u=740&sid=e3c8945c1eb2468be559683659f49586
http://www.grupy.waw.pl/stats-21961.html

I’ll try to see if I can dig something up a little later, but meanwhile you can check this out:

http://209.85.129.104/search?q=cache:mgPye9UW60UJ:www.htn.pl/index.html%3Fid%3D8+%22Piotr+Ni%C5%BCy%C5%84ski%22&hl=fi&ct=clnk&cd=10&gl=fi

Seems that the guys might be running a legitimate cover on their operations.

If you know a capable contact inside the Polish police forces you might point them to some of the information seen here. It would be high time to get these guys off the market.

There’s a nifty (or nasty, depends on which side you are on) tool being offered for download. The tool (called zxarps) is a hacking tool mostly used in China.

Read the rest of this entry »

nPack is a public PE executable compressor that can be freely downloaded from various sites. Here’s a description by the author:

“nPack is a Win32 PE executable file compressor. Features: - Support for all types of PE files (exe, dll, ocx) - Compression of program code, data, and resources - Section naming support - Fast decompression routines - Relocation support - TLS support - File rebuilding - Strip relocation - Strip debug information”

Read the rest of this entry »

Even though this is a late warning, take heed.

If you are running TrendMicro installations that haven’t been patched in a while please patch them soon :) There’s already malwares that exploit the vulnerable installations.