Forums launched

August 29th, 2007

I’ve launched a forum concentrating on malware, packers and reverse engineering. The forums can be reached here:

http://www.teamfurry.com/index.php

If you have any questions on any of the topics handled here, or any other questions relating to them, send your queries to the forum. Also, as a result of craploads of automated comment spam bombarding the blog, commenting on the blog will be disabled. Any comments on blog entries can be submitted to the forums in their own board.

Pump & Dump spam arriving as excel attachments

July 21st, 2007

Just noticed several pump&dump scams that dropped into my inbox. The attachment is usually named “detail invoice” or “detail report<random numbers>” and comes in the Excel .xls format.

Sunshine on a stormy day

July 19th, 2007

StormWorm has been spreading for quite a while now. Otherwise known as win32.tibs, win32.zhelatin or Trojan.Peacomm, it has been a widespread pest for a long time.


Greetings from Estonia

July 8th, 2007

I’m on vacation in Estonia currently with my wife and kids. Tallinn is a very beautiful town, so if you have a chance to visit, don’t hesitate.

Getting a free sidedish with your order

June 21st, 2007

There are enormous numbers of sites on the internet that offer free downloads of shareware/evaluation programs. Some of them screen (or at least try to) the programs they are going to offer, some don’t. In addition to those, there is a huge bunch of sites that are outright malicious.

Process Memory Dumper

June 18th, 2007

I got tired of malware moving all around process memory, modifying system DLLs and so on. So I decided to write a dumper that dumps the whole process memory to disk.

“False” positive with AllapleRemover

June 18th, 2007

I was troubleshooting a weird signature hit that AllapleRemover reported.

The weird thing was that the signature was found inside the nod32krn.exe process, which is the kernel process belonging to the NOD32 antivirus scanner (www.eset.com).

After checking some dumps of the process memory it was quite easy to see what was causing the hits. The signatures themselves are solid and working. The problem was that NOD32 copies files into memory when a new process is starting, and scans the process-to-be before letting it run. NOD32 didn’t flush the copied memory fast enough, if at all, which caused AllapleRemover to effectively detect itself inside the nod32krn.exe process :)

Even though I could build a kludge to bypass this, I won’t. I don’t feel any burning need to make the program complicated by fixing these kinds of mishaps. Allaple does _not_ inject itself anywhere, so if you get a hit on an anti-virus application, just let it drop :)
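The two entries above, the process memory dumper of June 18th and the AllapleRemover self-hit, as one added example that is not the teamfurry.com code. It walks a process's memory map, dumps every readable region to disk and scans the same regions for a byte signature. It uses Linux /proc/<pid>/maps and /proc/<pid>/mem (a Windows tool would typically use VirtualQueryEx and ReadProcessMemory instead); the signature bytes, the output file naming and the function names are my own assumptions. Run against its own pid it reproduces the effect described in the post: a scanner that holds its signature as plain bytes finds that copy in its own heap, and an AV that has pulled the scanner's file into its own process memory shows the same hit, without either process being infected.

```python
#!/usr/bin/env python3
"""Linux process memory dumper and signature scanner (added example, not the
teamfurry.com dumper or AllapleRemover). Reads the map of a process from
/proc/<pid>/maps and its contents through /proc/<pid>/mem."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# One /proc/<pid>/maps line: "start-end perms offset dev inode [pathname]".
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

# Constructed demo signature (hypothetical; a real one is cut from the malware
# body). Stored as plain bytes it also lives in the heap of whatever process
# loads this module, which is exactly what produces the self-hit.
SIGNATURE = b"\x8b\x45\xfc\x83\xc0\x01ALLAPLE-DEMO-SIGNATURE"


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str  # "" for anonymous maps, "[heap]"/"[stack]", or a file path

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Region]:
    """Parse the text of /proc/<pid>/maps into Region records."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                                  m.group(3), m.group(4)))
    return regions


def iter_readable(pid: int, max_region: int = 64 << 20) -> Iterator[Tuple[Region, bytes]]:
    """Yield (region, contents) for every readable region of pid.
    Regions that vanish between the maps snapshot and the read, or that the
    kernel refuses to serve (e.g. [vvar], [vsyscall]), are skipped, not fatal."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        for r in regions:
            if "r" not in r.perms or r.size > max_region:
                continue
            try:
                data = os.pread(fd, r.size, r.start)
            except (OSError, OverflowError):  # EIO on special maps, offset > 2**63
                continue
            if data:
                yield r, data
    finally:
        os.close(fd)


def dump_process(pid: Optional[int] = None, out_dir: Optional[str] = None) -> List[str]:
    """Write each readable region to <out_dir>/<start>-<end>.bin; return the paths.
    Defaults to the calling process and a fresh temporary directory."""
    pid = os.getpid() if pid is None else pid
    out_dir = tempfile.mkdtemp(prefix="memdump-") if out_dir is None else out_dir
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for r, data in iter_readable(pid):
        path = os.path.join(out_dir, f"{r.start:016x}-{r.end:016x}.bin")
        with open(path, "wb") as f:
            f.write(data)
        written.append(path)
    return written


def scan_process(signature: bytes, pid: Optional[int] = None) -> List[Tuple[Region, int]]:
    """Return (region, absolute address) for every occurrence of signature in pid."""
    pid = os.getpid() if pid is None else pid
    hits = []
    for r, data in iter_readable(pid):
        pos = data.find(signature)
        while pos != -1:
            hits.append((r, r.start + pos))
            pos = data.find(signature, pos + 1)
    return hits


def self_hits(signature: bytes = SIGNATURE) -> List[Tuple[Region, int]]:
    """Scan the scanner's own process: the plain-bytes signature turns up in a
    writable heap region, not in any executable image. The same kind of hit in
    an AV process that has copied the scanner's file is noise, not an infection."""
    return scan_process(signature, os.getpid())


if __name__ == "__main__":
    print(f"dumped {len(dump_process())} regions of pid {os.getpid()}")
    for region, addr in self_hits():
        print(f"signature at {addr:#x} in {region.path or '<anon>'} ({region.perms})")
```

When triaging a hit, the region it lands in is the useful datum: a match inside a writable anonymous or heap region of a scanner or AV process is a copy of a scanned file, while a match inside the mapped image of the suspect executable is the real thing.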

Unknown UPX protector

June 14th, 2007

I stumbled onto an unknown UPX protector a while back. The stub is easy to recognize and fingerprint, and the unpacking is just as easy.

Unpacking Stones Encrypter

May 30th, 2007

While I was rummaging through my file stash for anything interesting I spotted a few files that were packed with something known as Stone’s Encrypter. It doesn’t contain any anti-debug tricks, and based on the file count I had, it seems to be a bit unpopular. Anyway, here are the instructions on unpacking it.

Writer(s) wanted

May 26th, 2007

I’m seeking one or two people to write entries here. I don’t need the typical BS entries that plague the blogs (”This week, I’ve been mostly eating thawed chickens”, anyone?). What I need is someone who loves to pick packers and malware apart and who is prepared and capable of putting the process into writing. There are no quotas to meet in writing: write what you want when you want, as long as it’s got something to do with malware / packers / reverse engineering, and as long as you don’t do anything illegal. So, if you have the morals and integrity as well as the capability, contact me with a short introduction of yourself: what you do and so on. And add a few links to or snippets of what you’ve written. Mails should be sent to toni(_at_)teamfurry.com

Cheers!
