August 29th, 2007
nPack is a public PE executable compressor that can be freely downloaded from various sites. Here’s a description by the author:
“nPack is a Win32 PE executable file compressor. Features:
- Support for all types of PE files (exe, dll, ocx)
- Compression of program code, data, and resources
- Section naming support
- Fast decompression routines
- Relocation support
- TLS support
- File rebuilding
- Strip relocation
- Strip debug information”
Posted in Packer-Magic | No Comments »
August 29th, 2007
Even though this is a late warning, take heed.
If you are running TrendMicro installations that haven’t been patched in a while, please patch them soon :) There are already malwares that exploit the vulnerable installations.
Posted in General InfoSec | No Comments »
August 29th, 2007
I’ve launched a forum concentrating on malwares, packers and reverse engineering. The forums can be reached here:
http://www.teamfurry.com/index.php
If you have any questions on any of the topics handled here, or any other questions relating to them, send your queries to the forum. Also, as a result of craploads of automated comment spam bombarding the blog, commenting will be disabled. Any comments on blog entries can be submitted to the forums in its own board.
Posted in General InfoSec | No Comments »
July 21st, 2007
Just noticed several pump&dump scams that dropped into my inbox. The attachment seems to usually be named “detail invoice” or “detail report<random numbers>”, and is in the Excel .xls format.
Posted in General InfoSec | No Comments »
July 19th, 2007
StormWorm has been spreading for quite a while now. Otherwise known as win32.tibs, win32.zhelatin or Trojan.Peacomm, it has been a widespread pest for a long time.
Posted in Tools, Malware FreakShow | 6 Comments »
July 8th, 2007
I’m on vacation in Estonia currently with my wife and kids. Tallinn is a very beautiful town, so if you have a chance to visit, don’t hesitate.
Posted in Uncategorized | No Comments »
June 21st, 2007
There are enormous numbers of sites on the internet that offer free downloads of shareware/evaluation programs. Some of them screen (or at least try to) the programs they are going to offer, some don’t. In addition to those, there is a huge bunch of sites that are outright malicious.
Posted in Malware FreakShow | No Comments »
June 18th, 2007
I got tired of malwares moving all around process memory, modifying system dlls and so on. So, I decided to write a dumper that dumps the whole process memory to disk.
Posted in Tools | No Comments »
June 18th, 2007
I was troubleshooting a weird positive signature hit that AllapleRemover detected.
The weird thing was that the signature was found inside the nod32krn.exe process, which is the kernel process belonging to the NOD32 antivirus scanner (www.eset.com).
After checking out some dumps of the process memory it was quite easy to see what was causing the hits. The signatures themselves are solid and working. The problem was that NOD32 copies the file of a process that is starting into its own memory, and scans the process-to-be before letting it run. NOD32 didn’t flush the copied memory fast enough, if at all, which caused AllapleRemover to effectively detect itself inside the nod32krn.exe process :)
Even though I could build a kludge to bypass this, I won’t. I don’t feel any burning need to make the program complicated by fixing this kind of mishap. Allaple does _not_ inject itself anywhere, so if you get a hit on an anti-virus application, just let it drop :)
Posted in Tools | No Comments »
June 14th, 2007
I stumbled onto an unknown UPX protector a while back. The stub is easy to recognize and fingerprint, and the unpacking is just as easy.
Posted in Packer-Magic | No Comments »