WARNING: This site contains samples of live malware. Use at your own risk.

New Search System, No More Accounts Needed [1]

The new search system with the updated authentication system is online. There is still some missing functionality but it should let everyone download samples. If you find any problems please let me know. There will be some quirks as we move to the new version of the website. If you find any bugs please let me know on Twitter @openmalware.

Danny

[1] You still need a Google account to download the samples

State of Offensive Computing

I would like to take this time to thank everyone that expressed their support while Offensive Computing was offline. It was a trying time and I really appreciate everyone's support. Without getting into any of the specifics of why the site was offline for two months, we are back and here to stay. There are a couple of people who were instrumental in helping to keep everything up and running. Paul Royal, from the Georgia Tech Information Security Center helped out significantly with hardware and the new home of the site. Kelcey Tietjen also stepped in and helped out tremendously. If you see either of them at some upcoming conferences (hint: Paul is giving a talk at Blackhat) buy them a drink.

There are a couple of changes that are going to happen that more accurately reflect the intentions of the site. First, the name will be changing to Open Malware. The new name more accurately reflects the purpose and intention of the site. Way back in 2005 the intention was to make this a place where you could find information related to malware and other types of hacking. As things (and life) have progressed it has changed into a malware research site, specifically with the ability to download malware samples. The domain will be OpenMalware.org in the very near future.

The second big item of news is that we will be transitioning to a download-only malware repository in the coming weeks. The blog site will be officially shutting down. There are much better forums maintained by commercial services that have taken up the role of a discussion area. Specifically the /r/ReverseEngineering and /r/Malware sub-Reddits, and OpenRCE are better avenues of communication. I will maintain a static version of the site to archive the old content.

To accommodate the new download site, there will be a couple of changes. First, a lot of the back end software has changed. Searches will be faster, more malware will be available, and the overall maintenance will be a lot easier. Second, you will need to have a valid, verified Google Account. Having a Google account allows us to use industry standard authentication, and most importantly not to have to maintain a user database. Get one here if you haven't already. In the meantime new account creation is disabled while we make the transition. Old accounts should work as normal.

Finally, we are discontinuing our commercial services. I would like to thank all of our customers for their business. You all helped to support this site and maintain an open service. We will be looking at transitioning to a non-profit status in the coming years.

Thanks again,

Danny Quist

VizSec 2012 Call for Papers Out

VizSec 2012 will be held in mid-October as part of VisWeek in Seattle. Papers are due July 1.

The International Symposium on Visualization for Cyber Security (VizSec) is a forum that brings together researchers and practitioners from academia, government, and industry to address the needs of the cyber security community through new and insightful visualization techniques. Co-located this year with VisWeek, the 9th VizSec will provide new opportunities for the usability and visualization communities to collaborate and share insights on a broad range of security-related topics. Accepted papers will appear in the ACM Digital Library as part of the ACM International Conference Proceedings Series.

Important research problems often lie at the intersection of disparate domains. Our focus is to explore effective, scalable visual interfaces for security domains, where visualization may provide a distinct benefit, including computer forensics, reverse engineering, insider threat detection, cryptography, privacy, preventing 'user assisted' attacks, compliance management, wireless security, secure coding, and penetration testing in addition to traditional network security. Human time and attention are precious resources. We are particularly interested in visualization and interaction techniques that effectively capture human analyst insights so that further processing may be handled by machines, freeing the analyst for other tasks. For example, a malware analyst might use a visualization system to analyze a new piece of malicious software and then facilitate generating a signature for future machine processing. When appropriate, research that incorporates multiple data sources, such as network packet captures, firewall rule sets and logs, DNS logs, web server logs, and/or intrusion detection system logs, is particularly desirable.

More information is on the web site:

http://www.ornl.gov/sci/vizsec

Scalable, Automated Baremetal Malware Analysis

This week I will be presenting on scalable, automated baremetal malware analysis at Black Hat Europe. My presentation will coincide with the release of NVMTrace, a tool that facilitates automated baremetal sample processing using inexpensive hardware and freely available technologies. More information is available at the following link:

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis

If you are attending Black Hat Europe and malware analysis is a topic of interest to you, please attend my talk. If you are interested but will not be in attendance, please let me know and I will make my whitepaper and slide set available to you.

BHO Reversing


For a long time (BHOs have been supported since IE 4.0) malware writers have exploited BHO functionality to bully IE users.
Mostly an evil BHO has two functions (certainly if we talk about bankers):

- monitoring/logging requests sent by the browser: POST dump, password stealing
- dynamic modification of HTML page code: HTML code injection, used e.g. for adding additional form fields intended to obtain more TAN codes, or generally some

(...)

Read entire post here: BHO Reversing
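A first triage step for the behaviour described above is simply knowing which BHOs a machine will load into Internet Explorer. The following PowerShell function is an added example, not code from the BHO Reversing post: it walks the BHO registration keys (native and Wow6432Node views), resolves each CLSID to its InprocServer32 DLL, and reports the DLL's Authenticode status. The function name is my own; the registry paths are the standard Windows locations.

```powershell
# Added example (not from the original post): list registered Browser Helper
# Objects and the DLL each one maps to. Run from 64-bit PowerShell on 64-bit
# Windows: a 32-bit process is itself redirected to Wow6432Node and would
# never see the native view.
function Get-RegisteredBho {
    $views = @(
        @{ Arch  = 'x64'
           Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        # 32-bit BHOs on 64-bit Windows are registered under Wow6432Node
        @{ Arch  = 'x86'
           Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $v.Bho) {
            $clsid    = $entry.PSChildName
            $clsidKey = Join-Path $v.Clsid $clsid
            $inproc   = Join-Path $clsidKey 'InprocServer32'
            $dll = $null
            $sigStatus = 'n/a'
            if (Test-Path -LiteralPath $inproc) {
                # The default value of InprocServer32 is the DLL path, often with %SystemRoot% etc.
                $raw = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
                if ($dll -and (Test-Path -LiteralPath $dll)) {
                    # Valid / NotSigned / HashMismatch ... unsigned or tampered DLLs stand out here
                    $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
                }
            }
            $name = $null
            if (Test-Path -LiteralPath $clsidKey) {
                $name = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'
            }
            [pscustomobject]@{
                Arch      = $v.Arch
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                Signature = $sigStatus
            }
        }
    }
}

Get-RegisteredBho | Format-Table -AutoSize
```

A BHO whose DLL is unsigned, lives outside Program Files, or has no friendly name is the one to pull into the analysis workflow the post describes.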

Practical Malware Analysis - A Book Review and Curmudgeonly Rant on the State of Reverse Engineering

Recently I was asked to review a pre-publication copy of Mike Sikorski and Andrew Honig’s book “Practical Malware Analysis” by No Starch Press. I gave it an enthusiastic review, and I strongly believe this will become the de facto text for learning malware analysis in the future. This is a review of that book, and a short rant on reverse engineering.

Before getting into Practical Malware Analysis, I hope you will indulge me in a rant about other books on the reverse engineering topic: They are not pretty. If you’ve taken one of my classes I recommend a few books for learning reversing, but climbing the steep mountain of prerequisite material before you can attempt to be somewhat proficient is daunting. Specifically, the books I recommended were based off of each individual author’s own personal style of reverse engineering with the tools that were available at the time. The field has gotten much more accessible thanks to the awesome tools that are out there from companies like Hex-Rays and Zynamics.

Practical Malware Analysis does a good job of tying together the methods of modern malware analysis. While most of the previous texts have done a good job of presenting the state of the art at their time, PMA overviews many of the tools that are in use in the modern day. Part 1 starts off with the basic static techniques, how to set up a virtual environment, and dynamic analysis. These initial steps are the basis for any good reversing environment. What is nice is that these topics aren’t dwelled on for an entire book.

Part 2 goes over the relationships of the Intel architecture, IDA Pro, modern compilers, and the Windows operating system to reverse engineering. Having an understanding of this as it applies to the reversing process is extremely important. Outside of implementing a compiler, learning the fundamentals of the architecture is the most important skill a reverser can have for understanding the field. The difference between an adequate reverser and a great reverser lies in the understanding of how the system interactions work.

The rest of the book is focused on the advanced topics of dynamic analysis. Part 5 deals with all the ways that malware authors can make your life miserable, from anti-disassembly to packers. Part 6, “Special Topics,” talks about shellcode analysis, C++ specifics, and the ever-looming threat of 64-bit malware. I suspect that there will be a second edition once 64-bit malware comes in vogue.

Overall the book is excellent for those that are new to this field. Experts love to curmudgeonly talk about how nothing is new anymore, everything sucks, and pine for the good old days of reverse engineering with some wire-wrap, a lead pencil, a 9-volt Duracell, and a single LED. If you consider yourself one of these people, reading this book is going to feel a lot like wearing someone else’s underwear. If, on the other hand, you read it and put aside your natural skepticism of all things new, you might learn something.

I really do like this book.

Edit 3/4/2012: I have no financial interest in the book. The only thing I received was a reviewer's copy. This was not sponsored or paid for in any way by the authors or publishers.
Edit 2/13/2013: There has been a translation to Serbo-Croatian of this review by Joanna Milutinovich.

CAST Slides: Hunting malware with Volatility v2.0

Last week I gave a talk at the CAST forum about hunting malware with Volatility 2.0. In 40 slides I introduce the main features of this powerful forensic framework. All memory dumps being discussed are snapshots from machines infected with modern malware and rootkits.

http://reconstructer.org/papers/Hunting%20malware%20with%20Volatility%20v2.0.pdf

The WOW-Effect: Imho something the IT-Security community should be aware of ...

Dear like-minded readers,

we (CERT.at, the Austrian National Computer Emergency Response Team) just released our latest paper, which addresses an issue with Microsoft Windows 64-bit that has high potential to affect the IT-Security community, especially those dealing with malware analysis and the corresponding investigations. It's even possible that some of us already are or were affected but just didn't notice.

The goal of my paper is to raise the IT-Security community's awareness regarding this issue.

In short: this issue, which I call the "WOW-Effect", is, so to say, an unintentional implication of Microsoft's WOW64 technology and its corresponding redirection functionality.

You can find the paper on our website. If you have any questions regarding the "WOW-Effect" or would like to give me some feedback, feel free to contact me via wojner_at_cert.at.

Here's the link to the paper:
http://cert.at/downloads/papers/wow_effect_en.html

Enjoy reading!

Cheers,

Christian Wojner
CERT.at
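The redirection the post refers to is easy to see for yourself. This PowerShell function is an added example (not from the CERT.at paper or from Christian's post): it hashes the same file name through the System32, SysWOW64 and Sysnative paths and reports whether the current process is being redirected. The function name and the choice of notepad.exe are my own.

```powershell
# Added example (not from the paper): show WOW64 file-system redirection.
# On 64-bit Windows a 32-bit process that opens %windir%\System32\<file>
# is silently handed %windir%\SysWOW64\<file>; the only way for it to reach
# the real System32 is the virtual 'Sysnative' alias, which does not exist
# for 64-bit processes at all.
function Get-WowRedirectionView {
    param([string]$Name = 'notepad.exe')   # any file present in both directories

    $hashOf = {
        param($Path)
        if (Test-Path -LiteralPath $Path) {
            (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
        }
    }
    $system32  = Join-Path $env:windir "System32\$Name"
    $sysWow64  = Join-Path $env:windir "SysWOW64\$Name"
    $sysnative = Join-Path $env:windir "Sysnative\$Name"

    $view = [pscustomobject]@{
        Is64BitOS      = [Environment]::Is64BitOperatingSystem
        Is64BitProcess = [Environment]::Is64BitProcess
        System32       = & $hashOf $system32
        SysWOW64       = & $hashOf $sysWow64
        Sysnative      = & $hashOf $sysnative   # $null when run from a 64-bit process
    }
    # Redirection is in effect when the "System32" path yields the SysWOW64 copy.
    $redirected = $view.Is64BitOS -and -not $view.Is64BitProcess -and
                  ($view.System32 -eq $view.SysWOW64)
    $view | Add-Member -NotePropertyName Redirected -NotePropertyValue $redirected -PassThru
}

Get-WowRedirectionView | Format-List
```

Run it once from the normal 64-bit powershell.exe and once from %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (the 32-bit host) and compare the System32 hashes: a 32-bit analysis tool looking at "System32" is seeing a different file than a 64-bit one.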

Introduction to IDA Python

The Introduction to IDA Python document by Ero Carrera is one of the better documents on scripting the IDA Pro platform available. After talking with Ero directly, I have received permission to host the PDF directly on Offensive Computing to make it available long-term. Enjoy.

Introduction to IDA Python by Ero Carrera

Danny

CSI:Internet series - Spyeye detection with Volatility v2 and kernel debugging the TDL4 rootkit

Just in case you missed my forensic analysis contributions for the CSI:Internet series on h-online.com...

CSI:Internet - A trip into RAM
http://www.h-online.com/security/features/CSI-Internet-A-trip-into-RAM-1339479.html

CSI:Internet - Open heart surgery
http://www.h-online.com/security/features/CSI-Internet-Open-heart-surgery-1350313.html

Enjoy!