chris105
Right, hello everyone.

The purpose of this thread is to enable us to analyze any viruses you become infected by, get inside them, see how they work, track botnets if a bot was the payload and, for those of us interested in this side of security, enable people to shut down these networks using a variety of techniques. When posting a virus PLEASE STATE IT IS A VIRUS and give as much information about the said virus as possible, including payload, how you got it, and other spreading techniques. It is recommended that these viruses only be analyzed in a sandbox environment. Neither GSO, the poster nor myself claim any responsibility for any damage caused through the use of these files. The below files are viruses; run at your own risk.
kingvandal
I second that idea! And I will up them.

Good idea chris.

kv-
tibbar
OK, but keep this thread sensible. I don't want to see any attacks on botnet hosts etc.
click
Botnet hunting was largely responsible for the downfall of Ryan1918.com. Although the site acted as a virus development community (rather than a security community), it may have gone unnoticed without the large-scale attention it brought through massive DDoS attacks, botnet owners seeking revenge, or even through the many IRC operators cleaning their networks of viral activity. We don't want this to happen to GovSec!

After running a honeypot, collecting IRC viruses, and clicking on every malicious link, I managed to collect a few trojans. I will post them when I get home (and there is no point hunting the botnets, most of the code is 6-8 months old).

This has a lot of potential to study and understand new coding and "private release" techniques. I would love to see some homemade rootkits being posted here too!
GSecur
I like the idea as well, but as stated let's not invite any wars, so keep yourselves clean.
kingvandal
QUOTE
I like the idea as well, but as stated let's not invite any wars, so keep yourselves clean.

Maybe restrict it to certain members, like the adv forum?

kv-
cyph34r
QUOTE(kingvandal @ Jul 20 2005, 09:09 PM)
QUOTE
I like the idea as well, but as stated let's not invite any wars, so keep yourselves clean.

Maybe restrict it to certain members, like the adv forum?

kv-

Maybe, but perhaps a chance for the trial members to shed some light on the inner workings of such programs would give them an opportunity to contribute back to this community, as long as it's clear this is a for-learning-purposes-only project, and that caution is required.
aelphaeis_mangarae
I think this is a great idea...

Anyone recommend some honeypot software for me to use?

Would like the dl to be as small as possible... I've tracked botnets before, but I haven't come across any more bots since a few months ago.
myth
YAY

And everyone thought I was crazy for running Win2kAS unpatched!!! Who's laughing now!

I've been doing a lot of work with honeypots, and I'll get a write-up done soon; still getting the Honeynet CD-ROM working properly...

I'll probably just get an ftpd up on my end and pop them all there, and just put a link here for those that are interested, but running honeypots isn't as easy as you'd think. Well, some of the botnets are quite aggressive; I've had 2 MB of SYN packets sent within 2 minutes... That was a bitch to track...
AdmiralB
Yeah, I agree that we can have something like this, but use it cautiously.
But I think maybe members should be the only ones reading this thread.
Well, that's what I think...

Anyway, anyone know of any good sandbox besides VMware?
n.n.p
Seems like a good idea. I have no idea how to go about virus analysis though. I assume it's done in asm? Is the normal procedure just to disassemble the affected file and go through the code?

If anyone could post a tutorial or some such (or even just a quick run-down of what's involved and I'll go google it myself) that would be cool.
beardednose
Yes, let's restrict it.
n.n.p
Why would you want to restrict it?

So much for freedom of knowledge.
click
Idea: Can we have another section made, like the file downloads?

Just a quick blurb, but when collecting viruses it is almost always better to run an array of VMware clients. You can activate port forwarding to each one depending on the version of the OS that is running and the exploit method which applies to each one. You can have multiple snapshots to revert the system back to a preset state, you can run clones (that way you can have 10 WinXP boxes while only using one actual HD image), network management is excellent, it supports shared drives without NetBIOS, etc...

VMware ESX Server is better if you are running multiple systems (memory management allows overcommitment), but VMware Workstation is good for 2-3 systems on a decent computer.

Although this is an old article (2002), it has some good VMware pointers and good reasons to use it: h**p://www.seifried.org/security/ids/20020107-honeypot-vmware-basics.html

These are things that would be so much more difficult to code into projects like HoneyD (recommend using Honeywall at h**p://www.honeynet.org/tools/cdrom/index.html), Tripwire (WinNT version at h**p://www.tripwiresecurity.com/products/2_0NT.html), KFSensor (h**p://www.keyfocus.net/kfsensor/features.php), or any others that I forgot to mention.

Next, just go to all the places that you can usually get a virus: DALnet is usually a good start, heh.

I can't think of anything else that I can jam in this post right now, so I leave the rest to anyone else.
Yorn
I'd suggest a new section and don't allow unregistered members to download from the section. Maybe have a few members write up some tutorial posts on VMWare and the like, and sticky those to the top of the forum.
kingvandal
Here is something I caught today. The install dates were today and it was not picked up by ViRobot 4.0 eng ver 7/22/2005. Rename it from virus.rar.txt to virus.rar.
One of them was blocking Microsoft sites and the .dll is an email list, so I would imagine this could be some type of mass-mailing worm... just my guess though. And one may be a WINS virus, as the name is Winshost.exe, which was called directly from the Run key.

!!!!!WARNING FILE CONTAINS VIRUSES!!!!!


QUOTE
file contents:

685328.exe
698750.exe
22259343.exe
22550062.exe
106318171.exe
eml.exe
FIREWALL_ANTI.EXE-0DA54B48.pf
sa_exe.exe
sa_exe.exe.dll
windll.exe
winshost.exe


Dammit, I forgot to add the password... Sorry 'bout that!
Password <---

kv-

:: EDIT::

hosts file contains:

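A small triage check for the kind of hosts-file tampering kingvandal describes above (security-vendor and Microsoft update hostnames pointed at 127.0.0.1). This is an added example, not code from the thread; the vendor watch list and the sample hosts file are constructed for illustration.

```python
"""Flag hosts-file entries that sink AV-vendor and update hostnames.

Added example, not from the thread. Malware that blocks updates does not
"remove" anything; it simply maps vendor hostnames to a loopback or
unroutable address, so a triage check only needs to parse the file and
compare each name's registrable domain against a watch list.
"""
import ipaddress
from collections import Counter

# Hypothetical watch list: registrable domains of AV vendors and update
# services. Seeded from the names that appeared in the thread's sample;
# extend it for your own environment.
WATCHED_DOMAINS = {
    "kaspersky-labs.com", "kaspersky.com", "kaspersky.ru", "avp.com",
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
    "sophos.com", "f-secure.com", "trendmicro.com", "grisoft.com",
    "microsoft.com", "ca.com", "my-etrust.com", "viruslist.com",
}

# Constructed sample hosts file, modelled on the tampered one in the thread.
# It mixes blocked vendor names with a legitimate LAN entry, an ad-blocker
# style entry and a duplicate line, so the checker has to discriminate.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       updates1.kaspersky-labs.com
127.0.0.1       ad.doubleclick.net
127.0.0.1       liveupdate.symantec.com
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       download.mcafee.com
0.0.0.0         www.sophos.com
127.0.0.1       liveupdate.symantec.com
192.168.1.10    fileserver.example   # LAN entry, routable address
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (enough for the vendors listed above;
    a public-suffix list would be needed for names like example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_sinkhole(addr: str) -> bool:
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) targets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (address, hostname) pairs; comments and blank lines are skipped,
    and a line with several aliases yields one pair per alias."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, *names = parts
        for name in names:
            yield addr, name


def find_blocked_vendors(text: str):
    """Return a sorted, de-duplicated list of (hostname, address) pairs whose
    hostname belongs to a watched vendor and whose target is a sinkhole."""
    hits = set()
    for addr, name in parse_hosts(text):
        name = name.lower()
        if name == "localhost":
            continue
        if is_sinkhole(addr) and registrable_domain(name) in WATCHED_DOMAINS:
            hits.add((name, addr))
    return sorted(hits)


def summarize(text: str) -> dict:
    """Count hits per vendor domain, a compact signal for an IR ticket."""
    hits = find_blocked_vendors(text)
    per_vendor = Counter(registrable_domain(name) for name, _ in hits)
    return {"blocked": len(hits), "vendors": dict(per_vendor)}


if __name__ == "__main__":
    for name, addr in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"{addr:<12} {name}")
    print(summarize(SAMPLE_HOSTS))
```

Note that the ad-network entry is deliberately not flagged: hosts-based ad blockers use the same mechanism, so the watch list, not the loopback target alone, is what separates tampering from a user's own configuration.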
Necrocide
What's the password to unrar the files?
myth
From having a vulnerable LSASS system service running, I collected this file...

This is the bot that I got, attached below. Just rename it to a .exe file.

I'll put up a write-up on how I got all these (there's many more) using iDefense tools...

For those that are interested:

http://www.phpfi.com/71475 <- Logs (edited for easier reading) of malware connecting to IRC server

QUOTE
NICK HOLE-154418
USER erjziqnc 0 0 :HOLE-154418
:irc.unknown.net NOTICE AUTH :Looking up the hostname for 203.122.xxx.xxx...
:irc.unknown.net NOTICE AUTH :Successfully resolved your IP to xxx.xxx.internode.on.net.
:irc.unknown.net 001 HOLE-154418 :Welcome to the Internet Relay Chat network, HOLE-154418!~erjziqnc@xxx.xxx.internode.on.net
:irc.unknown.net 002 HOLE-154418 :Your host is irc.unknown.net [64.251.22.163:9136], running ConferenceRoom 2.1-SEC-win32-ws2 (TRIAL)
:irc.unknown.net 003 HOLE-154418 :This server was started on Tue, 19 Jul 2005 00:21:15 -0400 (Compiled on Aug 27 2003 14:16:19)
:irc.unknown.net 004 HOLE-154418 irc.unknown.net ConferenceRoom 2.1-SEC abcdefghijkmnopqrstwxyzABCLIMORX abcdeijklmnopqrstuvzACJLMNORU
:irc.unknown.net 005 HOLE-154418 SMARTHELP WALLCHOPS TUNL WHISPER KNOCK PROP LANG FIELD SM TUNL CHANTYPES=# PREFIX=(ovu)@+- NICKLEN=30 MODES=12 SILENCE=10
:irc.unknown.net 005 HOLE-154418 CHANMODES=bouv,k,lOMN,cdejimnpqrstzAJLRU WATCH=256 KICKLEN=64 MAXBANS=50 MAXCHANNELS=12 FLG=wEtsekpv,0
:irc.unknown.net 007 HOLE-154418 irc.unknown.net 1122309288 :Mon, 25 Jul 2005 12:34:48 -0400
:irc.unknown.net 008 HOLE-154418 -tmUNQCd6zMLuH7cQss4f^ 24614264 :This is your Session ID and Session Key.
USERHOST HOLE-154418
:irc.unknown.net 009 HOLE-154418 ASCII :Current character mapping.
:HOLE-154418!~erjziqnc@=Ekrka029-936.static.internode.on.net MODE HOLE-154418 :+ixn



QUOTE
USERHOST HOLE-154418
MODE HOLE-154418 +x+i
JOIN #hole pussy
:irc.unknown.net 302 HOLE-154418 :HOLE-154418=+~erjziqnc@=Ekrka029-936.static.internode.on.net
:irc.unknown.net 481 HOLE-154418 MODE :Permission Denied: you do not have the required privileges
:HOLE-154418!~erjziqnc@=Ekrka029-936.static.internode.on.net JOIN :#hole
:irc.unknown.net 353 HOLE-154418 = #hole :@peon
:irc.unknown.net 366 HOLE-154418 #hole :End of /NAMES list.
:irc.unknown.net 332 HOLE-154418 #hole :.scanall -s
:irc.unknown.net 333 HOLE-154418 #hole peon 1121746937
:irc.unknown.net 302 HOLE-154418 :HOLE-154418=+~erjziqnc@=Ekrka029-936.static.internode.on.net
:irc.unknown.net 481 HOLE-154418 MODE :Permission Denied: you do not have the required privileges
:irc.unknown.net 302 HOLE-154418 :HOLE-154418=+~erjziqnc@=Ekrka029-936.static.internode.on.net
:irc.unknown.net 481 HOLE-154418 MODE :Permission Denied: you do not have the required privileges


QUOTE
glitch:/home/brad# nmap -sT -A -vv -P0 -p 1-65535 64.251.22.163

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-26 02:11 CST

Initiating Connect() Scan against stats.nerdie.net (64.251.22.163) [65535 ports] at 02:11
The Connect() Scan took 9823.87s to scan 65535 total ports.

Interesting ports on stats.nerdie.net (64.251.22.163):
(The 65480 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE          VERSION
21/tcp    open    ftp              Microsoft ftpd
25/tcp    open    smtp              Microsoft ESMTP 6.0.3790.1830
53/tcp    open    domain            Microsoft DNS
80/tcp    open    http              Microsoft IIS webserver 6.0
88/tcp    open    kerberos-sec?
119/tcp  open    nntp              Microsoft NNTP Service 6.0.3790.1830 (posting ok)
135/tcp  open    msrpc            Microsoft Windows msrpc
139/tcp  open    netbios-ssn
445/tcp  open    microsoft-ds      Microsoft Windows 2003 microsoft-ds
554/tcp  open    rtsp              Microsoft Windows Media Server 9.1.1.3814
563/tcp  open    snews?
612/tcp  open    ftp              Serv-U ftpd 5.0
1025/tcp  open    msrpc            Microsoft Windows msrpc
1028/tcp  open    msrpc            Microsoft Windows msrpc
1030/tcp  open    msrpc            Microsoft Windows msrpc
1031/tcp  open    msrpc            Microsoft Windows msrpc
1033/tcp  open    msrpc            Microsoft Windows msrpc
1035/tcp  open    msrpc            Microsoft Windows msrpc
1036/tcp  open    msrpc            Microsoft Windows msrpc
1720/tcp  filtered H.323/Q.931
1755/tcp  open    wms?
1801/tcp  open    unknown
2103/tcp  open    msrpc            Microsoft Windows msrpc
2105/tcp  open    msrpc            Microsoft Windows msrpc
2107/tcp  open    msrpc            Microsoft Windows msrpc
2137/tcp  open    http              Microsoft IIS webserver 6.0
3389/tcp  open    microsoft-rdp    Microsoft Terminal Service
8000/tcp  open    http-alt?
8080/tcp  open    http              Microsoft IIS webserver 6.0
8098/tcp  open    ssl/http          Microsoft IIS webserver 6.0
8099/tcp  open    http              Microsoft IIS webserver 6.0
8249/tcp  open    unknown
9136/tcp  open    unknown
10000/tcp open    snet-sensor-mgmt?
13222/tcp open    unknown
6 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Nmap finished: 1 IP address (1 host up) scanned in 10022.899 seconds
              Raw packets sent: 66 (3960B) | Rcvd: 17 (1310B)


Useless information has been edited out of the above; more can be found @ http://www.phpfi.com/71476

I'm only ever going to say this once: be careful with the file attached.
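The join sequence in myth's log above (a generated-looking nick, a keyed JOIN, and an order sitting in the channel topic) is what an analyst looks for when triaging a captured IRC session. This is an added example, not code from the thread: a minimal parser for raw IRC lines plus a triage pass over a constructed excerpt modelled on that log (the channel key and hostmask are placeholders).

```python
"""Triage a captured IRC session for bot-style behaviour.

Added example, not from the thread. Bots of this era registered with a
generated nick, joined a keyed channel and read their orders from the
channel topic, so the messages worth parsing are few: the client's NICK
and JOIN, the server's 001 welcome and the 332 topic reply.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt modelled on the log quoted in the thread; the channel
# key is a placeholder and the hostmask has been genericised.
SAMPLE_LOG = """\
NICK HOLE-154418
USER erjziqnc 0 0 :HOLE-154418
:irc.unknown.net 001 HOLE-154418 :Welcome to the Internet Relay Chat network, HOLE-154418!~erjziqnc@host.example
USERHOST HOLE-154418
MODE HOLE-154418 +x+i
JOIN #hole chankey
:irc.unknown.net 353 HOLE-154418 = #hole :@peon
:irc.unknown.net 366 HOLE-154418 #hole :End of /NAMES list.
:irc.unknown.net 332 HOLE-154418 #hole :.scanall -s
:irc.unknown.net 333 HOLE-154418 #hole peon 1121746937
"""

GENERATED_NICK = re.compile(r"^[A-Za-z]{2,8}-\d{4,}$")   # e.g. HOLE-154418
TOPIC_COMMAND = re.compile(r"^[.!]\w+(\s|$)")            # e.g. ".scanall -s"


@dataclass
class IrcMessage:
    prefix: Optional[str]   # sender; present on server lines only
    command: str            # verb or three-digit numeric reply
    params: List[str]       # middle params plus the trailing param, if any


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Split one RFC 1459 line: [:prefix] command params [:trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    if not params:
        return None
    return IrcMessage(prefix, params[0].upper(), params[1:])


def triage_irc_log(text: str) -> dict:
    """Walk the session and collect C2-relevant facts plus a findings list."""
    report = {"server": None, "nick": None, "channels": {}, "findings": []}
    for raw in text.splitlines():
        msg = parse_irc_line(raw)
        if msg is None or not msg.params:
            continue
        client_side = msg.prefix is None
        if msg.command == "NICK" and client_side:
            report["nick"] = msg.params[0]
            if GENERATED_NICK.match(msg.params[0]):
                report["findings"].append(
                    f"generated-looking nick {msg.params[0]}")
        elif msg.command == "001":
            report["server"] = msg.prefix
        elif msg.command == "JOIN" and client_side:
            chan = msg.params[0]
            key = msg.params[1] if len(msg.params) > 1 else None
            report["channels"].setdefault(chan, {"key": None, "topic": None})
            report["channels"][chan]["key"] = key
            if key:
                report["findings"].append(f"JOIN to {chan} with a channel key")
        elif msg.command == "332" and len(msg.params) >= 3:
            chan, topic = msg.params[1], msg.params[2]
            report["channels"].setdefault(chan, {"key": None, "topic": None})
            report["channels"][chan]["topic"] = topic
            if TOPIC_COMMAND.match(topic):
                report["findings"].append(
                    f"command-style topic in {chan}: {topic!r}")
    report["score"] = len(report["findings"])
    return report


if __name__ == "__main__":
    rep = triage_irc_log(SAMPLE_LOG)
    print(f"server={rep['server']} nick={rep['nick']} score={rep['score']}")
    for finding in rep["findings"]:
        print(" -", finding)
```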
n.n.p
Hey, just wondering what is the standard method of collecting malware safely? For analysing and possibly removing signatures etc., what kind of skills are needed and what should I be googling for? I have opened a few things in OllyDbg in the hope I would get a flash of inspiration, but to be honest I was just stunned by pretty much everything I saw. I have little idea what anything it created means or how to follow it.

I wrote a basic "hello world" in C++ then opened that in Olly as well, and again I had no idea what most of the output generated was about. I was expecting maybe 20-30 lines at the most of assembly, but I got what looks like well over 100. I'm not entirely sure what the other output in the sub-windows generated by Olly is about either. The bottom one looks like hex, and on lines beside the hex there are letters, some of which form broken-up parts of words. Could someone explain what these are?

(As a side note, I'm not a complete idiot or new to coding or hacking; this is just the first time I've gone near this stuff and I'm a complete n00b to it.)

Thanks,
NNP
myth
Whether the mods decide to open up another forum section for honeypot/malware analysis will determine how quickly I can write up a tutorial on the various methods I've used to analyse malware...

Being a not so great / dedicated programmer, I'm sure there's many great tools that I haven't managed to get a hold of just yet... However, when it comes to networking (i.e. botnet-type malware), that's the field where I excel...

So just hold up guys, I've got some half-decent ideas/methods and would like more input from others when it comes to stepping through code, and perhaps generating some kind of pseudo-code to easily read what a program is doing at the time...
chris105
Personally I think the best way to analyze is to run VMware and save a snapshot, then use a system monitor and infect yourself. See what changes it makes to your system. Cheers for those two files; I want to do a write-up on the first virus from kingvandal and then make a removal tool and compare it to AV tools. Will let you know.
myth
Yeah, exactly, but how do you catch the malware in the first place?

In the case of botnets etc., I've been using the iDefense tool, multipot, Visual Basic at its best.
chris105
Mainly when I'm fixing friends' and relatives' computers they let the viruses and malware stack up, so I always run a NOD32 scan and take home the quarantine folder =) which seems to work quite well.
tibbar
Best analysis method is to run Norman Sandbox for a full report on what the malware does.
ash^
QUOTE(chris105 @ Jul 29 2005, 01:38 AM)
Mainly when I'm fixing friends' and relatives' computers they let the viruses and malware stack up, so I always run a NOD32 scan and take home the quarantine folder =) which seems to work quite well.

Same here. I install a packet sniffer as well and jot down which files go where and other useful info such as the bot's nickname, etc.
kingvandal
!!!! WARNING !!!!

-ATTACHMENTS CONTAIN VIRUSES + 1 DETECTED ROOTKIT-

!!!! WARNING !!!!

QUOTE
File contents:

tsecure[1].exe
tsecure[].exe
ssk3_b5.exe
sp2update.exe
rdriv.sys = Rootkit
ftplog.exe = tinymfc. This one was an FTP server on port 25350 with anonymous access.
clearlogs.exe -we know what this is.
22p2e33n.exe


File Password: password

Found these on the guy next door's system this afternoon.

kv-
ninar12
I just want to add something here.

Does anyone know this link?

http://sourceforge.net/projects/nepenthes/

It's a project that's like a honeypot with backward analysis of the file.
satknis
I was chatting on an IRC network, then someone queried me and posted a link.
I forgot the URL but I downloaded the file. See attached file.
It creates a Run registry key with the name pathname.
It also copies itself to the system32 dir as pathname.dll and pathname.exe
and runs in the background as pathname.exe.
My AV calls it backdoor.irccontact.30.

I didn't sniff the traffic of the file to get the IRC server, but you guys will do that,
I think.

Zip file password is "troj".