This code, like the other process-handling code by the same author, will kill a Windows process.
Posted in Code, Local Exploitation | Tagged c++, Code, icedane, kill, process, windows, windows xp
My first article on URL generation for worm updates quickly became my most popular article (until it was overtaken by an analysis of Conficker). I've been thinking about the concepts of URL generation, and I believe I've come up with a similar method that will work just as well, if not better.
Posted in Updating and Evolving, Worms | Tagged conficker, pastebin, payload, poor man, update, url generation
Now that you've seen how easy it is for a worm to steal passwords for the popular messenger protocols, I'll talk a bit about how to use them. If you use MSN, AIM, or Yahoo, chances are you've seen the spambots. Chances are you've also seen the viruses that spread through them. It's a very effective way of spreading for popular worms such as Kirvo and Bagle.
Posted in Spreading, Worms | Tagged aim, contacts, email, hijack, messenger, msn, spam, Worm, yahoo
Like my article on extracting Pidgin passwords, this article also deals with extracting passwords from a messenger protocol: AIM. As I mentioned in my article on spreading worm payloads with Bluetooth, one of the most important qualities to pay attention to when coding a worm is how well it can spread. A very common and effective way to spread? Hijacking messengers and sending links and files to all contacts of the victims.
Posted in Code, Local Exploitation, Worms | Tagged aim, aol, extract, hash, log in, messenger, passwords, spread
For those of you that don’t know, Pidgin (formerly GAIM) is a messenger client that allows a user to use one client for their MSN, Yahoo, IRC, AIM, ICQ, and various other protocols. There’s one thing special — for malware authors — that needs to be kept in mind.
Posted in Code, Local Exploitation | Tagged accounts.xml, aim, aol, gaim, msn, passwords, pidgin, spread, Worm, yahoo
In February, Microsoft announced a $250,000 bounty for anyone who came to them with information leading to the arrest of the author of the infamous Conficker worm. In just four months (from November 2008 to the bounty in February) the worm was suspected to have infected upwards of ten million computers world-wide, and it shows no signs of slowing down any time soon. With a reward on the author's head that high, you know something must be special about this worm. Let's take a look.
Posted in Worms | Tagged analysis, conficker, conficker cabal, downadup, how it works, url generation
Statistically speaking, one in four machines is infected by malware of some sort. That means that a machine in your network is probably infected with something. This may be something as insignificant as a spam drone or something more identity-threatening, such as an info stealer or a bot. That means that something is probably trying hard to break into your machine or your network, waiting for you to pass valuable credentials and information to a 'secure' destination.
Posted in Spreading | Tagged ignorance, k0pp, malware, mitigation, Spreading
Let's face it: although torrents and P2P networks are used to distribute illegal goods 99% of the time, that 1% of legitimate use is what keeps them in business. Torrent and P2P networks are the two most popular ways of finding the files you want to download. When is the last time you googled "index of /music" to find some sweet mp3s? A while, I bet. P2P and torrents are the new filesharing networks, so why not use them to distribute your malware?
Posted in Spreading, Worms | Tagged forums, megaupload, network, p2p, rapidshare, seed, spread, technique, torrent, tracker
Looking through how Conficker works, I realized its function for looking for instructions from a master is brilliant. Most trojans and worms that report back to a main server or something similar usually hard-code either the actual server into the code (NO NO!) or an algorithm to generate the server into the code (almost as bad). What Conficker does basically prevents shutdowns of the main server and prevents anyone from really knowing what the server is.
Posted in Updating and Evolving, Worms | Tagged conficker, instructions, technique, update, url, url generation