Offensive Computing

Thread: Offensive Computing

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914

    Offensive Computing

    Hey Hey,

    This was posted on DailyDave (I know... I repost everything... but it's one of the few mailing lists where everything is useful, or at least humorous)...
    The idea behind http://www.offensivecomputing.net is to provide a basis for users to find and locate malware and download it for analysis. You can search based on name or the md5 sum...

    Here's the original release

    Hi there,

    I know some of the people on this list and I've lurked here for a long time so I thought there might be some interest in a project I've been working on for a little while.

    http://www.offensivecomputing.net

    I know there are a couple of things similar (like Pedram's openrce and Hoglund's rootkits.com) but I haven't found anyone doing exactly this so I thought there might be a need or use for it in the community.

    The basic idea is a community site where you can search for malware based on name or md5sum and get zipped copies. People can upload malware and collaborate on analysis in a sort of a blog style. (think community commented disassemblies, graphs, ida databases, etc.)

    I know there are some problems with it such as md5sums aren't the best method for cataloging malware but it's a start. And honestly most of the stuff I run across in general is not super sophisticated or polymorphic, etc.

    I've got some malware collection stuff to help add to the database and I have a small collection built up over the years that I am slowly adding.

    I've started it off with some copies of common stuff like welchia, sobig, the sony drm thing, etc. and some minimal analysis stuff.

    I'm open to any suggestions/contributions or even "this isn't a good idea because . . ."

    thanks!

    V.
    It seems that CERT has actually reported him to his hosting provider and asked that the site be removed....which is sad in my opinion, however he's apparently had several hosting offers, so it should remain up... I think it's a fairly interesting concept...

    I will warn anyone trying to load it in IE... it doesn't turn out overly pretty (javascript errors galore for me caused it to load like ****).... however in Firefox it's very purdy.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
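The announcement quoted above describes a catalog searchable by name or md5sum and concedes that md5sums are a weak cataloging key. The following added example (not code from the thread or from offensivecomputing.net) shows the minimal shape of such a catalog, indexing each entry under both an MD5 and a SHA-256 digest, and shows concretely why an exact-hash index misses a variant: a one-byte change to a sample produces a different digest and the lookup fails. The sample names are borrowed from the post; the bytes behind them are constructed placeholders, not malware.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed placeholder bytes standing in for archived samples; these are
# NOT malware, just stand-ins so the catalog logic can run offline.
CONSTRUCTED_SAMPLES = {
    "welchia": b"constructed stand-in for sample one",
    "sobig": b"constructed stand-in for sample two",
}


@dataclass
class Sample:
    """One catalog entry; both digests are derived from the bytes on creation."""
    name: str
    data: bytes
    md5: str = field(init=False)
    sha256: str = field(init=False)

    def __post_init__(self):
        self.md5 = hashlib.md5(self.data).hexdigest()
        self.sha256 = hashlib.sha256(self.data).hexdigest()


class Catalog:
    """Lookup by family name or by hex digest (MD5 kept for legacy queries, SHA-256 preferred)."""

    def __init__(self):
        self._by_name = {}
        self._by_digest = {}

    def add(self, sample):
        self._by_name.setdefault(sample.name.lower(), []).append(sample)
        # Index every digest so a query in either algorithm resolves to the entry.
        self._by_digest[sample.md5] = sample
        self._by_digest[sample.sha256] = sample

    def search(self, query):
        # Digests are matched case-insensitively; names are matched as lower case.
        q = query.strip().lower()
        if q in self._by_digest:
            return [self._by_digest[q]]
        return list(self._by_name.get(q, []))


def build_catalog():
    cat = Catalog()
    for name, data in CONSTRUCTED_SAMPLES.items():
        cat.add(Sample(name, data))
    return cat


def digest_lookup_survives_variant(cat, sample):
    """Return False when a one-byte change to the sample defeats exact-hash lookup.

    This is the cataloging weakness the announcement admits: a repacked or
    polymorphic variant of a known family has a different digest and is a
    miss in a hash index, even though the family is already in the catalog.
    """
    variant = Sample(sample.name, sample.data + b"\x00")
    return bool(cat.search(variant.sha256))


if __name__ == "__main__":
    catalog = build_catalog()
    hit = catalog.search("welchia")[0]
    print("by name :", hit.name, hit.md5)
    print("by md5  :", [s.name for s in catalog.search(hit.md5)])
    print("variant found by digest:", digest_lookup_survives_variant(catalog, hit))
```

The name index is what makes the catalog useful for a human; the digest index only answers "have I seen exactly these bytes before", which is why a repository keyed on hashes alone fills up with near-duplicates of the same family.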

  2. #2
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Hmmm..something funny about this site. Going to this site (www.offensivecomputing.net) makes my McAfee crazy giving me a message detecting a VBS script from the site as a 'Joke/EjectCD' malware.

    I was using Mozilla with Active-X and Java turned off. I use that when going to 'untrusted' or 'unknown' sites. Good choice in this case obviously. ;-)

    This person trying to be funny? What gives?

    /update
    found code in the top page that is doing this, here it is:
    <SCRIPT LANGUAGE="VBSCRIPT">
    Set oWMP = CreateObject("WMPlayer.OCX.7" )
    Set colCDROMs = oWMP.cdromCollection
    if colCDROMs.Count >= 1 then
    For i = 0 to colCDROMs.Count - 1
    colCDROMs.Item(i).Eject
    Next ' cdrom
    End If
    </SCRIPT>
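The VBScript quoted in the post above is what McAfee flagged as Joke/EjectCD: it instantiates the Windows Media Player COM object and calls Eject on every CD-ROM drive. As an added example (not code from the thread or from the site), here is a small scanner that finds VBScript blocks in a fetched page and reports the ones containing those indicators, the kind of check a site owner could run over their own pages, or a reader over a saved copy, before the browser ever executes anything. The page it scans is constructed for the example and embeds the script exactly as quoted.

```python
import re
from dataclasses import dataclass

# Constructed test page: the ejectcd VBScript quoted in the post, plus a harmless
# JavaScript block so the scanner has something it must NOT flag.
CONSTRUCTED_PAGE = """<html><body>
<h1>constructed test page</h1>
<SCRIPT LANGUAGE="VBSCRIPT">
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next ' cdrom
End If
</SCRIPT>
<script type="text/javascript">console.log("harmless");</script>
</body></html>"""

# A script element with its attribute string and body (DOTALL so bodies span lines).
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Either way a page can declare VBScript: language="vbscript" or type="text/vbscript".
VBS_ATTR_RE = re.compile(
    r"""(?:language\s*=\s*["']?\s*vbs(?:cript)?|type\s*=\s*["']?\s*text/vbscript)""",
    re.IGNORECASE,
)

# Indicators that together make up the EjectCD nuisance script: a Windows Media
# Player COM object, its CD-ROM collection and an Eject call.
INDICATORS = {
    "wmplayer_com_object": re.compile(r"""CreateObject\s*\(\s*["']WMPlayer\.OCX""", re.IGNORECASE),
    "cdrom_collection": re.compile(r"\.cdromCollection\b", re.IGNORECASE),
    "eject_call": re.compile(r"\.Eject\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    line: int          # 1-based line of the opening <script> tag
    indicators: tuple  # names from INDICATORS that matched
    verdict: str       # "ejectcd" when object creation and Eject both appear, else "suspicious"


def scan_page(html):
    """Return a Finding for every VBScript block that contains at least one indicator."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        if not VBS_ATTR_RE.search(attrs):
            continue  # default script language is JavaScript; only VBScript is in scope here
        hits = tuple(name for name, rx in INDICATORS.items() if rx.search(body))
        if not hits:
            continue
        verdict = "ejectcd" if {"wmplayer_com_object", "eject_call"} <= set(hits) else "suspicious"
        line = html.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, hits, verdict))
    return findings


if __name__ == "__main__":
    for f in scan_page(CONSTRUCTED_PAGE):
        print(f"line {f.line}: {f.verdict} ({', '.join(f.indicators)})")
```

Matching is deliberately narrow: a VBScript block that merely shows a MsgBox produces no finding, and a JavaScript block is never examined, so the scanner reports the specific behaviour the antivirus objected to rather than every script on the page.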

  3. #3
    Dead Man Walking
    Join Date
    Jan 2003
    Posts
    810
    I didn't get anything like that but I know those open CD tray scripts are a real pain if you are running Daemon Tools.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    I know this thread is a few weeks old but I have some more useful information on the project.

    The owner, Val Smith, is doing a lot of work trying to hook into other libraries that operate along the same lines as he does. The goal is to get a very robust library out there for researchers.

    Val is currently a member of a vetted mailing list where his project is being openly discussed (good and bad).

    Based on what I'm seeing, it doesn't sound like many people have faith in the project growing because of the leech/contributor skew, and the moral and legal obligations associated with distributing malware samples to the general public (which includes the bad guys).

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    That is too bad, to hear that he is having that much difficulty. It sounds like his intentions are noble...perhaps if he had a documented and subpoena-able registration process, he'd have more support...that way one can track who is accessing what, and when. Otherwise, the user could read about the code, its signature(s) and properties, but not have access to the damaging bits themselves.

    Also, I think he is shooting himself in the foot. If that eject-cd code was intentionally put on the page by Val...that's kinda dumb, IMHO. A site like that has to be cleaner than the next, because he is already under the gun from groups like CERT. That sort of stunt doesn't have a good return on investment...it might be mildly amusing, but it portrays the site as a half-assed project by some skiddie-***-grey-hat. The title, "Malicious code, it's what's for dinner!", doesn't inspire confidence that the proprietor is really looking out for the best interests of the community at large, either. It makes me chuckle...but when I am researching malicious code and samples of the offensive bits, I don't want a chuckle...I want a site that I can rely on to be built upon dependable and reasonable practices, not 'whatever made the webmaster laugh that day'.

    After checking the site, the visual style looks nice enough. I'm guessing it's PHPNuke or something similar for content management. So it looks nice, but even the tiniest hint of impropriety and he loses credibility; that title, the vbscript code, etc.

    I know, I'm probably being too picky with this...I'm not trying to, but the reality is that the subject matter and content are questionable, objectionable by a lot of standards, so they should be presenting everything as cleanly and above-board as possible. Al Capone never went to prison for organized criminal activities...he went up for tax evasion crimes. The moral is, don't give them a reason.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  6. #6
    Junior Member
    Join Date
    Dec 2005
    Posts
    2
    Hi there,

    I'm actually not having so much difficulty anymore. Lots of people in the security community have been very helpful and the site is humming along. I'm interested in technical ways the registration can be better, and I'm working on it; unfortunately I'm rather limited by a content management system since I want to spend more time doing malware research and analysis and less time doing web development.

    That ejectcd code was actually not intentional and was actually removed right away several weeks ago. Sorry about that guys.

    I'm definitely trying to avoid the green-on-black flaming skript kiddie style website and shooting more for a professional research site. I actually took your suggestion (zencoder) and changed the title. I hope I don't have to remove ALL humor though, life is too serious as it is.

    The CMS is actually Drupal, believe it or not. It's nice but we are working on something hopefully better.

    I definitely agree this type of site can be rather controversial and I'll do my best to keep it as above board as possible.

    Thanks for the interest, hope to see you on the site!

    V.

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    I'm actually not having so much difficulty anymore.
    Really? I read quite a heated debate on a (vetted) mailing list yesterday that you and I both belong to. Of course it degenerated when I last checked so I tuned out. Did it turn around in your favor?

    Having a robust library for researchers is a great cause. I for one use many libraries when searching for samples and in some cases, rely on professional peers from all over the world. Having samples all in one place would be, at very least, convenient.

    That said, and I'm sure you've heard this before, running such a site is a HUGE responsibility. As the holder of that responsibility, skript kiddies would be the least of my worries. Professional crime groups have paid talent that can abuse the hell out of your site. Even logon credentials can be scripted and sadly your library will become a 7-11 for malcode authors. Have you considered a vetting process? Again, I know this adds yet another layer of work for you but deep down I believe that as a researcher, I have the responsibility to handle all malcode in my possession in a responsible and professional way. That is, I don't care if someone can get it elsewhere, I *know* that I will never be the source.

    Make sense?

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by valsmith
    That ejectcd code was actually not intentional and was actually removed right away several weeks ago. Sorry about that guys.

    I'm definitely trying to avoid the green-on-black flaming skript kiddie style website and shooting more for a professional research site. I actually took your suggestion (zencoder) and changed the title. I hope I don't have to remove ALL humor though, life is too serious as it is.
    Agreed, life *can* be too serious. I don't think you need to be so uptight that your own site depresses you, I simply mentioned it because it's a judgement thing, and first impressions are key. Honestly, I had no knowledge of the site until this thread, and that was one of the first things I saw...and I was certainly biased based on what I read here.

    I think it looks good, and I agree with TH13 that it is at the very least a convenience and good service to the community. I also echo his sentiments about malicious code in one's possession. For consideration, I'll make an analogy (as I so often seem to do around here...) Anyone can do some not-so-creative Googling and find out how to make a number of explosive or dangerous substances from common chemicals and items found around the house or at the store...but would you want YOUR site to be the one listed on the front page news as having provided this information to the London bombing terrorist group(s)?

    I'm registering now and look forward to learning from your site. Cheers!
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  9. #9
    Junior Member
    Join Date
    Dec 2005
    Posts
    2
    Yeah, it's really only a couple of people who are vehemently against it. I've received so many emails or posts of support from high profile researchers that I really can't worry about 2 or 3 naysayers.

    I have thought about the vetted list, and I'm still thinking about it. There are many vetted lists though so it would almost be better for me to simply join them and do nothing if I was going to go that route. However for now I'm keeping it the way it is and watching closely to see what happens as well as providing the best analysis I can.

    I have no desire to restart the "open site" debate here on this list, however I will say a couple of things.

    I find it hard to believe that crime groups or other bad guys would really want to use what I'd call "spoiled" malware, i.e. malware that's been fully broken, analyzed and identified along with defensive signatures.

    Also they can find all the same stuff I have the same way I do:

    mwcollect
    nepenthes
    honeynet
    google
    accidentally putting my computer on the internet

    I'm not posting anything that's not already in the wild.

    Anyway, thanks for the interest!

    V.

  10. #10
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Originally posted here by valsmith
    That ejectcd code was actually not intentional and was actually removed right away several weeks ago. Sorry about that guys.

    I definitly agree this type of site can be rather controversial and I'll do my best to keep it as above board as possible.
    Thanks for the explanation and hope you are able to monitor and manage it per the concerns TH13 and Zen (and I) have. I'll register and check out your site now.

    I wish you the best with it and look forward to learning from the site's community.
