Simple lessons!
Results 1 to 8 of 8

Thread: Simple lessons!

  1. #1
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,002

    Simple lessons!

    Got this e-mail the other day warning me that i was sending out virii. Firstly here is the text of the mail.
    Mail server report.
    Our firewall determined the e-mails containing worm copies are being sent from your computer.
    Nowadays it happens from many computers, because this is a new virus type (Network Worms).

    Using the new bug in the Windows, these viruses infect the computer unnoticeably.
    After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
    Please install updates for worm elimination and your computer restoring.
    Best regards,
    Customers support service
    Obviously this mail won't catch anyone with a bit of computer security sense but it is the type of mail that could cause a minor headache in a company where the users havent been traumatised enought by the IT department. The virus is of course in the zip file that the customer support has kindly attached.
    One of the things I find interesting is that "they" have changed the presentation slightly. The malicious e-mails are been sent by the computer and not the person. That way it is not the users fault. They explain what the virii are doing and how they are doing it so that it is unnoticable to the end user. Once again it is not the users fault. Haveing said that the user can simply fix the problem by installing the required patch which is kindly supplied. Without having to call the geeks in computer support.
    Of course for most anglophones the fact that the mail have a few obivious grammer mistakes would start warning bells ringing for non anglophones the mail would seem correct. It is no worst than a lot of mail I see from non aglophone support sites and it is a few steps up form the usual mail of this type.
    Ok this is an old style attempt to infect a computer. Still an old trick with new users works more often than we like.
    It also needs the user to install the "patch". We all know there nothing more dangerous than a user being smarter than their tech support.
    Nothing really new here but sometimes it is good to be reminded of the basics.
    cheers
    Muracu.

    Ps if any one wants the virus to study it or reverse engineer it let me know and i may attach it.
    Also on the topic what tools do you use to study virii?
    \"America is the only country that went from barbarism to decadence without civilization in between.\"
    \"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
    Oscar Wilde(1854-1900)

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    It's a variant of stration

    Quote Originally Posted by MURACU
    Also on the topic what tools do you use to study virii?
    IDA-Pro..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I was following this a little bit ago:

    http://www.computerdefense.org/?p=111
    http://www.computerdefense.org/?p=113
    http://www.computerdefense.org/?p=114

    It's interesting...

    For virus analysis there is plenty of stuff... Depends on what you're interested in...

    Malware Analysis Pack - -http://labs.idefense.com/software/ma...+analysis+pack is great

    VirusTotal.com -- Variety of AV Vendor Results

    Ethereal/Wireshark

    IDA Pro

    Ollydbg/Windbg

    VMWare

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    Member
    Join Date
    Aug 2005
    Posts
    98
    Following on from HT's post, the attached document is something I put together a while ago now about performing behavioural analysis of malicious files, it lists some simple tools and methodologies I have used.

    I am sure I posted it here in the past but I tried to search for it and couldn't find it :-(

    VirusTotal is definitely a good tool, should be in most security professionals bookmarks.
    Attached Files Attached Files

  5. #5
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Since I'm at work and don't have access to my home box atm (I crashed it )... Does anyone have a copy of the stration virus... and if so could you
    a) PM it to me
    b) attach it to a website
    c) zip/rar it repeatedly with a password and email it to me (I'll provide my email address as needed)...

    This is sort of urgent so if anyone can get a hold of it it would be greatly helpful

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  6. #6
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    I don't want to delete the above post in case people saw it and are looking to assist me... .However I wanted to let you know that I have found a copy on OffensiveComputing...

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  7. #7
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,002
    Thats good i was about to send you a copy. i.e. the one that was attached to the e-mail. Going to let it infect an unpatched box to see the results. It will be my first attempt at disecting a virus so if any one has already done I would be interested in seeing the results of your invrstigation.
    Cheers,
    Muracu.
    \"America is the only country that went from barbarism to decadence without civilization in between.\"
    \"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
    Oscar Wilde(1854-1900)

  8. #8
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    From my CWSandbox Review - http://research.sunbelt-software.com...e.aspx?id=3247

    I highly recommend reading my post if you haven't.. but even if you don't get time, check the above link out... If you want to test your malware I'd say submit it to CWSandbox and check out the results... I used Stration.B in my tests..

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides