Showing posts with the label nepenthes
Mwcollectd v4
Mwcollectd is written by 0xff (Georg Wicherski). Since I plan to contribute back to the mwcollect alliance, I have to get software which provides a module for binary submission. Nepenthes will do, with the submit-mwserv.conf module (however, I have yet to find out how to enable this, either by editing nepenthes.conf or something else). Dionaea, I'm not sure yet, since I can't find the module for the submission. For the meantime I go with Mwcollect, perhaps until I can figure out how to do this on Nepenthes/Dionaea. If you are wondering what mwcollect is, go here. There are also slides which present stuff on mwcollect.
sctest, tool in libemu
I recently tested out sctest, a tool to process shellcode, provided in libemu. The usage is as follows:

sctest -gS -s 10000 -v -G test.dot

Basically there are several steps prior to that (which I needed a friend to help me out with!). Say I have a file called hexdump.txt; try with 10,000 steps:

$ sctest -Ss 10000 -g < hexdump.txt
verbose = 0
success offset = 0x00000005
stepcount 10000

Try with 100,000 steps and we get this:

$ sctest -Ss 100000 -gv < hexdump.txt
verbose = 1
success offset = 0x00000005
stepcount 100000
HMODULE LoadLibraryA ( LPCTSTR lpFileName = 0x0012fe80 => = "ws2_32"; ) = 0x71a10000;
int WSAStartup ( WORD wVersionRequested = 2; LPWSADATA lpWSAData = 1244276; ) = 0;
SOCKET WSASocket ( int af = 2; int type = 1; int protocol = 0; LPWSAPROTOCOL_INFO lpProto...
Marking Nepenthes' log with GeoIP
I always wanted my Nepenthes log to be meaningful, rather than cryptic columns, which is pretty boring. So this is what I did after several searches on the Net... some of the links just show the result, and I wonder why they don't just *put* the script online. Here goes! Let's say I am processing /var/log/nepenthes/logged_downloads:

116.7.16.130 df51e3310ef609e908a6b487a28ac068
116.80.225.172 1d419d615dbe5a238bbaa569b3829a23
116.80.227.106 e269d0462eb2b0b70d5e64dcd7c676cd
116.80.81.221 98eb0fdadf8a403c013a8b1882ec986d
116.80.85.224 e269d0462eb2b0b70d5e64dcd7c676cd
116.81.88.146 2fa0e36b36382b74e6e6a437ad664a80

I want it to be:

Russian Federation ,95.28.56.118 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.63.209 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.71.57 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.82.129 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.89.135 , 7d99b0e910...
Coming soon
Thank you very much for interest in our program. Congratulations, your paper entitled:
1. Effective Malware Analysis with Nepenthes
has been accepted and approved by our committee to present at our conference. As for the presentations, should you have any notes/handouts (i.e. PowerPoint slides) to be distributed, please submit them to us at least a day before the actual presentation day for preparation. To remind you, the fee for each paper is RM650.00, payable on the registration day. Thank you very much and congratulations again.
------------------------------
MyEduSec 2008
Striving Towards Secured Information
http://www.udm.edu.my/myedusec/2008/
[nepenthes] Using Anubis Python script
We can use this python script to automate/mock the automated submission triggered by Nepenthes...

root@nuvox:~/binaries# ./submit_to_anubis.py * -e mailaku @ gmail.com
Successfully submitted the sample. Get the task result at http://analysis.seclab.tuwien.ac.at/result.php?taskid=f474d3ae50475c6451031f37d2d283fd
Successfully submitted the sample. Get the task result at http://analysis.seclab.tuwien.ac.at/result.php?taskid=357c926ee5bfeb6471185f4fb403b55c
Successfully submitted the sample. Get the task result at http://analysis.seclab.tuwien.ac.at/result.php?taskid=0c75b6d90af30124155cf3c69cce504b
Could not submit the sample.
Successfully submitted the sample. Get the task result at http://analysis.seclab.tuwien.ac.at/result.php?taskid=fd7ca9e064aef6d499121a4956a2d9fa
Could not submit the sample.
Could not submit the sample.
Successfully submitted the sample. Get the task result at http://analysis.seclab.tuwien.ac.at/result.php?taskid=639c...
[nepenthes] Screen shot of hex dumps
[nepenthes] Emulating physical nodes
Since the higher the number of sensors we have, the wider the coverage of an outbreak we can get, I opted for Neil's and his pal's way of doing things:

for i in `seq 230 254`; do ip addr add X.X.X.$i/24 brd + dev eth0; done

This of course only covers the range X.X.X.230 to X.X.X.254. I am still looking for a method to simulate, say, 10,000 nodes; IPv6 addresses would be fine for that. Nobody really uses IPv6 here, I guess. Run:

ip addr show

You should see something similar to this:

1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    inet X.X.X.139/24 brd X.X.X.255 scope global eth0
    inet X.X.X.230/24 brd X.X.X.255 scope global secondary eth0
    inet X.X.X.231/24 brd X.X.X.255 scope global secondary eth0
    inet X.X.X.232/24 brd X.X.X.255 scope global secondary eth...
[clamav] submission added
source
Submission-ID: 3571791
Sender: me
Added: Trojan.Kolabc.BFY
Virus name alias: Net-Worm.Win32.Kolabc.bfy (Kaspersky AVP)
[CWsandbox-mannheim and nepenthes]
Just this morning I was alerted by the email sent by CWsandbox-mannheim. At last I received an analysis email from them. It seems that one of the malware samples which they analyzed is considered *known* already, since I had already sent the binary manually to ClamAV: click here.
Analysis details for Sdbot-8639
Analysis from different AV vendors