Monday, November 29, 2010

Sample Analysis 1

I apologize for not posting a primer on OllyDBG. Things are pretty busy with work and life. I know that's not a good excuse, but it's all I got :). In the meantime, here is a link to the sample we are currently analyzing. We will post our results, both static and dynamic, in the next week or so. Check back. In the meantime, don't forget that we Tweet anytime there is a site update. If you want to follow us, it's @inetopenurla.

The latest sample can be found here.

Check back soon for the analysis. Also, if you have a sample you would like us to analyze, you can email it to us at inetopenurla (at) gmail[dot]com. Just put it in a password-protected zip file with a password of infected.

I promise to add a primer to OllyDBG soon as well.


  1. The link to the malware sample is not working. From where can we get the malware sample?

  2. Sometimes links will die before you get to them. This is due to sites being taken down or systems getting cleaned.

    However, this link is still working for me. I did need to turn off my network AV to get it though.

    Please answer the following:

    What error are you getting?
    What browser are you using?
    Have you checked AV/HIPS logs to ensure it wasn't removed?

  3. I'm getting a 404. Is there a mirror for this file? Thanks!

  4. Sorry, forgot to include the rest of the details. I tried using Safari and wget. I'm not behind AV or HIDS or even a network web filter.

  5. There isn't a mirror as these samples are normally grabbed from servers that are hosting them maliciously. Let me see what I can work out about getting them to you guys.

  6. If anyone wants a copy of this file and was unable to obtain it, please email us at inetopenurla [at] gmail {dot} com. I will send you a copy that is password protected with a password of infectedmalware.

  7. Hey, this is a really interesting blog.

    One thing though: can you please not hotlink the malware site directly? I am reading (like most people) on a personal computer, not a VM. Or putting up a red sign "warning: malicious content" would be useful too.