Monday, November 29, 2010

Sample Analysis 1

I apologize for not posting a primer on OllyDBG. Things are pretty busy with work and life. I know that's not a good excuse but it's all I got :). In the mean time, here is a link to the sample we are currently analyzing. We will post our results, both static and dynamic in the next week or so. Check back. In the mean time, don't forget that we Tweet anytime there is a site update. If you want to follow us it's @inetopenurla.

The latest sample can be found here.

Check back soon for the analysis. Also, if you have a sample you would like us to analyze you can email it to us at inetopenurla (at) gmail[dot]com. Just put it in a password protected zip file with a password of infected.

I promise to add a primer to OllyDBG soon as well.
Posted by Curt Shaffer at 7:32 AM

7 comments:

  1. UnknownNovember 30, 2010 at 6:07 PM

    The link to the malware sample is not working. From where can we get the malware sample?

    ReplyDelete
  2. Curt ShafferDecember 1, 2010 at 7:00 PM

    Sometimes links will die before you get to them. This is due to sites being taken down or systems getting cleaned.

    However, this link is still working for me. I did need to turn off my network AV to get it though.

    Please answer the following:

    What error are you getting?
    What browser are you using?
    Have you checked AV/HIPS logs to ensure it wasn't removed?

    ReplyDelete
  3. NateDecember 2, 2010 at 9:26 AM

    I'm getting a 404. Is there a mirror for this file? Thanks!

    ReplyDelete
  4. NateDecember 2, 2010 at 9:27 AM

    Sorry, forgot to include the rest of the details. I tried using Safari and wget. I'm not behind AV or HIDS or even a network web filter.

    ReplyDelete
  5. Curt ShafferDecember 2, 2010 at 7:32 PM

    There isn't a mirror as these samples are normally grabbed from servers that are hosting them maliciously. Let me see what I can work out about getting them to you guys.

    ReplyDelete
  6. Curt ShafferDecember 5, 2010 at 2:49 PM

    If anyone wants a copy of this file that was unable to obtain it. Please email us at inetopenurla [at] gmail {dot} com. I will send you a copy that is password protected with a password of infectedmalware.

    ReplyDelete
  7. BonoDecember 10, 2010 at 3:25 AM

    Hey, this is a really interesting blog.

    One thing though: Can you please not hotlink the malware site directly. I am reading (like most people) on personal computer not a VM. Or put a red sign "warning malicious content" would be useful too.

    Thanks,
    -NY.

    ReplyDelete

Subscribe to: Post Comments (Atom)