LOD 0x02

Posted in LOD on February 4, 2010 by ianstarkc

Bootloader Development Environment

Creating a bootloader from scratch

Hack the Malware == All keylogged data + Fully registered keylogger software

Posted in Uncategorized on February 4, 2010 by ianstarkc

You know, this is the very interesting part, and I love to see that finally I got access to the remote server and the fully registered Blazing Tools Perfect Keylogger as well!!

Here and here also.

LOD 0x01

Posted in LOD on February 3, 2010 by ianstarkc

Link of Day 0x01

http://www.neerajaarora.com

Sample Submission

Posted in Uncategorized on January 25, 2010 by ianstarkc

After working as a forensic expert, I now want to work as a malware researcher, so send malware samples to malware@annysoft.com

Send your samples in a password-protected zip file.

Jsunpack: An Automatic JavaScript Unpacker

Posted in Tools on April 3, 2009 by ianstarkc

http://jsunpack.jeek.org/BlakeHartstein_Shmoocon_Jsunpack_20090208.pdf

http://jsunpack.jeek.org/

Conficker domain generation algorithm and disinfection

Posted in Uncategorized on April 1, 2009 by ianstarkc

You can find it at:

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

50000 Domains per day ->> Updated Downadup/Conficker/Kido

Posted in Uncategorized on March 8, 2009 by ianstarkc

There is some news about a new variant of the Downadup worm. The old variant generated 250 domains per day, but this variant changed its algorithm and now calculates 50,000 domains per day!!! I confirmed this through the code of the new variant. See the hint:

; [ebp-80h] holds a SYSTEMTIME: wYear at +0, wMonth at +2, wDay at +6
66 81 7D 80 D9 07      cmp     word ptr [ebp-80h], 7D9h   ; checking for year: 0x7D9 == 2009
77 12                  ja      short loc_6A3C37
75 26                  jnz     short loc_6A3C4D
66 83 7D 82 04         cmp     word ptr [ebp-7Eh], 4      ; for month: 4 == 'April'
77 09                  ja      short loc_6A3C37
75 1D                  jnz     short loc_6A3C4D
66 83 7D 86 01         cmp     word ptr [ebp-7Ah], 1      ; for date == 1, so (01-04-2009)
72 16                  jb      short loc_6A3C4D
83 7D 90 00            cmp     dword ptr [ebp-70h], 0
74 09                  jz      short loc_6A3C46

loc_6A3C46:
E8 2F 49 00 00         call    sub_6A857A

sub_6A857A:
68 94 08 00 00         push    894h
68 00 00 25 20         push    20250000h

---------------

89 BD 60 FF FF FF      mov     [ebp-0A0h], edi
81 FF 50 C3 00 00      cmp     edi, 0C350h                ; domain count: 0xC350 == 50,000
0F 83 B9 00 00 00      jnb     loc_6A86B0
6A 20                  push    20h
6A 40                  push    40h
8B 8D 5C FF FF FF      mov     ecx, [ebp-0A4h]
8D 1C B9               lea     ebx, [ecx+edi*4]
89 03                  mov     [ebx], eax
85 C0                  test    eax, eax
0F 84 4E 02 00 00      jz      loc_6A8862
E8 90 FE FF FF         call    sub_6A84A9
50                     push    eax
I hope I'll post the full algorithm/standalone compiled file. I also want to find out why this time it has so many website strings like… See the file strings here.


-Avii
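As an added example (not code from the original post or from the sample), here is a Python model of the two checks visible in the listing above: the activation-date gate and the 50,000-slot domain loop. The labels, offsets and constants are the ones in the listing; next_entry is an assumed placeholder for whatever produced eax, since the generator itself is not shown.

```python
from datetime import date
from typing import Callable, List, Optional

# Constants read straight off the listing (not from any external source).
ACTIVATION = (0x7D9, 4, 1)   # cmp word [ebp-80h],7D9h / [ebp-7Eh],4 / [ebp-7Ah],1
DOMAIN_COUNT = 0xC350        # cmp edi, 0C350h -> 50,000 table slots

def date_gate(year: int, month: int, day: int) -> str:
    """Mirror the cmp/ja/jnz/jb chain and return the label it branches to.

    [ebp-80h], [ebp-7Eh] and [ebp-7Ah] are offsets 0, 2 and 6 of a
    SYSTEMTIME (wYear, wMonth, wDay), so the chain is a field-by-field
    'is today on or after 2009-04-01' test.
    """
    y, m, d = ACTIVATION
    if year > y:          # ja  short loc_6A3C37
        return "loc_6A3C37"
    if year != y:         # jnz short loc_6A3C4D  (year < 2009)
        return "loc_6A3C4D"
    if month > m:         # ja  short loc_6A3C37
        return "loc_6A3C37"
    if month != m:        # jnz short loc_6A3C4D  (month < April)
        return "loc_6A3C4D"
    if day < d:           # jb  short loc_6A3C4D
        return "loc_6A3C4D"
    return "fallthrough"  # on to cmp dword [ebp-70h], 0 / jz loc_6A3C46

def is_active(on: date) -> bool:
    """True when the date gate does not send execution to loc_6A3C4D."""
    return date_gate(on.year, on.month, on.day) != "loc_6A3C4D"

def fill_domain_table(next_entry: Callable[[int], Optional[str]]) -> List[str]:
    """Simplified model of the loop in sub_6A857A: edi counts slots and the
    loop leaves at 0xC350 (jnb loc_6A86B0); each slot holds one 4-byte
    pointer (lea ebx,[ecx+edi*4] / mov [ebx],eax) and a NULL pointer aborts
    (test eax,eax / jz loc_6A8862).  next_entry is an assumed placeholder
    for whatever produced eax; the real generator is not in the listing."""
    table: List[str] = []
    edi = 0
    while edi < DOMAIN_COUNT:    # cmp edi, 0C350h / jnb loc_6A86B0
        eax = next_entry(edi)
        if eax is None:          # test eax, eax / jz loc_6A8862
            break
        table.append(eax)        # mov [ecx+edi*4], eax
        edi += 1
    return table
```

Running date_gate over a few dates shows that everything before 2009-04-01 lands on loc_6A3C4D and that only days from April 2009 onward reach the 50,000-entry path.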