PaulDotCom mailing list archives
Re: Malware reverse engineering (Mosh)
From: <binary011011 () gmail com>
Date: Tue, 1 Feb 2011 09:01:28 +0530
hey Mosh, I hope this might kick-start you off: http://questions.securitytube.net/questions/18/how-do-i-get-started-with-malware-analysis

There are lots of tools, from disassembling and debugging to live dumping of memory/sections for analysis, but it will be good if you run it under a controlled environment.

----- Original Message -----
From: <pauldotcom-request () mail pauldotcom com>
To: <pauldotcom () mail pauldotcom com>
Sent: Sunday, January 30, 2011 5:30 PM
Subject: Pauldotcom Digest, Vol 28, Issue 25

Today's Topics:

1. Re: Question for the Consultants (scott burkhart)
2. Malware reverse engineering (Mosh)
3. HackIM 2011 - Pre-nullcon Hacker Challenge (Prashant Mahajan)
4. user permissions needed to run handle.exe (craig bowser)
5. Re: Any experience with Aristotle software (Robert Portvliet)

----------------------------------------------------------------------

Message: 1
Date: Fri, 28 Jan 2011 14:40:15 -0600
From: scott burkhart <burkhart.scott () gmail com>
Subject: Re: [Pauldotcom] Question for the Consultants
To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com>
Cc: pauldotcom () pdc-mail pauldotcom com
Message-ID: <AANLkTi=SrnMG5eCdHEovXq20ixsh0L0homOzxDsyp=25 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Thank you everyone for the feedback, it has been very helpful. I think the biggest drawback for me would probably be the travel; I don't know if I could give up seeing my kids on a daily basis - maybe when they get to be a bit older things will change.

On Wed, Jan 26, 2011 at 5:33 PM, Mike Patterson <mike () snowcrash ca> wrote:

> If you think you'll avoid office politics working for a consultant, I think you're wrong twice. First, you mentioned it's a firm - there'll be politics there, just a different kind than you're used to.
>
> You'll also get pulled into it at your clients' offices, even if you're not fully aware of it. I think it's a pretty rare company that hires consultants where everybody there takes everything the consultant says at face value. Another con for consulting might be, if you're passionate anyway, that they'll reject your advice out of hand. That stings badly enough, but if they're annoyed enough you might get to be on the receiving end of a rant to boot.
>
> I'm sure there's more, but that's just what I thought of. What about things like health care? Everything more or less the same there?
>
> Mike

------------------------------

Message: 2
Date: Fri, 28 Jan 2011 15:34:11 -0500
From: Mosh <moshhax0r () gmail com>
Subject: [Pauldotcom] Malware reverse engineering
To: Pauldotcom () mail pauldotcom com
Message-ID: <AANLkTiksR2M9ekO=+307iAVTvRkgK8AkYDRvQ6JTXoJS () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi there,

I really want to learn to do reverse engineering for malware, but I don't have money to do a course :-(, so maybe you can help me with this; I appreciate all your comments. I have two questions:

1. What should be the process for a detailed analysis of malware function?
2. Do you know about some tools?

Thank you so much and sorry for the bad English.

Mosh

------------------------------

Message: 3
Date: Sat, 29 Jan 2011 15:49:11 +0530
From: Prashant Mahajan <prashant3535 () gmail com>
Subject: [Pauldotcom] HackIM 2011 - Pre-nullcon Hacker Challenge
To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com>
Message-ID: <AANLkTimWRaAopWjeDB4rhahwgPjyWZq_Xbpwd=NS4ZbZ () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Anybody playing this?

---------- Forwarded message ----------
From: corrupt <corrupt () null co in>
Date: Fri, Jan 28, 2011 at 5:11 PM
Subject: [HackingChallenge] HackIM 2011
To: null-co-in () googlegroups com

n00bs & haXors,

We are proud to present (..drum roll starts ...) the second edition of our very own, very popular ( ..increasing drum roll tempo.. ) HackIM 2011 - The Pre-nullcon Hacker Challenge .. tadda!

After the remarkable success of last year's challenge ( well, we consider frustrating 1000+ n00bs and keeping dozens of haXors sleepless for weeks a success :) )

Link: http://nullcon.net/challenge/

Here's your chance to win a free pass with two days' stay for nullcon Goa 2011. All you have to do is run over a few trivial puzzles and challenges and the golden ticket is yours. In case you have already bought the ticket, don't worry, we'll reimburse your ticket if you win.

Theme:
If you have spent any time with puzzles like notpron or klueless, or other hacking challenges, this one should lie somewhere in between. ( We thought if you're gonna pull your hair out solving the puzzle, it's only fair that you learn something while doing so.) This time, the first few levels are puzzle/quiz based and the later ones are based on realistic scenarios.

Rules:
Ok, here you should pay more attention:
1. Players will need to create an account in order to participate in the challenge. http://www.nullcon.net/challenge/register.php
2. Each level gives you a set of clues to reach the next level. Following these clues you should figure your way to the next level. Once you have reached the final level you'll know how to claim the booty.
3. The unofficial back channel for the challenge is irc.chat4all.org #nullcon & #n|u. Hints will also be provided for each level through twitter or the null mailing list. More details will be available shortly.
4. This challenge does NOT give participants any legal permission to exploit http://nullcon.net or its hosting partner in a destructive manner. Any attack against the site or the hosted servers will be observed under the general legal framework.
5. Running automation tools (scanners/enumerators/password crackers, etc.) is not allowed and won't help you complete the challenge in any way.
6. The scoreboard for the challenge is available on http://www.nullcon.net/challenge/scoreboard.php

Tools:
1. Arming yourself with your favorite hacking and debugging tools is advisable. (It will be a good idea to take the new Matriux or BT4 for a ride.)

Good Luck and Have fun :)

--
Cheers,
corrupt

--
Regards,
Prashant
Pain is the price you pay for resisting life.

------------------------------

Message: 4
Date: Fri, 28 Jan 2011 17:37:27 -0500
From: craig bowser <reswob10 () gmail com>
Subject: [Pauldotcom] user permissions needed to run handle.exe
To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com>
Message-ID: <AANLkTikjVz_3E7X+C6QY29tKZAWS=3DRKhGytPQvpj4p () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Does anyone know what user perms are needed to run the Sysinternals tool handle.exe? (The same permissions also allow you to view handles in procexp.exe and NirSoft's OpenedFilesView.exe.)

While I am using a domain admin, I still get "Error loading driver: access denied". Googling that error turns up numerous forums saying that I must have the 'Debug Programs' permission. But even after I add myself (both explicitly and via the Administrators group), I still get the error.

Any ideas?

Basically I'm trying to find out what process/user has a certain file locked, preventing SCCM from installing patches.

Thanks.

Craig L Bowser
____________________________
This email is measured by size. Bits and bytes may have settled during transport.

------------------------------

Message: 5
Date: Fri, 28 Jan 2011 13:24:30 -0500
From: Robert Portvliet <robert.portvliet () gmail com>
Subject: Re: [Pauldotcom] Any experience with Aristotle software
To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com>
Message-ID: <AANLkTimBEsoyf834CF+NjaFWCdzNq_4R0aAFsCgmPG6q () mail gmail com>
Content-Type: text/plain; charset="utf-8"

Funny you mention Aristotle, I was just having a conversation about this the other day... I did some work with it back when I worked for a school district. To be honest I only monitored it, I didn't do the implementation, but it seemed to be fairly comprehensive.

As you said, it monitors the machines it is installed on and is controlled/viewed through a central web interface in an IDS-like manner, where it shows events of interest as alerts. It basically monitors for any keywords being present (re: dirty words), so it will catch them in any application where they may be displayed. It also shows the applications being used, can alert on a banned application, shows the time spent doing certain things such as web surfing, and will alert when a threshold is reached (such as excessive web surfing). It has key-logging capabilities as well, and the servers themselves are Linux based appliances iirc.

That's about all I can think of... We used Aristotle and a WebSense proxy to monitor/control the environment and it seemed to be pretty effective overall. If you have specific questions ping me off list and I'll see what I can do to answer them. Like I said, I only monitored it, but I'll help where I can.

On Thu, Jan 27, 2011 at 11:08 AM, Gibson, Samuel <gibsons () my uwstout edu> wrote:

> Hello List,
>
> I was wondering if anyone had any exposure to Aristotle Reporting and Surveillance software. http://www.provecompliance.com/index.html
>
> Essentially, it can monitor desktops with regards to what a user does at a given time, application usage, IM communications, and optional key logging when SSL connections are made. I was wondering if anyone had any opinions about this software or similar alternatives.
>
> Thanks,
> Sam

------------------------------