Saturday, March 21, 2009

Malware project updates

As I mentioned in the addendum to the last post, I had a flaw in the method I was using.

The flaw was twofold: memory page trimming in VMware, and the fact that I wasn't allowing the malware to execute fully before taking the snapshot. I've fixed both, and as a result you'll see some fairly dramatic changes in the contents of the memory snapshots.
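As an added illustration (not part of the original post, and not the author's own configuration), here is the guest .vmx fragment an analyst would typically check when a VMware memory snapshot comes back with pages missing. The option names are real VMware settings; the idea that this particular guest used the defaults is an assumption.

```ini
# Added example: .vmx fragment for a malware-analysis guest (hypothetical VM).
# Weak/default behaviour: VMware reclaims idle guest pages ("memory trimming")
# and may share identical pages across guests, so the .vmem written at snapshot
# time can be missing pages the sample actually touched.

# Corrected settings for snapshot fidelity:
MemTrimRate = "0"                 # disable memory trimming for this guest
sched.mem.pshare.enable = "FALSE" # disable transparent page sharing

# These apply only after a full power-off and power-on of the guest, not a reboot.
```

The second half of the fix described above (letting the sample run to completion before taking the snapshot) is procedural and has no configuration equivalent; the .vmx change only ensures that what the guest did is actually present in the .vmem.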

I've uploaded a few snapshots today including:


and I also reloaded the exemplar4 snapshot, which is an IRCbot with a few twists ;)

I'll be adding a Mebroot and Randsom variant soon. I've added a link to the blog for accessing my skydrive. Expect regular updates. If you've got specific malware you want to see in memory, email me.


I've now uploaded 10 samples including: Waledec, Mebroot, and more.


moyix said...

Again, this is amazing stuff. I'm hoping this will spur some tool development. If I get some time, I want to write Volatility plugins that will look for some indicators of malicious behavior based on these samples...