As I mentioned in the addendum to the last post, I had a flaw in the method I was using.
The flaw was twofold: memory page trimming in VMware, and I wasn't allowing the malware to execute fully. I've fixed both, and as a result you'll see some fairly dramatic changes in the contents of the memory snapshots.
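For anyone reproducing this on VMware Workstation, these are the .vmx settings I would add before snapshotting a guest for memory analysis; this is an added example, not the author's configuration, and the setting names are the standard VMware ones rather than anything taken from this post:

```ini
# Added example: analysis-VM .vmx fragment (not the author's file).
# Stop the host from trimming (reclaiming) guest memory pages, so pages the
# sample touched are still present in the guest memory image at snapshot time.
MemTrimRate = "0"
# Disable transparent page sharing between VMs so identical pages are not
# deduplicated on the host; keeps each guest's memory image self-contained.
sched.mem.pshare.enable = "FALSE"
```

These only address the trimming half of the problem; the sample still has to be given enough run time before the snapshot is taken.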
I've uploaded a few snapshots today including:
Ackantta
Koobface
Infostealer
and I also reloaded the exemplar4 snapshot, which is an IRCbot with a few twists ;)
I'll be adding a Mebroot and Randsom variant soon. I've added a link to the blog for accessing my SkyDrive. Expect regular updates. If you've got specific malware you want to see in memory, email me.
Updates:
I've now uploaded 10 samples including: Waledec, Mebroot, and more.
Saturday, March 21, 2009
1 comment:
Again, this is amazing stuff. I'm hoping this will spur some tool development. If I get some time, I want to write Volatility plugins that will look for some indicators of malicious behavior based on these samples...