I guess that’s it…

May 20th, 2009 by Stargazer

It has been quite a while since I blogged about malware, and even more time has passed since I started catching malware. It all started around March 2006, when I began contacting various anti-virus labs and security companies to share the samples I had caught.

But I have to admit that it was a time full of learning and gaining knowledge about that bad software rumbling the network and about analyzing its behavior. But there was hardly anyone saying thanks for the work.

So I decided to stop my malware analysis project, as it was just work, stress and expenses which I had to pay for myself. So here it ends, after three years.

Posted in: Malware | 2 Comments »

Honey, could you please put the rubbish out?

February 27th, 2007 by Stargazer

Malware is a topic that drives many people crazy and makes sysadmins cry. Sadly, we cannot say that there’s an end in sight. But what can we do against it?

‘Nothing’ is the wrong answer. That’s why I have started running honeypots. The salvage is then sent to various anti-malware companies so that it can be analyzed and killed. By and by I got more contacts to send the pest to and did my best in filtering out false positives or broken stuff.

As the last tests have proven that my filters are working below available capacity, I am now offering a malware submission service. In other words, if you want me to, I can submit the malware you have collected too. Just drop me a line.

Posted in: Malware | 2 Comments »

Malware and me

February 19th, 2007 by Stargazer

I was asked to explain why I am interested in malware. Well, why not? Other people are collecting strange things too: coins, stamps, …

The first worm I tried to understand was the well-known Loveletter. As it is just a VB Script, it is very easy to understand. Why did I read it? Well… there were enough in my mailbox and obviously it wanted to be read.

I started my analysis. With every line of code I discovered more of the way the programmer was thinking, but it was way too simple to understand. So I put it away into the ‘I will have a look at it if I am bored and got nothing better to do’ folder and forgot about analyzing it any further, until bad things started to happen on my IRC network.

Read the rest of this entry »

Posted in: Malware | No Comments »

Botnet diet

December 29th, 2006 by Stargazer

It was a wonderful Xmas, and not only from a PC reseller’s point of view. Old computers were exchanged and brand new preinfected preinstalled PCs were installed. As Windows XP now comes with at least SP2 and the mandatory firewall, those boxes are slightly more secure. A nice side effect is that the new (unpatched) computers replaced the old (infected) ones. The global number of bots has decreased.

Sadly it is only a matter of time and (ir)rational users until everything starts all over again.

Posted in: Malware | No Comments »

Statistics, the next attempt

August 2nd, 2006 by Stargazer

Since it is currently very difficult to scan our ever-growing number of malware samples all at once, I have been thinking about what could be built to revive the statistics on the Nepenthes page regarding the scanner tests.

Read the rest of this entry »

Posted in: Malware | No Comments »

What a joy

May 1st, 2006 by Stargazer

An e-mail reached me from the Nepenthes mailing list, bringing a new patch. It fixed a bug in the handling of two viruses and fixed a problem I had when compiling the new version. The result already looks quite good and presents itself as follows

Read the rest of this entry »

Posted in: Malware | No Comments »

Full honeypots

March 12th, 2006 by Stargazer

With mixed feelings I am collecting the big catch from the honeypots today. On the one hand, I am glad that we have made such a good catch, which we can make available to the antivirus labs. On the other hand, it also shows that more kiddies are active in the botnet business again. Where will this lead?

Posted in: Malware | No Comments »