oneha|f Lab

Virus group 29A disbanded – who’s next?

oneh — Sun, 22 Mar 2009 15:13:30 +0000

Couple of weeks back, 29A officially shut down business. 29A’s published work was one of the best (IMHO) sources for cutting edge virus technologies. Their e-zines provided a sampling of what was happening in the Virus underground during that period.

This was the last message posted by VirusBuster in their site:

” I tried to contact ValleZ for some time in order to take a decision together about the future of 29A with no luck therefore I decided to take the decision alone. And my decision is that 29A goes officially retired. I feel this is fair because I am kinda the alpha and the omega of the group. 29A was born in Dark Node, my BBS, and I am the last active member of the group. My last words as 29A member are for all the people that worked hard to make of this group the best one: Thank you very much! Regards, VirusBuster/29A

29A has left the building! “

Kind of sad.

I came to know of 29A when I was in my 2nd year UG, around 1997. 29A was a new group then (If I am right, the group formed only in the mid of 1996). BTW, if you are wondering why they named it so, 29A is the hex representation of 666 decimal.

One of my (crazy, if you ask my wife now!) hobbies back then was collecting DOS/Windows virii source code. I was more interested in the source than the binary. I had close to 23K source files when I decided to move on to other things. There were umpteen number of sites even back then which listed for download many viruses, but most of them were distributed as either EXE or COM files. I used to take them, decompile/disassemble them using SOURCER or debug.exe (I had to use this only for a few files; Sourcer did a good job for the others.) and add to my virus database. I remember checking out a DB tool (VirSort or VirusBuster??) for sometime, but resorted to maintaining them myself (that is, keeping them scattered through out my 4GB HDD ).

Apart from these, lots of VX tutors were there too. I remember some of the tutorials that were considered state-of-the-art (!?) then:

Advanced Polymorphism Primer by DarkAngel

Calling the Windows API in Assembly Language by Qark

MCB Stealth by Darkman

Particularly, I used to devour anything by Dark Angel, Lord Julus & VLAD. How can I ever forget Lord Julus’s “Ring 0 Residency under Windows 95/98″ article?? Classic!!

When 29A started releasing their e-zines, it quickly became one of my favorites. I loved all their articles, especially by MrSandman, Benny, VirusBuster, Jacky Qwerty, Vecna & Rajaat - they were my favorites. Issue #4 was, IMO, pure gold!!

Later, when I came out of the college, I lost touch with the VX scene. Register.co.uk & F-Secure’s blog were the only VX news source for me. Though 29A published lots of new things, the following are considered notable accomplishments (?!):

Cabir, which infected Symbian mobile phones

Duts, the first ever Pocket PC virus

Haiku, which generated Japanese-style poetry

Stream, which was the first virus to take advantage of NTFS Alternate Data Streams

Lindose, which infected both Windows and Linux computers

Donut a .NET aware Windows file infector

I have given some links to the interviews (public/through email) of some 29A members below: I will be updating this with more as I find them in the net.

automating the snort IDS in FreeBSD

oneh — Wed, 04 Mar 2009 02:47:21 +0000

Currently I am into automating the process of installing and configuring snort in FreeBSD. I have developed a small script which installs and configures Snort, MySql, Apache, PHP, ADODB and Base console in FreeBSD. Currently I have written the following scripts:

1) start.sh -> creates all necessary directories and users

2) deps.sh -> installs dependencies like libpcap, pcre, libxml2

3) mysql.sh -> installs mysql

4) snort.sh -> installs snort and updates the rules

5) create_snortdb.sh -> creates snort db schema and confifures acl’s for accessing

6) apachephp.sh -> installs apache, php and mod security

right now I am into developing scripts for updating configuration files too.. like after you install all the above you need to manually modify snort.conf, httpd.conf;etc for settings..

i am also developing a model to secure the entire ids by hardening FreeBSD, MySQL, Apache;etc and distributed IDS

will update soon !!!

spyware signature file

oneh — Wed, 24 Sep 2008 05:28:58 +0000

I am writing a small spyware removal software … I am writing this tool in VC++ and in ASM … currently I am writing a module to build the signature database and methods to retrieve informations from the DB … while doing this work I came across a good website which has excellent information about the spywares and it is www.spywaredb.com … it has lots of information about many spywares … I am totally using it and it’s very useful

hacker manifesto

oneh — Tue, 19 Aug 2008 16:01:58 +0000

This is our world now… the world of the electron and the switch, the beauty of the baud. We explore… you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.

regmon

oneh — Sun, 17 Aug 2008 05:36:00 +0000

regmon and filemon are the two important tools used in malware analysis.

any malware, when it first infects the Windoze box, it infects the registry. the reason behind this is to make sure that the malware runs every time windoze boots up and to disable other security settings of windoze / av’s.

regmon tool basically monitors any access to the registry. there are about 14 – 16 routines in the windoze kernel (also called virtual machine manager) which deals with all i/o operations on registry. the technique is like the dos TSR and IVT hooking one, where regmon hooks into these chain and anything accessing these routines will pass through regmon as well.

during DOS days all viruses will try to hook themselves into interrupt vector table and put themselves in TSR mode. the same applies in windoze with some fancy names. regmon’s heart is the regvxd.vxd code. this inserts or hooks itself into those 16 routines. regvxd.vxd is a Virtual Device Driver.

so before loading the malware, take a snapshot of the registry using regmon. then load the malware into the sandbox or the VM system and run the regmon. regmon clearly shows what all the key / values got changed ..

more coming …

get regmon from here http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx

from the oneha|f Lab
(groups.google.com/group/onehalf)

what is oneha|f lab ?

oneh — Fri, 15 Aug 2008 14:18:52 +0000

so what is this oneha|f group ?

a place for people to do malware research, malware code analysis, behaviour analysis, discuss about defending malwares, incident response and much more .

I have chosen the name oneha|f because, it was the first virus infected my system ….. I got very thrilled by knowing it’s infection technique …..

onehalf’s payload is very interesting … it infects the hard disc by encrypting cylinders ….. the decryption happens on the fly, when this virus got loaded in the memory … if careful removal is not done, then the data is lost … since the virus will have the key to decrypt the data …..

focus will be more on code analysis, reverse engineering, assembly, worm techniques and what not …

come and join, if you are a person interested in malware research, love systems programming, hit your head in asm instructions, and what so ever related to depth of systems programming …

malware research is an interesting area … we will learn about extreme programming concepts, nice techniques, and depth about computer networks and computer itself …..

the main reason to create this group is to unite people in this arena … please no spammers, no script kiddies, no junkies … you can only join through people who are already in the group …..

the group is highly moderated ….. the reason is ….. we will share malware sample for discussion and research ….. we do not want to allow some one to come and sniff our messages, ask for tutorials, look for exploit codes … please do not bug us .. we are already busy ! …..

you can reach this group at http://groups.google.com/group/onehalf

and the web blog is at http://oneh.wordpress.com

first post

oneh — Fri, 15 Aug 2008 05:27:44 +0000

Welcome to oneha|f Lab, the malware research group

this is the first post in this group. our primary focus is to study about malwares, techniques, malware defense and things like that .

you can interact with our group at onehalf@googlegroups.com