This is our world now… the world of the electron and the switch, the beauty of the baud. We explore… you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.
regmon and filemon are the two important tools used in malware analysis.
any malware, when it first infects the Windoze box, it infects the registry. the reason behind this is to make sure that the malware runs every time windoze boots up and to disable other security settings of windoze / av’s.
regmon tool basically monitors any access to the registry. there are about 14 – 16 routines in the windoze kernel (also called virtual machine manager) which deals with all i/o operations on registry. the technique is like the dos TSR and IVT hooking one, where regmon hooks into these chain and anything accessing these routines will pass through regmon as well.
during DOS days all viruses will try to hook themselves into interrupt vector table and put themselves in TSR mode. the same applies in windoze with some fancy names. regmon’s heart is the regvxd.vxd code. this inserts or hooks itself into those 16 routines. regvxd.vxd is a Virtual Device Driver.
so before loading the malware, take a snapshot of the registry using regmon. then load the malware into the sandbox or the VM system and run the regmon. regmon clearly shows what all the key / values got changed ..
more coming …
get regmon from here http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx
from the oneha|f Lab
so what is this oneha|f group ?
a place for people to do malware research, malware code analysis, behaviour analysis, discuss about defending malwares, incident response and much more .
I have chosen the name oneha|f because, it was the first virus infected my system ….. I got very thrilled by knowing it’s infection technique …..
onehalf’s payload is very interesting … it infects the hard disc by encrypting cylinders ….. the decryption happens on the fly, when this virus got loaded in the memory … if careful removal is not done, then the data is lost … since the virus will have the key to decrypt the data …..
focus will be more on code analysis, reverse engineering, assembly, worm techniques and what not …
come and join, if you are a person interested in malware research, love systems programming, hit your head in asm instructions, and what so ever related to depth of systems programming …
malware research is an interesting area … we will learn about extreme programming concepts, nice techniques, and depth about computer networks and computer itself …..
the main reason to create this group is to unite people in this arena … please no spammers, no script kiddies, no junkies … you can only join through people who are already in the group …..
the group is highly moderated ….. the reason is ….. we will share malware sample for discussion and research ….. we do not want to allow some one to come and sniff our messages, ask for tutorials, look for exploit codes … please do not bug us .. we are already busy ! …..
you can reach this group at http://groups.google.com/group/onehalf
and the web blog is at https://oneh.wordpress.com
Welcome to oneha|f Lab, the malware research group
this is the first post in this group. our primary focus is to study about malwares, techniques, malware defense and things like that .
you can interact with our group at firstname.lastname@example.org