
Thursday, February 24, 2011

ZeroAccess / Max++ / Smiscer Crimeware Rootkit sample for Step-by-Step Reverse Engineering by Giuseppe Bonfa (Update: 2011 version available)

Post Update Feb 24, 2011

The new version is available here, thanks to Giuseppe :)

Download MaxRootkit_2011_1.exe as a password protected archive (contact me if you need the password)

File name: 392ddf0d2ee5049da11afa4668e9c98f

VirusTotal
Submission date: 2011-02-14 14:41:24 (UTC)
Result: 25/43 (58.1%)
Antivirus     Version     Last Update     Result
AhnLab-V3     2011.02.14.02     2011.02.14     Trojan/Win32.Gen
AntiVir     7.11.3.78     2011.02.14     TR/Dropper.Gen
Avast     4.8.1351.0     2011.02.14     Win32:FakeAlert-FC
Avast5     5.0.677.0     2011.02.14     Win32:FakeAlert-FC
AVG     10.0.0.1190     2011.02.14     Dropper.Generic3.AJH
BitDefender     7.2     2011.02.14     Trojan.Generic.5349632
CAT-QuickHeal     11.00     2011.02.14     Worm.Sirefef.a
DrWeb     5.0.2.03300     2011.02.14     Trojan.DownLoader2.2219
Emsisoft     5.1.0.2     2011.02.14     Worm.Win32.Sirefef!IK
F-Secure     9.0.16160.0     2011.02.14     Trojan.Generic.5349632
Fortinet     4.2.254.0     2011.02.14     W32/Dx.VUZ!tr
GData     21     2011.02.14     Trojan.Generic.5349632
Ikarus     T3.1.1.97.0     2011.02.14     Worm.Win32.Sirefef
McAfee     5.400.0.1158     2011.02.14     Generic.dx!vuz
McAfee-GW-Edition     2010.1C     2011.02.14     Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft     1.6502     2011.02.14     Worm:Win32/Sirefef.gen!A
NOD32     5872     2011.02.14     a variant of Win32/Sirefef.C
Panda     10.0.3.5     2011.02.13     Trj/CI.A
PCTools     7.0.3.5     2011.02.13     Trojan.Gen
Rising     23.45.00.00     2011.02.14     [Suspicious]
Symantec     20101.3.0.103     2011.02.14     Trojan.Gen
TheHacker     6.7.0.1.130     2011.02.13     Trojan/Sirefef.c
TrendMicro     9.200.0.1012     2011.02.14     TROJ_GEN.R3EC1BD
TrendMicro-HouseCall     9.200.0.1012     2011.02.14     TROJ_GEN.R3EC1BD
VIPRE     8416     2011.02.14     Trojan.Win32.Generic!BT
MD5: 392ddf0d2ee5049da11afa4668e9c98f

Infosec Resources published an excellent and very detailed 4-part tutorial by Giuseppe Bonfa:
Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit

Part 1: Introduction and De-Obfuscating and Reversing the User-Mode Agent Dropper
Part 2: Reverse Engineering the Kernel-Mode Device Driver Stealth Rootkit
Part 3: Reverse Engineering the Kernel-Mode Device Driver Process Injection Rootkit
Part 4: Tracing the Crimeware Origins by Reversing the Injected Code

The full tutorial is at Infosec Resources.

To follow the tutorial, you need a hex editor of your choice (e.g. Hex Workshop), a debugger (OllyDbg), plus the ZeroAccess rootkit sample itself (see the download section below).

Nov 18, 2010: Whitehat cracks notorious rootkit wide open (The Register)

Download MaxRootkit_2011_1.exe as a password protected archive (contact me if you need the password)

If you are interested in other Reverse Engineering tutorials, you can find many at
