I posted about ANI vulnerability malware some days ago, and today I saw a paper on Websense Security Labs about analysis of malware spread via spam and the ANI vuln.
view this paper on websense
Archive for the ‘malware’ Category
Analysis of Malware Spread via SPAM and ANI vulnerability
April 9, 2007
New worm uses the .ani zero-day vulnerability
April 2, 2007
Some days ago researchers declared an alert for the Microsoft Windows Cursor and Icon (.ANI) zero-day vulnerability. Now they have declared an alert for a new worm.
“It’s bad news that the Windows Animated Cursor Handling zero-day vulnerability has been used by malware in China now. We have received this kind of new worm today. It has the same behavior as Worm.Win32.Fujacks. It also can infect .HTML .ASPX .HTM .PHP .JSP .ASP and .EXE files, and inserts the malicious links which contain the Windows Animated Cursor Handling zero-day vulnerability into .HTML .ASPX .HTM .PHP .JSP .ASP files. It also can send out Chinese spam which includes the same zero-day vulnerability link.”
view analysis on CISRT
http://www.cisrt.org/enblog/read.php?68
malware analysis (Nailuj)
March 4, 2007
Again, an analysis of a malware. “The malware, named Nailuj by some antivirus companies, is composed of 3 files: VideoAti0.exe, VideoAti0.dll and VideoAti0.sys. I won’t talk about all the files, but will focus my attention on only one, the sys file. This malware represents a nice target for those who want to approach a malware for the very first time because it uses well-known techniques, such as hiding files and hooking functions. Nothing hard once you have dealt with them at least once. In addition, the sys file is compiled in debug mode and every operation performed by the malware is documented inside the code. Yes, every time it does something it reveals its success or failure, printing out a comment using the DbgPrint function. This is really useful because you know what it will do before starting to analyze the code, not so bad.”
Analysis of the worm “Tibick.D”
February 23, 2007
The aim of this article is to give an introduction to the field of malware analysis. The worm dissected later in this article is neither new nor unknown and has been analyzed already. A very simple and primitive worm has been chosen to make this article most understandable, especially to those who have never reversed a worm before or are (relatively) new to reverse engineering.
This article might be not very interesting for advanced (malware-)reversers.
A Closer Look at the Worm_Mimail.A
February 18, 2007
“A Closer Look at the Worm_Mimail.A” (written by C. Hornat) is a good analysis of techniques you see used in many malware. This analysis shows how these things work.
“On August 1, 2003, I encountered several emails from my email admin account informing me that my email address will be expiring and that I should read an attachment for further details. Being suspicious, I analyzed that file and the effects of it. This is a short overview of what I have found so far.”
Hacking The Malware
February 16, 2007
This paper attempts to document an approach on how hackers make use of vulnerabilities to install malicious software on the vulnerable machine. A comprehensive reverse code engineered analysis of the malicious software (Win32.Qucan.a) and the various protection schemes against the worm by various security products are also discussed.
The Science of Malware Analysis
February 15, 2007
This paper about reversing malware was written by Mad_guy.
Malware . . . it’s all over. It has been successful in attracting worldwide attention by infecting systems and causing damage worldwide. We try as hard as we can to scan it, detect it, and monitor activities on the internet. But alas, no box is perfectly secure.