To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Title: Re: [botnets] Modified upx?



I was looking at the very same file. I was able to capture a couple of different variants of it. Each one seemed to be packed the same way. I never got too far since I am a fledgling reverse engineer, but I thought it might have been packed with a UPX modifier. From openrce.org I found a couple of UPX encryption tools.

http://www.openrce.org/reference_library/packer_database

Let me know if that helps

dan


On 3/16/06 9:11 PM, "M45T3R S4D0W8" <[EMAIL PROTECTED]> wrote:




On 3/15/06, Tron <[EMAIL PROTECTED]  <mailto:[EMAIL PROTECTED]> > wrote:

I have a file, rp5.exe, snared by my running instance of nepenthes,
which is quite obviously compressed via UPX...

upx -l rp5.exe
                      Ultimate Packer for eXecutables
   Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
UPX 1.94 beta   Markus Oberhumer, Laszlo Molnar & John Reiser   Mar 11th 2006

       File size         Ratio      Format      Name
  --------------------   ------   -----------   -----------
   152064 ->     61952   40.74%    win32/pe     rp5.exe

... but which I can't decompress...

upx: rp5.exe: Exception: checksum error.

Which is obviously why Norman sandbox stated, for this particular binary..

nepenthes-9291587b85191b06bbf80d4ea1fb142e-rp5.exe : Not detected by
sandbox (Signature: NO_VIRUS).

Presumably, this means that whoever compressed this binary used an
altered version of upx?

See Norman Sandbox reference 20060315-665 for the full (and unhelpful)
report.

Regards.
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets


There are various utilities for making it impossible to unpack a UPXed EXE.
They have been around for a long time; the first one I have seen was years
ago. You can also use a hex editor to strip the headers. I have tried this in
the past and it fools AV every time. AV uses a checksum of sorts, out of a
large database of them, to recognize a virus/trojan. If you modify it in a way that
changes the checksum it will go right past the AV.

There is no doubt it's a Trojan; a legitimate application does not have UPX headers
scrambled like this. Some do, but that is a very rare exception...

I hope this has been helpful,
M45T3R S4D0W8

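A defender-side triage script for the situation Tron and M45T3R S4D0W8 describe (`upx -l` lists the file, `upx -d` fails with "checksum error", and the header has apparently been tampered with). This is an added example, not code from either poster or from the UPX project. It reads the PE section table for UPX-named sections, locates UPX's 32-byte pack header by its `UPX!` magic, and recomputes the header's own checksum byte (the sum of the bytes between the magic and the checksum, modulo 251, which is how UPX's PackHeader validates itself). Two points it makes visible: `upx -l` only needs this small header to parse, while decompression also compares the Adler-32 of the unpacked data with the `u_adler` field, so a tool that alters that field (or the compressed data) and re-signs the header byte leaves the listing working and only the unpack failing; and the header checksum alone therefore cannot prove the file is honest, only an actual decompression can. The sample PE, its section names and the Adler values are constructed; the sizes are the ones from the `upx -l` listing above; the 32-byte header layout (version, format, method, level, then five 32-bit little-endian fields, three filter bytes, checksum) and the helper names `build_sample_pe`, `build_pack_header` and `triage_upx` are assumptions of this example.

```python
import struct

UPX_MAGIC = b"UPX!"
PACK_HEADER_SIZE = 32  # assumed layout of UPX's pack header for win32/pe files


def upx_header_checksum(hdr: bytes) -> int:
    """Checksum byte UPX stores last in its pack header: the sum of every
    byte after the magic and before the checksum itself, modulo 251."""
    return sum(hdr[4:PACK_HEADER_SIZE - 1]) % 251


def parse_pack_header(hdr: bytes) -> dict:
    """Decode one 32-byte pack header and verify its checksum byte."""
    if len(hdr) < PACK_HEADER_SIZE or hdr[:4] != UPX_MAGIC:
        raise ValueError("not a UPX pack header")
    version, fmt, method, level = hdr[4:8]
    u_adler, c_adler, u_len, c_len, u_file_size = struct.unpack_from("<5I", hdr, 8)
    stored = hdr[PACK_HEADER_SIZE - 1]
    return {
        "version": version, "format": fmt, "method": method, "level": level,
        "u_adler": u_adler, "c_adler": c_adler,
        "u_len": u_len, "c_len": c_len, "u_file_size": u_file_size,
        "checksum_ok": stored == upx_header_checksum(hdr),
    }


def pe_section_names(data: bytes) -> list:
    """Section names from the PE section table (empty list if not a PE image)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]   # 40-byte section header, 8-byte name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage_upx(data: bytes) -> dict:
    """Report UPX indicators: UPX-named sections and the state of the pack header."""
    names = pe_section_names(data)
    pos = data.find(UPX_MAGIC)
    header = None
    if pos >= 0 and len(data) - pos >= PACK_HEADER_SIZE:
        header = parse_pack_header(data[pos:pos + PACK_HEADER_SIZE])
    if header is None:
        upx_named = any(n.startswith("UPX") for n in names)
        verdict = "UPX sections but no pack header" if upx_named else "no UPX indicators"
    elif header["checksum_ok"]:
        verdict = "pack header intact"          # -l would list it; data may still be altered
    else:
        verdict = "pack header checksum mismatch"
    return {"sections": names, "header": header, "verdict": verdict}


def build_pack_header(u_adler, c_adler, u_len, c_len, u_file_size) -> bytes:
    """Constructed pack header with a valid checksum byte; version/format/method/level are placeholders."""
    body = (UPX_MAGIC + bytes([13, 9, 2, 8])
            + struct.pack("<5I", u_adler, c_adler, u_len, c_len, u_file_size)
            + bytes([0, 0, 0]))                 # filter, filter_cto, n_mru
    return body + bytes([upx_header_checksum(body + b"\0")])


def build_sample_pe(section_names, trailer: bytes) -> bytes:
    """Minimal constructed PE image: DOS stub, COFF header, zeroed optional header, section table, trailer."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return dos + coff + opt + table + trailer


def demo():
    """Intact header, header with an altered u_adler, and the same alteration re-signed."""
    hdr = build_pack_header(0x11223344, 0x55667788, 152064, 61952, 152064)  # constructed Adler values
    sample = build_sample_pe(["UPX0", "UPX1", ".rsrc"], hdr)
    pos = sample.find(UPX_MAGIC)
    tampered = bytearray(sample)
    tampered[pos + 8] ^= 0x01                   # flip a bit of u_adler, checksum byte untouched
    resigned = bytearray(tampered)
    resigned[pos + 31] = upx_header_checksum(bytes(resigned[pos:pos + 32]))
    return triage_upx(sample), triage_upx(bytes(tampered)), triage_upx(bytes(resigned))


if __name__ == "__main__":
    for r in demo():
        print(r["verdict"], r["sections"])
```

Run it as-is to see the three verdicts; point `triage_upx` at the bytes of a captured sample to get the same report. A "pack header intact" result on a file that still fails `upx -d` is exactly the re-signed case, which is why the verdict only says the header is consistent, not that the file is clean.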
