hey Mosh, I hope this might kick-start you off: http://questions.securitytube.net/questions/18/how-do-i-get-started-with-malware-analysis
there are lots of tools, from disassembling and debugging to live dumping of memory/sections for analysis, but it will be good if you run it under a controlled environment

----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Sunday, January 30, 2011 5:30 PM
Subject: Pauldotcom Digest, Vol 28, Issue 25

> Send Pauldotcom mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Pauldotcom digest..."
>
> Thank you for subscribing to the PaulDotCom Mailing list digest. Please
> visit our site, http://pauldotcom.com, for more hacking entertainment.
>
> Today's Topics:
>
> 1. Re: Question for the Consultants (scott burkhart)
> 2. Malware reverse engineering (Mosh)
> 3. HackIM 2011 - Pre-nullcon Hacker Challenge (Prashant Mahajan)
> 4. user permissions needed to run handle.exe (craig bowser)
> 5. Re: Any experience with Aristotle software (Robert Portvliet)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 28 Jan 2011 14:40:15 -0600
> From: scott burkhart <[email protected]>
> Subject: Re: [Pauldotcom] Question for the Consultants
> To: PaulDotCom Security Weekly Mailing List <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thank you everyone for the feedback, it has been very helpful. I think the
> biggest drawback for me would probably be the travel, I don't know if I
> could give up seeing my kids on a daily basis - maybe when they get to be a
> bit older things will change.
>
> On Wed, Jan 26, 2011 at 5:33 PM, Mike Patterson <[email protected]> wrote:
>
>> If you think you'll avoid office politics working for a consultant, I
>> think you're wrong twice. First, you mentioned it's a firm - there'll
>> be politics there, just a different kind than you're used to. You'll
>> also get pulled into it at your clients' offices, even if you're not
>> fully aware of it. I think it's a pretty rare company that hires
>> consultants and everybody there takes everything the consultant says at
>> face value.
>>
>> Another con for conslutting might be, if you're passionate anyway, that
>> they'll reject your advice out of hand. That stings badly enough, but
>> if they're annoyed enough you might get to be on the receiving end of a
>> rant to boot.
>>
>> I'm sure there's more, but that's just what I thought of.
>>
>> What about things like health care? Everything more or less the same
>> there?
>>
>> Mike
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>
> ------------------------------
>
> Message: 2
> Date: Fri, 28 Jan 2011 15:34:11 -0500
> From: Mosh <[email protected]>
> Subject: [Pauldotcom] Malware reverse engineering
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi There
>
> I really want to learn to do reverse engineering for malware, but I don't
> have money to do a course :-(, so maybe you can help me with this, I
> appreciate all your comments:
>
> I have two questions:
>
> What should be the process for a detailed analysis of malware function?
> Do you know about some tools?
>
> Thank you so much and sorry for the bad English
>
> Mosh
>
> ------------------------------
>
> Message: 3
> Date: Sat, 29 Jan 2011 15:49:11 +0530
> From: Prashant Mahajan <[email protected]>
> Subject: [Pauldotcom] HackIM 2011 - Pre-nullcon Hacker Challenge
> To: PaulDotCom Security Weekly Mailing List <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Anybody playing this?
>
> ---------- Forwarded message ----------
> From: corrupt <[email protected]>
> Date: Fri, Jan 28, 2011 at 5:11 PM
> Subject: [HackingChallenge] HackIM 2011
> To: [email protected]
>
> n00bs & haXors,
> We are proud to present (..drum roll starts ...)
> The second edition of our very own, very popular ( ..increasing drum roll tempo.. )
> HackIM 2011 - The Pre-nullcon Hacker Challenge .. tadda!
>
> After the remarkable success of last year's challenge ( well we consider
> frustrating 1000+ n00bs and keeping dozens of haXors sleepless for weeks as
> success :) )
>
> Link: http://nullcon.net/challenge/
>
> Here's your chance to win a free pass with two days' stay for nullcon Goa
> 2011. All you have to do is run over a few trivial puzzles and challenges and
> the golden ticket is yours. In case you have already bought the ticket, don't
> worry, we'll reimburse your ticket if you win.
>
> Theme:
> If you have spent any time with puzzles like notpron or klueless, or other
> hacking challenges, this one should lie somewhere in between. ( We thought
> if you're gonna pull your hair out solving the puzzle, it's only fair that you
> learn something while doing so.)
>
> This time, the first few levels are puzzle/quiz based and the later ones are
> based on realistic scenarios.
>
> Rules:
> Ok, here you should pay more attention:
> 1. Players will need to create an account in order to participate in the
> challenge.
> http://www.nullcon.net/challenge/register.php
>
> 2. Each level gives you sets of clues to reach the next level. Following
> these clues you should figure your way to the next level. Once you have
> reached the final level you'll know how to claim the booty.
>
> 3. The unofficial back channel for the challenge is irc.chat4all.org #nullcon
> & #n|u. Hints will also be provided for each level through twitter or the null
> mailing list. More details will be available shortly.
>
> 4. This challenge does NOT give participants any legal permission to
> exploit http://nullcon.net or its hosting partner in a destructive manner.
> Any attack against the site or the hosted servers will be observed under the
> general legal framework.
>
> 5. Running automation tools (Scanner/Enumerators/Password Crackers, etc.) is
> not allowed and won't help you complete the challenge in any way.
>
> 6. The scoreboard for the challenge is available on
> http://www.nullcon.net/challenge/scoreboard.php
>
> Tools:
> 1. Being armed with your favorite hacking and debugging tools is advisable. (It
> will be a good idea to take the new Matriux or BT4 for a ride.)
>
> Good Luck and Have fun :)
>
> --
> Cheers,
> corrupt
>
> --
> Regards,
> Prashant
>
> Pain is the price you pay for resisting life.
>
> ------------------------------
>
> Message: 4
> Date: Fri, 28 Jan 2011 17:37:27 -0500
> From: craig bowser <[email protected]>
> Subject: [Pauldotcom] user permissions needed to run handle.exe
> To: PaulDotCom Security Weekly Mailing List <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Does anyone know what user perms are needed to run the Sysinternals tool
> handle.exe? The same permissions also allow you to view handles in
> procexp.exe and nirsoft's openedfilesview.exe
>
> While I am using a domain admin, I still get "Error loading driver: access
> denied". Googling that error turns up numerous forums saying that I must
> have the 'Debug Programs' permission. But even after I add myself (both
> explicitly and by administrators group), I still get the error.
>
> Any ideas?
>
> Basically I'm trying to find out what process/user has a certain file locked,
> preventing SCCM from installing patches.
>
> Thanks.
>
> Craig L Bowser
> ____________________________
>
> This email is measured by size. Bits and bytes may have settled during
> transport.
>
> ------------------------------
>
> Message: 5
> Date: Fri, 28 Jan 2011 13:24:30 -0500
> From: Robert Portvliet <[email protected]>
> Subject: Re: [Pauldotcom] Any experience with Aristotle software
> To: PaulDotCom Security Weekly Mailing List <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> Funny you mention Aristotle, I was just having a conversation about this the
> other day... I did some work with it back when I worked for a school
> district. To be honest I only monitored it, I didn't do the implementation,
> but it seemed to be fairly comprehensive.
>
> As you said, it monitors the machines it is installed on and is
> controlled\viewed through a central web interface in an IDS-like manner
> where it shows events of interest as alerts. It basically monitors for any
> keywords being present (re: dirty words) so it will catch them in any
> application where they may be displayed. It also shows the applications
> being used, can alert on a banned application, shows the time spent doing
> certain things such as web surfing and will alert when a threshold is
> reached (such as excessive web surfing). It has key-logging capabilities as
> well and the servers themselves are Linux based appliances iirc. That's
> about all I can think of...
>
> We used Aristotle and a WebSense Proxy to monitor/control the environment
> and it seemed to be pretty effective overall. If you have specific questions
> ping me off list and I'll see what I can do to answer them. Like I said, I
> only monitored it, but I'll help where I can.
>
> On Thu, Jan 27, 2011 at 11:08 AM, Gibson, Samuel <[email protected]> wrote:
>
>> Hello List,
>>
>> I was wondering if anyone had any exposure to Aristotle Reporting and
>> Surveillance software. http://www.provecompliance.com/index.html
>> Essentially, it can monitor desktops with regards to what a user does at a
>> given time, application usage, IM communications, and optional key logging
>> when SSL connections are made.
>>
>> I was wondering if anyone had any opinions about this software or similar
>> alternatives.
>>
>> Thanks,
>> Sam
>
> ------------------------------
>
> End of Pauldotcom Digest, Vol 28, Issue 25
> ******************************************
