[Vol-users] Need to pick a malware for a demo

Dewhirst, Rob robdewhirst at gmail.com
Thu May 3 20:39:13 CDT 2012


I just seem to recall hacker defender being touchy about where its
config file was located and the name of it. Claimed to support options
that didn't work. HTH.

I'd like to know what you end up using because I am preparing a
workshop in a month or so and need a couple more ideas.

On Thu, May 3, 2012 at 5:09 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> Hi Rob,
>
> Thanks for the suggestion. As I recall that would fit the profile when
> combined with another tool. And I think it will run in a VM.
>
> In the past a friend of mine used Hacker Defender and Optiplex as an example
> in a presentation.  I'd like to pick something else if possible (would
> rather not duplicate and look lame).
>
> What would be really cool is something current that runs in a VM and is a
> good pslist crossview demo.  If I can't find something current, I'll fall
> back to HD. Good thought!
>
> Thanks much for the suggestion.  If you have any other thoughts I appreciate
> them.
>
> Mike
>
>> Date: Thu, 3 May 2012 09:57:16 -0500
>> Subject: Re: [Vol-users] Need to pick a malware for a demo
>> From: robdewhirst at gmail.com
>> To: vol-users at volatilityfoundation.org
>>
>> Check out the Hacker Defender rootkit. I am pretty sure I demoed
>> exactly what you are wanting to do (including using Volatility to
>> reveal the rootkit) about a year ago and this malware was a good
>> example and easy to use. I don't know for sure that it hides from
>> PsList but it hides from the built-in Windows tools.
>>
>> Email me if you can't find a copy.
>>
>> On Wed, May 2, 2012 at 11:32 PM, Mike Lambert <dragonforen at hotmail.com>
>> wrote:
>> > I've got a memory forensics presentation coming up next week and I'd
>> > like to
>> > use a sample that will illustrate a crossview example.
>> >
>> > Specifically, I'd like to use an example that hides from pslist on the
>> > running system (don't want a DKOM example) but we can find it using
>> > Volatility.
>> > I'd like it to be something running and not a process injection sample.
>> >
>> > Does someone have a suggestion which one may provide a good
>> > illustration?
>> >
>> > Thanks,
>> > Mike
>> >
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users at volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
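As an added illustration of the pslist cross-view demo the thread is after (this is not code from the thread or from the Volatility project): a small Python script that diffs a live-system process listing against Volatility 2 style pslist and psscan output. The three listings are constructed samples approximating those tools' column layouts, and the process names and PIDs in them are made up.

```python
# Constructed sample: process list as reported by a tool run on the live system
LIVE_PSLIST = """\
Name                Pid Pri Thd  Hnd
System                4   8  53  240
smss.exe            368  11   3   19
explorer.exe       1464   8  12  396
"""

# Constructed sample laid out like Volatility 2 'pslist' (walks the linked list)
VOL_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64
---------- -------------------- ------ ------ ------ -------- ------ ------
0x823c89c8 System                    4      0     53      240 ------      0
0x81f9a020 smss.exe                368      4      3       19 ------      0
0x81d5e6a0 explorer.exe           1464   1440     12      396      0      0
0x81e0f8b0 hidden_svc.exe         1836   1464      1       28      0      0
"""
# Constructed sample laid out like Volatility 2 'psscan' (pool-tag scan)
VOL_PSSCAN = """\
Offset(P)          Name                PID   PPID PDB
------------------ ---------------- ------ ------ ----------
0x0000000002029ab8 System                4      0 0x00319000
0x0000000002233020 smss.exe            368      4 0x0a1c02c0
0x00000000023dd6a0 explorer.exe       1464   1440 0x0a1c0300
0x00000000024168b0 hidden_svc.exe     1836   1464 0x0a1c0340
0x00000000025a1020 cmd.exe            2204   1464 0x0a1c0380
"""

def parse_listing(text):
    """Return {pid: name} from a whitespace-aligned listing whose header has
    'Name' and 'PID' columns (matched case-insensitively); skips '----' rows."""
    rows = [ln for ln in text.splitlines() if ln.strip()]
    cols = [h.lower() for h in rows[0].split()]
    name_idx, pid_idx = cols.index("name"), cols.index("pid")
    procs = {}
    for ln in rows[1:]:
        if set(ln.strip()) <= set("- "):   # separator row under the header
            continue
        tok = ln.split()
        procs[int(tok[pid_idx])] = tok[name_idx]
    return procs

def cross_view(live, vol_pslist, vol_psscan):
    """'hidden_from_live': in the image's linked list but not shown on the box
    (the rootkit case); 'unlinked_or_exited': pool scan only (DKOM or exited)."""
    return {
        "hidden_from_live": {p: n for p, n in vol_pslist.items() if p not in live},
        "unlinked_or_exited": {p: n for p, n in vol_psscan.items() if p not in vol_pslist},
    }
```

Run `cross_view(*[parse_listing(t) for t in (LIVE_PSLIST, VOL_PSLIST, VOL_PSSCAN)])` to get both discrepancy sets; a process that the live tool omits but the image's list still holds is the non-DKOM hiding the thread wants to demonstrate.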

