[Vol-users] Need to pick a malware for a demo

Fosforo fosforo at gmail.com
Thu May 3 22:05:51 CDT 2012


try TDL

--
[]s Fosforo
-------------------------------------------------------------
"Only the wisest and stupidest of men never change."
-Confusio
-------------------------------------------------------------


On Thu, May 3, 2012 at 10:39 PM, Dewhirst, Rob <robdewhirst at gmail.com> wrote:
> I just seem to recall hacker defender being touchy about where its
> config file was located and the name of it. Claimed to support options
> that didn't work.  HTH.
>
> I'd like to know what you end up using because I am preparing a
> workshop in a month or so and need a couple more ideas.
>
> On Thu, May 3, 2012 at 5:09 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
>> Hi Rob,
>>
>> Thanks for the suggestion. As I recall that would fit the profile when
>> combined with another tool. And I think it will run in a VM.
>>
>> In the past a friend of mine used Hacker Defender and Optiplex as an example
>> in a presentation.  I'd like to pick something else if possible (would
>> rather not duplicate and look lame).
>>
>> What would be really cool is something current that runs in a VM and is a
>> good pslist crossview demo.  If I can't find something current, I'll fall
>> back to HD. Good thought!
>>
>> Thanks much for the suggestion.  If you have any other thoughts I appreciate
>> them.
>>
>> Mike
>>
>>> Date: Thu, 3 May 2012 09:57:16 -0500
>>> Subject: Re: [Vol-users] Need to pick a malware for a demo
>>> From: robdewhirst at gmail.com
>>> To: vol-users at volatilityfoundation.org
>>>
>>> Check out the Hacker Defender rootkit. I am pretty sure I demoed
>>> exactly what you are wanting to do (including using Volatility to
>>> reveal the rootkit) about a year ago and this malware was a good
>>> example and easy to use. I don't know for sure that it hides from
>>> PsList but it hides from the built-in windows tools.
>>>
>>> Email me if you can't find a copy.
>>>
>>> On Wed, May 2, 2012 at 11:32 PM, Mike Lambert <dragonforen at hotmail.com>
>>> wrote:
>>> > I've got a memory forensics presentation coming up next week and I'd
>>> > like to use a sample that will illustrate a crossview example.
>>> >
>>> > Specifically, I'd like to use an example that hides from pslist on the
>>> > running system (don't want a DKOM example) but we can find it using
>>> > Volatility.
>>> > I'd like it to be something running and not a process injection sample.
>>> >
>>> > Does someone have a suggestion which one may provide a good
>>> > illustration?
>>> >
>>> > Thanks,
>>> > Mike
>>> >
>>> >
>>> > _______________________________________________
>>> > Vol-users mailing list
>>> > Vol-users at volatilityfoundation.org
>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>> >
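The pslist-versus-psscan cross-view Mike is asking to demonstrate, as an added example that is not part of this thread or of Volatility itself: it parses output in the column layout of Volatility 2's pslist (linked-list walk) and psscan (pool scan) plugins and reports processes the scanner finds that the list walk does not, skipping rows that carry an exit time, since psscan also recovers terminated processes and those are not evidence of hiding. All sample rows, including the process name hidden_svc.exe, are constructed.

```python
import re
from typing import Dict, Tuple
# Timestamp format Volatility 2 prints, e.g. "2012-05-03 17:08:53 UTC+0000".
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")
# Constructed sample output (not from a real image) in the column layout of
# Volatility 2's pslist (walks the EPROCESS ActiveProcessLinks list) and
# psscan (scans physical memory for EPROCESS pool allocations).
PSLIST_SAMPLE = """
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x820df020 smss.exe                368      4      3       19 ------      0 2012-05-03 17:08:53 UTC+0000
0x821a2da0 explorer.exe           1464   1432     17      415      0      0 2012-05-03 17:09:12 UTC+0000
"""
PSSCAN_SAMPLE = """
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00039000
0x00000000020df020 smss.exe            368      4 0x0a0c0020 2012-05-03 17:08:53 UTC+0000
0x00000000021a2da0 explorer.exe       1464   1432 0x0a0c0100 2012-05-03 17:09:12 UTC+0000
0x0000000002215b40 notepad.exe        1788   1464 0x0a0c0200 2012-05-03 17:10:40 UTC+0000   2012-05-03 17:11:02 UTC+0000
0x0000000002310a08 hidden_svc.exe     1812    368 0x0a0c0260 2012-05-03 17:12:05 UTC+0000
"""

def parse_process_table(text: str) -> Dict[Tuple[int, str], dict]:
    """Map (pid, lowercase name) -> info. Both plugins print offset, name, PID,
    PPID first and timestamps last; assumes image names contain no spaces."""
    procs = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith(("Offset", "---")):
            continue  # header and separator rows
        fields = line.split()
        name, pid = fields[1], int(fields[2])
        # A second timestamp on the row is the exit time: process terminated.
        exited = len(TIMESTAMP.findall(line)) >= 2
        procs[(pid, name.lower())] = {"offset": fields[0], "name": name,
                                      "pid": pid, "exited": exited}
    return procs

def crossview(pslist_out: str, psscan_out: str) -> list:
    """Processes psscan found but pslist did not, excluding terminated ones:
    psscan also recovers exited processes, which are expected, not hidden."""
    listed = parse_process_table(pslist_out)
    scanned = parse_process_table(psscan_out)
    hidden = [p for key, p in scanned.items()
              if key not in listed and not p["exited"]]
    return sorted(hidden, key=lambda p: p["pid"])
if __name__ == "__main__":
    for p in crossview(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print(f"hidden from pslist: {p['name']} PID {p['pid']} at {p['offset']}")
```

A DKOM-style unlink shows up exactly this way (present in psscan, absent from pslist, no exit time); a process that merely hooks the live system's enumeration APIs is visible to both plugins, so it needs a different cross-view to expose.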