[Vol-users] Need to pick a malware for a demo

Dewhirst, Rob robdewhirst at gmail.com
Fri May 4 13:03:54 CDT 2012


I do not have a copy but I have not looked.

On Fri, May 4, 2012 at 12:29 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> Hi Rob,
>
> I spent the day yesterday testing several new samples I'd gotten from the
> internet last week. They were either VM aware or not functioning properly.
> Blew the whole day.
>
> I ended up looking at previous tests I'd done. I tried a Spyeye I picked up
> in January. It was named us1.exe. It is the Spyeye that names itself
> c:\usxxxxxxxx\usxxxxxxxx.exe. It illustrates the crossview I wanted, can't
> see it in a Volatile data collection, but can with Volatility's pslist. And,
> it infects a VM nicely.
>
> Do you have a copy?
>
> Mike
>
>> Date: Thu, 3 May 2012 20:39:13 -0500
>> Subject: Re: [Vol-users] Need to pick a malware for a demo
>> From: robdewhirst at gmail.com
>> To: vol-users at volatilityfoundation.org
>>
>> I just seem to recall hacker defender being touchy about where its
>> config file was located and the name of it. Claimed to support options
>> that didn't work. HTH.
>>
>> I'd like to know what you end up using because I am preparing a
>> workshop in a month or so and need a couple more ideas.
>>
>> On Thu, May 3, 2012 at 5:09 PM, Mike Lambert <dragonforen at hotmail.com>
>> wrote:
>> > Hi Rob,
>> >
>> > Thanks for the suggestion. As I recall that would fit the profile when
>> > combined with another tool. And I think it will run in a VM.
>> >
>> > In the past a friend of mine used Hacker Defender and Optiplex as an
>> > example in a presentation.  I'd like to pick something else if possible
>> > (would rather not duplicate and look lame).
>> >
>> > What would be really cool is something current that runs in a VM and is
>> > a good pslist crossview demo.  If I can't find something current, I'll
>> > fall back to HD. Good thought!
>> >
>> > Thanks much for the suggestion.  If you have any other thoughts I
>> > appreciate them.
>> >
>> > Mike
>> >
>> >> Date: Thu, 3 May 2012 09:57:16 -0500
>> >> Subject: Re: [Vol-users] Need to pick a malware for a demo
>> >> From: robdewhirst at gmail.com
>> >> To: vol-users at volatilityfoundation.org
>> >>
>> >> Check out the Hacker Defender rootkit. I am pretty sure I demoed
>> >> exactly what you are wanting to do (including using Volatility to
>> >> reveal the rootkit) about a year ago and this malware was a good
>> >> example and easy to use. I don't know for sure that it hides from
>> >> PsList but it hides from the built-in windows tools.
>> >>
>> >> Email me if you can't find a copy.
>> >>
>> >> On Wed, May 2, 2012 at 11:32 PM, Mike Lambert <dragonforen at hotmail.com>
>> >> wrote:
>> >> > I've got a memory forensics presentation coming up next week and I'd
>> >> > like to use a sample that will illustrate a crossview example.
>> >> >
>> >> > Specifically, I'd like to use an example that hides from pslist on
>> >> > the running system (don't want a DKOM example) but we can find it
>> >> > using Volatility. I'd like it to be something running and not a
>> >> > process injection sample.
>> >> >
>> >> > Does someone have a suggestion which one may provide a good
>> >> > illustration?
>> >> >
>> >> > Thanks,
>> >> > Mike
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > Vol-users mailing list
>> >> > Vol-users at volatilityfoundation.org
>> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >> >

