Domain: netlux.org
Stories and comments across the archive that link to netlux.org.
Comments · 31
-
Is there a place to download malware?
I used to use http://vx.netlux.org/ It was a malware repository, everything that had been released and updated regularly.
It was a serious board for everything malware and filled a niche. The board's country made any site that carried malware (short term) illegal.
They fought for a while and now you can see it's gone. I always deleted the malware I downloaded, those I wish I'd have kept now.
Is there a place to download malware to check one's malware prevention/detection?
And not the EICAR test file. Thanks
-
Re:Microsoft Security Essentials...
...is all I use these days.
Of course since Windows is "out of favor" here, one does not necessarily mention that Microsoft's "Security Essentials" is easily as good as most commercial Windows anti-malware packages, and much more "light weight". And free.
Never used Microsoft's "Security Essentials" only because of back door issues. While I know of none,
I just don't trust MS and some programs I run MS would strongly object to (like linux :) For the record I use ESET aka NOD32.
NOD32 is set to alert me to a problem so I can decide what to do about it, not the program. Default
is to not only quarantine it, but encrypt it as well. At least NOD32 lets me have the option to change that;
many programs don't feel the user has the ability to know a good file from a bad one. I used to test my malware programs at http://vx.netlux.org/index.html
NOD32 has always done about 80% which is very good and better than any other I've tested.
- My tests were if it downloaded and, if it did, could it be unzipped (uncompressed). -
Re:NO HELP IS ON THE WAY, NONE!
Yawn, ignoring the obvious, it's this part that is of real concern and what you're missing:
"The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use
chkrootkit (but you can use strings and other tools for analysis) and show the strings of
binaries on your installation, but the results are dependent on your capability of deciphering
the output and performing further analysis with various tools or in an environment such as Remnux Linux.
None of these free scanners scan the earlier mentioned areas of your PC, either!
Nor do they detect many of the hundreds of trojans and rootkits easily available on popular
websites and the dark/deep web." The loss of this site: http://vx.netlux.org/ was a loss to everybody.
A place one could download the latest malware to see what it would do; now we have
malware businesses who might now mention a malware's name but little else.
Very very few people can find much of malware in use now. Rootkits? I'm sure many are running them now; unless one can have access to sites
like http://vx.netlux.org/ to have even a little chance of finding out or even knowing. (my pet peeve)
Here, ever play Angry Birds? Read their Privacy policy
http://www.rovio.com/Privacy
and think of how long you've been playing it. -
Re:Hand in glove
I uninstalled the Avast trial a couple months ago with extreme prejudice
No prejudice here, Avast just wouldn't work with me. I installed Avast recently and went to test it
at http://vx.netlux.org/ (Be aware this is a malware collection site).
I was blocked from the entire site, so just uninstalled it. I like to test a malware checker
but being blocked from doing so (and for good reason if I was my Mom) I couldn't really
rate it (for myself).
Went back to my fav which has around an 80% detection rate (5 downloads one got by)
which is good.
So I'm neutral on Avast but hear many good things about it. -
Re:Not News
There is also lots of free information on metamorphism and polymorphism. There are articles on polymorphism that date back to 1992. The basic techniques are relatively easy to implement; however, I guess in most cases using polymorphism has just not been necessary for malware writers until now.
-
VirtualBox and a virus creation tool
Well, for starters, I'd install virtualbox and do all the work on a fresh install of windows running on it. Then you can take your pick of virus. I guess a very small non-destructive old one would be best, especially if the source code is available (though that might be overkill if you just want them to get an idea of how viruses work..)
I was thinking of the 'stoned' virus.. then I remembered there was an app back in the day, for DOS, that would let you create your own virus.. you'd select some options like stealth capabilities, file or disk deletion, printing a message, etc. Then the program would generate a virus, both in compiled .com and asm source code.
It was called NuKE, but I'm sure there's more like that one. Here's a link from google (I couldn't verify it since my work's proxy is blocking the site):
This is a very old app, so I'm not sure it'll work on winXP or newer OSs but it might be worth a try.
Good luck!
-
Re:Not really new
These problems have been known for a while
And then some. Try 1992;
The Virus Writer's Handbook: The Complete Guide
(c) 1992 Terminator Z (AKA Harry McBungus)
http://vx.netlux.org/lib/static/vdat/tumisc09.htm[...]
5.22 Disinfecting on-the-fly
This should not be attempted by the light-hearted. It requires a major
overhaul of the viral structure. Because of this major overhaul, I will
not include the exact code on how to do it - you'll have to work that
out for yourself. However, I'll give you some pretty explicit details
on how the thing should operate. Note that this is only one way of doing it; no doubt there are several
other ways of doing it, but all must follow this general pattern.
i21h handler: open?
jne i21_2
set up base (jmp, not call)
i21_2: extended open?
jne i21_3
push dx
mov dx, si
set up base ; note! you must tailor your stealth for
; this call, since DX will be on stack!
i21_3: close?
jne i21_4
close base & reinfect
i21_4: [...]
These are the fundamentals of the stealth capability - when to disinfect.
On all calls to open the file, add the name & handle to a "database" in
free memory after the end of your virus. When it comes to close-time,
simply scan your database for the handle and re-infect its corresponding
file, and erase that entry from the database. How simple can it get?
(See? It's a lot easier in theory than most people imagine!) The problem enters here: how the fuck do I write a database in ASM?
Easy. First of all, you must figure out the format which the database
will be in. I worked one out like this:[...]
-
Re:Why bother.
http://vx.netlux.org/ Much the same only much freer.
-
Re:Interesting, but rather expensive.
Download asm files? What a pain in the ass. Just use VCL.
-
Re:Compile from source yourself!
Anybody who thinks that compiling from source provides security should read Ken Thompson's Turing Award talk titled Reflections on Trusting Trust.
-
My weekend project!
I think it's about time I put to use what I've learned over at http://vx.netlux.org/lib/vxx03.html
But first I should also have the anti-virus software ready to sell to all infected Apple PC customers. Isn't this how Windows PC antivirus companies started? -
Re:nothing special
Or the venerable Virus Creation Laboratory, ala '92.
-
Only 10 years? How about 1992?
http://vx.netlux.org/vx.php?id=tv03
I still remember the password was chiba city. -
Earlier not-in-wild viruses
To quote: http://vx.netlux.org/lib/aes03.html
Dr. Cohen defined the term to mean a security problem that attaches itself to other code and turns it into something that produces viruses; to quote from his paper: "We define a computer `virus' as a program that can infect other programs by modifying them to include a possibly evolved copy of itself." He claimed the first computer virus was "born" on November 3, 1983, written by himself for a security seminar course. (That the Internet Worm was unleashed on the eve of the 5th anniversary of this event was coincidence of a most amazing sort.) Actual computer viruses were being written by individuals before Cohen, although not named such, as early as 1980 on Apple II computers.[9] The first few viruses were not circulated outside of a small population, with the notable exception of the "Elk Cloner" virus for Apple II computers, released in 1981.
-
Re:in certain cases, this would be appropriate
http://en.wikipedia.org/wiki/Computer_virus does have a link to http://vx.netlux.org/
-
Re:I disagree
Actually, it's bullshit^2. Cabir was a proof of concept by 29a and was released in the wild without their consent.
But what could you expect of zdnet? Professional writing?
-
http://vx.netlux.org/src.php?info=clt.zip
-
Viruses have always talked to you
Anyone remember "give me a cookie?"
-
Re:Kuang grade...
"What is this thing?" he asked the Hosaka. "Parcel for me."
"Data transfer from Bockris Systems GmbH, Frankfurt, advises, under coded transmission, that content of shipment is Kuang Grade Mark Eleven penetration program. Bockris further advises that interface with Ono-Sendai Cyberspace 7 is entirely compatible and yields optimal penetration capabilities, particularly with regard to existing military systems..."
"How about an AI?"
"Existing military systems and artificial intelligences."
"Jesus Christ. What did you call it?"
"Kuang Grade Mark Eleven."
"It's Chinese?"
"Yes."
...
"Dixie," he said, jacking in, "what do you know about Chinese virus programs?"
"Not a whole hell of a lot."
"Ever hear of a grading system like Kuang, Mark Eleven?"
"No."
Case sighed. "Well, I got a user-friendly Chinese icebreaker here, a one shot cassette. Some people in Frankfurt say it'll cut an AI."
"Possible. Sure. If it's military."
...
"I checked ol' Kuang Eleven out again for you, boy. It's real friendly, long as you're on the trigger end, jus' polite an' helpful as can be. Speaks good English, too. You ever hear of slow virus before?"
"No."
"I did, once. Just an idea, back then. But that's what ol' Kuang's all about. This ain't bore and inject, it's more like we interface with the ice so slow, the ice doesn't feel it. The face of the Kuang logics kinda sleazes up to the target and mutates, so it gets to be exactly like the ice fabric. Then we lock on and the main programs cut in, start talking circles 'round the logics in the ice. We go Siamese twin on 'em before they even get restless."
William Gibson, Neuromancer
The entire text of the book
"Speaks good English, too"
Great line. -
about Benny
-
Five Years late is better than never...?
I note that the ITSEC government security evaluation rules specifically cover the speed of updating of an AV product. The standard is termed F-AVIR, and this comment refers:
http://vx.netlux.org/lib/asg09.html
If you have trouble finding it - I enclose a short extract:
"By attempting to measure a product's performance against the threat by scanning a comprehensive large collection of all viruses, testing extensively against those viruses which are known to be "In the Wild" according to designated reporting authorities, and measuring product abilities against a range of different attack strategies, the ITSEC scheme is focusing on the current and future "In the Wild" threat. By evaluating the product's ability to defend against the different techniques used by viruses, they hope to provide a measure of a developer's ability to track a rapidly changing threat. The CLEF would maintain close contact with the developer of the product currently under evaluation, with developers being required to demonstrate that not only are they up to date with the current threat, but that they have in place sufficient procedures to monitor the threat as a function of time and update the software to meet this threat. This would be documented through the use of the Certificate Maintenance Scheme, which includes extensive paperwork on the part of the developer to document their resources and plans in various areas including intelligence activities related to monitoring the threat, threat analysis and countermeasures. This "vendor evaluation" is something that almost no other evaluations of anti-virus software includes, and is one of the biggest benefits of the proposed ITSEC approach. It is also one of the areas which appears to meet with the most resistance within the USA."
If this does not get modded 'insightful' I don't know what will!! -
Re:Goodbye Phrack
From the manifesto:
We code viruses for the fun of it, because it's our hobby, not because we want to harm other people or to get ourselves into trouble.
We code viruses to invent new techniques, improve on existing techniques and to learn more about the various OSes. We know there are hundreds of other ways to do this, probably better ways, yet this is what we like. This is, as we said before, our hobby, or at least one of them.
Our goal is to create new, unique, interesting viruses and virus utilities and to release 29A magazine on a regular and more frequent basis. Releasing the magazine frequently has been a problem for us, however, we are getting better but it is still something for us to work at.
/rolls eyes -
Goodbye Phrack
The editorial staff is stepping down, and no one has expressed an interest in taking up the reins.
Each year the articles get goofier. However, I don't think that was really a bad thing, just not a very good source of technical information.
Luckily there is still the 29A zine. Always a great read but it won't show you how to get free soda. -
Re:Sheesh!
-
Re:How about eVoting?
Why would doing an md5sum on the source be any safer than on the binary produced? Have you checked the compiler and the OS?
Check out Ken Thompson's 'Reflections on Trusting Trust' on how you can introduce undiscoverable bugs even if other people have the source -
PHP viruses
"Second part to hell" wrote the "PHP Virus Writing Guide."
If you're interested in that stuff, I guess it might be worth checking out.
-
Re:Create a worm that patches the vulnerability?
Sorry, I jumped the gun there - didn't mean to insult ya.
The 'original' virus that cleaned up another one was the DenZuk virus, which cleaned up Brain. This is like late 80's stuff. DenZuk started corrupting floppies when the new high density ones came out.
It's occurred on occasion since, and the idea comes up pretty often over in alt.comp.virus. Two papers of interest are Bontchev's (originally from the U. of Hamburg, working for F-Prot last I checked), and for the pro- view (written by a virus writer) MidNyte's paper.
-
Re:No Duty to Retreat...
Pii said:
There is a concept in law called "No Duty to Retreat," and I see no reason why it cannot be applied in much the same way to cases like this. This concept relates to self-defense, and deadly force. [....] If, however, that person is in his home, his own property, that person may use deadly force as a means of self defense without having to exhaust every means of escape or avoidance.
On his own property, a person has No Duty to Retreat.
What you say is correct in many, but not all jurisdictions in the USA. For example, in Florida, your statement would be correct, since they allow the use of deadly force to protect any of your property. In contrast, Massachusetts residents may not use deadly force to protect their property, although they can use it in self defense. Specifically: If you are in your own home, there is no duty to retreat, but you may use deadly force only to repel an intruder's deadly force attack against you or your family
According to what I just googled, Kentucky, Massachusetts, Maryland, Missouri, Ohio, South Carolina, Virginia, Washington, Wisconsin and Wyoming don't even allow the use of deadly force to protect a dwelling. Surprisingly, it looks as though Maryland actually allows more latitude in the use of deadly force to protect your business than it does to protect your home. (If someone in one of those jurisdictions has better info, feel free to correct me.)
Anyway, the short version here is that jurisdictions differ widely in a) what you are allowed to defend, and b) what means you are allowed to use in defense.
How is the scenario for Cyber-attack any different?
First off, this idea is a defense of property. It is not a matter of defending you or your family against death or bodily injury. All states allow the use of deadly force to protect you and your family, but they differ widely in what *else* they let you protect with deadly force; i.e. you may not be allowed to use deadly force to protect your property.
Obviously, we're not talking about deadly force... We're simply talking about electronic countermeasures
You correctly noted that computer strikeback is not the same as the use of deadly force, but you failed to note that the states have similar disparities in computer laws. For example, the Oklahoma Computer Crimes Act of 1984 makes it a felony to "willfully and without authorization disrupt or cause the disruption of computer services or deny or cause the denial of access or other computer services to an authorized user of a computer, computer system, or computer network."
Why strikeback is a bad idea.
What is legal in your jurisdiction may not be legal in your target's jurisdiction, or in the jurisdictions of the computers, switches and routers that your attack travels through en route to the target
It may not be effective in eliminating the problems your network is having from the target site - if you strike back against a machine and accidentally harm it, you could find yourself in a protracted feud with the owner of that system (a la "hatfields vs. mccoys") which ends up being more of a bother to you
If you cause collateral damage, you could be liable for it - e.g. someone is flooding you with easily spoofable ICMP and UDP packets and you foolishly DoS the machine whose IP address appears in the header, thus shutting down a small business owner's website. There's a good chance you'll get sued if they know what happened.
It may not be cost effective to accurately trace and identify the machine that is attacking you.
-
Re:Oh great...
Too late.
:)
Now, where's the one made by China Labs I remember from the early 90's?