New Malware v111

Matt

I've collected detection rules for the following Malware:
  • Malware.Fraud.Sysguard
  • Malware.Mirar.Tango
  • Security.Microsoft.Windows.RedirectedHosts(3)
  • Spyware.Spynet
  • Trojan.Agent(4)
  • Trojan.FakeAlert.ttam(2)
  • Trojan.Kreeper
  • Trojan.Opachki
  • Trojan.Virtumonde
 
In the code that you have given, it appears that the users would have to input their user name:
Code:
// mRun: [pdialkdu] C:\Documents and Settings\Dean Palm\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe
Wouldn't it be easier just to use %appdata%? Then you could continue with the rest of the line \uiejudlxq\lofkctltssd.exe. It would make it smaller and make it so people could use it right away, but that's only my opinion on that.
 
...
Wouldn't it be easier just to use %appdata%? Then you could continue with the rest of the line \uiejudlxq\lofkctltssd.exe. It would make it smaller and make it so people could use it right away, but that's only my opinion on that.
I am aware of that...

The "problem" about this kind of Malware is that the folder uiejudlxq for example is random, like the part lofkctl in lofkctltssd.exe as well.

Without more detailed information (filesize, md5, etc.) , it doesn't make much sense to create some detection rules.
As a conclusion, I didn't create a detection rule which you can see because of the "//" at the beginnging of these lines.

Thank you for your well-intentioned suggestion, but I don't understand why you answer to a post which is almost one year old.
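The two points made above, that the account-specific profile prefix should not be hard-coded in a rule and that a path whose folder and file names are random per infection cannot be detected by path alone, can be shown in a few lines of Python. This is an added illustration, not part of the thread and not Spybot's own SBI rule syntax; the mRun line, the "sample binary" and the hypothetical rule below are constructed here, and the helper names (normalize_path, path_shape_suspicious, matches_rule) are assumptions of this example.

```python
import hashlib
import re

# Constructed sample: an autorun (mRun) entry in the style quoted in the thread.
# The user name, the folder "uiejudlxq" and the file name stand in for the
# per-infection random parts discussed above; none of this is a real indicator.
SAMPLE_MRUN = (
    r"mRun: [pdialkdu] C:\Documents and Settings\Dean Palm"
    r"\Local Settings\Application Data\uiejudlxq\lofkctltssd.exe"
)

# "C:\Documents and Settings\<user>" is the XP-era profile root; replacing the
# user name with %USERPROFILE% lets one rule apply to every account.
_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\[^\\]+", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Replace the account-specific profile prefix with %USERPROFILE%."""
    return _PROFILE_RE.sub("%USERPROFILE%", path, count=1)


def parse_mrun(line: str):
    """Split an 'mRun: [value name] path' line into (value name, path)."""
    m = re.match(r"^mRun:\s*\[(?P<name>[^\]]*)\]\s*(?P<path>.+?)\s*$", line)
    if not m:
        return None
    return m.group("name"), m.group("path")


# Path-shape heuristic: a random lowercase folder and a random lowercase .exe
# under the local application data folder. On its own this only says "looks
# suspicious": the random parts differ on every machine, so it is not a detection.
_RANDOM_PATH_RE = re.compile(
    r"^%USERPROFILE%\\Local Settings\\Application Data\\[a-z]{6,12}\\[a-z]{6,14}\.exe$",
    re.IGNORECASE,
)


def path_shape_suspicious(path: str) -> bool:
    return bool(_RANDOM_PATH_RE.match(normalize_path(path)))


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def matches_rule(path: str, file_bytes: bytes, rule: dict) -> bool:
    """Hypothetical rule: path shape, exact file size and MD5 must all agree.

    The size and hash are the "more detailed information" the post asks for;
    without them the path heuristic alone would be a false-positive generator.
    """
    return (
        path_shape_suspicious(path)
        and len(file_bytes) == rule["size"]
        and md5_hex(file_bytes) == rule["md5"]
    )


# Constructed "sample binary" and a rule derived from it (placeholder content,
# not a real malware sample or hash).
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed sample payload, not malware"
SAMPLE_RULE = {"size": len(SAMPLE_BYTES), "md5": md5_hex(SAMPLE_BYTES)}

if __name__ == "__main__":
    _name, path = parse_mrun(SAMPLE_MRUN)
    print(normalize_path(path))                               # %USERPROFILE%\Local Settings\...
    print(path_shape_suspicious(path))                        # True: shape matches
    print(matches_rule(path, SAMPLE_BYTES, SAMPLE_RULE))      # True: size and MD5 agree
    print(matches_rule(path, SAMPLE_BYTES + b"x", SAMPLE_RULE))  # False: same path, different file
```

The last two calls are the point: the same suspicious path gives a hit only when the file's size and MD5 match the rule, which is why a rule written from a path alone was left commented out.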
 
I'd personally like to know where these OpenSBI files are and how to integrate them into Spybot - Search & Destroy.
 
These files are here - click the Download link below the text above (at least those SBI items that are flagged as reviewed by enough people have that link).
Save them to the Includes\ folder within your Spybot folder, and they can be used from within Spybot (can be enabled on Filesets page).
I don't see a download link, just a set of plain-text embedded within the code tags, and for the newer OpenSBI files there is no way for me to even see them.

I will still make text files out of the available ones and save them to my Includes directory. Thanks!
 
Hello,
the code above made by Matt does not have the necessary rating yet, so it is not downloadable for you.

Did you create your own .sbi files using the editor? If so, you can upload them here and we can rate them so they become downloadable.

regards,
Markus
 
Are there any OpenSBI files that do have the necessary rating yet? I'm down to "New Malware v93" now and I've been copy-pasting.

I'm not creating OpenSBI files; I've just been interested in using the ones that have been submitted here, and I intend to upload a zip of them for the rest of us who'd rather not go back and copy-paste all those OpenSBI files.
 
Are there any OpenSBI files that do have the necessary rating yet? I'm down to "New Malware v93" now and I've been copy-pasting.

Yes, there are some, e.g.

http://forums.spybot.info/showthread.php?t=48837
http://forums.spybot.info/showthread.php?t=49452

I'm not creating OpenSBI files; I've just been interested in using the ones that have been submitted here, and I intend to upload a zip of them for the rest of us who'd rather not go back and copy-paste all those OpenSBI files.

Files should get a good rating when a user has tested or at least reviewed them. The idea is that they should not be easily downloadable otherwise. Files with a low rating are totally untested and very likely dangerous to use. So please do not ZIP them and offer them for download.

The problem with OpenSBI is currently a lack of participation. We need more people who are willing to learn about Malware and the SBI language to write and rate SBI files, for these forums to really work as intended.

Until now the system was mostly used by Matt. His submissions were already included in our detection rules after some corrections.

daemon
 
I agree: I went ahead and tested the last few ones and there were errors with several and a false positive in v108 (the ATI Catalyst Control Center).
 