From Facebook App to Botnet

MyCERT had received a couple of reports on a new variant of Facebook malware spreading in the wild. It propagates through an FB application. The malware is also targeting users with messages on Facebook, which then link through to a fake Facebook photo page. The site is designed to appear that the user is […]

(Yet Another) Quick Botnet Analysis

Botnets are networks of malware-infected machines that are controlled by an adversary. Our approach to studying this botnet is to perform active analysis by using an actual malware sample, infecting the machine and observing its activities. As we probe deeper into the network traffic collected by Wireshark, we find very detailed IRC functionality, attack […]

OllyScript – Automating detection and unpacking the Conficker Worm Variant B/C

In order to bring the problem of extracting unpacking code into the realm of decidability, MyCERT had been working on automating the unpacking script in an assembly-like language. The script, called OllyScript, can be used to unpack the malicious worms Win32/Conficker B and Win32/Conficker C. OllyScript is the scripting language plugin for OllyDbg. It simulates user’s […]

Automated Unpacking Conficker Worm Variant B

The infamous worm, Conficker, which surfaced on 21 November 2009 and is set to time-bomb on 1 April 2009, was literally all over the media. Although studying its malware source code is the best way to fully understand its features and impacts, unfortunately getting the source code to study is sometimes impossible. There is still has […]