I spent the day yesterday testing several new samples I'd gotten from the internet last week. They were either VM-aware or not functioning properly. Blew the whole day.
I ended up looking at previous tests I'd done. I tried a SpyEye I picked up in January. It was named us1.exe. It is the SpyEye that names itself c:\usxxxxxxxx\usxxxxxxxx.exe. It illustrates the crossview I wanted: can't see it in a volatile data collection, but can with Volatility's pslist. And, it infects a VM nicely.
> Date: Thu, 3 May 2012 20:39:13 -0500
> Subject: Re: [Vol-users] Need to pick a malware for a demo
> From: robdewhirst@gmail.com
> To: vol-users@volatilesystems.com
>
> I just seem to recall hacker defender being touchy about where its
> config file was located and the name of it. Claimed to support options
> that didn't work. HTH.
>
> I'd like to know what you end up using because I am preparing a
> workshop in a month or so and need a couple more ideas.
>
> On Thu, May 3, 2012 at 5:09 PM, Mike Lambert <dragonforen@hotmail.com> wrote:
> > Hi Rob,
> >
> > Thanks for the suggestion. As I recall that would fit the profile when
> > combined with another tool. And I think it will run in a VM.
> >
> > In the past a friend of mine used Hacker Defender and Optiplex as an example
> > in a presentation. I'd like to pick something else if possible (would
> > rather not duplicate and look lame).
> >
> > What would be really cool is something current that runs in a VM and is a
> > good pslist crossview demo. If I can't find something current, I'll fall
> > back to HD. Good thought!
> >
> > Thanks much for the suggestion. If you have any other thoughts I appreciate
> > them.
> >
> > Mike
> >
> >> Date: Thu, 3 May 2012 09:57:16 -0500
> >
> >> Subject: Re: [Vol-users] Need to pick a malware for a demo
> >> From: robdewhirst@gmail.com
> >> To: vol-users@volatilityfoundation.org
> >
> >>
> >> Check out the Hacker Defender rootkit. I am pretty sure I demoed
> >> exactly what you are wanting to do (including using Volatility to
> >> reveal the rootkit) about a year ago and this malware was a good
> >> example and easy to use. I don't know for sure that it hides from
> >> PsList but it hides from the built-in windows tools.
> >>
> >> Email me if you can't find a copy.
> >>
> >> On Wed, May 2, 2012 at 11:32 PM, Mike Lambert <dragonforen@hotmail.com>
> >> wrote:
> >> > I've got a memory forensics presentation coming up next week and I'd
> >> > like to
> >> > use a sample that will illustrate a crossview example.
> >> >
> >> > Specifically, I'd like to use an example that hides from pslist on the
> >> > running system (don't want a DKOM example) but we can find it using
> >> > Volatility.
> >> > I'd like it to be something running and not a process injection sample.
> >> >
> >> > Does someone have a suggestion which one may provide a good
> >> > illustration?
> >> >
> >> > Thanks,
> >> > Mike
> >> >
> >> >
> >> > _______________________________________________
> >> > Vol-users mailing list
> >> > Vol-users@volatilityfoundation.org
> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >> >
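A small cross-view checker of the kind this thread is about, added here as an example; it is not code from the mailing list, from Volatility, or from any of the posters. It parses a constructed Volatility 2 `pslist` listing of a memory image and a constructed `tasklist /FO CSV` listing collected live on the same host, and reports the processes the memory image knows about that the live view does not show. Every PID, offset and timestamp in the sample data is made up; us1.exe is the name from the post above, but the row describing it is invented.

```python
import csv
import io
import re

# Constructed sample of Volatility 2 "pslist" output (not a real capture).
MEMORY_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-05-04 14:01:02 UTC+0000
0x821a2da0 explorer.exe           1464   1428     17      415      0      0 2012-05-04 14:02:10 UTC+0000
0x81f5d4a8 us1.exe                1872   1464      2       41      0      0 2012-05-04 14:05:33 UTC+0000
0x81e0c020 notepad.exe            2044   1464      0 --------      0      0 2012-05-04 14:06:00 UTC+0000   2012-05-04 14:06:40 UTC+0000
"""

# Constructed sample of "tasklist /FO CSV" taken live just before the image.
# us1.exe is missing from it: the live view is incomplete.
LIVE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"smss.exe","368","Console","0","388 K"
"explorer.exe","1464","Console","0","15,204 K"
"""

# One data row of Volatility 2 pslist; Start and Exit are optional.
PSLIST_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<name>\S+)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+"
    r"(?P<hnds>\S+)\s+"
    r"(?P<sess>\S+)\s+"
    r"(?P<wow64>\d+)"
    r"(?:\s+(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+))?"
    r"(?:\s+(?P<exit>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+))?"
    r"\s*$"
)


def parse_pslist(text):
    """Map PID -> fields for every process row in pslist output."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:  # header and separator lines do not match and are skipped
            procs[int(m["pid"])] = {
                "name": m["name"],
                "offset": m["offset"],
                "ppid": int(m["ppid"]),
                "exit": m["exit"],
            }
    return procs


def parse_tasklist_csv(text):
    """Map PID -> image name from tasklist /FO CSV output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def cross_view(memory_procs, live_procs):
    """Return (pid, name, offset, reason) for processes the live view hides."""
    findings = []
    for pid in sorted(memory_procs):
        info = memory_procs[pid]
        if info["exit"]:
            # pslist still lists recently terminated processes (Exit is set);
            # their absence from a live listing is expected, not hiding.
            continue
        if pid not in live_procs:
            findings.append((pid, info["name"], info["offset"],
                             "absent from live listing"))
            continue
        # EPROCESS.ImageFileName holds at most 15 characters, so the memory
        # name may be a prefix of the full image name shown live.
        mem_name = info["name"][:15].lower()
        if not live_procs[pid].lower().startswith(mem_name):
            findings.append((pid, info["name"], info["offset"],
                             "live name %r does not match" % live_procs[pid]))
    return findings


if __name__ == "__main__":
    memory = parse_pslist(MEMORY_PSLIST)
    live = parse_tasklist_csv(LIVE_TASKLIST)
    for pid, name, offset, reason in cross_view(memory, live):
        print("PID %d %s at %s: %s" % (pid, name, offset, reason))
```

Three caveats apply to any such comparison. The live listing and the memory image must be taken close together, or ordinary process churn shows up as findings. An entry with an Exit time is a process that terminated, not one that was hidden, which is why the checker skips them. And pslist walks the same EPROCESS list a live tool reads, so a DKOM-unlinked process (the case the original poster wanted to avoid) would be missing from both views; Volatility's psscan and psxview cover that case inside the image itself.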