Re: [Vol-users] Need to pick a malware for a demo

Hi Rob, I spent the day yesterday testing several new samples I'd gotten from the internet last week. They were either VM aware or not functioning properly. Blew the whole day. I ended up looking at previous tests I'd done. I tried a Spyeye I picked up in January. It was named us1.exe. It is the Spyeye that names itself c:\usxxxxxxxx\usxxxxxxxx.exe It illustrates the crossview I wanted, can't see it in a Volatile data collection, but can with Volatilty's pslist. And, it infects a VM nicely. Do you have a copy? Mike > Subject: Re: [Vol-users] Need to pick a malware for a demo > From: robdewhirst(a)gmail.com > To: vol-users(a)volatilityfoundation.org > > I just seem to recall hacker defender being touchy about where it's > config file was located and the name of it. Claimed to support options > that didn't work. HTH. > > I'd like to know what you end up using because I am preparing a > workshop in a month or so and need a couple more ideas. > > On Thu, May 3, 2012 at 5:09 PM, Mike Lambert <dragonforen(a)hotmail.com> > wrote: > > Hi Rob, > > > > Thanks for the suggestion. As I recall that would fit the profile when > > combined with another tool. And I think it will run in a VM. > > > > In the past a friend of mine used Hacker Defender and Optiplex as an > > example > > in a presentation.  I'd like to pick something else if possible (would > > rather not duplicate and look lame). > > > > What would be really cool is something current that runs in a VM and is > > a > > good pslist crossview demo.  If I can't find something current, I'll > > fall > > back to HD. Good thought! > > > > Thanks much for the suggestion.  If you have any other thoughts I > > appreciate > > them. > > > > Mike > > > >> Date: Thu, 3 May 2012 09:57:16 -0500 > > > >> Subject: Re: [Vol-users] Need to pick a malware for a demo > >> From: robdewhirst(a)gmail.com > >> To: vol-users(a)volatilityfoundation.org > > > >> > >> Check out the Hacker Defender rootkit. I am pretty sure I demoed > >> exactly what you are wanting to do (including using Volatility to > >> reveal the rootkit) about a year ago and this malware was a good > >> example and easy to use. I don't know for sure that it hides from > >> PsList but it hides from the built-in windows tools. > >> > >> Email me if you can't find a copy. > >> > >> On Wed, May 2, 2012 at 11:32 PM, Mike Lambert <dragonforen(a)hotmail.com> > >> wrote: > >> > I've got a memory forensics presentation coming up next week and I'd > >> > like to > >> > use a sample that will illustrate a crossview example. > >> > > >> > Specifically, I'd like to use an example that hides from pslist on > >> > the > >> > running system (don't want a DKOM example) but we can find it using > >> > Volatility. > >> > I'd like it to be something running and not a process injection > >> > sample. > >> > > >> > Does someone have a suggestion which one may provide a good > >> > illustration? > >> > > >> > Thanks, > >> > Mike > >> > > >> > > >> > _______________________________________________ > >> > Vol-users mailing list > >> > Vol-users(a)volatilityfoundation.org > >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > >> > > >> _______________________________________________ > >> Vol-users mailing list > >> Vol-users(a)volatilityfoundation.org > >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users