Source Of Evil – A Botnet Code Collection

In case you’re looking for a variety of IRC client implementations, or always wondered how botnets and other malware look on the inside, [maestron] has just the right thing for you. After years of searching and gathering the source code of hundreds of real-world botnets, he’s now published them on GitHub.

With C++ being the dominant language in the collection, you will also find sources in C, PHP, BASIC, Pascal, the occasional assembler, and even Java. And if you want to consider the psychological aspect of it, who knows, seeing their malicious creations in their rawest form might even give you a glimpse into the mind of their authors.

These sources are of course for educational purposes only, and it should go without saying that you probably wouldn’t want to experiment with them outside a controlled environment. But in case you do take a closer look at them and are someone who generally likes to get things in order, [maestron] is actually looking for ideas how to properly sort and organize the collection. And if you’re more into old school viruses, and want to see them run in a safe environment, there’s always the malware museum.

Françoise Barré-Sinoussi: Virus Hunter

It was early 1983 and Françoise Barré-Sinoussi of the prestigious Pasteur Institute in Paris was busy at the centrifuge trying to detect the presence of a retrovirus. The sample in the centrifuge came from an AIDS patient, though the disease wasn’t called AIDS yet.

Barré-Sinoussi and Montagnier in 1983. Image source: Le Globserver

Just two years earlier in the US, a cluster of young men had been reported as suffering from unusual infections and forms of cancer normally experienced by the very old or by people using drugs designed to suppress the immune system. More cases were reported and US Centers for Disease Control and Prevention (CDC) formed a task force to monitor the unusual outbreak. In December, the first scientific article about the outbreak was published in the New England Journal of Medicine.

By May 1983, researchers Barré-Sinoussi and Luc Montagnier of the Pasteur Institute had isolated HIV, the virus which causes AIDS, and reported it in the journal Science. Both received the Nobel prize in 2008 for this work and the Nobel prize citation stated:

Never before have science and medicine been so quick to discover, identify the origin and provide treatment for a new disease entity.

It’s only fitting then that we take a closer look at one of these modern detectives of science, Françoise Barré-Sinoussi, and what led to her discovery.


Museum Shows Off Retro Malware

There’s some debate on which program gets the infamous title of “First Computer Virus”. There were a few for MS-DOS machines in the 80s and even one that spread through ARPANET in the 70s. Even John von Neumann theorized that programs might one day self-replicate. To compile all of these early examples of malware, and possibly settle this question once and for all, [Mikko Hypponen] has started collecting many of the early malware programs into a Museum of Malware.

While unlucky (or careless) users today are confronted with entire hard drive encryption viruses (or worse), a lot of the early viruses were relatively harmless. Examples include Brain which spread via floppy disk, the experimental ARPANET virus, or Elk Cloner which, despite many geniuses falsely claiming that Apples are immune to viruses, infected Mac computers of the 80s. [Mikko] has collected many more from this era that can be downloaded or demonstrated in a browser.

Retrocomputing is an active community, with users keeping gear of this era up and running despite it being 30+ years old. This software, while malicious at the time, is a great look into what the personal computing world was like in its infancy. And don’t forget, if you have a beige computer from a bygone era, you can always load up our Retro Page.

Thanks to [chad] for the tip!

The Most Brilliant Use of Crowdfunding Yet: Medical Research

Since the rise of Kickstarter and Indiegogo, the world has been blessed with $100 resin-based 3D printers, Video game consoles built on Android, quadcopters that follow you around, and thousands of other projects that either haven’t lived up to expectations or simply disappeared into the ether. The idea of crowdfunding is a very powerful one: it’s the ability for thousands of people to chip in a few bucks for something they think is valuable. It’s a direct democracy for scientific funding. It’s the potential for people to pool their money, give it to someone capable, and create something really great. The reality of crowdfunding isn’t producing the best humanity has to offer. Right now, the top five crowdfunding campaigns ever are two video games, a beer cooler, a wristwatch with an e-ink screen, and something to do with Bitcoin. You will never go broke underestimating people.

[Dr. Todd Rider] wants to change this. He might have developed a way to cure nearly all viral diseases in humans, but he can’t find the funding for the research to back up his claims. He’s turned to IndieGoGo with an audacious plan: get normal people, and not NIH grants, to pay for the research.

The research [Dr. Rider] has developed is called the DRACO, the Double-stranded RNA Activated Caspase Oligomerizer. It works by relying on the singular difference between healthy cells and infected cells. Infected cells contain long chains of viral double-stranded RNA. The DRACOs attach themselves to these long strands of RNA and cause those cells to commit suicide. The research behind the DRACO was published in 2011, and since then [Dr. Rider] has already received funding from more traditional sources, but right now the project is stuck in the ‘funding valley of death’. It’s easy to get funding for early research, but to get the millions of dollars for clinical trials it takes real results – showing efficacy, and proving to pharmaceutical companies or VCs that the drug will make money.

So far, results are promising, but far from the cure for HIV and the common cold the DRACO promises to be. [Dr. Rider] has performed a few tests on cell cultures and mice, and the DRACOs have been effective in combating everything from the common cold, to the flu to dengue hemorrhagic fever.

The IndieGoGo campaign is flexible funding, meaning all the money raised will go towards research even if the funding goal is not met. Right now, just over $50,000 has been raised of a $100,000 goal. That $100k goal is just the first step; [Dr. Rider] thinks he’ll need about $2 Million to test DRACOs against more viruses and hopefully show enough progress to get additional traditional funding. That $2 Million is a little less than what Solar Roadways raised, meaning no matter what [Dr. Rider] will make one important medical discovery: people are very, very, very dumb.


Decoding ZeuS Malware Disguised as a .DOC

[Ronnie] recently posted about his adventures in decoding malware. One of his users reported a phishy email, which did indeed turn out to contain a nasty attachment. The process that [Ronnie] followed in order to figure out what this malware was trying to do is quite fascinating and worth the full read.

[Ronnie] started out by downloading the .doc attachment in a virtual machine. This would isolate any potential damage to a junk system that could be restored easily. When he tried to open the .doc file, he was presented with an error stating that he did not have either enough memory or disk space to proceed. With 45GB of free space and 2GB of RAM, this should not have been an issue. Something was definitely wrong.

The next step was to open the .doc file in Notepad++ for analysis. [Ronnie] quickly noticed that the file was actually a .rtf disguised as a .doc. He scanned through large chunks of data in an attempt to guess what the malware was trying to do, and noticed that one data chunk ended with the bytes “FF” and “D9”, which are also found as the ending two bytes of .gif files.

[Ronnie] copied this data into a new document and removed all new line and return characters. He then converted the hex to ASCII, revealing some more signs that this was actually image data. He saved this file as a .gif and opened it up for viewing. It was a 79KB image of a 3D rendered house. He also found another chunk of data that was the same picture, but 3MB in size. Strange to say the least.

After finding a few other weird bits of data, [Ronnie] finally started to see more interesting sections. First he noticed some strings with mixed up capital and lowercase letters, a tactic sometimes used to avoid antivirus signatures. A bit lower he found a section of data that was about the size of typical shellcode. He decoded this data and found what he was looking for. The shellcode contained a readable URL. The URL pointed to a malicious .exe file that happened to still be available online.

Of course [Ronnie] downloaded the .exe and monitored it to see how it acted. He found that it set a run key in the registry to ensure that it would persist later on. The malware installed itself to the user’s appdata folder and also reached out repeatedly to an IP address known to be affiliated with ZeuS malware. It was a lot of obfuscation, but it was still no match for an experienced malware detective.
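Two of the checks from [Ronnie]’s write-up can be automated for triage: does the file’s content match its extension, and are there hex-encoded image blobs buried in the RTF that can be decoded by stripping the line breaks? The following is an added Python example, not code from the post or from [Ronnie]; it identifies the container by magic bytes, pulls long hex runs out of an RTF, and carves images by header/trailer signature. It treats FF D9 as the JPEG end-of-image marker and 0x3B as the GIF trailer (both standard format facts), and the RTF, GIF and JPEG-shaped sample inputs are constructed inline for the demonstration.

```python
import binascii
import re

# Public file signatures (standard format facts, not taken from the post).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE compound file)
RTF_MAGIC = b"{\\rtf"                             # every RTF document opens with this group
# Header and trailer used to carve each image type out of decoded hex data.
IMAGE_SIGNATURES = {
    "gif": (b"GIF8", b"\x3b"),               # GIF87a/GIF89a header ... ';' trailer
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),  # JPEG SOI marker ... EOI marker
}
# Runs of at least 24 hex byte pairs, tolerating the CR/LF breaks RTF writers insert.
HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}[\r\n]*){24,}")


def identify_container(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever extension the file carries."""
    if data.startswith(OLE_MAGIC):
        return "ole-doc"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one container and the bytes say another."""
    ext = filename.lower().rsplit(".", 1)[-1]
    expected = {"doc": "ole-doc", "rtf": "rtf"}.get(ext)
    return expected is not None and identify_container(data) != expected


def decode_hex_blobs(rtf: bytes):
    """Yield the binary form of every long hex run (e.g. \\pict payloads)."""
    for match in HEX_RUN.finditer(rtf):
        cleaned = re.sub(rb"[\r\n]", b"", match.group(0))  # drop line breaks, as in the post
        yield binascii.unhexlify(cleaned)


def carve_images(blob: bytes):
    """Return (kind, bytes) for each header..trailer span; first trailer wins (heuristic)."""
    found = []
    for kind, (head, tail) in IMAGE_SIGNATURES.items():
        start = blob.find(head)
        while start != -1:
            end = blob.find(tail, start + len(head))
            if end == -1:
                break
            found.append((kind, blob[start:end + len(tail)]))
            start = blob.find(head, end + len(tail))
    return found


def analyze(filename: str, data: bytes) -> dict:
    """Triage summary: container type, extension mismatch, and carved image sizes."""
    images = []
    if identify_container(data) == "rtf":
        for blob in decode_hex_blobs(data):
            images.extend((kind, len(img)) for kind, img in carve_images(blob))
    return {
        "container": identify_container(data),
        "extension_mismatch": extension_mismatch(filename, data),
        "images": images,
    }


# --- Constructed sample input (hypothetical; not the attachment from the post) ---
def hex_lines(data: bytes, width: int = 64) -> bytes:
    """Hex-encode with line breaks, mimicking how RTF stores binary pictures."""
    h = binascii.hexlify(data)
    return b"\n".join(h[i:i + width] for i in range(0, len(h), width))


SAMPLE_GIF = (  # a valid 1x1 GIF89a, 43 bytes
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00" + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    + b"\x02\x02\x44\x01\x00" + b"\x3b"
)
SAMPLE_JPEG = (  # JPEG-shaped blob (SOI + APP0 header + padding + EOI), 30 bytes
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 8 + b"\xff\xd9"
)
SAMPLE_RTF = (  # an RTF document saved under a .doc name, with two embedded pictures
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}\n"
    b"\\pard Please enable editing to view this document.\\par\n"
    b"{\\pict\\pngblip\n" + hex_lines(SAMPLE_GIF) + b"}\n"
    b"{\\pict\\jpegblip\n" + hex_lines(SAMPLE_JPEG) + b"}\n"
    b"}"
)

if __name__ == "__main__":
    print(analyze("invoice.doc", SAMPLE_RTF))
```

Run as a script it reports the constructed file as an RTF carrying the wrong extension with one 43-byte GIF and one 30-byte JPEG carved out; pointing `analyze()` at a real sample in an isolated VM gives the same first pass [Ronnie] did by hand, without opening the document in Word.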

Hackaday Links: August 21, 2011

Arduino + PS2 controller + R2D2

Here’s an unbelievably real-looking R2D2 replica driven by a PS2 controller with an Arduino inside that plays sounds from the movies. Too bad we couldn’t find any more details about it. [Thanks Bill]

Server build time-lapse

[Justin] and his colleagues spent five days upgrading their server by building a 29-unit cluster. Lucky for us they set up a web-cam to capture the process.

Cockroach computer

Behold this working desktop computer, complete with monitor and mouse. We’re not sure how it was done, or what it’s for, but worth a peek just because of its size. [Thanks Harald via Dvice]

Modelling self-assembling viruses

A 3D printer and magnets were used to build this model of a self-assembling virus. Shake the jar and it falls apart. Shake a bit more and it’ll rebuild itself… it has the technology.

Tardis cufflinks

[Simon] is exercising his geek chic with these Tardis cuff links. The Doctor Who inspired accessories were made from a model railroad telephone booth.

Exploit Bait and Switch

When a new virus or other piece of malware is identified, security researchers attempt to get hold of the infection toolkit used by malicious users, and then deploy the infection in a specially controlled environment in order to study how the virus spreads and communicates. Normally, these toolkits also include some sort of management console used to evaluate the success of an infection and other aspects of the malware application. In the case of the EFTPS malware campaign, however, the admin console had a special trick.

This console was actually a fake, accepting a number of generic passwords and user accounts, and providing fake statistics to whoever looked into it. All the while, the console would “call home” with as much data about the researcher as possible. By tricking the researchers in this way, the crooks would be able to stay one step ahead of anti-virus tools that would limit the effectiveness of any exploit. Thankfully though, the researchers managed to come out on top this time.

[via boingboing]