Recent Postssee all

Mar 10, 2015reverse engineering

The DGA of Pykspa"you skype version is old"

Pykspa (also known as Pykse, Skyper or SkypeBot) is a worm that spreads via Skype, see “Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype” by Antonio Nappa et al. and “Recognising Botnets in Organisations” by Barry Weymes. The malware has a hardcoded list of chat messages which it sends to contacts of the infected Skype user, trying to lure them into clicking on links...read

Feb 20, 2015reverse engineering

The DGAs of Necurs

Necurs is a malware that opens a backdoor on infected systems, see NECURS: The Malware That Breaks Your Security. A broad analysis of the malware can be found in the three part series The Curse of Necurs by Peter Ferrie. This post focuses exclusively on the network traffic of Necurs, in particular the used domains. Necurs features three different sets of hostnames that serve different purposes...read

Feb 10, 2015reverse engineering

The DGA of Banjori

This post analyses the domain generation algorithm (DGA) of the banking trojan Banjori, also known as MultiBanker 2 or BankPatch/BackPatcher. The DGA was active mostly between April and November of 2013 (at least thats when I found most seeds). Two blog posts on kleissner.org [1] [2] document many interesting properties of the malware, including some aspects of the DGA. Although the malware family...read

Jan 30, 2015reverse engineering

Crackmes.de – KeygenMe #2 by Lesco

The crackme KeygenMe #2 by Lesco has been published August 12, 2006. It is still unsolved, despite the time elapsed. DeepBlue posted a link to a supposed keygen in the comments though, but the link does not work anymore. I think this is one of the better crackmes and worthy of a proper solution. The difficulty rating is “5 - Professional problem to solve”. The crackme is written in C/C++ and runs...read

Jottings see all

Recent Changes

13. Mar 19:30
additional seed for shiz
11. Mar 19:34
new note: the dga of simda/shiz
11. Mar 19:21
additional seeds for Pykspa
10. Mar 21:18
typos
10. Mar 20:44
new blog post: the dga of pykspa - you skype version is old
06. Mar 19:47
new note: The DGA of DirCrypt