
Packed

Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs

Bugtraq: PAPER: Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs


URL: http://www.securityfocus.com/archive/1/503800



Posted by Piotr Bania on May 25

ABSTRACT

Nowadays most of the malware applications are either packed or protected.
These techniques are applied especially to evade signature-based detectors
and also to complicate the job of reverse engineers or security analysts.
The time one must spend on unpacking or decrypting malware…

URL: http://seclists.org/fulldisclosure/2009/May/0204.html

The Sims 3 Leaked Two Weeks Before Its Launch


It can't get any better than this for gamers: The Sims 3 video game has been leaked on torrents two weeks before its official release. This is just unbelievable, as a few weeks ago an unfinished version of the Wolverine movie was leaked on torrents about 30 days before its premiere. According to Electronic Arts and Maxis, the game will officially be released on June 2, and for the moment neither of them has reacted to The Sims 3 leak on torrents.

We can say that hackers and pirates have won another battle against publishers and distributors, and this will have to hurt EA a lot. For the moment we can't tell for sure if the game is real, as the packed/unpacked leaks are sized somewhere near 5GB. The small size of the game makes us think that this is not the actual game, but maybe it's an unfinished version of The Sims 3 life simulation game.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31350

Microsoft Security Bulletin for May 2009


The table below lists the Microsoft vulnerabilities for May.

MS Bulletin Number: MS09-017
Microsoft Bulletin Title: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)
Severity: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Office
CVE ID: CVE-2009-0220, CVE-2009-0221, CVE-2009-0222, CVE-2009-0223, CVE-2009-0224, CVE-2009-0225, CVE-2009-0226, CVE-2009-0227, CVE-2009-0556, CVE-2009-1128, CVE-2009-1129, CVE-2009-1130, CVE-2009-1131, CVE-2009-1137

Threat Remediation

Fortinet provides coverage on Microsoft vulnerabilities in May 2009.

CVE Number Signature Name
CVE-2009-0220 MS.PowerPoint.PP4X322.DLL.Code.Execution
CVE-2009-0221 MS.PowerPoint.Atom.Integer.Overflow
CVE-2009-0222 MS.PowerPoint.PP4X322.DLL.PackedData.Buffer.Overflow
CVE-2009-0223 MS.Powerpoint.Converter.Code.Execution
CVE-2009-0224 MS.Powerpoint.Objects.Size.Heap.Overflow
CVE-2009-0225 MS.Powerpoint.Old.File.Format.Parsing.Code.Execution
CVE-2009-0226 MS.PowerPoint.File.Format.Converter.Code.Execution
CVE-2009-0227 MS.PowerPoint.File.Stack.Buffer.Overrun
CVE-2009-0556 MS.PowerPoint.OutlineTextRefAtom.Memory.Corruption
CVE-2009-1128 MS.PowerPoint.PSTSoundEntity.Code.Execution
CVE-2009-1129 MS.PowerPoint.PSTExEmbed.Code.Execution
CVE-2009-1130 MS.PowerPoint.HashCode10.Code.Execution
CVE-2009-1131 MS.PowerPoint.CurrentUserAtom.Remote.Code.Execution

For more information on new and enhanced signatures, visit the IPS Service Update History. If you require more information, contact the FortiGuard Team using our Contact Us web page.

Document History

Revision Date: Tuesday, May 12, 2009
Version Number: 1
Description: Initial Documentation.

Reference:

URL: http://www.fortiguardcenter.com/advisory/FGA-2009-18.html

4005


JS/TrojanDownloader.Iframe.NDX, Win32/Adware.Antivirus2008, Win32/Adware.Coolezweb, Win32/Adware.NewWeb (2), Win32/Adware.SystemSecurity, Win32/Agent.WPI, Win32/Autoit.CL, Win32/AutoRun.IRCBot.V, Win32/Packed.Crpak.Gen, Win32/PSW.OnLineGames.NMP (2), Win32/PSW.OnLineGames.NMY (4), Win32/TrojanClicker.VB.NFM, Win32/TrojanDownloader.VB.NXG (2), Win32/Waledac.IT (5), Win32/Waledac.IU

URL: http://www.eset.com/joomla/index.php?option=com_content&task=view&id=5938&Itemid=26


CVE-2008-6661 (bitdefender_antivirus)

Multiple integer overflows in the scanning engine in Bitdefender for Linux 7.60825 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed (1) NeoLite and (2) ASProtect packed PE file.

URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6661


Mal/Behav-009, Trojan.Win32.StartPage, Exploit.IMG-WMF!sd6, Packed.Generic.181..

URL: http://www.threatexpert.com/report.aspx?md5=d7638903e602c080eed9130a5c7d3d5f

Packed.Generic.202, Vundo.gen.w, Troj/Virtum-Gen, Trojan:Win32/Vundo.gen!BB..


URL: http://www.threatexpert.com/report.aspx?md5=4be7fb3ea1584dc7ee732a04e2ac127f

Trojan-Dropper.Vb, Backdoor.ProRAT.K, Trojan.TDss, Packed.Generic.202..


URL: http://www.threatexpert.com/report.aspx?md5=7fa61f8b1ed99c1699c431790b990d36

Infostealer, Packed.Win32.Krap.c, Mal/EncPk-FH, Backdoor:Win32/Bifrose.AE..


URL: http://www.threatexpert.com/report.aspx?md5=a4fb655c5f9bf7ab68261c584637d5c7

Mal/TibsPk-A, Trojan.Spammer, Packed.Generic.209, Trojan.Win32.Inject.qwd, New..


URL: http://www.threatexpert.com/report.aspx?md5=a156bccc0b8bd1ca1ce3810a4e79f82b

W32.Harakit, Packed.Win32.Klone.bj, Worm:AutoIt/Renocide.gen!A


URL: http://www.threatexpert.com/report.aspx?md5=e025b36629d5ce396fffe658b9a8ba38

Packed.Win32.Krap.i, Spam-Mailbot.h.gen.a, Spammer:Win32/Tedroo.A..


URL: http://www.threatexpert.com/report.aspx?md5=e03ec08c6068edc43d4e0aac119250ac

Packed.Generic.209, Trojan-Downloader.Win32.Agent.bmrg, Generic.dx..


URL: http://www.threatexpert.com/report.aspx?md5=e28b7cfec3df1c7ce3e0977ef6588db0