Domain > reconstructer.org
DNS Resolutions

Date        IP Address
2012-01-23  176.9.53.106 (ClassC)
2024-11-07  176.9.99.164 (ClassC)
Port 80
HTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 17:52:48 GMT
Server: Apache
Last-Modified: Sun, 15 Jun 2014 20:05:23 GMT
ETag: 63bd-4fbe56e45e6c0
Accept-Ranges: bytes
Content-Length: 25533
Vary: Accept-Encoding
Content-Type: text/html

Page title: www.reconstructer.org (main.html; site navigation: About, Code, Papers, Links)

05.12.2013
Slides about an in-depth analysis of CVE-2013-3906, exploiting a TIFF bug inside a Microsoft Office Winword file. This bug was exploited in a targeted attack in November 2013.
Download: papers/masTIFF - An in depth analysis of CVE-2013-3906.pptx

25.11.2013
A new version of OfficeMalScanner/RTFScan has been released. This update includes a generic decryption loop detection, enhanced shellcode patterns and bugfixes. Enjoy!
Download: code/OfficeMalScanner.zip

12.09.2012
The new version of the OfficeMalScanner suite introduces RTFScan. As you might know, there are several samples in the wild using the RTF format as OLE and PE-file container. So here is a very first version of RTFScan. It currently is able to scan for malicious traces like shellcode, and dumps embedded OLE and PE files and other data containers. Buffer decryption in RTFScan is not supported in this release, as OMS and RTFScan will be enhanced with a cryptanalysis feature to break keys up to 1024 bytes in seconds. The old brute force feature in OMS will be kicked then.
Download: code/OfficeMalScanner.zip

10.08.2012
I found some time to update OfficeMalScanner lately. So here is version 0.54! Next to bugfixes, it now has its own RtlDecompressBuffer library to support VB-macro extraction on WINE. Further, the document format is detected (word, ppt, excel) and it is able to extract embedded flash files (compressed and uncompressed).
Download: code/OfficeMalScanner.zip

20.12.2011
Last week I had a speech at the CAST forum about hunting malware with Volatility 2.0. On 40 slides I introduce the main features of this powerful forensic framework. All memory dumps being discussed are snapshots from infected machines with modern malwares and rootkits.
Download: papers/Hunting malware with Volatility v2.0.pdf

03.10.2011
H-online released my next article of the CSI:Internet forensic series. In this part it's kernel debugging time. Learn how to find the TDL4 rootkit in live memory.
CSI:Internet - Open heart surgery: http://www.h-online.com/security/features/CSI-Internet-Open-heart-surgery-1350313.html

12.09.2011
H-online just released my article contribution for the 2nd season of CSI:Internet. As you might know from former releases of this series, it combines a story close to reality with technical stuff. This time I introduce you to the usage of an awesome malware forensic framework called Volatility. Hope I can inspire people with this little contribution as it inspired me. The features I use in this article are just a small set of what is possible with this framework.
CSI:Internet - A trip into RAM: http://www.h-online.com/security/features/CSI-Internet-A-trip-into-RAM-1339479.html

20.01.2011
Today I had a talk at the Ruhr University of Bochum: Hunting rootkits with Windbg. I'll introduce several ways to find well known rootkits like Rustock or TDL versions 3+4 with Windbg and scripts. Enjoy!
Download: papers/Hunting rootkits with Windbg.pdf

16.01.2011
Just released a small Windbg script I use while rootkit hunting and searching for kernel callbacks. See the readme.txt for usage infos.
Download: code/WindbgScript-KernelCBFindx86.rar

15.07.2010
While investigating a new malware I came across strange requests to a Siemens SCADA WinCC + S7 database. This was the first time I've seen malware which targets process control systems and their visualisation components, often used in critical infrastructures and manufacturing.
Read more here: Trojan spreads via new Windows hole (http://www.h-online.com/security/news/item/Trojan-spreads-via-new-Windows-hole-1038992.html)
and here: Experts Warn of New Windows Shortcut Flaw (http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/)

10.06.2010
Believe it or not, I'm not dead. Just horribly busy with thousands of things in the last months. I shortly wanna point out that Sebastian Porst from Zynamics and I have done a detailed analysis on the latest PDF / Flash 0day currently being spread. If you are interested in that stuff, follow the link here: A brief analysis of a malicious PDF file which exploits this week's Flash 0-day (http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/)

28.09.2009
I made several new updates for OfficeMalScanner, including a new inflate feature for MS Office 2007 documents. You can download the package from the code section. Enjoy!

30.07.2009
Finally I'm happy to release my paper "Analyzing MSOffice malware with OfficeMalScanner". This paper describes all features of the OfficeMalScanner suite in detail. Further, I've updated some features since my PH-Neutral talk, fixed bugs and replaced bin2code with MalHost-Setup, a much smarter way to analyze the inner workings of shellcode in a real life session. Both malicious samples described in the paper are included in the package, for sure additionally compressed and with extra password safety. Switch to the paper section and enjoy reading!

31.05.2009
PH-Neutral 2009 is over and it was a great conference. My new tool called OfficeMalScanner, an MS Office forensic util, can be downloaded from the code section now!

07.05.2009
Thorsten Holz and I are giving a talk on analyzing exploitable file formats at the next PH-Neutral, a 31337 invite-only conference from FX and the gang in Berlin. Thorsten and I will introduce several ways to analyze exploitable file formats, ranging from PDF and Flash to malicious Office files like PPT, DOC or XLS. We will show some of the popular tools used for analysis and will also present 2 new tools developed especially for malicious Office-file analysis. I hope to meet a lot of interesting people again this year! Cya on 29th and 30th May 2009 in Berlin!

20.11.2008
Today I read an article on the New York Times website called "A sneaky security problem, ignored by the bad guys" (http://www.nytimes.com/external/idg/2008/11/14/14idg-A-sneaky-securi.html).
I had a conversation by phone and mail with its author Robert McMillan from IDG News before, and I've answered him some questions about my Rustock.C research as he planned to write the above story. There are some quotes by Al Huger from Symantec in this article I would like to comment on, as I disagree with most of his statements regarding rootkits.

Quote 1:
"It's extremely difficult to write code for your kernel that doesn't crash your computer," said Alfred Huger, vice president of Symantec's Security Response team. "Your software can step on somebody else's pretty easily."

I think this statement comes from the mentioned crashes that Rustock.C produced while analyzing it. But in fact it just crashed if the decryption failed because the rootkit gets analyzed on another box than the original infected one (check my slides for details). The Rustock family has proven to have stable code, as well as other creatures from its author like MEBROOT. If it crashed victims' boxes all the time, they would have reinstalled their OSes very quickly, but in fact I know people who had this beast on their boxes for 1 year without any crash and without even knowing about its existence.

Quote 2:
"Huger agrees that while rootkits are still a problem for Unix users, they're not widespread on Windows PCs."

Yep, sure. How old is the last well known rootkit on Unix, please? 3 or 4 years? And what about rootkits on Windows? Rustock, Srizbi, Ascesso, Mebroot (here is a bigger list: Antirootkit.com Stealth Malware List, http://www.antirootkit.com/rootkit-list.htm).

Quote 3:
"Rootkits make up far less than 1 percent of all the attempted infections that Symantec tracks these days."

If I just count all those useless malwares created with lame kits or code written by some kiddies, then rootkits might be only 1 percent, but if I take a look at the real effective SpamBots, Banking Trojans and so forth, nearly all of them use rootkit techniques to hide their tracks.

Ok, that's all for now. Sorry for being so rude on Al's statements, but I had to clarify this.

24.10.2008
Just came back from the hack.lu in Luxembourg. It was a great conference, with fine speeches and a lot of fun. The slides of my talk are up now and can be downloaded from the papers section. Enjoy!

15.10.2008
Everyone wondering why I haven't published my analysis results for Rustock.C? The main reason was I'm giving a talk about my research at the hack.lu 2008 on 23rd October in Luxembourg. Right after the speech you will be able to download my slides on this site, in case you are interested. Hope to meet some interesting people at hack.lu!

18.05.2008
Today a friend from Threatexpert posted a blog entry on unpacking the top-notch rootkit RUSTOCK.C! We shared some tricks and ideas before unpacking was possible and are both really glad we finally managed to get inside this beasty. Be sure there will be more details on its hooking tricks, infection ways and C&C communications in the next few days or weeks.
Rustock.C - Unpacking a Nested Doll: http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html

10.03.2008
Just updated the ClassAndInterfaceToNames package. The classes and interfaces list has grown a lot. Thanx to Sirmabus for adding all these new entries.
Sorry for being lazy at the moment, but for some weeks I have had permanent problems with my spinal disk, making it impossible to do some cool research. I really hope the doctors get this fixed very soon.

19.02.2008
Just added some links to interesting sites. Check them out in the links area.

14.02.2008
With "More advanced unpacking - Part II" I show you how to decrypt an infamous real-life malware called WSNPOEM aka Infostealer.Banker.C. The binaries are usually created with a tool called ZEUS Builder and there exist lots of different versions in the wild. I found samples with and without rootkit functionality, as well as on-top packed binaries, meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways:
1. Manual unpacking + import fixing
2. Manual unpacking + auto import fixing
3. Auto unpacking/import fixing
Stage 2 introduces a nice tool called Universal Import Fixer and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.
Download: papers/More%20advanced%20unpacking%20-%20Part%20II.zip

21.01.2008
Unbelievable but true. After 4 months of getting owned by other things making my life mad, I finally managed to release a new unpacking tutorial. This one goes far more into depth than the beginners tutorial I released last year. It aims to show some generic tricks and tools that can be used on many other protectors. Enjoy!
Download: papers/More%20advanced%20unpacking%20-%20Part%20I.zip

21.09.2007
No, I'm not dead. Just too busy in the last weeks. But today I have a new paper for you. It's an analysis of the malware Peacomm.C aka StormWorm. It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all things that happen on this way, like: XOR + TEA decryption, TIBS unpacking, defeating anti-debugging code, file dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit-driver does.
Download: papers/Peacomm.C%20-%20Cracking%20the%20nutshell.zip

17.07.2007
Right after finishing my COM reconstruction helpers, I present you today a movie that aims to be a practical COM code reconstruction tutorial. The analysed function of this malware dumps the Windows protected storage to steal account data like member site passes, Outlook Express accounts, autocomplete fields and so forth. And as it makes heavy use of the COM interface, it was the perfect candidate to show you how this nasty code can be restored to far better readable code. Enjoy!
Download: papers/Practical%20COM%20code%20reconstruction.swf

16.07.2007
On the flight back from New York I had some time to write a small Python script which generates IDAPython code from vtable structures inside the include files of the Microsoft PSDK 2003-R2. The generated script adds all known vtable structures from the PSDK to an IDB file to save time while reconstructing COM code. Hope it's useful for others as well. Enjoy!
Download: code/VtablesStructuresFromPSDK2003R2.zip

16.06.2007
This small IDAPython script scans an idb file for class and interface UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, thus this little helper. It personally helped me a lot while reversing several malwares using the COM interface, e.g. for browser or Outlook manipulation, BITS file transfer or dumping the protected storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA
Download: code/ClassAndInterfaceToNames.zip

03.06.2007
MFC42Ord2FuncNames is a small IDAPython script which converts MFC42 functions into their real names. Normally IDA Pro should do this automatically, but in some cases the IDA auto-analysis fails. Watch the short flash movie included in the package for details.
Download: code/MFC42Ord2FuncNames.zip

14.05.2007
Brian Krebs from The Washington Post wrote a nice article on his blog about BITS here: New Attack Piggybacks on Microsoft's Patch Service (http://blog.washingtonpost.com/securityfix/2007/05/malware_using_microsoft_patch.html)

13.05.2007
VMEDetect v0.1 is a small commandline tool written in assembly, which makes use of the RDTSC trick to check for the presence of VMWare and VirtualPC.
Download: code/VMEDetect v0.1.zip

11.05.2007
This is a little proof of concept code to test if your application firewall alerts when bitscode.exe tries to download and execute fwbypassalert.exe from this site.
Download: code/bitscode.zip
Also check out Elia Florio's blog for more information on this problem: Malware Update with Windows Update (http://www.symantec.com/enterprise/security_response/weblog/2007/05/malware_update_with_windows_up.html)

22.03.2007
There's a new version of SYSER available, a SoftICE-like kernel debugger with a nice GUI. Supported OSes are Windows 2000, XP, 2003 and VISTA!!! Software and documentation can be found here: http://www.sysersoft.com/download/
Also check out the Links section. Added a bunch of nice sites.

21.01.2007
I put a new paper online. It is an analysis of the Rustock.B rootkit. The rootkit used several proprietary obfuscation/packing methods to hide the native driver code from prying eyes. I have divided the paper into two main parts. The first part, which is divided in three stages, describes how to extract the native rootkit driver code without the use of kernel debuggers or other ring0 tools. The second part basically does the same, but much faster and with less effort using the SoftICE kernel debugger. Each part shows various possibilities for solving the different problems facing the researcher when analyzing Rustock. All the code and IDB files are included in the package!

13.12.2006
There's a new flash movie on manual unpacking and auto-IAT fixing of UPX and Aspack in the papers section. This might be useful for people who are new to malware analysis and don't have a clue how to unpack and repair a binary.

10.12.2006
IDAAPIHelp v0.3 is ready for download! The API database has grown a lot (16,1 MB) and includes Windows Platform SDK, DDK, NTundoc as well as MSCRT APIs like free, memset, malloc, fopen etc. now.

17.10.2006
Today I have a small IDAPython script for you that saves time when searching for API information while e.g. analyzing a malware with IDA Pro. It looks at the cursor position for a valid API call and if found it tries to show you the eligible API info from the provided helpfile. The package can be found in the code section.

12.10.2006
It seems that Oleh Yuschuk strikes back in the near future with a new release of his rocking debugger OllyDbg, but read for yourself: http://www.ollydbg.de/version2.html

13.07.2006
After some lazy months I've finally found the time to release something. Superkill is a small tool to kill processes which are normally protected from being stopped on application level. After starting Superkill it detaches its driver from the RC_DATA resource area, installs it as a service and runs the driver. Communication between app-level code and driver is handled through the DeviceIoControl() function. Full source code included. Flip to the code section for downloading.

26.05.2006
Just read Matt Pietrek's blog and I'm completely aghast at the moment. Compuware retired DriverStudio and therefore SoftICE, my beloved debugger. This is a really sad day for me and I'll booze as hell at the PH-Neutral conference tonight, to quickly forget what I read some minutes ago.
Here's the link to the blog post: http://blogs.msdn.com/matt_pietrek/archive/2006/04/07/570927.aspx
as well as an obituary from one of its parents: http://blogs.msdn.com/matt_pietrek/archive/2006/04/11/573621.aspx

18.03.2006
My first paper is a step by step guidance on how to use the world's best debugger called SoftICE, which is part of Compuware's DriverStudio. This essay discusses the installation & configuration of the debugger, the most useful commands SoftICE offers, a rocking extension called IceExt, as well as a categorized list of good breakpoints. For a better understanding, screenshots are placed at distinctive points. Flip to the papers section for further reading.

13.03.2006
Welcome to my little site. Here you'll find several papers & code regarding reverse engineering which is hopefully useful for others as well. Feel free to discover the different sections and download some stuff of my work. Don't miss to visit the other cool links to friends and other good reverser sites. I'll try to update this site on a regular basis, but remember that I do this in my very spare time. So don't blame me if there's a month without an update. Now enjoy the content here and just drop me some lines if you have questions regarding this page or constructive reviews of my work (email can be found in the about section).

cheers, frank

(Mirrored from www.reconstructer.org/main.html by HTTrack Website Copier/3.x XR&CO2006, Tue, 21 Mar 2006 10:24:21 GMT)