14367
The largest collection of malware source, samples, and papers on the internet. Password: infected Website: https://www.vx-underground.org/ vx-underground Telegram chatroom link: https://t.me/+njfLzUrqos01ZWNh
We're so back 🙏
But in all seriousness, this is cooked. Also, driver is signed. Throw in the pile of crappy poo poo pee pee drivers
https://gist.github.com/alfarom256/f1342f14dc6a742de7ea4004a1b6d7ed
That equates to roughly $3,900 of monthly revenue.
Chat, we are absolutely cooked
New paper additions:
- 2024-07-31 - LayeredSyscall - Abusing VEH to Bypass EDRs
- 2024-03-31 - Syscalls via Vectored Exception Handling
- 2022-02-03 - RecycledGate - Indirect Syscalls
- 2016-11-04 - Windows 10 Hooking Nirvana explained
Mikko Hyppönen, Chief Research Officer of FSecure, confirms his first known siting of the password being 'infected' was March 1st, 2001.
Please note the other password was 'hot4u'. In an alternate universe the password to malware is hot4u.
Uploading 23,023 malwares.
Unfortunately, the malware was supposed to go live yesterday but someone pushed the malware to the wrong place in prod. The issue is being corrected.
New papers going live once this issue is resolved.
The malware oopsie-doopsie paradox
The more evasive techniques introduced into your payload, the more likely it be detected
The less evasive techniques introduced into your payload, the more likely it be detected
One thing noobie scoobies don't seem to understand is that malware is literally just software. Understandably, that seems kind of obvious, it's in the name — 'malicious software'. But it seems less obvious to some that, in order to write malware, you apply the exact same principles, techniques, and structures that legitimate software uses.
Malware is regular ol' programming with some sprinkles of weird stuff. These weird things are documented and shared. Some try to find new weird things.
When people ask what language is best for malware... it's kind of like asking 'what's the best ice cream flavor?'. It's entirely subjective. Everyone will tell you something different. You'll notice a lot of people will prefer Chocolate or Vanilla, you may encounter some who like Raspberry Banana Sprinkle Jam-Blam Blast, or Minty Schminty SpongeBob Sticks Bombs, but at the end of the day it's all still ice cream.
In it's most simple form, all malware techniques are things legitimate software may do.
Ransomware?
- Step 1. Enumerate files in a directory
- Step 2. Lock and encrypt files
Information Stealers?
- Step 1. Enumerate files in a directory
- Step 2. Upload files somewhere
RATs?
- Step 1. Make program run at start
- Step 2. Execute commands (cmd, powershell, other programs)
- Step 3. Upload files somewhere
Loaders?
- Step 1. Download file from somewhere
- Step 2. Run file
Everything the malware does is just an expansion of what is explained above.
Want to find new malware techniques? Find new ways to execute a process, find new ways to enumerate files in a directory, file new ways to upload files somewhere, find new ways to download files from somewhere, find new ways to write to files or delete files, etc.
How do you do this? Read. Read everything. Blogs, Windows documentation, StackOverflow, Wikipedia, our website. Look at every DLL you find on your computer in Ida or Ghidra, just open stuff and look around. Look at other peoples work and see if you can expand on it and find something new.
tl;dr learn to code, then learn weird stuff
Congratulations to everyone who survived 2024.
2025 is double elimination round.
Happy New Year
In celebration of the 2025, you will all be given one (1) limited edition kitty cat.
Cheers,
A 20 year old United States soldier worked with Threat Actors and, following the arrest of his associates, threatened to leak telephone logs from Kamala Harris and Donald Trump.
This was a very, very, very bad decision.
https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizon-extortions/
We are in the process of deploying 150,000 new malware samples.
This should have occurred earlier. However, a Threat Actor conducted a sophisticated cyberattack and compromised our infrastructure (my puppy decided to chew on the cables connecting to my local backup NAS).
Hi
We've updated the VirusSign collection.
- VirusSign.2024.12.04
- VirusSign.2024.12.05
- VirusSign.2024.12.06
- VirusSign.2024.12.07
- VirusSign.2024.12.08
- VirusSign.2024.12.09
- VirusSign.2024.12.10
- VirusSign.2024.12.11
- VirusSign.2024.12.12
- VirusSign.2024.12.13
- VirusSign.2024.12.14
- VirusSign.2024.12.15
- VirusSign.2024.12.16
- VirusSign.2024.12.17
- VirusSign.2024.12.18
- VirusSign.2024.12.19
- VirusSign.2024.12.20
- VirusSign.2024.12.21
- VirusSign.2024.12.22
- VirusSign.2024.12.23
- VirusSign.2024.12.24
- VirusSign.2024.12.25
- VirusSign.2024.12.26
- VirusSign.2024.12.27
Approx. 70,000 malicious binaries
Good morning, afternoon, or evening,
We have completed our re-organization of the Windows malware papers (per the request of many). We have introduced more precise sections.
In the future these sections may expand or contract — papers may move. ¯\_(ツ)_/¯
Our Telegram userbase missed the message earlier.
We have historically enjoyed posting photos of cats. They're pretty cool. We came up with this idea of doing mass aggregation of cat photos. We are aiming to make a cat photo exchange (???). No idea why. There is no objective with it. It is quite literally mass-scale cat photo aggregation and displaying it on social media.
Each cat will be hashed to remove duplicates.
tl;dr largest collection of cat photos on the internet
dudes steals a South Korean government Xitter profile and tweets "north korea is best korea". thats diabolical stuff
Читать полностью…
Shoutout to the homies at "IObit Malware Fighter".
Their IMFForceDelete driver is so wildly vulnerable, and poorly written, you can have their driver arbitrarily delete any file on the machine with 0 privileges and literally 1 line of code
Thanks _mmpte_software for sharing
In 2025 thus far we have lost 2 sponsors — potentially 3 sponsors.
Chat, we are cooked
> go to computer store
> computer store guy recommends norton antivirus
> tell him no thank you
> says viruses and malware is dangerous
> tell him i want the malware
his reaction
New papers added:
- 2024-11-21 - New AMSI Bypss Technique Modifying CLRDLL in Memory
- 2024-11-22 - How To Use MSSQL CLR Assembly To Bypass EDR
- 2008-08-06 - Branchless Equivalents of Simple Functions
- 2024-06-28 - An unexpected journey into Microsoft Defender's signature world
- 2024-11-14 - ETW Forensics - Why use Event Tracing for Windows over EventLog
- 2024-12-19 - The Windows Registry Adventure 5 - The regf file format
- 2024-12-24 - Constructing a Win32 Control Handler in MASM
- 2024-12-19 - Process Injection Mapped Sections
- 2024-12-13 - Disabling EDRs by File Rename Junctions
- 2024-12-20 - Weaponizing WDAC Killing the Dreams of EDR
We've had a few people contact us with something along the lines of, "CISA uses your website! They did a training course and the password to the malware was infected!"
We did not set the standard of the 'infected' password. We made it more mainstream due to our follower base, but we didn't set that standard or have anything to do with it's creation.
It's been the standard for malware related stuff for over 100 years (made up number, no idea). We don't even remember how we learned the password. It's just been like that for as long as we remember.
per 404media — most of the southern part of the United States has been banned by PornHub (and associated companies e.g. Brazzers, RedTube, YouPorn, Reality Kings, etc) due to new legislation which requires age verification.
PornHub and associates assert it will be difficult to comply with new legislation and, to avoid legal liability, have opted to simply ban and/or block some portions of the United States from their websites.
As a result of these new age verification laws, what will happen?
A. People say, "wow, pornography is not cool anyway" and stop watching pornography
B. People begin purchasing VPNs (if they can afford it) to bypass geographical bans OR if unable to afford a VPN, people begin going to more shady and less-safe websites to watch pornography
C. Law makers in the southern part of the United States have a sudden change of heart and reverse recent legislation
D. Pornography vendors have a change of heart and decide to review thousands, possibly hundreds of thousands, of United States citizens PII (and pinky promise to not sell it), and put a target on their back from Threat Actors
This year we're starting off strong.
First and foremost, we've got some new sponsors. Our friends over at Binary_Defense and TrustedSec have helped us out tremendously lately. We'd especially like to thank HackingDave for helping the little nerds out and keeping malware cool and badass (and free) forever and ever. We'll be listing them on the website later.
Next up: we're working with our friends at TorGuard VPN to expand our infrastructure. They have a lot (and quite honestly, a disturbing) amount of computational resources. We will be working with them for 2 things.
1. Wide spread cat picture aggregation.
2. Wide spread malware ingestion
Next, next, on the other side of the autism spectrum: our in-house software engineer guessthepw is working on constructing a kitty cat photo database. All cats ingested will be available to browse, download, whatever.
People have asked: "smelly smellington, what's your end game with these cats?". The answer is very shrimple: no idea, thought of it while using the restroom.
Let's see where this whacky adventure takes us. Maybe in a few years it'll be bigger than vx-underground and we can use it to fuel our malware addiction. Or, alternatively, nothing will happen and the project will be dead in a year. Let's see what happens! Sometimes in life you gotta do just a thing, see if it fails, or succeeds, or what happens.
We've got lots of work to do in 2025.
Finally, as is tradition, we've got more malware to add, more malware papers to add, lots and lots of stuff. Very cool.
Thanks,
- smelly smellington
We've never personally encountered an active United States military personnel doing something like this.
It is difficult to assess if they'll go to trial as a civilian or as a soldier (United States military court) or both (which is possible, a rare double whammy)
Threat Actor using advanced evasion techniques (if he can't see you, you can't see him).
Читать полностью…
Every single time a Threat Actor compromises a large Twitter account they drop the ball.
Best usage we've seen thus far has been "North Korea is Best Korea" (a silly message), followed by goofy crypto-drainers.
tl;dr 1 shot, 1 opportunity, doesn't seize the moment, slips
We've updated the malware family collection.
Updates:
- Xworm
- AkiraRansomware
- Android.AndroRAT
- Android.Joker
- Azorult
- BruteRatel
- BumbleBeeLoader
- CrytoxRansomware
- Prometei
- PureStealer
- Rekoobe
- Remcos
- RhadamanthysLoader
- StampadoRansomware
- StealC
- SunSpinner
- DarkComet
- DCRat
- Emotet
- Furtim
- GhostPulse
- LummaStealer
- MacOS.Keydnap
- Mirai
- Multigrain
- Orcus
- PetyaRansomware
- PLAYRansomware
- PoisonIvy
"why are you guys collecting cats?"
The truth is: from discussing, reviewing, reversing, and writing about malware every single day for 6 years, we are deep fried.
It is either we collect cats, alongside malware, or alternatively we fall into a malware induced psychosis
Administrative update:
tl;dr bradley is out, i'm back. reorganizing papers. were collecting cats. no more goofing around.
0. Bradley is out-of-office. He was supposed to man-the-ship. He has experienced a family medical emergency. I am now steering the ship again.
1. Currently the Windows malware paper collection is not organized. We have been dumping them into a giant pool. We have received feedback from users regarding their dissatisfaction with this decision. Hence, we are re-organizing the Windows malware paper collection and introducing new sections to make navigation easier.
New sections:
- AMSI
- Evasion
- GPU Abuse
- Hooking
- Infection
- Initial Access
- Internals and Analysis
- Kernel Mode
- Keylogging
- LSASS
- Networking
- Persistence
- Process Injection
- Shellcode Execution
- Syscalls
- System Components and Abuse
- Windows COM
2. We have begun processing our massive backlog of malware samples. Our current backlog dates back to November, 29th. The current ingestion estimate is 600,000 new malwares.
3. As many have you seen — we have made a pseudo-pseudo-fork of vx-underground. We now have an entire 'side project' dedicated to collecting images of cats. We have received and reviewed your feedback — all images received will be pHashed (perpetually hashed?) to ensure no duplicate photos of cats exist. We have purchased a domain for the side project, we are actively developing something to display and distribute photos of cats. The current cats-related Twitter profiles do not suffice. They fail to categorize them in a structured database and do not actively distribute the cat image data to their userbase. It is disgusting and we hate it.
This is only partially a joke. But, we're wondering if we can use our nerd-mindset to defeat large cat-centric social media profiles.
4. Beside the stupid idea of collecting cat photos, we are returning to business as usual. All giveaways are done, poop posting will be minimal(ish)(depends on mood), our focus will be shifted back to malware-related material aggregation and being cybercrime TMZ.
Thanks,
- smelly smellington
The targeted advanced attack they mention was phishing (someone somewhere said it). It wasn't like when APT29 hopped laterally across buildings via WiFi using a 0day exploit
Читать полностью…