Wednesday, February 17, 2010

Executables Feed for Malware Analysis

Someone sent me an email wondering why I don't continue to publish a feed for recent executables (like the older version of jsunpack), and I do! I thought the answer could be useful to others wanting to perform malware analysis, so keep reading if that interests you.

You can search for the term "executable" under the recent submissions of jsunpack.jeek.org. These are not guaranteed to be malicious, but most of them are likely to be. Many of the URLs come from decoded JavaScript or from environment variables pointing to executables.

Here are the links:

Search: http://jsunpack.jeek.org/dec/go?list=1&search=executable
RSS Feed: http://jsunpack.jeek.org/dec/go?search=executable&list=search

For each executable you find, you may choose not to download it from the actual server (the server may not offer the file anymore). In that case, you can download the executables from jsunpack instead.

Each link in the RSS feed points to a decoding report like this:
http://jsunpack.jeek.org/dec/go?report=d6257c1932efa718fe424fbdd92ae7e0779aa9df

If you replace the "go" part with "download", you'll get all the files created and the executable file.
http://jsunpack.jeek.org/dec/download?report=d6257c1932efa718fe424fbdd92ae7e0779aa9df
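The "go" to "download" rewrite described above can be applied to a whole feed at once. This is an added example, not code from jsunpack: it assumes the feed is RSS 2.0 with `<link>` elements and that report ids are 40 hex characters like the one shown above, and it runs on a constructed sample feed rather than fetching anything.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample feed (not real jsunpack output). The report id is the one
# quoted in the post; the malformed and off-site links are made up.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed sample</title>
<item><link>http://jsunpack.jeek.org/dec/go?report=d6257c1932efa718fe424fbdd92ae7e0779aa9df</link></item>
<item><link>http://jsunpack.jeek.org/dec/go?report=d6257c1932efa718fe424fbdd92ae7e0779aa9df</link></item>
<item><link>http://jsunpack.jeek.org/dec/go?report=../../etc/passwd</link></item>
<item><link>http://example.invalid/dec/go?report=0000000000000000000000000000000000000000</link></item>
</channel></rss>"""

HOST = "jsunpack.jeek.org"
# Assumption: report ids are 40 lowercase hex characters, as in the post's example.
REPORT_ID = re.compile(r"[0-9a-f]{40}")


def download_urls(rss_text):
    """Return de-duplicated download URLs for the valid report links in a feed."""
    urls = []
    for link in ET.fromstring(rss_text).iter("link"):
        parts = urlsplit((link.text or "").strip())
        # Feed content is untrusted: accept only the expected host and report path.
        if parts.hostname != HOST or parts.path != "/dec/go":
            continue
        ids = parse_qs(parts.query).get("report", [])
        # Exactly one well-formed id; rejects path tricks and repeated parameters.
        if len(ids) != 1 or not REPORT_ID.fullmatch(ids[0]):
            continue
        # Rebuild the URL from validated parts instead of string-replacing "go".
        url = f"http://{HOST}/dec/download?report={ids[0]}"
        if url not in urls:
            urls.append(url)
    return urls


if __name__ == "__main__":
    for u in download_urls(SAMPLE_RSS):
        print(u)
```

The files behind these URLs are likely malicious, so fetch them only from an isolated analysis machine.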

Please enjoy and send me any reports for malware that you analyze and I'll post them on the site.

Tuesday, February 9, 2010

Shmoocon Recap and Presentation Slides

Shmoocon was great! At the Own the Con talk hosted by Bruce Potter, the event organizer, he explained that one of the reasons for limiting the con to 1500 people is that his house, living room, and garage become full of swag. He also mentioned that at the open bar on Saturday night Shmoocon attendees created a bar tab of $28k!

He also said attendance was great (about 95 percent), given that we had just experienced the worst snowstorm in Washington DC's history.

Thanks to Bruce, his wife, and all the volunteers for putting on another awesome Shmoocon this year! I put the slides from my presentation online for those of you who couldn't make it:

http://jsunpack.jeek.org/BlakeHartstein_Shmoocon_Jsunpack_20100206.pdf

Thursday, February 4, 2010

Shmoocon and New Releases

Hi everyone,
If you make it to Shmoocon this weekend, I'll be presenting jsunpack on Saturday at 10am. Also, check out the improved web interface!

See you there!
Blake