Old 12-31-2012, 10:25 AM   #11
joppeknol
 
Join Date: Dec 2009
Default Re: Programm for the fight (4th edition)

Quote:
Originally Posted by jeff_wilson View Post
Is there an easy way to do this sort of monitoring?
Wireshark is the most commonly used tool (to my knowledge).

http://www.wireshark.org

Not sure if you want to do this. If it's malware, you may end up reinstalling your Windows. It might be doable on a virtual machine, though.
Old 12-31-2012, 11:08 AM   #12
jeff_wilson
Computer Scientist
 
 
Join Date: Aug 2004
Location: Dallas, Texas
Default Re: Programm for the fight (4th edition)

Quote:
Originally Posted by joppeknol View Post
Wireshark is the most commonly used tool (to my knowledge).

http://www.wireshark.org
I mean something easier than coding with Wireshark or going through its default packet firehose.
__________________
.
Reposed playtest leader.

The Campaigns of William Stoddard
Old 12-31-2012, 11:33 AM   #13
ClayDowling
 
 
Join Date: Jul 2007
Location: Ann Arbor, MI
Default Re: Programm for the fight (4th edition)

There isn't going to be anything easier than Wireshark.

But there's precious little doubt that it's part of a botnet, or it wouldn't be starting a service.

The fact that it's establishing a crypto context is also unsavory. You don't do that just to use the crypto API's random number generator. A crypto context is used for bulk data processing, like encrypting and decrypting a message, and there's certainly no need to generate hashes, which are used to sign messages and establish authenticity.

You do establish a crypto context if you want to secure communication with a remote host, and you sign the messages if you want to keep somebody from taking over the botnet you went to the trouble to build.

There's little likelihood that the app does much of use. It's the work of 20 minutes to dummy up a form and give it some basic interactions. There's likely a botnet toolkit bolted on to the back end of it. You can buy them relatively cheaply if you know the right markets, and there are even a few open source ones.

There are plenty of us on here who create actual apps, and we either post source, or publish them through more reputable outlets. We also tend to establish ourselves as part of the community first.
__________________
Online Campaign Planning
Old 12-31-2012, 12:09 PM   #14
jeff_wilson
Computer Scientist
 
 
Join Date: Aug 2004
Location: Dallas, Texas
Default Re: Programm for the fight (4th edition)

Quote:
Originally Posted by ClayDowling View Post
There isn't going to be anything easier than Wireshark.

But there's precious little doubt that it's part of a botnet, or it wouldn't be starting a service.

The fact that it's establishing a crypto context is also unsavory. You don't do that just to use the crypto API's random number generator. A crypto context is used for bulk data processing, like encrypting and decrypting a message, and there's certainly no need to generate hashes, which are used to sign messages and establish authenticity.
Hashing is used to avoid some expensive sorting operations, but I don't see those being necessary here either.

What tools are you using to gather the intelligence on the Crypto and ACL and NT services calls?
__________________
.
Reposed playtest leader.

The Campaigns of William Stoddard
Old 12-31-2012, 01:05 PM   #15
johndallman
Night Watchman
 
Join Date: Oct 2010
Location: Cambridge, UK
Default Re: Programm for the fight (4th edition)

Quote:
Originally Posted by jeff_wilson View Post
What tools are you using to gather the intelligence on the Crypto and ACL and NT services calls?
"dumpbin /imports" will do it nicely. The depends.exe tool provides a GUI for accessing the same information, plus some other things. Clay may be using something else, but those are the MS tools, which come with Visual Studio, even the free versions.
Old 12-31-2012, 01:07 PM   #16
JCurwen3
 
 
Join Date: Dec 2007
Location: Brooklyn, NY
Default Re: Programm for the fight (4th edition)

Quote:
Originally Posted by ClayDowling View Post
The fact that it's establishing a crypto context is also unsavory. You don't do that just to use the crypto API's random number generator. A crypto context is used for bulk data processing, like encrypting and decrypting a message, and there's certainly no need to generate hashes, which are used to sign messages and establish authenticity.
Well, as I said, I do use the crypto API for the random number generator for dice rolls in my own programs, and exclusively use it for that in many of them. Still, I see your point, and everything else in this is very suspect.
__________________
-JC
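
Added example, not part of any post in this thread: a small parser for `dumpbin /imports` text that separates the RNG-only use of the crypto API (the benign case JCurwen3 describes) from hashing or encryption imports, and also lists service-control and ACL imports. The function names are real advapi32.dll exports, but which ones to group together is an assumption of this example, and the sample output is constructed, not taken from the program under discussion.

```python
import re

# Base names ("A"/"W" suffix removed) of real advapi32.dll exports.
# The grouping is this example's assumption, not the thread's.
RNG_ONLY = {"CryptAcquireContext", "CryptGenRandom", "CryptReleaseContext"}
SERVICE = {"OpenSCManager", "CreateService", "StartService",
           "StartServiceCtrlDispatcher", "RegisterServiceCtrlHandler"}
ACL = {"SetSecurityDescriptorDacl", "SetEntriesInAcl", "SetNamedSecurityInfo"}
MODULE = re.compile(r"^[\w.-]+\.(dll|exe|drv|bpl)$", re.I)
SYMBOL = re.compile(r"^[0-9A-Fa-f]+\s+([A-Za-z_]\w*)$")  # "<hint> <name>"

def parse_imports(text):
    """Return {module: [function, ...]} from `dumpbin /imports` output."""
    imports, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s == "Summary":  # section sizes follow (e.g. "59000 CODE")
            break
        if MODULE.match(s):
            current = imports.setdefault(s.lower(), [])
        elif current is not None and (m := SYMBOL.match(s)):
            current.append(m.group(1))
    return imports

def triage(imports):
    """Group imports into the categories debated in the thread."""
    found = {"crypto_beyond_rng": [], "service": [], "acl": []}
    for funcs in imports.values():
        for name in funcs:
            base = re.sub(r"[AW]$", "", name)
            if base.startswith("Crypt") and base not in RNG_ONLY:
                found["crypto_beyond_rng"].append(name)
            elif base in SERVICE:
                found["service"].append(name)
            elif base in ACL:
                found["acl"].append(name)
    return found

# Constructed sample output (not from the program in this thread).
SAMPLE = """\
  Section contains the following imports:
    advapi32.dll
                45A1C4 Import Address Table
                    0 CryptAcquireContextA
                    0 CryptGenRandom
                    0 CryptCreateHash
                    0 StartServiceCtrlDispatcherA
                    0 SetSecurityDescriptorDacl
  Summary
       59000 CODE
"""
```

An import table only shows what the binary is linked against; a program that resolves functions at run time will not show them here.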
Old 12-31-2012, 03:53 PM   #17
Sanity
 
Join Date: Aug 2007
Default Re: Programm for the fight (4th edition)

Quote:
Originally Posted by joppeknol View Post
Wireshark is the most commonly used tool (to my knowledge).

http://www.wireshark.org

Not sure if you want to do this. If it's malware, you may end up reinstalling your Windows. It might be doable on a virtual machine, though.
Only by the large group of people that are too ignorant to look up what is available in their operating system. Sadly, there are many.

The alternative is Microsoft Network Monitor (sans Windows 8 - not sure it is available for that already). Available free of charge. Patched as part of the regular update sequence, so no "did I just **** up my system security" thing that a third party drive entails.
Old 12-31-2012, 05:50 PM   #18
ClayDowling
 
 
Join Date: Jul 2007
Location: Ann Arbor, MI
Default Re: Programm for the fight (4th edition)

Quote:
Originally Posted by jeff_wilson View Post
Hashing is used to avoid some expensive sorting operations, but I don't see those being necessary here either.

What tools are you using to gather the intelligence on the Crypto and ACL and NT services calls?
Cryptographic hashes aren't used to build hash tables. And even if this program was storing lists, it would be using TStringList or TList, common Delphi classes used for this kind of thing. Those don't use the crypto API.
__________________
Online Campaign Planning
Old 01-01-2013, 05:37 AM   #19
XBott94
 
Join Date: Dec 2012
Location: Oppenheim, Rheinland-Pfalz (Deutschland/Germany)
Default Re: Programm for the fight (4th edition)

1st: new screenshot (https://www.dropbox.com/s/9hbuu680himxz3p/GURPS.PNG)

2nd: complete source code (https://www.dropbox.com/s/po0w836lkf...Code-GURPS.txt)

3rd: I learn Delphi at school and we started this school year. I have no idea how to write a program like malware or something else. The program only generates the interface, reads the edit fields, makes rolls (x:=random(15)+3) you can choose and tells you the result on the labels. And I use the program for my own GURPS group, so it would be totally crazy if this program was a virus.

4th: If you see someone on the net whose name is xbott94, it will usually be me, because it is my nickname on the net and no hint of a botnet.
Old 01-01-2013, 08:51 AM   #20
ClayDowling
 
 
Join Date: Jul 2007
Location: Ann Arbor, MI
Default Re: Programm for the fight (4th edition)

Prove you're legit and post full source. It seems unlikely though that you'd be using Delphi7 in school. It's nothing like a recent release. There are other more modern tools that are more likely for you to use. Also, I'm somewhat shocked that a school is teaching Pascal instead of another language in more common usage like C++, Java or Python.

But post full source so we can build it ourselves, and we'll see if you're legit.
__________________
Online Campaign Planning

Tags
enemy, gurps 4e, helper, programming, xbott94

