Open Source and information security mailing list archives
Message-ID: <AANLkTimXQZ=Qsar786S16zaJ8BcV+pBpzPmr4552kzL_@mail.gmail.com>
Date: Wed, 9 Mar 2011 20:15:05 +0000
From: Cal Leeming <cal@...whisper.co.uk>
To: John Harwold <johnharwold@...il.com>
Cc: "McGhee, Eddie" <Eddie.McGhee@....com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Buying Web Malware Samples

It sounds like you are looking for drive-by kit samples.

Why not just write your own crawler? Find an AV (which has drive-by kit
detection and passive scanning), check to see how many requests you can send
to it per minute, then pipe in a shit load of random URLs based on crawled
links from ads (ad links are the most common for having drive-by kits), see
which requests were blocked, and queue them for mirroring later.

Some AVs will do drive-by kit detection without needing to call a remote
API, which would be quite nice.

Obviously, the AVs aren't going to give you a nice API which you can call
directly, so there would be some tinkering and possibly memory injection
involved.

This approach isn't exactly going to have a high hit rate, and you will
still need to de-obfuscate / decompile and analyse any malware you find, but
it'd be a giggle either way.

There's probably a better way of doing it, but this would certainly be fun
to make :D

On Wed, Mar 9, 2011 at 7:56 PM, John Harwold <johnharwold@...il.com> wrote:

> 0. ) I need that malware for research stuff.
>
> 1. ) There is no way for me to prove that I'm speaking truth.
>
> 2. ) What's wrong with gmail address?
>
> 3. ) The 500$ offer is still active.
>
>
> Sincerely,
> J.H.
>
>
>
> On Wed, Mar 9, 2011 at 8:23 PM, Cal Leeming <cal@...whisper.co.uk> wrote:
>
>> Actually, just out of curiosity, why do you need to purchase malware
>> samples?
>>
>> On Wed, Mar 9, 2011 at 7:19 PM, Cal Leeming <cal@...whisper.co.uk> wrote:
>>
>>> 1) You are requesting this from a gmail address. Not a good look.
>>>
>>> 2) You aren't representing yourself as a company entity, which indicates
>>> you might want this malware for malicious purposes.
>>>
>>> 3) Looks like you're trying to bullshit tbh.
>>>
>>> Just my two cents.
>>>
>>> On Wed, Mar 9, 2011 at 6:34 PM, John Harwold <johnharwold@...il.com> wrote:
>>>
>>>> I need (JS/PDF/HTML/Exploit) malware samples, and I'm not a cheater.
>>>> If I say that I'll pay 500$ for best submission, I'll pay 500$ for it.
>>>>
>>>> I won't pay before I see the stuff.
>>>> I don't want to pay 500$ for big zip file with garbage in it.
>>>>
>>>> Best submission will be rewarded with 500$. That's it.
>>>> If you have what I need, and you are not satisfied with this
>>>> arrangement, find a way in which we'll both be satisfied...
>>>> give me access to place where I can inspect them or something like that.
>>>>
>>>> Sincerely,
>>>> J.H.
>>>>
>>>>
>>>> On Wed, Mar 9, 2011 at 7:21 PM, McGhee, Eddie <Eddie.McGhee@....com> wrote:
>>>>
>>>>> Yes, let's all send out malware samples and *hope* you actually pay the
>>>>> best submission; tell you what, send me the $500 and I'll send you a pretty
>>>>> comprehensive tar full of samples.
>>>>>
>>>>>
>>>>>  ------------------------------
>>>>> *From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
>>>>> full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *John Harwold
>>>>> *Sent:* 09 March 2011 16:35
>>>>> *To:* full-disclosure@...ts.grok.org.uk
>>>>> *Subject:* [Full-disclosure] Buying Web Malware Samples
>>>>>
>>>>> Hi folks,
>>>>>
>>>>> I'm buying web malware samples... obfuscated malicious javascript, web
>>>>> exploit kits, pdf malware, browser/activex exploits, etc.
>>>>> I'm not interested in executable (PE/ELF) malware.
>>>>> Contact me on email with a download URL, or send a ZIP/TAR/RAR malware
>>>>> archive directly to my email (with the archive extension changed to .MAL
>>>>> because of gmail filtering).
>>>>>
>>>>> After two weeks, contributions will be revisited and the person with the
>>>>> largest collection of real web malware will receive a prize of 500$.
>>>>>
>>>>> Bye,
>>>>> J.H.
>>>>>
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>


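The crawl-scan-queue pipeline Cal sketches above, written out as an added example that is not code from the thread or from any of its participants. Because no AV exposes a verdict API, the scan step here is a pluggable callable; the one supplied is a constructed heuristic scorer for common drive-by indicators (eval/unescape decoder calls, long escaped strings, zero-size or hidden iframes) with made-up weights and threshold, standing in for whatever real detector you manage to wire up. The pages, the "ads." hostname rule for queue-jumping ad links, and the requests-per-minute limit are all assumptions for the demo; nothing is fetched from the network.

```python
import re
import time
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages standing in for fetched content (no network).
SAMPLE_PAGES = {
    "http://example.test/": (
        '<html><body><a href="http://ads.example.test/click?id=1">deal</a>'
        '<script src="http://cdn.example.test/lib.js"></script>'
        '<a href="/about">about</a></body></html>'
    ),
    "http://ads.example.test/click?id=1": (
        '<html><body><iframe src="http://landing.example.test/x" width="0" '
        'height="0" style="visibility:hidden"></iframe>'
        "<script>eval(unescape('%75%6e%70%61%63%6b%65%72%20%73%74%75%62'));"
        "</script></body></html>"
    ),
    "http://cdn.example.test/lib.js": "function add(a, b) { return a + b; }",
    "http://example.test/about": "<html><body><p>About us</p></body></html>",
    "http://landing.example.test/x": "<html><body><p>hello</p></body></html>",
}

# Constructed indicator list: (pattern, weight, label). Stand-in for an AV's
# passive drive-by detection; tune or replace with a real verdict source.
INDICATORS = [
    (re.compile(r"eval\s*\(", re.I), 2, "eval()"),
    (re.compile(r"unescape\s*\(|String\.fromCharCode", re.I), 2, "decoder call"),
    (re.compile(r"(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}", re.I), 2,
     "long escaped string"),
    (re.compile(r"<iframe[^>]*(?:width=[\"']?0\b|height=[\"']?0\b|"
                r"display\s*:\s*none|visibility\s*:\s*hidden)", re.I), 3,
     "hidden iframe"),
]
THRESHOLD = 4  # assumed: score at or above this gets queued for mirroring


def score_page(body):
    """Return (score, [labels]) for a fetched body; each indicator's hit count is capped at 3."""
    total, hits = 0, []
    for rx, weight, label in INDICATORS:
        n = len(rx.findall(body))
        if n:
            hits.append(label)
            total += weight * min(n, 3)
    return total, hits


class LinkExtractor(HTMLParser):
    """Collects a/href, script/src and iframe/src targets, resolved against the page URL."""
    def __init__(self, base):
        super().__init__()
        self.base, self.links = base, []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "script": "src", "iframe": "src"}.get(tag)
        for key, value in attrs:
            if key == wanted and value:
                self.links.append(urljoin(self.base, value))


def extract_links(base, body):
    parser = LinkExtractor(base)
    parser.feed(body)
    return parser.links


def looks_like_ad(url):
    """Crude assumed rule: a hostname label 'ads' marks an ad link (e.g. ads.example.test)."""
    host = urlsplit(url).hostname or ""
    return "ads" in host.split(".")


class RateLimiter:
    """Spaces scan submissions to at most `per_minute` per minute (the limit you measured)."""
    def __init__(self, per_minute, clock=time.monotonic, sleep=time.sleep):
        self.interval = 60.0 / per_minute
        self.clock, self.sleep, self.next_ok = clock, sleep, 0.0

    def wait(self):
        now = self.clock()
        if now < self.next_ok:
            self.sleep(self.next_ok - now)
            now = self.next_ok
        self.next_ok = now + self.interval


def crawl(seed, fetch, scan, limiter, max_pages=50, threshold=THRESHOLD):
    """Breadth-first crawl from `seed`; ad-looking links jump the queue. Every
    fetched body is passed through `scan` at the limiter's rate, and bodies
    scoring >= threshold are recorded in the mirror queue for later pulling."""
    seen, frontier, mirror_queue = set(), deque([seed]), []
    while frontier and len(seen) < max_pages:
        url = frontier.popleft()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        limiter.wait()
        score, hits = scan(body)
        if score >= threshold:
            mirror_queue.append({"url": url, "score": score, "hits": hits})
        for link in extract_links(url, body):
            if link not in seen:
                (frontier.appendleft if looks_like_ad(link) else frontier.append)(link)
    return mirror_queue


def run_demo(limiter=None):
    """Crawl the constructed corpus with the heuristic scanner; returns the mirror queue."""
    limiter = limiter or RateLimiter(per_minute=600)
    return crawl("http://example.test/", SAMPLE_PAGES.get, score_page, limiter)


if __name__ == "__main__":
    for item in run_demo():
        print(f"{item['url']}  score={item['score']}  hits={', '.join(item['hits'])}")
```

Running it queues only the ad landing page (score 9: eval, unescape, a long %-escaped string and a zero-size hidden iframe); the clean pages score 0. Swapping `score_page` for a function that asks a real scanner for a verdict is the only change needed to use an AV as the oracle, and `RateLimiter` is where the measured requests-per-minute ceiling goes.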
