[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTimXQZ=Qsar786S16zaJ8BcV+pBpzPmr4552kzL_@mail.gmail.com>
Date: Wed, 9 Mar 2011 20:15:05 +0000
From: Cal Leeming <cal@...whisper.co.uk>
To: John Harwold <johnharwold@...il.com>
Cc: "McGhee, Eddie" <Eddie.McGhee@....com>,
"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Buying Web Malware Samples
It sounds like you are looking for drive by kit samples.
Why not just write your own crawler? Find an AV (which has drive by kit
detection and passive scanning), check to see how many requests you can send
to it per minute, then pipe in a shit load of random URLs based on crawled
links from ads (ads links are the most common for having drive by kits), see
which requests were blocked, and queue them for mirroring later.
Some AVs will do drive by kit detection without needing to call a remote
API, which would be quite nice.
Obviously, the AVs aren't going to give you a nice API which you can call
directly, so there would be some tinkering and possibly memory injection
involved.
This approach isn't exactly going to have a high hit rate, and you will
still need to de-obfuscate / decompile and analyse any malware you find, but
it'd be a giggle either way.
There's probably a better way of doing it, but this would certainly be fun
to make :D
On Wed, Mar 9, 2011 at 7:56 PM, John Harwold <johnharwold@...il.com> wrote:
> 0. ) I need that malware for research stuff.
>
> 1. ) There is no way for me to prove that I'm speaking truth.
>
> 2. ) What's wrong with gmail address?
>
> 3. ) 500$ offer is still active.
>
>
> Sincerely,
> J.H.
>
>
>
> On Wed, Mar 9, 2011 at 8:23 PM, Cal Leeming <cal@...whisper.co.uk> wrote:
>
>> Actually, just out of curiosity, why do you need to purchase malware
>> samples?
>>
>> On Wed, Mar 9, 2011 at 7:19 PM, Cal Leeming <cal@...whisper.co.uk> wrote:
>>
>>> 1) You are requesting this from a gmail address. Not a good look.
>>>
>>> 2) You aren't representing yourself as a company entity, which indicates
>>> you might want this malware for malicious purposes.
>>>
>>> 3) Looks like you're trying to bullshit tbh.
>>>
>>> Just my two cents.
>>>
>>> On Wed, Mar 9, 2011 at 6:34 PM, John Harwold <johnharwold@...il.com>wrote:
>>>
>>>> I need (JS/PDF/HTML/Exploit) malware samples, and I'm not a cheater.
>>>> If I say that I'll pay 500$ for best submission, I'll pay 500$ for it.
>>>>
>>>> I won't pay before I see the stuff.
>>>> I don't want to pay 500$ for big zip file with garbage in it.
>>>>
>>>> Best submission will be rewarded with 500$. That's it.
>>>> If you have what I need, and you are not satisfied with this
>>>> arrangement, find a way in which we'll both be satisfied...
>>>> give me access to place where I can inspect them or something like that.
>>>>
>>>> Sincerely,
>>>> J.H.
>>>>
>>>>
>>>> On Wed, Mar 9, 2011 at 7:21 PM, McGhee, Eddie <Eddie.McGhee@....com>wrote:
>>>>
>>>>> Yes lets all send out malware samples and *hope* you actually pay the
>>>>> best submission, tell you what send me the $500 and ill send you a pretty
>>>>> comprehensive tar full of samples.
>>>>>
>>>>>
>>>>> ------------------------------
>>>>> *From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
>>>>> full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *John Harwold
>>>>> *Sent:* 09 March 2011 16:35
>>>>> *To:* full-disclosure@...ts.grok.org.uk
>>>>> *Subject:* [Full-disclosure] Buying Web Malware Samples
>>>>>
>>>>> Hi folks,
>>>>>
>>>>> I'm buying web malware samples... obfuscated malicious javascript, web
>>>>> exploit kits, pdf malware, browser/activex exploits, etc.
>>>>> I'm not interested in executable (PE/ELF) malware.
>>>>> Contact me on email with download URL, or send ZIP/TAR/RAR malware
>>>>> archive directly to my email (with changed archive extension to .MAL because
>>>>> of gmail filtering).
>>>>>
>>>>> After two weeks, contributions will be revisited and person with
>>>>> largest collection of real web malware will receive prize of 500$.
>>>>>
>>>>> Bye,
>>>>> J.H.
>>>>>
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists