[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [Full-disclosure] Fwd: What's going on about Pangolin
From: "=?utf-8?B?am9zaA==?=" <mastahflank () gmail ! com>
Date: 2008-03-29 17:04:02
Message-ID: 1057062018-1206810246-cardhu_decombobulator_blackberry.rim.net-1204573928- () bxe032 ! bisx ! prod ! on ! blackberry
[Download RAW message or body]
Its pretty obvious if you unpack it and it comes off clean. UPX always sets off alerts with the majority of AVs.
Sent from my BlackBerry smartphone with SprintSpeed
-----Original Message-----
From: Tim Kunschke <tim@timmey.homelinux.com>
Date: Sat, 29 Mar 2008 14:27:17
To:"zwell.nosec" <zwell.nosec@gmail.com>
Cc:full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: What's going on about Pangolin
I have also tested, and with the UPX packer unpacked. Nothing. Nothing
dangerous. ;)
-------------------------------------------------------------------------------------------------------------------
C:\>C:\upx302w\upx.exe -d C:\pangolin_bin\out\pangolin.exe
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
UPX 3.02w Markus Oberhumer, Laszlo Molnar & John Reiser Dec 16th 2007
File size Ratio Format Name
-------------------- ------ ----------- -----------
2834944 <- 879616 31.03% win32/pe pangolin.exe
Unpacked 1 file.
-------------------------------------------------------------------------------------------------------------------
Antivirus programs work with signatures. Matched the signature on the
upx packed programs we have a problem. A false-positive.
snake
zwell.nosec schrieb:
>
> Hi, everyone:
>
> A friend told me that modify offset at 0x000D6BDF from 0x00 to 0xff,
> then the world will be quiet. ; )
>
> ------------------------------------------------------------------------
>
> *From:* full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] *On Behalf Of *Nemes
> *Sent:* Saturday, March 29, 2008 1:18 AM
> *To:* full-disclosure@lists.grok.org.uk
> *Subject:* [Full-disclosure] Fwd: What's going on about Pangolin
>
> This is not anykind of trojan or has it got anykind of backdoor in it.
>
> I've been using it for a few days now and its fine.
>
> I had a process monitor running and aTCP/IP UDP connections monitor
> running when i unpacked the rar and ran pangolin for the first time,
> NOTHING HAPPENED except for the application starting.
>
> I did an "upx.exe -d pangolin.exe" on my copy and I got 1 FILE UNPACKED..
>
> No trojans no abckdoors, no virus nothing!
> Its fine!
>
> N
>
> ---------- Forwarded message ----------
> From: *Tremaine Lea* <tremaine@gmail.com <mailto:tremaine@gmail.com>>
> Date: 28 Mar 2008 17:20
> Subject: Re: [Full-disclosure] What's going on about Pangolin
> To: mastahflank@gmail.com <mailto:mastahflank@gmail.com>
> Cc: full-disclosure@lists.grok.org.uk
> <mailto:full-disclosure@lists.grok.org.uk>,
> full-disclosure-bounces@lists.grok.org.uk
> <mailto:full-disclosure-bounces@lists.grok.org.uk>
>
> Why should he show the source to his work?
>
> To allay valid concerns of the intended users.
>
> With some of the discussion at this point, it would certainly benefit
> the author if he wants to gain wider usage and discourage uninformed
> opinion.
>
> ---
>
> Tremaine Lea
> Network Security Consultant
> Intrepid ACL
> "Paranoia for hire"
>
>
>
> On 28-Mar-08, at 10:38 AM, josh wrote:
> > Why should he show the source to his work. I don't see him selling
> > it, he isn't twisting your arm to use it. He released it for free.
> > Either use it or don't.
> > Sent from my BlackBerry smartphone with SprintSpeed
> >
> > -----Original Message-----
> > From: "Andreas Selvicki" <drsynack@gmail.com <mailto:drsynack@gmail.com>>
> >
> > Date: Fri, 28 Mar 2008 10:25:25
> > To:full-disclosure@lists.grok.org.uk
> <mailto:To:full-disclosure@lists.grok.org.uk>
> > Subject: Re: [Full-disclosure] What's going on about Pangolin
> >
> >
> > Let's see the source please.
> >
> >
> > On 3/26/08, zwell@sohu.com <mailto:zwell@sohu.com>
> <mailto:zwell@sohu.com <mailto:zwell@sohu.com>> <zwell@sohu.com
> <mailto:zwell@sohu.com> <mailto:zwell@sohu.com <mailto:zwell@sohu.com>
> > > > wrote:
> > I've just read the discussion from here, seriously, I don't know
> > what's going on.
> > I've coded it since 2005 and never release it until this year. And I
> > really do not know why it be treated as a backdoor.
> >
> > If you think it is a backdoor, so please do a reverse engineering on
> > it. You can capture the network packet, you can list all the strings
> > in it, even you can hook APIs in it. Do anything you like to make
> > sure whether it's backdoor or not.
> >
> > BTW, I packeted it through UPX to reduce the size. And some people
> > focused on "http://www.nosec.org/web/index.txt
> <http://www.nosec.org/web/index.txt
> > > ", which is used in ORACLE injection mode when the target database
> > is in intranet so we can use some store-procs to make the target to
> > visit our website then we can receive the internet address that is
> > mapped to outside. Anybody who is good at oracle injection should
> > know this.
> >
> > Really, I wanna know why!!!
> >
> >
> >
> > < div class="w134">
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > ----------------
> >
> > 2008年薪水翻倍技巧 <http://doc.go.sohu.com/200802/5e1b674ab8183f3db8baba
> > 8ee4c6dd53.php>
> > *用搜狗拼音写邮件,体验更流畅的中文输入>> <http://goto.m
> > ail.sohu.com/goto.php3?code=mailadt-ta
> <http://ail.sohu.com/goto.php3?code=mailadt-ta>>
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> <http://lists.grok.org.uk/full-disclosure-charter.html
> > >
> > Hosted and sponsored by Secunia - http://secunia.com/
> <http://secunia.com/
> > >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic