Random stats from 300k malicious samples – copyright banners

Some more stats from the 300K samples – this time the copyright banners embedded inside the samples – every entry below occurs 1000+ times:

  38186 Copyright (c) 1998 Hewlett-Packard Company
   5944 Portions Copyright (c) 1983,99 Borland
   4055 deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly
   3580 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
   3433 inflate 1.1.3 Copyright 1995-1998 Mark Adler
   2858 Terms of use at https://www.verisign.com/rpa (c)041.0, 
   2654 inflate 1.2.3 Copyright 1995-2005 Mark Adler
   2463 inflate 1.1.4 Copyright 1995-2002 Mark Adler
   2390 Portions Copyright (c) 1999,2003 Avenger by NhT
   2365 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
   1823 Portions Copyright (c) 1983,97 Borland
   1683 unzip 0.15 Copyright 1998 Gilles Vollant
   1670 Copyright
   1669 NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.0
   1618 deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
   1492 Copyright (C) 2001, 2003 Radim Picha
   1361 Copyright Flag
   1354 Zip archive creation and modification Copyright 2000 Tadeusz Dracz

As you can imagine, the stats are not gathered for the sole purpose of amusement.
Soon, all of these will be added to HexDive :-)
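For anyone who wants to reproduce a tally like the one above on their own sample set, here is an added example (not code from the original post or from HexDive) of the basic procedure: pull printable ASCII and UTF-16LE strings out of each file, keep the ones that look like a copyright banner, and count how many samples carry each distinct banner. The three byte blobs at the bottom are constructed stand-ins for samples, not real malware, and the regexes and the 1000-style threshold parameter are my assumptions about how such a count would be set up.

```python
import re
from collections import Counter
from typing import Iterable

# Minimum run of printable characters that counts as a "string" (assumption; strings(1) uses 4).
MIN_STRING_LEN = 8

# Printable ASCII runs; UTF-16LE runs (ASCII char followed by NUL) are found in a second pass.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_STRING_LEN)

# Banner forms seen in the tallies above: "Copyright", "(c)"/"(C)", or the (c) sign itself.
_BANNER = re.compile(r"(?i)(copyright|\(c\)|\xa9)")


def extract_strings(data: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE strings found in a byte blob."""
    found = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)]
    for m in _WIDE_RUN.finditer(data):
        found.append(m.group().decode("utf-16-le"))
    return found


def copyright_banners(data: bytes) -> set[str]:
    """Distinct copyright banners in one sample. A set, so a banner embedded twice
    in the same file still counts once in the corpus tally."""
    return {s.strip() for s in extract_strings(data) if _BANNER.search(s)}


def tally_banners(samples: Iterable[bytes], min_count: int = 1) -> list[tuple[str, int]]:
    """Count how many samples carry each banner; most common first.
    min_count mirrors the '1000+ occurrences' cut-off used in the post."""
    counts: Counter[str] = Counter()
    for blob in samples:
        counts.update(copyright_banners(blob))
    return [(b, n) for b, n in counts.most_common() if n >= min_count]


# Constructed stand-ins for samples: two zlib/Borland-style binaries and one whose
# banner is stored as UTF-16LE. Not real malware.
SAMPLE_A = (b"\x4d\x5a\x90\x00" + b"\x00" * 16
            + b"inflate 1.2.3 Copyright 1995-2005 Mark Adler\x00"
            + b"deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly\x00"
            + b"\xcc" * 8)
SAMPLE_B = (b"\x4d\x5a" + b"\x90" * 10
            + b"Portions Copyright (c) 1983,99 Borland\x00"
            + b"inflate 1.2.3 Copyright 1995-2005 Mark Adler\x00")
SAMPLE_C = (b"\x00" * 8
            + "Copyright (C) 2001, 2003 Radim Picha".encode("utf-16-le")
            + b"\x00\x00")

if __name__ == "__main__":
    for banner, n in tally_banners([SAMPLE_A, SAMPLE_B, SAMPLE_C]):
        print(f"{n:>8} {banner}")
```

On a real corpus, replace the three constants with the bytes of each file on disk; counting per sample rather than per string occurrence is what keeps a packer that embeds the same banner several times from inflating the numbers.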

Forensic Riddle #12 – Answer

There are many answers to this one.

For starters, consider the triplet A, W, UTF8 instead of the usual A, W pair in:

  • DnsQueryExA
  • DnsQueryExUTF8
  • DnsQueryExW

or

  • DnsQuery_A
  • DnsQuery_UTF8
  • DnsQuery_W

Other examples include:

  • RunDll32ShimW exists for Unicode, but there is no ANSI counterpart RunDll32ShimA
  • GetHashFromFile (no suffix) is the ANSI version and GetHashFromFileW the Unicode one
  • the triplet ShellExec_RunDLL (no suffix), ShellExec_RunDLLA (ANSI) and ShellExec_RunDLLW (Unicode)

and many more…
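The exceptions above are easy to spot by eye in a short list, but in a full export or import table it helps to let a script group names into A/W/UTF8 families and report the ones that break the usual pair. The following is an added example, not code from the original post: it splits each name into a base and a character-set suffix with a simple regex (a heuristic, since any name ending in an upper-case A or W will be treated as flavoured), groups siblings by base name, and labels each family. The export list fed to it is constructed from the names in the answer plus a normal A/W pair and a plain name, to show that those two are not flagged.

```python
import re
from collections import defaultdict
from typing import Iterable

# Base name, an optional "_" separator, and a character-set suffix, e.g.
# DnsQuery_W -> ("DnsQuery", "W"), DnsQueryExUTF8 -> ("DnsQueryEx", "UTF8").
# Heuristic (assumption): an unsuffixed name, or one ending in something other
# than UTF8/A/W, is treated as the bare form of its own family.
_SPLIT = re.compile(r"^(?P<base>.+?)_?(?P<suffix>UTF8|A|W)$")


def split_export(name: str) -> tuple[str, str]:
    """Return (base, suffix); suffix is '' for an unsuffixed name."""
    m = _SPLIT.match(name)
    if not m:
        return name, ""
    return m.group("base"), m.group("suffix")


def group_families(names: Iterable[str]) -> dict[str, dict[str, str]]:
    """base name -> {suffix: full export name}."""
    families: dict[str, dict[str, str]] = defaultdict(dict)
    for n in names:
        base, suffix = split_export(n)
        families[base][suffix] = n
    return dict(families)


def classify(flavours: set[str]) -> str:
    """Label a family by which character-set variants it has."""
    if flavours == {"A", "W"}:
        return "standard A/W pair"
    if flavours == {"A", "W", "UTF8"}:
        return "A/W/UTF8 triplet"
    if flavours == {"", "A", "W"}:
        return "unsuffixed/A/W triplet"
    if flavours == {"", "W"}:
        return "unsuffixed ANSI + W"
    if flavours == {"W"}:
        return "W only, no ANSI twin"
    if flavours == {"A"}:
        return "A only, no Unicode twin"
    if flavours == {""}:
        return "no character-set variants"
    return "other: " + "/".join(sorted(flavours))


def naming_exceptions(names: Iterable[str]) -> dict[str, str]:
    """Families that deviate from a plain A/W pair or a single unsuffixed name."""
    unremarkable = {"standard A/W pair", "no character-set variants"}
    result = {}
    for base, members in group_families(names).items():
        kind = classify(set(members))
        if kind not in unremarkable:
            result[base] = kind
    return result


# Constructed export list: the names from the riddle answer plus one ordinary
# A/W pair and one plain name that should not be reported.
EXPORTS = [
    "DnsQueryExA", "DnsQueryExUTF8", "DnsQueryExW",
    "DnsQuery_A", "DnsQuery_UTF8", "DnsQuery_W",
    "RunDll32ShimW",
    "GetHashFromFile", "GetHashFromFileW",
    "ShellExec_RunDLL", "ShellExec_RunDLLA", "ShellExec_RunDLLW",
    "CreateFileA", "CreateFileW",
    "GetTickCount",
]

if __name__ == "__main__":
    for base, kind in sorted(naming_exceptions(EXPORTS).items()):
        print(f"{base:<20} {kind}")
```

Feed it the export names dumped from a DLL and the "other:" label will also surface families with unusual combinations that the fixed list above does not anticipate.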