Clicky

Thursday, December 27, 2012

Dec. 2012 Skynet Tor botnet / Trojan.Tbot samples



Here are 7 binaries for Skynet Tor botnet aka Trojan.Tbot.  Claudio's analysis is wonderfully detailed, I just added  pcaps  and a few words in the description

Read more here:
Rapid7.  Claudio Guarnieri.  Skynet, a Tor-powered botnet straight from Reddit



Wednesday, December 26, 2012

ZeroAccess / Sirefef Rootkit - 5 fresh samples


Stocking stuffers.
ZeroAccess rootkit is far from new and exciting but but this is a fresh lot with still active C2 servers.
Although the dropper is detected by at least half of AV engines, post infection detection is another story. I tried Kaspersky TDSS Killer, Avast Rootkit utility and RootRepeal without any success. I used Gmer and LordPE to carve out the hidden file from the memory. You can use Redline or Volatility too.
You can download 5 files below together with pcaps from one of the files and the file dumped from memory. It appears that free videos and apps names are used as the lure in this case.

Tuesday, December 25, 2012

* * * Merry Christmas and Happy New Year! * * *



More presents to come, pa rum pum pum pum
    rum pum pum pum, rum pum pum pum

Monday, December 24, 2012

Dec 2012 Linux.Chapro - trojan Apache iframer


Here is another notable development of 2012 - Linux malware (see Wirenet trojan posted earlier too)
Research: ESET Malicious Apache module used for content injection: Linux/Chapro.A
All the samples are below. I did not test it thus no pcaps this time.
------Linux/Chapro.A  e022de72cce8129bd5ac8a0675996318
------Injected iframe    111e3e0bf96b6ebda0aeffdb444bcf8d
------Java exploit         2bd88b0f267e5aa5ec00d1452a63d9dc
------Zeus binary         3840a6506d9d5c2443687d1cf07e25d0

Dec. 2012 Trojan.Stabuniq samples - financial infostealer trojan



Holiday presents.
Research: Symantec. Trojan.Stabuniq Found on Financial Institution Servers
More research: Stabuniq in-Depth  by Emanuele De Lucia

Here is a another minor news maker of 2012.
It is very well detected by most AV but if you want to play or make IDS or yara signatures, the pcap and the sample is below.


Sunday, December 23, 2012

Dec 2012 Dexter - POS Infostealer samples and information


End of the year presents. Point of Sale (POS) infostealer, aka Dexter.
I got 3 more "tester-type" samples and added them below - in addition to the well known 4 samples mentioned by Seculert.
You can read more about it here:
Seculert Dexter - Draining blood out of Point of Sales 
TrendMicro Infostealer Dexter Targets Checkout Systems
Verizon: Dexter: More of the same, or hidden links?
Volatility labs Unpacking Dexter POS "Memory Dump Parsing" Malware
Trustwave labs: The Dexter Malware: Getting Your Hands Dirty
Symantec Infostealer.Dexter

Monday, December 17, 2012

Sample for Sanny / Win32.Daws in CVE-2012-0158 "ACEAN Regional Security Forum" targeting Russian companies



End of the year presents continue.
Here is an excellent analysis made by the Fireeye: To Russia with Targeted Attack. I am posting all the necessary details for this type of malware to be findable on Google plus the sample and pcap for signature development. Fireeye named it “Sanny” after one of the email addresses and many AV vendors called the dropper Win32.Daws.


Friday, December 7, 2012

Aug 2012 - Hikit APT rootkit sample



End of the year presents:
This is a sample of Hikit rootkit 
Aug 2012
Related News and Analysis:
The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1) - Mandiant



Aug 2012 W32.Crisis and OSX.Crisis - JAR file Samples - APT


End of the year presents:
Malicious Java file containing W32.Crisis and OSX.Crisis
Related News and Analysis:
Aug 2012
Crisis for Windows Sneaks onto Virtual Machines - Symantec
New Apple Mac Trojan Called OSX/Crisis Discovered - Intego




Nov 2012 Worm Vobfus Samples



End of the year presents:
This is a sample of W32.Vobfus / Worm_Vobfus

Related News and Analysis:
Nov 2012  
Trend Micro What’s the Fuss with WORM_VOBFUS?



Nov 2012 - Backdoor.W32.Makadocs Sample


End of the year presents:
These is a sample of W32.Makadocs
Related News and Analysis:
November 2012
Malware Targeting Windows 8 Uses Google Docs | Symantec
Backdoor.Makadocs | Symantec


Aug 2012 Backdoor.Wirenet - OSX and Linux


End of the year presents:
Backdoor.Wirenet.1
Related News and Analysis:
August 2012
The first Trojan in history to steal Linux and Mac OS X passwords  Dr.Web




Thursday, December 6, 2012

Nov 2012 - W32.Narilam Sample


End of the year presents:
This is a sample of W32.Narilam 

Related News and Analysis:
Nov 2012 (malware is much older but re-surfaced in Nov 2012)
W32.Narilam – Business Database Sabotage
W32.Narilam | Symantec


Oct 2012 - Skype Dorkbot / W32.Phopifas samples




End of the year presents:
These are 4 samples of Skype Dorkbot / W32.Phopifas
Related News and Analysis:
October 2012
Infection Spreads Profile Pic Messages to Skype Users -GFI
W32.Phopifas | Symantec


Wednesday, December 5, 2012

OSX/Dockster.A and Win32/Trojan.Agent.AXMO Samples, pcaps, OSX malware analysis tools



Img.baronet4tibet. Tibetan furniture
 featuring a leopard and a lion
Better late than never. Here are the samples of the recent twin newsmakers OSX/Dockster.A and Win32/Trojan.Agent.AXMO.  The malware was already described and hashes published but I thought I would add traffic captures and samples themselves.
 I ran these samples on Thursday, November 29  (OSX) and Friday, November 30 (Agent.AXMO) when the C&C servers were still online. Intego mentioned the address itsec.eicp.net was not registered and it was possibly a test but it is a dynamic DNS address and it was down by the weekend.Credit for the sample goes to an anonymous Santa. 
I have to admit that my knowledge of  OSX malware leaves much to be desired. When we deal with Windows malware, range of choices for capturing, logging, recording, and analyzing is similar to this. I cannot name more than a few for MAC OSX - Wireshark, native Apple syslogs, IDA, Macmemoryze from Mandiant, and a few more below. If you have some good recent papers and tools lists for OSX malware analysis please share.

Read more here
http://www.f-secure.com/weblog/archives/00002466.html

Wednesday, November 14, 2012

Common Exploit Kits 2012 Poster (based on Exploit pack table Update 18, Nov 12, 2012)

Update November 14, 2012
1. We forgot to mention that in the best tradition of the Antivirus industry, all posters come with one (1) year of free updates. Email us when a new version of the poster comes out ( use same email address or reply to the original message) and we will send you the file (same size you ordered, in JPG format). We cannot reprint Zazzle posters but you can use your own printing, or upload and order your own from Zazzle.

2. We added two more sizes for smaller wall spaces and budgets (asking for $15 and $10 to be donated to charity )


Hurricane Sandy, Jersey Shore
Src. Twitter Oct 28,2012
 author unknown
This update to the exploit pack table comes in the form of a poster (Exploit pack table update 18 is coming soon too).
The poster includes most common exploit packs of 2012. The poster will be updated and new issues posted in the future.







Poster sizes: 

If you wish to order a larger poster print,  (up to 60"x40" or 152cm x 101cm), follow this link to Zazzle.com 
Zazzle cancelled orders due to logos in fish images, despite the fact that their use falls under "Nominative Fair use" policy  (Read: "Lawful use of another's trademark") and we make zero money on it. Here is an example of PC magazine using it lawfully to compare browsers  - they also publish and sell their magazine is stores.
We filed a complaint with Zazzle. But even if they don't cancel,  Zazzle is also very overpriced so you are likely to find cheaper ways to print it. so we do not recommend using it anymore.

If Zazzle cancelled your order, email us and we will send you the full file for free. 

 Staten Island Hurricane Sandy Relief (Staten Island Project Hospitality).
See Staten Island hurricane aftermath photos here:
  • If you wish to use your own printing services and/or need multiple copies, you can request the poster file (see sizes below)  in exchange for donation to the Hurricane Relief  or a charity of your choice. Email us (admin at deependresearch.org) a receipt of a donation made in the past month (you can partially hide/obscure your personal info, if needed) and we will send you the file.
  • 8900 x 6000 px = up to 40" x 60"      (101 x 150 cm) = $25  Donate here or charity of your choice
  • 5340 x 3600 px = up to 24" x 35.6"   (~ 61 x 91 cm) = $15 Donate here or charity of your choice
  • 3578 x 2415 px = up to 16" x 24"      (~ 40 x 60 cm) = $10 Donate here or charity of your choice
  • 1720 x 1200 px = up to 11"x14"        (~ 20 x 30 cm) = Free Download


CVE-2012-5076 Java sample from "Cool" exploit pack

Here is quick post for a CVE-2012-5076 sample (from Cool pack, as described by Kafeine here Cool EK : "Hello my friend..." CVE-2012-5076 )



Group Photos.zip OSX/Revir | OSX/iMuler samples March 2012-November 2012


Sophos posted information about a variant of iMuler OSX trojan targeting Tibet activists (New variant of Mac Trojan discovered, targeting Tibet )  and posted the MD5 2d84bfbae1f1b7ab0fc1ca9dd372d35e (FileAgent 37.3 KB) of the trojan  . This post is for the actual dropper, which is a full 1.9 MB package (Group photo.zip MD5: 9e34256ded3a2ead43f7a51b9f197937)

 I don't have a Mac OS VM handy tonight to provide more details about the traffic or behavior so I will just describe the package and post the previous version of the same trojan that was targeting fans of Russian topless models.

Tuesday, October 16, 2012

CVE-2012-1535 Sep.9, 2012 "房號表.doc - Data for Reference.doc" and Taidoor trojan sample set for signature development



As promised, here is one sample of CVE-2012-1535 that you can use to follow the exploit analysis in the previous post CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis by Brian Mariani & Frédéric Bourla. It is from September 9, 2012, I have one from October, which I will post shortly as well. If you are not interested in the exploit, you can use the Taidoor payload plus 18 other Taidoor binaries to develop your own signatures for this trojan or test your AV. 

This message was sent to Taiwan government and is digitally signed with a valid signature. I am not sure if the signature is obtained for a fake account or the account is hijacked, this is why I am not posting the email address. If you work for TW government, you can ask for it. There was also a PDF attached with a personally identifiable information (full application) of an applicant for International Cooperation and Development Fund (Taiwan) - Women Development program. It is not included in this post. I assume it was stolen earlier as well. 

Sunday, October 14, 2012

CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis by Brian Mariani & Frédéric Bourla


Brian Mariani and Frédéric Bourla from High-Tech Bridge SA – www.htbridge.com sent their excellent deep analysis of  CVE-2012-1535 vulnerability in Adobe Flash Player. The Word documents with Flash that exploited that vulnerability appeared in August but did not become as popular as RTF CVE-2012-0158, which remains to be the most widely used exploit for targeted email attachments. 
The reason for it is that integer overflows are difficult to exploit in general and CVE-2012-1535 is less reliable than other exploits prevalent today. This does not mean it is not in use and I will post several recent samples with this exploit in the next article.
The full analysis is posted below, plus you can download it in PDF format.

Thursday, October 4, 2012

Blackhole 2 exploit kit (partial pack) and ZeroAccess (user-mode memory resident version)


 This post is an addtion to the DeepEnd Research post Blackhole & Cridex: Season 2 Episode 1: Intuit Spam & SSL traffic analysis by Andre DiMino about the Blackhole 2 exploit pack and Cridex trojan alliance.

Here is for download a partial Blackhole 2 exploit pack. This pack has been shared with me a few times over the past couple of weeks as researchers discovered an blackhole server with open directories. While it is missing a few crucial files, it is still provides insight into the pack components, exploits, and structure.

The list of files in the pack are listed below. 16 files are zero in size (not on purpose, that's all I have) and are there just for your information. The zero size files are listed in the separate list below (in addition to being in the main list). The files and data directories contain the exploits ( cve-2012-1723, cve-2012-0507, cve-2010-1885, cve-2012-4681, cve-2010-0188) and the payload (ZeroAccess  among other malware, which is memory resident rootkit (thus no 'dropped', created files for ZeroAccess in the package, only the original dropper and all kinds of files genereated by the clickfraud component. Use Volatility or Redline/Memorize for analysis)
This captcha component of this pack was reviewed by
Behind the Captcha or Inside Blackhole Exploit Kit 2.0 - Exploit Kit Administration Panel (Malware Don't Need Coffee).

 Malware Must Die analysts have been tracking Blackhole 2 as well

Wednesday, September 19, 2012

CVE-2012-4969 Internet explorer 0day samples


The Internet Explorer 0day aka now CVE-2012-4969, have been used in a "small number of targeted attacks". The new Internet Explorer Zero day technical details came out (eromang.zataz.com), the Metasploit module is out now too and the number will increase exponentially as soon as exploit pack authors add it to their arsenal, which will happen very soon. This seems to be repeating the story of Java CVE-2012-4681. See CVE-2012-4681 samples Original (APT) and Blackhole 2.0 (crime)

There are a few mitigation workarounds you can use for now, the best is to upgrade your browser, however
Read more at http://technet.microsoft.com/en-us/security/advisory/2757760


CVE-2012-4681 samples Original (APT) and Blackhole 2.0 (crime)


Here are two samples of Java CVE-2012-4681 exploit - one from the original targeted attack described in our post on August 30, 2012 and the other from today's spam redirecting to Blackhole 2.0 exploit kit and using CVE-2012-4681 adapted from the Metasploit framework.
The Blackhole 2.0 ad is translated and posted at malware.dontneedcoffee.com along with a very good analysis.
The spam campaigns are probably different but the one I encountered was using the subject "ADP Invoice Reminder" with ADP_Online_Invoice_DoNotReply@adp.com address sent from what it looks like a spam botnet. The body of the email looks very convincing  - see the legitimate ADP email below in comparison to the fake one. The links are legitimate compromised websites redirecting to the Blackhole exploit server. The payload is Zeus (Gameover P2P version not Citadel). Many websites already cleaned and giving error 404 and some are still active. I posted approximately 50 headers below for those who deal with spam filters as well as pcap and other information.

Thursday, September 6, 2012

Contagio file downloads are not available indefinitely (thanks to Mediafire and LeakID ideas about copyright)

Update5: 
Mediafire notified me the other day that they had confirmation from LeakID that the notices they submitted  were done in error. They restored all the file access.
I want to thank all who helped me with the posts and updates Paul Robert from SophosLabs, Soulskill- Slashdot, Dan Kaplan from SC Magazine for their articles, everyone who made posts on Twitter  and the Mediafire team for the über fast response to the posts and resolution. I guess LeakID do not speak to victims directly, never heard from them.

Monday, August 27, 2012

Java 7 0-day vulnerability analysis

Here is our second article about Java 7 0-day vulnerability. Read more at DeepEndResearch.org
ladyilonwick.wordpress.com
Considering that Rapid 7 posted a working exploit and addition to the exploit packs is imminent (Attackers Pounce on Zero-Day Java Exploit by Brian Krebs), plus other analysis articles are being published such as New Java 0day exploited in the wild  -by Alienvault, we decided that witholding details of the exploit will not offer additional protection but only hinder development of protection and signatures.

As we mentioned earlier, we contacted Michael Schierl, the Java expert who discovered a number of Java vulnerabilities and asked him to have a look. He sent back his detailed analysis, exploit source, the interim patch with the source code of the patched class.


Patch request:
  • Interim patch with the source code of the patched class. See the Readme of the patch in the previous post (thanks to Michael Schierl). 
Email from your company email address to admin <at> deependresearch.org  and explain the planned use, please.

DeepEnd Research: Java 7 0-Day vulnerability information and mitigation.



img.kids.discovery.com

The cat is out of the bag. There is 0-day out there currently being used in targeted attacks.  The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails. Interestingly, Mark Wuergler mentioned on August 10 that VulnDisco SA CANVAS exploit pack now has a new Java 0-day. It makes you wonder if it is the same exploit that leaked from or was found in the wild and added to the CANVAS pack. Or if it is totally unrelated and there are two 0-day exploits now.

The purpose of this post is not to provide the vulnerability analysis or samples but to offer additional information that may help  prevent infections on some targeted networks.   We all know what kind of damage Java vulnerabilities can cause if used in drive by exploits or exploit packs and we think that revealing technical vulnerability details  in the form of a detailed technical analysis is dangerous, while releasing working exploits before the patch is vain and irresponsible.

Oracle patch cycle is 4 months (middle of February, June, October) with bugfixes 2 months after the patch. The next patch day is October 16 - almost two months away. Oracle almost never issue out-of-cycle patches but hopefully they will do consider it serious enough to do it time.
Read more at DeepEndResearch.org

Friday, August 17, 2012

Shamoon or DistTrack.A samples


Image from Kaspersky lab
Here are a couple of Shamoon samples. Such destructive malware is rare because it does not really make much sense to destroy computers when you can steal data or use them.  

CVE-2012-1535 - 7 samples and info


I was still writing my analysis when Alienvault posted CVE-2012-1535: Adobe Flash being exploited in the wild and mine would be pretty much the repeat of the same. I don't like repeating so I will just post the samples and link to Jaime Biasco's article.  As you see from SSDeep they are nearly identical in size, exploit, and payload. All Word documents were authored by "Mark" and have same strings and indicators present as in the analyzed file.

Sunday, August 12, 2012

3322 Dyndns badness


MD5


118f208998e12561b03200178edf826b members.3322.org PRORAT
c5ac14a3c80b3c6af4c943e0f3839fbe lengkusky1.3322.org Keylogger
03ac85edb00bcd8c6b4981ca67208f68 sfwu.3322.org
003212079a7c1de92b755a627f3913b7 sfwu.3322.org
c5a632a8e369e47a7e8f55f892c8d864 myyuming55.3322.org
c5a6de01e10c65a8894bcb32608055b5 yjdl.3322.org Puppetzombie.gen
8a41d4770858cb5af6860f95c00f8224 myyuming55.3322.org Virut
fe7d3e20d7bc640fe2edf645da218bd1 xinxin169.3322.org

Friday, August 10, 2012

Gauss samples - Nation-state cyber-surveillance + Banking trojan


Just a quick post for those who can't sleep until get to play with Gauss
Excerpt:
The highest number of infections is recorded in Lebanon, with more than 1600 computers affected. The Gauss code  (winshell.ocx) contains direct commands to intercept data required to work with Lebanese banks – including the Bank of  Beirut, Byblos Bank and Fransabank. 
In Israel and the Palestinian Territory, 750 incidents have been recorded." (Kaspersky)


Thursday, August 9, 2012

CVE-2012-0158 generated "8861 password" XLS samples and analysis



Symantec recently posted an article by Joji Hamada titled "Password “8861” Used in Targeted Attacks", where the attackers continuously using the same passwords sent in emails together with the malicious attachment. Indeed, the password not only allows to evade detection but also makes it difficult to analyse the exploit itself.

All the samples i have that have this password appear to be created via a generator and share certain similarities. I will point out a few but you can find many more if you analyse the files and payloads.  


- Exploit CVE-2012-0158
The hallmark ListView2, 1, 1, MSComctlLib, ListView are clearly seen in the files, as well as excessive calls to MSCOMCTL.OCX during the dynamic analysis.

- Same password 
8861 could be the attacker's lucky number, or it is job related, or being a primary number, it plays some role in the RSA encryption implementation in this generator ( this one perhaps is a bit far fetched, but not more than other theories)

- Antivirus/Malware detection

These files are mostly detected as Exploit.D-Encrypted  by different AV vendors but this signature detects other malicious password protected documents  - it is not limited to this 8861 generator files.


Yara SignaturesYou can develop your own yara signatures based on these and other indicators you find in the files. I will share signatures on Yara Signature Exchange Google Group. If you are interested in making and sharing, please see DeepEnd Research: Yara Signature Exchange Google Group
IDS:  Emerging threats IDS signatures - see below.


- Same file structure
They are each different sizes and have different payloads, however the first 120KB of each file are identical and are completley different from the headers of other typical user created password protected spreadsheets and other malicious and password protected XLS files. I will post two other malicious messages that were NOT generated using the same generator is seems and have a different password  (I don't know password for those two files yet, if your figure it out, please share)

- Same document code page 
Windows Simplified Chinese (PRC, Singapore)

- Same name for the dropped files (ews.exe and set.xls
The dropped payload and the clean XLS document are different sizes, different types of malware for trojans, but have the same names (some are renamed after creation), which suggests a template. The embedded clean XLS documents have different metadata - I guess those were downloaded from internet or stolen from different targets - some were created on the Kingsoft version of Office, different authors, etc.

- Non default encryption (RC4, Microsoft RSA SChannel Cryptographic Provider).
Default is "Office 97/2000 compatible", which I think is 40-bit RC4 encryption. The generator is probably not using Excel interface but has it's own implementation of the encryption for the VBA code.

- Targets do not seem to be related by their occupation
Targets are in different countries  - Japan, China, France and do not seem to be related by business or industry - human rights activists, businesses, politicians. This makes me think it is not the same group of attackers but it is just a generator purchased by/supplied to different groups attacking different targets. The same trojan types, C2 domains, and targets were covered on Contagio and other resources earlier.

Friday, August 3, 2012

Cridex Analysis using Volatility - by Andre' DiMino - samples and memory analysis resources



Andre' DiMino posted an excellent analysis of Cridex banking malware using Volatility on sempersecurus.blogspot.com and if you wish to repeat his steps or interested in this malware, I am posting the corresponding samples. Cridex is a complex financial trojan and is being distributed via spam messages (carrying exe files in zipped attachments) and Blackhole Exploit kit.
The messages have various themes - from UPS, Fedex, USPS to Groupon deals and "HP-scan" and other lures. Some message screenshots and corresponding malware are posted below.

If you are interested in memory analysis, please see the resource section of this post (links to the tools: Volatility, Mandiant Redline, memory dumps and other memory analysis done by Andre' and other researchers)

Thursday, August 2, 2012

CVE-2012-1889 Security Update Analysis - Analysis video and presentation from High-Tech Bridge by Brian Mariani and Frédéric Bourla


Sorry for being away for such a long time - I was out of town for almost 2 weeks and came back just a couple of days ago. However, the blog is not dead and I am planning to post more stuff soon. There is Madi/Mahdi epidemic in progress, the exploit pack table needs urgent updates, and I have a quite a few samples accumulated that I need to post before they get old and boring. For now, if you are looking for anything specific, you can ask and I will check if I have them in the pending category.

Today, please enjoy the second part of CVE-2012-1889 analysis (CVE-2012-1889 Security Update Analysis - in video and PDF format ) sent to us by Brian Mariani and Frédéric Bourla from High-Tech Bridge www.htbridge.com ( High-Tech Bridge CVE Acreditation)

Sunday, July 29, 2012

Flamer /SkyWiper Samples

August 13, 2012 - added an article by CERT Polska


If you didn't get enough of Flamer /SkyWiper yet, here are the samples donated by a reader. They are also available on various forums and Virustotal. Whether they are new or old, part of the "Olympic Games" or not, they are a fine example of a targeted attack.  Enjoy

 

Wednesday, July 4, 2012

CVE-2012-1889 Microsoft XML vulnerability - Samples and Analysis by Brian Mariani and Frédéric Bourla


Brian Mariani (High-Tech Bridge htbridge.com Geneva, Switzerland) sent a very detailed and helpful analysis of CVE 2012-1889 - "CVE-2012-1889 - Microsoft XML core services uninitialized memory vulnerability" presentation - by Brian Mariani and Frédéric Bourla, which I am publishing here.

Please download the slides in PDF format. The text of the presentation is also posted below. 
I am posting two samples - a metasploit poc file and a non-metasploit malicious code sample.


Sunday, June 24, 2012

Medre.A - AutoCAD worm samples


         Medre.A  is a an AutoCAD worm, written in AutoLISP and is a very unusual piece of malware. It was
          ESET reported Peru and neighboring countries as the target but I noticed that one of the samples' (MD5 25c7e10bb537b4265f6144f2cd7f6d95) original name is 未命名1 ( Unnamed 1), so I wonder if some targets/sources were Chinese speaking.
P.S. The samples were donated by an anonymous but the original source is someone from Malwarebytes forum and  I want to thank him/her (sorry don't know the name) for sharing. I hope they do not mind me posting them here.

Thursday, June 21, 2012

RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army


CitizenLab
The CitizenLab published their report of the Blackshades RAT used by Syrian Electronic Army against activists. No need repeat their excellent analysis but you wish to analyze Blackshades and other RAT that were used in the Syrian attacks, here are the samples for 
Looks like they are changing their RAT monthly.

Friday, June 15, 2012

CVE-2012-1875 links and samples





CVE-2012-1875 Internet Explorer 8 exploit has been publicly available from various sources for a few days.
I am adding it here for reference.
For analysis info, see the AlienVault link below and the Metasploit module and demo.

P.S. In case you wonder, I have not stopped doing malware analysis, I still do,  but as as a longer term offline project combined with studying/reading. I pause what I am doing to share samples that come along and better be posted sooner - as is, as I do not want to wait until I write up something more expanded. Since most people prefer doing analysis on their own and I add reference links, I don't think it is a huge disappointment :)  ~ Mila

Tuesday, June 12, 2012

90 CVE-2012-0158 documents for testing and research.



While working on a project unrelated to Contagio, I collected a number of CVE-2012-0158 exploit documents (mostly RTF) via going through my own collection and what was shared (and publicly sharable) by Contagio readers. This post contains 90 files, mostly APT targeted but I did not analyze all and cannot guarantee that. These are CVE-2012-0158 exploits for files from April-June 2012. Some of them were already posted on Contagio.
The files inside the zip are named by SHA256_original file name.doc. I think I will be using SHA256 now for naming because it is more standard now and  it is much easier to auto generate VT links. The table below shows everything inside the archive with auto generated Virustotal links.
Some of them had Japanese and Chinese names that are now translated in English (with (JP) and (CN) in the name)


  Download all the files listed above (email if you need the password)
- thanks to all for sharing


Older similar collections for testing and research are here Version 4 April 2011 - 11,355+ Malicious documents - archive for signature testing and research


P.S. ok, these are actually cve-2010-3333. I will not remove them but fyi (thanks to xecure-lab.com)
  1. ec8b9c68872257cec2552ac727348c09314658d9497085f8a19f58004476c9b8_info.doc
  2. abbd1fa4dde11b94360338de8b5a2af7b09c6149ce1633797da825d5843cea7f_Criteria.doc
  3. 125b8babb6ee4442efc75a5688c6bb5d0c71f8a685bcdff6b4043f3a829e65eb_Oded - Working.rtf
P.P.S.  and Paul Baccas from Sophos pointed out that these two are not true exploits but RTF delivery for Buzus (thanks).


  1. 12d574de18f6820ba0d8d566152edb32386b86dde9f3ef7d1004c775b3b34dea_IMG_0056.doc
  2. 300649da673828756cfda29f332d7b39f272c1dd308f0087162e9d58fbacac1f_300649da673828756cfda29f332d7b39f272c1dd308f0087162e9d58fbacac1f.rtf

CVE-2012-0158
The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability." 

Wednesday, June 6, 2012

May 31 - Tinba / Zusy - tiny banker trojan


Amazon.com 8" Gremlin
Tinba aka Zusy is an interesting tiny (18-20KB) banker trojan. It is not the smallest in use these days, Andromeda bot is 13 KB for resident and only 9 KB for non-resident versions. I got a few samples and hoped to come up with enough data for an IDS signature but they did a good emulation of the real systems, so it is not trivial. One thing very consistent is 13 byte initial RC4 encoded request.
I am posting details here, if you come up with a signature, please share with Emerging Threats or here.

Monday, May 28, 2012

Russian Cybercrime Presentation Slides 2012


Presented at a conference in May 2012
It is just pictures and not very useful without the narration. Email me if you need commentary for any of the slides
Download pdf 

Saturday, May 19, 2012

See you in two weeks


Angus McIntyre
Greetings,
I will be traveling and will not have time for posts until June. If you sent any files to me recently and I did not post / did not reply, please accept my sincere apologies, it has been a busy period.

Please continue to share and upload files to  Contagio Community and Contagio Mobile dump where it will be available immediately to others via the main download link posted there.
I hope you all have a great end of spring and glorious summer.
Thank you
Mila

P.S. If you are looking for something that is not listed, feel free to email and ask, i might have it.

Sunday, May 6, 2012

May 3 - CVE-2012-0779 World Uyghur Congress Invitation.doc



There are already quite a few samples of this recently patched exploit in the wild, including those targeting USA companies. This particular sample is targeting  Uyghur Congress, which is "an international organization aspiring to represent .. exiled Uyghur (Turkish ethnic group) people   both inside and outside of the Xinjiang Autonomous Region of the People's Republic of China." ~ Wikipedia. The text of the email cannot be translated with online translators, but judging by the content of the attachment, it is meant to look like an invitation for the World Uyghur Assembly .

More often than not, interesting samples come at the wrong time, when I cannot analyze them due to various reasons such as being busy with something else. I was planning to look at it this weekend but it did not happen, so here it CVE-2012-0779. Analyze it, write signatures, add detection to your filters. If you post an analysis, please send your link, I add. I will just post a few details about the file.

Thursday, May 3, 2012

019 Speech.doc MacOS_X/MS09-027.A -exploit for MS Word on Snow Leopard OSX



bbtoystore.com
Someone uploaded it on Contagio Exchange the other day. Thank you for sharing.
Document language code is Arabic, which is kind of interesting. Targeting Tibet human rights activists.

Research: Microsoft An interesting case of Mac OSX malware
Research: Total Defense MS09-027 Target: Mac OSX & Tibetan NGOs



Xpaj -MBR rootkit sample - sample


News about Xpaj file infector brought this new donation of a sample, which i am posting now. I will add the network capture and sandbox report to augment the detailed analysis reports released by Bitdefender Xpaj - the bootkit edition and Symantec W32.Xpaj.B is a File Infector with a Vengeance
The file is meant to look like a crack of sorts for Big Air Stoked game



I accidentally overwrote this post with a blank one, many thanks to Lotta for sending the cached page and helping recreate it. It was not a long and detailed post but I wouldn't have time to redo it.


Operation Cleanup Japan (OCJP) by 0Day.jp May 3


Operation Cleanup Japan (OCJP)  ( 【報告】オペレーション「Cleanup Japan」 / #OCJPとは?is the project initiated by Hendrik Adrian to make the Japanese internet safer through exposure of badware sites and data, the shutdown of malicious sites and in helping the Japanese community learn from security professionals about how to recognize and prevent malware.

0DAY.JP <http://unixfreaxjp.blogspot.com/> is the project blog and it is in Japanese. We will link to his publications - via Google translation  and provide you with the relevant samples. This will be an ongoing post with future updates. Please support OCJP and enjoy.
P.S. Contact Hendrik if you have difficulty understanding Google translation of some words or need help with screenshots. IE and Chrome handle the translated text formatting better than Firefox. Except when indicated otherwise, I did not analyze these samples and might not be able to answer questions.

Red dots indicate the sample download links - same password on all by the scheme. Email me if you need it. With many thanks to Hendrik for his work and contributions.
DOWNLOAD ALL SAMPLES FROM THIS FOLDER OR FROM LINKS BELOW

 2012-04-18 Case 39 ◘ Zeus

Thursday, April 19, 2012

CVE-2012-0158 - South China Sea, Insider Information and other samples and analysis

Update April 20, 2012 - I added 8 more samples (now there are 12 posted), did not look at all of them yet but I think you may find them useful for developing signatures, etc

The TrendMicro report "CVE-2012-0158 – Now Being Used in More Tibetan-Themed Targeted Attack Campaigns" appeared in the news a few days ago, highlighting the beginning of a new wave of exploits using RTF as a carrier.

Researchers based in Asia noticed these malicious documents in Japan and Taiwan before they started showing up/targeting USA companies. Three documents donated a few days ago by someone from Asia were crafted to run only on  the Taiwanese version of Windows. The document I found today was uploaded to an online analysis service and it is for English Windows, it was named "inside information.doc" and drops a decoy document called 英文 , which means English. I could not get "Taiwanese" binaries run on English OS but this one executed successfully.

The vulnerability is due to an error in ActiveX control, in this case embedded in an RTF document. All documents I looked at are very similar, most likely there is a generator involved in making these. I have not seen any documents that would run without crashing the Word, so you need to carve out at least the first stage binary manually.

Many thanks to Brandon Dixon and Binjo for technical advice and inspiration :)