Search found 26 matches

by Squirl
Thu Mar 28, 2013 3:25 pm
Forum: Malware
Topic: .js malware
Replies: 8
Views: 4400

Re: .js malware

Use http://technet.microsoft.com/en-gb/sysi ... 96645.aspx and filter on the term "2a3.js"

Delete the file and see what rewrites it. If it's a legitimate Windows process, then something's injected into it.
by Squirl
Tue Mar 26, 2013 12:45 pm
Forum: Malware
Topic: Win32/Zeus (alias Zbot)
Replies: 281
Views: 359654

Zbot C2 config

url: hxxp://paypal-servcies.com/
hxxp://paypal-servcies.com:2082/login/
hxxp://paypal-servcies.com/server/cp.php?m=login

MySQL DB creds: User = admin
pass = "" [empty string]
by Squirl
Thu Mar 21, 2013 3:21 pm
Forum: Malware
Topic: Shutting down P2P botnet ?
Replies: 9
Views: 8948

Re: Shutting down P2P botnet ?

@Radikal, I'd suggest reading the Sophos ZeroAccess whitepaper: http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf?dl=true The reason this botnet is so hard to sinkhole is because of its peer-list updating mechanism; each bot will only update its list wi...
by Squirl
Wed Mar 20, 2013 3:25 pm
Forum: Malware
Topic: Chameleon bot samples
Replies: 1
Views: 2212

Chameleon bot samples

Hi guys, I know this is really broad and not a whole lot of information to go on, but is anybody in possession of a sample described here: http://www.spider.io/blog/2013/03/chameleon-botnet/ Spider.io are being incredibly reserved with sample (and hash) sharing. Any help greatly appreciated, willing...
by Squirl
Tue Mar 19, 2013 4:12 pm
Forum: Malware
Topic: Zero Day Java Exploits(All Java Exploits goes here)
Replies: 68
Views: 318817

Re: Zero Day Java Exploits(All Java Exploits goes here)

Spam campaign serving up Blackhole. http://www.symantec.com/connect/blogs/pope-themed-spam-attacks-leads-malware URLs used in the campaign: hxxp://aven-clan.net76.net/popesued.html hxxp://daewoo.maglan.ru/popesued.html hxxp://7887.ru/popesued.html hxxp://dota-soul.ru/popesued.html All samples curren...
by Squirl
Tue Mar 19, 2013 8:48 am
Forum: Malware
Topic: Android Malware(All Android malware goes here)
Replies: 104
Views: 182810

Android.Notcompatible trojan

Currently being served up in a spam campaign, subject line of "Hot News": http://www.infosecurity-magazine.com/view/31277/still-notcompatible-android-trojan-takes-fresh-tack-with-spearphishing/?utm_source=twitterfeed&utm_medium=twitter Example URLs: hxxp://www.ceipjuandelacosa.es/xbnawwq/yqvjsycp/ql...
by Squirl
Tue Mar 05, 2013 2:26 pm
Forum: Malware
Topic: Zero Day Java Exploits(All Java Exploits goes here)
Replies: 68
Views: 318817

Re: Java 0day CVE-2013-1493

And here's the Jar
by Squirl
Tue Mar 05, 2013 1:38 pm
Forum: Malware
Topic: Zero Day Java Exploits(All Java Exploits goes here)
Replies: 68
Views: 318817

Re: Java 0day CVE-2013-1493

I'm just working on obtaining the Jar - in the meantime, here's the payload after a successful exploit.
by Squirl
Wed Feb 27, 2013 4:12 pm
Forum: Malware
Topic: Win32/MiniDuke
Replies: 6
Views: 10677

Win32/MiniDuke

Hi all, does anybody have any of the droppers mentioned here: http://blog.crysys.hu/2013/02/miniduke/ http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf MD5s: 3668b018b4bb080d1875aee346e3650a 88292d7181514fda5390292d73da28d4 3f301758aa3d5d123a9ddbad1890853b 0cdf55626e56ffbf1b198beb4f6ed559...
by Squirl
Tue Feb 26, 2013 4:49 pm
Forum: Malware
Topic: Phoenix Exploit Samples
Replies: 1
Views: 2318

Phoenix Exploit Samples

nakedworldcelebrities\x2ecom

redir to *.ddns.name

All samples in archive