Search found 224 matches

by R136a1
Tue Jan 26, 2016 6:38 pm
Forum: Malware
Topic: ZeroAccess (alias MaxPlus, Sirefef)
Replies: 557
Views: 564174

Re: ZeroAccess (alias MaxPlus, Sirefef)

I can share the hash on 1 February ;)
by R136a1
Tue Jan 26, 2016 3:51 pm
Forum: Malware
Topic: ZeroAccess (alias MaxPlus, Sirefef)
Replies: 557
Views: 564174

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

I'm trying to figure out if it's spreading at all; there does seem to be a very slow growth in the number of online bots per day, but that could be just all the crawlers using EP_X0FF's source :P I have also been trying to figure out the infection vector itself for some time, but it remains unknown to me. I hav...
by R136a1
Tue Jan 26, 2016 12:28 pm
Forum: Malware
Topic: ZeroAccess (alias MaxPlus, Sirefef)
Replies: 557
Views: 564174

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

I am also surprised that the return of this botnet got no attention from any of the big security companies, especially because it's one of the few remaining malware families that deserve the term "sophisticated". On the other hand, it is understandable after they proclaimed victory over the botnet ...
by R136a1
Tue Jan 05, 2016 1:48 pm
Forum: Newbie Questions
Topic: Analyzing a com dll
Replies: 4
Views: 6249

Re: Analyzing a com dll

Well, there are some rare articles which deal with COM related malware: https://www.virusbtn.com/virusbulletin/archive/2014/08/vb201408-IcoScript https://www.vmray.com/blinding-malware-analysis-with-com-objects/ Anyway, the best way to understand COM is to read the Microsoft documentation and start ...
by R136a1
Mon Jan 04, 2016 6:29 pm
Forum: Newbie Questions
Topic: Analyzing a com dll
Replies: 4
Views: 6249

Re: Analyzing a com dll

Hi,

There is an article from Malwarebytes which gives a good introduction to reversing COM files: https://blog.malwarebytes.org/intellige ... ious-code/
by R136a1
Sun Jan 03, 2016 11:46 am
Forum: Malware
Topic: ZeroAccess (alias MaxPlus, Sirefef)
Replies: 557
Views: 564174

Re: Rootkit ZeroAccess (alias MaxPlus, Sirefef)

Hi folks, I have found a New Year present from the ZeroAccess author(s). This fresh variant comes in the form of a dropper which contains the encrypted payload inside a .png file in the resource section. -> see Zeroaccess_2016 (attached) Last year around the same time an earlier (unencrypted) sample of this...
by R136a1
Tue Dec 15, 2015 12:36 pm
Forum: Malware
Topic: Ardbot [x86/x64]
Replies: 1
Views: 5921

Ardbot [x86/x64]

Hi folks, I first discovered this bot a few months ago. It seems to be a work in progress, because bot and loader are full of debug strings. Currently, it constantly crashes explorer.exe after the injection process on all Windows versions up to Windows 10. Might be interesting anyway for future research, ...
by R136a1
Thu Nov 26, 2015 9:09 pm
Forum: Malware
Topic: ModPOS (Backdoor.Straxbot, TrojanDropper:Win32/Rortiem.A)
Replies: 5
Views: 9288

ModPOS (Backdoor.Straxbot, TrojanDropper:Win32/Rortiem.A)

Hi folks, some info about this malware can be found here: http://www.isightpartners.com/2015/11/modpos/ Because the report does not mention any file hashes (which sucks!), I thought I'd give it a try and finally found some droppers. Might be older versions, since the PE time stamps date back to 2012. ...
by R136a1
Tue Oct 06, 2015 1:34 pm
Forum: Malware
Topic: Winnti backdoor
Replies: 6
Views: 10124

Re: Winnti backdoor

This bootkit is known in certain circles as the "sunx bootkit". Unfortunately, I have deleted the sample that I found, which included a PDB path. Also, I saw a similar sample that also had a PDB path and was detected as Derusbi. Interestingly, this bootkit includes functionality that searches for t...