Search found 501 matches

by unixfreaxjp
Wed Feb 10, 2016 8:08 am
Forum: Malware
Topic: Linux/AES.DDoS (alias Dofloo, MrBlack)
Replies: 48
Views: 92570

Re: Linux/AES.DDoS (alias Dofloo, MrBlack)

Memo: AES.DDoS attack switch latest version (case switch 0x01 to 0x0C) https://lh3.googleusercontent.com/-lToiPY0ztMQ/Vrru_fpsflI/AAAAAAAAUYs/47zUsroAGDE/s600/pic002.PNG Typical MO: /etc/sed[a-zA-Z0-9]{5} /etc/rc.d/rc.local /etc/init.d/boot.local Network: CNC: 115.231.219.147:48080 (ip base) AS4134...
by unixfreaxjp
Sun Feb 07, 2016 12:52 pm
Forum: Malware
Topic: Linux/Tsunami
Replies: 28
Views: 56092

Re: Linux/Tsunami

If anyone needs samples directly from the source, the list is here↓

http://blog.malwaremustdie.org/2016/02/ ... ution.html
by unixfreaxjp
Fri Feb 05, 2016 8:35 am
Forum: Malware
Topic: WinNT/Banbra (Brazilian banker)
Replies: 8
Views: 14015

Re: Win32/Brazil Drivers? I don't know this..

Same stealer crook, using this bin w/ the same driver's drop: https://lh3.googleusercontent.com/-sNJMOK4nmzE/VrRccanCOMI/AAAAAAAAUXg/VSGhfZEQDq0/s600/008.PNG HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hookmgr This time they stopped using .NET and switched to Delphi compiled PE but used the sam...
by unixfreaxjp
Wed Feb 03, 2016 10:41 am
Forum: Malware
Topic: Linux/binsh
Replies: 3
Views: 8321

Linux/shell.elf | Re: Linux/binsh

This is the variant of the sample that I posted here in September 2014. The infection vector is the same shellshock. The sample is new. And this sample is also based on shellcode compiled as a tiny ELF. The functionality is connecting to the remote machine, opening to the backdoor and write anything ...
by unixfreaxjp
Tue Feb 02, 2016 4:30 pm
Forum: Malware
Topic: Linux/ChinaZ.DDoS
Replies: 10
Views: 20461

Re: Linux/ChinaZ.DDoS

The ChinaZ edition/version2 (they called it), with modified codes in many places. Attack main function as initial too is DNS-AMP. This time it doesn't need to load amp.dat or Config.ini to perform an attack, a PONG traffic can be used to trigger a specific DNS AMP attack to traffic's hard coded DNS ...
by unixfreaxjp
Sun Jan 31, 2016 9:27 am
Forum: Malware
Topic: WinNT/Banbra (Brazilian banker)
Replies: 8
Views: 14015

Re: Win32/Brazil Drivers? I don't know this..

This switch is part of the dispatch routine for control codes sent from user mode via DeviceIoControl. There are three commands which are for copy memory and return pointers to PsGetCurrentThreadId and PsGetCurrentThreadProcessId to the user mode caller. :) Thank you very much, this explains a lot of expl...
by unixfreaxjp
Sun Jan 31, 2016 7:47 am
Forum: Malware
Topic: WinNT/Banbra (Brazilian banker)
Replies: 8
Views: 14015

WinNT/Banbra (Brazilian banker)

Hello @EP_X0FF Someone sent me a binary to be investigated as a banking trojan with 37Mb size - the point is it installed the small Windows driver and I don't know what is the purpose, except grabbing process ID (and its installation) https://www.virustotal.com/en/file/57a2dd99dd0c153a45b52f065645a8...
by unixfreaxjp
Wed Jan 13, 2016 9:15 pm
Forum: Malware
Topic: Linux/Tsunami
Replies: 28
Views: 56092

Re: Linux/Tsunami

loonysquad uses "lame way" to :lol: encode :roll: the strings in the version of Tsunami/kaiten base they called STD bot. And using encrypted communication to poke CNC (checkin) Samples: https://www.virustotal.com/en/file/4ef73b1edac441bff5d024714c044da1b078d5bd65e5c40b8299bfe71309add1/analysis/ … ht...
by unixfreaxjp
Tue Jan 12, 2016 3:00 am
Forum: Malware
Topic: Linux/Torte (spooler) ELF
Replies: 0
Views: 3742

Linux/Torte (spooler) ELF

An incident report & analysis (MMD): http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html The threat report (Akamai): https://www.stateoftheinternet.com/downloads/pdfs/SpamBot-Investigation-whitepaper-R3.pdf x32: https://www.virustotal.com/en/file/800f8b125345784d532b29465b5...
by unixfreaxjp
Mon Jan 11, 2016 8:31 am
Forum: Malware
Topic: Win32/Bulta
Replies: 2
Views: 4910

Win32/Bulta

The malware was spotted as payload in HFS watering hole CNC: kugo.f3322.net (58.128.228.168) port 51012 Origin is PRC/China. Many analysis evasion like: packed, check mouse, aiming specific OS, antivirus process detection, etc. Drops two files: \Common Files\ppt\symet.exe (self-copy) \C:\2370.vbs ...