Search found 501 matches

by unixfreaxjp
Sat Dec 05, 2015 5:30 pm
Forum: Malware
Topic: Linux/Mayhem
Replies: 26
Views: 59852

Not an .SO module, WP bruter version | Re: Linux/Mayhem

I received a report of an unusual Mayhem ELF attack via a PHP dropper in a compromised WP, with these (trimmed) logs: https://lh3.googleusercontent.com/-gYzI4ISLOoI/VmMcfx1MK5I/AAAAAAAAT0Q/l_3FfPevM3I/s600/2000.png It is not a module ELF but the executable, and it uses the same usual PHP dropper scheme...
by unixfreaxjp
Sat Dec 05, 2015 4:18 am
Forum: Malware
Topic: Linux.Rekoobe
Replies: 4
Views: 6675

Re: Linux.Rekoobe

tWiCe wrote: http://vms.drweb.com/virus/?i=7754026
Small RAT for Linux on SPARC and Intel archs.
Good work and good share, with thanks. Looking at it now.
by unixfreaxjp
Thu Dec 03, 2015 10:45 pm
Forum: Malware
Topic: Linux/KDefend
Replies: 0
Views: 4139

Linux/KDefend

I am not so sure of the future of this ELF malware, since benkow spotted it at a very early stage (nice work). Analysis is in http://blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html Not many samples seen yet, but this is a new development ongoing. Smells too many similarities w...
by unixfreaxjp
Mon Nov 23, 2015 8:14 am
Forum: Malware
Topic: Linux/Bash0day alias Shellshock alias Bashdoor
Replies: 42
Views: 126926

Re: Linux/Bash0day alias Shellshock alias Bashdoor

Our team infiltrated the source of the threat successfully... we are preparing for it. No need to reverse this threat, just read the crappy C code. Together with the source code of DTOOL, STD flood with the Tsunami (with respect to KM moderators) I announced in here: http://blog.malwaremustdie.org/20...
by unixfreaxjp
Sun Nov 22, 2015 3:11 pm
Forum: Malware
Topic: Linux/Tsunami
Replies: 28
Views: 56137

(The recent) | Re: Linux/Tsunami

Too modified, not good. Must make some new memo here. IRC CNC server (plain) & ports (hashed) are well seen as usual in the bins... I go with interesting points only... Sample: https://www.virustotal.com/en/file/26ac5f53a86fedc0362cb19269d4dffa1ad47dd869ce12bfbccce4df8042626b/analysis/1448201213/ https...
by unixfreaxjp
Wed Nov 18, 2015 1:29 am
Forum: Malware
Topic: Linux/FileCoder (Linux.Encoder)
Replies: 18
Views: 51429

Re: Linux/FileCoder (Linux.Encoder)

An additional... more "copy paster evidence" :) Let's take a look into the file restoring decryption, and the AES key restoring decryption done by this ransomware. You can see in the above last picture of my reversing pad here at 0x400836 that the aes_decrypt function was called. If you trailed that function ...
by unixfreaxjp
Tue Nov 17, 2015 5:01 am
Forum: Malware
Topic: Linux/FileCoder (Linux.Encoder)
Replies: 18
Views: 51429

Re: Linux/FileCoder (Linux.Encoder)

(Beforehand see here for the crypted file/dir list and for comments on the threat.) Just a quicky strolling the decrypting parts of this ELF Linux ransomware as per below, using the sample I posted above in x86-64. This is the function that is used to decrypt all of the crypted files... called decrypt_all(), wh...
by unixfreaxjp
Tue Nov 17, 2015 1:56 am
Forum: Malware
Topic: Linux/FileCoder (Linux.Encoder)
Replies: 18
Views: 51429

Re: Linux/FileCoder (Linux.Encoder)

the code is lame I agree. It seems to be a quicky job, inexperienced, yet dangerous idea. Automated analysis doesn't make much sense there, until you pass valid arguments to the trojan. True, in fact it relied on the argument commands. As I was picking through, the args look to be: ./sample [encrypt|decr...
by unixfreaxjp
Tue Nov 17, 2015 1:47 am
Forum: Malware
Topic: Linux/FileCoder (Linux.Encoder)
Replies: 18
Views: 51429

Re: Linux/FileCoder (Linux.Encoder)

@Blaze good work for swiftly sharing the sample in here. Thanks. Linux ransomware. First, the Trojan encrypts files in the following directories: /home /root /var/lib/mysql /var/www /etc/nginx /etc/apache2 /var/log Just back from our ELF workshop. The above list is incomplete. Maybe the dynamic anal...
by unixfreaxjp
Wed Nov 04, 2015 11:59 am
Forum: Malware
Topic: Linux/GoARM.Bot
Replies: 14
Views: 24697

Re: Linux/GoARM.Bot

All CNC are on port 6004 at the hosts below: scan1.28zst.cn (211.149.174.81) AS38283 CHINANET SiChuan TelecomIDC; scana.28zst.cn (222.186.15.16) AS23650 CHINANET jiangsu; scanb.28zst.cn (222.186.30.160) AS23650 CHINANET jiangsu. Samples & more detailed info in VT comments... https://virustotal.com/en/file/2ac91f9b...