Forum for analysis and discussion about malware.
by EP_X0FF » Wed Jun 06, 2012 7:10 am
I hope the marketing division of Kaspersky Lab finally sets up an add-on that will enable them to attach hashes of investigated components to their articles.
Ring0 - the source of inspiration
by dumb110 » Wed Jun 06, 2012 8:15 am
Can somebody help with decryption of the attached sample, please?
by rkhunter » Wed Jun 06, 2012 9:14 am
EP_X0FF wrote: I hope the marketing division of Kaspersky Lab finally sets up an add-on that will enable them to attach hashes of investigated components to their articles.
Seems impossible in the Flamer case...
I published hashes to the Gostev article.
by rkhunter » Wed Jun 06, 2012 12:30 pm
Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider.
Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the "uninstaller".
http://www.symantec.com/connect/blogs/f ... nt-suicide
by rkhunter » Wed Jun 06, 2012 4:30 pm
Seems nothing new...
Would be great if anyone published the browse32.ocx hash.
