Digitally signed malware


Postby shaheen » Thu Jul 07, 2011 3:49 am

Just wondering if there is any digitally signed malware (digitally signed executables, not just drivers) in the wild. I know about Stuxnet already.

Thanks

Re: Digitally signed malware

Postby EP_X0FF » Thu Jul 07, 2011 4:02 am

http://www.f-secure.com/weblog/archives ... signed.pdf

If you have a specific request, then format it and post it in the Malware Requests thread.

Re: Digitally signed malware

Postby shaheen » Thu Jul 07, 2011 6:35 pm

Thanks, interesting read.

Yes, I posted there as well.

Re: Digitally signed malware

Postby markusg » Sun Nov 27, 2011 6:31 pm

Looks like this one is signed; in the signature details I see Comodo.

Re: Digitally signed malware

Postby EP_X0FF » Mon Nov 28, 2011 7:04 am

markusg wrote: Looks like this one is signed; in the signature details I see Comodo.

Both certs are invalid and untrusted. It injects a payload DLL into explorer.exe and from there into every starting process via a CreateProcessW hook. Due to bugs in the trojan, explorer crashes every time a new program is launched by it.

Some sensitive, self-explanatory strings from the inside:


Re: Digitally signed malware

Postby markusg » Mon Nov 28, 2011 10:34 am

What about this:

Re: Digitally signed malware

Postby EP_X0FF » Mon Nov 28, 2011 10:55 am

markusg wrote: What about this:

Malware BHO DLL spying on user-pressed keys.

Re: Digitally signed malware

Postby cjbi » Sat Dec 03, 2011 10:58 pm

Very interesting Korean "legal" fraud/rogue AV sample.

Two files are signed with the same digital certificate, but only one is revoked.

anycopsetup.exe.vir http://www.virustotal.com/file-scan/rep ... 1322951522
MainBoan_setup.exe.vir http://www.virustotal.com/file-scan/rep ... 1322951869
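The checks the thread keeps coming back to (is the file signed at all, is the signer trusted, is the certificate revoked, is the signature timestamped) can be scripted rather than read off the file properties dialog. The following is an added example, not code from the thread or from any of the posters; the sample folder path is an assumption.

```powershell
# Added example (not from the thread): summarize the Authenticode state of a PE file
# and run an explicit revocation check on the signer, so a "signed" binary whose
# certificate is invalid, untrusted or revoked is not mistaken for a clean one.
function Test-SignedBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File        = $Path
        Status      = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Detail      = $sig.StatusMessage
        Signer      = $null
        Issuer      = $null
        Thumbprint  = $null
        Timestamped = $false
        ChainBuilds = $null                # $false when the chain fails, e.g. on a revoked cert
        ChainErrors = @()
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer      = $cert.Subject
        $result.Issuer      = $cert.Issuer
        $result.Thumbprint  = $cert.Thumbprint
        # A timestamp countersignature lets a signature outlive certificate expiry and is
        # what a later revocation date is compared against, so record whether one exists.
        $result.Timestamped = ($null -ne $sig.TimeStamperCertificate)

        # Build the chain ourselves with online revocation checking for the whole chain.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $result.ChainBuilds = $chain.Build($cert)
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        })
    }

    [pscustomobject]$result
}

# Usage over a folder of samples (path is an assumption):
# Get-ChildItem C:\Samples -Include *.exe,*.dll -Recurse |
#     ForEach-Object { Test-SignedBinary $_.FullName } | Format-List
```

Two files signed with the same certificate can legitimately report different results: X509Chain checks revocation as of now, whereas Authenticode verification of a timestamped signature considers the revocation's effective date, so compare both Status and ChainBuilds before drawing a conclusion.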

Re: Digitally signed malware

Postby Cody Johnston » Sat Mar 17, 2012 9:29 am


Re: Digitally signed malware

Postby rkhunter » Sat Mar 17, 2012 11:02 am

