Digitally signed malware

Forum for analysis and discussion about malware.
shaheen
Posts: 35
Joined: Wed Jun 09, 2010 11:08 pm

Digitally signed malware

Post by shaheen » Thu Jul 07, 2011 3:49 am

Just wondering if there is any digitally signed malware (digitally signed executables, not just drivers) in the wild. I know about Stuxnet already.

Thanks

EP_X0FF
Global Moderator
Posts: 4781
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Digitally signed malware

Post by EP_X0FF » Thu Jul 07, 2011 4:02 am

http://www.f-secure.com/weblog/archives ... signed.pdf

If you have a specific request then format it and post it in the Malware Requests thread.
Ring0 - the source of inspiration

shaheen
Posts: 35
Joined: Wed Jun 09, 2010 11:08 pm

Re: Digitally signed malware

Post by shaheen » Thu Jul 07, 2011 6:35 pm

Thanks, interesting read.

Yes, I posted there as well.

markusg
Posts: 730
Joined: Mon Mar 15, 2010 2:53 pm

Re: Digitally signed malware

Post by markusg » Sun Nov 27, 2011 6:31 pm

Looks like this one is signed; in the signature details I see Comodo.

EP_X0FF
Global Moderator
Posts: 4781
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Digitally signed malware

Post by EP_X0FF » Mon Nov 28, 2011 7:04 am

markusg wrote: Looks like this one is signed; in the signature details I see Comodo.
Both certs are invalid and not trusted. Injects the payload DLL into explorer.exe and from there into every starting process via a CreateProcessW hook. Due to bugs in the trojan, explorer crashes every time a new program is launched by it.

Some sensitive self-explaining strings from the inside:
KeyStore NewDomain UpLoad UpdateLoader BlockUrl BlockDomain UpdateAppConf32 MainProcess DeleteMutex SearchDomain SvUpdateLdr

Ring0 - the source of inspiration

markusg
Posts: 730
Joined: Mon Mar 15, 2010 2:53 pm

Re: Digitally signed malware

Post by markusg » Mon Nov 28, 2011 10:34 am

What about this:

EP_X0FF
Global Moderator
Posts: 4781
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Digitally signed malware

Post by EP_X0FF » Mon Nov 28, 2011 10:55 am

markusg wrote: What about this:
Malware BHO DLL spying on user-pressed keys.
Ring0 - the source of inspiration

cjbi
Posts: 92
Joined: Sun Mar 14, 2010 7:16 am

Re: Digitally signed malware

Post by cjbi » Sat Dec 03, 2011 10:58 pm

Very interesting Korean "legal" fraud/rogue AV sample.

Two files are signed with the same digital certificate, but only one is revoked.

anycopsetup.exe.vir http://www.virustotal.com/file-scan/rep ... 1322951522
MainBoan_setup.exe.vir http://www.virustotal.com/file-scan/rep ... 1322951869
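The case above (two samples signed with one certificate, only one reported as revoked) is the kind of thing a defender triages by checking every file's Authenticode status plus an explicit online revocation check on the signer chain, then grouping the results by signer thumbprint. The script below is an added example written for this thread, not code from any poster; the sample directory path is a placeholder, and it uses only the built-in Get-AuthenticodeSignature cmdlet and the .NET X509Chain API.

```powershell
# Added example (not from the thread): check Authenticode status and signer-chain
# revocation for every file in a folder, then group files by signer certificate.
# $SampleDir is a placeholder; point it at a quarantine/sample folder.
param([string]$SampleDir = 'C:\samples')

function Test-SignerChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Force an online CRL/OCSP check of the whole chain, not just the leaf
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Require the code-signing EKU (id-kp-codeSigning)
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null
    $built = $chain.Build($Cert)
    [pscustomobject]@{
        ChainOk = $built
        # e.g. Revoked, RevocationStatusUnknown, UntrustedRoot, NotTimeValid; empty when clean
        Flags   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$results = Get-ChildItem -Path $SampleDir -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $chainInfo = if ($sig.SignerCertificate) { Test-SignerChain $sig.SignerCertificate } else { $null }
    [pscustomobject]@{
        File        = $_.Name
        SigStatus   = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        Timestamped = [bool]$sig.TimeStamperCertificate
        ChainOk     = if ($chainInfo) { $chainInfo.ChainOk } else { $false }
        ChainFlags  = if ($chainInfo) { $chainInfo.Flags } else { 'NoSigner' }
    }
}

# Files sharing one signer cert: the situation described in the post above
$results | Where-Object Thumbprint | Group-Object Thumbprint | Where-Object Count -gt 1 | ForEach-Object {
    "Certificate $($_.Name) signs $($_.Count) files:"
    $_.Group | Format-Table File, SigStatus, ChainOk, ChainFlags, Timestamped -AutoSize | Out-String
}

# Anything carrying a signature that does not fully verify deserves a closer look
$results | Where-Object { $_.SigStatus -ne 'NotSigned' -and -not $_.ChainOk } |
    Format-Table File, SigStatus, ChainFlags -AutoSize
```

One reason two files signed with the same certificate can verify differently is the revocation date: a signature timestamped before the CA's revocation date can still be accepted, while one without a trusted timestamp (or timestamped later) is not, so the Timestamped column is worth reading alongside the chain flags.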

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA
Contact:

Re: Digitally signed malware

Post by Cody Johnston » Sat Mar 17, 2012 9:29 am


rkhunter
Posts: 1150
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Digitally signed malware

Post by rkhunter » Sat Mar 17, 2012 11:02 am

