A forum for reverse engineering, OS internals and malware analysis 

Search found 6 matches

 Go to advanced search

ORX Locker

 by Mad_Dud ¦  Fri Sep 04, 2015 11:43 am ¦  Forum: Malware ¦  Topic: ORX Locker ¦  Replies: 3 ¦  Views: 3819

ORX locks all of the user’s files and demands a payment. The Ransomware is available on a Darknet website. Distribution method is not clear yet. ORX may be distributed via unsafe browsing, corrupted attachments, drive-by downloads, etc. The ransomware connects to the official TOR project website and...

Re: Black Energy 2.1+

 by Mad_Dud ¦  Thu Nov 06, 2014 10:51 am ¦  Forum: Malware ¦  Topic: WinNT/BlackEnergy ¦  Replies: 38 ¦  Views: 61777

It seems like there are two new unique observables identified in Black Energy used in Sandworm operation: Bots started to receive "destr" command, which destroys hard disk by overwriting with random data (on application level and driver level) at a certain time. Bots also use Google+ to check if bot...

Re: Zerolocker Ransomware

 by Mad_Dud ¦  Thu Aug 21, 2014 7:17 am ¦  Forum: Malware ¦  Topic: Zerolocker Ransomware ¦  Replies: 1 ¦  Views: 2717

Some technical details: ZeroLocker adds a .encrypt extension to all files it encrypts. Unlike most other ransomware ZeroLocker encrypts virtually all files on the system , rather than using a set of pre-defined filetypes to encrypt. It doesn't encrypt files larger than 20MB in size, or files located...

Re: Win32/Zeus (alias Zbot)

 by Mad_Dud ¦  Tue Apr 22, 2014 8:43 am ¦  Forum: Malware ¦  Topic: Win32/Zeus (alias Zbot) ¦  Replies: 281 ¦  Views: 363733

According to Fortinet - P2P Zeus Performs Critical Update On April 8, our monitoring system found that the version number included in the encrypted TCP packet has been updated to 0x3B. Apart from its original functions of banking information stealing, process injection, and so on, the new binary wou...

Ebury SSH rootkit

 by Mad_Dud ¦  Mon Feb 17, 2014 9:59 am ¦  Forum: Malware ¦  Topic: Ebury SSH rootkit ¦  Replies: 2 ¦  Views: 3313

Could anyone share source code or sample of this rootkit? SID: alert udp $HOME_NET any -> $EXTERNAL_NET 53 \ (msg:"Ebury SSH Rootkit data exfiltration";\ content:"|12 0b 01 00 00 01|"; depth:6;\ pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}\ (([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x0...


 by Mad_Dud ¦  Tue Sep 17, 2013 4:03 pm ¦  Forum: Completed Malware Requests ¦  Topic: Downloader.Dromedian ¦  Replies: 2 ¦  Views: 2283

Hi guys. I'm analyzing Downloader.Dromedian - https://www.symantec.com/security_response/writeup.jsp?docid=2011-101915-4058-99&tabid=2 So far i don't have sample yet, but symantec reports several infections in last 24 hours. Most of the files is in format dx*.exe . Symantec lists several C&C domains...