A forum for reverse engineering, OS internals and malware analysis 


Re: .js malware

 by Squirl ¦  Thu Mar 28, 2013 3:25 pm ¦  Forum: Malware ¦  Topic: .js malware ¦  Replies: 8 ¦  Views: 4582

Use http://technet.microsoft.com/en-gb/sysi ... 96645.aspx and filter on the term "2a3.js"

Delete the file and see what rewrites it. If it's a legitimate Windows process, then something's injected into it.

Zbot C2 config

 by Squirl ¦  Tue Mar 26, 2013 12:45 pm ¦  Forum: Malware ¦  Topic: Win32/Zeus (alias Zbot) ¦  Replies: 281 ¦  Views: 363746

url: hxxp://paypal-servcies.com/
hxxp://paypal-servcies.com:2082/login/
hxxp://paypal-servcies.com/server/cp.php?m=login

MySQL DB creds: User = admin
pass = "" [empty string]

Re: Shutting down P2P botnet ?

 by Squirl ¦  Thu Mar 21, 2013 3:21 pm ¦  Forum: Malware ¦  Topic: Shutting down P2P botnet ? ¦  Replies: 9 ¦  Views: 9192

@Radikal, I'd suggest reading the Sophos ZeroAccess whitepaper: http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf?dl=true The reason this botnet is so hard to sinkhole is because of its peer-list updating mechanism; each bot will only update its list wi...

Chameleon bot samples

 by Squirl ¦  Wed Mar 20, 2013 3:25 pm ¦  Forum: Malware ¦  Topic: Chameleon bot samples ¦  Replies: 1 ¦  Views: 2303

Hi guys, I know this is really broad and not a whole lot of information to go on, but is anybody in possession of a sample described here: http://www.spider.io/blog/2013/03/chameleon-botnet/ Spider.io are being incredibly reserved with sample (and hash) sharing. Any help greatly appreciated, willing...

Re: Zero Day Java Exploits(All Java Exploits goes here)

 by Squirl ¦  Tue Mar 19, 2013 4:12 pm ¦  Forum: Malware ¦  Topic: Zero Day Java Exploits(All Java Exploits goes here) ¦  Replies: 68 ¦  Views: 320414

Spam campaign serving up Blackhole. http://www.symantec.com/connect/blogs/pope-themed-spam-attacks-leads-malware URLs used in the campaign: hxxp://aven-clan.net76.net/popesued.html hxxp://daewoo.maglan.ru/popesued.html hxxp://7887.ru/popesued.html hxxp://dota-soul.ru/popesued.html All samples curren...

Android.Notcompatible trojan

 by Squirl ¦  Tue Mar 19, 2013 8:48 am ¦  Forum: Malware ¦  Topic: Android Malware(All Android malware goes here) ¦  Replies: 105 ¦  Views: 192164

Currently being served up in a spam campaign, subject line of "Hot News": http://www.infosecurity-magazine.com/view/31277/still-notcompatible-android-trojan-takes-fresh-tack-with-spearphishing/?utm_source=twitterfeed&utm_medium=twitter Example URLs: hxxp://www.ceipjuandelacosa.es/xbnawwq/yqvjsycp/ql...

Re: Java 0day CVE-2013-1493

 by Squirl ¦  Tue Mar 05, 2013 2:26 pm ¦  Forum: Malware ¦  Topic: Zero Day Java Exploits(All Java Exploits goes here) ¦  Replies: 68 ¦  Views: 320414

And here's the Jar

Re: Java 0day CVE-2013-1493

 by Squirl ¦  Tue Mar 05, 2013 1:38 pm ¦  Forum: Malware ¦  Topic: Zero Day Java Exploits(All Java Exploits goes here) ¦  Replies: 68 ¦  Views: 320414

I'm just working on obtaining the Jar - in the meantime, here's the payload after a successful exploit.

Win32/MiniDuke

 by Squirl ¦  Wed Feb 27, 2013 4:12 pm ¦  Forum: Malware ¦  Topic: Win32/MiniDuke ¦  Replies: 6 ¦  Views: 11003

Hi all, Does anybody have any of the droppers mentioned here: http://blog.crysys.hu/2013/02/miniduke/ http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf MD5s: 3668b018b4bb080d1875aee346e3650a 88292d7181514fda5390292d73da28d4 3f301758aa3d5d123a9ddbad1890853b 0cdf55626e56ffbf1b198beb4f6ed559...

Phoenix Exploit Samples

 by Squirl ¦  Tue Feb 26, 2013 4:49 pm ¦  Forum: Malware ¦  Topic: Phoenix Exploit Samples ¦  Replies: 1 ¦  Views: 2417

nakedworldcelebrities\x2ecom

redir to *.ddns.name

All samples in archive