A forum for reverse engineering, OS internals and malware analysis 


Re: Stuxnet case

 by swirl ¦  Sun Sep 19, 2010 9:30 pm ¦  Forum: Malware ¦  Topic: Stuxnet case ¦  Replies: 64 ¦  Views: 84687

swirl Gave a nice link to Langer which linked to here - http://www.upi.com/News_Photos/Features/The-Nuclear-Issue-in-Iran/1581/2/ - It quite clearly shows SCADA software with an error seen on a computer screen of the Bushehr nuclear power plant = Licence Expired :P about that image, some nice comme...

Re: Stuxnet case

 by swirl ¦  Sat Sep 18, 2010 11:38 pm ¦  Forum: Malware ¦  Topic: Stuxnet case ¦  Replies: 64 ¦  Views: 84687

Proof links? Al it is just a rumor? I don't think we will have any sort of proof.. but it seems a plausible hypothesis given that Stuxnet spread mostly in Iran and considering its final aim. Most of the media hype and analysis focused on the .LNK vuln and in the later days on the 3 more vulns inclu...

BlackEnergy DDoS Agent

 by swirl ¦  Thu Apr 29, 2010 10:50 pm ¦  Forum: Malware ¦  Topic: WinNT/BlackEnergy ¦  Replies: 38 ¦  Views: 63079

Just for sharing this interesting sample; it's old but overall nice compared to most of the copy&paste malware out there.. For a complete analysis: http://www.secureworks.com/research/threats/blackenergy2/ http://blog.fireeye.com/research/2010/03/black-energy-crypto.html In the package (pw: infected): ...

Re: Backdoor.Rohimafo

 by swirl ¦  Sun Apr 25, 2010 4:56 pm ¦  Forum: Malware ¦  Topic: WinNT/Simda ¦  Replies: 43 ¦  Views: 58245

The !kill_os command is sent from the C&C. I let it run for some time but didn't receive it, so I don't know what triggers it :\ My guess is that they could have some check on the C&C side for known sandboxes based on the received info from the bot: username/computername/botid (which is generated from ...

WinNT/Simda

 by swirl ¦  Sat Apr 24, 2010 5:47 pm ¦  Forum: Malware ¦  Topic: WinNT/Simda ¦  Replies: 43 ¦  Views: 58245

Some additional info to this: hxxp://blog.inreverse.net/2010/04/backdoorrohimafo.html (pw for zip: infected)
asterixdylan.com: 91.213.174.3 - VolgaHost / Bondarenko Dmitriy Vladimirovich
aaron99999999.com: 91.213.174.3
anabalikss.com: 193.105.207.10 - ALFAHOSTNET / Romanov Artem Alekseevich / 193.105....