[leeno]

m55: 3aacd24db6804515b992147924ed3811


Hi ,

sample of the Backdoor:MacOS_X/SabPab.A is attached . if any body can help me with the pcap as i lack mac vm/system

SabPab.rar

(11.48 KiB) Downloaded 48 times

[Xylitol]

sample already posted here http://www.kernelmode.info/forum/viewto ... 430#p12721

[EP_X0FF]

m55: 3aacd24db6804515b992147924ed3811


Hi ,

sample of the Backdoor:MacOS_X/SabPab.A is attached . if any body can help me with the pcap as i lack mac vm/system

SabPab.rar

What exactly you interested? It generates requests encrypted by something primitive (see _encode_buf_internal)

rtx556.onedumb.com is down.

[leeno]

sample already posted here http://www.kernelmode.info/forum/viewto ... 430#p12721

I am really sorry for duplication ,will avoid next time

[leeno]

m55: 3aacd24db6804515b992147924ed3811


Hi ,

sample of the Backdoor:MacOS_X/SabPab.A is attached . if any body can help me with the pcap as i lack mac vm/system

SabPab.rar

What exactly you interested? It generates requests encrypted by something primitive (see _encode_buf_internal)

rtx556.onedumb.com is down.

Thanks Man for the information It tries following http header request but i need pcap for snort sig generation . How did you find the rtx556.onedumb.com domain

POST /update.aspx HTTP/1.1
Accept: */*
Referer: %s
Content-Type: multipart/form-data; boundary=---------------------
------%x
Accept-Encoding: base64,gzip
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3
Host: %s
Content-Length: %d
Connection: Keep-Alive
Cache-Control: no-cache

[EP_X0FF]

How did you find the rtx556.onedumb.com domain

It is stored inside as encrypted base64 encoded text (e3SCNUA2Om97ZXJ1fGI+Y4Bt).