
SuperBowl Attack

This is a partial analysis of the file involved in the malicious "superbowl" JavaScript. I'll be adding more to this soon. Sorry it's a little late.

V.

Malware analysis: Nailuj sys file

Lately a lot of malware is using rootkit techniques. Private and antivirus companies are trying to develop tools against malware but, despite the fact that most of the techniques are well documented around the net, only a few companies are getting positive results. This particular malware is a perfect example because when it came out only a few tools were able to recognize its nasty operations. Don't know what you think, but that sounds a little bit strange to me.

Hello.
Nothing new, nothing special... just a malware analysis from me.

Download the paper from here

Paper: Virtual Machine Threats

Virtual Machine Threats
by Symantec Research

As virtual machine emulators have become commonplace in the analysis of malicious code, malicious code has started to fight back. This paper describes known attacks against the most widely used virtual machine emulators (VMware and VirtualPC). This paper also demonstrates newly discovered attacks on other virtual machine emulators (Bochs, Hydra, QEMU, and Xen), and describes how to defend against them.

New technology of rootkits: Unreal

Unreal rootkit hides a file and a driver. Works on NT-based operating systems with NTFS file systems. It doesn't have a process, so it doesn't hide processes! It also does not hide registry keys, so no registry keys are hidden! Make sure that you read this post before you start tests or write something.

Read the Forum Post from SysInternals

Pretty interesting read.
It seems like no rootkit detector is able to detect this.

Paper: Static Analyzer of Vicious Executables (SAVE)

SAVE seeks to classify closely related pieces of malicious software for the purpose of identifying future ones. The core idea is a good one: byte code is modified for the purpose of obfuscating the signature of a piece of malware. The stated goal is to modify it in such a way that it is possible to fool antivirus scanners. This is done in five different ways.

  1. Null operations are inserted into dead code. Assuming that one is modifying a section of code, insert null operations into the region. Nops are inserted at various places.

Another Stration Run...

Those guys are pretty busy, 18 different packers/scramblers used in this sample this morning:

2e908d07dcd1a131ff64961c75890bce
7ad860ecf541824a3daf4fc829266f56
be220034958e7369761949a932b96aca

Fat-Fingered Worm Writers Strike Again

The Internet Storm Center has a post about a strange variant of the Big Yellow Worm that has been scanning an unusual port:
http://isc.sans.org/diary.html?storyid=2040

The port in question (2968/tcp) is reportedly used by the Netware version of SAV. Specifically, it's the port that rtvscan.nlm listens on. It also happens to be one off from the normal SAV port (2967/tcp). I had a chance to go over some of the captures that this beastie is sending out and it is identical to a variant that was released just before Christmas. No differences to account for the fact that it's attacking a Netware system.

New Graybird.Trojan variant

Stumbled across a new variant of the Graybird trojan last night. Overall it seems to be pretty standard. It drops a file called prsvr.exe (a copy of itself) in the system32 directory. It also creates a small batch file called DELME.bat that it uses to delete the initial .exe file. It creates multiple startup entries in the registry, almost all of which can be identified by searching for "prsvr.exe" or "Procedure Distribution Service".

On the network side of the house it sends out some DNS lookup requests for 44384.ipread.com, which resolves to 218.28.29.141 (a netblock in China). It then tries to connect to this IP on port 8000, presumably to download the next stage. Alas for this critter this system seems to have been cleaned since all it gets back are RST packets.
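The two posts above (the Big Yellow worm sweeping 2968/tcp and the Graybird variant with its prsvr.exe drop, registry markers, DNS lookup and port 8000 connection) give enough indicators to match against host and network logs. The script below is an added example, not code from this blog or its authors: it takes only the indicators quoted in the posts and runs them over constructed registry-export, DNS and flow log lines in a hypothetical format (the line layouts, the SCAN_THRESHOLD value and the field names are assumptions made for the example).

```python
"""Match the Big Yellow and Graybird indicators quoted above against
constructed log lines. Added example; the log formats are hypothetical."""
import re
from collections import defaultdict

# --- Indicators taken from the posts above -----------------------------------
GRAYBIRD_REG_MARKERS = ("prsvr.exe", "procedure distribution service")
GRAYBIRD_DNS = "44384.ipread.com"
GRAYBIRD_C2 = ("218.28.29.141", 8000)
SAV_PORTS = (2967, 2968)      # normal SAV port and the Netware rtvscan.nlm port
SCAN_THRESHOLD = 3            # assumption: distinct hosts hit on SAV ports before calling it a sweep

# --- Constructed sample logs (not captured data) ------------------------------
REGISTRY_EXPORT = [
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Program Files\Vendor\upd.exe"',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prsvr = "C:\WINDOWS\system32\prsvr.exe"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\prsvr\DisplayName = "Procedure Distribution Service"',
]
DNS_LOG = [
    "2007-02-05 10:14:01 client=10.0.0.5 query=www.example.com type=A",
    "2007-02-05 10:14:02 client=10.0.0.5 query=44384.ipread.com type=A",
]
FLOW_LOG = [
    "2007-02-05 10:14:03 tcp 10.0.0.5:1043 -> 218.28.29.141:8000 syn",
    "2007-02-05 10:14:03 tcp 218.28.29.141:8000 -> 10.0.0.5:1043 rst",
    "2007-02-05 10:15:00 tcp 10.0.0.9:3301 -> 10.0.1.10:2968 syn",
    "2007-02-05 10:15:00 tcp 10.0.0.9:3302 -> 10.0.1.11:2968 syn",
    "2007-02-05 10:15:00 tcp 10.0.0.9:3303 -> 10.0.1.12:2968 syn",
    "2007-02-05 10:15:01 tcp 10.0.0.9:3304 -> 10.0.1.13:2968 syn",
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\w+)$"
)
DNS_RE = re.compile(r"client=(?P<client>[\d.]+) query=(?P<name>\S+)")


def scan_registry(lines):
    """Flag registry values carrying a Graybird marker (case-insensitive)."""
    hits = []
    for line in lines:
        low = line.lower()
        for marker in GRAYBIRD_REG_MARKERS:
            if marker in low:
                hits.append({"kind": "graybird_registry", "marker": marker, "line": line})
                break  # one finding per line is enough
    return hits


def scan_dns(lines):
    """Flag clients resolving the Graybird staging host."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and m.group("name").lower() == GRAYBIRD_DNS:
            hits.append({"kind": "graybird_dns", "client": m.group("client"), "line": line})
    return hits


def scan_flows(lines):
    """Flag outbound Graybird C2 attempts and SAV-port sweeps.

    A sweep is reported once per source, when it has sent SYNs to
    SCAN_THRESHOLD distinct destinations on 2967/2968; a single admin
    connection to one host never reaches the threshold.
    """
    hits = []
    sav_targets = defaultdict(set)
    for line in lines:
        m = FLOW_RE.match(line)
        if not m or m.group("flags") != "syn":
            continue
        src, dst, dport = m.group("src"), m.group("dst"), int(m.group("dport"))
        if (dst, dport) == GRAYBIRD_C2:
            hits.append({"kind": "graybird_c2", "src": src, "line": line})
        if dport in SAV_PORTS:
            sav_targets[src].add(dst)
            if len(sav_targets[src]) == SCAN_THRESHOLD:
                hits.append({"kind": "sav_port_sweep", "src": src, "targets": SCAN_THRESHOLD})
    return hits


def run_all():
    """Run every scanner over the constructed logs and return all findings."""
    return scan_registry(REGISTRY_EXPORT) + scan_dns(DNS_LOG) + scan_flows(FLOW_LOG)


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

Against the constructed logs this yields five findings: two registry markers, the DNS lookup, the SYN to 218.28.29.141:8000, and one sweep from 10.0.0.9 once it has touched three hosts on 2968/tcp. The RST reply in the flow log is skipped on purpose, matching the post's observation that the staging host only answers with resets.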

Recently uploaded to collection

ef430c604d3ba7aede5ef69679497a74 citi.scr 487,936 bytes
f5d9f30e2b83daf503e26ebf06604a27 fotos.scr 415,744 bytes
b15afa599cc10f86a8d7ea63376d6843 downloader.exe 48,640 bytes
058377b3fea342a37bf08aa9eb683550 clientsrv.exe 589,312 bytes

Zolb variant... registered!

Disguised as a codec... but downloads adware or spyware!

File: 2c5bc9d3faeba122e435e5f5d0c96b27.exe
MD5: 2c5bc9d3faeba122e435e5f5d0c96b27
Size: 54800

File: 63d8eef9a6b748c8aca89847cbc1fed2.exe
MD5: 63d8eef9a6b748c8aca89847cbc1fed2
Size: 56976

File: 94c979b2f3fcddb5c083d4faa5998bc0.exe
MD5: 94c979b2f3fcddb5c083d4faa5998bc0
Size: 73632

File: a77ccf9705483b31f53d70de8b2ead32.exe
MD5: a77ccf9705483b31f53d70de8b2ead32
Size: 96980

File: a032878bede5c8a31403f4d74d7928c9.exe
MD5: a032878bede5c8a31403f4d74d7928c9
Size: 68888

File: bb33e231225a6dbd9b30a5982172fa79.exe