WARNING: This site contains samples of live malware. Use at your own risk.

PHP pBot Dissection

Today I'll dissect a website infected with PHP:Pbot-A, according to the Avast naming convention.

Be careful, the reported link is still alive!

This infected URL emerged from a malicious domains DB:

http://jamera2.justfree.com/cmdupload2.txt

As you can see, it looks like a classic .txt file, but this is classic evidence of an RFI infection.

MD5 : da67134fc6953201d3556f5fedbcd50d

/*
*
* #crew@corp. since 2003
* edited by: devil__ and MEIAFASE
* Friend: LP
* COMMANDS:
*
* .user //login to the bot
* .logout //logout of the bot
* .die //kill the bot
* .restart //restart the bot

YARA 1.3 released

I'm glad to announce a new version of YARA which includes three new major features, some of them inspired by requests and suggestions of some users out there. They are:

* C-style includes. Now you can include a YARA source file into another just like you do in your C programs with the #include pre-processor directive.

* Metadata in rules. Rules now can contain associated metadata in identifier/value pairs. Metadata information can be string, integer or boolean values. This metadata can be accessed later from the yara-python extension.

* Multi-source compilation in yara-python. A group of YARA source files can be compiled together in yara-python. In this way rules from different sources can be matched at the same time against your data, which is more efficient than compiling and matching each source independently.

Here is an example of the "include" and "metadata" features:

include "./includes/some_other_rules.yar"

rule silent_banker : banker
{
    meta:                                         
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings: 
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}  
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

For more info:
http://code.google.com/p/yara-project/

Turbodiff v1.01 Beta Released


Turbodiff is a high-performance IDA plugin designed to detect differences between executable binaries.
It works on architectures supported by IDA 4.9 FREE, IDA 5.0 through 5.5.
Turbodiff was developed by Nicolas A. Economou, from the Exploit Writers Team of Core Security Technologies.

The tool's page is here: Coresecurity's Turbodiff

You can also read the presentation of Turbodiff at Ekoparty '09.

Buenos Aires, Argentina.

Swimming into Trojan and Rootkit GameThief Win32 Magania Hostile Code

Hi,

Here is my last paper.

Abstract

Trojan-GameThief.Win32.Magania, according to Kaspersky naming convention, monitors the user activities trying to obtain valuable information from the affected user, especially about gaming login accounts. This long tutorial analyzes this malware but is also a general document which explains how to analyze a modern nested-dolls malware.

http://www.accessroot.com/arteam/site/download.php?view.313

Regards,
Giuseppe 'Evilcry' Bonfa'

Tool for visualizing encrypted and/or packed data with special focus on PE-files ...


Hi folks,

I developed a tool which might be of interest for you/us reversers. It's
capable of creating histograms for the spreading of byte-codes for a
whole file as well as section-wise regarding PE-files. This will make
the detection of crypted and/or packed data much easier. The tool (a
windows and a linux version) and a decent description is available under
our CERT-homepage:

http://cert.at/downloads/software/bytehist_en.html

Plz let me know if you encounter any problems or have any questions.

Cheers,
Christian Wojner.
CERT.at
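
The section-wise byte histogram described in the post above can be sketched as follows. This is an added example, not bytehist's code or output: the entropy summary, the 7.0 bits-per-byte threshold, the section names and the two-section sample image are all assumptions constructed for illustration.

```python
import hashlib, math, struct
from collections import Counter

def byte_histogram(data):
    """256-entry list: how often each byte value occurs in data."""
    counts = Counter(data)
    return [counts.get(b, 0) for b in range(256)]

def entropy(hist):
    """Shannon entropy of a histogram in bits per byte (0.0 to 8.0)."""
    total = sum(hist)
    return -sum(c / total * math.log2(c / total) for c in hist if c)

def pe_sections(pe):
    """Yield (name, raw_bytes) for each entry in the PE section table."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the headers
    for off in range(table, table + 40 * nsect, 40):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def section_report(pe, threshold=7.0):
    """Map section name -> (entropy, distinct byte values, flagged)."""
    report = {}
    for name, raw in pe_sections(pe):
        hist = byte_histogram(raw)
        h = entropy(hist)
        report[name] = (round(h, 2), sum(1 for c in hist if c), h >= threshold)
    return report

def build_sample():
    """Constructed two-section PE-like image (sample data, not a real binary)."""
    code = (b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x5d\xc3\x90" * 86)[:1024]
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    def sec(name, size, ptr):
        return name.ljust(8, b"\0") + struct.pack("<4I", size, 0x1000, size, ptr) + bytes(16)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    return dos + coff + sec(b".text", 1024, 168) + sec(b".packed", 1024, 1192) + code + packed

if __name__ == "__main__":
    for name, row in section_report(build_sample()).items():
        print(name, row)
```

Ordinary code uses a handful of byte values very often, giving a spiky histogram and low entropy, while compressed or encrypted data spreads almost evenly over all 256 values; small sections and embedded resources can still cross the threshold, so a flag is a prompt to look closer rather than a verdict.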

W32/Rustock.F, a quite unknown Rustock.C dropper

Some days ago a friend of mine sent me a suspicious piece of malware; unfortunately I couldn’t look at it before yesterday night because I was out for work.

By submitting the file to virustotal.com I could see that only 39,02% of the AVs recognize it as malware (some popular antivirus products like Kaspersky or Symantec, for example, don’t recognize it); Microsoft calls it “TrojanDropper:Win32/Rustock.F” while for Panda it is “Trj/Rustock.L”.

As the analysis shows, this really is a dropper for the famous malware Rustock.C.

A lot of papers have been written on Rustock.C, so I will analyze only this dropper, to let you know that this is malware even if your antivirus does not flag it as a bad application.

The file I’m talking about is called “is7771.exe”.

In the article I will explain the behaviour of the dropper in detail; take a look at it here:


http://revengstuff.wordpress.com/files/2009/09/rustock_f1.pdf

My Ether Installation Method

I've gotten a few emails from people asking questions about how to install Ether. I thought I would put some very rough notes together for my general method to install it. Artem Dinaburg and crew have some good notes at the official Ether website but there are a few more things I do to get things rolling.

Here goes:

  1. Download the Debian AMD64 5.x net installation ISO and install it. Get your network card and configuration working.
  2. Install ONLY the linux-image-2.6.26-*-xen-amd64 package. You just want the kernel for this one. This is where I've gotten myself into trouble by installing the kernel source that comes with the patched Xen system.
  3. Download the Xen and the ether_ctl source and patch as described on the Ether installation instructions page.
  4. Install the Debian packages necessary to get the system up and running. I recently installed a system and this is the output of dpkg --get-selections command: ether_install_packages.log
    Hint: grep '[[:space:]]install$' ether_install_packages.log | awk '{print $1}' | xargs aptitude install
  5. Start compilation of Ether in the following directories, not the main xen-3.1.0-src directory:
    1. cd xen ; make && make install
    2. cd ../tools ; make && make install
    3. cd firmware ; make && make install
  6. Edit the /boot/grub/menu.lst to have an entry that looks something like this (be sure to substitute your information):


    title Debian GNU/Linux, kernel 2.6.26-2-xen-amd64
    root (hd0,0)
    kernel /boot/xen-3.1.0.gz dom0_mem=1G
    module /boot/vmlinuz-2.6.26-2-xen-amd64 root=/dev/sda1 ro quiet
    module /boot/initrd.img-2.6.26-2-xen-amd64

  7. Reboot. You should see a Xen logo then your system will start up and look like normal.
  8. Make a Windows VM and follow the modification instructions on the Ether website.

That should be all it takes to get a working system up and running. While you're playing with Ether be sure to check out Vera as well.

Updates

  • 10/9/2009 - I've heard from a number of people that you may have to disable NX protection in your motherboard's BIOS to get this to work correctly.
  • 10/27/2009 - Updated to not need compilation of libdisasm, updated installed modules list

Google Groups Used To Control Botnets

It seems good that the Symantec guys discovered C&C (command & control) on private Google pages; the following quotes are available from the Symantec blog:

Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. Recent developments have included the utilization of Web 2.0 social networking websites to deliver commands. By integrating C&C messages into valid communications, it becomes increasingly difficult to identify and shut down such sources. It's a concept very similar to that of chaffing and winnowing. Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec has detected.

It’s worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.

The Trojan itself is quite simple. It is distributed as a DLL, and when executed will log onto a specific account:

Escape[REMOVED]@gmail.com
h0[REMOVED]t

The Web-based newsgroup can store both static “pages” and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.

Vizsec 2009: Visualizing Compiled Executables for Malware Analysis

The Vizsec 2009 program looks to be pretty exciting this year. Please join us in Atlantic City, New Jersey; I will be presenting more visualization techniques for malware. I'm presenting a paper titled "Visualizing Compiled Executables for Malware Analysis." I hope to see you there.

Visualizing Compiled Executables for Malware Analysis PDF - This won best paper at the workshop.

Abstract

Reverse engineering compiled executables is a task with a steep learning curve. It is complicated by the task of translating assembly into a series of abstractions that represent the overall flow of a program. Most of the steps involve finding interesting areas of an executable and determining their overall functionality. This paper presents a method using dynamic analysis of program execution to visually represent the overall flow of a program. We use the Ether hypervisor framework to covertly monitor a program. The data is processed and presented for the reverse engineer. Using this method the amount of time needed to extract key features of an executable is greatly reduced, improving productivity. A preliminary user study indicates that the tool is useful for both new and experienced users.

OSSS: Security Suite. Fourth public beta (Vista support)

Over the past six weeks we have implemented a number of new functions.

The first one to mention is automatic customization of rules via Security Master already at the program installation stage.

Starting with version v1.1, search for software in use is performed during the OSSS installation, whereupon the accumulated data are analyzed on our server and the set of rules for the detected applications is generated automatically.