Monday, August 29, 2011
I can add that it runs what looks like a quick DoS test against one Google IP. In addition, it creates a lot of traffic: RDP scans, downloads, receiving commands, and interesting DNS queries for command and control servers.
Judging by the domain owners of the CC servers (China) and their location (Hong Kong), I would say it is likely to be cybercrimeware originating in, erm... Asia. I don't know how difficult it is for a foreigner to register domains with Jiangsu Bangning Science & technology Co. Ltd. in China. One of the domains existed for a few years and changed several Chinese registrars and hosting companies. Like in Russia, DDoS attack crimes are very common in China (I don't have stats for other Asian countries but I am guessing they are common there too :)
I want to thank jsunpack.jeek.org and malc0de.com for the sample.
Thursday, August 11, 2011
I received a phishing email sample indicating that the attackers described in the above post continue their efforts with very slight modifications to the original themes, and I must note that this incident is even simpler than the previous one. I don't know if any accounts were compromised this time; I hope the public disclosure of the previous attacks, along with the notifications on Forward rules and two-factor authentication in Gmail, helped prevent most if not all compromises.
P.S. Google are aware of this. There is not much they can do to prevent these from coming in, but I am sure they are trying. If you are concerned about your account safety, please use two-factor authentication and change your passwords often.
Wednesday, August 10, 2011
Microsoft and Adobe Flash patches vs corresponding document and web exploits (non PDF, CVE numbered)
Again, thanks to Malware Tracker for keeping an exploit timeline for Microsoft products (MS Office, HTML help, Windows thumbnail), these are the patches you need to have installed for protection, or must *not* have installed if you want successful sandbox testing of these exploits.
Some of these, like Flash, were also used as Web exploits. The table below includes only exploits used in documents.
There are too many Flash exploits to list with the links; however, the two lists below allow very easy correlation.
Posted by Mila at 1:09 AM
Tuesday, August 9, 2011
Building a VM sandbox environment for testing malicious documents? I found that sometimes tracking all the full versions and minor updates of Adobe Reader via Old Apps or Adobe.com, and the corresponding CVE numbers, is more time consuming than the actual testing. Here are all the versions necessary for testing, available for download from Contagio. In some cases you need to install the base version and then apply all the incremental updates to get to the version you need.
Many thanks to Malware Tracker for making this easier - see their PDF threats timeline post here: Current PDF Threats
Or, Download all together from HERE
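The two bookkeeping steps this post describes (which exploits a given Reader build should still trigger, and which base installer plus incremental updates get you to that build) as a small added script; this is example code, not from Contagio or Malware Tracker, and the CVE ids, fix versions and installer inventory in it are constructed placeholders, not real data.

```python
"""Correlate a sandbox VM's Adobe Reader build against an exploit timeline.

Assumption: a later dotted version contains every fix of an earlier one,
which is how this post's timelines are read (install the vulnerable build
to trigger the exploit; install the fixing build to be protected).
"""
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.3.4' -> (9, 3, 4); '9.4' -> (9, 4, 0) so that 9.4 sorts after 9.3.4."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


# Constructed placeholder timeline: (CVE id, first version containing the fix).
TIMELINE = [
    ("CVE-PLACEHOLDER-1", "9.3.2"),
    ("CVE-PLACEHOLDER-2", "9.3.4"),
    ("CVE-PLACEHOLDER-3", "9.4.1"),
    ("CVE-PLACEHOLDER-4", "10.0.1"),
]

# Constructed placeholder installer inventory: (version, is_base_installer).
INSTALLERS = [
    ("9.0.0", True), ("9.1.0", False), ("9.2.0", False), ("9.3.0", False),
    ("9.3.2", False), ("9.3.4", False), ("10.0.0", True), ("10.0.1", False),
]


def still_exploitable(installed: str, timeline=TIMELINE) -> List[str]:
    """CVEs whose fix is newer than the installed build: the exploits a
    sandbox at this version is expected to trigger (and the patches a
    production box at this version is still missing)."""
    iv = parse_version(installed)
    return [cve for cve, fixed in timeline if iv < parse_version(fixed)]


def install_chain(target: str, installers=INSTALLERS) -> List[str]:
    """Newest base installer not above the target, then every incremental
    update between that base and the target, in install order."""
    tv = parse_version(target)
    ordered = sorted(installers, key=lambda item: parse_version(item[0]))
    bases = [v for v, is_base in ordered if is_base and parse_version(v) <= tv]
    if not bases:
        raise ValueError(f"no base installer at or below {target}")
    base = bases[-1]
    updates = [v for v, is_base in ordered
               if not is_base and parse_version(base) < parse_version(v) <= tv]
    return [base] + updates


if __name__ == "__main__":
    print(still_exploitable("9.3.3"))  # placeholder CVEs 2, 3 and 4
    print(install_chain("9.3.4"))      # 9.0.0 base plus five updates
```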
Posted by Mila at 11:47 AM