Sunday, June 24, 2012

Medre.A - AutoCAD worm samples

Medre.A is an AutoCAD worm written in AutoLISP, and a very unusual piece of malware. It was
ESET reported Peru and neighboring countries as the target, but I noticed that one of the samples' (MD5 25c7e10bb537b4265f6144f2cd7f6d95) original name is 未命名1 (Unnamed 1), so I wonder if some targets/sources were Chinese speaking.
P.S. The samples were donated by an anonymous contributor, but the original source is someone from the Malwarebytes forum, and I want to thank him/her (sorry, I don't know the name) for sharing. I hope they do not mind me posting them here.

Thursday, June 21, 2012

RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army

The CitizenLab published their report on the Blackshades RAT used by the Syrian Electronic Army against activists. No need to repeat their excellent analysis, but if you wish to analyze Blackshades and the other RATs that were used in the Syrian attacks, here are the samples for
Looks like they are changing their RAT monthly.

Friday, June 15, 2012

CVE-2012-1875 links and samples

CVE-2012-1875 Internet Explorer 8 exploit has been publicly available from various sources for a few days.
I am adding it here for reference.
For analysis info, see the AlienVault link below and the Metasploit module and demo.

P.S. In case you wonder, I have not stopped doing malware analysis, I still do, but as a longer-term offline project combined with studying/reading. I pause what I am doing to share samples that come along and are better posted sooner, as is, because I do not want to wait until I write up something more expanded. Since most people prefer doing analysis on their own and I add reference links, I don't think it is a huge disappointment :)  ~ Mila

Tuesday, June 12, 2012

90 CVE-2012-0158 documents for testing and research.

While working on a project unrelated to Contagio, I collected a number of CVE-2012-0158 exploit documents (mostly RTF) by going through my own collection and what was shared (and publicly sharable) by Contagio readers. This post contains 90 files, mostly APT targeted, but I did not analyze all of them and cannot guarantee that. These are CVE-2012-0158 exploits from files dated April-June 2012. Some of them were already posted on Contagio.
The files inside the zip are named SHA256_original file name.doc. I think I will be using SHA256 for naming from now on, because it is more standard and it is much easier to auto-generate VT links. The table below shows everything inside the archive with auto-generated VirusTotal links.
Some of them had Japanese and Chinese names that are now translated into English (with (JP) and (CN) in the name).
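The SHA256_original-name convention and the auto-generated VirusTotal links lend themselves to a small script. As an added example (not part of the original post), this Python renames samples that way, builds the link table, and also checks that the hash embedded in an existing name still matches the file's content, which catches a sample that was renamed or altered after it was labeled. The VirusTotal report URL form (/gui/file/<sha256>) and the sample files are assumptions of the example, not taken from the post.

```python
import hashlib
import os
import re
import tempfile
# Archive naming convention from the post: <sha256>_<original file name>
NAME_RE = re.compile(r"^(?P<sha256>[0-9a-fA-F]{64})_.+$")
VT_URL = "https://www.virustotal.com/gui/file/{sha256}"  # VirusTotal file report (assumed form)

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def archive_name(path):
    """SHA256_<original name>, the convention used for the zip in this post."""
    return f"{sha256_of_file(path)}_{os.path.basename(path)}"

def vt_link(sha256):
    return VT_URL.format(sha256=sha256.lower())

def check_named_sample(path):
    """Return (hash in name or None, actual hash, whether they agree)."""
    m = NAME_RE.match(os.path.basename(path))
    actual = sha256_of_file(path)
    named = m.group("sha256").lower() if m else None
    return named, actual, named == actual

def build_table(directory):
    """One row per file: (name, actual SHA256, VT link, name matches content)."""
    rows = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            named, actual, ok = check_named_sample(path)
            rows.append((name, actual, vt_link(actual), ok))
    return rows

def demo():
    """Constructed, harmless files (not malware) exercising rename and check."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "info.doc")
        with open(good, "wb") as fh:
            fh.write(b"{\\rtf1 constructed sample}")
        os.rename(good, os.path.join(d, archive_name(good)))
        bad = os.path.join(d, "0" * 64 + "_Criteria.doc")  # hash-shaped prefix, wrong content
        with open(bad, "wb") as fh:
            fh.write(b"different content")
        return build_table(d)
```

Run demo() to get the table rows; a False in the last column flags a file whose name no longer matches its content.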

Download all the files listed above (email if you need the password)
- thanks to all for sharing

Older similar collections for testing and research are here: Version 4 April 2011 - 11,355+ Malicious documents - archive for signature testing and research

P.S. OK, these are actually CVE-2010-3333. I will not remove them, but FYI (thanks to
  1. ec8b9c68872257cec2552ac727348c09314658d9497085f8a19f58004476c9b8_info.doc
  2. abbd1fa4dde11b94360338de8b5a2af7b09c6149ce1633797da825d5843cea7f_Criteria.doc
  3. 125b8babb6ee4442efc75a5688c6bb5d0c71f8a685bcdff6b4043f3a829e65eb_Oded - Working.rtf
P.P.S. And Paul Baccas from Sophos pointed out that these two are not true exploits but RTF delivery for Buzus (thanks).

  1. 12d574de18f6820ba0d8d566152edb32386b86dde9f3ef7d1004c775b3b34dea_IMG_0056.doc
  2. 300649da673828756cfda29f332d7b39f272c1dd308f0087162e9d58fbacac1f_300649da673828756cfda29f332d7b39f272c1dd308f0087162e9d58fbacac1f.rtf

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability." 

Wednesday, June 6, 2012

May 31 - Tinba / Zusy - tiny banker trojan 8" Gremlin
Tinba, aka Zusy, is an interesting tiny (18-20 KB) banker trojan. It is not the smallest in use these days: Andromeda bot is 13 KB for the resident and only 9 KB for the non-resident version. I got a few samples and hoped to come up with enough data for an IDS signature, but they did a good emulation of the real systems, so it is not trivial. One thing that is very consistent is the 13-byte initial RC4-encoded request.
I am posting details here; if you come up with a signature, please share it with Emerging Threats or here.