Saturday, February 16, 2013

Jan 2013 Shylock (Skype version) sample

In January 2013, Iurii Khvyl and Peter Kruse from CSIS posted an analysis of a Shylock variant capable of spreading through Skype.

You can read their research here: "Shylock calling Skype". The sample is below.

Jan 2013 - Linux SSHDoor - sample

Just a few accumulated samples here, found and shared by others. This one is the Linux SSHDoor malware, which can steal your SSH passwords. ESET covered it in detail in "Linux/SSHDoor.A: Backdoored SSH daemon that steals passwords" (24 JAN 2013).

The related Linux.Chapro.A sample was posted earlier this year as well.

Friday, February 15, 2013

Manipulating Memory for Fun and Profit by Frédéric Bourla - High-Tech Bridge

I am sure you remember the excellent reverse engineering presentations by High-Tech Bridge experts I posted earlier. High-Tech Bridge presented at the ISACA event in Luxembourg, and you can download their detailed and very interesting presentation: "Manipulating Memory for Fun and Profit".
The presentation includes a detailed memory forensics process using Volatility.

by Frédéric BOURLA
Chief Security Specialist
Head of Ethical Hacking & Computer Forensics Departments
High-Tech Bridge SA

Table of Contents
0x00 - About me
0x01 - About this conference
0x02 - Memory introduction
0x03 - Memory manipulation from an offensive angle
0x04 - Memory manipulation from a defensive angle
0x05 - Conclusion

Download the full presentation in PDF 

The text of the presentation (for Google search and to get an idea about the contents):

Sunday, February 10, 2013

Trojan 'Nap' aka Kelihos/Hlux status update by DeepEnd Research and samples

FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting, and indeed is present in some of the samples we saw. The trojan, of course, has many more features, and most of them were documented in previous publications online. This post is a quick update on the state of the Kelihos/Hlux botnet, along with the list of known fast flux domains (1500+) associated with Kelihos distribution or Command & Control (current > 2012). The current and most active name servers are pointing to the ns[1-6], ns[1-6], and ns[1-6], which are also fast flux domains. The double fast flux nature of the botnet (the name servers for the fast flux domains are themselves fast flux domains) makes it very difficult to take down, and sinkholing is only a temporary measure. Despite the two large attempts to take it down (Sep. 2011 and Mar. 2012), the botnet is definitely on the rise again.
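To make the "double fast flux" point concrete from a defender's side, here is an added example (not code from the post or from DeepEnd Research) that scores passive DNS observations for single and double fast flux. It assumes you already have a log of A and NS answers with their TTLs; the thresholds, the domain names and the RFC 5737 documentation addresses in the sample data are constructed for this example and are not the Kelihos domains the post lists.

```python
"""Flag single and double fast-flux domains from passive DNS observations (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    ts: int        # observation time in seconds (constructed values below)
    name: str      # queried owner name
    rtype: str     # "A" or "NS"
    rdata: str     # answer: an IPv4 address for A, a hostname for NS
    ttl: int       # TTL returned with the answer


# Thresholds are assumptions for this example, not figures from the post.
MIN_DISTINCT_ADDRS = 5   # distinct A records seen for one name over the window
MAX_TTL = 300            # fast-flux names rotate on short TTLs


def _norm(name):
    return name.lower().rstrip(".")


def index_by_name(obs):
    """Group answers by (name, rtype); keep the distinct rdata and the lowest TTL seen."""
    rdata = defaultdict(set)
    min_ttl = {}
    for o in obs:
        key = (_norm(o.name), o.rtype)
        rdata[key].add(o.rdata)
        min_ttl[key] = min(min_ttl.get(key, o.ttl), o.ttl)
    return rdata, min_ttl


def is_fluxing(name, rdata, min_ttl):
    """A name is fluxing if its A answers churn across many addresses on short TTLs."""
    key = (_norm(name), "A")
    return (len(rdata.get(key, ())) >= MIN_DISTINCT_ADDRS
            and min_ttl.get(key, MAX_TTL + 1) <= MAX_TTL)


def classify(obs):
    """Return {domain: "double" | "single" | "none"} for every name that has NS records.

    "double" means the domain fluxes and at least one of its name servers fluxes too,
    which is the property that makes takedown by IP or by sinkhole short-lived.
    """
    rdata, min_ttl = index_by_name(obs)
    result = {}
    for (name, rtype), servers in rdata.items():
        if rtype != "NS":
            continue
        domain_flux = is_fluxing(name, rdata, min_ttl)
        ns_flux = any(is_fluxing(ns, rdata, min_ttl) for ns in servers)
        if domain_flux and ns_flux:
            result[name] = "double"
        elif domain_flux:
            result[name] = "single"
        else:
            result[name] = "none"
    return result


def _rotate(name, prefix, n, ttl):
    """Constructed log: one new address per poll, polls spaced one TTL apart."""
    return [DnsObservation(i * ttl, name, "A", f"{prefix}.{10 + i}", ttl) for i in range(n)]


# Constructed sample observations (RFC 5737 documentation addresses, hypothetical names).
SAMPLE = (
    [DnsObservation(0, "flux.example", "NS", "ns1.flux.example", 60),
     DnsObservation(0, "flux.example", "NS", "ns2.flux.example", 60)]
    + _rotate("flux.example", "192.0.2", 6, 60)          # domain rotates
    + _rotate("ns1.flux.example", "198.51.100", 6, 60)   # and so does its name server
    + [DnsObservation(0, "single.example", "NS", "ns1.single.example", 60)]
    + _rotate("single.example", "203.0.113", 6, 60)      # domain rotates, NS is stable
    + [DnsObservation(0, "ns1.single.example", "A", "203.0.113.200", 3600)]
    + [DnsObservation(0, "static.example", "NS", "ns1.static.example", 86400),
       DnsObservation(0, "static.example", "A", "192.0.2.250", 3600)]
)

if __name__ == "__main__":
    for domain, verdict in sorted(classify(SAMPLE).items()):
        print(f"{domain:20s} {verdict}")
```

The classifier only looks at record churn and TTLs, so it is a triage filter rather than proof: a CDN-fronted site can also answer with many addresses on short TTLs, and in practice you would add the number of distinct ASNs behind those addresses before acting on a verdict.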

Please read the rest of our post here

You can download the associated binaries (97 files) and pcap below.