Wednesday, June 9, 2010

A Collection of Web Backdoors & Shells – from DK (http://michaeldaw.org) and ARTeam (http://www.accessroot.com)

"I have collected some WEB backdoors in the past to exploit vulnerable file upload facilities
and others. I think a library like this may be useful in a variety of situations.
Understanding how these backdoors work can help security administrators
implement firewalling and security policies to mitigate obvious attacks."   - DK
cmd-asp-5.1.asp        8baa99666bf3734cbdfdd10088e0cd9f
cmdasp.asp             57b51418a799d2d016be546f399c2e9b
cmdasp.aspx            5e83b6ed422399de04408b80f3e5470e
cmdjsp.jsp             815611cc39f17f05a73444d699341d4 (31 hex digits as listed on the original page; truncated)
jsp-reverse.jsp        8b0e6779f25a17f0ffb3df14122ba594
php-backdoor.php       2b5cb105c4ea9b5ebc64705b4bd86bf7 (by z0mbie)
simple-backdoor.php    f091d1b9274c881f8e41b2f96e6b9936
perlcmd.cgi            97ae7222d7f13e908c6d7f563cb1e72b
cfexec.cfm             bd04f47283c53ca0ce6436a79ccd600f

Original Post  http://michaeldaw.org/projects/web-backdoor-compilation


Download link 1 http://michaeldaw.org/projects/wbc-v1b.tar.gz
Download link 2 Webshells from ARTeam http://xchg.info/ARTeam/webshell/

Many thanks to Michael and Gunther for sharing.



Tuesday, June 8, 2010

Jun 8 CVE-2009-4324 Korean Peninsula Situation from iirj@nccu.edu.tw


Nothing new or exciting here except that they used a computer located at the National Chengchi University (Taiwan) and that many AV still fail at the detection of this particular CVE.


 
 Download ATT77316.pdf  100cf902ac31766f7d8a521eeb6f8d68 as a password protected archive (let me know if you need the password)



-----Original Message-----
From: iirj [mailto:iirj@nccu.edu.tw]
Sent: Tuesday, June 08, 2010 10:05 PM
To: XXXXX
Subject: 天安艦後的朝鮮半島新局勢 (translated: The new situation on the Korean Peninsula after the Cheonan)

(Body translated from Chinese)
Hello,
Attached: the new situation on the Korean Peninsula after the Cheonan.
Please see the attachment.
Institute of International Relations, National Chengchi University
蔡增家 (Tsai Tseng-chia)

 File ATT77316.pdf received on 2010.06.28 02:04:43 (UTC)
http://www.virustotal.com/analisis/6b182f64a8b04b3f0c287e29ccb8bacf66cc59b8be5756cf7fb968455fc78d6f-1277690683
Result: 12/40 (30%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.30    2010.06.28    Exploit.JS.Mult!IK
Avast    4.8.1351.0    2010.06.27    JS:Pdfka-AEE
Avast5    5.0.332.0    2010.06.27    JS:Pdfka-AEE
BitDefender    7.2    2010.06.28    Exploit.PDF-JS.Gen
Comodo    5238    2010.06.27    UnclassifiedMalware
F-Prot    4.6.1.107    2010.06.27    JS/ShellCode.BF.gen
F-Secure    9.0.15370.0    2010.06.28    Exploit.PDF-JS.Gen
GData    21    2010.06.28    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.84.0    2010.06.28    Exploit.JS.Mult
McAfee-GW-Edition    2010.1    2010.06.27    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.27    Exploit:JS/Mult.CV
nProtect    2010-06-27.02    2010.06.27    Exploit.PDF-JS.Gen
Additional information
File size: 221345 bytes
MD5...: 100cf902ac31766f7d8a521eeb6f8d68
 Headers

Received: from faculty.nccu.edu.tw (HELO faculty.nccu.edu.tw) (140.119.166.66)
  by xxxxxxxxx
Received: By OpenMail Mailer;Wed, 09 Jun 2010 10:04:41 +0800 (CST)
From: "iirj"
Reply-To: iirj@nccu.edu.tw
Subject: =?big5?B?pNGmd8Slq+GqurTCwkGlYq5xt3OnvbbV?=
Message-ID: <1276049080.14398.iirj@nccu.edu.tw>
To: xxxxx
Date: Wed, 9 Jun 2010 10:04:40 +0800
MIME-Version: 1.0
Return-Path: iirj@nccu.edu.tw
Content-Type: multipart/mixed; boundary="---DBgb4Rh?+gBMpNxwZd2aL(DYw/="

 140.119.166.66
General IP Information
Hostname:    faculty.nccu.edu.tw
ISP:    MOEC
Organization:    National Chengchi University
Proxy:    None detected
Type:    Broadband
Assignment:    Static IP
Country:    Taiwan tw flag
State/Region:    T'ai-pei

Jun 8 Adobe 0 Day CVE-2010-1297 Analysis

Jun 8 Adobe 0 Day CVE-2010-1297 POC by Joshua J. Drake.




 POC here (will crash your browser) http://qoop.org/security/poc/cve-2010-1297  

The POC is based on the same sample as here: Jun 7 Adobe 0 day CVE-2010-1297 11d2f8d754f3e52893c631f0.pdf


 Download  POC files (password infected)






Monday, June 7, 2010

Jun 7 Adobe 0 day CVE-2010-1297 11d2f8d754f3e52893c631f0.pdf




 Download  original_11d2f8d754f3e52893c631f0 plus other files from jsunpack (no password this time)


I hear it worked ok on Adobe 9.3.0 with Win XP Sp3, creates C:\-.exe  (thanks, TaPion)


File original_11d2f8d754f3e52893c631f0 received on 2010.06.07 20:55:29 (UTC)
Result: 23/41 (56.1%)
http://www.virustotal.com/analisis/bd2776e507cf0284a9cfb7deb9a241d6699243a221c125f9911fa753ca8f01d1-1275928154
Antivirus     Version     Last Update     Result
a-squared    5.0.0.26    2010.06.07    HTML.Malicious!IK
AntiVir    8.2.2.6    2010.06.07    HTML/Malicious.PDF.Gen
Authentium    5.2.0.5    2010.06.07    PDF/Expl.HW
Avast    4.8.1351.0    2010.06.07    JS:Pdfka-gen
Avast5    5.0.332.0    2010.06.07    JS:Pdfka-gen
AVG    9.0.0.787    2010.06.07    Exploit_c.GGK
BitDefender    7.2    2010.06.07    Exploit.SWF.J
ClamAV    0.96.0.3-git    2010.06.07    Exploit.PDF-28487
eTrust-Vet    36.1.7617    2010.06.07    PDF/Pidief.RP
F-Prot    4.6.0.103    2010.06.07    PDF/Expl.HW
F-Secure    9.0.15370.0    2010.06.07    Exploit:W32/Pidief.CPT
GData    21    2010.06.07    Exploit.SWF.J
Ikarus    T3.1.1.84.0    2010.06.07    HTML.Malicious
Kaspersky    7.0.0.125    2010.06.07    Exploit.JS.Pdfka.ckq
Microsoft    1.5802    2010.06.07    Exploit:Win32/Pdfjsc.gen!A
Norman    6.04.12    2010.06.07    JS/Shellcode.IK
nProtect    2010-06-07.01    2010.06.07    Trojan-Exploit/W32.Pidief.268333.EY
PCTools    7.0.3.5    2010.06.07    Trojan.Pidief
Sophos    4.53.0    2010.06.07    Troj/SWFDlr-S
Symantec    20101.1.0.89    2010.06.07    Trojan.Pidief.J
TrendMicro    9.120.0.1004    2010.06.07    TROJ_PIDIEF.WX
TrendMicro-HouseCall    9.120.0.1004    2010.06.07    TROJ_PIDIEF.WX
ViRobot    2010.6.7.2341    2010.06.07    JS.S.EX-Pdfka.268333

Additional information
File size: 268333 bytes
MD5...: 721601bdbec57cb103a9717eeef0bfca
SHA1..: 11d2f8d754f3e52893c631f0201b72c909d52cd8


References  - thanks to Ratsoul for the tip
(you can download it from there too)
http://jsunpack.jeek.org/dec/go?report=7fca0277b807433a437553113bf702160ccb365e 

Exploit that cannot be named - I don't have it, it is a Google glitch

Update Jun 8 - see later posts

If you came here looking for the recent Flash exploit you see in the picture below, I don't have it. Not yet.
I don't have any links or words on my site that would make Google send everyone here and I am not engaged in any SEO experiments :) But if you came from the search, like many others, I thought I would save you time searching through the blog.
Please help yourself to any other samples, read other posts and come again - I will post that sample as soon as I have it.
Regards,
Mila

CVE-2010-0188 + CVE-2009-4324 PDF The information you want from tibetstudent@gmail.com



Download 46bd79357c01e68715adf4f63d6a0c6d address book.pdf and 1d539bba6ef0a7c02a40f6bd5a2d5590 data.pdf as a password protected archive (contact me if you need the password)



From: Mr.Wong [mailto:tibetstudent@gmail.com]
Sent: Monday, June 07, 2010 4:52 AM
To: XXXXXXXXXXXXXXXX
Subject: The information you want

Sorry after a long time to think of it. This is the analysis of last outstanding issues and their contacts that you want. Why your mailbox always bounce? Please check if the mailbox is full.

CVE-2009-4324
 File Address_Book.pdf received on 2010.06.28 04:29:57 (UTC)
http://www.virustotal.com/analisis/21ebe23b16213eb37575c90a9e07e35792d3707c007e7c8236a44b7723da9e60-1277699397
Result: 12/40 (30%)
a-squared    5.0.0.30    2010.06.28    Exploit.PDF-JS!IK
Avast    4.8.1351.0    2010.06.27    JS:Pdfka-gen
Avast5    5.0.332.0    2010.06.27    JS:Pdfka-gen
BitDefender    7.2    2010.06.28    Exploit.PDF-JS.Gen
eSafe    7.0.17.0    2010.06.27    Win32.Pidief.H
F-Secure    9.0.15370.0    2010.06.28    Exploit.PDF-JS.Gen
GData    21    2010.06.28    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.84.0    2010.06.28    Exploit.PDF-JS
McAfee-GW-Edition    2010.1    2010.06.27    Heuristic.BehavesLike.Exploit.PDF.CodeExec.EBEO
nProtect    2010-06-27.02    2010.06.27    Exploit.PDF-JS.Gen
PCTools    7.0.3.5    2010.06.28    Trojan.Pidief
Symantec    20101.1.0.89    2010.06.28    Trojan.Pidief.H
Additional information
File size: 327857 bytes
MD5...: 46bd79357c01e68715adf4f63d6a0c6d

CVE-2010-0188 (PDF exploit, base64 shellcode in TIFF - generated with Metasploit)
http://www.virustotal.com/analisis/88b6a2bb9d866f12ff5a5c56cacd2bd1add406f4aa01f40ccefb715e134e71ff-1277699645
File Data.pdf received on 2010.06.28 04:34:05 (UTC)
Result: 17/41 (41.47%)
a-squared    5.0.0.30    2010.06.28    Trojan.Script!IK
AhnLab-V3    2010.06.27.01    2010.06.27    PDF/Exploit
Antiy-AVL    2.0.3.7    2010.06.25    Exploit/Win32.Pidief
Authentium    5.2.0.5    2010.06.27    PDF/Expl.HS
Avast    4.8.1351.0    2010.06.27    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.06.27    PDF:CVE-2010-0188
BitDefender    7.2    2010.06.28    Trojan.Script.435196
eSafe    7.0.17.0    2010.06.27    Win32.Pidief.H
eTrust-Vet    36.1.7668    2010.06.25    PDF/Pidief.QS
F-Prot    4.6.1.107    2010.06.27    JS/Crypted.DT
F-Secure    9.0.15370.0    2010.06.28    Trojan.Script.435196
GData    21    2010.06.28    Trojan.Script.435196
Ikarus    T3.1.1.84.0    2010.06.28    Trojan.Script

PCTools    7.0.3.5    2010.06.28    Trojan.Pidief
Sophos    4.54.0    2010.06.28    Troj/PDFJs-JI
Symantec    20101.1.0.89    2010.06.28    Trojan.Pidief.H
VirusBuster    5.0.27.0    2010.06.27    Exploit.PDFDrop.A
Additional information
File size: 926302 bytes
MD5...: 1d539bba6ef0a7c02a40f6bd5a2d5590



Saturday, June 5, 2010

June 5 Twitter Bifrost spreader h1.ripway.com and some others

This is a very prolific Twitter malware spreader using approximately 70-100 Twitter accounts (as of 5pm June 5, 2010, and their number is growing fast) and one domain, h1.ripway.com. The malware appears to be Bifrost; the binaries differ in MD5, detection rate and callback IPs. The subjects and languages of the Twitter posts differ too.

  Download 6 samples (some are listed below, all are versions of the same trojan)  as a password protected archive (contact me if you need the password) 



https://twitter.com/#search?q=ripway - twitter search

Other malware spreaders you may find interesting are (I did not check every link for malware presence so please correct me if any of the links/searches are false positives). They look bad to me though.

https://twitter.com/#search?q=shup.com
https://twitter.com/#search?q=localhostr.com 
https://twitter.com/#search?q=freewebtown.com
https://twitter.com/#search?q=su1%20exe
http://twitter.com/#search?q=upload2009
http://twitter.com/#search?q=up-00 
http://twitter.com/#search?q=arabsh 
http://twitter.com/#search?q=Download%20Accelerator%20Plus 
http://twitter.com/#search?q=fileave 
http://twitter.com/#search?q=anilaali.com 

Domain  h1.ripway.com

http://www.robtex.com/ip/64.62.181.46.html
64.62.128.0/18
Hurricane Electric 55 South Market St San Jose, CA AS6939
HURRICANE Electric


Malware (a few of the samples used)
 video.xnxx.comvideo61715petite_babe_big_faci.exe
http://virscan.org/report/d7615d0c0d4a6cc91245617662095b62.html    

a-squared 5.0.0.11 20100605043517 2010-06-05 Backdoor.Win32.Bifrose!IK 12.027
AVAST! 4.7.4 100605-0 2010-06-05 Win32:VB-OUL [Trj] 0.008
GData 21.297/21.98 20100605 2010-06-05 Win32:VB-OUL [Trj] [Engine:B] 15.672
Ikarus T3.1.01.84 2010.06.05.76004 2010-06-05 Backdoor.Win32.Bifrose 6.630
JiangMin 13.0.900 2010.06.05 2010-06-05 Trojan/Buzus.hlp 2.267
McAfee 5400.1158 6004 2010-06-05 BackDoor-CEP.gen.cb 17.766
Microsoft 1.5802 2010.06.05 2010-06-05 VirTool:Win32/VBInject.gen!CI 6.919
Norman 6.04.12 6.04.00 2010-06-04 W32/VBInject.AS 6.028
Panda 9.05.01 2010.06.05 2010-06-05 Bck/Bifrost.gen      5.889
Quick Heal 10.00 2010.06.05 2010-06-05 Suspicious - DNAScan 1.765


File Name :   video.exe
http://virscan.org/report/02e932f4725a22c9301b3db9e8e102c0.html
File Size :   193125 byte
File Type :   PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 :   2f4f4c151ed20283443e79f5c35f8d45
AntiVir 8.2.2.6 7.10.7.251 2010-06-04 TR/Spy.218394 0.257
McAfee 5400.1158 6004 2010-06-05 BackDoor-CEP.gen.cb 16.025
Panda 9.05.01 2010.06.05 2010-06-05 Bck/Bifrost.gen      1.708
Quick Heal 10.00 2010.06.05 2010-06-05 Suspicious - DNAScan 1.528
VirusBuster 4.5.11.10 10.126.67/2027645 2010-06-06


File Name :   mahaaa.exe
http://virscan.org/report/b3835cdc5c45685c1c9350fc1318ef11.html   mahaaa.exe 
File Size :   230604 byte
MD5 :   079b2752644e75609ef0ba8329fcabb9
SHA1 :   917139aab4bbc51af958a3e03c00dd19c57b7846
a-squared 5.0.0.11 20100605043517 2010-06-05 Backdoor.Win32.Bifrose!IK 0.888
AntiVir 8.2.2.6 7.10.7.251 2010-06-04 TR/Spy.205381.1 0.264
AVAST! 4.7.4 100605-0 2010-06-05 Win32:Spyware-gen [Spy] 0.014
BitDefender 7.90123.6157321 7.32048 2010-06-06 Gen:Trojan.Heur.om2@rT8DpFoaQ 3.957
GData 21.298/21.99 20100605 2010-06-05 Win32:Spyware-gen [Spy] [Engine:B] 7.262
Ikarus T3.1.01.84 2010.06.05.76004 2010-06-05 Backdoor.Win32.Bifrose 6.541
JiangMin 13.0.900 2010.06.05 2010-06-05 Trojan/Buzus.gvi 1.195
McAfee 5400.1158 6004 2010-06-05 BackDoor-CEP.gen.cb 15.966
Panda 9.05.01 2010.06.05 2010-06-05 Bck/Bifrost.gen      1.721
Quick Heal 10.00 2010.06.05 2010-06-05 Suspicious - DNAScan 1.624


Anubis Report 1  Captain.ex.exe
http://anubis.iseclab.org/?action=result&task_id=182f301d06a8b2c74ed26c9817f6a8c48&format=html
Malware TCP traffic to
 -    82.137.245.67
Syrian Arab Republic (none)  82.137.192.0/18
STE Public Data Network Backbone and LIR AS29386
STE-AS2 Syrian Telecommunications Establishment

 Anubis Report 2 viurgn.com.exe
http://anubis.iseclab.org/?action=result&task_id=1354dfeb3e9278c44a95390c4d036902d&format=html
Malware TCP Traffic to 94.98.220.37:963
http://www.robtex.com/ip/94.98.220.37.html#ip
Hostname:    94.98.220.37.dynamic.saudi.net.sa
ISP:    SaudiNet, Saudi Telecom Company
Organization:    SaudiNet, Saudi Telecom Company
Country:    Saudi Arabia sa flag
State/Region:    Ar Riyad


These are some of the accounts as of June 5 and examples of links/posts



xsyria
hxxp://h1.ripway.com/xboldx/Captain.zip [Arabic, translated:] Poems by Nizar Qabbani and the poet Emad El-Sayed that you will not see anywhere but here
hxxp://h1.ripway.com/xboldx/Captain.exe [Arabic, translated:] The world-famous sex game is now free; try it and you will not lose, you will gain pleasure
hxxp://h1.ripway.com/xboldx/Captain.exe Game Captain now famous celebrity free Ejreboha will Tkhosro Stervhawwa pleasure, but the truth

w3elly

hxxp://h1.ripway.com/hamadh6200/NasSim_x721x .exe Tool speed up the work of Computer

xxhotgirlxx20
hxxp://h1.ripway.com/sexanal/I%20need%20a%20friend.rar

dofus159
hxxp://h1.ripway.com/ftp/video.xnxx.comvideo61715petite_babe_big_faci.exe

xxhotgirlxx20
hxxp://h1.ripway.com/sexanal/I%20need%20a%20friend.rar

ishq7man
hxxp://h1.ripway.com/ishq7man/Chat%20With%20Girls.exe This programm is easy to use you can chat with any one specially (Girls) With Cam

hamodhay
Be free ardoghan Gazah need you'r help .. setub ardoghan tollbar for help us hxxp://h1.ripway.com/hamodhay/ordo.exe
[Arabic, translated:] To liberate the peoples of Gaza and for the victory of Recep Erdoğan, let us unite our slogan: Gaza and Erdoğan.. Download the Erdoğan support program .. hxxp://h1.ripway.com/hamodhay/ordo.rar

bda7
hxxp://h1.ripway.com/abda7/ghost_dz.exe Another version of the solution and the problems of windows XP Abe, Vista program ghost_dz

g0od_b0y
(hxxp://h1.ripway.com/fs0l/Difference.bat } The difference between men and women ...... scientifically

fucksoso
hi am sara and i love sex so much is u wanna know more about me come here hxxp://h1.ripway.com/reem0979/reeeeem.rar we will chatting

fsol_sam
{ hxxp://h1.ripway.com/fs0l/sexy.bat } Games +18

nasser1001
Hello guys Allehaa Turkkm with the download Tvdilo hxxp://h1.ripway.com/vxx9/y1g.com

xxhotgirlxx20
hxxp://h1.ripway.com/sexanal/I%20need%20a%20friend.rar hi
hxxp://h1.ripway.com/sexanal/I%20need%20a%20friend.rar 
hxxp://h1.ripway.com/ababneh11/flash%20pic%20for%20mee%20!!.pif
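Added example, not part of the original post: a Python triage filter over tweets of the kind captured above. It re-fangs the hxxp:// links, percent-decodes the path, and flags free-hosting spreader domains (taken from the search list above), direct executable downloads (including .com, .pif and .bat, which are easy to overlook when only .exe is filtered) and archive downloads, then notes lure wording. The sample tweets are copied from the captures above plus one constructed benign tweet; the host list, the extension lists and the lure words are my choices.

```python
import re
from urllib.parse import unquote, urlparse

# Free-hosting domains the post names as spreaders (from the search list above)
# and the download extensions seen in the captured tweets. Lists are mine.
SPREADER_HOSTS = {"h1.ripway.com", "shup.com", "localhostr.com", "freewebtown.com", "anilaali.com"}
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
ARCHIVE_EXT = {".rar", ".zip"}
LURE_WORDS = {"sex", "sexy", "girls", "free", "chat", "game", "games", "video", "cam", "+18"}

URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s)}]+", re.I)


def refang(url):
    """Turn the defanged hxxp:// form used in the post back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def score_tweet(text):
    """Return the reasons a tweet looks like a malware spreader (empty list = clean)."""
    reasons = []
    for raw in URL_RE.findall(text):
        u = urlparse(refang(raw))
        host = (u.hostname or "").lower()
        filename = unquote(u.path).rsplit("/", 1)[-1]   # "I%20need%20a%20friend.rar" -> "I need a friend.rar"
        ext = filename[filename.rfind("."):].lower() if "." in filename else ""
        if host in SPREADER_HOSTS or any(host.endswith("." + h) for h in SPREADER_HOSTS):
            reasons.append("free-hosting spreader domain " + host)
        if ext in EXEC_EXT:
            reasons.append("direct executable download: " + filename)
        elif ext in ARCHIVE_EXT:
            reasons.append("archive download: " + filename)
    if reasons:   # lure wording only matters when there is something to download
        lure = LURE_WORDS & set(re.findall(r"[a-z0-9+]+", text.lower()))
        if lure:
            reasons.append("lure wording: " + ", ".join(sorted(lure)))
    return reasons


def triage(tweets):
    """{account: [reasons per flagged tweet]} for every tweet that tripped a check."""
    out = {}
    for account, text in tweets:
        reasons = score_tweet(text)
        if reasons:
            out.setdefault(account, []).append(reasons)
    return out


# Constructed sample: the first four are lifted from the captures above, the last is benign.
SAMPLE_TWEETS = [
    ("ishq7man", "hxxp://h1.ripway.com/ishq7man/Chat%20With%20Girls.exe This programm is easy to use "
                 "you can chat with any one specially (Girls) With Cam"),
    ("xxhotgirlxx20", "hxxp://h1.ripway.com/sexanal/I%20need%20a%20friend.rar hi"),
    ("nasser1001", "Hello guys with the download hxxp://h1.ripway.com/vxx9/y1g.com"),
    ("fsol_sam", "{ hxxp://h1.ripway.com/fs0l/sexy.bat } Games +18"),
    ("someone", "Reading about the Cheonan incident http://example.com/news/korea.html"),
]

if __name__ == "__main__":
    for account, hits in triage(SAMPLE_TWEETS).items():
        print(account, hits)
```

Note the nasser1001 link: y1g.com is a file name with a .com extension, an executable on Windows, and a filter that only looks for .exe misses it.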


Friday, May 28, 2010

May 28 CVE-2009-3129 XLS for Office 2002-2007 with FUD keylogger EIDHR from david@humanright-watch.org


Update: Noticed an interesting post by Nart Villeneuve (Internet Censorship Explorer) regarding this malware and decided to update and resurrect the post.

 Download  4f681733fd9e473c09f967fa87c9faef  EIDHR.xls and all the files described below as a password protected archive (contact me if you need the password)


From: david@humanright-watch.org [mailto:david@humanright-watch.org] On Behalf Of ??
Sent: Friday, May 28, 2010 2:31 AM
To: XXXXXX
Subject: 關於EIDHR項目 (translated: Regarding the EIDHR project)

(Body translated from Chinese)
All,
Regarding the EIDHR European human rights programme, I consulted friends at the EU in detail. For the application to go through smoothly, some further material still needs to be supplied; the specific items required and a summary of their contents are attached below. Wishing you all success.
張英 (Zhang Ying)

From: SHARPE Simon (RELEX-BEIJING)
Sent: Monday, May 24, 2010 6:15 PM
Subject: FW: EIDHR 项目征求书 (translated: FW: EIDHR call for proposals)

Hello everyone:

The EU currently has an EIDHR call for proposals. Its purpose is to fund projects that promote human rights, covering a very broad range of fields. Please feel free to share this information with other interested friends.

Themes of project activities
Proposals on the following themes will be given priority:
1. The right to freedom of thought, religion and belief
2. Freedom of speech and expression, including artistic and cultural expression, and the right to information and communication, including media freedom, opposition to censorship, and internet freedom
3. The right to peaceful assembly and freedom of association, including the right to form and join trade unions
4. The right to freedom of movement within a country, to leave any country (including one's own), and to return to one's own country

Project activities
Project activities may take many forms, from monitoring, advocacy, public information and awareness-raising to capacity building, training, and dialogue with stakeholders. The ultimate goal is to strengthen the autonomy of civil society organisations in the country concerned.
The total grant per project is a minimum of EUR 150,000 and a maximum of EUR 1.2 million. Projects must last at least 18 months and no more than 3 years. The important part is the project guidelines in the attachment: a short concept note must be submitted first, and the application deadline is June 15. When applying, fill in the Annex A, B, C etc. forms from the link.
There are two ways to apply:
1. Register and apply through the PADOR system. http://ec.europa.eu/europeaid/onlineservices/pador/index_en.htm
2. Or send the required concept note and forms A, B and C to the following address:
Postal address

European Commission
EuropeAid Co-operation Office
Unit F4 – Finances, Contracts and Audit for thematic budget lines
Call for Proposals Sector
Office: L-41 03/154
B - 1049 Brussels
BELGIUM

Courier address

European Commission
EuropeAid Cooperation Office
Unit F4 – Finances, Contracts and Audit for thematic budget lines
Call for Proposals Sector
Office: L-41 03/154
Central Mail Service
Avenue du Bourget 1
B-1140 Brussels (Evère)
BELGIUM

Details of the call are at https://webgate.ec.europa.eu/europeaid/onlineservices/index.cfm?do=publi.welcome&nbPubliList=15&orderby=upd&orderbyad=Desc&searchtype=RS&aofr=126352
If you need more information, please contact us at any time. Thank you!

夏明 (Xia Ming), Delegation of the European Union to China

Headers
Received: (qmail 3230 invoked from network); 28 May 2010 06:31:58 -0000
Received: from static-ip-251-116-134-202.rev.dyxnet.com (HELO mx02.diaocha8.com) (202.134.116.251)  by XXXXXXXXXXXXXXXXXXX with SMTP; 28 May 2010 06:31:58 -0000
Received: from sppfszwr (unknown [180.98.74.10])
    by mx02.diaocha8.com (EMOS V1.5 (Postfix)) with ESMTPA id 37B71109A81
    for
Reply-To:
Sender: david@humanright-watch.org
Message-ID:
From: =?utf-8?B?5by16Iux?=
To: XXXXXXXXXXXXXXX
Subject: =?utf-8?B?6Zec5pa8RUlESFLpoIXnm64=?=
Date: Fri, 28 May 2010 14:31:10 +0800

Hostname:    180.98.74.10
ISP:    CHINANET jiangsu province network
Organization:    CHINANET jiangsu province network
State/Region:    Jiangsu
City:    Suzhou


-
File EIDHR.xls received on 2010.06.02 04:13:50 (UTC)
http://www.virustotal.com/analisis/8b8960a855603393190152439c64ac9fd16655b304d472ecb83422900369a266-1275452030
Result: 17/41 (41.47%)
a-squared    5.0.0.26    2010.06.02    Trojan-Dropper.MSExcel.Agent!IK
AntiVir    8.2.1.242    2010.06.01    TR/Drop.MSExcel.Agent.BC
Antiy-AVL    2.0.3.7    2010.06.01    Trojan/MSExcel.Agent
Authentium    5.2.0.5    2010.06.02    MSExcel/Dropper.B!Camelot
BitDefender    7.2    2010.06.02    Exploit.D-Encrypted.Gen
F-Secure    9.0.15370.0    2010.06.02    Exploit.D-Encrypted.Gen
GData    21    2010.06.02    Exploit.D-Encrypted.Gen
Ikarus    T3.1.1.84.0    2010.06.02    Trojan-Dropper.MSExcel.Agent
Jiangmin    13.0.900    2010.05.31    Heur:Exploit.CVE-2009-3129
Kaspersky    7.0.0.125    2010.06.02    Trojan-Dropper.MSExcel.Agent.bc
McAfee-GW-Edition    2010.1    2010.06.02    Heuristic.BehavesLike.Exploit.X97.CodeExec.EBEB
Norman    6.04.12    2010.06.01    ShellCode.B
nProtect    2010-06-01.02    2010.06.01    Exploit.D-Encrypted.Gen
PCTools    7.0.3.5    2010.06.02    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.06.02    Bloodhound.Exploit.306
TrendMicro    9.120.0.1004    2010.06.02    TROJ_MDROPR.MRV
TrendMicro-HouseCall    9.120.0.1004    2010.06.02    TROJ_MDROPR.MRV
Additional information
File size: 64166 bytes
MD5...: 4f681733fd9e473c09f967fa87c9faef

Excel opens successfully, displaying "hello", with a Chinese font set as default. The document properties show that it was created on a Lenovo (Beijing) Limited laptop.

Files created

  1. D52EF63FDC5C5452D9DA23BD6D4BF0F5  %userprofile%\Local Settings\Temp\1001.tmp  11 KB  0/41 VirusTotal
  2. D52EF63FDC5C5452D9DA23BD6D4BF0F5  C:\WINDOWS\ntshrui.dll  11 KB  0/41 VirusTotal
  3. A363ABE09A44176386C50EE887359270  %userprofile%\Local Settings\Temp\set.xls  17 KB  clean spreadsheet (the one you see above)




Monday, May 24, 2010

some APT malware samples

 This post is to be continued...


and more



Helper.dll and Helper.exe - Presumably password loggers

C:\windows\system32

 Download helper.exe helper.sys as a password protected archive (contact me if you need the password)


File helper.exe received on 2010.05.06 03:07:02 (UTC)
Result: 1/41 (2.44%)
Sunbelt    6265    2010.05.06    BehavesLike.Win32.Malware (v)
File size: 49152 bytes
MD5...: cf795574914ac35c5a13f1fdeed9dcda

File helper.sys received on 2010.05.06 03:24:10 (UTC)
Result: 3/41 (7.32%)
a-squared    4.5.0.50    2010.05.06    Trojan-PWS.Perfloger!IK
AVG    9.0.0.787    2010.05.05    PSW.Perfloger.DJ
Ikarus    T3.1.1.84.0    2010.05.06    Trojan-PWS.Perfloger
File size: 9600 bytes
MD5   : 2d366e990f5a697ef826b30337c49f01
AppMgmt.dll
C:\Documents and Settings\Default User
File AppMgmt.dll received on 2010.05.06 03:57:39 (UTC)
Result: 5/40 (12.5%)
BitDefender    7.2    2010.05.06    Trojan.CryptRedol.Gen.3
F-Secure    9.0.15370.0    2010.05.06    Trojan.CryptRedol.Gen.3
GData    21    2010.05.06    Trojan.CryptRedol.Gen.3
Microsoft    1.5703    2010.05.05    Backdoor:Win32/Mdmbot.D
nProtect    2010-05-05.01    2010.05.05    Trojan.CryptRedol.Gen.3
Additional information
File size: 30720 bytes
MD5...: e40670e6a0ad1c41211f38b92bfe436a

Service name: Application Management (AppMgmt)
Description: Processes installation, removal, and enumeration requests for Active Directory IntelliMirror group policy programs. If the service is disabled, users will be unable to install, remove, or enumerate any IntelliMirror programs. If this service is disabled, any services that explicitly depend on it will fail to start.
Default start type: Manual

Legitimate key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
ServiceDll = %SystemRoot%\System32\appmgmts.dll
Service start: Manual

Compromised key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters
ServiceDll = C:\Documents and Settings\Default User\AppMgmt.dll
Service start: Automatic

Malware - Blackmailer - Ransomware (warning NSFW)
Original location hxxp://hotblondy.ru/video-loaderv2.exe
 File b4ac31487f8874a20b05f7c31eba9ca6 received on 2010.04.22 05:19:43 (UTC)
Result: 29/40 (72.50%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.04.22     Trojan.Win32.Inject!IK
AntiVir     7.10.6.169     2010.04.21     TR/Inject.alte
Avast     4.8.1351.0     2010.04.21     Win32:Malware-gen
Avast5     5.0.332.0     2010.04.21     Win32:Malware-gen
AVG     9.0.0.787     2010.04.21     Generic15.CGKN
BitDefender     7.2     2010.04.22     Trojan.Generic.3068304
CAT-QuickHeal     10.00     2010.04.22     Trojan.Inject.aknv
Comodo     4663     2010.04.22     UnclassifiedMalware
DrWeb     5.0.2.03300     2010.04.22     Trojan.Blackmailer.1555
F-Secure     9.0.15370.0     2010.04.22     Trojan.Generic.3068304
Fortinet     4.0.14.0     2010.04.21     Malware_fam.A
GData     21     2010.04.22     Trojan.Generic.3068304
Ikarus     T3.1.1.80.0     2010.04.22     Trojan.Win32.Inject
Jiangmin     13.0.900     2010.04.20     Trojan/Inject.icg
Kaspersky     7.0.0.125     2010.04.22     Trojan.Win32.Inject.alte
McAfee     5.400.0.1158     2010.04.22     Generic.dx!hvk
McAfee-GW-Edition     6.8.5     2010.04.22     Heuristic.LooksLike.Win32.SuspiciousPE.C
Microsoft     1.5703     2010.04.21     Trojan:Win32/Trufip!rts
NOD32     5048     2010.04.21     a variant of Win32/LockScreen.FF
Norman     6.04.11     2010.04.21     W32/Inject.UIN
nProtect     2010-04-21.01     2010.04.21     Trojan/W32.Inject.367616
Panda     10.0.2.7     2010.04.21     Trj/CI.A
PCTools     7.0.3.5     2010.04.22     Trojan.Generic
Prevx     3.0     2010.04.22     Medium Risk Malware
Sophos     4.53.0     2010.04.22     Mal/Generic-A
Sunbelt     6206     2010.04.22     Trojan.Win32.Generic!SB.0
Symantec     20091.2.0.41     2010.04.22     Trojan Horse
VBA32     3.12.12.4     2010.04.19     Trojan.Win32.Inject.amif
VirusBuster     5.0.27.0     2010.04.21     Trojan.Delf.EBNJ
Additional information
File size: 367616 bytes
MD5   : b4ac31487f8874a20b05f7c31eba9ca6

Thursday, May 20, 2010

May 20 CVE-2006-2389 DOC osnov ugroz bezopas from yuduinnin@mail.ru




Download ugroz_bezopas_v_TSA.doc 3d77fe374ec8175648646ec4ce5eb2b6 as a password protected archive (contact me if you need the password)


-----Original Message-----
From: Dubinin yurij [mailto:yuduinnin@mail.ru]
Sent: Thursday, May 20, 2010 4:52 AM
To: XXXXXXXXXX
Subject: osnov ugroz bezopas v tsentra Azi (abbreviated, transliterated Russian; roughly "the basics of security threats in Central Asia")



 File ugroz_bezopas_v_TSA.doc received on 2010.06.28 04:01:59 (UTC)
http://www.virustotal.com/analisis/250ff87ba85b2cb7bd04c9e4442eb08f70d5c1d555347c16addaa0d05bda8cb0-1277215255
Result: 6/41 (14.64%)
Authentium    5.2.0.5    2010.06.22    MSWord/Dropper.B!Camelot
eTrust-Vet    36.1.7657    2010.06.22    Win32/Ceeban
F-Prot    4.6.1.107    2010.06.21    CVE-2006-2389
McAfee-GW-Edition    2010.1    2010.06.22    Heuristic.BehavesLike.Exploit.W97.CodeExec.PGPG
Microsoft    1.5902    2010.06.22    Exploit:Win32/Wordinvop.gen
Sophos    4.54.0    2010.06.22    Mal/OLE2SC-A
Additional information
File size: 234241 bytes
MD5...: 3d77fe374ec8175648646ec4ce5eb2b6

ViCheck.ca analysis
https://www.vicheck.ca/malware.php?hash=3d77fe374ec8175648646ec4ce5eb2b6


Headers

Received: from mx1.euroweb.ro (HELO mx1.euroweb.ro) (193.226.61.14)
  by XXXXXXXXXXX
Received: from Dubinin?yuri (unknown [80.239.136.20])
    (Authenticated sender: rab@mb.roknet.ro)
    by mx1.euroweb.ro (Postfix) with ESMTPA id 19C36180127;
    Thu, 20 May 2010 11:51:52 +0300 (EEST)
Reply-To: "Dubinin yurij"
From: "Dubinin yurij"
To: ""XXXXXXXXXX
Subject: osnov ugroz bezopas v tsentra Azi
Date: Thu, 20 May 2010 16:52:00 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Mail_Part_1"
Message-ID: <20100520085155.19C36180127@mx1.euroweb.ro>
80.239.136.20
Hostname:    ftp.de.telia.net
ISP:    TeliaSonera AB
Organization:    Telia International Carrier
Proxy:    None detected
Type:    Corporate
Geolocation Information
Country:    Germany de flag
State/Region:    Hessen
City:    Frankfurt Am Main

Friday, May 14, 2010

Phoenix 2.0 Exploit kit

I normally do not post exploit packs, even partial ones, but I am posting this one because it appears to be the source of the Java files analyzed by InReverse. Read this for more details and the Java analysis.
The other possibility is Crimepack. Let me know if there are others; I may post them too.


 Download  Phoenix2.zip as a password protected archive (contact me if you need the password)

   

List of included files


AdgredY.java    11895    416ff21ed3ddb4ce5665a4917964c5ce
all.js    5167    9432b83d52fc325f5bda83d58598e825  -- All listed except newplayer cve-2009-4324
deie.html    15097    a88f45102b57595d6c7b1cf2c2b4b241  --
flash.as    2746    718803346bbbed11e934c63af99c4a9f
ie.html    14939    1c8bd04644942a0f1832844ee4b44e63
newplayer.js    2595    a2344d3a54f26ae863011323a0973ac8
newplayer cve-2009-4324


Filename            MD5                               Size (bytes)  CVE             Extension
flash.swf           C643C2B8E901E52C14A8D6CE8096E327  1,645                         swf
all.pdf             66BDB0DC68294890E359E91F1EF18D9E  2,677                         pdf
allv7.pdf           B948321DE93582951598F3BDDDCC5735  2,465                         pdf
collab.pdf          EF68F7B0018EDA2C149EF92EAAA666E2  2,012         CVE-2007-5659   pdf
geticon.pdf         1ED11F0EEE47135067F36E73FD5E889E  2,003         CVE-2009-0927   pdf
libtiff.pdf         E1E581CC0D817A808DC33CEB230F91B4  3,514         CVE-2010-0188   pdf
newplayer.pdf       37F28E5BE542AD2E32DA19EE5C44967C  1,975         CVE-2009-4324   pdf
printf.pdf          AF680ECCA07B3294553F672F78554588  1,907         CVE-2008-2992   pdf
index.js            B07E39D831F8EA3F8BCD84DCC9A60FFF  14,272                        js
des.jar             98F5ACDB21E8B8116FE5C7B4BA17D0E9  8,539                         jar
ie.html             30C1A7B87C419A1427932773642FEEE7  14,929        CVE-2009-3867   html
index.html          9939596B9BA5ECD4EE5FD648171EF01C  14,462                        html
vistaie7.html       E8888E4EDA75F6CE016A5FBA9BE02FA3  14,415                        html
vistan7ie8.html     6D11908E6CCC01B14ED0097561853F86  8,747                         html
vistan7other.html   3E4B94ED2A6ED5F7FF42165BB165A46B  13,734                        html
xpie7.html          EDE58120D8C76212E458898B348D2B80  14,420                        html
xpie8.html          A18CCEEE89E13B137C77F88688668CED  8,714                         html
xpother.html        355A809F8B5BDE1E511C628DD75CD871  14,129                        html

Flash exploits are

CVE-2009-1869
CVE-2007-0071

PDF exploits
 CVE-2007-5659
 CVE-2009-0927
 CVE-2010-0188
 CVE-2009-4324
 CVE-2008-2992

Internet Explorer Exploits
CVE-2010-0806

Java Exploits
CVE-2009-3867
CVE-2008-5353

Let me know if I missed any
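Added example, not from the Phoenix kit or from the samples above: a Python triage routine for PDFs like the ones in this kit and the tibetstudent CVE-2010-0188 / CVE-2009-4324 pair earlier on this page. It normalises hex-escaped names (/J#61vaScript), inflates FlateDecode streams, reports the structural keys that matter (/JavaScript, /OpenAction, /XFA and so on) and maps the JavaScript API call behind each listed PDF CVE to that CVE. For CVE-2010-0188 it looks for a base64 TIFF header inside an XFA image element, which is the shape the Metasploit module produces. The two sample PDFs are constructed inline and are harmless; the signature list, the key list and the heuristics are my choices.

```python
import re
import zlib

# Markers for the PDF CVEs listed in this kit, keyed to the CVE each indicates.
# "II*\0" and "MM\0*" (TIFF headers) base64-encode to "SUkq..." and "TU0A...".
SIGNATURES = [
    (re.compile(rb"media\.newPlayer"),                 "CVE-2009-4324 (media.newPlayer)"),
    (re.compile(rb"util\.printf"),                     "CVE-2008-2992 (util.printf)"),
    (re.compile(rb"Collab\.collectEmailInfo"),         "CVE-2007-5659 (Collab.collectEmailInfo)"),
    (re.compile(rb"Collab\.getIcon"),                  "CVE-2009-0927 (Collab.getIcon)"),
    (re.compile(rb"<image[^>]*>\s*(SUkq|TU0A)", re.S), "CVE-2010-0188 (base64 TIFF in XFA image field)"),
]
STRUCT_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|XFA|Launch|EmbeddedFile)\b")


def unescape_names(data):
    """PDF names may hex-escape characters (/J#61vaScript); normalise before matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Yield the decompressed bytes of every Flate stream; skip streams that are not zlib."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates the EOL left before 'endstream' (goes to unused_data)
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue


def triage_pdf(data):
    """Return structural keys, exploit signatures and inflated-stream count for a PDF."""
    views = [unescape_names(data)] + list(inflate_streams(data))
    keys = sorted({k.decode() for v in views for k in STRUCT_RE.findall(v)})
    cves = sorted({label for v in views for pat, label in SIGNATURES if pat.search(v)})
    return {"keys": keys, "cves": cves, "streams": len(views) - 1}


def build_sample_js_pdf():
    """Constructed, harmless PDF: /OpenAction -> hex-escaped /J#61vaScript -> Flate stream."""
    js = b"var s = util.printf('%45000f', 1);"   # the CVE-2008-2992 primitive, not a working exploit
    stream = zlib.compress(js)
    return b"".join([
        b"%PDF-1.6\n",
        b"1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n",
        b"2 0 obj<</S/J#61vaScript/JS 3 0 R>>endobj\n",
        b"3 0 obj<</Length " + str(len(stream)).encode() + b"/Filter/FlateDecode>>stream\n",
        stream,
        b"\nendstream\nendobj\n%%EOF\n",
    ])


def build_sample_xfa_pdf():
    """Constructed PDF whose XFA form carries a base64 TIFF image field (CVE-2010-0188 shape)."""
    xfa = (b"<xdp:xdp><template><field><ui><imageEdit/></ui>"
           b'<value><image contentType="image/tif">SUkqAAgAAAA</image></value></field></template></xdp:xdp>')
    return b"".join([
        b"%PDF-1.6\n",
        b"1 0 obj<</Type/Catalog/AcroForm<</XFA 2 0 R>>>>endobj\n",
        b"2 0 obj<</Length " + str(len(xfa)).encode() + b">>stream\n",
        xfa,
        b"\nendstream\nendobj\n%%EOF\n",
    ])


if __name__ == "__main__":
    print(triage_pdf(build_sample_js_pdf()))
    print(triage_pdf(build_sample_xfa_pdf()))
```

The inflate step matters because the exploit JavaScript in kits like this one normally sits in a compressed stream, so a grep over the raw file finds nothing; the name-unescape step matters for the same reason.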

Java exploit GetSoundBank: read inReverse's (Ratsoul) posts for more information here or on their new blog here.
Also, see some malware links with this exploit here.





deie.html - MDAC exploit

Flashloader - uses object and embed tags for different browsers. Read this article for more details: http://borodin.livejournal.com/10471.html

Actionscript

IE - CVE-2010-0806




Thursday, May 13, 2010

JAVA from Crimepack

 Download   95f3ec9b3bb5e1792fd604eb6a0b5af0 gsb50  as a password protected archive (contact me if you need the password)


I think, correct me if I am wrong, this exploit has been available in Crimepack since at least 2.2.1; not sure if this is from 2.2.1 or 2.8.


File gsb50 received on 2010.05.14 02:44:37 (UTC)
http://www.virustotal.com/analisis/44916e0b40e2b8709a89f1209cceffab9a9bf8e26296ff85236cadd7d7a76258-1273805077
Result: 18/40 (45%)
AhnLab-V3    2010.05.14.00    2010.05.13    JAVA/Exploit
AntiVir    8.2.1.242    2010.05.13    EXP/Java.WebStart
Antiy-AVL    2.0.3.7    2010.05.13    Exploit/Java.CVE-2009-3867
AVG    9.0.0.787    2010.05.13    Generic2_c.XRX
DrWeb    5.0.2.03300    2010.05.14    Exploit.Java.27
eSafe    7.0.17.0    2010.05.13    Win32.Exploit.ByteVe
Ikarus    T3.1.1.84.0    2010.05.14    Exploit.Java.WebStart
Kaspersky    7.0.0.125    2010.05.14    Exploit.Java.CVE-2009-3867.b
McAfee    5.400.0.1158    2010.05.14    Exploit-ByteVerify
McAfee-GW-Edition    2010.1    2010.05.13    Exploit-ByteVerify
NOD32    5113    2010.05.13    OSX/Exploit.Smid.B
Norman    6.04.12    2010.05.13    JAVA/CrimePack.gen
PCTools    7.0.3.5    2010.05.14    Trojan.Generic
Sophos    4.53.0    2010.05.14    Exp/WebStart-A
Sunbelt    6301    2010.05.14    Trojan.Java.Webstart.a (v)
Symantec    20101.1.0.89    2010.05.14    Trojan Horse  - laconic, as usual .. but nothing wrong with it, this covers most of them anyway (M)
TrendMicro    9.120.0.1004    2010.05.13    JAVA_WEBSTART.A
TrendMicro-HouseCall    9.120.0.1004    2010.05.14    JAVA_WEBSTART.A
Additional information
File size: 2909 bytes
MD5...: 95f3ec9b3bb5e1792fd604eb6a0b5af0


Malware files rasauto16.dll and rasauto32.dll Remote Access Auto Connection Manager service - Backdoor

Update May 13 - added Rasauto32.dll

rasauto16.dll

Download (password protected archives; please contact me for the password if you need it):
rasauto16.dll  15138604260b1d27f92bf1ec6468b326
rasauto16.dll  80ca8b948409138be40ffbc5d6d95ef1
rasauto32.dll  995b44ef8460836d9091a8b361fde489 (added May 13)

Variant 1


File rasauto16.dll received on 2010.05.10 17:00:18 (UTC)
http://www.virustotal.com/analisis/bb1116f23874a36b0de47af8441c55687ccdcb0bad11384ab3718053f8eb7574-1273510818
Result: 3/41 (7.32%)
DrWeb    5.0.2.03300    2010.05.10    BACKDOOR.Trojan - yes, it is a backdoor and was used as such
McAfee-GW-Edition    2010.1    2010.05.10    Heuristic.BehavesLike.Win32.Backdoor.H
PCTools    7.0.3.5    2010.05.10    Trojan.Conficker.c.gen  --I don't think so.
Additional information
File size: 107008 bytes
MD5   : 15138604260b1d27f92bf1ec6468b326
SHA1  : 7cd0faddaf926573be91f725b07865c14dd44254
SHA256: bb1116f23874a36b0de47af8441c55687ccdcb0bad11384ab3718053f8eb7574
PEInfo: PE Structure information
entrypointaddress.: 0x12B83
timedatestamp.....: 0x4B566B52 (Wed Jan 20 03:32:50 2010)


 file dated just like other files on the system

rasauto16.dll replaces legitimate rasauto.dll

Rasauto
Service description:
Remote Access Auto Connection Manager
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters
ServiceDll = %SystemRoot%\System32\rasauto16.dll

TCP traffic

 202.175.83.10:443
z83l10.static.ctm.net
ISP:CTM Internet Services
Organization:CTM Internet Services
Country:Macau
City:Macau
address: Rua da Lagos, Telecentro
address: P.O. Box 868, Taipa
address: Macau
country: MO


Variant 2


http://www.virustotal.com/analisis/0de9fe6378a4c024f6f2c81b300897b8978d036caafbae9902850870d8f4dc04-1273511085
File rasauto16.dll received on 2010.05.10 17:04:45 (UTC)
Result: 4/41 (9.76%)
AntiVir    8.2.1.236    2010.05.10    TR/Spy.Gen
Comodo    4816    2010.05.10    ApplicUnwnt.Win32.AdWare.EZula.~GGC
McAfee-GW-Edition    2010.1    2010.05.10    Heuristic.BehavesLike.Win32.Backdoor.H
Sophos    4.53.0    2010.05.10    Mal/Emogen-Y
Additional information
File size: 669696 bytes
MD5...: 80ca8b948409138be40ffbc5d6d95ef1
SHA1..: f54b24660ec8664280e999e44148457e15f5489a
SHA256: 0de9fe6378a4c024f6f2c81b300897b8978d036caafbae9902850870d8f4dc04
ssdeep: 12288:CqjmOwFjklKkoTDLa77d46+HkQIwAy0WTuzjOFE:XjNwVxkofLFTjIyXTu3O
entrypointaddress.: 0x22b03
timedatestamp.....: 0x4b679e56 (Tue Feb 02 03:39:02 2010)
machinetype.......: 0x14c (I386)

Creation and modified dates - 8/4/2004 8:00 am


rasauto16.dll replaces the legitimate rasauto.dll (Remote Access Auto Connection Manager), as in variant 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters
ServiceDll = %SystemRoot%\System32\rasauto16.dll
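Both the AppMgmt hijack earlier on this page and the RasAuto variants above are the same technique: the ServiceDll value of an svchost-hosted service is pointed at a malicious DLL, either outside System32 (AppMgmt.dll under Default User) or a renamed copy inside it (rasauto16.dll), and the start type may be flipped to automatic. The following Python audit is an added example, not from the original post. It parses the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` (here a constructed sample seeded with the values reported on this page) and reports any baseline service whose ServiceDll folder, file name or Start value deviates. The baseline dict and the sample text are mine; on a real system extend the baseline from a known-good image and feed in the live `reg query` output.

```python
import re

# Expected ServiceDll file name and default Start value (3 = Manual) for the two
# services this page shows being hijacked. Extend from a known-good image.
BASELINE = {
    "AppMgmt": {"dll": "appmgmts.dll", "start": 3},
    "RasAuto": {"dll": "rasauto.dll", "start": 3},
}
START_NAMES = {2: "Auto", 3: "Manual", 4: "Disabled"}

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` output,
# cut down to the relevant keys and seeded with the values reported above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt
    Start    REG_DWORD    0x2
    DisplayName    REG_SZ    Application Management

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Documents and Settings\Default User\AppMgmt.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto
    Start    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\rasauto16.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Security
    Security    REG_BINARY    01001480
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\([^\\\s]+)(\\Parameters)?\s*$", re.I)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Map service name -> {'start': int, 'dll': str} from `reg query ... /s` text."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            m = KEY_RE.match(line)
            # Only the service key and its Parameters subkey are of interest;
            # values under other subkeys (Security, Enum, ...) are ignored.
            current = services.setdefault(m.group(1), {}) if m else None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, _type, data = m.groups()
            if name.lower() == "start":
                current["start"] = int(data, 16)   # reg query prints DWORDs as 0x...
            elif name.lower() == "servicedll":
                current["dll"] = data
    return services


def audit(services, system_root=r"C:\WINDOWS"):
    """Return [(service, finding)] for every deviation from BASELINE."""
    findings = []
    sys32 = (system_root + r"\System32").lower()
    for name, expected in BASELINE.items():
        seen = services.get(name, {})
        if "dll" not in seen:
            continue   # service absent or no ServiceDll value: nothing to compare
        dll = re.sub(r"%SystemRoot%", lambda _: system_root, seen["dll"], flags=re.I)
        folder, _, base = dll.rpartition("\\")
        if folder.lower() != sys32:
            findings.append((name, "ServiceDll outside System32: " + dll))
        if base.lower() != expected["dll"]:
            findings.append((name, "ServiceDll renamed: %s (expected %s)" % (base, expected["dll"])))
        start = seen.get("start")
        if start is not None and start != expected["start"]:
            findings.append((name, "Start type changed: %s -> %s" % (
                START_NAMES.get(expected["start"], expected["start"]), START_NAMES.get(start, start))))
    return findings


if __name__ == "__main__":
    for service, finding in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print(service, "-", finding)
```

The file-name check is what catches the RasAuto case: the DLL sits in System32 with a plausible name, so a check that only looks for DLLs outside System32 would pass it.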



Variant 3

Rasauto32.dll 
File rasauto32.dll received on 2010.05.13 16:19:29 (UTC)
http://www.virustotal.com/analisis/4da40b63c4027db5fb02e37db78da7333144809d1ddf0c86442e12d28cd7c47c-1273767569
Result: 12/41 (29.27%)
AntiVir    8.2.1.242    2010.05.13    TR/Spy.Gen
Antiy-AVL    2.0.3.7    2010.05.13    Trojan/Win32.Agent.gen
Avast    4.8.1351.0    2010.05.13    Win32:Malware-gen
Avast5    5.0.332.0    2010.05.13    Win32:Malware-gen
AVG    9.0.0.787    2010.05.13    Agent2.AMWN
GData    21    2010.05.13    Win32:Malware-gen
Jiangmin    13.0.900    2010.05.13    Trojan/Agent.drkq
Kaspersky    7.0.0.125    2010.05.13    Trojan.Win32.Agent.dnwh
Panda    10.0.2.7    2010.05.12    Suspicious file
Sophos    4.53.0    2010.05.13    Troj/RasSpy-Gen
TheHacker    6.5.2.0.280    2010.05.13    Trojan/Agent.dnwh
VBA32    3.12.12.4    2010.05.13    Trojan.Win32.Agent.dnwh
Additional information
File size: 647168 bytes
MD5...: 995b44ef8460836d9091a8b361fde489







TCP traffic

202.153.103.83:443
Hostname:beta.nethost.hk
ISP:TaiKoo Place, Quarry Bay
Organization: TaiKoo Place, Quarry Bay
Country:Hong Kong
City:Central District