Tuesday, April 10, 2012

OSX/Flashback.O sample + some domains

 
1. A few hours after I posted the Flashback.K sample, someone anonymously uploaded a Flashback.O sample (thank you very much!), which I am posting below. As in the first case, it is the payload binary from a victim, not the downloader, which makes it impossible to install. If you succeed or have a binary that installs, please share. I personally have not tried to run them yet; I did not have a VM.
2. Matt Thompson from Unveillance emailed his comments about the Flashback.K sample; please see the quote below.
3. Update April 11 - I will put domains and URLs in a separate post because they relate to various versions of Flashback, not only v.40/O.

Saturday, March 31, 2012

Java CVE-2012-0507 / CVE-2011-3521 (see update below) samples


Examples of referrers blacklisted by Blackhole exploit kit



Blackhole exploit kit was updated to version 1.2.3 on March 25 and now includes the Java CVE-2012-0507 exploit. Brian Krebs posted the news in his post "New Java Attack Rolled into Exploit Packs".

In addition, the exploit pack known as "Incognito" (there are rumors that Incognito development stopped after v.2 in 2011 and this is something else) and Eleonore added CVE-2011-3521 as well (likely; see the comments below).

I will add the "Incognito" version when I can.

This is just a quick post to share samples (kindly offered by Hendrik Adrian of 0Day.jp, and found in the wild) and links to analysis that was already done for these or similar samples.

Monday, March 5, 2012

Mar 2 CVE-2012-0754 SWF in DOC Iran's Oil and Nuclear Situation.doc

Update: March 9, 2012 - I added another sample donated by an anonymous reader. It is the same exploit but embedded in an Excel spreadsheet. The details about this sample are highlighted in yellow below.



This is a message from a targeted attack, and quite possibly you have already received a few of your own - there seems to be a new campaign underway using this new CVE-2012-0754 exploit. The vulnerability exists in Flash and is exploited when Flash tries to parse a crafted MP4 file. Successful exploitation allows an attacker to execute arbitrary code.
In this case, the attachment comes as a Word document "Iran's Oil and Nuclear Situation.doc" (it can come as any document type), which contains a Flash object instructing Flash to download and parse a malformed MP4. The dropped binary is a rather common trojan characterized by its traffic. When it comes to AV names, I don't know whether Graftor or Yayih.A are meaningful or just generic names, but maybe you have your own name for it.

Thursday, March 1, 2012

Welcome to Contagio Exchange - community malware dump

http://contagioexchange.blogspot.com/


Greetings,
Contagio Exchange is meant to be a communal malware collection. The Contagio mobile dump has been very successful and useful because researchers can upload their samples and download them directly from the mediafire box, without waiting for me to analyze or post them.

Whenever I have time, I will moderate and post descriptions for the files and individual download links (in addition to the main dropbox link) in the same format you see on the mobile malware dump.

This collection is meant to be a shared library of malware samples, not a repository of every type and sample in existence. I would like it to have current and useful samples for everyone to analyze and play with. Links for search and download are in the right hand column.


This collection is not meant to be a

  •  replacement for Contagio malware dump, it will continue to operate as usual.
  •  mega catchall dump of everything you can download from Malwaredomainlist, Cleanmx, or offensivecomputing.net
  •  competitor to the above or any similar collections and sites
  •  mess of zipped and unzipped generic and "lord knows what it is" files
  •  repository of every sample in existence
  •  danger to society
For this collection to succeed, please follow these simple rules:
  1. Zip each and every file with the password 'infected' before uploading. Zip is better than rar for consistency.
  2. Read #1 again - it is very important to prevent the mediafire dropbox from turning into a hazard.
  3. Add your name to the description (if you want credit), the description itself, and links to research or sandbox results to explain what it is. You can add a text file inside the package called description.txt or use the comment box during the upload. Please do not upload mystery files.
  4. Name zip files like this: "virusname_md5.zip", or include the MD5 in the name of the zip if possible.
  5. If you are not sure what it is and / or the detection is generic, please do not dump it into a sorted main exchange box but use U.F.O. - the Unidentified Flying Object box - so that others know what to expect.

Mediafire dropbox information
  • This is a paid and long-standing mediafire account with unlimited storage and more than enough bandwidth to support it.
  • Your samples are not held hostage: you can download them and store them on your system each time or on a schedule. If there is ever any change to this storage, I will give enough warning or ways to get them.
  • All links are direct, no ads.
  • The dropbox works on all OSes but best on Firefox and Chrome. I did not try it on Safari, and it has issues on IE and Palemoon. If you have a problem using it, you can email the samples (rename the file extension and double-zip exe files) and indicate they are for the exchange.
  • As an added benefit, you can use the dropbox for malware exchange with anyone, if you don't mind your sample becoming public. Once you upload, go to the download link on top of the upload box, click on the round gear next to the sample and select 'share'. It will generate a direct link you can post or email.

P.S. I don't financially benefit from the dropbox downloads (in fact, it is the opposite), posts, or malware samples. It is for the sake of fun and education.

Wednesday, February 15, 2012

Feb 9 CVE-2011-1980 MSOffice DLL Loading vulnerability + Trojan Nflog

fputlsat.dll

On February 9, 2012 Symantec disclosed that the previously patched MS Office insecure library loading vulnerability was exploited in the wild. DLL loading vulnerabilities were used in targeted attacks with at least two other exploits in 2011, and they did not reach epidemic proportions like CVE-2010-3333 RTF or some of the Adobe PDF exploits did. I refer to
Contagio: Sept. 23 CVE-2011-1991 type (1) deskpan.dll Windows components DLL loading vulnerability

and
Contagio: Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z

DLL search order hijacking exploits had and will have many new reincarnations because of the DLL loading preference order: the current working directory is searched before the system directories for most DLL files. You can read more about the root of these problems (not necessarily related to MS Office but in general) in M-unition: DLL Search Order Hijacking Revisited by Nick Harbour.
As described in the Symantec article, fputlsat.dll must be present in the same directory as the Word document in order to be loaded by the ActiveX control embedded in the Word document. The payload of this sample is the backdoor trojan Nflog.
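The setup both DLL-loading samples rely on (a DLL placed beside the document that the application then resolves before the legitimate copy) is easy to spot when triaging unpacked attachments. The following Python script is an added example, not code from the Contagio posts; it walks a constructed directory listing and reports every document that has a DLL sitting next to it, marking the two DLL names mentioned above.

```python
import os

# Document types the posts above describe being opened next to a planted DLL (Office, RTF, PDF).
DOCUMENT_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".rtf", ".pdf"}
# DLL names the posts mention: fputlsat.dll (CVE-2011-1980) and deskpan.dll (CVE-2011-1991).
KNOWN_PLANTED_DLLS = {"fputlsat.dll", "deskpan.dll"}

# Constructed listing of an unpacked attachment archive (not real files from the posts).
SAMPLE_LISTING = [
    "Agenda/Agenda.pdf",
    "Agenda/deskpan.dll",
    "report/Iran's Oil and Nuclear Situation.doc",
    "report/fputlsat.dll",
    "report/notes.txt",
    "clean/memo.docx",
    "clean/memo.txt",
    "other/brief.xls",
    "other/helper.dll",
]


def find_document_dll_pairs(paths):
    """Return (document path, dll name, known) for every DLL in the same directory as a document.

    A DLL beside the document is exactly what these exploits need: the application resolves a
    DLL by name and finds the planted copy in the document's directory before the real one.
    """
    by_dir = {}
    for path in paths:
        directory, name = os.path.split(path)
        by_dir.setdefault(directory, []).append(name)
    hits = []
    for directory, names in by_dir.items():
        dlls = [n for n in names if n.lower().endswith(".dll")]
        docs = [n for n in names if os.path.splitext(n)[1].lower() in DOCUMENT_SUFFIXES]
        for doc in docs:
            for dll in dlls:
                hits.append((os.path.join(directory, doc), dll, dll.lower() in KNOWN_PLANTED_DLLS))
    return hits


if __name__ == "__main__":
    for doc, dll, known in find_document_dll_pairs(SAMPLE_LISTING):
        label = "known planted name" if known else "unknown DLL, inspect"
        print(f"{doc}: {dll} alongside ({label})")
```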

Wednesday, February 1, 2012

TDL4 - Purple Haze (Pihar) Variant - sample and analysis


Lately things just don't seem the same
Actin' funny, but I don't know why
'Scuse me....... while I kiss the sky
- Jimi Hendrix, "Purple Haze"
I recently ran into an interesting piece of malware that was downloaded onto a victim's computer. I thought it was TDL/TDSS or maybe a new version of it, as it had the same components as the TDL4 bootkit together with mass-scale PPC (pay-per-click) fraud functionality. TDL had this functionality too, and it is most likely spread by the same Russian-speaking gangs using the Blackhole exploit kit. It did not have the same type of config file that you may find in TDL4 (and at first I could not find one at all). I call it "Purple Haze" thanks to the strings found in the code.

I shared it with Alexander Matrosov from ESET. He and Eugene Rodionov analyzed it and posted an article on the ESET blog: "TDL4 reloaded: Purple Haze all in my brain" (edited by David Harley).
ESET also updated the removal tool for this variant - direct download link: OlmarikTDL4 remover

Thursday, January 12, 2012

Blackhole Ramnit - samples and analysis


Ramnit, a Zeus-like trojan/worm/file infector with rootkit capabilities, has been in the wild for a long time but recently made news because Seculert reported on a financial variant of this malware aimed at stealing Facebook credentials.

While I did not see any Facebook related activity in my samples, I am posting them anyway for your research as their functionality is the same.

The samples I have are being spread not via Facebook but via the Blackhole exploit kit, which is a very effective method. The Blackhole exploit kit was associated with the spread of ZeuS and SpyEye, so it is not surprising that Ramnit is being spread in the same manner by the same groups. The group of command and control servers that I researched is associated with pharma spam and "Canadian" online pharmacies.



Wednesday, December 7, 2011

Adobe Zero Day CVE-2011-2462 - with samples




Update: Adobe released the patch yesterday and I posted a few samples below. There were several campaigns with two variants:
1) unencrypted (some are not working - see the explanation below)
2) AESV3 encrypted (try using Origami to decrypt these). Each of the posted samples is marked by its type.

The new Adobe zero-day CVE-2011-2462 files come with the same payload we saw in the CVE-2010-3654 Adobe Flash Player zero-day vulnerability, the trojan Sykipot, using the same technique of injecting a DLL file into
iexplore.exe, firefox.exe, or outlook.exe and communicating with hXXps://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys over HTTPS. Brandon Dixon from 9bplus.com posted a great initial analysis of the JavaScript and payload from a file with this exploit; I am just adding a few additional details.



Tuesday, November 29, 2011

30 PDF files processed by Cuckoo Sandbox - results and samples

Update - I posted a list of the dropped files for each sample and the C&C info from the pcaps at the end of the post, for review and easy Googling.


In addition to the post about the Cuckoo sandbox, please see below the sandbox results and samples for 30 recent PDF files (APT type). I excluded the payload/dropped files because of the large number of benign files in the same folder as the payload. Perhaps seeing the output will help you decide whether you want to deploy the sandbox or not.
If you need to see the payload 'files' folders, please see the previous post for an example or contact me. According to the author, filtering of the file dumps will be added soon.
What you will see in the package:
Original analysis folder (excluding "Files" - dropped files)
  • Analysis.config - you will see the name of the analysed file there.
  • Analysis.log + report.txt - log of all API calls and created files
  • Dump.pcap file
  • logs folder - in csv format
  • shots folder - screenshots taken
  • Original file itself
Additional files
  • List of all hashes of all files
  • All pcap files converted to text
  • Filtered logs showing dropped files.

Nov 3 CVE-2011-0611 1104statment.pdf analyzed via Cuckoo sandbox


I have been away and busy with all kinds of stuff (some malware related and some not :) but I am back.
I played a little recently with Cuckoo sandbox - an awesome free sandbox developed by Claudio Guarnieri (Linkedin). The sandbox has been out for several months, is constantly being improved, and has got a lot of fans. You can read the Cuckoo guide here and also follow active discussions on the Malwr forum. I think the sandbox works very well and is very flexible - it can be developed and extended to analyze any (many) kinds of exploits. You can find descriptions of the sandbox online, but I want to post results of the sandbox analysis - something I didn't have a chance to see until I installed it. I will post unfiltered results and results with some minimal processing (conversion of pcaps to text, filtering out search results, etc.). This tool is still in development and you will not get polished reports like you see on ThreatExpert, but they are exportable into a database of your choice, searchable, and "tweakable". If you already tried it a while ago, try it again; I heard the later versions are much better than the earlier ones.


Thursday, November 17, 2011

Hi


Believe it or not, I am still alive and will post something soon.

Thursday, November 3, 2011

Step by step binary analysis with Frankie Li ( dg003.exe dropper from "XinTang Event.chm" )


With the express written permission of the author, here is an excellent paper, "A Detailed Analysis of an Advanced Persistent Threat Malware", and the corresponding malware sample, which you can reverse engineer following the step by step explanation by the author Frankie Li (http://espionageware.blogspot.com/) from vxrl.org (Valkyrie-X Security Research Group).

Another great analysis from the same group of another CHM file can be found here: Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage (paper for the IEEE 6th International Conference on Malicious and Unwanted Software (Malware 2011)).

Do you wonder whether your sample is APT or just crimeware? Use their Xecure Deezer - APT identification engine.

Thursday, October 27, 2011

Oct 18 CVE-2009-3129 XLS 2011-10-18 101 calendar


Another day, another sample. A CVE-2009-3129 XLS file from kevins19702@gmail.com, but it was actually sent by a Hinet server (I guess Gmail addresses are accepted better than Hinet ones).

The trojan calls home to 220.246.76.125
POST http://check.amanerolor.com:443/index.php HTTP/1.0



 


Wednesday, October 26, 2011

Oct 17 CVE-2010-2883 PDF Report on the coming Presidential Election in TW


Here is one more sample. It calls home to 112.213.126.67 googlemail.proxydns.com











Oct 24 CVE-2011-0611 PDF 2011-10-24 NorthKorea with Taidoor


CVE-2011-0611 PDF file with yet another Taidoor Trojan calling home to 211.233.62.148 (LG DACOM KIDC Korea)







Sunday, October 23, 2011

Oct 23 CVE-2011-0611 PDF 2011-10-23 Gaddafi death with Taidoor


I will post a few samples without analysis. This one is a CVE-2011-0611 PDF with the Taidoor Trojan, exploiting Gaddafi's death as the lure, with an outgoing connection to 2.116.180.66 host66-180-static.116-2-b.business.telecomitalia.it
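The callback hosts and addresses quoted in the Sykipot post above and in the Oct 17, 18, 23 and 24 Taidoor posts are the kind of indicator a proxy log review would key on, alongside the protocol oddity in the Oct 18 sample (a plaintext HTTP/1.0 POST sent to port 443). The script below is an added example and not code from the Contagio posts; it runs those checks over a few constructed proxy log lines in an assumed "date time client method url version dest-ip" format.

```python
from urllib.parse import urlsplit

# Callback hosts and addresses quoted in the posts above (Sykipot and the Oct 17/18/23/24 Taidoor samples).
KNOWN_C2_HOSTS = {
    "www.prettylikeher.com", "check.amanerolor.com", "googlemail.proxydns.com",
    "host66-180-static.116-2-b.business.telecomitalia.it",
}
KNOWN_C2_IPS = {"220.246.76.125", "112.213.126.67", "211.233.62.148", "2.116.180.66"}

# Constructed proxy log lines (not real traffic) in the assumed format:
# "<date> <time> <client-ip> <method> <url> <http-version> <destination-ip>"
SAMPLE_LOG = [
    "2011-10-18 14:02:11 10.0.0.5 POST http://check.amanerolor.com:443/index.php HTTP/1.0 220.246.76.125",
    "2011-10-17 09:15:40 10.0.0.7 GET http://googlemail.proxydns.com/ HTTP/1.1 112.213.126.67",
    "2011-12-07 11:00:02 10.0.0.9 CONNECT www.prettylikeher.com:443 HTTP/1.1 198.51.100.20",
    "2011-10-18 14:05:00 10.0.0.5 GET http://www.example.com/index.html HTTP/1.1 198.51.100.30",
]


def check_request(line):
    """Return the reasons one log line is suspicious; an empty list means nothing was found."""
    fields = line.split()
    if len(fields) != 7:
        return ["unparsable line"]
    _date, _time, _client, method, url, version, dest_ip = fields
    if method == "CONNECT":
        # CONNECT carries "host:port" instead of a URL; urlsplit would misread the host as a scheme
        host, sep, port = url.rpartition(":")
        if not sep:
            host = url
        scheme = "https"
    else:
        parts = urlsplit(url)
        host, scheme, port = parts.hostname or "", parts.scheme, str(parts.port or "")
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append("known callback host " + host)
    if dest_ip in KNOWN_C2_IPS:
        reasons.append("known callback address " + dest_ip)
    if scheme == "http" and port == "443":
        reasons.append("plaintext HTTP to port 443")  # the Oct 18 sample's protocol/port mismatch
    if method == "POST" and version == "HTTP/1.0":
        reasons.append("HTTP/1.0 POST")  # browsers speak HTTP/1.1; a hand-written client often does not
    return reasons


def scan(lines):
    """Return (line number, reasons) for every flagged line, skipping clean ones."""
    return [(n, check_request(l)) for n, l in enumerate(lines, 1) if check_request(l)]


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(n, "; ".join(reasons))
```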








Wednesday, October 19, 2011

Welcome DeepEnd Research - Dirt Jumper DDoS bot analysis

We are pleased to introduce DeepEnd Research, an independent information security research group that will focus on threat and intelligence analysis. Our emphasis will be on malware, exploit analysis, botnet tracking, the underground economy and overall cyberthreats. We will blog about various collection and analysis techniques, observations, and other areas of interest.

Another primary goal of DeepEnd Research is to foster collaborative research and analysis efforts with other security groups and organizations. We welcome any opportunities or inquiries as to projects involving common areas of interest.
 
 
 

Duqu - RAT Trojan, "Precursor to the Next Stuxnet" - samples


Oct 20 - Note: I added another file.

According to Symantec:
"Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.
The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. "

Friday, October 7, 2011

Rustock samples and analysis links. Rustock.C, E, I, J and other variants

 

I thought that the Russian Matryoshka, aka Rustock the Nested Doll, would be a good subject after the previous post about Trojan.Matryoshka (Taidoor) analyzed by Jared Myers from CyberESI. The Russian rootkit Rustock is as notorious as TDSS or Stuxnet and is very sophisticated. Many researchers have made detailed analyses of Rustock, and this is why it is a great subject of study. The botnet is down, but the malware is here for you to play with and try to reverse on your own or by following one of the analysis papers posted below.

Thursday, October 6, 2011

Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI)



Jared Myers from CyberESI posted a fantastic detailed analysis of a Taidoor trojan variant he called Trojan.Matryoshka, for being just a container/carrier for another malicious file, "Trojan.Einstein". See "Trojan.Matryoshka and Trojan.Einstein". The trojan arrived in a malicious RTF attachment (CVE-2010-3333) from a spoofed address of the National Chengchi University / NCCU of Taiwan. The actual sending host was a server, IBM111, which is used by a particular group of attackers and is seen quite frequently. This sample was donated by a reader, but I have a lot of IBM111-produced attachments if you are after them.