Thursday, May 3, 2012

Xpaj - MBR rootkit sample


News about the Xpaj file infector brought this new donation of a sample, which I am posting now. I will add the network capture and sandbox report to augment the detailed analysis reports released by Bitdefender ("Xpaj - the bootkit edition") and Symantec ("W32.Xpaj.B is a File Infector with a Vengeance").
The file is meant to look like a crack of sorts for the game Big Air Stoked.



I accidentally overwrote this post with a blank one, many thanks to Lotta for sending the cached page and helping recreate it. It was not a long and detailed post but I wouldn't have time to redo it.


Operation Cleanup Japan (OCJP) by 0Day.jp May 3


Operation Cleanup Japan (OCJP) ([Report] Operation "Cleanup Japan" / What is #OCJP?) is the project initiated by Hendrik Adrian to make the Japanese internet safer through exposure of badware sites and data, the shutdown of malicious sites, and helping the Japanese community learn from security professionals how to recognize and prevent malware.

0DAY.JP <http://unixfreaxjp.blogspot.com/> is the project blog and it is in Japanese. We will link to his publications via Google translation and provide you with the relevant samples. This will be an ongoing post with future updates. Please support OCJP and enjoy.
P.S. Contact Hendrik if you have difficulty understanding Google translation of some words or need help with screenshots. IE and Chrome handle the translated text formatting better than Firefox. Except when indicated otherwise, I did not analyze these samples and might not be able to answer questions.

Red dots indicate the sample download links - same password on all by the scheme. Email me if you need it. With many thanks to Hendrik for his work and contributions.
DOWNLOAD ALL SAMPLES FROM THIS FOLDER OR FROM LINKS BELOW

2012-04-18 Case 39 ◘ Zeus

Thursday, April 19, 2012

CVE-2012-0158 - South China Sea, Insider Information and other samples and analysis

Update April 20, 2012 - I added 8 more samples (now there are 12 posted). I did not look at all of them yet, but I think you may find them useful for developing signatures, etc.

The TrendMicro report "CVE-2012-0158 – Now Being Used in More Tibetan-Themed Targeted Attack Campaigns" appeared in the news a few days ago, highlighting the beginning of a new wave of exploits using RTF as a carrier.

Researchers based in Asia noticed these malicious documents in Japan and Taiwan before they started showing up at, and targeting, US companies. Three documents donated a few days ago by someone from Asia were crafted to run only on the Taiwanese version of Windows. The document I found today was uploaded to an online analysis service and it is for English Windows; it was named "inside information.doc" and drops a decoy document called 英文, which means "English". I could not get the "Taiwanese" binaries to run on an English OS, but this one executed successfully.

The vulnerability is due to an error in an ActiveX control, in this case embedded in an RTF document. All documents I looked at are very similar; most likely there is a generator involved in making these. I have not seen any documents that would run without crashing Word, so you need to carve out at least the first-stage binary manually.

Many thanks to Brandon Dixon and Binjo for technical advice and inspiration :)

Wednesday, April 18, 2012

DarkMegi rootkit - sample (distributed via Blackhole)

Update April 20, 2012 - Kimberly wrote an excellent analysis of this sample. Please go to Stopmalvertising to read it.

This is a "DarkMegi" rootkit sample, kindly donated by Hendrik Adrian. Just as described in the McAfee article "Darkmegi: This is Not the Rootkit You're Looking For" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover it all in a quick post.
Indeed, it drops the rootkit components in drivers padded to an incredible 25MB and generates a lot of traffic. Unfortunately, I did not have time yet to sort out the mess and the purpose of all the files that this malware creates, so I am just posting it here along with sandbox results for you to analyze. If you write a detailed analysis, please share it and I will link to it.

Monday, April 16, 2012

Java OSX CVE-2012-0507, CVE-2011-3544 and Flashback.35/J sample




Dr. Web published a BackDoor.Flashback.39 (Flashback.K, the 11th variant) epidemic chronology to augment their discovery of the Mac botnet ("Doctor Web exposes 550 000 strong Mac botnet"). In general, the Flashback OSX epidemic started on or before August 2011 (F-Secure) with variants distributed as a fake Adobe Flash player. In January 2012, Intego reported Flashback.35/J (the 10th), which was also distributed as a fake Flash download.

I am posting here 3 Java exploits used to distribute Flashback trojans:

SAMPLE 1 is Java CVE-2012-0507; it is dated April 4 and appears to be distributing Flashback.35/J, as seen from the payload.
SAMPLE 2 is a java_signed_applet social engineering exploit (see Michael Schierl's comment below).
SAMPLE 3 is Java CVE-2011-3544. Samples 2 and 3 are dated February 2012.


I don't know which domains distributed these exploits (let me know if you do), but perhaps we are seeing the malware distribution scheme common for Windows-targeting exploit packs.


Thursday, April 12, 2012

OSX/Flashback.K sample + Mac OS malware study set (30+ older samples)

Update April 12, 2012 - Added another binary, sv.4, with its plist file (edited to remove the user id).


OSX Flashback malware has been in the news a lot after Kaspersky's announcement about the 600,000-strong botnet: "Kaspersky Lab Confirms Flashfake / Flashback Botnet Infected more than 600,000 Mac OS X Computers, Describes Ramifications and Remedies".

I got a sample tonight thanks to Tim Strazzere. I have not analyzed it yet but I want to try. Meanwhile, I am posting this sample and 30+ other Mac OS malware samples accumulated by Contagio and also from the vxheavens collection (thank you all). They are dated by year and provide a good historical set to study the evolution of Mac malware. I would start here: SANS "Mac OS X Malware Analysis", or check out "Reverse Engineering Mac Defender (OS X) malware analysis for beginners".


Wednesday, April 11, 2012

OSX Flashback URLs, Domains, etc


Dr.Web image
I have been tracking infections too and will be posting the domains I come across. I don't have the DGA script or the list of domains to date, but even if I had, I think the best way to find them is via the User Agent followed by the id. I am posting URLs and domains below and will add more soon.


Since it generates new domains every day, the full list would be much, much longer, but I will post those that I run across below in case it helps anyone. The ones below appear to be from a variant of v.39/K.

Tuesday, April 10, 2012

OSX/Flashback.O sample + some domains

1. A few hours after I posted Flashback.K, someone anonymously uploaded a Flashback.O sample (thank you very much!), which I am posting below. As in the first case, it is a payload binary from a victim, not the downloader, which makes it impossible to install. If you succeed or have a binary that installs, please share. I personally have not tried to run them yet; I did not have a VM.
2. Matt Thompson from Unveillance emailed his comments about the Flashback.K sample; please see the quote below.
3. Update April 11 - I will put domains and URLs in a separate post because they relate to various versions of Flashback, not only v.40/O.

Saturday, March 31, 2012

Java CVE-2012-0507 / CVE-2011-3521 (see update below) samples


Examples of referrers blacklisted by the Blackhole exploit kit



The Blackhole exploit kit was updated to version 1.2.3 on March 25 and now includes the Java CVE-2012-0507 exploit. Brian Krebs posted the news in his "New Java Attack Rolled into Exploit Packs".

In addition, the exploit pack known as "Incognito" (there are rumors that Incognito development stopped after v.2 in 2011 and this is something else) and Eleonore added CVE-2011-3521 (? likely, see comments below) as well.

I will add "Incognito" version when I can.

This is just a quick post to share samples (kindly offered by 0Day.jp's Hendrik Adrian, and found in the wild) and links to analysis that was already done for these or similar samples.

Monday, March 5, 2012

Mar 2 CVE-2012-0754 SWF in DOC Iran's Oil and Nuclear Situation.doc

Update: March 9, 2012 - I added another sample donated by anonymous. It is the same exploit but embedded in an Excel spreadsheet. The details about this sample are highlighted in yellow below.



This is a message from a targeted attack, and quite possibly you already received a few of your own; there seems to be a new campaign underway using this new CVE-2012-0754 exploit. The vulnerability exists in Flash and is exploited when it tries to parse a crafted MP4 file. Successful exploitation allows an attacker to execute arbitrary code.
In this case, the attachment comes as a Word document "Iran's Oil and Nuclear Situation.doc" (it can come as any document type), which contains Flash content instructing the player to download and parse a malformed MP4. The dropped binary is a rather common trojan characterized by its traffic. When it comes to AV names, I don't know whether Graftor or Yayih.A are meaningful or just generic names, but maybe you have your own name for it.

Thursday, March 1, 2012

Welcome to Contagio Exchange - community malware dump

http://contagioexchange.blogspot.com/


Greetings,
Contagio Exchange is meant to be a communal malware collection. The Contagio mobile dump has been very successful and useful because researchers can upload their samples and download them directly from the mediafire box without waiting for me to analyze or post them.

Whenever I have time, I will moderate and post descriptions for the files and individual download links (in addition to the main dropbox link) in the same format you see on the mobile malware dump.

This collection is meant to be a shared library of malware samples, not a repository of every type and sample in existence. I would like it to have current and useful samples for everyone to analyze and play with. Links for search and download are in the right hand column.


This collection is not meant to be a

  •  replacement for the Contagio malware dump, which will continue to operate as usual.
  •  mega catch-all dump of everything you can download from Malwaredomainlist, Cleanmx, or offensivecomputing.net
  •  competitor to the above or any similar collections and sites
  •  mess of zipped and unzipped generic and "lord knows what it is" files
  •  repository of every sample in existence
  •  danger to society
For this collection to succeed, please follow these simple rules:
  1. Zip each and every file with the password 'infected' before uploading. Zip is better than rar for consistency.
  2. Read #1 again - it is very important to prevent the mediafire dropbox from turning into a hazard.
  3. Add your name to the description (if you want credit), the description itself, and links to research or sandbox results to explain what it is. You can add a text file inside the package called description.txt or use the comment box during the upload. Please do not upload mystery files.
  4. Name zip files like this: "virusname_md5.zip", or at least include the MD5 in the name of the zip if possible.
  5. If you are not sure what it is and/or the detection is generic, please do not dump it into the sorted main exchange box but use the U.F.O. (Unidentified Flying Object) box so that others know what to expect.

Mediafire dropbox information
  • This is a paid and long-standing mediafire account with unlimited storage and more than enough bandwidth to support it.
  • Your samples are not held hostage: you can download them and store them on your system each time or on a schedule. If there is ever any change to this storage, I will give enough warning or ways to get them.
  • All links are direct, no ads.
  • The dropbox works on all OSes but best on Firefox and Chrome. I did not try it on Safari, and it has issues on IE and Palemoon. If you have a problem using it, you can email the samples (rename the file extension and double-zip exe files) and indicate they are for the exchange.
  • As an added benefit, you can use the dropbox for malware exchange with anyone, if you don't mind your sample becoming public. Once you upload, go to the download link on top of the upload box, click on the round gear next to the sample and select 'share'. It will generate a direct link you can post or email.

P.S. I don't financially benefit from the dropbox downloads (in fact, it is the opposite), posts, or malware samples. It is for the sake of fun and education.

Wednesday, February 15, 2012

Feb 9 CVE-2011-1980 MSOffice DLL Loading vulnerability + Trojan Nflog

fputlsat.dll

On February 9, 2012 Symantec disclosed that the previously patched MS Office insecure library loading vulnerability was exploited in the wild. DLL loading vulnerabilities were used in targeted attacks with at least two other exploits in 2011, and they did not reach epidemic proportions as happened with the CVE-2010-3333 RTF exploit or some of the Adobe PDF exploits. I refer to
Contagio: Sept. 23 CVE-2011-1991 type (1) deskpan.dll Windows components DLL loading vulnerability

and
Contagio: Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z

DLL search order hijacking exploits have had, and will have, many new reincarnations because of the DLL loading preference order: the current working directory is searched before the system directories for most DLLs. You can read more about the root of these problems (not necessarily related to MS Office, but in general) in M-unition: "DLL Search Order Hijacking Revisited" by Nick Harbour.
As described in the Symantec article, fputlsat.dll must be present in the same directory as the Word document in order to be loaded when the ActiveX control embedded in the Word document is activated. The payload of this sample is the backdoor trojan Nflog.
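The co-location pattern described above (a DLL shipped alongside the document that loads it) is something a responder can hunt for on a file share or a user's download folder. The Python script below is an added example, not code from this post, from Symantec or from Mandiant: it walks a directory tree and reports every DLL that shares a directory with an Office document, flagging the two DLL names this blog mentions (fputlsat.dll and deskpan.dll). The directory layout it scans is constructed inline with placeholder files, so it runs offline; the list of document extensions is an assumption.

```python
import os
import tempfile
from pathlib import Path

# Office document types that can pull in a co-located DLL. RTF and .doc are
# the carriers named in the post; the other extensions are an assumption.
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx"}

# DLL names the blog cites from 2011/2012 attacks. Any other DLL sitting next
# to a document is still reported, just without the known-abused flag.
KNOWN_ABUSED = {"fputlsat.dll", "deskpan.dll"}


def find_colocated_dlls(root):
    """Walk `root` and report every DLL that shares a directory with an
    Office document. Returns a list sorted by DLL path so results are stable."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        docs = sorted(f for f in filenames if Path(f).suffix.lower() in DOC_EXTS)
        if not docs:
            continue  # a DLL with no document beside it is not this pattern
        for name in filenames:
            if name.lower().endswith(".dll"):
                findings.append({
                    "dll": os.path.join(dirpath, name),
                    "documents": docs,
                    "known_abused": name.lower() in KNOWN_ABUSED,
                })
    return sorted(findings, key=lambda f: f["dll"])


def build_sample_tree():
    """Constructed sample layout (placeholder bytes, not real malware): one
    folder mimicking the fputlsat.dll lure, one benign folder, one DLL with no
    document beside it, and one DLL with a mixed-case extension."""
    root = tempfile.mkdtemp(prefix="dll_hunt_")
    layout = {
        "Downloads/agenda.doc": b"placeholder document bytes",
        "Downloads/fputlsat.dll": b"placeholder dll bytes",
        "Downloads/notes.txt": b"not interesting",
        "Reports/q4.docx": b"placeholder document bytes",
        "Tools/helper.dll": b"placeholder dll bytes",   # no document beside it
        "Shared/readme.rtf": b"placeholder rtf bytes",
        "Shared/Custom.DLL": b"placeholder dll bytes",  # mixed-case extension
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


def hunt_sample_tree():
    """Build the constructed tree, scan it, and return the findings."""
    return find_colocated_dlls(build_sample_tree())


if __name__ == "__main__":
    for hit in hunt_sample_tree():
        flag = "KNOWN-ABUSED NAME" if hit["known_abused"] else "review"
        print(f"{flag}: {hit['dll']} next to {', '.join(hit['documents'])}")
```

On the constructed tree the scan reports two hits: Downloads/fputlsat.dll (flagged as a known-abused name) and Shared/Custom.DLL (reported for review because it sits next to readme.rtf), while Tools/helper.dll is ignored because no document accompanies it. To use it on real data, point find_colocated_dlls at a mounted share or a collected user profile and triage the "review" hits by hash and signer.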

Wednesday, February 1, 2012

TDL4 - Purple Haze (Pihar) Variant - sample and analysis


Lately things just don't seem the same
Actin' funny, but I don't know why
'Scuse me....... while I kiss the sky
Jimi Hendrix, "Purple Haze"
I recently ran into an interesting piece of malware that was downloaded onto a victim's computer. I thought it was TDL/TDSS, or maybe a new version of it, as it had the same components as the TDL4 bootkit with mass-scale PPC (pay-per-click) fraud functionality. TDL had this functionality too, and it is most likely spread by the same Russian-speaking gangs using the Blackhole exploit kit. It did not have the same type of config file that you may find in TDL4 (at first I could not find it at all). I call it "Purple Haze" thanks to the strings found in the code.

I shared it with Alexander Matrosov from ESET. He and Eugene Rodionov analyzed it and posted an article on the ESET blog: "TDL4 reloaded: Purple Haze all in my brain" (edited by David Harley).
ESET also updated the removal tool for this variant - direct download link: OlmarikTDL4 remover.

Thursday, January 12, 2012

Blackhole Ramnit - samples and analysis


Ramnit, a Zeus-like trojan/worm/file infector with rootkit capabilities, has been in the wild for a long time but recently made news because Seculert reported on a financial variant of this malware aimed at stealing Facebook credentials.

While I did not see any Facebook related activity in my samples, I am posting them anyway for your research as their functionality is the same.

The samples I have are being spread not via Facebook but via the Blackhole exploit kit, which is a very effective method. The Blackhole exploit kit was associated with the spread of ZeuS and SpyEye, and it is not surprising that Ramnit is being spread in the same manner by the same groups. The group of command and control servers that I researched is associated with pharma spam and "Canadian" online pharmacies.



Wednesday, December 7, 2011

Adobe Zero Day CVE-2011-2462 - with samples




Update: Adobe released the patch yesterday and I posted a few samples below. There were several campaigns with two variants:
1) unencrypted (some are not working - see explanation below)
2) AESV3 encrypted (try to use Origami to decrypt these). Each of the posted samples is marked by its type.

The new Adobe zero-day (CVE-2011-2462) files come with the same payload we saw in the CVE-2010-3654 Adobe Flash player zero-day: the trojan Sykipot, using the same technique of injecting a DLL into iexplore.exe, firefox.exe, or outlook.exe and communicating with hXXps://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys over HTTPS. Brandon Dixon from 9bplus.com posted a great initial analysis of the JavaScript and payload from a file with this exploit; I am just adding a few additional details.



Tuesday, November 29, 2011

30 PDF files processed by Cuckoo Sandbox - results and samples

Update - posted a list of the dropped files for each sample and the C&C info from the pcaps at the end of the post, for review and easy Googling.


Shutterstock image
In addition to the post about the Cuckoo sandbox, please see below the sandbox results and samples for 30 recent PDF files (APT type). I excluded the payload/dropped files because of the large number of benign files in the same folder as the payload. Perhaps seeing the output will help you decide whether you want to deploy the sandbox or not.
If you need to see the payload 'files' folders, please see the previous post for an example or contact me. According to the author, filtering of the file dumps will be added soon.
What you will see in the package:
Original analysis folder (excluding "Files" - dropped files)
  • Analysis.config - you will see the name of the analysed file there.
  • Analysis.log + report.txt - log of all API calls and created files
  • Dump.pcap file
  • logs folder - in csv format
  • shots folder - screenshots taken
  • Original file itself
Additional files
  • List of all hashes of all files
  • All pcap files converted to text
  • Filtered logs showing dropped files.

Nov 3 CVE-2011-0611 1104statment.pdf analyzed via Cuckoo sandbox


I have been away and busy with all kinds of stuff (some malware related and some not :) but I am back.
I played a little recently with Cuckoo sandbox, an awesome free sandbox developed by Claudio Guarnieri (LinkedIn). The sandbox has been out for several months, is constantly being improved, and has got a lot of fans. You can read the Cuckoo guide here and also follow active discussions on the Malwr forum. I think the sandbox works very well and is very flexible: it can be developed and extended to analyze many kinds of exploits. You can find descriptions of the sandbox online, but I want to post the results of the sandbox analysis, something I didn't have a chance to see until I installed it. I will post unfiltered results and results with some minimal processing (conversion of pcaps to text, filtering out search results, etc.). This tool is still in development and you will not get polished reports like you see on ThreatExpert, but the results are exportable into a database of your choice, searchable, and "tweakable". If you already tried it a while ago, try it again; I heard the later versions are much better than the earlier ones.


Thursday, November 17, 2011

Hi


Believe it or not, I am still alive and will post something soon.

Thursday, November 3, 2011

Step by step binary analysis with Frankie Li ( dg003.exe dropper from "XinTang Event.chm" )


With the express written permission of the author, here is an excellent paper, "A Detailed Analysis of an Advanced Persistent Threat Malware", and the corresponding malware sample, which you can reverse engineer following the step-by-step explanation by the author Frankie Li (http://espionageware.blogspot.com/) from vxrl.org (Valkyrie-X Security Research Group).

Another great analysis from the same group of another CHM file can be found here: Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage (paper for IEEE 6th International Conference on Malicious and Unwanted Software (Malware 2011)).

Do you wonder if your sample is APT or just crimeware? Use their Xecure Deezer, an APT identification engine.