Wednesday, June 6, 2012

May 31 - Tinba / Zusy - tiny banker trojan


Tinba, aka Zusy, is an interesting tiny (18-20 KB) banker trojan. It is not the smallest in use these days: the Andromeda bot is 13 KB for the resident and only 9 KB for the non-resident version. I got a few samples and hoped to come up with enough data for an IDS signature, but they did a good emulation of the real systems, so it is not trivial. One thing that is very consistent is the 13-byte initial RC4-encoded request.
I am posting details here; if you come up with a signature, please share it with Emerging Threats or here.

Monday, May 28, 2012

Russian Cybercrime Presentation Slides 2012


Presented at a conference in May 2012
It is just pictures and not very useful without the narration. Email me if you need commentary for any of the slides.
Download pdf 

Saturday, May 19, 2012

See you in two weeks


Greetings,
I will be traveling and will not have time for posts until June. If you sent any files to me recently and I did not post / did not reply, please accept my sincere apologies, it has been a busy period.

Please continue to share and upload files to Contagio Community and the Contagio Mobile dump, where they will be available immediately to others via the main download link posted there.
I hope you all have a great end of spring and glorious summer.
Thank you
Mila

P.S. If you are looking for something that is not listed, feel free to email and ask, I might have it.

Sunday, May 6, 2012

May 3 - CVE-2012-0779 World Uyghur Congress Invitation.doc



There are already quite a few samples of this recently patched exploit in the wild, including those targeting USA companies. This particular sample is targeting the Uyghur Congress, which is "an international organization aspiring to represent ... exiled Uyghur (Turkish ethnic group) people both inside and outside of the Xinjiang Autonomous Region of the People's Republic of China." ~ Wikipedia. The text of the email cannot be translated with online translators, but judging by the content of the attachment, it is meant to look like an invitation for the World Uyghur Assembly.

More often than not, interesting samples come at the wrong time, when I cannot analyze them due to various reasons such as being busy with something else. I was planning to look at it this weekend but it did not happen, so here it is: CVE-2012-0779. Analyze it, write signatures, add detection to your filters. If you post an analysis, please send your link and I will add it. I will just post a few details about the file.

Thursday, May 3, 2012

019 Speech.doc MacOS_X/MS09-027.A - exploit for MS Word on Snow Leopard OSX



Someone uploaded it on Contagio Exchange the other day. Thank you for sharing.
The document language code is Arabic, which is kind of interesting. It targets Tibet human rights activists.

Research: Microsoft An interesting case of Mac OSX malware
Research: Total Defense MS09-027 Target: Mac OSX & Tibetan NGOs



Xpaj - MBR rootkit sample


News about the Xpaj file infector brought this new donation of a sample, which I am posting now. I will add the network capture and sandbox report to augment the detailed analysis reports released by Bitdefender, "Xpaj - the bootkit edition", and Symantec, "W32.Xpaj.B is a File Infector with a Vengeance".
The file is meant to look like a crack of sorts for the Big Air Stoked game.



I accidentally overwrote this post with a blank one; many thanks to Lotta for sending the cached page and helping recreate it. It was not a long and detailed post, but I would not have had time to redo it.


Operation Cleanup Japan (OCJP) by 0Day.jp May 3


Operation Cleanup Japan (OCJP) ([Report] Operation "Cleanup Japan" / What is #OCJP?) is the project initiated by Hendrik Adrian to make the Japanese internet safer through exposure of badware sites and data, the shutdown of malicious sites, and helping the Japanese community learn from security professionals how to recognize and prevent malware.

0DAY.JP <http://unixfreaxjp.blogspot.com/> is the project blog and it is in Japanese. We will link to his publications - via Google translation  and provide you with the relevant samples. This will be an ongoing post with future updates. Please support OCJP and enjoy.
P.S. Contact Hendrik if you have difficulty understanding Google translation of some words or need help with screenshots. IE and Chrome handle the translated text formatting better than Firefox. Except when indicated otherwise, I did not analyze these samples and might not be able to answer questions.

Red dots indicate the sample download links - same password on all by the scheme. Email me if you need it. With many thanks to Hendrik for his work and contributions.
DOWNLOAD ALL SAMPLES FROM THIS FOLDER OR FROM LINKS BELOW

 2012-04-18 Case 39 ◘ Zeus

Thursday, April 19, 2012

CVE-2012-0158 - South China Sea, Insider Information and other samples and analysis

Update April 20, 2012 - I added 8 more samples (now there are 12 posted). I did not look at all of them yet, but I think you may find them useful for developing signatures, etc.

The TrendMicro report "CVE-2012-0158 – Now Being Used in More Tibetan-Themed Targeted Attack Campaigns" appeared in the news a few days ago, highlighting the beginning of a new wave of exploits using RTF as a carrier.

Researchers based in Asia noticed these malicious documents in Japan and Taiwan before they started showing up at, and targeting, USA companies. Three documents donated a few days ago by someone from Asia were crafted to run only on the Taiwanese version of Windows. The document I found today was uploaded to an online analysis service and it is for English Windows; it was named "inside information.doc" and drops a decoy document called 英文, which means English. I could not get the "Taiwanese" binaries to run on an English OS, but this one executed successfully.

The vulnerability is due to an error in an ActiveX control, in this case embedded in an RTF document. All the documents I looked at are very similar; most likely there is a generator involved in making these. I have not seen any documents that would run without crashing Word, so you need to carve out at least the first-stage binary manually.
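Since the post says the first-stage binary has to be carved out of the RTF by hand, here is an added example (my code, not from the original post or any of the linked reports) of the usual starting point: pull the hex-encoded `\objdata` blobs out of an RTF carrier and report where a DOS/PE header (`MZ`) sits inside them. The RTF text, the object class name and the embedded bytes are constructed for the demo; it only handles plain hex `\objdata`, not `\bin` raw-binary runs, which real samples occasionally use.

```python
import re

# Constructed RTF fragment (not a real sample): one embedded object whose hex
# \objdata blob is a short OLE-style prefix followed by a fake "MZ" header.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Word.Document.8}"
    r"{\*\objdata 01050000 02000000 0b000000 4d5a9000 03000000 04000000 ffff0000}}"
    r"\par Decoy text}"
)

NON_HEX_RE = re.compile(r"[^0-9a-fA-F]")


def extract_objdata(rtf_text):
    """Return the decoded bytes of every \\objdata group in `rtf_text`.

    Brace depth is tracked from the control word onwards, so nested groups inside
    the object do not terminate the blob early. Whitespace, line breaks and any
    stray control words between hex digits are discarded before decoding.
    """
    blobs = []
    for m in re.finditer(r"\\objdata\b", rtf_text):
        depth = 0
        i = m.end()
        chars = []
        while i < len(rtf_text):
            c = rtf_text[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break          # closing brace of the \objdata group itself
                depth -= 1
            else:
                chars.append(c)
            i += 1
        hexdigits = NON_HEX_RE.sub("", "".join(chars))
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]  # drop a dangling nibble rather than fail
        if hexdigits:
            blobs.append(bytes.fromhex(hexdigits))
    return blobs


def find_mz_offsets(blob):
    """Offsets of every 'MZ' marker in `blob`; candidates for a carved first stage."""
    offsets = []
    start = 0
    while True:
        idx = blob.find(b"MZ", start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def carve_candidates(rtf_text):
    """For each \\objdata blob, return (blob_index, blob_length, [MZ offsets])."""
    return [(n, len(b), find_mz_offsets(b)) for n, b in enumerate(extract_objdata(rtf_text))]


if __name__ == "__main__":
    for n, size, offsets in carve_candidates(SAMPLE_RTF):
        print(f"objdata #{n}: {size} bytes, MZ at {offsets}")
```

On a real document you would read the file, run `carve_candidates`, and write `blob[offset:]` out for each reported offset; the trailing bytes after the PE image can then be trimmed by parsing the PE headers.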

Many thanks to Brandon Dixon and Binjo for technical advice and inspiration :)

Wednesday, April 18, 2012

DarkMegi rootkit - sample (distributed via Blackhole)

Update April 20, 2012 - Kimberly wrote an excellent analysis of this sample. Please go to Stopmalvertising to read it.

This is a "DarkMegi" rootkit sample, kindly donated by Hendrik Adrian. Just as described in the McAfee article "Darkmegi: This is Not the Rootkit You're Looking For" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover them all in a quick post.
Indeed, it drops the rootkit components into the drivers directory, padded to an incredible 25 MB, and generates a lot of traffic. Unfortunately, I did not have time yet to sort out the mess and the purpose of all the files that this malware creates, so I am just posting it here along with sandbox results for you to analyze. If you write a detailed analysis, please share it and I will link to it.

Monday, April 16, 2012

Java OSX CVE-2012-0507, CVE-2011-3544 and Flashback.35/J sample




Dr. Web published a BackDoor.Flashback.39 (Flashback.K, the 11th variant) epidemic chronology to augment their discovery of the Mac botnet, "Doctor Web exposes 550 000 strong Mac botnet". In general, the Flashback OSX epidemic started on or before August 2011 (F-Secure), with variants distributed as a fake Adobe Flash player. In January 2012, Intego reported Flashback.35/J (the 10th), which was also distributed as a fake Flash download.

I am posting here 3 Java exploits used to distribute Flashback trojans:

SAMPLE 1 is JAVA CVE-2012-0507, dated April 4, and appears to be distributing Flashback.35/J, as seen from the payload.
SAMPLE 2 is a java_signed_applet social engineering exploit (see Michael Schierl's comment below).
SAMPLE 3 is JAVA CVE-2011-3544. Samples 2 and 3 are dated February 2012.


I don't know which domains distributed these exploits (let me know if you do), but perhaps we are seeing the malware distribution scheme common for Windows-targeting exploit packs.


Thursday, April 12, 2012

OSX/Flashback.K sample + Mac OS malware study set (30+ older samples)

Update April 12, 2012 - Added another binary, sv.4, with its plist file (edited to remove the userid).


OSX Flashback malware has been in the news a lot after Kaspersky's announcement about 600,000 botnet "Kaspersky Lab Confirms Flashfake / Flashback Botnet Infected more than 600,000 Mac OS X Computers, Describes Ramifications and Remedies "

I got a sample tonight thanks to Tim Strazzere and I have not analyzed it but I want to try. Meanwhile, I am posting this sample and 30+ other Mac OS malware samples accumulated by Contagio and also from vxheavens collection (thank you all). They are dated by the year and provide a good historical set to study the evolution of Mac malware - I would start here: SANS Mac OS X Malware Analysis or check out Reverse Engineering Mac Defender (OS X) malware analysis for beginners


Wednesday, April 11, 2012

OSX Flashback URLs, Domains, etc


I have been tracking infections too and will be posting the domains I come across. I don't have the DGA script or the list of domains to date, but even if I had, I think the best way to find them is via the User Agent followed by the id. I am posting URLs and domains below and will add more soon.


Since it generates new domains every day, the full list would be much much longer but I will post those that I run across below in case it helps anyone. These below appear to be a variant of v.39/K

Tuesday, April 10, 2012

OSX/Flashback.O sample + some domains

 
1. A few hours after I posted Flashback.K, someone anonymously uploaded a Flashback.O sample (thank you very much!), which I am posting below. As in the first case, it is a payload binary from a victim, not the downloader, which makes it impossible to install. If you succeed or have a binary that installs, please share. I personally have not tried to run them yet; I did not have a VM.
2. Matt Thompson from Unveillance emailed his comments about the Flashback.K sample; please see the quote below.
3. Update April 11 - I will put domains and URLs in a separate post because they relate to various versions of Flashback, not v.40/O

Saturday, March 31, 2012

Java CVE-2012-0507 / CVE-2011-3521 (see update below) samples


[Image: Examples of referrers blacklisted by the Blackhole exploit kit]



The Blackhole exploit kit was updated to version 1.2.3 on March 25 and now includes the Java CVE-2012-0507 exploit. Brian Krebs posted the news in his "New Java Attack Rolled into Exploit Packs".

In addition, the exploit pack known as "Incognito" (there are rumors that Incognito development stopped after v.2 in 2011 and this is something else) and Eleonore added CVE-2011-3521 (? likely, see comments below) as well.

I will add "Incognito" version when I can.

This is just a quick post to share samples (kindly offered by 0Day.jp's Hendrik Adrian, and found in the wild) and links to analyses that were already done for these or similar samples.

Monday, March 5, 2012

Mar 2 CVE-2012-0754 SWF in DOC Iran's Oil and Nuclear Situation.doc

Update: March 9, 2012 - I added another sample donated by anonymous; it is the same exploit but embedded in an Excel spreadsheet. The details about this sample are highlighted in yellow below.



This is a message from a targeted attack, and quite possibly you have already received a few on your own: there seems to be a new campaign underway using this new CVE-2012-0754 exploit. The vulnerability exists in Flash and is exploited when it tries to parse a crafted MP4 file. Successful exploitation allows an attacker to execute arbitrary code.
In this case, the attachment comes as a Word document, "Iran's Oil and Nuclear Situation.doc" (and it can come as any document), which contains Flash content instructing it to download and parse a malformed MP4. The dropped binary is a rather common trojan characterized by its traffic. When it comes to AV names, I don't know whether Graftor or Yayih.A are meaningful or just generic names, but maybe you have your own name for it.

Thursday, March 1, 2012

Welcome to Contagio Exchange - community malware dump

http://contagioexchange.blogspot.com/


Greetings,
Contagio Exchange is meant to be a communal malware collection. Contagio mobile dump has been very successful and useful because researchers can upload their samples and download them without waiting for me to analyze or post it - directly from the mediafire box.

Whenever I have time, I will moderate and post descriptions for the files and individual download links (in addition to the main dropbox link) in the same format you see on the mobile malware dump.

This collection is meant to be a shared library of malware samples, not a repository of every type and sample in existence. I would like it to have current and useful samples for everyone to analyze and play with. Links for search and download are in the right hand column.


This collection is not meant to be a

  •  replacement for Contagio malware dump, it will continue to operate as usual.
  •  mega catchall dump of everything you can download from Malwaredomainlist, Cleanmx, or offensivecomputing.net
  •  competitor to the above or any similar collections and sites
  •  mess of zipped and unzipped generic and "lord knows what it is" files
  •  repository of every sample in existence
  •  danger to society
For this collection to succeed, please follow these simple rules:
  1. Zip all and every file with the password 'infected' before uploading. Zip is better than rar for consistency.
  2. Read #1 again - it is very important to prevent the mediafire dropbox from turning into a hazard
  3. Add your name to the description (if you want a credit), description itself, links to research or sandbox results to explain what it is.  You can add a text file inside the package called description.txt or use the comment box during the upload. Please do not upload mystery files.
  4. Name zip files like this "virusname_md5.zip" or include MD5 in the name of the zip - if possible
  5. If you are not sure what it is and / or the detection is generic, please do not dump it into a sorted main exchange box but use the U.F.O. - Unidentified Flying Object box, so that others know what to expect

Mediafire dropbox information
  • This is a paid and long standing mediafire account with unlimited storage and more than enough bandwidth to support it. 
  • Your samples are not held hostage as you can download them and store on your system each time or on a schedule. If there is ever any change to this storage, I will give enough warning or ways to get them.   
  • All links are direct, no ads
  • The dropbox works on all OSes but best on Firefox and Chrome. I did not try it on Safari, and it has issues on IE and Palemoon. If you have a problem using it, you can email the samples (rename the file extension and double-zip exe files) and indicate that they are for the exchange.
  • As an added benefit, you can use the dropbox for malware exchange with anyone - if you don't mind your sample to become public. Once you upload, go to the download link on top of the upload box and click on a round gear next to the sample and select 'share'. It will generate a direct link you can post or email.

P.S. I don't financially benefit from the dropbox downloads (in fact, it is the opposite), posts, or malware samples. It is for the sake of fun and education.

Wednesday, February 15, 2012

Feb 9 CVE-2011-1980 MSOffice DLL Loading vulnerability + Trojan Nflog

fputlsat.dll

On February 9, 2012 Symantec disclosed that the previously patched MS Office insecure library loading vulnerability was exploited in the wild. DLL loading vulnerabilities were used in targeted attacks with at least two other exploits in 2011, and they did not reach epidemic proportions as happened with CVE-2010-3333 RTF or some of the Adobe PDF exploits. I refer to:
Contagio: Sept. 23 CVE-2011-1991 type (1) deskpan.dll Windows components DLL loading vulnerability
and
Contagio: Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z

DLL search order hijacking exploits have had, and will have, many new reincarnations because of the DLL loading preference order: the current working directory is preferred for most DLL files. You can read more about the root of these problems (not necessarily related to MS Office, but in general) in M-unition: "DLL Search Order Hijacking Revisited" by Nick Harbour.
As described in the Symantec article, fputlsat.dll must be present in the same directory as the Word document in order to be activated by the ActiveX control embedded in the Word document. The payload of this sample is the backdoor trojan Nflog.
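Because this class of exploit depends on a DLL sitting next to the document that the victim opens, a cheap triage check is to look for directories where documents and DLLs coexist. The script below is an added example (mine, not Symantec's or the post author's) that walks a directory tree and reports such directories, ranking those whose DLL names match the ones mentioned in this post and the two linked Contagio posts (fputlsat.dll, deskpan.dll) as high priority. The document extension list and the sample directory layout are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Attachment-style document types that are typically opened from a download or
# temp folder (assumed list for this example, not taken from the original post).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

# DLL names named in this post and the linked Contagio posts. Any other .dll next
# to a document is still reported, just at "review" priority.
KNOWN_HIJACK_DLLS = {"fputlsat.dll", "deskpan.dll"}


def find_dll_sideloads(root):
    """Walk `root` and report every directory holding at least one document and at
    least one DLL. Returns a list of finding dicts, high-priority entries first."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        docs = sorted(f for f in filenames if Path(f).suffix.lower() in DOCUMENT_EXTENSIONS)
        dlls = sorted(f for f in filenames if f.lower().endswith(".dll"))
        if not docs or not dlls:
            continue  # a lone DLL, or documents alone, is not the pattern we want
        known = sorted(d for d in dlls if d.lower() in KNOWN_HIJACK_DLLS)
        findings.append({
            "directory": dirpath,
            "documents": docs,
            "dlls": dlls,
            "known_hijack_names": known,
            "priority": "high" if known else "review",
        })
    findings.sort(key=lambda f: (f["priority"] != "high", f["directory"]))
    return findings


def build_sample_tree():
    """Create a constructed directory tree: a Word document beside fputlsat.dll
    (the pattern described in the post), a spreadsheet beside an unknown DLL, a
    DLL with no documents around it, and a clean folder. Returns the root path."""
    root = tempfile.mkdtemp(prefix="dll_audit_")
    layout = [
        "Downloads/invite/Agenda.doc",
        "Downloads/invite/fputlsat.dll",
        "Downloads/report/Q1.xlsx",
        "Downloads/report/helper.dll",
        "Tools/libfoo.dll",
        "Downloads/clean/notes.docx",
    ]
    for rel in layout:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")  # contents are irrelevant to the check
    return root


def summarize(root):
    """Scan `root` and return (high_count, review_count, findings)."""
    findings = find_dll_sideloads(root)
    high = sum(1 for f in findings if f["priority"] == "high")
    return high, len(findings) - high, findings


if __name__ == "__main__":
    sample_root = build_sample_tree()
    high, review, findings = summarize(sample_root)
    print(f"{high} high-priority, {review} to review")
    for f in findings:
        print(f"[{f['priority']}] {f['directory']}: docs={f['documents']} dlls={f['dlls']}")
```

Point `summarize` at a user's Downloads, Desktop or mail-attachment cache on a suspect host; a "review" hit still needs a look at the DLL's signature and hash, since legitimate software occasionally ships DLLs alongside documentation.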

Wednesday, February 1, 2012

TDL4 - Purple Haze (Pihar) Variant - sample and analysis


Lately things just don't seem the same
Actin' funny, but I don't know why
'Scuse me....... while I kiss the sky
 Jimi Hendrix "Purple Haze"
I recently ran into an interesting piece of malware that was downloaded onto a victim's computer. I thought it was TDL/TDSS, or maybe a new version of it, as it had the same components as the TDL4 bootkit along with mass-scale PPC (pay-per-click) fraud functionality. TDL had this functionality too, and it is most likely spread by the same Russian-speaking gangs using the Blackhole exploit kit. It did not have the same type of config file that you may find in TDL4 (and at first I could not find it at all). I call it "Purple Haze" thanks to the strings found in the code.

I shared it with Alexander Matrosov from ESET. He and Eugene Rodionov analyzed it and posted an article on the ESET blog: "TDL4 reloaded: Purple Haze all in my brain" (edited by David Harley).
Eset also updated the removal tool for this variant - direct download link: OlmarikTDL4 remover

Thursday, January 12, 2012

Blackhole Ramnit - samples and analysis


Ramnit, a Zeus-like trojan/worm/file infector with rootkit capabilities, has been in the wild for a long time but recently made news because Seculert reported on a financial variant of this malware aimed at stealing Facebook credentials.

While I did not see any Facebook related activity in my samples, I am posting them anyway for your research as their functionality is the same.

The samples I have are being spread not via Facebook but via the Blackhole exploit kit, which is a very effective method. The Blackhole exploit kit has been associated with the spread of ZeuS and SpyEye, and it is not surprising that Ramnit is being spread in the same manner by the same groups. The group of command and control servers that I researched is associated with pharma spam and "Canadian" online pharmacies.