Shamoon or DistTrack.A samples

Image from Kaspersky lab

Here are a couple of Shamoon samples. Such destructive malware is rare because it does not really make much sense to destroy computers when you can steal data or use them.  

• Kaspersky Shamoon the Wiper - Copycats at Work 
•  W32/DistTrack.A Norman
• Shamoon, a two-stage targeted attack - Seculert

CVE-2012-1535 - 7 samples and info

I was still writing my analysis when Alienvault posted CVE-2012-1535: Adobe Flash being exploited in the wild and mine would be pretty much the repeat of the same. I don't like repeating so I will just post the samples and link to Jaime Biasco's article.  As you see from SSDeep they are nearly identical in size, exploit, and payload. All Word documents were authored by "Mark" and have same strings and indicators present as in the analyzed file.

3322 Dyndns badness

MD5


118f208998e12561b03200178edf826b members.3322.org PRORAT
c5ac14a3c80b3c6af4c943e0f3839fbe lengkusky1.3322.org Keylogger
03ac85edb00bcd8c6b4981ca67208f68 sfwu.3322.org
003212079a7c1de92b755a627f3913b7 sfwu.3322.org
c5a632a8e369e47a7e8f55f892c8d864 myyuming55.3322.org
c5a6de01e10c65a8894bcb32608055b5 yjdl.3322.org Puppetzombie.gen
8a41d4770858cb5af6860f95c00f8224 myyuming55.3322.org Virut
fe7d3e20d7bc640fe2edf645da218bd1 xinxin169.3322.org

Gauss samples - Nation-state cyber-surveillance + Banking trojan

Just a quick post for those who can't sleep until get to play with Gauss

Here is a great paper by Kaspersky Gauss:Abnormal Distribution 

and the blogpost: "Gauss: Nation-state cyber-surveillance meets banking Trojan"

Excerpt:
The highest number of infections is recorded in Lebanon, with more than 1600 computers affected. The Gauss code  (winshell.ocx) contains direct commands to intercept data required to work with Lebanese banks – including the Bank of  Beirut, Byblos Bank and Fransabank. 

In Israel and the Palestinian Territory, 750 incidents have been recorded." (Kaspersky)

CVE-2012-0158 generated "8861 password" XLS samples and analysis

Symantec recently posted an article by Joji Hamada titled "Password “8861” Used in Targeted Attacks", where the attackers continuously using the same passwords sent in emails together with the malicious attachment. Indeed, the password not only allows to evade detection but also makes it difficult to analyse the exploit itself.

All the samples i have that have this password appear to be created via a generator and share certain similarities. I will point out a few but you can find many more if you analyse the files and payloads.  

- Exploit CVE-2012-0158

The hallmark ListView2, 1, 1, MSComctlLib, ListView are clearly seen in the files, as well as excessive calls to MSCOMCTL.OCX during the dynamic analysis.

- Same password 

8861 could be the attacker's lucky number, or it is job related, or being a primary number, it plays some role in the RSA encryption implementation in this generator ( this one perhaps is a bit far fetched, but not more than other theories)

- Antivirus/Malware detection

These files are mostly detected as Exploit.D-Encrypted  by different AV vendors but this signature detects other malicious password protected documents  - it is not limited to this 8861 generator files.

Yara Signatures: You can develop your own yara signatures based on these and other indicators you find in the files. I will share signatures on Yara Signature Exchange Google Group. If you are interested in making and sharing, please see DeepEnd Research: Yara Signature Exchange Google Group
IDS:  Emerging threats IDS signatures - see below.

- Same file structure

They are each different sizes and have different payloads, however the first 120KB of each file are identical and are completley different from the headers of other typical user created password protected spreadsheets and other malicious and password protected XLS files. I will post two other malicious messages that were NOT generated using the same generator is seems and have a different password  (I don't know password for those two files yet, if your figure it out, please share)

- Same document code page 

Windows Simplified Chinese (PRC, Singapore)

- Same name for the dropped files (ews.exe and set.xls) 

The dropped payload and the clean XLS document are different sizes, different types of malware for trojans, but have the same names (some are renamed after creation), which suggests a template. The embedded clean XLS documents have different metadata - I guess those were downloaded from internet or stolen from different targets - some were created on the Kingsoft version of Office, different authors, etc.

- Non default encryption (RC4, Microsoft RSA SChannel Cryptographic Provider).

Default is "Office 97/2000 compatible", which I think is 40-bit RC4 encryption. The generator is probably not using Excel interface but has it's own implementation of the encryption for the VBA code.

- Targets do not seem to be related by their occupation

Targets are in different countries  - Japan, China, France and do not seem to be related by business or industry - human rights activists, businesses, politicians. This makes me think it is not the same group of attackers but it is just a generator purchased by/supplied to different groups attacking different targets. The same trojan types, C2 domains, and targets were covered on Contagio and other resources earlier.

Cridex Analysis using Volatility - by Andre' DiMino - samples and memory analysis resources

Andre' DiMino posted an excellent analysis of Cridex banking malware using Volatility on sempersecurus.blogspot.com and if you wish to repeat his steps or interested in this malware, I am posting the corresponding samples. Cridex is a complex financial trojan and is being distributed via spam messages (carrying exe files in zipped attachments) and Blackhole Exploit kit.
The messages have various themes - from UPS, Fedex, USPS to Groupon deals and "HP-scan" and other lures. Some message screenshots and corresponding malware are posted below.

If you are interested in memory analysis, please see the resource section of this post (links to the tools: Volatility, Mandiant Redline, memory dumps and other memory analysis done by Andre' and other researchers)

CVE-2012-1889 Security Update Analysis - Analysis video and presentation from High-Tech Bridge by Brian Mariani and Frédéric Bourla

Sorry for being away for such a long time - I was out of town for almost 2 weeks and came back just a couple of days ago. However, the blog is not dead and I am planning to post more stuff soon. There is Madi/Mahdi epidemic in progress, the exploit pack table needs urgent updates, and I have a quite a few samples accumulated that I need to post before they get old and boring. For now, if you are looking for anything specific, you can ask and I will check if I have them in the pending category.

Today, please enjoy the second part of CVE-2012-1889 analysis (CVE-2012-1889 Security Update Analysis - in video and PDF format ) sent to us by Brian Mariani and Frédéric Bourla from High-Tech Bridge www.htbridge.com ( High-Tech Bridge CVE Acreditation)

Flamer /SkyWiper Samples

August 13, 2012 - added an article by CERT Polska

If you didn't get enough of Flamer /SkyWiper yet, here are the samples donated by a reader. They are also available on various forums and Virustotal. Whether they are new or old, part of the "Olympic Games" or not, they are a fine example of a targeted attack.  Enjoy

 

CVE-2012-1889 Microsoft XML vulnerability - Samples and Analysis by Brian Mariani and Frédéric Bourla

Brian Mariani (High-Tech Bridge htbridge.com Geneva, Switzerland) sent a very detailed and helpful analysis of CVE 2012-1889 - "CVE-2012-1889 - Microsoft XML core services uninitialized memory vulnerability" presentation - by Brian Mariani and Frédéric Bourla, which I am publishing here.

Please download the slides in PDF format. The text of the presentation is also posted below. 

I am posting two samples - a metasploit poc file and a non-metasploit malicious code sample.

Medre.A - AutoCAD worm samples

         Medre.A  is a an AutoCAD worm, written in AutoLISP and is a very unusual piece of malware. It was

ACAD/Medre.A – 10000′s of AutoCAD files leaked in suspected industrial espionage and the corresponding whitepaper ACAD/Medre.A and ESET technical analysis is here ACAD/Medre.A Technical Analysis

          ESET reported Peru and neighboring countries as the target but I noticed that one of the samples' (MD5 25c7e10bb537b4265f6144f2cd7f6d95) original name is 未命名1 ( Unnamed 1), so I wonder if some targets/sources were Chinese speaking.

P.S. The samples were donated by an anonymous but the original source is someone from Malwarebytes forum and  I want to thank him/her (sorry don't know the name) for sharing. I hope they do not mind me posting them here.

RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army

CitizenLab

The CitizenLab published their report of the Blackshades RAT used by Syrian Electronic Army against activists. No need repeat their excellent analysis but you wish to analyze Blackshades and other RAT that were used in the Syrian attacks, here are the samples for 

• Blackshades RAT - June 2012 Citizen Lab Syrian Activists Targeted with BlackShades Spy Software
• XTreme RAT - May 2012  F-Secure Targeted Attacks in Syria
•  Dark Comet RAT - April 2012 - TrendLabs by Nart Villenueve
  

Looks like they are changing their RAT monthly.

CVE-2012-1875 links and samples

CVE-2012-1875 Internet Explorer 8 exploit has been publicly available from various sources for a few days.
I am adding it here for reference.

For analysis info, see the AlienVault link below and the Metasploit module and demo.

P.S. In case you wonder, I have not stopped doing malware analysis, I still do,  but as as a longer term offline project combined with studying/reading. I pause what I am doing to share samples that come along and better be posted sooner - as is, as I do not want to wait until I write up something more expanded. Since most people prefer doing analysis on their own and I add reference links, I don't think it is a huge disappointment :)  ~ Mila

90 CVE-2012-0158 documents for testing and research.

While working on a project unrelated to Contagio, I collected a number of CVE-2012-0158 exploit documents (mostly RTF) via going through my own collection and what was shared (and publicly sharable) by Contagio readers. This post contains 90 files, mostly APT targeted but I did not analyze all and cannot guarantee that. These are CVE-2012-0158 exploits for files from April-June 2012. Some of them were already posted on Contagio.
The files inside the zip are named by SHA256_original file name.doc. I think I will be using SHA256 now for naming because it is more standard now and  it is much easier to auto generate VT links. The table below shows everything inside the archive with auto generated Virustotal links.
Some of them had Japanese and Chinese names that are now translated in English (with (JP) and (CN) in the name)


  Download all the files listed above (email if you need the password)
- thanks to all for sharing


Older similar collections for testing and research are here Version 4 April 2011 - 11,355+ Malicious documents - archive for signature testing and research


P.S. ok, these are actually cve-2010-3333. I will not remove them but fyi (thanks to xecure-lab.com)

1. ec8b9c68872257cec2552ac727348c09314658d9497085f8a19f58004476c9b8_info.doc
2. abbd1fa4dde11b94360338de8b5a2af7b09c6149ce1633797da825d5843cea7f_Criteria.doc
3. 125b8babb6ee4442efc75a5688c6bb5d0c71f8a685bcdff6b4043f3a829e65eb_Oded - Working.rtf

P.P.S.  and Paul Baccas from Sophos pointed out that these two are not true exploits but RTF delivery for Buzus (thanks).

1. 12d574de18f6820ba0d8d566152edb32386b86dde9f3ef7d1004c775b3b34dea_IMG_0056.doc
2. 300649da673828756cfda29f332d7b39f272c1dd308f0087162e9d58fbacac1f_300649da673828756cfda29f332d7b39f272c1dd308f0087162e9d58fbacac1f.rtf

CVE-2012-0158

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability." 

May 31 - Tinba / Zusy - tiny banker trojan

Amazon.com 8" Gremlin

Tinba aka Zusy is an interesting tiny (18-20KB) banker trojan. It is not the smallest in use these days, Andromeda bot is 13 KB for resident and only 9 KB for non-resident versions. I got a few samples and hoped to come up with enough data for an IDS signature but they did a good emulation of the real systems, so it is not trivial. One thing very consistent is 13 byte initial RC4 encoded request.
I am posting details here, if you come up with a signature, please share with Emerging Threats or here.

Russian Cybercrime Presentation Slides 2012

Presented at a conference in May 2012
It is just pictures and not very useful without the narration. Email me if you need commentary for any of the slides
Download pdf 

See you in two weeks

Angus McIntyre

Greetings,
I will be traveling and will not have time for posts until June. If you sent any files to me recently and I did not post / did not reply, please accept my sincere apologies, it has been a busy period.

Please continue to share and upload files to  Contagio Community and Contagio Mobile dump where it will be available immediately to others via the main download link posted there.
I hope you all have a great end of spring and glorious summer.
Thank you
Mila

P.S. If you are looking for something that is not listed, feel free to email and ask, i might have it.

May 3 - CVE-2012-0779 World Uyghur Congress Invitation.doc

There are already quite a few samples of this recently patched exploit in the wild, including those targeting USA companies. This particular sample is targeting  Uyghur Congress, which is "an international organization aspiring to represent .. exiled Uyghur (Turkish ethnic group) people   both inside and outside of the Xinjiang Autonomous Region of the People's Republic of China." ~ Wikipedia. The text of the email cannot be translated with online translators, but judging by the content of the attachment, it is meant to look like an invitation for the World Uyghur Assembly .

More often than not, interesting samples come at the wrong time, when I cannot analyze them due to various reasons such as being busy with something else. I was planning to look at it this weekend but it did not happen, so here it CVE-2012-0779. Analyze it, write signatures, add detection to your filters. If you post an analysis, please send your link, I add. I will just post a few details about the file.

019 Speech.doc MacOS_X/MS09-027.A -exploit for MS Word on Snow Leopard OSX

bbtoystore.com

Someone uploaded it on Contagio Exchange the other day. Thank you for sharing.
Document language code is Arabic, which is kind of interesting. Targeting Tibet human rights activists.

Research: Microsoft An interesting case of Mac OSX malware
Research: Total Defense MS09-027 Target: Mac OSX & Tibetan NGOs

Xpaj -MBR rootkit sample - sample

News about Xpaj file infector brought this new donation of a sample, which i am posting now. I will add the network capture and sandbox report to augment the detailed analysis reports released by Bitdefender Xpaj - the bootkit edition and Symantec W32.Xpaj.B is a File Infector with a Vengeance
The file is meant to look like a crack of sorts for Big Air Stoked game



I accidentally overwrote this post with a blank one, many thanks to Lotta for sending the cached page and helping recreate it. It was not a long and detailed post but I wouldn't have time to redo it.

Operation Cleanup Japan (OCJP) by 0Day.jp May 3

Operation Cleanup Japan (OCJP)  ( 【報告】オペレーション「Cleanup Japan」 / #OCJPとは？is the project initiated by Hendrik Adrian to make the Japanese internet safer through exposure of badware sites and data, the shutdown of malicious sites and in helping the Japanese community learn from security professionals about how to recognize and prevent malware.

0DAY.JP <http://unixfreaxjp.blogspot.com/> is the project blog and it is in Japanese. We will link to his publications - via Google translation  and provide you with the relevant samples. This will be an ongoing post with future updates. Please support OCJP and enjoy.
P.S. Contact Hendrik if you have difficulty understanding Google translation of some words or need help with screenshots. IE and Chrome handle the translated text formatting better than Firefox. Except when indicated otherwise, I did not analyze these samples and might not be able to answer questions.

Red dots indicate the sample download links - same password on all by the scheme. Email me if you need it. With many thanks to Hendrik for his work and contributions.
DOWNLOAD ALL SAMPLES FROM THIS FOLDER OR FROM LINKS BELOW

 2012-04-18 Case 39 ◘ Zeus