Dec. 2012 Skynet Tor botnet / Trojan.Tbot samples

Here are 7 binaries for Skynet Tor botnet aka Trojan.Tbot.  Claudio's analysis is wonderfully detailed, I just added  pcaps  and a few words in the description

Read more here:
Rapid7.  Claudio Guarnieri.  Skynet, a Tor-powered botnet straight from Reddit

ZeroAccess / Sirefef Rootkit - 5 fresh samples

Stocking stuffers.
ZeroAccess rootkit is far from new and exciting but but this is a fresh lot with still active C2 servers.
Although the dropper is detected by at least half of AV engines, post infection detection is another story. I tried Kaspersky TDSS Killer, Avast Rootkit utility and RootRepeal without any success. I used Gmer and LordPE to carve out the hidden file from the memory. You can use Redline or Volatility too.
You can download 5 files below together with pcaps from one of the files and the file dumped from memory. It appears that free videos and apps names are used as the lure in this case.

* * * Merry Christmas and Happy New Year! * * *

More presents to come, pa rum pum pum pum
    rum pum pum pum, rum pum pum pum

Dec 2012 Linux.Chapro - trojan Apache iframer

Here is another notable development of 2012 - Linux malware (see Wirenet trojan posted earlier too)
Research: ESET Malicious Apache module used for content injection: Linux/Chapro.A
All the samples are below. I did not test it thus no pcaps this time.
------Linux/Chapro.A  e022de72cce8129bd5ac8a0675996318
------Injected iframe    111e3e0bf96b6ebda0aeffdb444bcf8d
------Java exploit         2bd88b0f267e5aa5ec00d1452a63d9dc
------Zeus binary         3840a6506d9d5c2443687d1cf07e25d0

Dec. 2012 Trojan.Stabuniq samples - financial infostealer trojan

Holiday presents.
Research: Symantec. Trojan.Stabuniq Found on Financial Institution Servers
More research: Stabuniq in-Depth  by Emanuele De Lucia

Here is a another minor news maker of 2012.
It is very well detected by most AV but if you want to play or make IDS or yara signatures, the pcap and the sample is below.

Dec 2012 Dexter - POS Infostealer samples and information

End of the year presents. Point of Sale (POS) infostealer, aka Dexter.
I got 3 more "tester-type" samples and added them below - in addition to the well known 4 samples mentioned by Seculert.
You can read more about it here:
Seculert Dexter - Draining blood out of Point of Sales 
TrendMicro Infostealer Dexter Targets Checkout Systems
Verizon: Dexter: More of the same, or hidden links?
Volatility labs Unpacking Dexter POS "Memory Dump Parsing" Malware
Trustwave labs: The Dexter Malware: Getting Your Hands Dirty
Symantec Infostealer.Dexter

Sample for Sanny / Win32.Daws in CVE-2012-0158 "ACEAN Regional Security Forum" targeting Russian companies

End of the year presents continue.
Here is an excellent analysis made by the Fireeye: To Russia with Targeted Attack. I am posting all the necessary details for this type of malware to be findable on Google plus the sample and pcap for signature development. Fireeye named it “Sanny” after one of the email addresses and many AV vendors called the dropper Win32.Daws.

Aug 2012 - Hikit APT rootkit sample

End of the year presents:

This is a sample of Hikit rootkit 
Aug 2012
Related News and Analysis:
The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1) - Mandiant

Aug 2012 W32.Crisis and OSX.Crisis - JAR file Samples - APT

End of the year presents:
Malicious Java file containing W32.Crisis and OSX.Crisis
Related News and Analysis:
Aug 2012
Crisis for Windows Sneaks onto Virtual Machines - Symantec
New Apple Mac Trojan Called OSX/Crisis Discovered - Intego

Nov 2012 Worm Vobfus Samples

End of the year presents:
This is a sample of W32.Vobfus / Worm_Vobfus

Related News and Analysis:
Nov 2012  
Trend Micro What’s the Fuss with WORM_VOBFUS?

Nov 2012 - Backdoor.W32.Makadocs Sample

End of the year presents:
These is a sample of W32.Makadocs
Related News and Analysis:
November 2012
Malware Targeting Windows 8 Uses Google Docs | Symantec
Backdoor.Makadocs | Symantec

Aug 2012 Backdoor.Wirenet - OSX and Linux

End of the year presents:
Backdoor.Wirenet.1
Related News and Analysis:
August 2012
The first Trojan in history to steal Linux and Mac OS X passwords  Dr.Web

Nov 2012 - W32.Narilam Sample

End of the year presents:
This is a sample of W32.Narilam 

Related News and Analysis:
Nov 2012 (malware is much older but re-surfaced in Nov 2012)
W32.Narilam – Business Database Sabotage
W32.Narilam | Symantec

Oct 2012 - Skype Dorkbot / W32.Phopifas samples

End of the year presents:
These are 4 samples of Skype Dorkbot / W32.Phopifas
Related News and Analysis:
October 2012
Infection Spreads Profile Pic Messages to Skype Users -GFI
W32.Phopifas | Symantec

OSX/Dockster.A and Win32/Trojan.Agent.AXMO Samples, pcaps, OSX malware analysis tools

Img.baronet4tibet. Tibetan furniture
 featuring a leopard and a lion

Better late than never. Here are the samples of the recent twin newsmakers OSX/Dockster.A and Win32/Trojan.Agent.AXMO.  The malware was already described and hashes published but I thought I would add traffic captures and samples themselves.

 I ran these samples on Thursday, November 29  (OSX) and Friday, November 30 (Agent.AXMO) when the C&C servers were still online. Intego mentioned the address itsec.eicp.net was not registered and it was possibly a test but it is a dynamic DNS address and it was down by the weekend.Credit for the sample goes to an anonymous Santa. 

I have to admit that my knowledge of  OSX malware leaves much to be desired. When we deal with Windows malware, range of choices for capturing, logging, recording, and analyzing is similar to this. I cannot name more than a few for MAC OSX - Wireshark, native Apple syslogs, IDA, Macmemoryze from Mandiant, and a few more below. If you have some good recent papers and tools lists for OSX malware analysis please share.

Read more here
http://www.f-secure.com/weblog/archives/00002466.html

Common Exploit Kits 2012 Poster (based on Exploit pack table Update 18, Nov 12, 2012)

Update November 14, 2012
1. We forgot to mention that in the best tradition of the Antivirus industry, all posters come with one (1) year of free updates. Email us when a new version of the poster comes out ( use same email address or reply to the original message) and we will send you the file (same size you ordered, in JPG format). We cannot reprint Zazzle posters but you can use your own printing, or upload and order your own from Zazzle.

2. We added two more sizes for smaller wall spaces and budgets (asking for $15 and $10 to be donated to charity )

Hurricane Sandy, Jersey Shore
Src. Twitter Oct 28,2012
 author unknown

This update to the exploit pack table comes in the form of a poster (Exploit pack table update 18 is coming soon too).
The poster includes most common exploit packs of 2012. The poster will be updated and new issues posted in the future.







Poster sizes: 

If you wish to order a larger poster print,  (up to 60"x40" or 152cm x 101cm), follow this link to Zazzle.com 
Zazzle cancelled orders due to logos in fish images, despite the fact that their use falls under "Nominative Fair use" policy  (Read: "Lawful use of another's trademark") and we make zero money on it. Here is an example of PC magazine using it lawfully to compare browsers  - they also publish and sell their magazine is stores.
We filed a complaint with Zazzle. But even if they don't cancel,  Zazzle is also very overpriced so you are likely to find cheaper ways to print it. so we do not recommend using it anymore.

If Zazzle cancelled your order, email us and we will send you the full file for free. 

 Staten Island Hurricane Sandy Relief (Staten Island Project Hospitality).

See Staten Island hurricane aftermath photos here:

Time.com   NY Times

• If you wish to use your own printing services and/or need multiple copies, you can request the poster file (see sizes below)  in exchange for donation to the Hurricane Relief  or a charity of your choice. Email us (admin at deependresearch.org) a receipt of a donation made in the past month (you can partially hide/obscure your personal info, if needed) and we will send you the file.
• 8900 x 6000 px = up to 40" x 60"      (101 x 150 cm) = $25  Donate here or charity of your choice
• 5340 x 3600 px = up to 24" x 35.6"   (~ 61 x 91 cm) = $15 Donate here or charity of your choice
• 3578 x 2415 px = up to 16" x 24"      (~ 40 x 60 cm) = $10 Donate here or charity of your choice
• 1720 x 1200 px = up to 11"x14"        (~ 20 x 30 cm) = Free Download

CVE-2012-5076 Java sample from "Cool" exploit pack

Here is quick post for a CVE-2012-5076 sample (from Cool pack, as described by Kafeine here Cool EK : "Hello my friend..." CVE-2012-5076 )

Group Photos.zip OSX/Revir | OSX/iMuler samples March 2012-November 2012

Sophos posted information about a variant of iMuler OSX trojan targeting Tibet activists (New variant of Mac Trojan discovered, targeting Tibet )  and posted the MD5 2d84bfbae1f1b7ab0fc1ca9dd372d35e (FileAgent 37.3 KB) of the trojan  . This post is for the actual dropper, which is a full 1.9 MB package (Group photo.zip MD5: 9e34256ded3a2ead43f7a51b9f197937)

 I don't have a Mac OS VM handy tonight to provide more details about the traffic or behavior so I will just describe the package and post the previous version of the same trojan that was targeting fans of Russian topless models.

CVE-2012-1535 Sep.9, 2012 "房號表.doc - Data for Reference.doc" and Taidoor trojan sample set for signature development

As promised, here is one sample of CVE-2012-1535 that you can use to follow the exploit analysis in the previous post CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis by Brian Mariani & Frédéric Bourla. It is from September 9, 2012, I have one from October, which I will post shortly as well. If you are not interested in the exploit, you can use the Taidoor payload plus 18 other Taidoor binaries to develop your own signatures for this trojan or test your AV. 

This message was sent to Taiwan government and is digitally signed with a valid signature. I am not sure if the signature is obtained for a fake account or the account is hijacked, this is why I am not posting the email address. If you work for TW government, you can ask for it. There was also a PDF attached with a personally identifiable information (full application) of an applicant for International Cooperation and Development Fund (Taiwan) - Women Development program. It is not included in this post. I assume it was stolen earlier as well. 

CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis by Brian Mariani & Frédéric Bourla

Brian Mariani and Frédéric Bourla from High-Tech Bridge SA – www.htbridge.com sent their excellent deep analysis of  CVE-2012-1535 vulnerability in Adobe Flash Player. The Word documents with Flash that exploited that vulnerability appeared in August but did not become as popular as RTF CVE-2012-0158, which remains to be the most widely used exploit for targeted email attachments. 

The reason for it is that integer overflows are difficult to exploit in general and CVE-2012-1535 is less reliable than other exploits prevalent today. This does not mean it is not in use and I will post several recent samples with this exploit in the next article.
The full analysis is posted below, plus you can download it in PDF format.