Wednesday, December 7, 2011

Adobe Zero Day CVE-2011-2462 - with samples

Update: Adobe Released the patch yesterday and  I posted a few samples below. There were several campaigns with two variants - 
1) unencrypted (some are not working - see explanation below)
2) AESV3 encrypted  (try to use Origami to decrypt these). Each of the posted samples are marked by their 'type"

CVE-2011-2462 the new Adobe Zero files come with the same payload we saw in CVE-2010-3654 Adobe Flash player zero day vulnerability, trojan Sykipot - using the same technique with injecting a DLL file into
iexplore, or firefox.exe, or outlook.exe and communicating with  hXXps:// over HTTPS. Brandon Dixon from posted a great initial analysis of Java script and payload from a file with this exploit, I am just adding a few additional details.

Tuesday, November 29, 2011

30 PDF files processed by Cuckoo Sandbox - results and samples

Update - posted a list of the dropped files for each file and the C&C info from pcaps in the end of the post - for review and easy Googling.

Shutterstock image
In addition to the post about the Cuckoo sandbox, please see below sandbox results and samples for 30 recent  PDF files (APT type). I excluded the payload/dropped files because of the large number of benign files in the same folder as the payload. Perhaps seeing the output will help you decide whether you want to deploy the sandbox or not.
If you need to see the payload 'files' folders, please see the previous post for example or contact me.According to the author, the file dumps filtering will be added soon.
 What you will see in the package:
Original analysis folder (excluding "Files" - dropped files)
  • Analysis.config - you will see the name of the analysed file there.
  • Analysis.log + report.txt- all API calls and created files log
  • Dump.pcap file
  • logs folder - in csv fomat
  • shots folder - screenshots taken
  • Original file itself  
 Additonal files
  • List of all hashes of all files
  • All pcap files converted to text
  • Filtered logs showing dropped files.

Nov 3 CVE-2011-0611 1104statment.pdf analyzed via Cuckoo sandbox

I have been away and busy with all kinds of stuff (some malware related and some not :)  but I am back.
I played a little recently with Cuckoo sandbox - an awesome free sandbox developed by Claudio Guarnieri (Linkedin). The sandbox has been out for several months, constantly being improved and got a lot of fans. You can read the Cuckoo guide here and also follow active discussions on the Malwr forum. I think the sandbox works very well and very flexible -  it can be developed and extended to analyze any (many) kinds of exploits. You can find descriptions of the sandbox online but I want to post results of the sandbox analysis - something I didn't have chance to see until I installed it. I will post unfiltered results and with some minimal processing (conversion of pcaps to text, filtering out search results, etc.). This tool is still in development and you will not get polished reports like you see on Threatexpert but they are exportable into a database of your choice, searchable, and "tweakable". If you already tried it a while ago, try it again, I heard the later versions are much better than the earlier ones.

Thursday, November 17, 2011


Believe it or not, I am still alive and will post something soon.

Thursday, November 3, 2011

Step by step binary analysis with Frankie Li ( dg003.exe dropper from "XinTang Event.chm" )

With the express written permission from the author, here is a an excellent paper "A Detailed Analysis of an Advanced Persistent Threat Malware" and the corresponding malware sample, which you can reverse engineer following step by step explanation by the author Frankie Li ( from (Valkyrie-X Security Research Group)

Another great analysis from the same group of another CHM file can be found here: Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage (paper for IEEE 6th International Conference on Malicious and Unwanted Software (Malware 2011)).

Do you wonder if your sample APT or just crimeware? Use their Xecure Deezer - APT identification engine 

Thursday, October 27, 2011

Oct 18 CVE-2009-3129 XLS 2011-10-18 101 calendar

Another day, another sample. CVE-2009-3129 XLS file from, but it was actually sent by a Hinet server (I guess Gmail addresses are accepted better than Hinet)

The trojan calls home to


Wednesday, October 26, 2011

Oct 17 CVE-2010-2883 PDF Report on the coming Presidential Election in TW

Here is one more sample. Call home to

Oct 24 CVE-2011-0611 PDF 2011-10-24 NorthKorea with Taidoor

CVE-2011-0611 PDF file with yet another Taidoor Trojan calling home to (LG DACOM KIDC Korea)

Sunday, October 23, 2011

Oct 23 CVE-2011-0611 PDF 2011-10-23 Gaddafi death with Taidoor

I will post a few samples without analysis. This one is CVE-2011-0611 PDF with Taidoor Trojan exploiting Gaddafi's death with outgoing connection to

Wednesday, October 19, 2011

Welcome DeepEnd Research - Dirt Jumper DDoS bot analysis

We are pleased to introduce DeepEnd Research, an independent information security research group that will focus on threat and intelligence analysis. Our emphasis will be on malware, exploit analysis, botnet tracking, the underground economy and overall cyberthreats. We will blog about various collection and analysis techniques, observations, and other areas of interest.

Another primary goal of DeepEnd Research is to foster collaborative research and analysis efforts with other security groups and organizations. We welcome any opportunities or inquiries as to projects involving common areas of interest.

Duqu - RAT Trojan, "Precursor to the Next Stuxnet" - samples

Oct 20 = Note: I added another file. 

According to Symantec:
"Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.
The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. "

Friday, October 7, 2011

Rustock samples and analysis links. Rustock.C, E, I, J and other variants


 I thought that Russian Matryoshka aka Rustock the Nested Doll would be a good subject after the previous post about Trojan.Matryoshka (Taidoor) analyzed by Jared Myers from CyberESI. Russian rootkit Rustock is as notorious as TDSS or Stuxnet and is very sophisticated. Many researchers made detailed analysis of Rustock and this is why it is a great subject of study. The botnet is down but the malware is here for you to play and try to reverse on your own or following one of the analysis papers posted below.

Thursday, October 6, 2011

Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI)

Jared Myers from CyberESI posted a fantastic detailed analysis of Taidoor trojan variant he called Trojan. Matryoshka for being just a container/carrier for another malicious file "Trojan.Einstein". See Trojan.Matryoshka and Trojan.Einstein   The trojan arrived in a malicious RTF attachment CVE-2010-3333 from a a spoofed address of the National Chengchi University / NCCU of Taiwan. The actual sending host was a server  IBM111, which is used by a particular group of attackers and is seen quite frequently. This sample was donated by a reader but I have a lot of IBM111-produced attachments if you are after them.

Wednesday, September 28, 2011

Sept. 23 CVE-2011-1991 type (1) deskpan.dll Windows components DLL loading vulnerability

These 4 phish message attempt to utilize CVE-2011-1991 type (1) deskpan.dll in the Display Panning CPL Extension. Here is a clear explanation of the deskpan.dll functionality  - it is "a module related to the display settings of pictures on your display screen" It is normally located in C:\ windows\ system32\. The phishing messages contain a word document (0/44 on VT) and a dll file called deskpan.dll in one zip or rar archive, which is in fact a Taidoor trojan dll unrelated to the authentic Windows library. This exploit has strict requirements for execution. I have not been able to meet them and get it to work, just like in Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z,  it is hard to trigger. A reader sent explanation how his exploit can be triggered -

Wednesday, September 21, 2011

Sept 21 Greedy Shylock - financial malware

Not one, my lord.
Besides, it should appear, that if he had
The present money to discharge the Jew,
He would not take it. Never did I know
A creature, that did bear the shape of man,
So keen and greedy to confound a man:
(The Merchant of Venice W. Shakespeare Act 3, Scene 2 )

On September 7, 2011,  Trusteer announced they are investigating new financial malware they called Shylock that "uses unique mechanisms not found in other financial malware toolkits, including: an improved method for injecting code into additional browser processes to take control of the victim’s computer; a better evasion technique to prevent malware scanners from detecting its presence; a sophisticated watchdog service that allows it to resist removal attempts and restore operations"

Trusteer called the malware Shylock for Shakespeare quotes in the properties of the file.

Monday, September 19, 2011

Mebromi BIOS rootkit affecting Award BIOS (aka "BMW" virus)

On September 13, 2011, Marco Giuliani from Webroot posted a detailed analysis of Mebromi - BIOS rootkit affecting Chinese computers with AWARD BIOS, which was earlier discovered by Qihoo 360. As noted by cfans from and kerne1_madman from, the infection starts with a binary with MD5 1AA4C64363B68622C9426CE96C4186F2 that downloads the actual dropper MD5 BB5511A6586BA04335712E6C65E83671. While looking for the samples, I found one domain referenced on CleanMX on 2011-08-31 that was used for distribution of the downloader with binary called qvodffs.exe MD5 1AA4C64363B68622C9426CE96C4186F2  hxxp://  In other cases it was called 123.exe (noted by Prevx  -seen on Aug 29, 2011 )

Sunday, September 11, 2011

Russian Black SEO ❤

Introducing ESAT NQD32 and "Test Version" of Windows

ESAT robot iz  very sad
I wasn't planning to make any posts while traveling for the lack of fast internet connection and ability to handle malicious files. For the same reason I will not be posting any analysis or malware zip archives in this post, only malicious links.

I visited Russia and needed to help someone purchase a new computer. This post is the result of the interesting experience, which should at least partially explain the share of malware from Russia .

 The two reasons I saw were the widespread use of pirated Windows that cannot be updated and poisoned results for any commonly used software - nearly all Google Sponsored Links for searches of Adobe products, antivirus products, free players and utilities will redirect you to malware downloads. is most commonly used domain for advertising these malicious "products".

Wednesday, September 7, 2011

Mediafire DMCA Office2010-kb2289161-fullfile-x64-glb.exe patch email

This summary is not available. Please click here to view the post.