Thursday, October 27, 2011

Oct 18 CVE-2009-3129 XLS 2011-10-18 101 calendar

Another day, another sample. CVE-2009-3129 XLS file from, but it was actually sent by a Hinet server (I guess Gmail addresses are accepted better than Hinet)

The trojan calls home to


Wednesday, October 26, 2011

Oct 17 CVE-2010-2883 PDF Report on the coming Presidential Election in TW

Here is one more sample. Call home to

Oct 24 CVE-2011-0611 PDF 2011-10-24 NorthKorea with Taidoor

CVE-2011-0611 PDF file with yet another Taidoor Trojan calling home to (LG DACOM KIDC Korea)

Sunday, October 23, 2011

Oct 23 CVE-2011-0611 PDF 2011-10-23 Gaddafi death with Taidoor

I will post a few samples without analysis. This one is CVE-2011-0611 PDF with Taidoor Trojan exploiting Gaddafi's death with outgoing connection to

Wednesday, October 19, 2011

Welcome DeepEnd Research - Dirt Jumper DDoS bot analysis

We are pleased to introduce DeepEnd Research, an independent information security research group that will focus on threat and intelligence analysis. Our emphasis will be on malware, exploit analysis, botnet tracking, the underground economy and overall cyberthreats. We will blog about various collection and analysis techniques, observations, and other areas of interest.

Another primary goal of DeepEnd Research is to foster collaborative research and analysis efforts with other security groups and organizations. We welcome any opportunities or inquiries as to projects involving common areas of interest.

Duqu - RAT Trojan, "Precursor to the Next Stuxnet" - samples

Oct 20 = Note: I added another file. 

According to Symantec:
"Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.
The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information."

Friday, October 7, 2011

Rustock samples and analysis links. Rustock.C, E, I, J and other variants


I thought that Russian Matryoshka aka Rustock the Nested Doll would be a good subject after the previous post about Trojan.Matryoshka (Taidoor) analyzed by Jared Myers from CyberESI. The Russian rootkit Rustock is as notorious as TDSS or Stuxnet and is very sophisticated. Many researchers made detailed analyses of Rustock, and this is why it is a great subject of study. The botnet is down, but the malware is here for you to play with and try to reverse on your own or by following one of the analysis papers posted below.

Thursday, October 6, 2011

Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI)

Jared Myers from CyberESI posted a fantastic detailed analysis of a Taidoor trojan variant he called Trojan.Matryoshka for being just a container/carrier for another malicious file, "Trojan.Einstein". See Trojan.Matryoshka and Trojan.Einstein. The trojan arrived in a malicious RTF attachment (CVE-2010-3333) from a spoofed address of the National Chengchi University / NCCU of Taiwan. The actual sending host was a server, IBM111, which is used by a particular group of attackers and is seen quite frequently. This sample was donated by a reader, but I have a lot of IBM111-produced attachments if you are after them.