Wednesday, October 19, 2011
Welcome DeepEnd Research - Dirt Jumper DDoS bot analysis
We are pleased to introduce DeepEnd Research, an independent
information security research group that will focus on threat and
intelligence analysis. Our emphasis will be on malware, exploit
analysis, botnet tracking, the underground economy and overall
cyberthreats. We will blog about various collection and analysis
techniques, observations, and other areas of interest.
Another primary goal of DeepEnd Research is to foster collaborative research
and analysis efforts with other security groups and organizations. We
welcome any opportunities or inquiries as to projects involving common
areas of interest.
Duqu - RAT Trojan, "Precursor to the Next Stuxnet" - samples
Image credit: materkat.wordpress.com
Oct 20 update: I added another file.
According to Symantec:
"Duqu does not contain any code related to industrial control systems
and is primarily a remote access Trojan (RAT). The threat does not
self-replicate. Our telemetry shows the threat was highly targeted
toward a limited number of organizations for their specific assets.
However, it’s possible that other attacks are being conducted against
other organizations in a similar manner with currently undetected
variants.
The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information."
Friday, October 7, 2011
Rustock samples and analysis links. Rustock.C, E, I, J and other variants
I thought that the Russian Matryoshka, aka Rustock the Nested Doll, would be a good subject after the previous post about Trojan.Matryoshka (Taidoor) analyzed by Jared Myers from CyberESI. The Russian rootkit Rustock is as notorious as TDSS or Stuxnet and is very sophisticated. Many researchers have published detailed analyses of Rustock, which is why it is a great subject of study. The botnet is down, but the malware is here for you to play with and try to reverse on your own, or by following one of the analysis papers posted below.
Thursday, October 6, 2011
Sep 28 CVE-2010-3333 Manuscript with Taidoor (Trojan.Matryoshka by CyberESI)