Saturday, March 31, 2012

Java CVE-2012-0507 / CVE-2011-3521 (see update below) samples

Examples of referrers blacklisted by Blackhole exploit kit

Blackhole exploit kit was updated to version 1.2.3 on March 25 and now includes an exploit for the Java vulnerability CVE-2012-0507. Brian Krebs posted the news in his New Java Attack Rolled into Exploit Packs.

In addition, the exploit pack known as "Incognito" (there are rumors that Incognito development stopped after v.2 in 2011 and that this is something else) and Eleonore added CVE-2011-3521 (? likely, see comments below) as well.

I will add the "Incognito" version when I can.

This is just a quick post to share samples (kindly offered by Hendrik Adrian or found in the wild) and links to analyses that were already done for these or similar samples.

Monday, March 5, 2012

Mar 2 CVE-2012-0754 SWF in DOC Iran's Oil and Nuclear Situation.doc

Update: March 9, 2012 - I added another sample, donated anonymously; it is the same exploit but embedded in an Excel spreadsheet. The details about this sample are highlighted in yellow below.

This is a message from a targeted attack, and quite possibly you have already received a few of your own: there seems to be a new campaign underway using the new CVE-2012-0754 exploit. The vulnerability exists in Flash Player and is triggered when it parses a crafted MP4 file; successful exploitation allows an attacker to execute arbitrary code.
In this case the attachment is a Word document, "Iran's Oil and Nuclear Situation.doc" (it can come as any document type), which contains an embedded Flash object that instructs Flash Player to download and parse a malformed MP4. The dropped binary is a rather common trojan, most easily recognized by its network traffic. As for AV names, I don't know whether Graftor or Yayih.A are meaningful or just generic labels, but maybe you have your own name for it.
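As an added example (not part of the original post and not code from any of the samples it shares), here is a small Python triage script for attachments shaped like the one described above: it locates SWF headers in the raw bytes of a document, decompresses a zlib-packed (CWS) SWF, and pulls out any URL or .mp4 reference inside it, which is the tell for an MP4-parsing exploit. The input is a constructed blob, not the real "Iran's Oil and Nuclear Situation.doc"; the URL in it is invented, and the version/length plausibility bounds are heuristics chosen for this example.

```python
import re
import struct
import zlib

# An SWF starts with a 3-byte signature (FWS = uncompressed, CWS = zlib,
# ZWS = LZMA), a version byte and a little-endian uint32 holding the length
# of the *uncompressed* file, header included.
SWF_SIGNATURE = re.compile(rb"[FCZ]WS")
MAX_PLAUSIBLE_SWF = 64 * 1024 * 1024  # heuristic upper bound (assumption)
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def find_swf_headers(blob):
    """Return [(offset, signature, version, declared_length)] for plausible SWF headers."""
    hits = []
    for m in SWF_SIGNATURE.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        version = blob[off + 3]
        declared = struct.unpack_from("<I", blob, off + 4)[0]
        # The signature is only 3 bytes, so drop chance matches whose version
        # or declared length is implausible (bounds are heuristics).
        if 1 <= version <= 60 and 8 <= declared <= MAX_PLAUSIBLE_SWF:
            hits.append((off, m.group().decode("ascii"), version, declared))
    return hits


def swf_body(blob, off, signature, declared):
    """Return the SWF body after the 8-byte header, decompressed for CWS."""
    if signature == "FWS":
        return blob[off + 8: off + declared]
    if signature == "CWS":
        # The zlib stream ends itself; bytes after it belong to the container.
        return zlib.decompressobj().decompress(blob[off + 8:])
    return None  # ZWS (LZMA) is not handled in this example


def triage(blob):
    """Summarize embedded SWFs and any URL / .mp4 references found inside them."""
    result = {"swf": [], "urls": [], "mp4_refs": [], "has_mp4_string": False,
              "suspicious": False}
    for off, sig, ver, declared in find_swf_headers(blob):
        body = swf_body(blob, off, sig, declared)
        if body is None:
            continue
        result["swf"].append((off, sig, ver, declared))
        urls = [u.decode("latin-1") for u in URL_RE.findall(body)]
        result["urls"].extend(urls)
        result["mp4_refs"].extend(u for u in urls if u.lower().endswith(".mp4"))
        if b".mp4" in body.lower():
            result["has_mp4_string"] = True
    # A Flash object in a document that references an MP4 is exactly the
    # pattern of this campaign; treat it as a hint worth a closer look.
    result["suspicious"] = bool(result["swf"]) and result["has_mp4_string"]
    return result


def build_constructed_sample():
    """Constructed input (not a real document): OLE2 magic and filler around a
    zlib-compressed SWF whose body carries an invented MP4 URL."""
    frame_rect = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"   # 550x400 twips RECT
    swf_payload = (frame_rect + b"\x00\x0c" + b"\x01\x00"  # frame rate 12, 1 frame
                   + b"\x00" * 16
                   + b"http://example.invalid/video.mp4\x00"  # assumed URL
                   + b"\x00" * 8)
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_payload))
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    return ole_magic + b"\x00" * 56 + header + zlib.compress(swf_payload) + b"\x00" * 40


if __name__ == "__main__":
    print(triage(build_constructed_sample()))
```

This is a first-pass hint, not a verdict: it scans raw bytes, so an SWF stored in a fragmented or compressed OLE stream would be missed, and a real analysis should extract the stream properly (oletools or similar) and then look at the SWF's ActionScript for the NetStream call that loads the MP4. Treating any document that embeds Flash and references an MP4 as suspicious errs on the side of review, which is the right bias for a targeted-attack attachment.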

Thursday, March 1, 2012

Welcome to Contagio Exchange - community malware dump

Contagio Exchange is meant to be a communal malware collection. The Contagio mobile dump has been very successful and useful because researchers can upload their samples and download them directly from the mediafire box, without waiting for me to analyze or post them.

Whenever I have time, I will moderate and post descriptions for the files and individual download links (in addition to the main dropbox link) in the same format you see on the mobile malware dump.

This collection is meant to be a shared library of malware samples, not a repository of every type and sample in existence. I would like it to have current and useful samples for everyone to analyze and play with. Links for search and download are in the right hand column.

This collection is not meant to be a

  •  replacement for the Contagio malware dump, which will continue to operate as usual
  •  mega catchall dump of everything you can download from Malwaredomainlist, Cleanmx, or similar
  •  competitor to the above or any similar collections and sites
  •  mess of zipped and unzipped generic and "lord knows what it is" files
  •  repository of every sample in existence
  •  danger to society
For this collection to succeed, please follow these simple rules:
  1. Zip each and every file with the password 'infected' before uploading. Zip is better than rar for consistency.
  2. Read #1 again - it is very important to prevent the mediafire dropbox from turning into a hazard.
  3. Add your name to the description (if you want credit), the description itself, and links to research or sandbox results to explain what it is. You can add a text file inside the package called description.txt or use the comment box during the upload. Please do not upload mystery files.
  4. Name zip files like this "" or include the MD5 in the name of the zip, if possible.
  5. If you are not sure what it is and / or the detection is generic, please do not dump it into the sorted main exchange box but use the U.F.O. - Unidentified Flying Object box, so that others know what to expect.

Mediafire dropbox information
  • This is a paid and long standing mediafire account with unlimited storage and more than enough bandwidth to support it. 
  • Your samples are not held hostage as you can download them and store on your system each time or on a schedule. If there is ever any change to this storage, I will give enough warning or ways to get them.   
  • All links are direct, no ads
  • The dropbox works on all OS but best on Firefox and Chrome. I did not try it on Safari, and it has issues on IE and Palemoon. If you have a problem using it, you can email the samples (rename the file extension and double zip exe files) and indicate that they are for the exchange.
  • As an added benefit, you can use the dropbox for malware exchange with anyone - if you don't mind your sample becoming public. Once you upload, go to the download link on top of the upload box, click on the round gear next to the sample and select 'share'. It will generate a direct link you can post or email.

P.S. I don't financially benefit from the dropbox downloads (in fact, it is the opposite), posts, or malware samples. It is for the sake of fun and education.