Monday, May 28, 2012

Russian Cybercrime Presentation Slides 2012

Presented at a conference in May 2012
It is just pictures and not very useful without the narration. Email me if you need commentary for any of the slides
Download pdf 

Saturday, May 19, 2012

See you in two weeks

Angus McIntyre
I will be traveling and will not have time for posts until June. If you sent any files to me recently and I did not post / did not reply, please accept my sincere apologies, it has been a busy period.

Please continue to share and upload files to  Contagio Community and Contagio Mobile dump where it will be available immediately to others via the main download link posted there.
I hope you all have a great end of spring and glorious summer.
Thank you

P.S. If you are looking for something that is not listed, feel free to email and ask, i might have it.

Sunday, May 6, 2012

May 3 - CVE-2012-0779 World Uyghur Congress Invitation.doc

There are already quite a few samples of this recently patched exploit in the wild, including those targeting USA companies. This particular sample is targeting  Uyghur Congress, which is "an international organization aspiring to represent .. exiled Uyghur (Turkish ethnic group) people   both inside and outside of the Xinjiang Autonomous Region of the People's Republic of China." ~ Wikipedia. The text of the email cannot be translated with online translators, but judging by the content of the attachment, it is meant to look like an invitation for the World Uyghur Assembly .

More often than not, interesting samples come at the wrong time, when I cannot analyze them due to various reasons such as being busy with something else. I was planning to look at it this weekend but it did not happen, so here it CVE-2012-0779. Analyze it, write signatures, add detection to your filters. If you post an analysis, please send your link, I add. I will just post a few details about the file.

Thursday, May 3, 2012

019 Speech.doc MacOS_X/MS09-027.A -exploit for MS Word on Snow Leopard OSX
Someone uploaded it on Contagio Exchange the other day. Thank you for sharing.
Document language code is Arabic, which is kind of interesting. Targeting Tibet human rights activists.

Research: Microsoft An interesting case of Mac OSX malware
Research: Total Defense MS09-027 Target: Mac OSX & Tibetan NGOs

Xpaj -MBR rootkit sample - sample

News about Xpaj file infector brought this new donation of a sample, which i am posting now. I will add the network capture and sandbox report to augment the detailed analysis reports released by Bitdefender Xpaj - the bootkit edition and Symantec W32.Xpaj.B is a File Infector with a Vengeance
The file is meant to look like a crack of sorts for Big Air Stoked game

I accidentally overwrote this post with a blank one, many thanks to Lotta for sending the cached page and helping recreate it. It was not a long and detailed post but I wouldn't have time to redo it.

Operation Cleanup Japan (OCJP) by May 3

Operation Cleanup Japan (OCJP)  ( 【報告】オペレーション「Cleanup Japan」 / #OCJPとは?is the project initiated by Hendrik Adrian to make the Japanese internet safer through exposure of badware sites and data, the shutdown of malicious sites and in helping the Japanese community learn from security professionals about how to recognize and prevent malware.

0DAY.JP <> is the project blog and it is in Japanese. We will link to his publications - via Google translation  and provide you with the relevant samples. This will be an ongoing post with future updates. Please support OCJP and enjoy.
P.S. Contact Hendrik if you have difficulty understanding Google translation of some words or need help with screenshots. IE and Chrome handle the translated text formatting better than Firefox. Except when indicated otherwise, I did not analyze these samples and might not be able to answer questions.

Red dots indicate the sample download links - same password on all by the scheme. Email me if you need it. With many thanks to Hendrik for his work and contributions.

 2012-04-18 Case 39 ◘ Zeus