Thursday, December 27, 2012

Dec. 2012 Skynet Tor botnet / Trojan.Tbot samples

Here are 7 binaries for the Skynet Tor botnet, aka Trojan.Tbot. Claudio's analysis is wonderfully detailed; I just added pcaps and a few words in the description.

Read more here:
Rapid7. Claudio Guarnieri. Skynet, a Tor-powered botnet straight from Reddit

Wednesday, December 26, 2012

ZeroAccess / Sirefef Rootkit - 5 fresh samples

Stocking stuffers.
The ZeroAccess rootkit is far from new and exciting, but this is a fresh lot with still-active C2 servers.
Although the dropper is detected by at least half of AV engines, post-infection detection is another story. I tried Kaspersky TDSSKiller, the Avast rootkit utility and RootRepeal without any success. I used GMER and LordPE to carve the hidden file out of memory. You can use Redline or Volatility too.
You can download the 5 files below, together with pcaps from one of the files and the file dumped from memory. It appears that free video and app names are used as the lure in this case.

Tuesday, December 25, 2012

* * * Merry Christmas and Happy New Year! * * *

More presents to come, pa rum pum pum pum
    rum pum pum pum, rum pum pum pum

Monday, December 24, 2012

Dec 2012 Linux.Chapro - trojan Apache iframer

Here is another notable development of 2012: Linux malware (see the Wirenet trojan posted earlier too).
Research: ESET. Malicious Apache module used for content injection: Linux/Chapro.A
All the samples are below. I did not test it, thus no pcaps this time.
Linux/Chapro.A     e022de72cce8129bd5ac8a0675996318
Injected iframe    111e3e0bf96b6ebda0aeffdb444bcf8d
Java exploit       2bd88b0f267e5aa5ec00d1452a63d9dc
Zeus binary        3840a6506d9d5c2443687d1cf07e25d0

Dec. 2012 Trojan.Stabuniq samples - financial infostealer trojan

Holiday presents.
Research: Symantec. Trojan.Stabuniq Found on Financial Institution Servers
More research: Stabuniq in-Depth by Emanuele De Lucia

Here is another minor newsmaker of 2012.
It is very well detected by most AV, but if you want to play or make IDS or YARA signatures, the pcap and the sample are below.

Sunday, December 23, 2012

Dec 2012 Dexter - POS Infostealer samples and information

End of the year presents. Point of Sale (POS) infostealer, aka Dexter.
I got 3 more "tester-type" samples and added them below - in addition to the well known 4 samples mentioned by Seculert.
You can read more about it here:
Seculert: Dexter - Draining blood out of Point of Sales
TrendMicro: Infostealer Dexter Targets Checkout Systems
Verizon: Dexter: More of the same, or hidden links?
Volatility Labs: Unpacking Dexter POS "Memory Dump Parsing" Malware
Trustwave Labs: The Dexter Malware: Getting Your Hands Dirty
Symantec: Infostealer.Dexter

Monday, December 17, 2012

Sample for Sanny / Win32.Daws in CVE-2012-0158 "ACEAN Regional Security Forum" targeting Russian companies

End of the year presents continue.
Here is an excellent analysis by FireEye: To Russia with Targeted Attack. I am posting all the necessary details for this type of malware to be findable on Google, plus the sample and pcap for signature development. FireEye named it “Sanny” after one of the email addresses, and many AV vendors called the dropper Win32.Daws.

Friday, December 7, 2012

Aug 2012 - Hikit APT rootkit sample

End of the year presents:
This is a sample of the Hikit rootkit (Aug 2012).
Related News and Analysis:
The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1) - Mandiant

Aug 2012 W32.Crisis and OSX.Crisis - JAR file Samples - APT

End of the year presents:
Malicious Java file containing W32.Crisis and OSX.Crisis
Related News and Analysis:
Aug 2012
Crisis for Windows Sneaks onto Virtual Machines - Symantec
New Apple Mac Trojan Called OSX/Crisis Discovered - Intego

Nov 2012 Worm Vobfus Samples

End of the year presents:
This is a sample of W32.Vobfus / Worm_Vobfus

Related News and Analysis:
Nov 2012  
Trend Micro What’s the Fuss with WORM_VOBFUS?

Nov 2012 - Backdoor.W32.Makadocs Sample

End of the year presents:
This is a sample of W32.Makadocs
Related News and Analysis:
November 2012
Malware Targeting Windows 8 Uses Google Docs | Symantec
Backdoor.Makadocs | Symantec

Aug 2012 Backdoor.Wirenet - OSX and Linux

End of the year presents:
Related News and Analysis:
August 2012
The first Trojan in history to steal Linux and Mac OS X passwords - Dr.Web

Thursday, December 6, 2012

Nov 2012 - W32.Narilam Sample

End of the year presents:
This is a sample of W32.Narilam 

Related News and Analysis:
Nov 2012 (malware is much older but re-surfaced in Nov 2012)
W32.Narilam – Business Database Sabotage
W32.Narilam | Symantec

Oct 2012 - Skype Dorkbot / W32.Phopifas samples

End of the year presents:
These are 4 samples of Skype Dorkbot / W32.Phopifas
Related News and Analysis:
October 2012
Infection Spreads Profile Pic Messages to Skype Users - GFI
W32.Phopifas | Symantec

Wednesday, December 5, 2012

OSX/Dockster.A and Win32/Trojan.Agent.AXMO Samples, pcaps, OSX malware analysis tools

Image: baronet4tibet, Tibetan furniture featuring a leopard and a lion
Better late than never. Here are the samples of the recent twin newsmakers OSX/Dockster.A and Win32/Trojan.Agent.AXMO. The malware was already described and hashes published, but I thought I would add traffic captures and the samples themselves.
I ran these samples on Thursday, November 29 (OSX) and Friday, November 30 (Agent.AXMO), when the C&C servers were still online. Intego mentioned the address was not registered and it was possibly a test, but it is a dynamic DNS address and it was down by the weekend. Credit for the sample goes to an anonymous Santa.
I have to admit that my knowledge of OSX malware leaves much to be desired. When we deal with Windows malware, the range of choices for capturing, logging, recording, and analyzing is similar to this. I cannot name more than a few for Mac OS X: Wireshark, native Apple syslogs, IDA, Mac Memoryze from Mandiant, and a few more below. If you have some good recent papers and tool lists for OSX malware analysis, please share.

Read more here