Wednesday, February 20, 2013
Linux/CentOS SSHd Spam Exploit — libkeyutils.so.1.9 - sample
Here are the links:
Saturday, February 16, 2013
Jan 2013 Shylock (skype version) sample
In January 2013, Iurii Khvyl and Peter Kruse from CSIS posted an analysis of a Shylock variant capable of spreading through Skype.
You can read their research here: Shylock calling Skype. The sample is below.
Jan 2013 - Linux SSHDoor - sample
Just a few accumulated samples here, found and shared by others. This one is for the Linux SSHDoor malware, a backdoored SSH daemon that steals SSH passwords. ESET covered it in detail in Linux/SSHDoor.A: Backdoored SSH daemon that steals passwords (24 Jan 2013).
The related Linux.Chapro.A sample was posted earlier this year as well.
Friday, February 15, 2013
Manipulating Memory for Fun and Profit by Frédéric Bourla - High-Tech Bridge
I am sure you remember the excellent reverse-engineering presentations by High-Tech Bridge experts that I posted earlier. High-Tech Bridge presented at the ISACA event in Luxembourg, and you can download their detailed and very interesting presentation: “Manipulating Memory for Fun and Profit”.
The presentation includes a detailed memory forensics process using Volatility.
by Frédéric BOURLA
Chief Security Specialist
Head of Ethical Hacking & Computer Forensics Departments
High-Tech Bridge SA
Table of Contents
0x00 - About me
0x01 - About this conference
0x02 - Memory introduction
0x03 - Memory manipulation from an offensive angle
0x04 - Memory manipulation from a defensive angle
0x05 - Conclusion
Download the full presentation in PDF
The text of the presentation (for Google search and to give an idea of the contents):
Sunday, February 10, 2013
Trojan 'Nap" aka Kelihos/Hlux status update by DeepEnd Research and samples
FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting and is indeed present in some of the samples we saw. The trojan, of course, has many more features, and most of them were documented in previous publications online. This post is a quick update on the state of the Kelihos/Hlux botnet, along with the list of known fast-flux domains (1500+) associated with Kelihos distribution or command and control (current > 2012). The current and most active name servers point to ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru, which are also fast-flux domains. The double fast-flux nature of the botnet makes it very difficult to take down, and sinkholing is only a temporary measure. Despite the two large takedown attempts (Sep. 2011 and Mar. 2012), the botnet is definitely on the rise again.
Please read the rest of our post here http://www.deependresearch.org/2013/02/trojan-nap-aka-kelihoshlux-feb-2013.html.
You can download the associated binaries (97 files) and pcap below.