contagio
malware dump...

by Mila, published: Mon 21 Jul 2014 06:57:00 AM CEST.

CZ Solution Ltd. signed samples of Xtreme Rat, Zeus, Spy-Net, Gh0st, BozokRAT and other
21 Jul 2014, 6:57 am

Here are all samples (+ more) mentioned in this post by FireEye: "The Little Signature That Could: The Curious Case of CZ Solution".
All files are digitally signed with a "CZ Solutions" certificate, which makes it easy to create a Yara or ClamAV signature.

A few Zeus samples seem to be still beaconing. Most are sinkholed.
The certificate is now revoked by VeriSign.
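As an added example of the kind of signature the post refers to (this is not a rule from the post, from FireEye or from contagio), here is a YARA rule that uses the pe module to flag any PE whose embedded Authenticode signer subject contains "CZ Solution". The rule name, the substring and the assumption that the subject field carries the company name in that form are mine. Note that the pe module only parses the certificate fields: it does not validate the chain or query revocation, so a hit means "claims to be signed by CZ Solution", not "validly signed". For hunting that is what you want, since the certificate has been revoked anyway and a strict validity check would miss every sample.

```yara
import "pe"

rule PE_Signed_By_CZ_Solution
{
    meta:
        description = "PE whose Authenticode signer subject names CZ Solution (added example, not from the post)"
        reference   = "FireEye: The Little Signature That Could: The Curious Case of CZ Solution"

    condition:
        // MZ header and at least one Authenticode signature in the security directory
        uint16(0) == 0x5A4D and
        pe.number_of_signatures > 0 and
        // Match the subject of any embedded signature. "CZ Solution" is assumed
        // to be the substring present in the signer's subject; the pe module
        // does not verify the chain or revocation status, so treat a hit as a
        // triage indicator rather than proof of a valid signature.
        for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].subject contains "CZ Solution"
        )
}
```

Run it with `yara -r PE_Signed_By_CZ_Solution.yar <directory>`; pairing the signer match with a family rule for the payload (Xtreme Rat, Zeus, and so on) gives you both the shared signing infrastructure and the individual tool in one pass.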

Enjoy

Download

Download. Email me if you need the password
File Information

Listed by FireEye
  1. Xtreme Rat_78CED3B6C04D372CE10B6B8606B3B747
  2. Spy-Net 2.6_6A56F6735F4B16A60F39B18842FD97D0
  3. Xtreme Rat_7C00BA0FCBFEE6186994A8988A864385.msg
  4. XtremeRAT 3.5 Private_2E776E18DEC61CF6CCD68FBACD55FAB3
  5. XtremeRAT 3.5 Private_BD70A7CAE3EBF85CF1EDD9EE776D8364
  6. XtremeRAT 3.5 Private_0BE3B0E296BE33903BF76B8CD9CF52CA
  7. XtremeRAT 3.5 Private_7416EC2889227F046F48C15C45C102DA
  8. XtremeRAT 3.5 Private_BE47EC66D861C35784DA527BF0F2E03A
  9. XtremeRAT 3.5 Private_C27232691DACF4CFF24A4D04B3B2896B
  10. XtremeRAT 3.5 Private_E79636E4C7418544D188A29481C100BB
  11. Zeus_9C11EF09131A3373EEF5C9D83802D56B
  12. Zeus_DCD3E45D40C8817061F716557E7A05B6


Additional (mix of RATs and Trojans)

  1. 2D186068153091927B26CD3A6831BE68
  2. 4A997E3395A8BB8D73193E158289F4CE
  3. 7E92A754AAAA0853469566D5DBF2E70C
  4. 9CFD17C48FC0D300E4AA22E2C8C029D6
  5. 37FEE821695B664EBE66D55D8C0696F2
  6. 445C22E94EAB61B3D4682824A19F8E92
  7. 819B4C40F56F69C72E62EF06C85EA3E1
  8. 947C21CB8E28B854FF02C2241399A450
  9. 2859089CC3E31DA60C64D56C416175E2
  10. A9EE1BF62DEE532BE2BE217D3E4A8927
  11. AC87BC7DD4B38FA3EBA23BF042B160CE
  12. B953FD2B3D5C10EC735681982D3C6352
  13. BD5188031BB8EB317FB58F0A49CCBF9C
  14. D7CF30E3DBFD32A1D1E38CEE464EC6A6
  15. E1AFC706C8C96FACEDB6CB62E6CBFD2D
  16. Gh0stB_7A26BBD7B5942B49FC0A9CB7268BD030
  17. SpyRat_E0B0BBA2F6399B0577C37E2A3BC3390A
  18. Zeus_0D8F9C5898596251233C3FD1DCB34161
  19. Zeus_7A6BBC32868A9F776452355F909F95D6
  20. Zeus_7CD6C4A6103F23858C7ED047391F1D3B
  21. Zeus_52BE0408084F536E42FEB7C57F521592
  22. Zeus_5746DD569623431BA41A247FA64847D7
  23. Zeus_A79089B5E6744C622D61BEFA40AF77D3
  24. Zeus_E2190F61B532BD51E585449BAAE31BC1
  25. Zeus_F76A509FEE28C5F65046D6DC072658B2


An Overview of Exploit Packs (Update 20) Jan 2014
8 Jan 2014, 7:30 am

Update Jan 8, 2014

This is version 20 of the exploit pack table; see the added exploit packs and vulnerabilities listed below.

Exploit Pack Table Update 20 (click to view or download from Google Apps)

I want to give special thanks to Kafeine, L0NGC47, Fibon and Curt Shaffer for their help and the updates they made. Note the new Yara rules sheet/tab with yara rules for exploit kits.
I also want to thank Kahu Security, Kafeine, Malforsec and all security companies listed in References for their research.

If you wish to be a contributor (be able to update/change the exploits or add yara rules), please contact me :)
If you have additions or corrections, please email, leave post comments, or tweet (@snowfl0w). Thank you!

The Wild Wild West image was created by Kahu Security; it shows current and retired (retiring) kits.

List of changed kits

Gong Da / GonDad | Redkit 2.2 x2o (Redkit Light) | Fiesta (=Neosploit) | Cool | Styxy | DotkaChef
CVE-2011-3544 CVE-2013-2551 CVE-2013-2465 CVE-2010-0188 CVE-2010-0188 CVE-2012-5692
CVE-2012-0507 CVE-2013-2471 CVE-2013-0074/3896 CVE-2011-3402 CVE-2013-1493
CVE-2012-1723 CVE-2013-1493 CVE-2013-0431
CVE-2013-0431
CVE-2013-2423
CVE-2012-1889 CVE-2013-2460 CVE-2013-0634 CVE-2013-1493
CVE-2012-4681 CVE-2013-2551 CVE-2013-2423
CVE-2012-5076
CVE-2013-0422
CVE-2013-0634
CVE-2013-2465

Angler | FlashPack = SafePack | White Lotus | Magnitude (Popads) | Nuclear 3.x | Sweet Orange
CVE-2013-0074/3896 CVE-2013-0074/3896 CVE-2011-3544 CVE-2011-3402 CVE-2010-0188 CVE-2013-2423
CVE-2013-0634 CVE-2013-2551 CVE-2013-2465 CVE-2012-0507 CVE-2012-1723 CVE-2013-2471
CVE-2013-2551 CVE-2013-2551 CVE-2013-0634 CVE-2013-0422 CVE-2013-2551
CVE-2013-5329 CVE-2013-2460 CVE-2013-2423
CVE-2013-2471 ?? CVE-2013-2471 CVE-2013-2460
CVE-2013-2551 CVE-2013-2551

CK | HiMan | Neutrino | Blackhole (last) | Grandsoft | Private EK
CVE-2011-3544 CVE-2010-0188 CVE-2013-0431 CVE-2013-0422 CVE-2010-0188 CVE-2006-0003
CVE-2012-1889 CVE-2011-3544 CVE-2013-2460 CVE-2013-2460 CVE-2011-3544 CVE-2010-0188
CVE-2012-4681 CVE-2013-0634 CVE-2013-2463* CVE-2013-2471 CVE-2013-0422 CVE-2011-3544
CVE-2012-4792* CVE-2013-2465 CVE-2013-2465* CVE-2013-2423 CVE-2013-1347
CVE-2013-0422 CVE-2013-2551 CVE-2013-2551 CVE-2013-2463 CVE-2013-1493
CVE-2013-0634* CVE-2013-2423
CVE-2013-3897 CVE-2013-2460
Cell notes in the sheet: "and + all or some exploits from the previous version"; "switch 2463* <> 2465*"; "Possibly + exploits"; "* removed from the previous version".

Sakura 1.x | LightsOut | Glazunov | Rawin | Flimkit | Cool EK (Kore-sh) | Kore (formerly Sibhost)
CVE-2013-2471 CVE-2012-1723 CVE-2013-2463 CVE-2012-0507 CVE-2012-1723 CVE-2013-2460 CVE-2013-2423
CVE-2013-2460 CVE-2013-1347 CVE-2013-2471 CVE-2013-1493 CVE-2013-2423 CVE-2013-2463 CVE-2013-2460
CVE-2013-1690 CVE-2013-2423 CVE-2013-2471 CVE-2013-2463
CVE-2013-2465 CVE-2013-2471
Cell note in the sheet: "and + all or some exploits from the previous version".

Styx 4.0 | Cool | Topic EK | Nice EK
CVE-2010-0188 CVE-2012-0755 CVE-2013-2423 CVE-2012-1723
CVE-2011-3402 CVE-2012-1876
CVE-2012-1723 CVE-2013-0634
CVE-2013-0422 CVE-2013-2465
CVE-2013-1493 CVE-2013-2471
CVE-2013-2423
CVE-2013-2460
CVE-2013-2463
CVE-2013-2472
CVE-2013-2551
Social Eng
Cell note in the sheet: "and + all or some exploits from the previous version".

=================================================================

The Exploit Pack Table has been updated and you can view it here.

Exploit Pack Table Update 19.1  - View or Download from Google Apps

If you keep track of exploit packs and can/wish to contribute and be able to make changes, please contact me (see email in my profile).
I want to thank L0NGC47, Fibon, Kafeine, Francois Paget, Eric Romang, and other researchers who sent information for their help.




Update April 28, 2013 - added CVE-2013-2423 (Released April 17, 2013) to several packs. 
Now the following packs serve the latest Java exploit (update your Java!)

  1. Styx
  2. Sweet Orange
  3. Neutrino
  4. Sakura
  5. Whitehole
  6. Cool
  7. Safe Pack
  8. Crime Boss
  9. CritX



Other changes
Updated:
  1. Whitehole
  2. Redkit
  3. Nuclear
  4. Sakura
  5. Cool Pack
  6. Blackhole
  7. Gong Da
Added:
  1. KaiXin
  2. Sibhost
  3. Popads 
  4. Alpha Pack
  5. Safe Pack
  6. Serenity
  7. SPL Pack

There are 5 tabs at the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits



March 2013
The Exploit Pack Table, which has just been updated, has migrated to Google Apps; the link is below. The new format will allow easier viewing and access for those who volunteered their time to keep it up to date.

In particular, I want to thank
L0NGC47, Fibon, and Kafeine  for their help.

There are 5 tabs at the bottom of the sheet
  1. 2011-2013
  2. References
  3. 2011 and older
  4. List of exploit kits
  5. V. 16 with older credits
The updates include
  1. Neutrino  - new
  2. Cool Pack - update
  3. Sweet Orange - update
  4. SofosFO aka Stamp EK - new
  5. Styx 2.0 - new
  6. Impact - new
  7. CritXPack - new
  8. Gong Da  - update
  9. Redkit - update
  10. Whitehole - new
  11. Red Dot  - new

The long overdue Exploit pack table Update 17 is finally here. It got a colorful facelift and has newer packs (Dec. 2011-today) on a separate sheet for easier reading.
Updates / new entries for the following 13 packs have been added (see exploit listing below)


  1. Redkit 
  2. Neo Sploit
  3. Cool Pack
  4. Black hole 2.0
  5. Black hole 1.2.5
  6. Private no name
  7. Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)
  8. Nuclear 2.1  (Update to 2.0 - actual v. # is unknown)
  9. CrimeBoss
  10. Grandsoft
  11. Sweet Orange 1.1 (Update to 1.0 - actual v. # is unknown)
  12. Sweet Orange 1.0
  13. Phoenix  3.1.15
  14. NucSoft
  15. Sakura 1.1 (Update to 1.0  actual v. # is unknown)
  16. AssocAID (unconfirmed)

Exploit lists for the added/updated packs


AssocAID (unconfirmed)
09-'12
CVE-2011-3106
CVE-2012-1876
CVE-2012-1880
CVE-2012-3683
Unknown CVE
5


Redkit
08-'12
CVE-2010-0188
CVE-2012-0507
CVE-2012-4681
3

Neo Sploit
09-'12
CVE-2012-1723
CVE-2012-4681
2?

Cool
08-'12
CVE-2006-0003
CVE-2010-0188
CVE-2011-3402
CVE-2012-0507
CVE-2012-1723
CVE-2012-4681
5

Black hole 2.0
09-'12
CVE-2006-0003
CVE-2010-0188
CVE-2012-0507
CVE-2012-1723
CVE-2012-4681
CVE-2012-4969 promised
5

Black hole 1.2.5
08-'12
CVE-2006-0003
CVE-2007-5659 /2008-0655
CVE-2008-2992
CVE-2009-0927
CVE-2010-0188
CVE-2010-1885
CVE-2011-0559
CVE-2011-2110
CVE-2012-1723
CVE-2012-1889
CVE-2012-4681
11

Private no name
09-'12
CVE-2010-0188
CVE-2012-1723
CVE-2012-4681
3

Nuclear 2.2 (Update to 2.0 - actual v. # is unknown)
03-'12
CVE-2010-0188
CVE-2011-3544
CVE-2012-1723
CVE-2012-4681
4

Nuclear 2.1 (Update to 2.0 - actual v. # is unknown)
03-'12
CVE-2010-0188
CVE-2011-3544
CVE-2012-1723
3

CrimeBoss
09-'12
Java Signed Applet
CVE-2011-3544
CVE-2012-4681
3

Grandsoft
09-'12
CVE-2010-0188
CVE-2011-3544
2?

Sweet Orange 1.1
09-'12
CVE-2006-0003
CVE-2010-0188
CVE-2011-3544
CVE-2012-4681
4?

Sweet Orange 1.0
05-'12
CVE-2006-0003
CVE-2010-0188
CVE-2011-3544
3?

Phoenix  3.1.15
05-'12
CVE-2010-0842
CVE-2010-0248
CVE-2011-2110
CVE-2011-2140
CVE-2011-2371
CVE-2011-3544
CVE-2011-3659
Firefox social
CVE-2012-0500
CVE-2012-0507
CVE-2012-0779
11

NucSoft
2012
CVE-2010-0188
CVE-2012-0507
2

Sakura 1.1
08-'12
CVE-2006-0003
CVE-2010-0806
CVE-2010-0842
CVE-2011-3544
CVE-2012-4681
5


Version 16. April 2, 2012

Thanks to Kahu Security for the Wild Wild West graphic

The full table in xls format - Version 16 can be downloaded from here.

ADDITIONS AND CHANGES:

1. Blackhole Exploit Kit 1.2.3
Added:
  1. CVE-2011-0559 - Flash memory corruption via F-Secure
  2. CVE-2012-0507 - Java Atomic via Krebs on Security
  3. CVE-2011-3544 - Java Rhino  via Krebs on Security
2. Eleonore Exploit Kit 1.8.91 and above - via Kahu Security
Added:
  1. CVE-2012-0507 - Java Atomic - after 1.8.91 was released
  2. CVE-2011-3544 - Java Rhino
  3. CVE-2011-3521 - Java Upd.27, see Timo Hirvonen, Contagio, Kahu Security and Michael 'mihi' Schierl
  4. CVE-2011-2462 - Adobe PDF U3D
Also includes
"Flash pack" (presumably the same as before)
"Quicktime" - CVE-2010-1818 ?
3. Incognito Exploit Pack v.2 and above
There are rumors that Incognito development stopped after v.2 in 2011 and that it is a different pack now. If you know, please send links or files.

Added after v.2 was released:
  1. CVE-2012-0507 - Java Atomic
See V.2 analysis via StopMalvertizing

4. Phoenix Exploit Kit v3.1 - via Malware Don't Need Coffee
Added:
  1. CVE-2012-0507 -  Java Atomic
  2. CVE-2011-3544 -  Java Rhino + Java TC (in one file)

5. Nuclear Pack v.2 - via TrustWave Spiderlabs

  1. CVE-2011-3544 Oracle Java Rhino
  2. CVE-2010-0840 JRE Trusted Method Chaining
  3. CVE-2010-0188 Acrobat Reader  – LibTIFF
  4. CVE-2006-0003 MDAC
6. Sakura Exploit Pack > v.1 via DaMaGeLaB

  1. CVE-2011-3544 - Java Rhino (It was in Exploitpack table v15, listing it to show all packs with this exploit)

7. Chinese Zhi Zhu Pack via Kahu Security and Francois Paget (McAfee)
  1. CVE-2012-0003 -  WMP MIDI 
  2. CVE-2011-1255 - IE Time Element Memory Corruption
  3. CVE-2011-2140 - Flash 10.3.183.x
  4. CVE-2011-2110 - Flash 10.3.181.x 
  5. CVE-2010-0806 - IEPeers

8. Gong Da Pack via Kahu Security 
  1. CVE-2011-2140  - Flash 10.3.183.x
  2. CVE-2012-0003 -  WMP MIDI  
  3. CVE-2011-3544 - Java Rhino 
9. Dragon Pack - via DaMaGeLab, December 2010 - it is old, listing for curiosity's sake

  1. CVE-2010-0886 - Java SMB
  2. CVE-2010-0840 - JRE Trusted Method Chaining
  3. CVE-2008-2463 - Snapshot
  4. CVE-2010-0806 - IEPeers
  5. CVE-2007-5659/2008-0655 - Collab.collectEmailInfo
  6. CVE-2008-2992 - util.printf
  7. CVE-2009-0927 - getIco
  8. CVE-2009-4324 - newPlayer



Version 15. January 28, 2012

Additions - with many thanks to Kahu Security

Hierarchy Exploit Pack
=================
CVE-2006-0003
CVE-2009-0927
CVE-2010-0094
CVE-2010-0188
CVE-2010-0806
CVE-2010-0840
CVE-2010-1297
CVE-2010-1885
CVE-2011-0611
JavaSignedApplet


Siberia Private
==========
CVE-2005-0055
CVE-2006-0003
CVE-2007-5659
CVE-2008-2463
CVE-2008-2992
CVE-2009-0075
CVE-2009-0927
CVE-2009-3867
CVE-2009-4324
CVE-2010-0806


Techno XPack
===========
CVE-2008-2992
CVE-2010-0188
CVE-2010-0842
CVE-2010-1297
CVE-2010-2884
CVE-2010-3552
CVE-2010-3654
JavaSignedApplet


"Yang Pack"
=========
CVE-2010-0806
CVE-2011-2110
CVE-2011-2140
CVE-2011-354




Version 14. January 19, 2012


Version 14 Exploit Pack table additions:

Credits for the excellent Wild Wild West (October 2011 edition) go to kahusecurity.com

With many thanks to XyliBox (Xylitol - Steven), Malware Intelligence blog, and xakepy.cc for the information:

  1. Blackhole 1.2.1  (Java Rhino added, weaker Java exploits removed)
  2. Blackhole 1.2.1 (Java Skyline added)
  3. Sakura Exploit Pack 1.0  (new kid on the block, private pack)
  4. Phoenix 2.8. mini (condensed version of 2.7)
  5. Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)
If you find any errors or CVE information for packs not featured, please send it to my email (in my profile above, thank you very much).

The full table in xls format - Version 14 can be downloaded from here.

The exploit pack table in XLSX format
The exploit pack table in csv format 

P.S. There are always corrections and additions thanks to your feedback after the document release, come back in a day or two to check in case v.15 is out.



Version 13. Aug 20, 2011


Kahusecurity issued an updated version of their Wild Wild West graphic that will help you learn Who is Who in the world of exploit packs. You can view the full version of their post in the link above.

Version 13 exploit pack table additions:
  1. Bleeding Life 3.0
  2. Merry Christmas Pack (many thanks to kahusecurity.com)
  3. Best Pack (many thanks to kahusecurity.com)
  4. Sava Pack (many thanks to kahusecurity.com)
  5. LinuQ 
  6. Eleonore 1.6.5
  7. Zero Pack
  8. Salo Pack (incomplete but it is also old)



List of packs in the table in alphabetical order
  1. Best Pack
  2. Blackhole Exploit 1.0
  3. Blackhole Exploit 1.1
  4. Bleeding Life 2.0
  5. Bleeding Life 3.0
  6. Bomba
  7. CRIMEPACK 2.2.1
  8. CRIMEPACK 2.2.8
  9. CRIMEPACK 3.0
  10. CRIMEPACK 3.1.3
  11. Dloader
  12. EL Fiiesta
  13. Eleonore 1.3.2
  14. Eleonore 1.4.1
  15. Eleonore 1.4.4 Moded
  16. Eleonore 1.6.3a
  17. Eleonore 1.6.4
  18. Eleonore 1.6.5
  19. Fragus 1
  20. Icepack
  21. Impassioned Framework 1.0
  22. Incognito
  23. iPack
  24. JustExploit
  25. Katrin
  26. Merry Christmas Pack
  27. Liberty  1.0.7
  28. Liberty 2.1.0*
  29. LinuQ pack
  30. Lupit
  31. Mpack
  32. Mushroom/unknown
  33. Open Source Exploit (Metapack)
  34. Papka
  35. Phoenix  2.0 
  36. Phoenix 2.1
  37. Phoenix 2.2
  38. Phoenix 2.3
  39. Phoenix 2.4
  40. Phoenix 2.5
  41. Phoenix 2.7
  42. Robopak
  43. Salo pack
  44. Sava Pack
  45. SEO Sploit pack
  46. Siberia
  47. T-Iframer
  48. Unique Pack Sploit 2.1
  49. Webattack
  50. Yes Exploit 3.0RC
  51. Zero Pack
  52. Zombie Infection kit
  53. Zopack


----------------------------------------------
Bleeding Life 3.0
New Version Ad is here 

Merry Christmas Pack
read analysis at
kahusecurity.com
  
Best Pack
read analysis at 
kahusecurity.com
Sava Pack
read analysis at
kahusecurity.com
Eleonore 1.6.5 
[+] CVE-2011-0611
[+] CVE-2011-0559
[+] CVE-2010-4452
[-] CVE-2010-0886
Salo Pack
Old (2009), added just for the collection


Zero Pack
62 exploits from various packs (mostly Open Source pack)
LinuQ pack
Designed to compromise Linux servers using vulnerable phpMyAdmin. Comes with a DDoS bot, but any kind of code can be loaded for Linux botnet creation.
LinuQ pack is a phpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. It is not considered to be original, unique, new, or anything special. All exploits are public and well known.


It is designed to be installed on an IRC server (like UnrealIRCD). IP ranges already listed in bios.txt can be scanned; vulnerable IPs and the specific PMA vulnerabilities will be listed in vuln.txt, and then the corresponding exploits can be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than an exploit pack.
It uses:
CVE-2009-1148 (unconfirmed)
CVE-2009-1149 (unconfirmed)
CVE-2009-1150 (unconfirmed)
CVE-2009-1151 (confirmed)




====================================================================
Version 12. May 26, 2011
Additional changes (many thanks to kahusecurity.com):
Bomba
Papka

See the list of packs covered in the list below


The full table in xls format - Version 12 can be downloaded from here.
I want to thank everyone who sent packs and information  :)





Version 11 May 26, 2011 Changes:
    1. Phoenix2.7
    2. "Dloader" (well, dloader is a loader but the pack is  some unnamed pack http://damagelab.org/lofiversion/index.php?t=20852)
    3. nuclear pack
    4. Katrin
    5. Robopak
    6. Blackhole exploit kit 1.1.0
    7. Mushroom/unknown
    8. Open Source Exploit kit






    ====================================================================

    10. May 8, 2011 Version 10 - Exploit Pack Table_V10May11
    First, I want to thank everyone who sent and posted comments for updates and corrections.

    *** The Wild Wild West picture is from a great post about evolution of exploit packs by Kahu Security  Wild Wild West Update


    As usual, send your corrections and update lists.


    Changes:
    • Eleonore 1.6.4
    • Eleonore 1.6.3a
    • Incognito
    • Blackhole
    Go1Pack (not included) was reported as being a fake pack; here is a GUI. Here is a Threatpost article referencing it as used for an attack.
    Also, here is another article claiming it is not a fake: http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx
    Go1 Pack CVEs are reportedly:
    CVE-2006-0003
    CVE-2009-0927
    CVE-2010-1423
    CVE-2010-1885

    Does anyone have this pack or see it offered for sale?

    Exploit kits I am planning to analyze and add (and/or find CVE listing for) are:

    • Open Source Exploit Kit
    • SALO
    • K0de

    Legend: 
    Black color entries by Francois Paget
    Red color entries by Gunther
    Blue color entries by Mila

    Also, here is a great presentation by Ratsoul (Donato Ferrante) about Java Exploits (http://www.inreverse.net/?p=1687)

    --------------------------------------------------------
    9. April 5, 2011 Version 9 - ExploitPackTable_V9Apr11

    It actually needs another update but I am posting it now and will issue version 10 as soon as I can.

    Changes:
    Phoenix 2.5
    IFramer
    Tornado
    Bleeding life

    Many thanks to Gunther for his contributions.
    If you wish to add some, please send your info together with the reference links. Also please feel free to send corrections if you notice any mistakes






    8. Update 8 Oct 22, 2010 Version 8 ExploitPackTable_V8Oct22-10

    Changes: 
    1. Eleonore 1.4.4 Moded added (thanks to malwareint.blogspot.com)
    2. Correction on CVE-2010-0746 in Phoenix 2.2 and 2.3. It is a mistake and the correct CVE is CVE-2010-0886 (thanks to etonshell for noticing)
    3. SEO Sploit pack added (thanks to whsbehind.blogspot.com,  evilcodecave.blogspot.com and blog.ahnlab.com)


    7. Update 7 Oct 18, 2010 Version 7 ExploitPackTable_V7Oct18-10 released
    Thanks to SecNiche we have updates for Phoenix 2.4 :)

    We also added shorthand/slang/abbreviated names for exploits for easy matching of exploits to CVEs in the future. Please send us more information on packs and exploit names that can be added to the list. Thank you!

     
    6. Update 6 Sept 27, 2010 Version 6 ExploitPackTable_V6Sept26-10 released
    Thanks to Francois Paget (McAfee) we have updates for Phoenix 2.2 and Phoenix 2.3


    5. Update 5. Sept 27, 2010 Version 5 ExploitPackTable_V5Sept26-10 released
    Added updates for Phoenix 2.1 and Crimepack 3.1.3

      
    4. Update 4 July 23, 2010 Version 4 ExploitPackTable_V4Ju23-10 released. Added a new Russian exploit kit called Zombie Infection Kit to the table. Read more at malwareview.com
    Update 3  July 7, 2010. Please read more about this on the Brian Krebs' blog Pirate Bay Hack Exposes User Booty 
    Update 2 June 27, 2010 Sorry but Impassioned Framework is back where it belongs - blue
    Update 1 June 24, 2010 Eleonore 1.4.1 columns was updated to include the correct list of the current exploits.

    Francois Paget  www.avertlabs.com kindly agreed to allow us to make additions to his Overview of Exploit Packs table published on Avertlabs (McAfee Blog)

    Many thanks to Gunther from ARTeam for his help with the update. There are a few blanks and question marks; please do not hesitate to email me if you know the answer or if you see any errors.



    Please click on the image below to expand it (it is a partial screenshot)  Impassioned Framework is tentatively marked a different color because the author claims it is a security audit tool not exploit pack. However, there was no sufficient information provided yet to validate such claims. The pack is temporarily/tentatively marked a different color. We'll keep you posted.



    Collection of Pcap files from malware analysis
    1 Jan 2014, 5:39 am


    Update: Dec 31, 2013 - added new pcaps

    I did some spring cleaning yesterday and came up with these malware and exploit pcaps. Such pcaps are very useful for IDS and signature testing and development, general education, and malware identification. There are some online public sandboxes offering pcaps for download, like Cuckoo or Anubis, but looking for them is a tedious task and you cannot be totally sure the pcap is for the malware family supposedly analysed; in other words, if the sandbox says it is Zeus, that does not necessarily mean that it is.

    I found some good pcap repositories here (http://www.netresec.com/?page=PcapFiles) but there are very few pcaps from malware.

    These are from identified and verified (to the best of my knowledge and belief - email me if you find errors) malware samples.

    All of them show the first stage with the initial callback and most have the DNS requests as well. A few pcaps show extended malware runs (e.g. the purplehaze pcap is over 500 MB).
    Most pcaps are mine, a few are from online sandboxes, and one is borrowed from malware.dontneedcoffee.com. That said, I can probably find the corresponding samples for all that have MD5 listed if you really need them. Search contagio, some are posted with the samples.

    Each file has the following naming convention:
    BIN [RTF, PDF] - the filetype of the dropper used, malware family name, MD5, and year+month of the malware analysis.

    I will be adding more pcaps in the future. Please donate your pcaps from identified samples, I am sure many of you have.

    Thank you




    Download


    Download all together or separately.

    All pcap archives have the same password (same scheme); email me if you need it. I tried posting them without any password and with the password "infected", but they get flagged as malware. Modern AV rips through zips and zips with the pass 'infected' with ease.



    APT PCAPS

    See Library of Malware Traffic Patterns for the corresponding sample downloads and other details

    Download all together or separately.
    1. 2012-12-31 BIN_Xinmic_8761F29AF1AE2D6FACD0AE5F487484A5-pcap
    2. 2013-09-08 BIN_TrojanPage_86893886C7CBC7310F7675F4EFDE0A29-pcap
    3. 2013-09-08 BIN_Darkcomet_DC98ABBA995771480AECF4769A88756E-pcap
    4. 2013-09-02 8202_tbd_6D2C12085F0018DAEB9C1A53E53FD4D1-pcap
    5. 2013-09-02 BIN_8202_6d2c12085f0018daeb9c1a53e53fd4d1-pcap
    6. 2013-09-02 BIN_Vidgrab_6fd868e68037040c94215566852230ab-pcap
    7. 2013-09-02 BIN_PlugX_2ff2d518313475a612f095dd863c8aea-pcap
    8. 2013-09-02 BIN_Taidoor_46ef9b0f1419e26f2f37d9d3495c499f-pcap
    9. 2013-09-02 BIN_Vidgrab_660709324acb88ef11f71782af28a1f0-pcap
    10. 2013-09-02 BIN_Gh0st-gif_f4d4076dff760eb92e4ae559c2dc4525-pcap.zip
    11. 2013-07-15 BIN_Taleret.E_5328cfcb46ef18ecf7ba0d21a7adc02c.pcap
    12. 2013-05-14 BIN_Mediana_0AE47E3261EA0A2DBCE471B28DFFE007_2012-10.pcap
    13. 2013-05-14 BIN_Hupigon_8F90057AB244BD8B612CD09F566EAC0C
    14. 2013-05-14 BIN_LetsGo_yahoosb_b21ba443726385c11802a8ad731771c0_2011-07-19
    15. 2013-05-13 BIN_IXESHE_0F88D9B0D237B5FCDC0F985A548254F2-2013-05-pcap
    16. 2013-05-06 BIN_DNSWatch_protux_4F8A44EF66384CCFAB737C8D7ADB4BB8_2012-11-pcap
    17. 2013-05-06 BIN_9002_D4ED654BCDA42576FDDFE03361608CAA_2013-01-30-pcap
    18. 2013-05-06 BIN_BIN_RssFeeder_68EE5FDA371E4AC48DAD7FCB2C94BAC7-2012-06-pcap (not a common name, see the traffic sheet http://bit.ly/maltraffic )
    19. 2013-04-30 BIN_MSWab_Yayih_FD1BE09E499E8E380424B3835FC973A8_us-pcap
    20. 2013-04-29 BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10-pcap
    21. 2013-04-29 BIN_XTremeRAT_DAEBFDED736903D234214ED4821EAF99_2013-04-13-pcap
    22. BIN_Enfal_Lurid_0fb1b0833f723682346041d72ed112f9_2013-01.pcap
    23. BIN_Gh0st_variant-v2010_B1D09374006E20FA795B2E70BF566C6D_2012-08.pcap
    24. BIN_Likseput_E019E37F19040059AB5662563F06B609_2012-10.pcap
    25. BIN_Nettravler_1f26e5f9b44c28b37b6cd13283838366.pcap
    26. BIN_Nettravler_DA5832657877514306EDD211DEF61AFE_2012-10.pcap
    27. BIN_Sanny-Daws_338D0B855421867732E05399A2D56670_2012-10.pcap
    28. BIN_Sofacy_a2a188cbf74c1be52681f998f8e9b6b5_2012-10.pcap
    29. BIN_Taidoor_40D79D1120638688AC7D9497CC819462_2012-10.pcap
    30. BIN_TrojanCookies_840BD11343D140916F45223BA05ABACB_2012_01.pcap
    31. PDF_CVE-2011-2462_Pdf_2011-12.pcap
    32. RTF_Mongall_Dropper_Cve-2012-0158_C6F01A6AD70DA7A554D48BDBF7C7E065_2013-01.pcap
    33. OSX_DocksterTrojan.pcap

    CRIMEWARE PCAPS

    See Library of Malware Traffic Patterns for the corresponding sample downloads and other details

    Download all together or separately.
    1. 2013-11-12_BIN_ChePro_2A5E5D3C536DA346849750A4B8C8613A-1.pcap
    2. 2013-10-15_BIN_cryptolocker_9CBB128E8211A7CD00729C159815CB1C.pcap
    3. 2013-09-20_BIN_Lader-dlGameoverZeus_12cfe1caa12991102d79a366d3aa79e9.pcap
    4. 2013-09-08 BIN_Tijcont_845B0945D5FE0E0AAA16234DC21484E0-pcap
    5. 2013-09-08 BIN_Kelihos_C94DC5C9BB7B99658C275B7337C64B33-pcap.zip
    6. 2013-08-19 BIN_Nitedrem_508af8c499102ad2ebc1a83fdbcefecb-pcap
    7. 2013-08-17 BIN_sality_CEAF4D9E1F408299144E75D7F29C1810-pcap
    8. 2013-08-15 BIN_torpigminiloader-pcap.zip
    9. 2013-13-08 EK_popads_109.236.80.170_2013-08-13.pcap
    10. 2013-11-08 BIN_Alinav5.3_4C754150639AA3A86CA4D6B6342820BE.pcap
    11. 2013-08-08 BIN_BitcoinMiner_F865C199024105A2FFDF5FA98F391D74-pcap
    12. 2013-08-07 BIN_ZeroAccess_Sirefef_C2A9CCC8C6A6DF1CA1725F955F991940_2013-08-pcap
    13. 2013-07-05 BIN_Kuluoz-Asprox_9F842AD20C50AD1AAB41F20B321BF84B
    14. 2013-05-31 Wordpress-Mutopy_Symmi_20A6EBF61243B760DD65F897236B6AD3-2pcap.pcap
    15. 2013-05-15 BIN_Zeus_b1551c676a54e9127cd0e7ea283b92cc-2012-04.pcap
    16. 2013-05-15 BIN_Gypthoy_3EE49121300384FF3C82EB9A1F06F288-2013-05.pcap
    17. 2013-05-12 BIN_PassAlert_B4A1368515C6C39ACEF63A4BC368EDB2-2013-05-13
    18. 2013-05-12 BIN_HorstProxy_EFE5529D697174914938F4ABF115F762-2013-05-13-pcap
    19. 2013-05-12 BIN_Bitcoinminer_12E717293715939C5196E604591A97DF-2013-05-12-pcap
    20. 2013-05-07 BIN_ZeroAccess_Sirefef_29A35124ABEAD63CD8DB2BBB469CBC7A_2013-05-pcapc
    21. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
    22. 2013-05-05 BIN_GameThief_ECBA0FEB36F9EF975EE96D1694C8164C_2013-03-pcap
    23. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
    24. 2013-04-27 EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04-pcap
    25. 2013-04-26 -- BIN_Citadel_3D6046E1218FB525805E5D8FDC605361-2013-04-samp 
    26. BIN_CitadelPacked_2012-05.pcap
    27. BIN_CitadelUnpacked_2012-05.pcap
    28. BIN_Cutwail_284Fb18Fab33C93Bc69Ce392D08Fd250_2012-10.pcap
    29. BIN_Darkmegi_2012-04.pcap
    30. BIN_DarknessDDoS_v8g_F03Bc8Dcc090607F38Ffb3A36Ccacf48_2011-01.pcap-
    31. BIN_dirtjumper_2011-10.pcap
    32. BIN_DNSChanger_2011-12.pcap
    33. BIN_Drowor_worm_0f015bb8e2f93fd7076f8d178df2450d_2013-04.pcap
    34. BIN_Googledocs_macadocs_2012-12.pcap
    35. BIN_Imaut_823e9bab188ad8cb30c14adc7e67066d.pcap
    36. BIN_IRCbot_c6716a417f82ccedf0f860b735ac0187_2013-04.pcap
    37. BIN_Kelihos_aka_Nap_0feaaa4adc31728e54b006ab9a7e6afa.pcap
    38. BIN_LoadMoney_MailRu_dl_4e801b46068b31b82dac65885a58ed9e_2013-04 .pcap
    39. BIN_purplehaze-2012-01.pcap
    40. BIN_ponyloader_470a6f47de43eff307a02f53db134289.pcap
    41. BIN_Ramnitpcap_2012-01.pcap
    42. BIN_Reedum_0ca4f93a848cf01348336a8c6ff22daf_2013-03.pcap
    43. BIN_SpyEye_2010-02.pcap
    44. BIN_Stabuniq_F31B797831B36A4877AA0FD173A7A4A2_2012-12.pcap
    45. BIN_Tbot_23AAB9C1C462F3FDFDDD98181E963230_2012-12.pcap
    46. BIN_Tbot_2E1814CCCF0C3BB2CC32E0A0671C0891_2012-12.pcap
    47. BIN_Tbot_5375FB5E867680FFB8E72D29DB9ABBD5_2012-12.pcap
    48. BIN_Tbot_A0552D1BC1A4897141CFA56F75C04857_2012-12.pcap
    49. BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap
    50. BIN_Tinba_2012-06.pcap
    51. BIN_Vobfus_634AA845F5B0B519B6D8A8670B994906_2012-12.pcap
    52. BIN_Xpaj_2012-05.pcap
    53. BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap
    54. BIN_ZeusGameover_2012-02.pcap
    55. BIN_Zeus_2010-12.pcap
    56. EK_Blackholev1_2012-03.pcap
    57. EK_Blackholev1_2012-08.pcap
    58. EK_Blackholev2_2012-09.pcap
    59. EK_Blackhole_Java_CVE-2012-4681_2012-08.pcap
    60. EK_Phoenix_2012-04.pcap
    61. EK_Smokekt150(Malwaredontneedcoffee)_2012-09.pcap -  credit malware.dontneedcoffee.com



    OSX malware and exploit collection (~100 files) + links and resources for OSX malware analysis
    22 Nov 2013, 6:22 pm


    'Tis the season.

    Here is a nice collection of ~100 Mac OS malware and Word document exploits carrying MacOS payload (all are CVE-2009-0563) along with links for OSX malware analysis.

    Please send your favorite tools for OSX if they are not listed.




    CVE-2009-0563

    CVE-2009-0563
    Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Microsoft Office for Mac 2004 and 2008; Open XML File Format Converter for Mac; Microsoft Office Word Viewer 2003 SP3; Microsoft Office Word Viewer; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a Word document with a crafted tag containing an invalid length field, aka "Word Buffer Overflow Vulnerability."



    Links



    Some OSX malware analysis tools and links 


    Tools


    Malware in the provided package - links to research and news articles






    Download



    Download. Email me if you need the password
    OSX_CrisisB_a32e073132ae0439daca9c82b8119009 
    Additional older downloads

    1. OSX_Docklight payload  http://contagioexchange.blogspot.com/2012/05/019-speechdoc-macosxms09-027a-word.html 
    2. misc OSX malware on contagio http://contagiodump.blogspot.com/search/label/-%20OSX
    3. 30 samples of ancient Mac OS malware http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html



    List of files provided in this post


    1. OSX_AoboKeylogger_362D5DDB3924C625589B42030B66CA69
    2. OSX_BackTrack-A_B03276BFBF85CFDD7C8998004C1200DA
    3. OSX_Boonana_B3A0B0DA5AA01FF200CEBC8AF359A3C3
    4. OSX_ChatZum_487E5CD581587D63783CDD356DE9CF24
    5. OSX_ChatZum_57A4EB15CAA4FCC0A8F6AFBBD66C4859
    6. OSX_Clapzok_99FE5AD5FF514F5AAEA8E501DDBAF95B
    7. OSX_Crisis_04BBDA5B11FA0FD3C767CAF4719D6A4D
    8. OSX_Crisis_42C112036E319ED8DF0F55C7F4C0DA85
    9. OSX_CrisisB_a32e073132ae0439daca9c82b8119009
    10. OSX_Crisis_59FE83E0AE12E085E0FA301ECCA6776F
    11. OSX_Crisis_6F055150861D8D6E145E9ACA65F92822
    12. OSX_Crisis_A32E073132AE0439DACA9C82B8119009_Biglietto Visita
    13. OSX_Crisis_ACEC5F00057D3EC94849511F3EDDCB91
    14. OSX_Crisis_FAAB883598C8C379ACFD0B9DCCC93D0C
    15. OSX_Dockster_Backdoor_C6CA5071907A9B6E34E1C99413DCD142
    16. OSX_FkCodec_74812C7B6E0A55347284ABFA7D5670BF
    17. OSX_FkCodec_74812C7B6E0A55347284ABFA7D5670BF_Codec-M
    18. OSX_FkCodec_B4ECE10D1E706B87B065523A654D48A7_download.dmg
    19. OSX_FkCodec1C5AE9F1DD9FE6F506EAABD382925CA8_codec-M.safariextz
    20. OSX_Flashback_3DCB6D6A9EA8D9755EB61AE057B3D74A
    21. OSX_Flashback_9FCFE8EF92F51F1C29A26E1516EF7003_FlashPlayer-11-macos.pkg
    22. OSX_Flashback_C2819C3C183BBF7547CF76C6A004EA15_FlashPlayer-11-macos.pkg
    23. OSX_Fucobha_IceFog_A615DD792093191E9FC975132A2DB409A_CleanMyMac
    24. OSX_Fucobha_IceFog_B4249F9B49A9A177B4D2F4439373029A
    25. OSX_Fucobha_IceFog_CF1815491D41202EB8647341A8695E1E
    26. OSX_GetShell_68078CBD1A34EB7BE8A044287F05CCE4
    27. OSX_GetShell_AC99ACE403D31C7079C938F9B0FD0895
    28. OSX_GetShell_ACC2B4A595939F17F7D07DE2CF75CDC8
    29. OSX_Hacktool_Hoylecann_FED8E22AE6F080F9B05A309C7E48B5EF
    30. OSX_HellRaiser_CA74984601287459AFB7B39EBEBDD394
    31. OSX_HellRTS.AH_KeystrokeRecorder X Pref Editor_C19377D07A234D1585D85F8FA3CF77FB
    32. OSX_HellRTS_F1AD75AEB4B4C2883DF2221C8804DA2A.AH
    33. OSX_Hovdy_Backdoor_FED713CAC7012D25F60B236E6DDCF513
    34. OSX_Inqtana.zip
    35. OSX_Iservice_4C9E7EE7C0F5C19C68B45CA6C81F8D62
    36. OSX_Iservice_E34BA325F3EEB8DF07A09EE9FBF1071D
    37. OSX_Jahlav_12F32EACBB3CD2C5623EE6976A51913A_QuickTime.xpt
    38. OSX_Jahlav_CCB72243EF478EEFE90B5898EC32389B
    39. OSX_Jahlav_D7DDF72D17F889C2C5B302AC0A5FBDC5
    40. OSX_Jahlav_FB79A75A6152EF47BBF88AE8544545CC.pl
    41. OSX_Jahlav_flash.zip
    42. OSX_Kitmos_A_39FAA22EB9D6B750EC345EFCB38189F5
    43. OSX_Kitmos_A_3AA9C558D4D5F1B2A6D3CE47AA26315F
    44. OSX_Kitmos_A_B3D49091875DE190F200110C2F2032D4
    45. OSX_Lamadai_20F0D0CE8A413A51EB16DEE860021E6A
    46. OSX_Lamadai_DE90189F040494E3708D83A33E37E40E
    47. OSX_Leverage_A_Backdoor_C425D2BE8B4AF733A44EC1518F182BE8
    48. OSX_LocalRoot_3DC01743FB42E917E9F9EDE5009F10CD
    49. OSX_Macarena_A_BFC7B7B9D3E1DF9D6E1A31D3E7BED628
    50. OSX_MacDefender_8AE7163C7C3C02564A4C69DF1F7C483E_Archive.pax
    51. OSX_MacDefender_E187F4071723808560E135647245562A_Archive.pax
    52. OSX_MacKontrol_89C35C057655E67580EFD0FF8242D960
    53. OSX_MacKontrol_E88027E4BFC69B9D29CAEF6BAE0238E8_matiriyal.dmg
    54. OSX_Macsweeper_4836CC480796386ED6929C38E5AAD525
    55. OSX_Miner_DevilRobber_417369B713F1A5F3A3DC0DAF76BDCFD6
    56. OSX_Miner_DevilRobber_EE2BA586232007FA41703EB120AC7408
    57. OSX_Miner_F8EBF03E88928EBF91A8420E3D5993FE
    58. OSX_Olyx_Backdoor_93A9B55BB66D0FF80676232818D5952F
    59. OSX_Olyx_Backdoor_93A9B55BB66D0FF80676232818D5952F_Current events 2009 July 5
    60. OSX_OpinionSpy_C98AE54F4BE1082B4E82548D7511077E_Crystal-Clock-screensaver.zip
    61. OSX_OpinionSpy_CC33C95C59372AFCA60A0552A58D0EF8_Crystal-Clock-screensaver.zip
    62. OSX_PSides_32F4792B1141BA259067F9613E2E88B5
    63. OSX_PUP_AABEDBAAB63EF19657A3A82C930CCE18_Genieo_InstallGenieo.dmg
    64. OSX_PUP_PerfectKeylog_1B192319C8F41036A2D6B8E987809D42
    65. OSX_Renepo_80753666A54A8AE97BD6ED3A4E2F3702
    66. OSX_RevirA_FE4AEFE0A416192A1A6916F8FC1CE484_revir-a.dmg
    67. OSX_RevirC_Imuler_7DBA3A178662E7FF904D12F260F0FFF3
    68. OSX_Safari_B24C0E60AF3D3E836FBE8A92FBCC8EB7.dat
    69. OSX_SniperSpy
    70. OSX_Wirenet_50D4F0DA2E38874E417BD13B59F4C067
    71. OSX_Wirenet_B56AD86A4BACEF92EF46D36EABEF6467
    72. OSX_Wirenet_D048F7AE2D244A264E58AF67B1A20DB0
    73. OSX_Yontoo_16ACCB0ABC051D667640B1EE4FF3A7A1
    74. OSX_Yontoo_7C433B3AC0E8072BA5E6B57298E1B28B
    75. OSXWeapoX_7FDEBB5FEC63FB3739A79A66265BB765



    EXPLOITS
    OSX_CVE-2009-0563 targeting Tibetan and Uyghur activists (filenames shortened here)

    1. 0DA957B9B952420241F945A9A2C52A50_C2-alma.apple.cloudns.org_ParticipantsArrivalDeparture.doc
    2. 0E5110493FD197813068310E57467B44_C2-alma.apple.cloudns.org _Uighur Han unrest.doc
    3. 0E945428D07464EC33EBDFF5712FE788_C2-update.googmail.org_Jenwediki yighingha.doc
    4. 1218840F3B66832CC58C33C75AD3D419_C2-update.googmail.org_Uyghur_Xitayning Yengi Rehberlik.doc
    5. 1CE3C4A8907A242250D366586711CBDC_C2-alma.apple.cloudns.org _Rabiye_hanim_bilen_Dolkun_Isa.doc
    6. 2567399683111CFCB838C5DA80DF181D_Tibetan Parliament urges World to take concrete step on Tibet.doc
    7. 28821C5FD38B11EE630D87961C11A3D7_DUQning reyisi namzatlar isimliki.doc
    8. 3D28AE551B9BD4C62FFC6C72F5668D96_Tibet_The United Nations Commission for Human Rights.doc
    9. 3D90D04C09C6B4D5D52888C89BDE9685_Tibetan Parliament urges World.doc
    10. 567ECE88B2D6F4F12F0D0760C30605EE_C2-apple12.crabdance.com_list.doc
    11. 58A0A5824A6B30EA7EEBBB51818AE04B_uYGHUR_Jenwe yinghinining xeweri.doc
    12. 786A7D1A1DCEC50E6A89E3CC8F33A3AE_Uyghur_Dunya Uyghur Qurultayigha iane qilish toghrisida.doc
    13. 7D7A5C530A7DBF24C42145A0EFCC8669_kurban-bayrami.doc
    14. 8618BCCB98F7D20634EBEDC488981E86_C2-update.googmail.org_email73.doc
    15. 908116A30F53EDF9D1749E3F0F267680_Website-TGSL.doc
    16. 9F9F96D5C882528D08315201042647DF_C2-update.googmail.org_Uyghur_The Duke Program.doc
    17. BA76DE3471497A8B1858AF4A8C700AE1_www.uyghurcongress.org.doc
    18. C024E159A96F3292915B257070FC3325_Sartin-TGSL.doc
    19. DD7C486BC17772A5E96425271FA5ED4D_c2-apple12.crabdance.com_10. Jahresgedenktag.doc
    20. E510AE50B0344EFBE1F8888771C7446C_www.tughlan.com.doc
    21. E683339BCCFDEB0F06C7E567F2C284C5_Planning for action.doc
    22. ECE44C00D46BE019AFF38FD5D31B9110_C2-update.googmail.org_UAA 2012 Saylam Komtiti saylam.doc
    23. F81775C93F7337E0664F1D106E13C7B3_C2-update.googmail.org_Uyghur_Human Rights Education.doc
    24. FBE399BF714184ED7FEA313F36A86514_C2-apple12.crabdance.com_Uyghur_Putun Dunyadiki Sherqi.doc
    25. MacOSSabpub-A_43F281076E185E55BECE7EB2F0EC8164.doc




    Sandbox MIMIng. CVE-2012-0158 in MHTML samples and analysis
    3 Sep 2013, 7:52 am


    Update - Sept 4, 2013
    I added more descriptions and changed NjRat / Backdoor.LV to Vidgrab: in the traffic, the communications are similar to NjRat/Backdoor.LV, but it does not use base64 and sends an initial request starting with ...3 (0x01 0x00 0x00 0x00 0x33) followed by null bytes; it does not start with lv|

    I am still looking for names for a few other backdoors below, so if you recognize them, please let me know. 

    Recently, my custom sandbox has been trying to open some Word attachments in a browser because the filetype fingerprint service detected them as MIME HTML files. Browsers are usually the default application for such types, and the files did contain the CVE-2012-0158 exploit. A quick Google lookup yielded a May 2013 report from the Chinese company Antiy, "The Latest APT Attack by Exploiting CVE-2012-0158 Vulnerability", which described this new exploit vector.
    Antiy noted that these MHTML files evade antivirus, and indeed only half of the vendors represented on Virustotal detect them. However, many companies rely on their automated tools, inline and standalone sandboxes, not just antivirus, to determine whether a file is malicious.

    I checked how these files (files without any extension) were processed by other commercial and open source mail scanners and sandboxes. 3 out of 5 well-known commercial and open source mail scan and web sandbox vendors returned no output or informed me that the filetype was not supported. While writing this post, I noticed that Malwaretracker also mentioned the rise in this vector's usage in his post on Friday, so I am sure the sandbox vendors are fixing the issue as we speak.

    I checked 25 MHTML CVE-2012-0158 files and compared their targets (at least those I could obtain) and payloads. The analysis showed a good variety of trojans, and the targets were predominantly human rights (Tibet, Uyghur) activists. I will post a month's worth of these files.
    CVE #

    CVE-2012-0158
    The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."


    Download

    Email me (see profile) if you need the password

    Download MIME HTML files only


    Download MIME HTML files with their created files and pcaps (10 MB zip = 1.2 GB uncompressed, MD5: f19b49dc8cd7daa2c0a388ad043757a2)

    Folder contents (names of some files changed on Sept 4 - see update above)

    1. 8-30 Plugx the translation D0D2079E1AB0E93C68DA9C293918A376
    2. 8-30 TBD-Arstechnica 4B31A4C3A633A0ADB9DBB8A5125DDA85
    3. 8-28 Surtr Conflict between VN and IN F8CCCCAA018E9EC96BCC65F4A9E549B1
    4. 8-28 TBD-Insta11 Tibet Sikyong Tour Program  658C55D6F92B2E8CCCCB82C6980CE2AB
    5. 8-27 Surtr TibetanNunReleased B5EC46322334D5712ACD386622EE0F04
    6. 8-27 Surtr CTA condemns 8BE76FCB0A2DA692CFD2DA0C85F2EC33
    7. 8-27 TBD-8202 Regarding double sponsor 9B41475A88D12183048A465FFD32EBF9
    8. 8-26 Vidgrab  NJRat-backdoorLV resume F0B821697949C713D9B17550A533ECFE
    9. 8-24 Vidgrab  NJRat-backdoorLV Judgement EBBE175A6EB8DC91E986FF21D66BCD70
    10. 8-24 TBD-8202 Members of Parliament 6DB8AA8455DF96CBAED8803536217ECB
    11. 8-22 Surtr Chinese police FEA931812540035C9A4D0950D50DD103
    12. 8-22 Vidgrab  NJRat-backdoorLVCitizens nomination BF4668C0A55903A0E4D5BA61D6B338CF
    13. 8-19 Vidgrab  NJRat-backdoorLV CNTiananmen Square AAED8F6D19F9617311B9E7630A5D214D
    14. 8-15 PlugX CN Tibetan writer 682A71EDB073760EA81241F7D701ED1D
    15. 8-14 TBD-Insta11 Second-time 59A14B490FE4BA650E31B67117302239
    16. 8-12 Taidoor Continental discipline 51708AE7F107FBE8B1C1F679DAFABBF7
    17. 8-07 Vidgrab  NJRat-backdoorLV People Power 539A1ADCC98ECEE099BF3B42A42E9099
    18. 7-30 Mongall CNGovernment 2A0BDC62EEB6ECF6783B954B20BE3DE9
    19. 7-30 Gh0st Apple 82644661F6639C9FCB021AD197B565F7


    P.S. pcap files for the malicious documents that have not been described below (newer than Aug 24) are named by the MD5 of the dropper MHTML document, not of the malware binary.
    Some malware still needs to be identified.

    Document Analysis 

    MHTML files (a short description you could probably read elsewhere)
    MIME HTML files have been around for ages; they are so-called "web archive" files that allow embedding media, inline images, style sheets, objects like Office files, Flash files, and other goodies into one file. RFC 2557 is a short document describing the format. They normally receive the .mht extension and are viewed in browsers.

    Opening them in MS Word works too, and works well for this exploit, although Word is not the default application. This flexibility of the res URI has been exploited in the past - see CVE-2004-0380, Microsoft Outlook Express MHTML Forced File Execution Vulnerability. For more damage via MHTML see
    Generating Word documents and embedding all kinds of arbitrary objects is extremely easy via PHP and is very popular - just search for strings like
    <!--[if gte mso 9]><xml> <o:DocumentProperties>  <o:Author>User123</o:Author>

    and you will see many Google hits on benign documents hosted on web servers. In addition, check out this article, Word document generation, for how-tos.

    Malicious Indicators for MIME HTML files with CVE-2012-0158
    (as of Sept. 1, 2013; they may mutate in the future)

    1. The vulnerable Windows Common Control (MSCOMCTL.OCX - MS12-027)
    is present in clear text in one of the ActiveX object tags. I am not sure why they used the ShockwaveFlash1 label for that object; maybe it was also used for Flash.
    Venustech (a Chinese security company) has a very detailed analysis of the exploit itself on their site: CVE-2012-0158 Analysis Report 2012-04-28. There must be a similar detailed English-language report somewhere too, but with so many publications on CVE-2012-0158 incidents I could not immediately find it.

    span lang=3DEN-US><object classid=3D"CLSID:BDD1F04B-858B-11D1-B16A-00C0F0283628" id=3DShockwaveFlash1 width=3D9 height=3D9 data=3D"Doc1.files/ocxstg001.mso"></object..

    This is the only control in use; the other three fixed by MS12-027 were not present.

    2. Content location path is always the same.

    Content-Location:  file:///C:/2673C891/Doc1.files/ocxstg001.mso - compare to a different path in the benign version of a MIME document here: ocxstg001.mso.
    The object name ocxstg001.mso is an indicator of an embedded Word document. Decoding the Base64 blob that follows it produces a file with the Word document magic header D0 CF 11 E0 A1 B1 1A E1. It can be benign, like here, or malicious, like in our example, and will be detected as Shellcode and CVE-2012-0158 on Virustotal.
    decoded Base64 blob

    3. All files contain Chinese language and font tags, even for English- and Russian-language documents.
    This one is not necessarily malicious, just an additional indicator.

    span lang=3DEN-USstyle=3D'font-size:10.5pt;mso-bidi-font-size:12.0pt;font-family:"Times New =
    Roman";mso-fareast-font-family:SimSun;mso-font-kerning:1.0pt;mso-ansi-language:EN-=
    mso-fareast-language:ZH-CN;mso-bidi-language:AR-SA'
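    As an added example (not code from the post), here is a small Python scanner that checks a MIME HTML file for the three indicators above using the standard-library MIME parser; the two MHTML blobs inside it are constructed for the demonstration and carry no exploit, only the markers, and the path, CLSID and magic bytes are the ones quoted in the post.

```python
import base64
import email
import re
from email import policy

# Indicators from the post: the ListView control CLSID fixed by MS12-027, the OLE
# compound-file magic the decoded ocxstg001.mso blob starts with, and the reused path.
MSCOMCTL_CLSID = "BDD1F04B-858B-11D1-B16A-00C0F0283628"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
SUSPECT_LOCATION = "file:///C:/2673C891/Doc1.files/ocxstg001.mso"

OBJECT_RE = re.compile(r"<object[^>]*classid\s*=\s*[\"']?CLSID:" + MSCOMCTL_CLSID, re.I)
ZH_CN_RE = re.compile(r"mso-fareast-language:\s*ZH-CN", re.I)


def scan_mhtml(raw: bytes) -> dict:
    """Parse one MHTML blob with the stdlib MIME parser and report the indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        "mscomctl_object": False,     # 1. MSCOMCTL.OCX CLSID inside an <object> tag
        "fixed_mso_location": False,  # 2a. the reused C:/2673C891 Content-Location
        "mso_is_ole": False,          # 2b. ocxstg001.mso decodes to an OLE container
        "zh_cn_font_tags": False,     # 3. Chinese font/language tags (weak indicator)
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        location = str(part.get("Content-Location", ""))
        # decode=True undoes quoted-printable / base64, so "=3D" and soft line
        # breaks in the HTML part do not hide the markers from the regexes
        body = part.get_payload(decode=True) or b""
        if part.get_content_type().startswith("text/"):
            text = body.decode("latin-1")
            hits["mscomctl_object"] |= bool(OBJECT_RE.search(text))
            hits["zh_cn_font_tags"] |= bool(ZH_CN_RE.search(text))
        if location.lower().endswith("ocxstg001.mso"):
            hits["fixed_mso_location"] |= (location == SUSPECT_LOCATION)
            hits["mso_is_ole"] |= body.startswith(OLE_MAGIC)
    return hits


def is_suspicious(hits: dict) -> bool:
    """An OLE blob by itself is normal for a Word web archive (the post links a
    benign ocxstg001.mso); the vulnerable control referenced from an <object> tag
    next to that blob is what marks these carriers. Such a file belongs in a Word
    sandbox, not in the browser a file-type fingerprint would route it to."""
    return hits["mscomctl_object"] and hits["mso_is_ole"]


def build_mhtml(html_qp: str, folder: str) -> bytes:
    """Constructed two-part MHTML for the demo (no exploit, only the markers)."""
    mso_b64 = base64.b64encode(OLE_MAGIC + b"\x00" * 24).decode()
    lines = [
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; boundary="----=_NextPart_000"',
        "",
        "------=_NextPart_000",
        f"Content-Location: {folder}/Doc1.htm",
        "Content-Transfer-Encoding: quoted-printable",
        'Content-Type: text/html; charset="us-ascii"',
        "",
        html_qp,
        "",
        "------=_NextPart_000",
        f"Content-Location: {folder}/Doc1.files/ocxstg001.mso",
        "Content-Transfer-Encoding: base64",
        "Content-Type: application/x-mso",
        "",
        mso_b64,
        "",
        "------=_NextPart_000--",
        "",
    ]
    return "\n".join(lines).encode("ascii")


# Quoted-printable HTML shaped like the post's snippets ("=3D" is "=", "=\n" joins lines).
MALICIOUS_HTML = (
    "<span lang=3DEN-US style=3D'font-family:\"Times New Roman\";mso-fareast-font-family:=\n"
    "SimSun;mso-fareast-language:ZH-CN'>lure text</span>\n"
    '<span lang=3DEN-US><object classid=3D"CLSID:BDD1F04B-858B-11D1-B16A-00C0F0283628" =\n'
    'id=3DShockwaveFlash1 width=3D9 height=3D9 data=3D"Doc1.files/ocxstg001.mso"></object></span>'
)
BENIGN_HTML = "<p><span lang=3DEN-US style=3D'font-family:\"Times New Roman\"'>quarterly report</span></p>"

MALICIOUS_SAMPLE = build_mhtml(MALICIOUS_HTML, "file:///C:/2673C891")
BENIGN_SAMPLE = build_mhtml(BENIGN_HTML, "file:///C:/Users/analyst/Desktop")

if __name__ == "__main__":
    for name, blob in (("constructed malicious", MALICIOUS_SAMPLE), ("constructed benign", BENIGN_SAMPLE)):
        hits = scan_mhtml(blob)
        print(f"{name}: suspicious={is_suspicious(hits)} {hits}")
```

    The benign blob still carries an OLE ocxstg001.mso part, so the scanner only flags a file when the MSCOMCTL object tag accompanies it, mirroring the post's note that the blob alone can be benign.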


    Payload Analysis 

    I will post the email and lure screenshots, lists of created files, pcaps and traffic (if the C2 was not down), malware family names and some brief indicators. The messages will be posted from the oldest, July 30, 2013, to the newest, August 30, 2013. Not all C2s were up or responding as expected; some pcaps have only initial callbacks.

    Note: all the "victim" information you may find in the pcaps, such as IPs, the sandbox user name, and the names of documents being stolen, is staged and fake.

    ________________________________________________________________________
    #1 Gh0st - July 30, 2013 China Labor Watch-Apple.doc 

    File name and MD5:
    China Labor Watch-Apple.doc
    82644661F6639C9FCB021AD197B565F7

    Payload malware family: Gh0st gif  
    Malware online mentions:
    Alienvault
    Deepend Research malware traffic library

    Delivery
    Email attachment. Header available upon request

    Created Files:
    C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\kbdmgr.dll

    C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\kbdmgr.exe

    Links are to Virustotal:
    dserver.doc c4aefcb1c3366e0e93458809db28c118
    DW20.exe 5d2a996e66369c93f9e0bdade6ac5299  - Strings
    kbdmgr.dll 41ae059e71838e68b16b2019afc6dec5
    kbdmgr.exe 5d2a996e66369c93f9e0bdade6ac5299

    Traffic:
    Download pcap here or above with all the files
    202.85.136.181 port 110
    ASN iAdvantage Limited - 9729
    IP Geo Location Central District, 00, HK

    GET /h.gif?pid =113&v=130586214568 HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Pragma: no-cache
    User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
    Connection: Keep-Alive

    pDNS data:
    godson355.vicp.cc. A 202.85.136.181
    genniu.com. A 202.85.136.181
    www.genniu.com. A 202.85.136.181


    ________________________________________________________________________
    #2 Mongall - July 31, 2013 中央政府各機關派赴國外各地區出差人員生活費日支數額表.doc

    File name and MD5:
    中央政府各機關派赴國外各地區出差人員生活費日支數額表.doc
    Central Government Agency travel abroad personnel expenses at various regions Amount Table
    2A0BDC62EEB6ECF6783B954B20BE3DE9 16 / 46

    Delivery
    Email attachment. Header available upon request

    Payload malware family: Mongall
    Created files
    C:\WINDOWS\system32\netbridge.exe



    aa.doc d3160c603ab94a53feb18881a7917697
    DW20.exe d7dd5cda909190c6c03db5e7f8afd721  -Strings
    netbridge.exe d7dd5cda909190c6c03db5e7f8afd721

    Traffic:
    C2 is currently down - no pcap
    www.ndbssh.com
    port 5331

    GET /3000FC08000024FE0700363635353544304331303530313136300052656D6F746520504300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000070161646D696E000000000000000000000000000000000000000000000000000000000000000000000000 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
    Host: www.ndbssh.com:5331
    Cache-Control: no-cache:

    Sponsoring Registrar ............ HICHINA ZHICHENG TECHNOLOGY LTD.
    Name Server ..................... dns15.hichina.com
                                      dns16.hichina.com
    Registrant ID ................... hc477142527-cn
    Registrant Name ................. jamaal jamaal
    Registrant Organization ......... jamaal
    Registrant Address .............. beijingshi
    Registrant City ................. beijing
    Registrant Province/State ....... BJ
    Registrant Postal Code .......... 510200
    Registrant Country Code ......... CN
    Registrant Phone Number ......... +86.01085986585
    Registrant Fax .................. +86.01085986585
    Registrant Email ................



    ________________________________________________________________________
    #3 Vidgrab August 7,2013 人民力量 - 2017年行政長官普選建議.doc

    File name and MD5:
    People Power - 2017 Chief Executive by universal suffrage proposal
    人民力量 - 2017年行政長官普選建議.doc
    539A1ADCC98ECEE099BF3B42A42E9099

    Payload malware family: Vidgrab

    Malware online mentions:  http://www.symantec.com/security_response/writeup.jsp?docid=2013-072614-2434-99&tabid=2

    Delivery
    Email attachment. Header available upon request

    Created Files:

    C:\Documents and Settings\[Userprofilename]\Local Settings\Temp\DW20.exe
    C:\Documents and Settings\[Userprofilename]\Application Data\360\Live360.exe

    C:\Documents and Settings\[Userprofilename]\Application Data\temp\temp1.exe


    aa.doc  f73a8b503bd7aa9849616af3fe37c942
    DW20.exe  660709324acb88ef11f71782af28a1f0
    Live360.exe  660709324acb88ef11f71782af28a1f0
    temp1.exe     660709324acb88ef11f71782af28a1f0
    users.bin  e5ad512524b634f9eb4e2ab2f70531c8

    Traffic:
    Download pcap here or above with all the files
    222.77.70.233
    IP ASN Chinanet - 4134
    IP Geo Location Fuzhou, 07, CN

    ....3
    HTTP/1.1 301 Moved Permanently
    Location:http://windowsupdate.microsoft.com/
    Content-Type: text/html
    Connection: Keep-Alive
    <h1>Bad Request (Invalid Verb)</h1>
    .....HK|(172.16.253.130)|1067|WinXP|D|L|No|0..0....1..52..|No|V2010-v24|2184|0|3111947|0|1|.


    pDNS data:
    no record

    ________________________________________________________________________
    #4 Taidoor Aug 12, 2013 大陸紀檢組織運行揭密.doc


    File name and MD5:
    大陸紀檢組織運行揭密.doc
    Google translate makes no sense - something about discipline
    51708AE7F107FBE8B1C1F679DAFABBF7 13 / 45

    Payload malware family: Taidoor
    Malware online mentions:
    http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
    http://contagiodump.blogspot.com/2012/10/cve-2012-1535-sep9-2012-doc-data-for.html
    Deepend Research malware traffic library

    Created Files:

    ~dfds3.reg 5ef49f70a2b16eaaff0dc31a0f69c52c
    aa.doc c3c2d15604f02ba3688d5a35a7ef6531
    DW20.exe 46ef9b0f1419e26f2f37d9d3495c499f
    SysmonLog.exe  46ef9b0f1419e26f2f37d9d3495c499f
     Strings  
    Traffic:
    Download pcap here or above with all the files
    61.222.137.66
    IP Reverse Lookup ftp.hilosystems.com.tw
    IP ASN Data Communication Business Group - 3462
    IP Geo Location TW

    GET http://61.222.137.66:443/page.jsp?tq=pcudeb1161B9GF318E
    GET http://61.222.137.66:80/user.jsp?xg=arifuq1161B9GF318E

    pDNS data:
    ftp.hilosystems.com.tw. A 61.222.137.66


    ________________________________________________________________________
    #5 PlugX Aug 15, 2013 营救岗吉.doc 


    File name and MD5:
    营救岗吉.doc
    Rescue Gang Ji
    682A71EDB073760EA81241F7D701ED1D

    Payload malware family: PlugX
    Malware online mentions:
    http://nakedsecurity.sophos.com/2013/02/27/targeted-attack-nvidia-digital-signature/
    http://sophosnews.files.wordpress.com/2013/05/sophosszappanosplugxmalwarefactoryversion6-rev3.pdf
    http://www.contextis.com/files/PlugX_-_Payload_Extraction_March_2013_1.pdf
    https://www.circl.lu/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

    Created Files:

    C:\Documents and Settings\All Users\SxS\bug.log
    C:\Documents and Settings\All Users\SxS\hccutils.dll
    C:\Documents and Settings\All Users\SxS\hccutils.dll.hcc
    C:\Documents and Settings\All Users\SxS\hkcmd.exe
    C:\Documents and Settings\All Users\SxS\NvSmart.hlp

    a\Local Settings\Temp\RarSFX0\hccutils.dll
    \Local Settings\Temp\RarSFX0\hccutils.dll.hcc
    \Local Settings\Temp\word.doc




    Intel Digital Signature on hkcmd.exe
     Expires 4/23/2011
    bug.log e06eb95819c666d7a4326c79bcc24574
    DFR4.tmp d41d8cd98f00b204e9800998ecf8427e 0/47
    DW20.exe 2ff2d518313475a612f095dd863c8aea 4 / 47 - Strings 
    hccutils.dll         8682e9826cfa736f78660fe388b2b21f 3 / 47
    hccutils.dll.hcc a190aa9deabf549d1462ce058e1cc4a2
    hkcmd.exe 23f2c3dbdb65c898a11e7f4ddc598a10 0/47 Strings
    NvSmart.hlp 9fcb203a2f62acfb56be80188960c2fe 0 / 47

    word.doc         80fe8c4a0e555769c719ada476d15e15

    Traffic:
    Download pcap here or above with all the files
    113.10.246.46
    port 6000

    WHOIS Source: APNIC




    IP Address:   113.10.246.46
    Country:      Hong Kong
    Network Name: NWTBB-HK
    Owner Name:   NWT Broadband Service
    From IP:      113.10.246.0
    To IP:        113.10.246.255
    Allocated:    Yes
    Contact Name: Network Management Center
    Address:      17/F Chevalier Commercial Centre,, 8 Wang Hoi Road, Kowloon Bay,, Hong Kong.
    Email:        nmc@newworldtel.com
    Abuse Email:  abuse@newworldtel.com
    Phone:        + 852 - 2130-0120
    Fax:          + 852 - 2133 2175

    TCP    172.16.253.132:1074    113.10.246.46:6000     ESTABLISHED     3376
      C:\WINDOWS\system32\mswsock.dll
      C:\WINDOWS\system32\WS2_32.dll
      -- unknown component(s) --

      C:\WINDOWS\system32\kernel32.dll

                                                   | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
    172.16.253.132       <-> 113.10.246.46            132      9802      90      5426     222     15228

    pDNS data:
    no record

    ________________________________________________________________________
    #6 Vidgrab Aug 19, 2013 海内外民运人士策划六四25周年“重回天安门”活动(图片).doc

    File name and MD5:
    海内外民运人士策划六四25周年“重回天安门”活动(图片).doc
    25th anniversary of pro-democracy activists planning sixty-four "return to Tiananmen Square" campaign (picture).doc
    aaed8f6d19f9617311b9e7630a5d214d



    Payload malware family: Vidgrab
    Malware online mentions: 
     http://www.symantec.com/security_response/writeup.jsp?docid=2013-072614-2434-99&tabid=2
      Delivery
      Email attachment. Header available upon request

      Created Files:
      \Application Data\360\Live360.exe
      \Application Data\temp\temp1.exe

      DW20.exe 6fd868e68037040c94215566852230ab
      Live360.exe 6fd868e68037040c94215566852230ab
      temp1.exe 6fd868e68037040c94215566852230ab
      users.bin f112d0caf2b49e99657d519eca8c1819
      word.doc 14af2f439bce8a236295b0e28c59ddc8

      Traffic:
      Download pcap here or above with all the files
      113.10.246.46
      port 9325
      inetnum:        113.10.246.0 - 113.10.246.255
      netname:        NWTBB-HK
      descr:          NWT Broadband Service
      country:        HK
      admin-c:        NC315-AP
      tech-c:         KW315-AP
      status:         ASSIGNED NON-PORTABLE
      remarks:        For network abuse email <>
      mnt-irt:        IRT-NEWWORLDTEL-HK
      changed:         20101208
      mnt-by:         MAINT-HK-NEWWORLDTEL
      source:         APNIC


      pDNS data:
      no record

      ________________________________________________________________________
      #7 Surtr Aug 20, 2013 Tibetan Self-Immolator.rtf 


      File name and MD5:
      Tibetan Self-Immolator.rtf
      6DBBD689FC4DADE6953FD221473DF4F0

      Payload malware family: Surtr (Smoaler)
      Malware online mentions:
      https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/
      http://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf

      Delivery
      Email attachment.

      Created Files:
      C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
      C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\QVLoOJ_Fra.dll
      C:\Documents and Settings\[Userprofilename]\Local Settings\Temp\DW20.dll

      0bJTrD.dll 51,840 KB
      3.dll                 22,208 KB
      DELLXT.dll 29,696 KB
      mTJxm6_One.dll 61,484 KB
      QVLoOJ_Fra.dll 68,224 KB

      DW20.dll 8e187ae152c48099f715af442339c340 43 KB  - Strings
      Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
      Prod.t d9e3b52be43b06bf8004a4a2819da311 1 KB
      Proe.t dc4052397258ae1ffd61c7637a29acc5 1 KB
      3.tmp 4b319c6a7e6f30d16d8ca74bf6d4b495 40 KB


      Traffic: 
      No Pcap
      free1999.jkub.com

      pDNS data:
      no record

      ________________________________________________________________________
      #8 Vidgrab Aug 22, 2013 公民提名及提名委員會.doc
      File name and MD5:
      公民提名及提名委員會.doc
      Citizens nomination and nomination committee.doc
      BF4668C0A55903A0E4D5BA61D6B338CF
      File strings: http://contagioexchange.blogspot.com/2013/09/njrat-backdoorlv-strings-apt.html

      Payload malware family: Vidgrab

      Malware online mentions: 
       http://www.symantec.com/security_response/writeup.jsp?docid=2013-072614-2434-99&tabid=2
        Delivery
        Email attachment.

        Created Files:
        C:\Documents and Settings\[UserProfileName]\Application Data\360\Live360.exe
        C:\Documents and Settings\[UserProfileName]\Application Data\temp\temp1.exe
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\word.doc
        C:\Documents and Settings\[UserProfileName]\users.bin

        DW20.exe 588d3316d4bbfdbb25658d436f06ed96 116 KB
        Live360.exe 588d3316d4bbfdbb25658d436f06ed96 116 KB
        temp1.exe 588d3316d4bbfdbb25658d436f06ed96 116 KB
        users.bin 427c95e54c4d6062dd5cedf4cb12e348 1 KB
        word.doc 150d788d58a7b9c632cf20fecfabfab5 165 KB

        Traffic: C2s are down, no pcap

        DNS requests to:

        www.yahooip.net

         wanghao
         howah technology
         HuBeiShengWuHanShiWuHanDaXueXueShengGongYu12ChuangB605
         WuHanShi HuBeiSheng, 430070 CN
         +86.02787740588
        whthoughtful@163.com

        IP Address:   111.174.41.205
        Owner Name:   CHINANET HUBEI PROVINCE NETWORK
        Contact Name: CHINANET HB ADMIN
        Address:      8th floor of JinGuang Building, #232 of Macao Road, HanKou Wuhan Hubei Province, P.R.China
        Email:        hbadd@189.cn

        ----
        www.yahooprotect.com
        www.yahooprotect.net

         wanghao
         wuhan zhousafe co.ltd
         hubei wuhan wuhandaxue
         WuHanShi HuBeiSheng, 430070  CN
         +86.02787660801
        whthoughtful@163.com

        IP Address:   69.46.86.194
        Country:      USA - California
        Network Name: EGIHOSTING-4
        Address:      55 S. Market St., Suite 1616, San Jose


        pDNS data:



        ________________________________________________________________________
        #9 Surtr Aug 22, 2013 against Tibetan.rtf

        File name and MD5:
        against Tibetan.rtf
        FEA931812540035C9A4D0950D50DD103

        Payload malware family: Surtr (Smoaler)
        Malware online mentions:
        https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/
        http://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf

        Delivery
        Email attachment. Header available upon request

        Created Files:
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\n47eeF.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\Z6r2sv_One.dll
        C:\Documents and Settings\[Userprofilename]\Local Settings\Temp\DW20.dll

        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Exit.log
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Prod.t
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Proe.t
        deleted_files\C\Documents and Settings\[Userprofilename]\Local Settings\Temp\4.dll
        deleted_files\C\Documents and Settings\[Userprofilename]\Local Settings\Temp\4.tmp


        Name            MD5 Checksum                      Size
        4.dll                                             34,624 KB
        4.tmp           4b319c6a7e6f30d16d8ca74bf6d4b495  40 KB
        DELLXT.dll                                        35,712 KB
        DW20.dll        8e187ae152c48099f715af442339c340  43 KB
        Exit.log        7fc56270e7a70fa81a5935b72eacbe29  1 KB
        n47eeF.dll                                        61,484 KB
        Prod.t          d41d8cd98f00b204e9800998ecf8427e  0 KB
        Proe.t          d41d8cd98f00b204e9800998ecf8427e  0 KB
        Z6r2sv_One.dll                                    61,484 KB


        Traffic:
        no activity captured

        ________________________________________________________________________
        #10 8202 (TBD) Aug 24, 2013 attachment.doc
        Tibetan Parliament to Convene 6th Session from 18 – 28 September

        File name and MD5:
        6DB8AA8455DF96CBAED8803536217ECB
        attachment.doc

        Payload malware family: TBD 8202
        I plan to have a closer look at this malware as I don't recognize it. It could be (related to) the 9002 trojan.
        Delivery
        Email attachment. Header available upon request

        Created Files:
        C:\Documents and Settings\All Users\Application Data\8202u392325.log
        C:\Documents and Settings\All Users\Application Data\8202u3923pi.db
        C:\Documents and Settings\All Users\Application Data\Javame\Java\Jre\helper\103302\Adobe Flash Updated { 120433}.lnk
        C:\Documents and Settings\All Users\Application Data\Sun Orcal\Java\Jre\DATAS\SunJavaErrror.log
        C:\Documents and Settings\All Users\Application Data\Sun Orcal\Java\Jre\updateerror_2.log
        C:\Documents and Settings\All Users\Application Data\Sun Orcal\Java\Jre\updateerror_2tmp.log
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\4.tmp
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.dll

        deleted_files\C\Documents and Settings\All Users\Application Data\8202u39232d.log
        deleted_files\C\Documents and Settings\All Users\Application Data\8202u39232e.db
        deleted_files\C\Documents and Settings\All Users\Application Data\8202u39232s.db
        deleted_files\C\Documents and Settings\All Users\Application Data\Javame\Java\Jre\helper\103302\Adobe_FlashUpdate.lnk
        deleted_files\C\Documents and Settings\All Users\Application Data\len.txt
        deleted_files\C\Documents and Settings\All Users\Application Data\start.txt
        deleted_files\C\Documents and Settings\All Users\Application Data\Sun Orcal\Java\Jre\DATAS\error.log
        deleted_files\C\Documents and Settings\All Users\Application Data\Sun Orcal\Java\Jre\updateerror_2tmp.log

        Strings
        ~WINWORD e743b2c32ff43743046b0ce560abff25 599 KB
        start.txt c1d3f8cc1f46abaf2231637b5e67414a 1 KB
        len.txt db8700492269d59072aad57f54848fda 1 KB
        4.tmp 6d2c12085f0018daeb9c1a53e53fd4d1 56 KB
        updateerror_2tmp.log 60aea6d6f27cfb91f1461755e2283ffc 116 KB
        updateerror_2.log 60aea6d6f27cfb91f1461755e2283ffc 116 KB
        SunJavaErrror.log ba1e3b06c990e0c90e3a52ac7b4a42d4 36 KB
        error.log 2a4451d9989782f180df790d01f2997a 1 KB
        8202u392325.log d41d8cd98f00b204e9800998ecf8427e 0 KB
        8202u39232d.log ba1e3b06c990e0c90e3a52ac7b4a42d4 36 KB
        Adobe_FlashUpdate 8a15ca5527530c553e285805ca1dce2e 1 KB
        Adobe Flash Updated { 120433} 99a7f4ec2ea846ae5cbb0257cc0a8e20 1 KB
        DW20.dll 064ae9b451f0503982842c9f41a58053 59 KB
        8202u39232s.db a453bb1f1b5bb3f4810e38290190516c 1 KB
        8202u39232e.db 884ca4afc294779d168158496485ec3a 1 KB
        8202u3923pi.db 36e91eac9712bb3f3e1739a915b4b5b0 1 KB


        Traffic:
        Download pcap here or above with all the files

        sa.foundcloudsearch.com  
        Domain Name: FOUNDCLOUDSEARCH.COM
        Registrar URL: http://www.godaddy.com
        Registrant Name: Flsdjhfdsal dfyaldk
        Name Server: NS77.DOMAINCONTROL.COM
        Name Server: NS78.DOMAINCONTROL.COM

        IP Address:   192.200.99.194
        Country:      USA - California
        Network Name: GSI
        Owner Name:   GorillaServers, Inc.
        Allocated:    Yes
        Contact Name: GorillaServers, Inc.
        Address:      800 S Hope St, Suite B100, Los Angeles
        Email:        arin-tech@GorillaServers.com

          Proto  Local Address          Foreign Address        State           PID
          TCP    172.16.253.129:1045    192.200.99.194:80      ESTABLISHED     3892
          C:\WINDOWS\system32\mswsock.dll
          C:\WINDOWS\system32\ws2_32.dll

        ________________________________________________________________________
        #11 Vidgrab Aug 24 , 2013 judgment.doc

        File name and MD5:
        judgment.doc

        Delivery
        Email attachment. Header available upon request

        Payload malware family: Vidgrab

        Created Files:
        C:\Documents and Settings\[UserProfileName]\Application Data\360\Live360.exe
        C:\Documents and Settings\[UserProfileName]\Application Data\temp\temp1.exe
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.exe
        C:\Documents and Settings\[UserProfileName]\users.bin

        DW20.exe 6fd868e68037040c94215566852230ab 116 KB (same as above)
        Live360.exe 6fd868e68037040c94215566852230ab 116 KB
        temp1.exe 6fd868e68037040c94215566852230ab 116 KB
        users.bin 354d4b710a3f9b570471d174c38ce66a 1 KB
        word.doc 17b9d6735a39576a0a598617954d4cdb 160 KB


        Traffic:

        ....3
        HTTP/1.1 301 Moved Permanently
        Location:http://windowsupdate.microsoft.com/
        Content-Type: text/html
        Connection: Keep-Alive
        <h1>Bad Request (Invalid Verb)</h1>
        ...20130819....|(172.16.253.130)|1067|WinXP|D|L|No|0..0....2..5..|No|V2010-v24|288|0|5aff68c5|0

        113.10.246.46 
        IP Address:   113.10.246.46
        Country:      Hong Kong
        Network Name: NWTBB-HK
        Owner Name:   NWT Broadband Service
        Contact Name: Network Management Center
        Address:      17/F Chevalier Commercial Centre,, 8 Wang Hoi Road, Kowloon Bay,, Hong Kong.
        Email:        nmc@newworldtel.com


        pDNS data:
        no record

        ________________________________________________________________________
        #12 Vidgrab Aug 26, 2013 resume.doc

        File name and MD5:
        F0B821697949C713D9B17550A533ECFE
        resume.doc
        个人简历.doc ("personal résumé" in Chinese)

        Delivery
        Email attachment.

        Created Files:
        C:\Documents and Settings\[UserProfileName]\Application Data\360\Live360.exe
        C:\Documents and Settings\[UserProfileName]\Application Data\temp\temp1.exe
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.dll
        C:\Documents and Settings\[UserProfileName]\users.bin

        3.tmp 1164cf0c769f1656c235ba108874a9d6 116 KB
        Live360.exe 1164cf0c769f1656c235ba108874a9d6 116 KB
        temp1.exe 1164cf0c769f1656c235ba108874a9d6 116 KB
        users.bin dca2f9c264b782cf186a3eed5077b043 1 KB

        Traffic:
        no pcap
        DNS req for
        webposter.gicp.net

        pDNS data
        ________________________________________________________________________
        #13 Surtr (Smoaler) Aug 27, 2013

        File name and MD5:
        CTA condemns alleged sexual assault on minor girl in Mundgod.doc
        8BE76FCB0A2DA692CFD2DA0C85F2EC33

        Payload malware family: Surtr (Smoaler)

        Created Files:
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\cjwUon_One.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\leZOi1.dll
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Exit.log
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Prod.t
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Proe.t
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\B.dll
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\B.tmp

        Name MD5 Checksum Size
        Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
        Proe.t a529d1f0fa53b4326808288b2251c891 1 KB
        Prod.t c9ed72372fb6fe7c928c39f2672a52bf 1 KB
        dat9.tmp 58159b40b65d3e5446edd7e1d617c66f 5 KB
        ~WINWORD d1a75058f831f35134ad218eae5ad548 13 KB
        B.tmp 32f3ea95f8b39b1003ed138864205860 36 KB
        leZOi1.dll 20,524 KB
        DELLXT.dll 20,524 KB
        cjwUon_One.dll 20,524 KB
        B.dll 20,524 KB

        Traffic:
         no pcap

        ________________________________________________________________________
        #14 8202 TBD Aug 27, 2013

        File name and MD5:
        Regarding Double Sponsor.doc
        9B41475A88D12183048A465FFD32EBF9

        Delivery
        Email attachment.

        Payload malware family: TBD (called 8202 here, after the names of the .db files it creates)
        Malware online mentions
        • Let me know if you can ID it.
        Created Files:

        Name                           MD5 Checksum                      Size
        ~WINWORD                       25dd1a04d8d084581effea2aeb2e0011  13 KB
        start.txt                      c1d3f8cc1f46abaf2231637b5e67414a  1 KB
        len.txt                        db8700492269d59072aad57f54848fda  1 KB
        3.tmp                          6d2c12085f0018daeb9c1a53e53fd4d1  56 KB
        updateerror_2tmp.log           60aea6d6f27cfb91f1461755e2283ffc  116 KB
        updateerror_2.log              60aea6d6f27cfb91f1461755e2283ffc  116 KB
        SunJavaErrror.log              ba1e3b06c990e0c90e3a52ac7b4a42d4  36 KB
        error.log                      75c73813b6a5dad200da4837c207a549  1 KB
        8202u392325.log                d41d8cd98f00b204e9800998ecf8427e  0 KB
        8202u39232d.log                ba1e3b06c990e0c90e3a52ac7b4a42d4  36 KB
        Adobe_FlashUpdate              8a15ca5527530c553e285805ca1dce2e  1 KB
        Adobe Flash Updated { 123824}  1e22098b5fb61118a48daa780755e8cb  1 KB
        8202u39232s.db                 a453bb1f1b5bb3f4810e38290190516c  1 KB
        8202u39232e.db                 884ca4afc294779d168158496485ec3a  1 KB
        8202u3923pi.db                 36e91eac9712bb3f3e1739a915b4b5b0  1 KB

        Traffic:

        sa.foundcloudsearch.com

        Domain Name: FOUNDCLOUDSEARCH.COM
        Registrar URL: http://www.godaddy.com
        Registrant Name: Flsdjhfdsal dfyaldk
        Registrant Organization: 
        Name Server: NS77.DOMAINCONTROL.COM
        Name Server: NS78.DOMAINCONTROL.COM

        192.200.99.194
        Country:      USA - California
        Network Name: GSI
        Owner Name:   GorillaServers, Inc.
        Contact Name: GorillaServers, Inc.
        Address:      800 S Hope St, Suite B100, Los Angeles
        Email:        arin-tech@GorillaServers.com

        Download pcap here or above with all the files

        pDNS data:
        mail2.netdacco.com. A 192.200.99.194

        ________________________________________________________________________
        #15 Surtr - Smoaler Aug 27, 2013 The Great Calling.doc

        File name and MD5:
        The Great Calling.doc
        BD85FE0A7C5D15ADB57FB6B01043F4B6

        Delivery
        Email attachment. Header available upon request

        Payload malware family: Surtr (Smoaler)

        Created Files:
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\Gki33A.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\oJDc43_One.dll
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Exit.log
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Prod.t
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Proe.t
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\4.dll
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\4.tmp

        Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
        Proe.t ec1c1b989ae29e84f4652b1476076810 1 KB
        Prod.t e38ad8e5bc99862fc0d36d57f9bda656 1 KB
        ~WINWORD 25e8bc41a4e59df2c16b4ce4eda85566 13 KB
        4.tmp 32f3ea95f8b39b1003ed138864205860 36 KB
        DW20.dll 1325ec00149cd2dd9a2982769f1fa12a 39 KB
        MSComctlLib.exd d29387fc9ed9dda50d5917830e237bb0 143 KB
        MSForms.exd 25472b982a9041f3e9f585226694ae23 163 KB
        DELLXT.dll 14,080 KB
        oJDc43_One.dll 20,524 KB
        Gki33A.dll 20,524 KB
        4.dll 20,524 KB


        no traffic


        ________________________________________________________________________
        #16 Surtr - Smoaler Aug 27, 2013

        File name and MD5:
        B5EC46322334D5712ACD386622EE0F04
        Tibetan Nun Released From Jail.rtf

        Delivery
        Email attachment. Header available upon request

        Payload malware family: Surtr (Smoaler)

        Created Files:
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\HbEsg1_One.dll
        C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\LiveUpdata_Mem\kr8mZP.dll
        C:\Documents and Settings\[UserProfileName]\Local Settings\History\History.IE5\MSHist012013083120130901\index.dat
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Burn\DELLXT.dll
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Exit.log
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Prod.t
        deleted_files\C\Documents and Settings\All Users\Application Data\Microsoft\Windows\Proe.t
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\4.dll
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\4.tmp

        Proe.t d41d8cd98f00b204e9800998ecf8427e 0 KB
        Prod.t d41d8cd98f00b204e9800998ecf8427e 0 KB
        Exit.log 7fc56270e7a70fa81a5935b72eacbe29 1 KB
        ~WINWORD 968ef270dafb0e602d0e05e6ad62a2d6 27 KB
        4.tmp 4b319c6a7e6f30d16d8ca74bf6d4b495 40 KB
        DW20.dll 8e187ae152c48099f715af442339c340 43 KB
        DELLXT.dll 21,760 KB
        4.dll                 43,520 KB
        kr8mZP.dll 61,484 KB
        HbEsg1_One.dll 61,484 KB


        Traffic:
        no traffic

        ________________________________________________________________________
        #17 TBD Insta11 Aug 25, 2013 tibetTour Program.doc

        File name and MD5:
        tibetTour Program.doc
        658C55D6F92B2E8CCCCB82C6980CE2AB.txt

        Delivery
        Email attachment.

        Payload malware family: TBD Insta11 (named here after the payload file name, insta11.exe)
        Malware online mentions
        • Let me know if you ID it
        Created Files:

        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\code
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\data
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\insta11.exe
        C:\Documents and Settings\[UserProfileName]\Local Settings\Temp\word.doc
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install0.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install1.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install2.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install3.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install4.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\install5.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\kernel32.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\7zF06B6E04\kernel64.dat
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\DW20.exe
        deleted_files\C\Documents and Settings\[UserProfileName]\Local Settings\Temp\~$word.doc
        C:\WINDOWS\Temp\code
        C:\WINDOWS\Temp\data
        C:\WINDOWS\Temp\install0.dat
        C:\WINDOWS\Temp\install3.dat
        C:\WINDOWS\Temp\install4.dat
        C:\WINDOWS\Temp\kernel32.dat
        C:\WINDOWS\Temp\kernel64.dat
        C:\WINDOWS\Temp\work.dat


        Name          MD5 Checksum                      Size     VT
        data          d6d60a7689f6f73d1ceb589df97dd868  10 KB
        code          582c61c67df96c561363e14bd080093b  3 KB
        insta11.exe   5f057a03ba1b211f00af97259027ad10  24 KB    0/46 VT
        DW20.exe      d7e7ef1f41635365148a7bb6e08f56ff  125 KB   0/46 VT
        word.doc      b502500ba5198135086a25c83722f261  153 KB
        work.dat      299ab2c8a3db4a57e64d1792060e27e8  44 KB
        kernel64.dat  7e4d72e2f92298c5c29ef0db8b34fd4a  14 KB
        kernel32.dat  5213596d2d17a01444767cfece9060e2  12 KB
        install5.dat  b01bf5e4dc9c218b2c1a7b54fd1a9eaf  9 KB
        install4.dat  d7560612e4634ba498720bbf909592d9  28 KB
        install3.dat  299ab2c8a3db4a57e64d1792060e27e8  44 KB
        install2.dat  91a28843d260c8314a69f2d6b29fa3a8  5 KB
        install1.dat  ec52f53a553d1eaac48b26c8fab6a698  6 KB
        install0.dat  ceb731fbb083edf3d41d660d097ff1a9  2 KB
        index.dat     8325e4c8bab8455e924303dc2a9a8c04  32 KB


        Traffic:
        no traffic





        To be continued...



        DeepEnd Research: List of malware pcaps, samples, and indicators for the Library of Malware Traffic Patterns
        9 Aug 2013, 4:34 pm

        The library of malware traffic patterns has been popular. We found it very useful ourselves as well, and we encourage you to send your contributions. I know that at some point the spreadsheet will become unwieldy, but I personally find it the easiest way (easy sort, search, etc.).

        Currently, most of the malware described has the corresponding samples and pcaps available for download (email Mila @contagio for the password), as in the links below:
        http://bit.ly/crimesamples | http://bit.ly/crimepcaps
        http://bit.ly/aptsamples | http://bit.ly/aptpcaps

        >>>> VIEW OR DOWNLOAD "MALWARE TRAFFIC PATTERNS"   <<<<

        Email us at mila [a t ] Deependresearch.org or adimino [a t] deependresearch.org

        The current list of malware described (as of Aug. 9, 2013)

        Read more at >>> DeepEnd Research

        # | APT | CRIME and HACKTIVISM
        1 | 9002 | Adware Hotbar
        2 | 9002 POST | Andromeda
        3 | Banechant 1 | ArcomRat / Dokstormac
        4 | Banechant payload dl 2 | Ardamax keylogger
        5 | Beebus | Asprox Checkin
        6 | Beebus C2 checkin | Asprox GET list of C2s
        7 | Beebus data send | Asprox GETs spam template
        8 | Comfoo / Vinself / Mspub | Avatar Rootkit
        9 | Cookies / Cookiebag / Dalbot | Beebone downloader
        10 | Coswid | Bitcoinminer
        11 | CVE-2012-0754 SWF in DOC | Blackhole 2
        12 | CVE-2012-0779 | Blackhole v2
        13 | Depyot | Blazebot
        14 | Destory Rat / Sogu / Thoper | Carberp
        15 | Disttrack / Shamoon | Citadel
        16 | DNSWatch / Protux | Cutwail / Pushdo
        17 | Downloader BMP | Darkmegi
        18 | Einstein | Darkness DDos v8g
        19 | Einstein data send | DirtJumper DDoS
        20 | Enfal / Lurid | DNSChanger
        21 | Favorites | EK - Blackhole 2 landing
        22 | Foxy | EK Blackhole 1
        23 | Foxy Checkin | EK Neutrino
        24 | Gh0st | EK Phoenix
        25 | Gh0st ASP ver | FakeAV var (via Kuluoz - Asprox botnet)
        26 | Gh0st PHP ver | Flashback OSX
        27 | Gh0st v2000 var | GameThief
        28 | Gh0st var | Gapz C&C request
        29 | Glasses | Guntior - CN bootkit
        30 | GoogleAdC2 | Gypthoy
        31 | GoogleAdC2 2nd stage | Hiloti
        32 | Googles | HOIC DDoS
        33 | Greencat | Horst Proxy
        34 | Gtalk | Imaut
        35 | Hangover Smackdown Minapro | IRCbot
        36 | Hupigon / Graybird | JBOSS worm
        37 | icon.js - system info send | Karagany Loader
        38 | IEXPLORE Rat / C0D0S0 / Briba / Cimuz / SharkyRAT | Kuluoz.B downloader
        39 | IXESHE | Matsnu - MBR wiping ransomware
        40 | IXESHE AES | Medfos
        41 | KoreanBanker DL | Money loader
        42 | Letsgo / TabMsgSQL | Mutopy Downloader
        43 | Letsgo / TabMsgSQL downloader | Mutopy Downloader initial callback
        44 | Likseput | PassAlert
        45 | Lingbo (?) | Pony loader
        46 | Luckycat - WIMMIE | PowerLoader
        47 | LURK | Ranbyus / Triton (Spy, Banking, smart cards)
        48 | Mediana Proxy | Reedum
        49 | MiniASP | Shiz / Rohimafo DDoS
        50 | Miniduke | Srizbi
        51 | Miniflame | Stabuniq
        52 | Mirage | Sweet Orange EK
        53 | Mirage - later var | Symmi Remote File Injector
        54 | Mongal | Tbot tor
        55 | MSWab / Yayih | Tinba aka Zusy
        56 | Murcy | Urausy (Ransomware)
        57 | Netravler | USteal.D
        58 | NfLog | Vobfus
        59 | NTESSESS | Xpaj
        60 | Pitty Tiger | ZeroAccess / Sirefef
        61 | Plugx | ZeroAccess / Sirefef - Counter site checkin
        62 | PNG trojan | ZeroAccess / Sirefef ppc fraud - redirect
        63 | Poison Ivy | Zeus
        64 | Quarian | Zeus Gameover
        65 | RedOctober AuthInfo |
        66 | RedOctober Sysinfo |
        67 | RegSubDat |
        68 | RssFeeder |
        69 | Sanny / Win32.Daws |
        70 | Seasalt |
        71 | Sofacy |
        72 | Surtr 2nd Stage DL |
        73 | Surtr Initial GET |
        74 | Swami |
        75 | Sykipot / Wyksol |
        76 | Taidoor |
        77 | Taleret |
        78 | Tapaoux |
        79 | Tarsip Eclipse |
        80 | Tarsip Moon |
        81 | Variant Letsgo / TabMsgSQL downloader (comment crew) |
        82 | Vinself |
        83 | WEBC2_RAVE |
        84 | WEBC2-Bolid |
        85 | WEBC2-Clover |
        86 | WEBC2-CSON |
        87 | WEBC2-CSON Response to commands |
        88 | WEBC2-HEAD |
        89 | WEBC2-Table |
        90 | Xtreme Rat |






        Defcon 21 Archives Speaker Materials
        7 Aug 2013, 6:42 pm

        Hope it is not a copyright violation and won't cause too much hate. I know Defcon will post better and more complete data soon, but many (or most) attendees did not receive the presentation CDs, to their great sadness, because there were not enough CDs available for all. Many authors and attendees published Defcon and Blackhat presentations online as well; you can track them via Twitter.

        You can download it here for now. Check the Defcon website often; they will post it soon. The list of files of the speaker materials is below. The zip file also includes short stories. Please note that some presentations submitted for the DVD were somewhat or significantly different from what was presented. But better this than nothing, right?


        SPEAKER MATERIALS - LIST OF PRESENTATIONS



        DEFCON 21 DOWNLOAD HERE - 394MB Zip

        Las Vegas BSides 2013 - materials are here BSides Las Vegas 2013


        Abraham Kang and Dinis Cruz
        DEFCON-21-Kang-Cruz-RESTing-On-Your-Laurels-Will-Get-You-Pwned.pdf

        Alejandro Caceres
        DEFCON-21-Caceres-Massive-Attacks-With-Distributed-Computing.pdf

        Alexandre Pinto
        DEFCON-21-Pinto-Defending-Networks-Machine-Learning-WP.pdf
        DEFCON-21-Pinto-Defending-Networks-Machine-Learning.pdf

        Amber Baldet
        DEFCON-21-Baldet-Suicide-Intervention-Risk-Assessment-Tactics.pdf
         
        Andy Davis
        DEFCON-21-Davis-Revealing-Embedded-Fingerprints.pdf

        Balint Seeber
        DEFCON-21-Balint-Seeber-All-Your-RFz-Are-Belong-to-Me.pdf

        Bogdan Alecu
        DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf
        DEFCON-21-Bogdan-Alecu-Business-Logic-Flaws-in-MO.pdf

        Brendan O'Connor
        DEFCON-21-OConnor-Stalking-a-City-for-Fun-and-Frivolity.pdf

        Brian Gorenc and Jasiel Spelman
        DEFCON-21-Gorenc-Spelman-Java-Every-days-WP.pdf
        DEFCON-21-Gorenc-Spelman-Java-Every-days.pdf

        Chris John Riley
        DEFCON-21-Riley-Defense-by-Numbers.pdf

        Chris Sumner and Randall Wald
        DEFCON-21-Sumner-Wald-Prediciting-Susceptibility-To-Social-Bots-On-Twitter.pdf

        Christine Dudley
        DEFCON-21-Dudley-Privacy-In-DSRC-Connected-Vehicles.pdf

        Craig Young
        DEFCON-21-Young-Google-Skeleton-Key.pdf

        ---Extras
            DEFCON-21-Craig-Young-Android-PoC-StockView-with-SSL.apk
            DEFCON-21-Craig-Young-Android-PoC-StockView.apk
            DEFCON-21-Craig-Young-Android-PoC-TubeApp.apk
            DEFCON-21-Craig-Young-StockView-ExampleCode.java
         
        Crowley and Panel
        DEFCON-21-Crowley-Savage-Bryan-Home-Invasion-2.0-WP.pdf
        DEFCON-21-Crowley-Savage-Bryan-Home-Invasion-2.0.pdf

        |   ---Extras
        ---upnp_request_gen
                LICENSE.txt
                readme.txt
                upnp_request_gen.php
             
        Dan Griffin
        DEFCON-21-Dan-Griffin-Protecting-Data.pdf

        Daniel Chechik
        DEFCON-21-Chechik-Utilizing-Popular-Websites-for-Malicious-Purposes-Using-RDI.pdf

        Daniel Selifonov
        DEFCON-21-Selifonov-A-Password-is-Not-Enough-Why-Disk-Encryption-is-Broken.pdf

        Eric Fulton and Daniel Zolnikov
        DEFCON-21-Fulton-Zolnikov-The-Politics-of-Privacy-and-Technology.pdf

        Eric Milam
        DEFCON-21-Milam-Getting-The-Goods-With-smbexec.pdf

        Eric Robi and Michael Perklin
        DEFCON-21-Robi-Perklin-Forensic-Fails.txt

        Etemadieh and Panel
        DEFCON-21-Etemadieh-Panel-Google-TV-Secure-Boot-Exploit-GTVHacker.pdf

        Fatih Ozavci
        DEFCON-21-Ozavci-VoIP-Wars-Return-of-the-SIP.pdf

        |   ---Extras
            DEFCON-21-viproy-voipkit.tgz
         
        Flipper
        DEFCON-21-Flipper-10000-Yen.pdf

        |   ---Extras
        |   Defcon 21 - 10000 Yen Source Code.txt
        |   OpenGlider BoM.pdf
        |   OpenGlider V0.1.x_t.txt
        |   x35 coordinates.sldcrv.txt
        |
        ---OpenGlider IGES Files
             
        Franz Payer
        DEFCON-21-Payer-Exploiting-Music-Streaming-with-JavaScript.pdf

        Gregory Pickett
        DEFCON-21-Pickett-Lets-Screw-With-NMAP.pdf

        |   ---Extras
            DEFCON-21-Pickett-Lets-Screw-With-NMAP-Specifications.pdf
            DEFCON-21-Pickett-Lets-Screw-With-NMAP-Transformations.pdf
            platform.zip
            scans.zip
         
        Hunter Scott
        DEFCON-21-Scott-Security-in-Cognitive-Radio-Networks.pdf

        Jacob Thompson
        DEFCON-21-Thompson-CREAM-Cache-Rules-Evidently-Ambiguous-Misunderstood.pdf

        Jaeson Schultz
        DEFCON-21-Schultz-Examining-the-Bitsquatting-Attack-Surface-WP.pdf

        Jason Staggs
        DEFCON-21-Staggs-How-to-Hack-Your-Mini-Cooper-WP.pdf
        DEFCON-21-Staggs-How-to-Hack-Your-Mini-Cooper.pdf

        |   ---Extras
            DEFCON-21-CANClockProof-of-ConceptDemo.wmv
            DEFCON-21-CANClockSource.pde
            DEFCON-21-MINI-Cooper-Crash-Test.wmv
         
        Jim Denaro
        DEFCON-21-Denaro-How-to-Disclose-or-Sell-an-Exploit.pdf

        Joe Bialek
        DEFCON-21-Bialek-PowerPwning-Post-Exploiting-by-Overpowering-Powershell.pdf

        |   ---Extras
            DEFCON-21-Invoke-ReflectivePEInjection.ps1.txt
         
        Joe Grand
        DEFCON-21-Grand-JTAGulator.pdf

        |   ---Extras
        |   DEFCON-21-jtagulatorassembly.pdf
        |   DEFCON-21-jtagulatorblockdiagram.pdf
        |   DEFCON-21-jtagulatorbom.pdf
        |   DEFCON-21-jtagulatorschematic.pdf
        |   DEFCON-21-jtagulatortestproc.pdf
        |
        Firmware 1.1 (b9b49b3)
        ---Gerbers B
             
        John Ortiz
        DEFCON-21-Ortiz-Fast-Forensics-Using-Simple-Statistics-and-Cool-Tools.pdf

        |   ---Extras
            DEFCON-21-Ortiz-TOOLSCustom.zip
            DEFCON-21-Ortiz-TOOLSFreeDownload.zip
         
        Joseph Paul Cohen
        |   ---Extras
        |   DEFCON-21-blucat.base64
        |
        ---blucat-r50
                 
        Justin Engler and Paul Vines
        DEFCON-21-Engler-Vines-Electromechanical-PIN-Cracking-WP.pdf
        DEFCON-21-Engler-Vines-Electromechanical-PIN-Cracking.pdf

        |   ---Extras
            DEFCON-21-Codepartslistinstructions.zip
         
        Justin Hendricks
        DEFCON-21-Justin-Hendricks-So-You-Think-Your-Domain-Controller-Is-Secure.pdf

        Karl Koscher and Eric Butler
        DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards.pdf

        Lawrence and Panel
        DEFCON-21-Lawrence-Johnson-Karpman-Key-Decoding-and-Duplication-Schlage.pdf

        |   ---Extras
            DEFCON-21-config.scad
            DEFCON-21-key.scad
         
        Marc Weber Tobias and Tobias Bluzmanis
        DEFCON-21-Tobias-Bluzmanis-Insecurity-A-Failure-of-Imagination.pdf

        Marion Marschalek
        DEFCON-21-Marschalek-Thorny-Malware.pdf

        |   ---Extras
            DEFCON-21-Marschalek-MalwareBase64.txt
            DEFCON-21-Marschalek-Thorny-Malware-Analysis-Report.pdf
         
        Melissa Elliott
        DEFCON-21-Elliott-noisefloor-URLS-reference.txt

        Michael Perklin
        DEFCON-21-Perklin-ACL-Steganography.pdf.pdf

        |   ---Extras
        |   ACLEncode.sln
        |   README.txt
        |
        Michael Schrenk
        DEFCON-21-Schrenk-How-my-Botnet-Defeated-Russian-Hackers.pdf

        Ming Chow
        DEFCON-21-Chow-Abusing-NoSQL-Databases.pdf

        Neil Sikka
        DEFCON-21-Sikka-EMET-4.0-PKI-Mitigation.pdf

        Nicolas Oberli
        DEFCON-21-Oberli-Please-Insert-Inject-More-Coins.pdf

        Nikhil Mittal
        DEFCON-21-Mittal-Powerpreter-Post-Exploitation-Like-a-Boss.pdf

        |   ---Extras
            Nikhil_Mittal_Powerpreter_Code.psm1
         
        Pau Oliva Fora
        DEFCON-21-Fora-Defeating-SEAndroid.pdf

        Philip Polstra
        DEFCON-21-Polstra-We-are-Legion-Pentesting.pdf

        |   ---Extras
            DEFCON-21-Philip-Polstra-code.py.txt
            
        Phorkus and Evilrob
        DEFCON-21-Phorkus-Evilrob-Hacking-Embedded-Devices-Bad-things-to-Good-hardware.pdf

        Piotr Duszynski
        DEFCON-21-Duszynski-Cyber-Offenders.pdf

        Pukingmonkey
        DEFCON-21-Pukingmonkey-The-Road-Less-Surreptitiously-Traveled.pdf

        |   ---Extras
            01_ALPR_detector_proof_of_concept.mp4
            02_ezpass_detector_of_open_road_tolling.mp4
            03_ezpass_detector_of_hidden_reader.mp4
            04_ezpass_detector_of_hidden_reader_with_toll_tag_sensor.mp4
            DEFCON-21-05ezpassdetectortimessquaretomsgin90seconds-(1).mp4
            DEFCON-21-05ezpassdetectortimessquaretomsgin90seconds.mp4
            arduino-micro
         
        Remy Baumgarten
        DEFCON-21-Baumgarten-Mach-O-Viz-WP.pdf
        DEFCON-21-Baumgarten-Mach-O-Viz.pdf

        Richard Thieme
        DEFCON-21-Richard-Thieme-UFOs-and-Govt.pdf

        |   ---Extras
            DEFCON-21-Richard Thieme-UFOs-and-Govt-Resources.txt
         
        Ricky Hill
        DEFCON-21-Ricky-Hill-Phantom-Drone.pdf

        Robert Clark
        DEFCON-21-Clark-Legal-Aspects-of-Full-Spectrum-Computer-Network-Active-Defense.pdf

        Robert Stucke
        DEFCON-21-Stucke-DNS-Hazards.pdf

        Runa A Sandvik
        DEFCON-21-Sandvik-Safety-of-the-Tor-Network.pdf

        Ryan Holeman
        DEFCON-21-Holeman-The-Bluetooth-Device-Database.pdf

        ---Extras
        ---src
            analytics
               
        Sam Bowne
        DEFCON-21-Bowne-SSD-Data-Evap.pdf

        Sam Bowne and Matthew Prince
        DEFCON-21-Bowne-Prince-Evil-DoS-Attacks-and-Strong-Defenses.pdf

        Scott Behrens and Brent Bandelgar
        DEFCON-21-Behrens-Bandelgar-MITM-All-The-IPv6-Things.pdf

        Teal Rogers and Alejandro Caceres
        DEFCON-21-Rogers-Caceres-The-Dawn-of-Web-30.pdf

        Tom Keenan
        DEFCON-21-Tom-Keenan-Torturing-Open-Government-Systems-for-Fun.pdf

        Tom Steele and Dan Kottman
        DEFCON-21-Steele-Kottman-Collaborative-Penetration-Testing-With-Lair.pdf

        Tony Mui and Wai-leng
        DEFCON-21-Miu-Lee-Kill-em-All-DDoS-Protection-Total-Annihilation.pdf

        |   ---Extras

        Vaagn Toukharian and Tigran Gevorgyan
        DEFCON-21-Toukharian-Gevorgyan-HTTP-Time-Bandit.pdf

        Wesley McGrew
        DEFCON-21-McGrew-Pwn-The-Pwn-Plug .pdf
        DEFCON-21-McGrew-Pwn-The-Pwn-Plug-WP.pdf

        |   ---Extras
            DEFCON-21-community1.1vswireless1.1.txt
            DEFCON-21-exploitpacketpayload.dat
            DEFCON-21-originalubootenv.txt
            DEFCON-21-ubi.py
         
        WiK and Mubix
        DEFCON-21-WiK-Mubix-gitDigger.pdf

        Zak Blacher
        DEFCON-21-Blacher-Transcending-Cloud-Limitations.pdf

        |   ---Extras
            DEFCON-21-Scripted-Demo.tar
            DEFCON-21-source-Code-dpk-master.zip
         
        Zoz
        DEFCON-21-Zoz-Hacking-Driverless-Vehicles.pdf

        bughardy and Eagle1753
        DEFCON-21-bughardy-Eagle1753-OPT-circumventing-in-MIFARE-ULTRALIGHT-WP.pdf
        DEFCON-21-bughardy-Eagle1753-OPT-circumventing-in-MIFARE-ULTRALIGHT.pdf

        m0nk
        DEFCON-21-m0nk-BoutiqueKit.pdf

        soen
                DEFCON-21-soen-Evolving-Exploits-Through-Genetic-Algorithms.pdf
             
        Favicon DeepEnd Research: Under this rock... Vulnerable Wordpress/Joomla sites... Overview of the RFI botnet malware arsenal
        1 Jun 2013, 7:19 am

        Exploits directed at Wordpress and/or Joomla content management systems (CMS) have been increasing at a dramatic rate over the past year. Internet blogs and forums are flooded with posts about hacked CMS installations. Popular jargon refers to the attackers as "hackers", but it is generally understood that these mass compromises are performed with automated scanners and tools. However, we believe there is not enough coverage of the actual malware involved.

        One such infection scheme is essentially the following:

        A downloader trojan (Mutopy - Win32) (20a6ebf61243b760dd65f897236b6ad3 Virustotal) instructs the infected host to download:
        1) Remote File Injector "Symmi" (Win32) 7958f73daf4b84e3b00e008258ea2e7a Virustotal
        2) SDbot (Win32) - aaee52bfb589f6534c4b51e3b144dc08 Virustotal
        3) PHP scripts for injection into compromised Wordpress sites. Among them is a PHP spambot (victimized site owners often get alerted about copious amounts of meds and porn spam emanating from their sites). These scripts are also the source of the varied spam links: thousands of different URLs that all redirect to the same sites (e.g. weight-loss, work-at-home scams, or porn sites).

        Read more at DeepEnd Research>>>

        Download files (see below)

        Download the malware files (Email me if you need the password)
        Download the pcap files (Email me if you need the password)


        Wordpress_PHP_1FFD37807740EBCB7DAD044ACF866100_up.php 1ffd37807740ebcb7dad044acf866100
        Wordpress_PHP_5F0BB0851B3A2838C34CF21400F22A7E_copy.php 5f0bb0851b3a2838c34cf21400f22a7e
        Wordpress_PHP_7CCDCC3FF09262CAFE5DC953C0552254_seek.cgi 7ccdcc3ff09262cafe5dc953c0552254
        Wordpress_PHP_9B6D87C50B58104E204481C580E630F1_sm14e.php 9b6d87c50b58104e204481c580e630f1
        Wordpress_PHP_35DBB397351622B86E421EE8ABA095DE_fu.php 35dbb397351622b86e421ee8aba095de
        Wordpress_PHP_45B02538063124A0FECC0987410B1A65_ru.php 45b02538063124a0fecc0987410b1a65
        Wordpress_PHP_821BB092136A73EAA2CA803E6DBB658A_del.php 821bb092136a73eaa2ca803e6dbb658a

        Wordpress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe_ 20a6ebf61243b760dd65f897236b6ad3
        Wordpress_DroppedbyMutopy_93F2D4ED74F7CCBF8E41F4D9D0B3BF98_Twain002.Mtx_ 93f2d4ed74f7ccbf8e41f4d9d0b3bf98
        Wordpress_SDbot_AAEE52BFB589F6534C4B51E3B144DC08_svchost.exe_ aaee52bfb589f6534c4b51e3b144dc08
        Worpress_Symmi_7958F73DAF4B84E3B00E008258EA2E7A_conhost.exe_ 7958f73daf4b84e3b00e008258ea2e7a

        Favicon DeepEnd Research - Library of Malware Traffic Patterns
        6 May 2013, 12:17 pm

        Update May 6, 2013: We added the ability to download the corresponding samples and pcaps (when available).

        Traffic analysis has been the primary method of malware identification, and the thousands of IDS signatures developed are the daily proof. Signatures definitely help, but the ability to visually recognize malware traffic patterns and to see the trends when they change has always been an important skill for anyone tasked with network defense. The number of malware analysis blogs and papers is overwhelming, and it is difficult to keep track of malware features if you don't have access to a well designed and constantly updated malware database. This started as a "personal notes" spreadsheet of GET and POST requests for different malware families, with information from open sources. We decided others might find it useful too.

        >>  read more on DeepEnd Research

        Favicon CVE-2013-0640 samples listing
        24 Apr 2013, 6:42 am

        This is a detailed MD5 listing of the CVE-2013-0640 pdf files that were posted earlier. I got a few requests for samples that were already posted as a pack in this post (16,800 clean and 11,960 malicious files for signature testing and research). Now you can see them in all their glory below.
        I can post listings for other malware from that large post if there is need and interest.

        PDF
        MALWARE PDF NEW - 170 FILES
        MALWARE PDF PRE_04-2011_10982_files

        0CDF55626E56FFBF1B198BEB4F6ED559    report.pdf2
        151ADD98EEC006F532C635EA3FC205CE    action_plan.pdf_
        2A42BF17393C3CAAA663A6D1DADE9C93    Mandiant.pdf_
        3119ABBA449D16355CEB385FD778B525    mousikomi.pdf_
        3668B018B4BB080D1875AEE346E3650A    action_plan.pdf_
        37A9C45B78F4DEE9DA8FD8019F66005A    sample.pdf_
        3F301758AA3D5D123A9DDBAD1890853B    EUAG_report.pdf_
        6945E1FBEF586468A6D4F0C4F184AF8B    report.pdf_
        7005E9EE9F673EDAD5130B3341BF5E5F    2013-Yilliq Noruz Bayram Merikisige Teklip.pdf_
        701E3F3973E8A8A7FCEC5F8902ECBFD9    701E3F3973E8A8A7FCEC5F8902ECBFD9
        88292D7181514FDA5390292D73DA28D4    ASEM_Seminar.pdf_
        8E3B08A46502C5C4C45D3E47CEB38D5A    cc08_v143.pdf_
        9C572606A22A756A1FCC76924570E92A    pdf.pdf_
        A7C89D433F737B3FDC45B9FFBC947C4D    A7C89D433F737B3FDC45B9FFBC947C4D
        AD668992E15806812DD9A1514CFC065B    arp.pdf_
        AE52908370DCDF6C150B6E2AD3D8B11B    AE52908370DCDF6C150B6E2AD3D8B11B
        AF061F8C63CD1D4AD83DC2BF81F36AF8    readme.pdf_
        C03BCB0CDE62B3F45B4D772AB635E2B0    The 2013 Armenian Economic Association.pdf_
        D00E4AC94F1E4FF67E0E0DFCF900C1A8    ???.pdf_
        EF90F2927421D61875751A7FE3C7A131    action_plan.pdf3
        F3B9663A01A73C5ECA9D6B2A0519049E    Visaform Turkey.pdf_

        © 2014 Frêney, S.r.l. - V.A.T. ID IT03001860166