Fynloski dropper and .NET PWS (pass stealer) Analysis

September 29th, 2014 6 comments

Hey,
Again the malware sample came to me via spam camp, and caught in corporate network’s honeypot.

If you want sample: Comment and request it ;)

This time, the camp’s spread was not so wide.
In this post in detail:

  • Recognition of the Fynloski dropper
  • ..recognizing the type of protection of the dropper
  • ..some details on the dropper’s encryption scheme
  • Dumping the main malware process using OllyDbg (PWS in .NET)
  • ..analysing the stealer.. Decompilation via ILSpy
  • ..analysis of the operator’s credential encryption scheme with OllyDbg
  • ..pwning the operator’s credentials revealing victim’s logs and not only..

..Let’s go.. :)
Read more…

AutoIT Malware. A detailed analysis

September 20th, 2014 21 comments

 

This is a sample that came to my hands by a spam campaign, and caught in a corporate honeypot. Make a comment under this post with your email if you want a sample.

Sorry for some false positive AV alarms while browsing this post.. It was due to some code listings. I removed the AutoIT script, but it can be found here: https://www.dropbox.com/s/xu1ra236lx8n5dc/clean.au3?dl=0 .

~ Due to big amount of requests, I uploaded the sample here too. Pass is “malware” ~
Here is an overview of what you’re going to see in this post:

1) First malware file: .exe
- recognition of the executable’s type (WinRAR SFX)

2) Drops: update.exe + 3 files
- recognition of the dropped PE (AutoIT), and obfuscated AutoIT script
- making a custom python script of script de-obfuscation
- Clear AutoIT script analysis, methods and some thoughts about it.

3) LoadPE method (by the AutoIT script) using an encrypted drop
- making a custom script to decrypt the drop (RC2 encrypted usign CryptoAPI)
- analysis of the final malware. What data does it collect, which format, how does it send them and where.
- reveal some console log messages of the app by just changing it’s IMAGE_SUBSYSTEM byte from PE Header

..so let’s go..
Read more…

Setup Maltego Transforms on BT5r3

January 9th, 2013 2 comments

Aloha,

It’s been a while….:)

One friend of mine ask me to show him how to setup the transforms in Maltego and I said that I will create a fast screen cast . The video has no sound so you don’t have to turn on the volume ;)

Maltego is an open source intelligence and forensics application.
Read more here http://www.paterva.com/web6/products/maltego.php

Read more…

Categories: General Tags:

Microsoft, Adobe Start 2013 with Security Updates

January 9th, 2013 No comments

See on Scoop.itLatest malware information


To jumpstart the new year, both Microsoft and Adobe release their security updates today. Microsoft, in particular, releases seven bulletins to address 12 vulnerabilities while Adobe issues its fix for Adobe Reader and Acrobat.


See on blog.trendmicro.com

Categories: Uncategorized Tags:

cPanel and WHM Multiple Cross Site Scripting … – The Hacker News

January 8th, 2013 No comments

See on Scoop.itPenetration Testing
Product: Cpanel & WHM; Security-Risk: High; Remote-Exploit: yes; Vendor-URL: http://www.cpanel.net; Affected Products: Cpanel’s Latest Version; Solution: Proper input sanitisation. Discovered by: …
See on thehackernews.com

Categories: Uncategorized Tags:

So Soon? Malware Attacks on Windows 8 – Midsize Insider

January 8th, 2013 No comments

See on Scoop.itLatest malware information
So Soon? Malware Attacks on Windows 8Midsize InsiderFor Windows 8, the latest malware takes on the disguise of antivirus protection. According to the TrendMicro’s …
See on midsizeinsider.com

Categories: Uncategorized Tags:

How cyber-criminals are planning to attack in 2013 – Moneyweb.co.za

January 8th, 2013 No comments

See on Scoop.itLatest malware information

How cyber-criminals are planning to attack in 2013Moneyweb.co.zaMicrosoft’s latest operating system, along with all of its predecessors, will also suffer attacks.
See on www.moneyweb.co.za

Categories: Uncategorized Tags:

Vulnerabilities In Java And Adobe Will Be Main Targets For Cybercriminals In 2013 – Dark Reading

January 8th, 2013 No comments

See on Scoop.itLatest malware information

Vulnerabilities In Java And Adobe Will Be Main Targets For Cybercriminals In 2013 Dark Reading Windows 8: Microsoft’s latest operating system, along with all of its predecessors, will also suffer attacks.
See on www.darkreading.com

Categories: Uncategorized Tags:

Ubuntu/Backtrack: Read only filesystem fix

November 2nd, 2012 No comments

Long long time same prob with VMs..
forgot to take a snapshot, it didn’t shutdown correctly, and in next boot stucks in fsck check..
It is a huge problem having lot of ppl with VMs..
Finaly i came to a solution reading lot of forums.. I combined them to a single solution..

Most ppl say that you’ll solve your prob doing this
mount -o remount,rw /

But that didn’t work in my case..

 

I fixed my issue in the followng steps..:

- First of all, while you are in the read-only filesystem, check your boot errors with [code]dmesg |grep mount[/code]
and you may see some msg saying that it remounted your system in read-only mode (like “remount-ro”)
Remember this.. we’ll compare it to the next dmesg after following these steps:

1. Boot with a ubuntu/backtrack live iso

2. Mount the filesystem
mkdir /root/test
mount /dev/sda1 /root/test

3. And edit /etc/fstab of the mounted drive in /root/test/etc/fstab nano /root/test/etc/fstab and change to zero all counters..
Also if there is an error status writing “error=…” and “remount-ro” delete it and replace with “defaults” save the file and exit..

4. Type the following inline bash script to fix all drive errors:
for i in $(ls /dev/sd*);do e2fsck $i -C0;done

..and reboot..
After reboot check errors dmesg |grep mount
If the remount-ro message is missing, you are ok.. :p

That’s it..

[remote exploits] – Poison Ivy 2.3.2 C&C Server Buffer Overflow …

July 23rd, 2012 No comments

See on Scoop.itMetasploit
redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ##. require ‘msf/core’. class Metasploit3 < Msf::Exploit::Remote Rank = …
See on www.allinfosec.com

Categories: Uncategorized Tags: