A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13750  by rkhunter
 Wed Jun 06, 2012 4:53 am
Signed infector that was mentioned here http://www.securelist.com/en/blog/20819 ... identified
And here http://www.symantec.com/connect/blogs/w ... man-middle

MD5: 1f61d280067e2564999cac20e386041c
SHA1: d36fad73c6aeff98906008f3eb5a16812cc3188a
File size: 29928 bytes
Name: WuSetupV.exe
signers..................: MS
Microsoft LSRA PA
Microsoft Enforced Licensing Registration Authority CA
Microsoft Enforced Licensing Intermediate PCA
Microsoft Root Authority
signing date.............: 3:54 PM 12/28/2010
Certificate already was revoked and update was released:
Microsoft Security Advisory (2718704) Unauthorized Digital Certificates Could Allow Spoofing
http://technet.microsoft.com/en-us/secu ... ry/2718704
http://support.microsoft.com/kb/2718704
Attachments
pass:infected
(16.26 KiB) Downloaded 114 times
 #13753  by EP_X0FF
 Wed Jun 06, 2012 7:10 am
I hope marketing division of Kaspersky Lab finally setup addon that will make them able to attach hashes of investigated components to their articles.
 #13758  by rkhunter
 Wed Jun 06, 2012 9:14 am
EP_X0FF wrote:I hope marketing division of Kaspersky Lab finally setup addon that will make them able to attach hashes of investigated components to their articles.
seems impossible in Flamer case...
I published hashes to Gostev-article.
 #13763  by EP_X0FF
 Wed Jun 06, 2012 9:48 am
dumb110 wrote:
EP_X0FF wrote:
dumb110 wrote:Can somebody help with decryption of attached sample please..
http://www.kernelmode.info/forum/viewto ... 699#p13699
u mean they are the same?
https://www.virustotal.com/file/5f6b60f ... /analysis/
https://www.virustotal.com/file/b2c6a70 ... /analysis/
same ones?
Hash you posted is the same as hash of mscrypt file in this archive http://www.kernelmode.info/forum/viewto ... 698#p13698. Decrypted attached next. Compare two originals.
 #13770  by rkhunter
 Wed Jun 06, 2012 12:30 pm
Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider.

Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the "uninstaller".
http://www.symantec.com/connect/blogs/f ... nt-suicide
 #13773  by kareldjag/michk
 Wed Jun 06, 2012 4:26 pm
hi
Somes files hashes here (no direct link as i do not remember if it is out of the TOS
http://www.google.com/search?client=ope ... 33&bih=646
And a few http://solerablog.files.wordpress.com/2 ... hashes.png
File dump http://blog.didierstevens.com/2012/06/0 ... kb2718704/

The AV induastry have failed...but what great marketing for taking advantage of this spy toolkit...
A funny summary of the AV industry since a few years http://research.pandasecurity.com/blogs ... ikarus.jpg
A contest of MIKKO statement http://attrition.org/security/rebuttal/ ... nd_av.html
And a contest of the contest by an av evangelist http://anti-virus-rants.blogspot.ca/201 ... uttal.html

If the way to spread and exfiltrate data is interesting, armoring techniques are very soft in comparison to some recent evil rootkits.
And there can be no doubt about its goal and origin.

rgds
 #13774  by rkhunter
 Wed Jun 06, 2012 4:30 pm
kareldjag/michk wrote:hi
Somes files hashes here (no direct link as i do not remember if it is out of the TOS
http://www.google.com/search?client=ope ... 33&bih=646
And a few http://solerablog.files.wordpress.com/2 ... hashes.png
File dump http://blog.didierstevens.com/2012/06/0 ... kb2718704/
Seems nothing new...
would be great if anyone published browse32.ocx hash :!:
  • 1
  • 7
  • 8
  • 9
  • 10
  • 11
  • 14