A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #25394  by NoSense
 Thu Mar 05, 2015 9:04 am
Hi to all,
I want to share with you guys this piece of code RCEd from the Chinese APT known as "NetTraveler" or "TravNet". Hope this knowledge will somehow be useful and interesting to you. The code isn't very complicated or advanced; it is basically C code with a few C++ implementations.


Google Code project:
https://code.google.com/p/open-nettraveler/

GIT command:
git clone https://code.google.com/p/open-nettraveler/
Kaspersky reports:
http://kasperskycontenthub.com/wp-conte ... -final.pdf
http://securelist.com/blog/research/359 ... e-victims/
http://www.kaspersky.com/about/news/vir ... new_tricks

Kaspersky victims map: [image]

Malware samples:
http://www.kernelmode.info/forum/viewto ... =16&t=2757

More about CVE-2012-0158:
https://securelist.com/analysis/publica ... 8-exploit/

More about CVE-2010-3333:
http://blogs.technet.com/b/mmpc/archive ... 0-087.aspx

Good luck!
 #25435  by EP_X0FF
 Wed Mar 11, 2015 11:50 am
SomeUnusedName wrote:
// Copyright 2015 Christian Roggia. All rights reserved.
on reverse-engineered malware
Why not? I doubt even 50% of this C++ is copy-paste from IDA.