A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12767  by leeno
 Tue Apr 17, 2012 8:47 pm
m55: 3aacd24db6804515b992147924ed3811


Hi ,

sample of the Backdoor:MacOS_X/SabPab.A is attached . if any body can help me with the pcap as i lack mac vm/system
(11.48 KiB) Downloaded 49 times
 #12770  by EP_X0FF
 Wed Apr 18, 2012 2:18 am
leeno wrote:m55: 3aacd24db6804515b992147924ed3811


Hi ,

sample of the Backdoor:MacOS_X/SabPab.A is attached . if any body can help me with the pcap as i lack mac vm/system
SabPab.rar
What exactly you interested? It generates requests encrypted by something primitive (see _encode_buf_internal)

rtx556.onedumb.com is down.
 #12773  by leeno
 Wed Apr 18, 2012 5:15 am
EP_X0FF wrote:
leeno wrote:m55: 3aacd24db6804515b992147924ed3811


Hi ,

sample of the Backdoor:MacOS_X/SabPab.A is attached . if any body can help me with the pcap as i lack mac vm/system
SabPab.rar
What exactly you interested? It generates requests encrypted by something primitive (see _encode_buf_internal)

rtx556.onedumb.com is down.

Thanks Man for the information It tries following http header request but i need pcap for snort sig generation . How did you find the rtx556.onedumb.com domain

POST /update.aspx HTTP/1.1
Accept: */*
Referer: %s
Content-Type: multipart/form-data; boundary=---------------------
------%x
Accept-Encoding: base64,gzip
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3
Host: %s
Content-Length: %d
Connection: Keep-Alive
Cache-Control: no-cache
 #12774  by EP_X0FF
 Wed Apr 18, 2012 5:37 am
leeno wrote: How did you find the rtx556.onedumb.com domain
It is stored inside as encrypted base64 encoded text (e3SCNUA2Om97ZXJ1fGI+Y4Bt).