Attachments
pass:infected
(230.03 KiB) Downloaded 91 times
(230.03 KiB) Downloaded 91 times
A forum for reverse engineering, OS internals and malware analysis
HackJack wrote:New ZeroAccess InstallerThis is rootkit version. Posts moved.
https://www.virustotal.com/file/b6904f2 ... /analysis/
Peter Kleissner wrote:Attached all the possible domains for 2011/2012. I used the algorithm from the Prevx document (which dates to 7/20/2011).I don't think they are use the same algorithm in current version. Brief looking at current versions attached in this thread didn't revealed any equal to Prevx article code in both user mode and rootkit Sirefef versions. Probably it was changed long time ago and since Sirefef is growing botnet, likely number of old infected machines not so significant compared to new. Correct me if I wrong of course.
It might be interesting sinkholing it and checking how many zombies still use that DGA. Though it's kinda stupid they are using the .cn extension, difficult to register and expensive.
markusg wrote:https://www.virustotal.com/file/f0dc6e3 ... /analysis/x86 rootkit and x64 backdoor