A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7106  by shaheen
 Thu Jul 07, 2011 3:49 am
Just wondering if there is any digitally signed malware (digitally signed executables, not just drivers) in the wild. I know about Stuxnet already.

Thanks
 #9946  by EP_X0FF
 Mon Nov 28, 2011 7:04 am
markusg wrote: looks like this one is signed, in the signature details I see Comodo
Both certs are invalid and not trustworthy. It injects its payload DLL into explorer.exe and, from there, into every newly started process via a CreateProcessW hook. Due to bugs in the trojan, explorer crashes every time a new program is launched from it.

Some sensitive, self-explanatory strings from inside the sample:
KeyStore NewDomain UpLoad UpdateLoader BlockUrl BlockDomain UpdateAppConf32 MainProcess DeleteMutex SearchDomain SvUpdateLdr

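The point EP_X0FF makes above, that a file can carry a signature whose certificate chain is invalid, is easy to miss when a tool only reports "signed". The following PowerShell script is an added example, not code from the thread or from the analysed sample: it walks a directory of PE files, separates unsigned, signed-but-untrusted and validly signed binaries, and re-builds the signer's chain with online revocation checking to record why a chain fails. The directory path is a placeholder supplied by the caller.

```powershell
# Added example: triage PE files by Authenticode status (assumes Windows PowerShell 5.1+).
param(
    [Parameter(Mandatory)][string]$Path   # placeholder: directory of samples to inspect
)

function Get-SignatureVerdict {
    param([string]$File)

    $sig  = Get-AuthenticodeSignature -FilePath $File
    $cert = $sig.SignerCertificate

    # Status alone distinguishes Valid / NotSigned / NotTrusted / HashMismatch ...
    # but "signed" only means a certificate is attached, not that it is trusted.
    $verdict = switch ($sig.Status) {
        'Valid'     { 'SIGNED_TRUSTED' }
        'NotSigned' { 'UNSIGNED' }
        default     { if ($cert) { 'SIGNED_UNTRUSTED' } else { 'UNSIGNED' } }
    }

    # Rebuild the chain ourselves so the reasons for failure are recorded
    # (untrusted root, expired, revoked, not an EKU for code signing, ...).
    $chainOk = $null; $chainErrors = $null
    if ($cert) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk     = $chain.Build($cert)
        $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }

    [pscustomobject]@{
        File        = $File
        Verdict     = $verdict
        Status      = $sig.Status
        Message     = $sig.StatusMessage
        Subject     = if ($cert) { $cert.Subject }  else { $null }
        Issuer      = if ($cert) { $cert.Issuer }   else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        ChainOk     = $chainOk
        ChainErrors = $chainErrors
    }
}

# Report everything that is not cleanly signed by a trusted chain; a
# SIGNED_UNTRUSTED entry is exactly the case discussed in this thread.
Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll -File |
    ForEach-Object { Get-SignatureVerdict -File $_.FullName } |
    Where-Object  { $_.Verdict -ne 'SIGNED_TRUSTED' } |
    Format-Table File, Verdict, Status, Issuer, ChainErrors -AutoSize
```

Run it against a quarantine folder rather than live system directories, and treat a SIGNED_UNTRUSTED result with a ChainErrors value such as UntrustedRoot or Revoked as a signal to look at the binary, not as proof that it is clean.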
 #9951  by EP_X0FF
 Mon Nov 28, 2011 10:55 am
markusg wrote: what about this:
Malware BHO DLL spying on the keys pressed by the user.