A forum for reverse engineering, OS internals and malware analysis 

 #23417  by TeleZed
 Mon Jul 21, 2014 2:12 pm
Excuse me for the late answer, I had too many research projects. Now finally I had some time to revisit this.
I believe Xylitol's requirements were more or less satisfied.

Please find the two malware here:
Citadel:
https://malwr.com/analysis/Y2M4Zjc4OWE0 ... liNmI0MTY/

Atrax:
https://malwr.com/analysis/YTc4Zjg0YTM0 ... EzODM0YWQ/

MD5 (both):
1a879d77275055df2e90a180337a8afa

Size (both):
1313920 bytes

I used the hashclash project (https://code.google.com/p/hashclash/) on an Amazon c3.4xlarge instance having 16 cores for 1 day to find the collision.
Because of the way hashclash works, the sizes of the binaries are the same, although the initial sizes were different.

Many thanks to Marc Stevens for his research, for publishing his code, and for some help during the collision finding.

PS: When I uploaded the files, I incorrectly named the two malware in the filename. The one connecting to http://www.xylibox.com is the Citadel.
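Added example, not part of TeleZed's post and not hashclash code: a small verification script of the kind a reader would run on two downloaded samples to check that they are a genuine MD5 collision (same MD5, same size, different content and therefore different SHA-256) and to see which 64-byte MD5 blocks actually differ. The sample pair embedded below is constructed for illustration only and does not collide.

```python
import hashlib
import sys

MD5_BLOCK = 64  # MD5 compresses its input in 64-byte blocks


def differing_blocks(a: bytes, b: bytes) -> list:
    """Start offsets of the 64-byte blocks in which a and b differ."""
    n = max(len(a), len(b))
    return [i for i in range(0, n, MD5_BLOCK)
            if a[i:i + MD5_BLOCK] != b[i:i + MD5_BLOCK]]


def check_collision_pair(a: bytes, b: bytes) -> dict:
    """Report whether a and b form a genuine MD5 collision.

    A convincing pair has equal MD5 but different bytes; SHA-256 is
    included because it must differ for any real collision. For a
    chosen-prefix collision the differing blocks sit between an
    attacker-chosen prefix and a common suffix, so listing them shows
    where the collision blocks were placed.
    """
    md5_a, md5_b = hashlib.md5(a).hexdigest(), hashlib.md5(b).hexdigest()
    sha_a, sha_b = hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()
    return {
        "same_size": len(a) == len(b),
        "identical": a == b,
        "md5_equal": md5_a == md5_b,
        "sha256_equal": sha_a == sha_b,
        "genuine_collision": md5_a == md5_b and a != b,
        "differing_blocks": differing_blocks(a, b),
        "md5": (md5_a, md5_b),
        "sha256": (sha_a, sha_b),
    }


# Constructed sample pair (shared prefix, one differing block, shared tail).
# These do NOT collide; they only exercise the reporting logic.
SAMPLE_A = b"A" * 128 + b"X" * 64 + b"common tail"
SAMPLE_B = b"A" * 128 + b"Y" * 64 + b"common tail"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real use: python script.py file1 file2
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            report = check_collision_pair(f1.read(), f2.read())
    else:
        report = check_collision_pair(SAMPLE_A, SAMPLE_B)
    for key, value in report.items():
        print(f"{key}: {value}")
```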
 #23428  by TeleZed
 Tue Jul 22, 2014 7:44 pm
I'm sorry for the troubles I caused.

On the other hand, what do you think, are these two executables convincing enough to drop MD5?