rkhunter wrote:why? i thought everybody has same hashes and samples from maher/crysys no?EP_X0FF wrote:Hehe dr.web fails again.I'm not surprised, think you too.
A forum for reverse engineering, OS internals and malware analysis
kmd wrote:I think they got initial pack (maybe incomplete, based on crysys hashes) - created detection, and then did not even bothered to do any kind of dynamic analysis ("it is not interested" - lolwut, AV company not interested in malware, facepalm) and successfully forgot about the rest.rkhunter wrote:why? i thought everybody has same hashes and samples from maher/crysys no?EP_X0FF wrote:Hehe dr.web fails again.I'm not surprised, think you too.
In attach both dat files decrypted (if something failed - decrypt yourself, algo on previous page)
Attachments
pass: malware
(2.71 MiB) Downloaded 105 times
(2.71 MiB) Downloaded 105 times
Ring0 - the source of inspiration
ok
mscrypt contains
4 files inside. 2 well detected and 2 not so good.
1 unknown service module
1 unknown dll
rpcns4.ocx
indsvc32.ocx (c:\Projects\Jimmy\jimmydll_v2.0\JimmyForClan\Jimmy\bin\srelease\jimmydll\indsvc32.pdb)
mscrypt contains
4 files inside. 2 well detected and 2 not so good.
1 unknown service module
1 unknown dll
rpcns4.ocx
indsvc32.ocx (c:\Projects\Jimmy\jimmydll_v2.0\JimmyForClan\Jimmy\bin\srelease\jimmydll\indsvc32.pdb)
EP_X0FF wrote:In attach both dat files decryptedIn attach cutted pe.
https://www.virustotal.com/file/04c84a3 ... /analysis/
https://www.virustotal.com/file/333875e ... 338538419/
https://www.virustotal.com/file/7d2c220 ... 338538426/
https://www.virustotal.com/file/d3b0e0d ... /analysis/
Just saw, 2.piece and 3.piece with file align 0x200, last section a little more in result, so it easy for correct; does not affect to correct detection
Attachments
pass:infected
(514.5 KiB) Downloaded 91 times
(514.5 KiB) Downloaded 91 times
Last edited by rkhunter on Fri Jun 01, 2012 9:03 am, edited 1 time in total.
1.piece with hash bddbc6974eb8279613b833804eda12f9 is a service and timestamp - 2008.
As CrySys said, it patches shell32.dll in memory of infected processes and performs some manipulations with PEB (insert faked items).
Just for fun - another apocalypse from Hypponen http://www.wired.com/threatlevel/2012/0 ... rity-fail/
hi
Like Natasha Morozova with the Borodines Polovtsian Dances, it is a sexy remix of a known chorus...
Even if the size and the use of an exotic scripting language are quite unusual for such attack toolkit.
Perhaps a cyberweapon made in Israel...or perhaps not... http://hackmageddon.com/2012/05/29/isra ... ddle-east/
Legal cyberweapons already exists; the Spyworld site ( http://www.spyfiles.org/ )provides an idea of that statement, the Hackinteam from Italy sells a law enforcement Rat http://www.hackingteam.it/index.php/rem ... rol-system
The time stamp is not reliable as it can easily be faked by anti-forensics techniques and tools
http://www.anti-forensics.com/modify-nt ... -timestomp
Well...interesting in all cases...
rgds
Like Natasha Morozova with the Borodines Polovtsian Dances, it is a sexy remix of a known chorus...
Even if the size and the use of an exotic scripting language are quite unusual for such attack toolkit.
Perhaps a cyberweapon made in Israel...or perhaps not... http://hackmageddon.com/2012/05/29/isra ... ddle-east/
Legal cyberweapons already exists; the Spyworld site ( http://www.spyfiles.org/ )provides an idea of that statement, the Hackinteam from Italy sells a law enforcement Rat http://www.hackingteam.it/index.php/rem ... rol-system
The time stamp is not reliable as it can easily be faked by anti-forensics techniques and tools
http://www.anti-forensics.com/modify-nt ... -timestomp
Well...interesting in all cases...
rgds
Security? Yeah But Well: http://www.ouaismaisbon.ch/ )
rkhunter wrote:Just for fun - another apocalypse from Hypponen http://www.wired.com/threatlevel/2012/0 ... rity-fail/I seems to be missed something in time perspective. When did this guy turned into full of hysterics little girl? Is it global trend out there?
Main goal of this blahblahblah "article".
We really should have been able to do better. But we didn’t.So I have advice for author - how about start doing better right now by stopping publishing such idiotic summaries? :)
Ring0 - the source of inspiration