Several security firms recently discovered TOR-based malware on the Android platform. Having received the sample, we did some quick analysis on it.
The sample has been reported to have C&C capability using an unusual top-level domain name (.onion). This TLD is usually used by TOR. The use of the Orbot TOR client on this […]
Just a couple of days ago, we discovered a Maybank phishing kit that limits access to IP addresses from Malaysia only. The phishing kit is hosted on a server in the US. This is basically done via the .htaccess file.
Directory of C:\temp\xyz\xyz\m2u\abc
07/04/2011 12:43 PM .
07/04/2011 12:43 PM ..
27/01/2011 01:12 AM 8,701 HTACCE~1 .htaccess
26/01/2011 03:44 PM 877 acc.php
27/01/2011 04:51 PM 870 favicon.jpg
15/01/2011 09:00 AM 16,372 M2ULOG~1.PHP M2ULogin.do.php
26/08/2010 11:21 AM 14,745 MAYBAN~1.PHP Maybanksecure.php
26/08/2010 11:50 AM 14,632 RE-ACT~1.PHP re-activate.php
04/10/2010 12:44 PM 518 SSLACT~1.PHP sslactivate.php
26/01/2011 03:41 PM 572 SSLVER~1.PHP sslverify.php
27/07/2010 09:32 PM 2,530 TACREQ~1.PHP tacrequested.php
26/01/2011 03:41 PM 543 VALIDA~1.PHP validating.php
26/01/2011 03:41 PM 21,301 VERIFY~1.PHP verifydetails.php
11 File(s) 81,661 bytes
There are about 300 network addresses listed in the .htaccess file, and it makes other […]
On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which […]
I was playing with a piece of malware with Jun Yee and we came across an obfuscated string in the VB code. The malware itself was written in Microsoft Visual Basic 6. It has a feature that allows the malware to overwrite itself after execution just to make it a bit stealthier. Additionally, the virus […]
In analyzing malicious PDF documents, being able to understand the format of the object structure is definitely useful. In order to look for malicious content inside the file, we may need to go through several steps that include interpreting the PDF object structure. A PDF object is enclosed by the “obj” and “endobj” keywords. Between […]
MyCERT has developed a tool to detect and restore API addresses changed by rootkits. MyX1 SSDT Detector and Remover is part of our Malware Tracking project. Figure 1: Screenshot showing MyX1 SSDT. The application relies on two (2) files that will be used upon execution: 1. ssdt.sys is used to list all […]
Exploitation of CVE-2010-2568 requires an LNK file with a malicious DLL to cause harm. Feeling the urgency of parsing LNK files to trace any DLL present, we modified a small portion of code from the Metasploit project so that it runs independently of the Metasploit framework. The original code is here. The main […]
One of the challenges in analyzing malicious PDF documents is stream filtering. Malicious content in a PDF file is usually compressed with a stream filter, which makes analysis a bit more complicated. In a PDF document, a stream object consists of a stream dictionary, the stream keyword, a sequence of bytes, and the endstream keyword. Malicious content inside a PDF file […]
Take a look at the following phishing website. Just another phishing website? Think again. Take a look at the page source:
<table class="pageformgrid bottomspacer2" cellpadding="0" width="559">
<td width="553" height="169">
<form action="a.php" method="post">
<table id="form1:panelGrid2" class="subgrid1 registeruserform" cellpadding="0" width="322">
<td class="aaaass" width="133"></td>
<table id="pula" class="subgrid3" cellpadding="0">
The phisher is using an image instead of HTML. And YES, this technique can bypass DontPhishMe. I’ve worked on a new method to solve this problem, and now DontPhishMe v0.3.1 is able to detect this […]