TOR Based APK Trojan

Several security firms recently discovered TOR based malware on android platform. As we received the sample, we make some quick analysis on it.

The sample has been reported to have C&C capability which is using unusual top level domain name (.onion). This TLD is usually used by TOR. The use of Orbot TOR Client on this […]

From Facebook App to Botnet

MyCERT had received a couple of  reports of on a  new variant of Facebook malware spreading in the wild. It propagates through an FB application. The malware also is targetting users with messages on Facebook, which then link through to a fake Facebook photo page. The site is designed to appear that the user is […]

Forensic Challenge 2010/6 – Analyzing Malicious Portable Destructive Files is now live

Another challenge is ready to be tackled by forensic analysts, students, hackers and alike. This time, we present you with an attack vector that has become quite successful: malicious PDF files! For challenge 6 of our series (provided by Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Honeynet Project Chapter) we present you […]

Antaramuka Pengaturcaraan Aplikasi untuk VirusTotal

Virustotal telah menjadi salah sebuah tempat rujukan yang sangat berguna dalam memastikan sesebuah fail itu berbahaya atau tidak. Jika dilihat dari sisi hadapan, virustotal telah mengumpulkan antivirus-antivirus yang terkenal sebagai enjin untuk memberitahu tentang status sesebuah fail yang ingin dikesan. Ini ketara keberkesanannya dari sudut keutuhan sesebuah keputusan, yang mana, rujukan silang (cross-reference) diantara kesemua […]

(Yet Another) Quick Botnet Analysis

Botnets are network of malware-infected machines that are controlled by an adversary. Our approach to in studying this botnet is to perform active analysis by using an actual malware sample, infecting the machine and observe its activities. As we probe deeper into the network traffic collected by Wireshark, we find very detailed IRC functionality, attack […]

Update for Gallus Nov 3, 2010

Here are some of the major changes in the recent Gallus: Improved extraction of malform PDF object structure Added CAPTCHA functionality within sample submission Integrate virustotal API as ‘two-factor verification’ of sample analysis Added support for Adobe LibTIFF exploit analysis and detection If you happen to come across with error/bugs while using Gallus, feel free […]

No endstream, no endobj, no worries

In analyzing malicious PDF documents, being able to understand the format of its object structure is definitely useful. In order to look for malicious content inside the file, we might need to go through some of the process that’ll include interpreting the PDF object structure. The PDF object is enclosed with “obj” and “endobj”. Between […]

Gallus, yet another PDF analyzer (alpha)

Introducing Gallus Gallus is a web-based malware detection service specifically to extract and analyze suspected malicious PDF documents. It is a free service designed to help security researchers and public to detect exploits and extract other useful information contained in PDF documents. How Gallus Works Gallus is designed to extract and analyze the malicious components […]

From Adobe Reader exploit to Foxit Reader exploit

Today, Gallus received a PDF sample submission with md5 hash 37b98d28762ceeaa5146e2e0fc0a3fdd. Marked as malicious, I was compelled to investigate further on this sample after looking at the potential malware URL produced by Gallus report. The PDF sample contains URLDownloadToFile payload that points to hxxp://77.x.y.Z/webmail/inc/web/load.php?stat=3DWindows. Traversing the URL at hxxp://77.x.y.Z/webmail/inc/web/, I managed to retrieve the HTML […]