Thursday, May 28, 2009

bulkbin.cn - russian business network related. it may be - part 0.3

It has been found that 174.133.202.181 (bulkbin.cn) may be related to the RBN. The following screenshot shows the RBN detection rules from the updated emergingthreats.net list:



http://www.emergingthreats.net/rules/emerging-rbn.rules

Tuesday, May 26, 2009

bulkbin.cn - name server - part 0.2

The following pictures show the name server for bulkbin and others (xgguys.com...):




whois 174.133.202.178

%rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-THEPLANET-BLK-15
network:Auth-Area:174.132.0.0/15
network:Network-Name:TPIS-BLK-174-133-202-0
network:IP-Network:174.133.202.176/28
network:IP-Network-Block:174.133.202.176 - 174.133.202.191
network:Organization-Name:Anton Pershin
network:Organization-City:Moscow
network:Organization-State:vv
network:Organization-Zip:127254
network:Organization-Country:RUS
network:Description-Usage:customer
network:Server-Pri:ns1.theplanet.com
network:Server-Sec:ns2.theplanet.com
network:Tech-Contact;I:abuse@theplanet.com
network:Admin-Contact;I:abuse@theplanet.com
network:Created:20080623
network:Updated:20080624

%ok

generic unpacking of self-modifying, aggressive, packed binary programs

a good paper from Piotr Bania
http://piotrbania.com/all/articles/pbania-dbi-unpacking2009.pdf

From the paper the following excellent malware analysis web site was found:
https://aerie.cs.berkeley.edu

Sunday, May 24, 2009

bulkbin.cn - strange AS - part 0.1

Hi there,

looking around, some URLs related to bulkbin.cn were found.

The following malicious URLs were found (replace \ with / if you are interested):

http:\\azure.rr.nu\
http:\\adolas.passingg.as\
http:\\cemuryje.byinter.net\
http:\\costens.byinter.net\
http:\\colifit.redirect.hm\

The URLs above have one thing in common: a JavaScript redirector.

Specifically, for each URL the following lists the name of the JavaScript redirector, an excerpt of the array that holds the encoded HTML, and the key needed to recover the clear HTML:

http:\\azure.rr.nu\
javascript redirector:
yfoqklmcoxthgybyu.js
abstract of array that contains HTML redirector:
var str = ["206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "206", "211", "224", "138", "221", "222", "227", "214", "207", "167", "140", "217", "224", "207", "220", "208", "214", "217", "225", "164", "203", "223", "222", "217", "165", "138", "210", "207", "211", "209", "210", "222", "164", "138", "155", "218", "226", "165", "138", "225", "211", "206", "222", "210", "164", "138", "160", "154", "154", "218", "226", "165", "140", "168", "145", "147", "165", "119", "116", "206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "222", "203", "204", "214", "207", "138", "225", "211", "206", "222", "210", "167", "140", "155", "154", "154", "143", "140", "168", "145", "147", "165", "119", "116", "206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "222", "220", "168", "145", "147", "165", "119", "116", "206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "222", "206", "138", "211", "206", "167", "140", "208", "211", "220", "221", "222", "140", "168", "190", "210", "211", "221", "138", "211", "221"....
decoder key:
ss = str[i] - 106;

http:\\adolas.passingg.as\
javascript redirector:
tqewcmvdltvtunbrozlo.js
abstract of array that contains HTML redirector:
var str = ["713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "713", "718", "731", "645", "728", "729", "734", "721", "714", "674", "647", "724", "731", "714", "727", "715", "721", "724", "732", "671", "710", "730", "729", "724", "672", "645", "717", "714", "718", "716", "717", "729", "671", "645", "662", "725", "733", "672", "645", "732", "718", "713", "729", "717", "671", "645", "667", "661", "661", "725", "733", "672", "647", "675", "652", "654", "672", "626", "623", "713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "729", "710", "711", "721", "714", "645", "732", "718", "713", "729", "717", "674", "647", "662", "661", "661", "650", "647", "675", "652", "654", "672", "626", "623", "713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "729", "727", "675", "652", "654", "672", "626", "623", "713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "729", "713", "645", "718", "713", "674", "647", "715", "718", "727", "728", "729", "647", "675", "697", "717", "718", "728", "645", "718", "728",....
decoder key:
ss = str[i] - 613;

http:\\cemuryje.byinter.net\
javascript redirector:
iddcvesism.js
abstract of array that contains HTML redirector:
var str = ["558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "558", "563", "576", "490", "573", "574", "579", "566", "559", "519", "492", "569", "576", "559", "572", "560", "566", "569", "577", "516", "555", "575", "574", "569", "517", "490", "562", "559", "563", "561", "562", "574", "516", "490", "507", "570", "578", "517", "490", "577", "563", "558", "574", "562", "516", "490", "512", "506", "506", "570", "578", "517", "492", "520", "497", "499", "517", "471", "468", "558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "574", "555", "556", "566", "559", "490", "577", "563", "558", "574", "562", "519", "492", "507", "506", "506", "495", "492", "520", "497", "499", "517", "471", "468", "558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "574", "572", "520", "497", "499", "517", "471", "468", "558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "574", "558", "490", "563", "558", "519", "492", "560", "563", "572", "573", "574", "492", "520", "542", "562", "563", "573", "490", "563", "573",
decoder key:
ss = str[i] - 458;

http:\\costens.byinter.net\
javascript redirector:
dmozgpkfxiusbwf.js
abstract of array that contains HTML redirector:
var str = ["990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "990", "995", "1008", "922", "1005", "1006", "1011", "998", "991", "951", "924", "1001", "1008", "991", "1004", "992", "998", "1001", "1009", "948", "987", "1007", "1006", "1001", "949", "922", "994", "991", "995", "993", "994", "1006", "948", "922", "939", "1002", "1010", "949", "922", "1009", "995", "990", "1006", "994", "948", "922", "944", "938", "938", "1002", "1010", "949", "924", "952", "929", "931", "949", "903", "900", "990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "1006", "987", "988", "998", "991", "922", "1009", "995", "990", "1006", "994", "951", "924", "939", "938", "938", "927", "924", "952", "929", "931", "949", "903", "900", "990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "1006", "1004", "952", "929", "931", "949", "903", "900", "990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "1006", "990", ...
decoder key:
ss = str[i] - 890;

http:\\colifit.redirect.hm\
javascript redirector:
cajhrwljjnwerpvjrriw.js
abstract of array that contains HTML redirector:
var str = ["882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "882", "887", "900", "814", "897", "898", "903", "890", "883", "843", "816", "893", "900", "883", "896", "884", "890", "893", "901", "840", "879", "899", "898", "893", "841", "814", "886", "883", "887", "885", "886", "898", "840", "814", "831", "894", "902", "841", "814", "901", "887", "882", "898", "886", "840", "814", "836", "830", "830", "894", "902", "841", "816", "844", "821", "823", "841", "795", "792", "882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "898", "879", "880", "890", "883", "814", "901", "887", "882", "898", "886", "843", "816", "831", "830", "830", "819", "816", "844", "821", "823", "841", "795", "792", "882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "898", "896", "844", "821", "823", "841", "795", "792", "882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "898", "882", "814", "887", "882", "843", "816", "884", "887", "896", "897", "898", "816", "844", "866", "886", "887", "897",
decoder key:
ss = str[i] - 782;
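All five redirectors use the same scheme: every array element is a character code shifted by a per-site constant, and "ss = str[i] - key" undoes the shift. The following is an added example (my own code, not part of the original post or of the redirector scripts) that recovers the key automatically and decodes the array; the embedded arrays are the first values of the azure.rr.nu and adolas.passingg.as excerpts quoted above, and the assumption that the clear text starts with "document.write" is taken from the decoded output shown below. It generalizes the page's five hand-derived keys to any excerpt of this kind.

```python
import re

# Excerpts of the "var str = [...]" arrays quoted above (first values only; the
# real arrays are longer). Each value is a character code shifted by a per-site key.
AZURE_RR_NU = '''var str = ["206", "217", "205", "223", "215", "207", "216", "222", "152",
"225", "220", "211", "222", "207", "146", "145", "166", "206", "211", "224", "138", "221",
"222", "227", "214", "207", "167", "140", "217", "224", "207", "220", "208", "214", "217",
"225", "164", "203", "223", "222", "217", "165", "138", "210", "207", "211", "209", "210",
"222", "164", "138", "155", "218", "226", "165", "138", "225", "211", "206", "222", "210",
"164", "138", "160", "154", "154", "218", "226", "165", "140", "168", "145", "147", "165",
"119", "116"];'''
ADOLAS_PASSINGG_AS = '''var str = ["713", "724", "712", "730", "722", "714", "723", "729",
"659", "732", "727", "718", "729", "714", "653", "652", "673"];'''


def extract_values(js_source):
    """Pull the quoted decimal values out of a 'var str = [...]' statement.
    Falls back to scanning the whole text, since the page's excerpts are truncated."""
    match = re.search(r'var\s+str\s*=\s*\[(.*?)\]', js_source, re.S)
    body = match.group(1) if match else js_source
    return [int(v) for v in re.findall(r'"(\d+)"', body)]


def decode(values, key):
    """The page's decoder loop: ss = str[i] - key, each result taken as a char code."""
    return "".join(chr(v - key) for v in values)


def looks_like_text(text):
    """True when every decoded char is printable ASCII or CR/LF/TAB: the sanity
    check that tells a right key from a wrong one."""
    return all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)


def recover_key(values, crib="document.write"):
    """Brute-force the subtraction key. Every sample on the page decodes to a
    document.write(...) call (assumption: the crib), so the key is the one that
    turns the first values into that crib. Keys above the smallest code would give
    negative char codes, so the search stops there."""
    head = values[:len(crib)]
    if len(head) < len(crib):
        return None
    for key in range(0, min(head) + 1):
        if decode(head, key) == crib:
            return key
    return None


def decode_redirector(js_source, crib="document.write"):
    """Return (key, clear_html) for a redirector excerpt, or (None, None) when the
    crib never matches (a different encoding scheme, or an array cut too short)."""
    values = extract_values(js_source)
    key = recover_key(values, crib)
    if key is None:
        return None, None
    return key, decode(values, key)


if __name__ == "__main__":
    for name, sample in (("azure.rr.nu", AZURE_RR_NU), ("adolas.passingg.as", ADOLAS_PASSINGG_AS)):
        key, html = decode_redirector(sample)
        print("%s: key=%s clean=%s" % (name, key, looks_like_text(html)))
        print(html)
```

Run as is it prints key 106 for the first excerpt and 613 for the second, matching the keys listed above; feeding it the full arrays gives the complete HTML redirector. The "document.write" crib is the only site-specific assumption, and looks_like_text is the check to apply when a candidate key decodes the crib but the rest of the output is garbage.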

The following screenshot shows the full decoded HTML redirector, which is common to all of the URLs above:



As shown, there is a spreading web site based on (IMHO) a fake CGI script. Trying with Malzilla to retrieve the malicious URL using only one "CGI" parameter, another redirection stage was discovered:



Making the HTTP GET request to simulate the redirection to the URL http:\\agentival.info\scan\download.php?said=10&ver=1.0.6, a suspicious "install.exe" file appears.

From my submission to ThreatExpert there wasn't any info about the binary:

http://www.threatexpert.com/report.aspx?md5=14077ad65fc28afa12b0f1b13c373f96

Only McAfee recognizes the binary, as "new malware".

A first look at it with IDA shows some URLs:



The IP address 174.133.202.181 is the DNS A record for bulkbin.cn.

Some net info:

robtex response for 174.133.202.181:



robtex response for bulkbin.cn:


"AS? ???"


whois xgguy.com.theplanet.host ?
The "AS?" may be generated for the following reason:
the existence within the DNS records of a host that resolves only "in zone", like xgguy.com.theplanet.host.

A strange behaviour is the following:
the only AS (AS21844) detected in the picture above for the 24th of April 2009 was linked to the rest of the world in this manner:




While on the 6th of May 2009 there was a route withdrawal from all the others, so:



Some notes:
- I know that this may depend on a misconfiguration or on a leak in the routing source data used by BGPlay.
- AS21844 THEPLANET-AS2 ThePlanet.com Internet Services, Inc. may be a backup AS.

Feedback is welcome.

Friday, May 22, 2009

an irc server - part 0.1

Hi there,
during survey activities the following IRC server was found:

main.updateserver.cn (67.202.89.34)

Searching with Google, the only information about it is from threatexpert.com:
http://www.threatexpert.com/report.aspx?md5=f699946ecde2c669adfbbaf4f019fc03
It seems related to Pushbot.

The following mIRC screenshots show the IRC server banner:




whois:

$ whois 67.202.89.34

OrgName: NoZone, Inc.
OrgID: NOZON
Address: 350 E. Cermak Rd.
Address: Suite 240
City: Chicago
StateProv: IL
PostalCode: 60616
Country: US
ReferralServer: rwhois://rwhois.steadfast.net:4321
NetRange: 67.202.64.0 - 67.202.127.255
CIDR: 67.202.64.0/18
OriginAS: AS32748
NetName: STEADFAST-3
NetHandle: NET-67-202-64-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.STEADFAST.NET
NameServer: NS2.STEADFAST.NET
NameServer: NS3.STEADFAST.NET
NameServer: NS4.STEADFAST.NET
Comment: Please submit all reports of abuse to
Comment: abuse@steadfast.net. Reports sent to other
Comment: addresses will not be processed.
RegDate: 2007-08-09
Updated: 2008-07-15
RAbuseHandle: ABUSE959-ARIN
RAbuseName: Steadfast Networks Abuse Department
RAbusePhone: +1-312-602-2689
RAbuseEmail: abuse@steadfast.net
RNOCHandle: NOG3-ARIN
RNOCName: Steadfast Networks Network Operations Center
RNOCPhone: +1-312-602-2689
RNOCEmail: noc@steadfast.net
RTechHandle: NOG3-ARIN
RTechName: Steadfast Networks Network Operations Center
RTechPhone: +1-312-602-2689
RTechEmail: noc@steadfast.net
OrgAbuseHandle: ABUSE959-ARIN
OrgAbuseName: Steadfast Networks Abuse Department
OrgAbusePhone: +1-312-602-2689
OrgAbuseEmail: abuse@steadfast.net
OrgNOCHandle: NOG3-ARIN
OrgNOCName: Steadfast Networks Network Operations Center
OrgNOCPhone: +1-312-602-2689
OrgNOCEmail: noc@steadfast.net
OrgTechHandle: NOG3-ARIN
OrgTechName: Steadfast Networks Network Operations Center
OrgTechPhone: +1-312-602-2689
OrgTechEmail: noc@steadfast.net
# ARIN WHOIS database, last updated 2009-05-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Found a referral to rwhois.steadfast.net:4321.
%rwhois V-1.0,V-1.5:00090h:00 manage.steadfast.net (Ubersmith RWhois Server V-1.0)
autharea=67.202.64.0/18
xautharea=67.202.64.0/18
network:Class-Name:network
network:Auth-Area:67.202.64.0/18
network:ID:NET-3622.67.202.88.0/22
network:Network-Name:IP Pool
network:IP-Network:67.202.88.0/22
network:IP-Network-Block:67.202.88.0 - 67.202.91.255
network:Org-Name:Verity LLC
network:Street-Address:8622 Merlin Dr.
network:City:Houston
network:State:TX
network:Postal-Code:77055
network:Country-Code:US
network:Tech-Contact:MAINT-3622.67.202.88.0/22
network:Created:20080714202141000
network:Updated:20080714202141000
network:Updated-By:admin@steadfast.net
network:POC-Name:Steadfast Networks
network:POC-Email:admin@steadfast.net
network:POC-Phone:312-602-2689
network:Tech-Name:Steadfast Networks
network:Tech-Email:admin@steadfast.net
network:Tech-Phone:312-602-2689


Cymru whois:

AS |IP |BGPPrefix |CC |Allocated|ASName
32748 |67.202.89.34 |67.202.64.0/19 |US |2007-08-09|STEADFAST-NoZone,Inc.

Thursday, May 21, 2009

another approach - trying to analyze mebroot (torpig) - part 0.6

Starting from 0x53d03e99cfbfaa0df3695c27b2b5f364, a pedantic (IMHO) anti-debugging technique was detected. Specifically, in this case the authors have used a pushf/popf trick. Since the pushf/popf anti-debugging technique seems to require writing a custom exception handler for handling the ONE_STEP exception, and since I don't want to use this approach for a trojan that is already fully documented on the net, I decided to start with classical analysis tools such as Filemon (sysinternals.com). The following screenshots show the creation of two files (one .exe and one .dll) named 31.tmp and 32.tmp:


creation of 31.tmp (.exe component)
md5: 0x4c57e1af6d0dff3a64c3f31a1646fb2a

http://www.threatexpert.com/report.aspx?md5=4c57e1af6d0dff3a64c3f31a1646fb2a



creation of 32.tmp (.dll component)
md5: 0xfee2385af796a198a7822ad7d0d7ad88
http://www.threatexpert.com/report.aspx?md5=fee2385af796a198a7822ad7d0d7ad88


During the analysis with Filemon, it was shown that the .exe component (created and launched by the spreader) drops the .dll component. The DLL, as usual, is loaded by svchost.exe.



gumblar.cn and martuz.cn are dead

robtex for gumblar.cn:



robtex for martuz.cn:



Wednesday, May 20, 2009

afcore - trying to analyze coreflood - part 0

md5:0x9054ce104254794fb0511d18bbe40ef5

VirusTotal:
http://www.virustotal.com/reanalisis.html?caf6f942e79dcaea76c2792959d52768

ThreatExpert:
http://www.threatexpert.com/report.aspx?md5=9054ce104254794fb0511d18bbe40ef5


Some net related info:

The ThreatExpert analysis detected HTTP requests for the following URL:
http://secure.termobite.ws/forum/f7810f/44513dd/7c2891f/4/22b332c


robtex:

whois:



netcraft:


Some notes:

At this time the URL appears to be no longer active. Searching with Google, the URL seems to have been active since 2008 and is present in some reports about other afcore variants.

Carrying out some tests using the URL, a redirection was identified, as shown in the following (note that the behaviour is the same for a browser, wget and curl: the user-agent is not important):

$ wget http://secure.termobite.ws/forum/

--xx:xx:xx-- http://secure.termobite.ws/forum
=> `forum'
Resolving secure.termobite.ws... 209.85.100.7
Connecting to secure.termobite.ws|209.85.100.7|:80..
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://node3.border.znet/forum/ [following
--xx:xx:xx-- http://node3.border.znet/forum/
=> `index.html'
Resolving node3.border.znet... failed: Unknown host.

Is node3.border.znet an "internal" Coreflood node? Playing with the domain name and TLD, the following was found: node3.border.znet obviously doesn't exist, but node3.borderz.net does. So what about it?

An HTTP GET request for node3.borderz.net redirects to the following web site:
http://sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark

The log of wget:

$ wget node3.borderz.net
--xx:xx:xx-- http://node3.borderz.net/
=> `index.html'
Resolving node3.borderz.net... 82.98.86.177
Connecting to node3.borderz.net|82.98.86.177|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark [following]
--xx:xx:xx-- http://sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark
=> `registrar.php@domain=borderz.net&registrar=sedopark'
Resolving sedoparking.com... 82.98.86.180
Connecting to sedoparking.com|82.98.86.180|:80... connected.
HTTP request sent, awaiting response... 200 OK
Cookie coming from sedoparking.com attempted to set domain to borderz.net
Length: unspecified [text/html]

[ <=> ] 81,810 53.44K/s

xx:xx:xx (53.34 KB/s) - `registrar.php@domain=borderz.net&registrar=sedopark' saved [81810]
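The two wget sessions above show why it pays to follow a redirect chain one hop at a time rather than letting the client do it: the interesting fact is the Location header pointing at a host that never resolves. The following is an added example (my own code, not part of the original post) of a hop-by-hop tracer that records each status and Location and reports DNS failures and loops as distinct outcomes. The RECORDED table is a constructed offline replay of the two wget logs above, so the script runs without touching secure.termobite.ws; replacing replay_fetch with http_fetch runs it live.

```python
import http.client
import socket
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def http_fetch(url, timeout=10):
    """One GET that does NOT follow redirects; returns (status, Location header or None).
    DNS is resolved explicitly first so that an unresolvable host (the node3.border.znet
    case) surfaces as socket.gaierror instead of a generic connection error."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    socket.gethostbyname(parts.hostname)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"User-Agent": "Wget/1.11"})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, fetch=http_fetch, max_hops=10):
    """Walk the redirect chain one hop at a time. Each hop is (url, status, location);
    status is an int, or 'dns-failure' / 'loop' when the chain cannot continue."""
    chain, seen = [], set()
    while len(chain) < max_hops:
        if url in seen:
            chain.append((url, "loop", None))
            break
        seen.add(url)
        try:
            status, location = fetch(url)
        except socket.gaierror:
            chain.append((url, "dns-failure", None))
            break
        chain.append((url, status, location))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # Location may be relative to the current URL
    return chain


def dead_hops(chain):
    """Hosts in the chain that never resolved: the 'internal node' candidates."""
    return [urlsplit(u).hostname for u, status, _ in chain if status == "dns-failure"]


# Constructed offline fixture replaying the two wget sessions quoted above.
RECORDED = {
    "http://secure.termobite.ws/forum/": (301, "http://node3.border.znet/forum/"),
    "http://node3.borderz.net/": (302, "http://sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark"),
    "http://sedoparking.com/search/registrar.php?domain=borderz.net&registrar=sedopark": (200, None),
}


def replay_fetch(url):
    """Stand-in for http_fetch: anything not in the recording (node3.border.znet) fails DNS."""
    if url not in RECORDED:
        raise socket.gaierror(-2, "Name or service not known")
    return RECORDED[url]


if __name__ == "__main__":
    for start in ("http://secure.termobite.ws/forum/", "http://node3.borderz.net/"):
        chain = trace_redirects(start, fetch=replay_fetch)
        for hop in chain:
            print(hop)
        print("unresolvable hosts:", dead_hops(chain))
```

For the first start URL the chain stops at node3.border.znet with a DNS failure, for the second it ends with the 200 from sedoparking.com; a client that follows redirects silently (a browser, or wget without -S) would show only the final page, or the failure, and lose the intermediate hostname that makes the comparison with node3.borderz.net possible.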

sedoparking.com\search\registrar.php?domain=borderz.net&registrar=sedopark




Is Coreflood related to financial stuff? YES.
In the screenshot above we can see scam links about financial services.

Too many strange coincidences. But it may be a coincidence and nothing more.

Feedback is welcome.

Thursday, May 14, 2009

first look - trying to analyze mebroot (torpig) - part 0.5

My submission to threatexpert.com for md5: 0x53d03e99cfbfaa0df3695c27b2b5f364 (sinowal/mebroot and, I hope, torpig related):
http://www.threatexpert.com/report.aspx?md5=53d03e99cfbfaa0df3695c27b2b5f364

How virustotal.com detects 0x53d03e99cfbfaa0df3695c27b2b5f364:
http://www.virustotal.com/analisis/65ccef31523490ed798110dab5bf884e

What ArmInline shows for 0x53d03e99cfbfaa0df3695c27b2b5f364 run under OllyDbg:




It seems packed, but not with UPX. Armadillo or something similar may have been used. As shown, there are a lot of int 3 instructions (usually a marker of an anti-debugging technique).

got it ? - trying to analyze mebroot (torpig) - part 0.4

It was discovered by using an alias for mebroot (sinowal) as the search keyword.
So, trying to retrieve one of the latest samples, the following was discovered:

md5: 0xba1f006b05e898c0e4a61458cd981870
or
md5: 0x53d03e99cfbfaa0df3695c27b2b5f364

URL:hxxp://----------.----/cgi-bin/index.cgi?ECVCEzzEZzZZsZrZZMzClEkuuMZEZZZZZZZZZMMkVkuukZZZZzZkZlZZZZZZZZzOZ

At this time the URL, like a fast bulk place, doesn't provide anything.

Feedback is welcome.

Wednesday, May 13, 2009

AS whois (cymru whois service) script

This is a simple POC bash script for retrieving AS info (ASN and prefix) from the Team Cymru whois service for a given IP address. It is meant to work in a separate folder, and the input file is a simple IP address list. For each IP, the script creates a separate file (named after the IP) and a single global log file where all the responses are saved.

So for faster and better use, follow these steps:

- create a directory
- create a file that contains your activity ip addresses
- copy the script and ip list within the directory
- run the script
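The script itself is only visible in the screenshot, so here is an added example of the same idea (my own code, written in Python rather than bash; it is not the author's script). It assumes the Team Cymru bulk interface on whois.cymru.com port 43 ("begin", "verbose", one IP per line, "end"), sends the whole list in one session instead of one whois call per IP, and writes the same layout as described above: one file per IP plus one global log. SAMPLE_RESPONSE is the Cymru answer for 67.202.89.34 quoted in the IRC server post below, used here as an offline sample.

```python
import os
import socket

CYMRU_HOST, CYMRU_PORT = "whois.cymru.com", 43


def cymru_bulk_query(ips, host=CYMRU_HOST, port=CYMRU_PORT, timeout=30):
    """One TCP session on the whois port carrying a bulk request:
    'begin', 'verbose', one IP per line, 'end'. Returns the raw response text."""
    request = "begin\nverbose\n" + "\n".join(ips) + "\nend\n"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_cymru(text):
    """Turn pipe-delimited response lines into dicts. Handles the 6-column layout
    quoted on this page and the 7-column verbose layout (which adds a Registry
    column); the header line and error lines are skipped, 'NA' becomes asn=None."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 6 or fields[0].upper() == "AS":
            continue
        records.append({
            "asn": int(fields[0]) if fields[0].isdigit() else None,  # 'NA' = not announced
            "ip": fields[1],
            "prefix": fields[2],
            "cc": fields[3],
            "allocated": fields[-2],
            "as_name": fields[-1],
        })
    return records


def lookup_ips(ips, query=cymru_bulk_query):
    """Map each requested IP to its parsed record, or None when the service returned
    no line for it, so 'not answered' stays distinct from 'not announced'."""
    by_ip = {r["ip"]: r for r in parse_cymru(query(list(ips)))}
    return {ip: by_ip.get(ip) for ip in ips}


def write_results(results, out_dir, log_path):
    """The layout described above: one file per IP plus one global log."""
    os.makedirs(out_dir, exist_ok=True)
    with open(log_path, "a", encoding="utf-8") as log:
        for ip, rec in results.items():
            line = ("%s|AS%s|%s|%s|%s" % (ip, rec["asn"], rec["prefix"], rec["cc"], rec["as_name"])
                    if rec else "%s|no answer" % ip)
            with open(os.path.join(out_dir, ip + ".txt"), "w", encoding="utf-8") as f:
                f.write(line + "\n")
            log.write(line + "\n")


def read_ip_list(path):
    """One IP per line; blank lines and '#' comments are ignored."""
    with open(path, encoding="utf-8") as f:
        return [l.strip() for l in f if l.strip() and not l.startswith("#")]


# Constructed offline sample: the Team Cymru answer for 67.202.89.34 quoted on this page.
SAMPLE_RESPONSE = """AS |IP |BGPPrefix |CC |Allocated|ASName
32748 |67.202.89.34 |67.202.64.0/19 |US |2007-08-09|STEADFAST-NoZone,Inc.
"""

if __name__ == "__main__":
    import sys
    ips = read_ip_list(sys.argv[1]) if len(sys.argv) > 1 else ["67.202.89.34"]
    results = lookup_ips(ips)  # live query: needs network access to whois.cymru.com
    write_results(results, "cymru-out", "cymru-all.log")
    for ip, rec in results.items():
        print(ip, rec)
```

Usage: python3 cymru_lookup.py ips.txt from the working directory, which leaves cymru-out/<ip>.txt per address and cymru-all.log for the whole run. Batching the list into one session is also kinder to the service than a whois process per address.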



Output example:





Monday, May 11, 2009

a "capture-server" night - a different night without IDA

This is the first step of the installation of the Capture client/server project by the HPC project. Thank you very much to the "security watch" owner for his suggestions.

After a couple of hours spent installing and finding the needed stuff, it is time for "yet another" screenshot:




Behind the scenes, a good starting guide for installing and using the HPC Capture Server: http://www.emre.de/wiki/Capture-HPC

Sunday, May 10, 2009

still attempting to retrieve binaries - trying to analyze mebroot (torpig) - part 0.3

I'm still searching for a URL with some sort of binary to analyze. I'm evaluating looking for another URL to get mebroot binaries. From the URL reported by malwaredomainlist.com I can't get anything other than strange URLs.
I got a Symantec report related to 15min.it where URLs for downloading binaries are shown. But they seem to be no longer available.

http://safeweb.norton.com/report/show?name=15min.it

Feedback is welcome.

LSASS.exe process

Some useful info and other interesting reading for this kind of activity:

How to debug LSASS.exe process
http://blogs.msdn.com/alejacma/archive/2007/11/13/how-to-debug-lsass-exe-process.aspx

Thursday, May 7, 2009

javascript-analytics.com: correlation between an increase in HTTP requests and the change of routes - trying to analyze mebroot (torpig) - part 0.2

Using alexa.com, the result for javascript-analytics.com over the last few days is the following:

As shown in the screenshots above, from the start of May 2009 there is an increase in HTTP traffic for javascript-analytics.com.

Analyzing with BGPlay the last month's BGP behaviour of the ASN (AS36351) where javascript-analytics.com lives, it is possible to see a clearly increasing "interest" from one of the biggest ASes: AS174 (Cogent).


27-04-2009



07-05-2009


Are these two factors correlated? It seems so.

who is javascript-analytics.com ? - trying to analyze mebroot (torpig) - part 0.1

Related to the previous mebroot post, some info about javascript-analytics.com is shown.

What Netcraft says about it:

What WOT says about it:

http://www.mywot.com/en/scorecard/javascript-analytics.com

Wednesday, May 6, 2009

wepawet information disclosure vulnerability?

Night thinking.
I've discovered a rough method to probe wepawet.com object and plugin versioning (is this intended as an information disclosure vulnerability?). From their result for my submission to analyse the URL 15mm.it, I've seen some variables, used by the exploiter (j.js from the previous post), with values that usually are not sandbox related.

Can an attacker use this info for, theoretically, exploiting wepawet? I hope not.


Feedback is welcome.

trying to analyze mebroot (torpig) - part 0

This post is intended as an attempt to analyze mebroot (related to the Torpig botnet), so some info at this time may be incorrect or not fully explained.

Let's start from malwaredomainlist.com, where the following malicious URL, indicated as one of the mebroot spreading sites, was found:


With Malzilla the result is a not-so-bad piece of obfuscated JavaScript code:

After a quick code analysis, the following code was noted:


To avoid the boring deobfuscation task, the following line of code was used and pasted into an HTML page:

Opening the HTML page the result is:


Some info (thanks to robtex.com) about the URL called by the obfuscated script:


Calling the URL gdq4hevif.com/ld/ment/ executes the exploiter (contained in the j.js file). The following screenshot shows the related URLs:


This spreading stage seems user-driven, so automatic analysis tools suck.

The exploiter (j.js) contains checking methods for a good number of potentially vulnerable objects, such as web browser plugins, the Microsoft Office and PDF reader versions installed on the probed system, and other stuff.
The info is sent via HTTP POST to javascript-analytics.com.

The following dump is the HTTP traffic logged with the HTTPHeader Firefox plugin:



Some decoded info passed to javascript-analytics.com:

That's all for now. I think that obtaining the malware binary requires a user-driven web browser session. It may be that the info grabbed by the exploiter is used by the malware site for ad hoc web page generation, so that the user's web browser can be exploited with the right issues.

Passing the starting URL to Wepawet, some more info is obtained (but not much more): http://wepawet.cs.ucsb.edu/view.php?hash=80f9d23ca8855e09a91fbd2ac13dc207&t=1241617911&type=js

Tuesday, May 5, 2009

torpig botnet

A good paper:

"Your Botnet is My Botnet: Analysis of a Botnet Takeover"
http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

Saturday, May 2, 2009

conficker.e analysis (.exe component) - part 0.9 - the 3rd of may

These screenshots show what happens on the 3rd of May. In a few words, the "MoveFileEx" Win32 API function is called. The file name is the ".exe" component name. I have some doubts about this "idle and destroy" method.