Saturday, September 23, 2017

Quotes from Successful People

Albert Einstein


  • Imagination is more important than knowledge.
  • Insanity: doing the same thing over and over again and expecting different results.
  • No problem can be solved from the same level of consciousness that created it.
  • The important thing is not to stop questioning. Curiosity has its own reason for existing.
  • Life is like riding a bicycle. To keep your balance you must keep moving.
  • Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.
  • Look deep into nature, and then you will understand everything better.
  • Try not to become a man of success, but rather try to become a man of value.
  • I have no special talents. I am only passionately curious.
  • Everything should be made as simple as possible, but not simpler.



Bill Gates


  • Life is not fair, get used to it (quite honest)
  • Success is a lousy teacher. It seduces smart people into thinking they can't lose.
  • If you can't make it good, at least make it look good.
  • I believe that if you show people the problems and you show them the solutions they will be moved to act.



Steve Jobs


  • Your time is limited, so don’t waste it living someone else’s life.
  • I want to put a ding in the universe.
  • We hire people who want to make the best things in the world.
  • Sometimes life is going to hit you in the head with a brick. Don't lose faith.
  • Being the richest man in the cemetery doesn't matter to me. Going to bed at night saying we've done something wonderful, that's what matters to me.
  • Sometimes when you innovate, you make mistakes. It is best to admit them quickly, and get on with improving your other innovations.
  • Design is not just what it looks like and feels like. Design is how it works.
  • Innovation distinguishes between a leader and a follower.



Mark Zuckerberg


  • Done is better than perfect.
  • I think a simple rule of business is, if you do the things that are easier first, then you can actually make a lot of progress.



Jack Ma

See beyond your circumstances. No matter what your current condition, how or where you grew up, or what education or training you feel you lack, you can be successful in your chosen endeavour.


Henry Ford


  • Failure is the only opportunity to begin again more intelligently.
  • If you think you can do a thing or think you can't do a thing, you're right.
  • A business that makes nothing but money is a poor business.
  • Don't find fault, find a remedy.



Michael Jordan

Accept failure, but keep trying.


Walt Disney

Keep moving forward.


Muhammad Ali


  • I hated every minute of training, but I said, 'Don't quit. Suffer now and live the rest of your life as a champion.'
  • Don't count the days, make the days count.
  • He who is not courageous enough to take risks will accomplish nothing in life.
  • I am the greatest, I said that even before I knew I was.
  • If you even dream of beating me you'd better wake up and apologize.
  • I'm so fast that last night I turned off the light switch in my hotel room and was in bed before the room was dark.
  • The fight is won or lost far away from witnesses - behind the lines, in the gym, and out there on the road, long before I dance under those lights.


And success tips from Arnold Schwarzenegger


Post created for inspiring billions
by
newWorld

Saturday, September 9, 2017

Analysis of recent linux malware:

Today we received a linux malware sample for analysis.
MD5: 26413FD652A4ABB3FCA4A936DE6A4736

remnux@remnux:~/Downloads$ file ntpd
ntpd: ELF 32-bit MSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped

This sample appears to be an attacking bot. Let's look at the strings:






IOC details
  • hxxp://majestic12(.)co(.)uk/bot.php
  • hxxp://89.38.96(.)67/tftp
  • 89.38.96(.)67
  • hxxp://94.177.172(.)221/John.sh
  • 94.177.172(.)221





Post made by

Analysis of Brazilian Banker malware

Executive summary
Brazilian banker malware is a popular banking malware family that targets South America; malware researchers refer to it as SA-Banker or Brazilian Banker. Malware actors have used many campaigns to reach victims and lure them into entering their credentials in a fake application. Once the fake application gets the banking credentials, they are acquired by the malware authors. Last week, our attention was drawn to banking malware spread through campaigns that use Facebook’s content delivery network (CDN).
Campaign using FB CDN:

Security researchers are worried about the latest campaign because it uses Facebook’s CDN, which makes it harder for security products to block.

Figure 1 CDN used in Brazilian banking malware
Last week's data from malware hunter team says that around 200 thousand people opened the email from Brazil. Refer to the following image from malware hunter team:

Figure 2 Email Infection stats

Our researchers dug deeper and obtained the malware samples for analysis. The campaign is targeted purely at Brazilian banking customers.
Analysis
File MD5: 76E3E02AD689AF06699205D5BE956894
Size of the file: 752 KB

Figure 3 File submission

This sample was submitted to the system only two days ago and, as we said, the origin of the submission is Brazil. The file type is DLL.

Figure 4 Banker detection
We loaded the sample into PEiD to check the export details.
Figure 5 Export details of the malware sample
Further analysis will be published in the next post.

Post by


Wednesday, September 6, 2017

Locky download links for analysis (Pastebin link)

In our last post, Locky Ransomware Latest Infection - Indicator of Compromise (http://www.edison-newworld.com/2017/09/locky-ransomware-latest-infection.html), we posted the indicators of compromise (IOCs) of the well-known Locky ransomware. Security researchers added a few more details in the following Pastebin link:

https://pastebin.com/8esSAWFD

You can visit the link to get the URLs; we have also copied those links here as an image.

Note: This is purely for research and malware analysis purposes, not for abuse.

https://www.virustotal.com/en/file/907f65e8a56dbd6328175c924987218d1d5e2eb144222f5fe5d1c52ad2647773/analysis/1504691819/
https://www.virustotal.com/en/file/045d4930f2d37a12d9a3b5725c777cd7b4ecdeffa2f6138809d2a12e42570f9f/analysis/1504691826/
https://www.virustotal.com/en/file/e75e5d374f20c386b1114252647cca7bd407190cafb26c6cfbd42c5f9223fe6c/analysis/1504691837/
https://www.virustotal.com/en/file/3ac9ab7ddd73531c3d5b7438f6bb74a7711c7f523770d61c338da4664993e7b1/analysis/1504691850/
https://www.virustotal.com/en/file/e6ddca65b517362123dfab0961f0735d738b7b3309568d021c533f1b19073666/analysis/150469188

Locky urls
Raw links locky

Post made by
newWorld researchers

Tuesday, September 5, 2017

Locky Ransomware Latest Infection - Indicator of Compromise:

IOC for latest locky ransomware infection:

Locky Infection URL:

hxxp://konferencjaora[.]pl/w/523f.php
hxxp://autonikos[.]pl/w/6dty.php
hxxp://oxfordschoolkotputli[.]com/w/vait.php
hxxp://j3[.]rodolfogn[.]com/w/qn0b.php
hxxp://martinagebhardt[.]hu/w/uol4.php

Regex created to match these PHP URLs: \/w\/[0-9a-z]{4}\.php

Fake Dropbox landing pages which serve Locky ransomware:

Fake Dropbox link in the mail



Fake Dropbox landing page
It is advised to block these malicious URLs in the firewall. If you find any of these URLs in your proxy or firewall logs, it is an indication that your system has been infected.
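One way to run that proxy-log check, as an added example that is not part of the original post: it applies the post's /w/ regex (anchored here to the whole URL path) and flags /dropbox.html served from a non-Dropbox host. The log layout, the example.test hosts and the 10.0.0.x clients are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Regex from the post, anchored here to the whole URL path (an added tightening).
LOCKY_PATH = re.compile(r"^/w/[0-9a-z]{4}\.php$")
LANDING_PATH = "/dropbox.html"   # page name shared by the fake Dropbox links

def refang(url):
    """Turn a defanged indicator (hxxp, [.] or (.)) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url).replace("[.]", ".").replace("(.)", ".")

def classify(url):
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if LOCKY_PATH.match(parts.path):          # query strings are ignored
        return "locky-payload-url"
    # Assumption: the genuine service does not serve /dropbox.html from other hosts.
    genuine = host == "dropbox.com" or host.endswith(".dropbox.com")
    if parts.path.lower() == LANDING_PATH and not genuine:
        return "fake-dropbox-landing"
    return None

def scan_proxy_log(lines):
    """Return (client_ip, host, label) for every request matching an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue                          # skip malformed or truncated lines
        _ts, client, _method, url, _status = fields[:5]
        label = classify(url)
        if label:
            hits.append((client, urlsplit(refang(url)).hostname, label))
    return hits

# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2017-09-05T09:14:02 10.0.0.21 GET http://files.example.test/w/6dty.php 200
2017-09-05T09:14:05 10.0.0.21 GET hxxp://shop.example[.]test/dropbox.html 200
2017-09-05T09:15:11 10.0.0.34 GET http://blog.example.test/w/index.php 200
2017-09-05T09:16:40 10.0.0.34 GET http://www.example.test/w/qn0b.php?id=3 404
2017-09-05T09:17:02 10.0.0.40 GET http://www.dropbox.com/dropbox.html 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Grouping the hits by client IP gives the list of machines to check first.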

Post made by
newWorld researchers


Sunday, September 3, 2017

Linux/Tsunami Malware Captured from honeypot

Today we got a shell file that was captured from a honeypot and submitted to VT. We checked the detection for that file and it was flagged as Linux/Tsunami.NJH. Looking directly at the contents of the shell script, it appears to be a generic downloader.
Figure 1 Linux/Tsunami.NJH
The script contains the same IP address throughout the file: 46.218.149(.)85. We checked this IP address and those file directories in VT, and it does serve a malicious ELF file. On the detection page there were similar hits, with ESET detecting it as a variant of Linux/Tsunami.NCD. The family description for this variant says that it is a backdoor that can be controlled remotely. The main purposes of this malware are downloading other malware files from the server, DDoS attacks and shell command execution.

Downloaded files - analysis

Based on these details, we manually downloaded the important files and started our analysis, beginning with string analysis of the files to get an idea of what they do. All three files that we downloaded contain junk strings, and there are two lines of strings that at least look like Japanese words. Refer to the snapshot below:

Figure 2 Strings of all the three files

·         0000000A5069   0000000A5069    nandemo shiranai wa yo,
·         0000000A5084   0000000A5084                    shitteru koto dake

String analysis – Based on Google search results

When read aloud, the strings sound like Japanese words, so we checked them in Google. They are indeed Japanese and mean “I don’t know anything” and “only I know”. The plain Google search also leads to some interesting posts, such as funtime ninja codes and DDoS router malware.


Figure 3 Funtimes Ninja Malware

TFTP is a file-transfer protocol that servers use to boot diskless workstations, X-terminals, and routers over the User Datagram Protocol (UDP). TFTP was primarily designed to read or write files on a remote server. Here, busybox is found in all the loops, which hints that the script targets resource-limited Linux machines (i.e. Linux on embedded systems).

Let’s move on to the next one, the DDoS router malware article, where we found the following YARA rule to detect the presence of router DDoS malware:

import "elf"
rule STD
{
    meta:
        author = "Akamai SIRT"
        description = "Kaiten/STD DDoS malware"
    strings:
        $s0 = "shitteru koto dake"
        $s1 = "nandemo wa shiranai wa yo,"
    condition:
        elf.number_of_sections == 0 and
        elf.number_of_segments == 2 and
        $s0 and $s1
}

This YARA rule was created by researchers from Akamai for the Kaiten/STD router DDoS malware.

Figure 4 DDoS Campaign
The above graph is from Akamai on the DDoS campaign from different locations across the globe.

Static analysis of the downloaded files

We ran the file command to check the properties of these files, and it reported them as valid ELF files.

Figure 5 File command elf

Figure 6 ELF Header
When we try to disassemble these files, we get the following warnings:
·         Warning: read (shdr) at 0xffff
·         Warning: Cannot initialize section headers
·         Warning: Cannot initialize strings table
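The structural half of the YARA rule above (no sections, two segments) and the section-header warnings both come down to a few fields of the ELF header. The following added example, which is not from the original post or from Akamai, reads those fields directly and approximates the rule's condition; it assumes the header counts are what the rule's elf fields report, and build_sample produces a constructed header, not a real sample.

```python
import struct

# Marker strings copied from the YARA rule quoted above.
MARKERS = (b"shitteru koto dake", b"nandemo wa shiranai wa yo,")

def elf_layout(data):
    """Read the program/section header fields of an ELF header; None if not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return None
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = LSB, 2 = MSB (big-endian MIPS)
    if data[4] == 1:                      # EI_CLASS 1: 32-bit header, 52 bytes
        shoff, = struct.unpack_from(end + "I", data, 0x20)
        phnum, shentsize, shnum = struct.unpack_from(end + "HHH", data, 0x2C)
    else:                                 # EI_CLASS 2: 64-bit header, 64 bytes
        if len(data) < 64:
            return None
        shoff, = struct.unpack_from(end + "Q", data, 0x28)
        phnum, shentsize, shnum = struct.unpack_from(end + "HHH", data, 0x38)
    return {"phnum": phnum, "shnum": shnum, "shoff": shoff,
            # False when the declared section table does not fit inside the file
            "shdr_in_file": shoff + shnum * shentsize <= len(data)}

def matches_std_condition(data):
    """Approximate the rule's condition: 0 sections, 2 segments, both strings."""
    hdr = elf_layout(data)
    return bool(hdr and hdr["shnum"] == 0 and hdr["phnum"] == 2
                and all(m in data for m in MARKERS))

def build_sample(phnum=2, shnum=0, shoff=0):
    """Constructed 32-bit MSB MIPS ELF header plus marker strings (not a real sample)."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    body = struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, 0x400000, 52, shoff, 0,
                       52, 32, phnum, 40, shnum, 0)
    return ident + body + b"\x00".join(MARKERS)

if __name__ == "__main__":
    print(elf_layout(build_sample()), matches_std_condition(build_sample()))
    print(elf_layout(build_sample(shnum=12, shoff=0xFFFF)))
```

A file whose header declares a section table beyond the end of the file, or no section table at all, still loads from its program headers, so missing sections alone do not make it unrunnable.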

We tweaked a few download-related lines of the initial script and ran it; it now fails with an exec format error.
Figure 7 Execution error
Conclusion

Based on the AV detection and string analysis, these files are found to be backdoors with DDoS functionality. It is highly recommended to block the malicious IP address in the firewall and proxy. A good SOC with a better threat intelligence feed will minimise the attack and can even stop it before it causes any damage.


Research done by

Process and Thread:

A process is a program or application that is currently running on a computer. It is an instance of a program that is being executed by the ...