Wednesday, August 6, 2014

Analysis of malicious VBscript:

Yesterday, AntiVir detected a VBScript as VBS/Dldr.Agent.sver.

I had a go at it and tried to find out what it is actually doing:

Malicious script

Formatted script using malzilla

If you look at the script, it sets the site name as nosensetoblock and the temp folder location as tfolder. It loads a cmd file in the temp location as follows:

 var genesis is equal to "%TEMP%\\keybtc.cmd", autorotatedomain="images";

It uses the try/catch method for auto reply (refer to the image).

It's good to detect these kinds of scripts :).
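As an added example (not code from the original post or from the script it analyses), a small Python triage helper that pulls the quoted string assignments out of a dropper script like this one, expands %TEMP%-style environment references and flags any value that resolves to a dropped script file. The sample script and the environment mapping are constructed here and only mimic the fragment quoted above.

```python
import re

# Constructed sample modelled on the fragment quoted in the post; not the real script.
SAMPLE_SCRIPT = r'''
var nosensetoblock = "example.invalid";
var tfolder = "%TEMP%";
var genesis = "%TEMP%\\keybtc.cmd", autorotatedomain = "images";
try { dropAndRun(genesis); } catch (e) { retry(); }
'''

# name = "string literal"  (the literal may contain backslash escapes)
ASSIGN_RE = re.compile(r'\b(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
# %NAME% environment references as used by cmd/VBScript droppers
ENV_RE = re.compile(r'%(\w+)%')
DROPPED_EXTS = ('.cmd', '.bat', '.exe', '.vbs', '.js', '.ps1')


def js_unescape(raw):
    """Resolve the common backslash escapes of a JS/VBScript string literal."""
    simple = {'n': '\n', 't': '\t', 'r': '\r'}
    return re.sub(r'\\(.)', lambda m: simple.get(m.group(1), m.group(1)), raw)


def extract_assignments(script):
    """Return {variable: decoded string} for every quoted string assignment."""
    return {name: js_unescape(raw) for name, raw in ASSIGN_RE.findall(script)}


def expand_env(value, env):
    """Expand %NAME% references using the supplied environment mapping."""
    return ENV_RE.sub(lambda m: env.get(m.group(1), m.group(0)), value)


def triage(script, env):
    """Static triage: list string assignments and the files the script would drop."""
    strings = extract_assignments(script)
    dropped = []
    for name, value in strings.items():
        if ENV_RE.search(value):
            expanded = expand_env(value, env)
            if expanded.lower().endswith(DROPPED_EXTS):
                dropped.append((name, expanded))
    return {"strings": strings, "dropped_files": dropped}


if __name__ == "__main__":
    # Hypothetical victim environment; real triage would use the analysis VM's values.
    result = triage(SAMPLE_SCRIPT, {"TEMP": r"C:\Users\victim\AppData\Local\Temp"})
    for name, path in result["dropped_files"]:
        print(f"{name} drops {path}")
```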

Post made by

Tuesday, August 5, 2014

Trojan: Wonton

VT Information about a malicious sample:

imphash: a49926a7e80581b917867c2bd8cfdf8f
Size: 416.5 KB (426496 bytes)
Type: Win32 EXE
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID: Win32 Executable MS Visual C++ (generic) (64.5%), Win32 Dynamic Link Library (generic) (13.6%), Win32 Executable (generic) (9.3%), Clipper DOS Executable (4.1%), Generic Win/DOS Executable (4.1%)

This malware throws an error message when you execute it:
But if you observe the changes in the system through Process Explorer and process monitoring tools, you will find a process with random characters as its name which points to %Application Data%. This is obviously weird, and it gives one hundred percent confirmation to the user that we have executed a malware. If you use InCtrl, it will log all the changes made to files, folders and the registry.

Leading antivirus products such as Sophos detect this set of malware with the name:


And ESET NOD32 detects the same malware with the name:

a variant of Win32/Agent.VNC

Sophos write-up
The above snap shows what Sophos says about the behavior of the samples. Sophos is a pretty good AV.

Stay protected. Enjoy the cyber world.


Monday, August 4, 2014

Today's email scam:

Today I got a mail from BHC (which claims to be the British High Commission), which I had never heard of. There is no message body in the mail, only an attachment (a PDF file). I downloaded it and scanned it with my local exploit scanner. Nothing found.

snap of the mail

I checked what that PDF claims... it is the same old 419 scam, aka the Nigerian scam...

snap of the pdf
It looks pretty legit and colorful... But people need to understand one thing: no one will give you a million dollars without you doing anything.
So, my humble advice is to delete these mails without reading them. Also, educate your relatives and friends by creating awareness. Please check my blog for other Nigerian scams, aka 419 scams.

