Win32/Spy.POSCardStealer.O and unknown POS Sniffer
Finally some new stuff (hmm, no). Let's talk about Win32/Spy.POSCardStealer.O, identified by ESET. It's pretty lame but let's see it anyway. On the first procedure the malware will register a reg key in...
Win32/Atrax.A
Atrax is a TOR botnet; you can read about it in the excellent post by Aleksandr. Someone on kernelmode.info recently posted a fresh sample: MD5: 44a6a7d4a039f7cc2db6e85601f6d8c1. Fun things also, the coder...
Win32/BruteForce.WP
DrWeb released news about this malware in August; they know it as 'Trojan.WPCracker.1'. And more recently ~ 1e8cd0f0f1702820c870302520bc0176. This executable communicates with a C&C at...
How the protection of Citadel got cracked
Recently on a forum someone requested cbcs.exe (Citadel Backconnect Server). If you want to read more about the Backconnect on Citadel, the link that g4m372 shared is cool:...
Jolly Roger Stealer
Friend Kafeine has already done a post on it, although someone recently sent me a URL on my cybercrime tracker.. I give a f%$k • dns: 1 ›› ip: 178.162.193.24 - adresse: LOADER.ISTMEIN.DE Bot statistic: CPU...
Troj/WowSpy-A
Recently a malware that targets World of Warcraft got identified. This threat is known as Disker, Mal/DllHook-A or Trojan.Siggen5.64266 and can steal player accounts even if they use a Battle.net...
Decoding Zeus 2.9.6.1 dynamic config
I had a look at the Zeus builder that was released by the MMBB guy on exploit.in; I've finally decided to write something about it, so let's talk about the change in the config encryption. MD5:...
Plasma HTTP
[Screenshots: Advert, Login, Online bots, Offline bots, Commands, Statistics, Logs] Yeah, take this lame article in the second degree; I only talk about Plasma because I promised on IRC to write something today. I'm not dead...
Zeus 1.1.3.4
RSA FirstWatch recently threw me a sample of a 'new' Zeus variant. I didn't really check all the changes that were made, but it seems to be nothing more than a standard Zeus v2. But wait, it communicates...
ZeusVM and steganography
Months ago, researchers observed an evolution of ZeusVM; time to get back to this family. For information, the first ZeusVM sample I've seen using steganography was on 21 November 2013. The IP of the...
Android/FakeToken.A
OTP forwarder dumped months ago. [Screenshots: Login, Statistics, Bots, Bot, Passwords, Send a command, Commands sent, Apps, Apps...]
Lame scareware
I found a sample yesterday downloaded via this URL: skyways.co/play.exe, a console application with ugly code + scareware and a third-party FakeAV call center. All the following was so lame that I need...
Android.Trojan.Rubobi.A (SmsPiratBot)
Another Android botnet dumped recently. This malware can send and intercept SMS from bots. Like most Android botnets, it is used mainly to target mobile banks like Sberbank (www.sberbank.ru - the...
ATSEngine
ATSEngine injects can often be found inside Zeus configs; they make the webinjects more dynamic because most of the content is located remotely and can be updated much more easily instead of sending new...
Install service for Malware affiliates and individuals
This install service had been running for a long time but the server recently died. People targeted are from Russia, Ukraine, Belarus, Kazakhstan, and Uzbekistan. Login: Statistics by days: (Date, Unique...
i/o
Wow, it's been a while since I've written anything new here... So to answer many questions.. no, I'm not dead, and I will try to get a bit more active again next year. I'm not writing this due to...
iBanking
iBanking is Android malware made to intercept voice and text information. The panel is poorly coded. [Screenshots: Login, Projects, Phone list, SMS list, All SMS (Incoming), All SMS (Outgoing), Call list...]
Neutrino bot
Neutrino bot is a malware that appeared and vanished quickly, like Phase. Not worth the look anyway. [Screenshots: Advert, Login, Task, Statistics, Clients, Files, Logs, Settings]
Phase (Win32/PhaseBot-A)
Small write-up about 'Phase', a malware that appeared and vanished very rapidly. I had a look at it with MalwareTech, who wrote several stories; it was shown that Phase is in reality a 'new' version of...
Captain Barbarossa
Captain Barbarossa is used for PayPal phishing and sold as a phishing kit; the kit includes an admin panel. The user is tricked with a fake PayPal login asking for details, here in German: Once the info is...
Cryptorbit locker
When Cryptorbit ransomware was targeting people, I visited them. SQL database: Bad guy...
Tiberium/Consuella USPS money laundering service
Consuella was a 'USPS drop service' run by one of the Lampeduza administrators. This type of service is used to help credit card thieves "cash out" by sending carded labels service overseas (or not)...
Alina 'sparks' source code review
I recently got my hands on the source code of Alina "sparks"; the main 'improvement' that everyone is talking about, and which makes the price of this malware rise, is the rootkit feature. Josh Grunzweig did...
Betabot retrospective
Some of you know Betabot.. if you don't: http://www.ic3.gov/media/2013/130918.aspx 1.0.2.5 panel: [Screenshots: Dashboard, extended information, Search options, Tasks, Remove bot, Terminate bot till next...]
Citadel 0.0.1.1 (Atmos)
Guys of JPCERT, thank you! They released an update to their Citadel decrypter to make it compatible with the 0.0.1.1 sample. Citadel 0.0.1.1 doesn't have a lot of documentation, so the time has come to talk about...