MMD-0010-2013 - Wordpress Hack Case: Site's Credential Stealer with New ASCII Obfuscation in POST Destination URL. Background: Yes, it is not news to hear about Wordpress or other PHP-based CMS getting hacked with malicious injected code. The hacked sites were injected with code scattered inside the Wordpress PHP files, obviously a hard-to-find quest, (mostly) targeting (1) compro
Intelligence report. Beware: Trojan7sec, A wolf in sheep's skin. In reversing malware we have to deal with code and its behavior, thinking backwards, connecting logic on the collected data to figure out how the malicious scheme works. This case is rather unusual: we reverse the social engineering malicious act, which is way more complicated than reversing malware code. The concept is the same but
MMD-0007-2013 - KINS? No! PowerZeuS, yes! Source Code for View & Download. Background: Finally announced publicly in social media TODAY that the leaked source code of (updated) what we thought was KINS (/updated) was publicly exposed. We found out later in the code that there is no link to any currently alive CnC with the destination and/or pattern used by the known "real KINS", apart from
...And (again!) ZeroAccess/Sirefef is NOT Dead (yet!) This is a straight-to-the-point post; for ZeroAccess reference there were previous posts --> HERE and --> HERE. Please bear with me, as I will not repeat the previously exposed details. Background: Again, do not believe what you read without checking, like this AV marketing issue --> HERE. The post is without any technical analysis background, specificall
MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday vulnerability. Summary: This zeroday PoC (thanks to KingCope for announcing the zeroday, a great share!) is having a huge impact at the worst possible timing of malware web infection trends, as the botnet via file injection is already ITW & spotted (salute to RepoCERT), so we find it necessary to quickly post the vulnerab
A mystery of Malware URL "cnt.php" Redirection Method with Apache's mod_rewrite.c's RewriteCond in .htaccess. Summary: To be honest, since learning that most Linux malware is blocking my IP and my country's access, I changed my strategy to invite and trap them with the honeypot method: a dummy server to let them come and attack. (I think) I was preparing it well... but after some time without
Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign. It is a workday so I can not post much, so please bear with the short analysis below. But today I can't get rid of my curiosity after reading Mr. Conrad Longmore's newest post on the Dynamoo Blog (nice report!) about the malvertisement with an encrypted/passworded zip attachment (here's the link -->>[Dynamoo Blog]). I got
CNC analysis of Citadel Trojan Bot-Agent - Part 2: Understanding its stealer functionalities by decoding the configs. Following the previous Citadel analysis we wrote -->>[HERE], we received so many requests & questions like: What encryption was used? What is actually written in the config? What has been downloaded? And sent? And most of all, where's the CnC? Friends, thank you very much for asking
(Peeling + Exposal) Kelihos via Redkit, mass-infection threat following unfortunate US disaster news.. We all know what happened in the US recently; it is a very sad & unfortunate situation. People died during the accident and the malware scum used this as their opportunity, and we just can't tolerate it. Dropping the previous tasks, we started to investigate this infection right away. By the g
#Howto - Analysis of RedKit infection sourced at 91.206.200.199 via OS X/Mountain Lion. It's been a while since I posted a report in this blog. Now we are posting a RedKit infection we traced to the Ukrainian hosting server at 91.206.200.199. The report points us to the suspicion of an IP which is used by RedKit as an infection source; the suspected payload server is there in some used domain