MMD-0010-2013 - Wordpress Hack Case: Site's Credential Stealer with New ASCII Obfuscation in POST Destination URL
MMD-0010-2013 - Wordpress Hack Case: Site's Credential Stealer with New ASCII Obfuscation in POST Destination URL Background Yes, it is not a new news to hear about the Wordpress or etc PHP-base CMS got hacked with malicious injected codes. The hacked sites was injected with codes scattered inside of Wordpress PHP files, that obviously a hard-to-find quest, with the (mostly) targeting on (1)compro
Intelligence report. Beware: Trojan7sec, A wolf in sheep's skin
Intelligence report. Beware: Trojan7sec, A wolf in sheep's skin In reversing malware we have to deal with codes and its behavior, thinking backwards. connecting logic on the collected data to go figure how the malicious scheme works.This case is rather unusual, we reverse the social engineering malicious act. Which is way much complicated than reversing a malware code. The concept is the same but
MMD-0007-2013 - KINS? No! PowerZeuS, yes! Source Code for View & Download
MMD-0007-2013 - KINS? No! PowerZeuS, yes! Source Code for View & Download Background Finally announced publicly in social engineering media TODAY that the leaked source code of (updated) what we thought was KINS (/updated) was publicly exposed. We found out later on in the codes that there is no link to any current alive CnC with destination and/or pattern used by the known "realKINS", apart from
...And (again!) ZeroAccess/Sirefef is NOT Dead (yet!)
...And (again!) ZeroAccess/Sirefef is NOT Dead (yet!) Is a straight to the point post, for ZeroAccess reference there was posted previously- in --> HERE and--> HERE. Please bear for I will not include the previous exposed details. Background Again, do not believe on what you read without checking, like this AV marketing issue-->HERE The post is without any technical analysis background specificall
MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday vulnerability
MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday vulnerability Summary: This zeroday PoC (thank to KingCope for announcing the zeroday, a great share!) is bringing a huge impact in the worse timing of malware web infection trends, which the botnet via file injection already ITW & spotted (salute to RepoCERT) so we find it necessary to quick posting the vulnerab
A mistery of Malware URL "cnt.php" Redirection Method with Apache's mod_rewrite.c's RewriteCond in .htaccess
A mistery of Malware URL "cnt.php" Redirection Method with Apache's mod_rewrite.c's RewriteCond in .htaccess Summary To be honest, since knowing that most of linux malware are blocking my IP & and my country's access, I changed my strategy to invite and trap them with the honeypot method for a dummy server to let them come and attack. (I think) I was preparing it good.. but after some time without
Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign
Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign Is a workdays so I can not post much so please bear with the below short analysis. But today I can't get rid of my curiosity when reading Mr. Conrad Longmore's newest post on Dynamoo Blog (nice report!) about the malvertisement with encrypted/passworded zip attachment (here's the link -->>[Dynamoo Blog]). I got
CNC analysis of Citadel Trojan Bot-Agent - Part 2: Understanding its stealer functionalities by decoding the configs
CNC analysis of Citadel Trojan Bot-Agent - Part 2: Understanding its stealer functionalities by decoding the configs Following the previous Citadel Analysis we wrote-->>[HERE], we received so many requests & questions like: What encryption was used? What is actually written in the config? What has been downloaded? and sent? And most of all, where's the CnC? Friends, thank you very much for asking
(Peeling + Exposal) Kelihos via Redkit, mass-infection threat following unfortnate US disaster news..
(Peeling + Exposal) Kelihos via Redkit, mass-infection threat following unfortnate US disaster news.. We all know about what had happened in US recently, it is a very sad & unfortunate situation. People died during the accident and the malware scums used this for their opportunity, we just can't tolerate it. Dropping the previous tasks, we started to investigate this infection right away. By the g
#Howto - Analysis infection of RedKit sourced at 91.206.200.199 via OS X/Mountain Lion
#Howto - Analysis infection of RedKit sourced at 91.206.200.199 via OS X/Mountain Lion It's been a while since I post report in this blog. Now we are posting a RedKit infection we traced sourced to the Ukrainian hosting server at 91.206.200.199. The report is pointing us to the suspicion of an IP which is used by RedKit for source infection, suspected payload's server is there in some used dommain
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
A Step by Step Decoding Guide for CookieBomb's (as Front-end) Latest Threat, with Evil ESD.PHP Redirection (as the Back-end)
MMD-0008-2013 - What's Behind the #w00tw00t Attack
MMD-0006-2013 - Rogue 302-Redirector "Cushion Attack", an attempt to evade IDS/IPS
What is behind #CookieBomb attack? (by @malm0u53)
The Evil Came Back: Darkleech's Apache Malware Module: Recent Infection, Reversing, Prevention & Source Details
Fake Adobe Flash Updater in 173.246.102.2 - Win32/Fareit downloads Win32/Medfos (to then download OTHER malware at Megaupload.com)
Blackhole NOW served Cridex combo with Ransomware rotated with GeoIP - Changes in credential crime scheme (powered by NAUNET.RU)
Blackhole of "/closest/" version with an infection of Trojan ZeroAccess (alias MaxPlus, Sirefef) w/Recycler Variant
The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
Peeking at Anon JDB Exploit Kit infector (212.7.192.100/jdb/inf.php?id=xxx) with AV verdicted called "DarkKomet", but actually a NayraBOT/AryaNBot an IRC Backdoor USB Worm