Home   Blog   Twitter   Database  

NASA prepares for serious sysadmin work - reimaging Opportunity Rover out on MARS!

Ever sweated a bit on Patch Tuesday when it's time to reboot? Then spare a thought for NASA sysadmins - this month they'll be reimaging a computer 200,000,000km away...on Mars!

Posted: 1 Sep 2014 | 3:03 am

HP: NORKS' cyber spying efforts actually a credible cyberthreat

'Sophisticated' spies, DIY tech and a TROLL ARMY – report

North Korea is ramping up its cyber spying efforts to the point where it is becoming a credible threat against Western enterprises and government, security researchers at HP warn.…

Posted: 1 Sep 2014 | 2:36 am

“Salad Words” Spam Run Exploits Unlikely Resources

We recently reported about a large spike of commercial spam that employed micro-sized salad words or random gibberish words found in the email body to bypass spam filters. The content of these messages varied from hair loss cures to car sales to retailer coupons. Most of the samples contained links to websites they themselves advertise.

Aside from the tactic used, this particular spam run is notable because its two primary sources are hosting services providers and newly-registered domains that were not previously associated with known or detected spam activity. Service providers are often considered trustworthy but it now seems that they are being openly abused by spammers.

New Spam Sources

Majority of the spam-sending IPs were sourced from a company associated with a Canadian hosting service provider. The remaining IP addresses belong to US-based providers.

Newly-registered domains were another noteworthy spam source.  Spammers created these newly-born domains and wasted no time in using these new domains as the sender address and URL inside the mail body, as seen in the table below. They started spamming only minutes after registering the new domains. When unsuspecting users clicked these domains found in the email message, they are redirected to spam websites.

Spammers may have used new domains with no spam history because these may not arouse suspicion. Analysis from our engineers shows that all the domains were filed under the same registrar by one organization.


Figure 1. Time between domain registration and first known spamming activity

Figure 2 shows the peak spam volume associated with this campaign within a 24-hour period. Closer inspection reveals that the spam run was composed of multiple short burst of spamming activity, shown in Figure 3. Each burst came from one IP address, followed by another burst from another IP address, and so on. Such behavior is most likely an attempt to evade IP-based filtering solutions.


Figure 2. Peak spam volume within specific hours


Figure 3. Multiple IPs contribute to the spam runs

Based on our IP statistics, 85% of the affected victims came from the US. Other top affected countries include Germany, Canada, Great Britain, and New Zealand.

Countermeasures

As spam techniques continue to adapt and evolve, users are advised to be on guard when opening their emails. Never open messages, download attachments and click links from unknown senders. Security solutions, such as spam filtering, can help protect users from such threats.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

“Salad Words” Spam Run Exploits Unlikely Resources

Posted: 29 Aug 2014 | 12:07 pm

Sinkholing the Backoff POS Trojan

There is currently a lot of buzz about the Backoff point-of-sale Trojan that is designed to steal credit card information from computers that have POS terminals attached.

Trustwave SpiderLab, which originally discovered this malware, posted a very thorough analysis in July.  The U.S. Secret Service, in partnership with DHS, followed up with an advisory.

Although very thorough, the existing public analyses of Backoff are missing a very relevant piece of information: the command-and-control (C&C) servers. However, if you have access to the samples it isn't hard to extract this information. At the end of this document, you can find a full list together with other IOCs (indicators of compromise).

backoffc2

Backoff malware configuration, with C&Cs

We sinkholed two C&C servers that Backoff samples used to communicate with their masters. These C&C servers are used by certain samples that were compiled from January - March 2014. Over the past few days, we observed over 100 victims in several countries connecting to the sinkhole.

Statistics:

backoffc2

There were several interesting victims among them:

There are also a lot of home user lines, mostly in the U.S. and Canada, connecting to the sinkhole. This is to be expected as many smaller businesses generally tend to run those rather than dedicated corporate connections.

Conclusions

The success of Backoff paints a very bleak picture of the state of point-of-sale security. Our sinkhole covers less than 5% of the C&C channels and the sinkholed domains only apply to certain Backoff samples that were created in the first quarter of this year. Yet, we've seen more than 85 victims connecting to our sinkhole.

Most of these victims are located in North America and some of them are high profile. Taking into account the U.S. Secret Service statement, it's a pretty safe bet that the number of Backoff infections at businesses in North America is well north of 1,000.

Since its appearance last year, Backoff has not changed dramatically. The author created both non-obfuscated and obfuscated samples. This was likely done to defeat the security controls on the targeted networks. However, the defenses running on a PoS terminal and/or network should not have been affected by this. This speaks volumes about the current state of PoS security, and other cybercriminals are sure to have taken note.

It's very clear that PoS networks are prime targets for malware attacks. This is especially true in the US, which still doesn't support EMV chip-enabled cards. Unlike magnetic strips, EMV chips on credit cards can't be easily cloned, making them more resilient. Unfortunately, the US is adopting chip and signature, rather than chip and PIN. This effectively negates some of the added security EMV can bring.

This may prove another costly mistake. Not adopting EMV along with the rest of the world is really haunting retail in the U.S. and the situation is not likely to change anytime soon.

IOCs / C&Cs:

Trojan file paths:

%APPDATA%\AdobeFlashPlayer\mswinsvc.exe
%APPDATA%\AdobeFlashPlayer\mswinhost.exe
%APPDATA%\AdobeFlashPlayer\Local.dat
%APPDATA%\AdobeFlashPlayer\Log.txt
%APPDATA%\mskrnl
%APPDATA%\nsskrnl
%APPDATA%\winserv.exe
%APPDATA%\OracleJava\javaw.exe
%APPDATA%\OracleJava\javaw.exe
%APPDATA%\OracleJava\Local.dat
%APPDATA%\OracleJava\Log.txt

Kaspersky names for the Trojans:

HEUR:Trojan.Win32.Invader
HEUR:Trojan.Win32.Generic
Backdoor.Win32.Backoff
Trojan.Win32.Agent.ahhia
Trojan.Win32.Agent.agvmh
Trojan.Win32.Agent.aeyfj
Trojan-Spy.Win32.Recam.qq
Trojan-Dropper.Win32.Sysn.ajci
Trojan.Win32.Bublik.covz
Trojan-Dropper.Win32.Dapato.dddq
Trojan.Win32.Agent.agufs
Trojan.Win32.Agent.ahbhh
Trojan.Win32.Agent.agigp
Trojan.Win32.Agent.aeqsu
Trojan.Win32.Agent.ahgxs
Trojan.Win32.Inject.mhjl
Trojan.Win32.Agent.ahbhh
Trojan.Win32.Agent.ahhee
Trojan.Win32.Agent.ahgxs

MD5s:

684e03daaffa02ffecd6c7747ffa030e
3ff0f444ef4196f2a47a16eeec506e93
12c9c0bc18fdf98189457a9d112eebfc
14cca3ad6365cb50751638d35bdb84ec
d0f3bf7abbe65b91434905b6955203fe
38e8ed887e725339615b28e60f3271e4
7b027599ae15512256bb5bc52e58e811
5cdc9d5998635e2b91c0324465c6018f
821ac2580843cb0c0f4baff57db8962e
b08d4847c370f79af006d113b3d8f6cf
17e1173f6fc7e920405f8dbde8c9ecac
874cd0b7b22ae1521fd0a7d405d6fa12
ea0c354f61ba0d88a422721caefad394
6a0e49c5e332df3af78823ca4a655ae8
8a019351b0b145ee3abe097922f0d4f6
337058dca8e6cbcb0bc02a85c823a003
842e903b955e134ae281d09a467e420a
d1d544dbf6b3867d758a5e7e7c3554bf
01f0d20a1a32e535b950428f5b5d6e72
fc041bda43a3067a0836dca2e6093c25
4956cf9ddd905ac3258f9605cf85332b
f5b4786c28ccf43e569cb21a6122a97e
cc640ad87befba89b440edca9ae5d235
0b464c9bebd10f02575b9d9d3a771db3
d0c74483f20c608a0a89c5ba05c2197f
b1661862db623e05a2694c483dce6e91
ffe53fb9280bf3a8ceb366997488486e
c0d0b7ffaec38de642bf6ff6971f4f9e
05f2c7675ff5cda1bee6a168bdbecac0
9ee4c29c95ed435644e6273b1ae3da58
0607ce9793eea0a42819957528d92b02
97fa64dfaa27d4b236e4a76417ab51c1
82d811a8a76df0cda3f34fdcd0e26e27
0b7732129b46ed15ff73f72886946220
30c5592a133137a84f61898993e513db
aa68ecf6f097ffb01c981f09a21aef32
bbe534abcc0a907f3c18cfe207a5dfca
29e0259b4ea971c72fd7fcad54a0f8d0

C&C domains and hostnames:

00000000000.888[.]ru
10000000000.888[.]ru
adobephotoshop11111[.]com
adobephotoshop22222[.]com
domain12827312[.]com
helloflashplayers12345[.]com
hellojavaplayers12345[.]com
ilovereservdom213ada2[.]ru
iownacarservice[.]ru
iownacarservice1[.]com
msframework1[.]com
msframework1[.]ru
msframeworkx64[.]com
msframeworkx86[.]com
msframeworkx86[.]ru
msoffice365net[.]com
nullllllllllll[.]com
ollygo030233[.]com
ollygo030233[.]ru
pop3smtp5imap2[.]com
pop3smtp5imap3[.]com
pop3smtp5imap4[.]ru
reservedomain12312[.]ru
total-updates[.]com

C&C IPs:

146.185.233.32
81.4.111.176
95.211.228.249
217.174.105.86

Posted: 29 Aug 2014 | 2:55 am

Connecting the Dots: Syrian Malware Team Uses BlackWorm for Attacks

The Syrian Electronic Army has made news for its recent attacks on major communications websites, Forbes, and an alleged attack on CENTCOM. While these attacks garnered public attention, the activities of another group – The Syrian Malware Team – have gone largely unnoticed. The group’s activities prompted us to take a closer look. We discovered this group using a .NET based RAT called BlackWorm to infiltrate their targets.

The Syrian Malware Team is largely pro-Syrian government, as seen in one of their banners featuring Syrian President Bashar al-Assad. Based on the sentiments publicly expressed by this group it is likely that they are either directly or indirectly involved with the Syrian government. Further certain members of the Syrian Malware Team have ties to the Syrian Electronic army (SEA) known to be linked to the Syrian government. This indicates that the Syrian Malware Team may also be possibly an offshoot or part of the SEA.

syria1

Banner used by the Syrian Malware Team

BlackWorm Authorship

We found at least two distinct versions of the BlackWorm tool, including an original/private version (v0.3.0) and the Dark Edition (v2.1). The original BlackWorm builder was co-authored by Naser Al Mutairi from Kuwait, better known by his online moniker ‘njq8′. He is also known to have coded njw0rm, njRAT/LV, and earlier versions of H-worm/Houdini. We found his code being used in a slew of other RATs such as Fallaga and Spygate. BlackWorm v0.3.0 was also co-authored by another actor, Black Mafia.

syria2

About section within the original version of BlackWorm builder

Within the underground development forums, it’s common for threat actors to collaborate on toolsets. Some write the base tools that other attackers can use; others modify and enhance existing tools.

The BlackWorm builder v2.1 is a prime example of actors modifying and enhancing current RATs. After njq8 and Black Mafia created the original builder, another author, Black.Hacker, enhanced its feature set.

syria3

About section within BlackWorm Dark Edition builder

syria4

Black.Hacker’s banner on social media

syria5

As an interesting side note, ‘njq8′ took down his blog in recent months and announced a cease in all malware development activity on his Twitter and Facebook account, urging others to stop as well. This is likely a direct result of the lawsuit filed against him by Microsoft.

BlackWorm RAT Features

The builder for BlackWorm v0.3.0 is fairly simple and allows for very quick payload, but doesn’t allow any configuration other than the IP address for command and control (C2).

syria6

Building binary through BlackWorm v0.3.0

syria7

BlackWorm v0.3.0 controller

BlackWorm v0.3.0 supports the following commands between the controller and the implant:

ping Checks if victim is online
closeserver Exits the implant
restartserver Restarts the implant
sendfile Transfer and run file from server
download Download and run file from URL
ddos Ping flood target
msgbox Message interaction with victim
down Kill critical windows processes
blocker Block specified website by pointing resolution to 127.0.0.1
logoff Logout out of windows
restart Restart system
shutdown Shutdown system
more Disable task manager, registry tools, system restore. Also blocks keyboard and mouse input
hror Displays a startling flash video

In addition to the features supported by the command structure, the payload can:

The Syrian Malware Team primarily uses another version of BlackWorm called the Dark Edition (v2.1). BlackWorm v2.1 was released on a prolific underground forum where information and code is often shared, traded and sold.

syria8

BlackWorm v2.1 has the same abilities as the original version and additional functionality, including bypassing UAC, disabling host firewalls and spreading over network shares. Unlike its predecessor, it also allows for granular control of the features available within the RAT. These additional controls allow the RAT user to enable and disable features as needed. Binary output can be also be generated in multiple formats, such as .exe, .src and .dll.

syria9

BlackWorm Dark Edition builder

Syrian Malware Team

We observed activity from the Syrian Malware Team going as far back as Jan. 1, 2011. Based on Facebook posts, they are allegedly directly or indirectly involved with the Syrian government. Their Facebook page shows they are still very active, with a post as recent as July 16th, 2014.

syria10

Syrian Malware Team’s Facebook page

The Syrian Malware Team has been involved in everything from profiling targets to orchestrating attacks themselves. There are seemingly multiple members, including:

https://www.facebook.com/syrian.lion.1610

https://www.facebook.com/syrian.wolverine

https://www.facebook.com/syrian.hawks.9

https://www.facebook.com/syrian.wolf.1023

https://www.facebook.com/syrian.tiger.161

https://www.facebook.com/ali.alsaied

https://www.facebook.com/Sesa.sy.1

https://www.facebook.com/ordetaleasmen

https://www.facebook.com/moony.elias

https://www.facebook.com/kays.syr

https://www.facebook.com/jano.thesun.5

https://www.facebook.com/syrian.malware1

Partial list of self-proclaimed Syrian Malware Team members

Some of these people have posted malware-related items on Facebook.

syria11

Facebook posting of virus scanning of files

While looking for Dark Edition samples, we discovered a binary named svchost.exe (MD5: 015c51e11e314ff99b1487d92a1ba09b). We quickly saw indicators that it was created by BlackWorm Dark Edition.

syria12

Configuration options within code

The malware communicated out to 178.44.115.196, over port 5050, with a command structure of:

!0/j|n\12121212_64F3BF1F/j|n\{Hostname}/j|n\{Username}/j|n\USA/j|n\Win 7 Professional SP1 x86/j|n\No/j|n\2.4.0 [ Dark Edition]/j|n\/j|n\{ActiveWindowName}/j|n\[endof]

When looking at samples of Dark Edition BlackWorm being used by the Syrian Malware Team, the strings “Syrian Malware,” or “Syrian Malware Team” are often used in the C2 communications or within the binary strings.

Additional pivoting off of svchost.exe brought us to three additional samples apparently built with BlackWorm Dark Edition. E.exe, (MD5: a8cf815c3800202d448d035300985dc7) a binary that drew our attention, looked to be a backdoor with the Syrian Malware strings within it.

syria13

When executed, the binary beacons to aliallosh.sytes.net on port 1177. This C2 has been seen in multiple malware runs often associated with Syria.  The command structure of the binary is:

!0/j|n\Syrian Malware/j|n\{Hostname}/j|n\{Username}/j|n\USA/j|n\Win 7 Professional SP1 x86/j|n\No/j|n
\0.1/j|n\/j|n\{ActiveWindowName}/j|n\[endof]

Finally, pivoting to another sample, 1gpj.srcRania (MD5:f99c15c62a5d981ffac5fdb611e13095), the same strings were present. The string “Rania” used as a lure was in Arabic and likely refers to the prolific Queen Rania of Jordan.

syria14

The traffic is nearly identical to the other samples we identified and tied to the Syrian Malware Team.

!1/j|n\C:\Documents and Settings\{Username}\Local Settings\Application DataldoDrZdpkK.jpg – Windows Internet Explorer[endof]!0/j|n\Syrian Malware/j|n\{Hostname}/j|n\{Username}/j|n\USA/j|n\Win XP ProfessionalSP2 x86/j|n\No/j|n\0.1/j|n\/j|n\C:\Documents and Settings\{Username}\Local Settings\Application DataldoDrZdpkK.jpg – {ActiveWindowName}/j|n\[endof]

Conclusion

Determining which groups use which malware is often very difficult. Connecting the dots between actors and malware typically involves looking at binary code, identifying related malware examples associated with those binaries, and reviewing infection vectors, among other things.

This blog presents a prime example of the process of attribution. We connected a builder with malware samples and the actors/developers behind these attacks. This type of attribution is key to creating actionable threat intelligence to help proactively protect organizations.

Posted: 29 Aug 2014 | 1:00 am

Pitou Q&A

What is Pitou?
A recently spotted spambot malware that shares many similarities from the notorious kernel-mode spambot Srizbi. After further analysis, we confirmed it is a revival of Srizbi. We named this latest malware Pitou. After some in-depth analysis, we found some other interesting technical features and wrote a whitepaper on it.

Why it is called Pitou?
The name Pitou came from our colleague's existing detection name for it. We decided to use this family name to avoid confusion. Another reason why we think this spambot deserves a new name (rather than continuing with the Srizbi moniker, that is) is because the malware code has been completely rewritten with more robust features, including now being equipped with a bootkit.

Where was it first discovered?
We first encountered the threat on a client machine that reported a suspicious system driver file to our automated analytical systems. After some manual analysis, we found it to be malicious and containing a payload that is highly obfuscated and protected by Virtual Machine (VM) code. This implied that there was something the malware was trying to hide from researchers. So naturally we decided to do an in-depth analysis.

When was it first seen?
The threat was first found in April 2014 based on the dates from our sample collection systems, though it may have existed in the wild at an earlier date. The whitepaper includes more timeline information.

Who should be concerned by this threat?
This threat could cause havoc or bring inconvenience to both corporate and home users. The spambot will utilize an infected machine to spread spam emails, which can lead to the spamming IP address being blacklisted in Realtime Black List (RBL) by an Internet Service Provider (ISP). A blacklisted IP address is blocked from sending (even legitimate) email via standard Simple Mail Transfer Protocol (SMTP), which is commonly configured in most corporate email servers. A regular home users meanwhile would be concerned if they use a non-Web based email client, for example Microsoft Outlook, that ends up having its IP address blacklisted by an ISP.

What are some of Pitou's indicators of compromise (IOC)?
The threat is not particularly stealthy compared to other modern rootkits. We list a couple of IOCs in our document for someone (reasonably technically astute) who is interested in quickly identifying if their machine is Pitou-infected.

Where can I get the Pitou whitepaper?
Click the image below, or visit the
technical papers section of our Labs site:

pitou_whitepaper_cover (96k image)


Post by - Wayne

----------
Updated to add: Whitepaper updated with a minor correction in a reference. Also, hattip to Karmina for assistance in writing this paper!

On 28/08/14 At 08:25 AM

Posted: 28 Aug 2014 | 9:48 pm

Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks

A few days ago we detected a watering hole campaign in a website owned by one big industrial company.

The website is related to software used for simulation and system engineering in a wide range of industries, including automotive, aerospace, and manufacturing.

The attackers were able to compromise the website and include code that loaded a malicious Javascript file from a remote server. This Javascript file is a framework for reconnaissance that the attackers call "Scanbox" and includes some of the techniques we described in a previous blog post: Attackers abusing Internet Explorer to enumerate software and detect security products  

The Scanbox framework first configures the remote C&C server that it will use and collects a small amount of information about the victim that is visiting the compromised website including:

Resulting in something like this:

Before sending the information to the C&C server, Scanbox encodes and encrypts the data with the following function:

Producing the following request:

If we decrypt the data it translates to:

After the first request, the framework contains several plugins to extract different information from the victim.

Pluginid 1: Enumerates software installed in the system using the technique we explained before that affects Internet Explorer. It also checks if the system is running different versions of EMET (Enhanced Mitigation Experience Toolkit):

Producing the list of security software on the target

Pluginid 2: Enumerates Adobe Flash versions

Pluginid 5: Enumerates Microsoft Office versions

Pluginid 6: Enumerates Acrobat Reader versions

Pluginid 8: Enumerates Java versions

Pluginid 21: Implements a “keylogger” functionality trough Javascript that logs all the keystrokes the victim is typing inside the compromised website.

While the user is browsing the compromised website, all keystrokes are being recorded and sent to the C&C periodically. It will also send keystrokes when the user submits web forms that can potentially include passwords and other sensitive data.

As we have seen, this is a very powerful framework that gives attackers a lot of insight into the potential targets that will help them launching future attacks against them.

We have also seen several Metasploit-produced exploits that target different versions of Java in the same IP address that hosts the Scanbox framework (122.10.9[.]109).

We recommend you look for this type of activity against the following machines in your network:

       

Posted: 28 Aug 2014 | 2:27 pm

A Quick Peek at Network Injection

Like many of you, I’ve been looking at the various NSA document leaks to see what kind of tools and techniques are being used. I suppose these releases will give cybercriminals new ideas and we will see some of these put to nefarious use sooner than later.

This particular article was very interesting, especially the concept of network injectors. I’ve heard about EvilGrade but never played with it. It seems as though QUANTUMINSERT and FinFly ISP do something similar.

I wondered how I could use this for a pentest. Getting inline with my target would be the first challenge. There are several tools I could use to route wired and wireless network traffic to my computer but maybe an easier way is to setup a proxy server then push out a proxy.pac file.

Here’s a website with a link to a setup file for Revelo.

2014-08-20_01

When the user downloads the program, I can see their GET request and response. At this point the program gets downloaded. Here we see excerpts from Paros.

2014-08-20_02

The way QUANTUMINSERT is described to work, the download request gets silently redirected to another server where an implant gets downloaded. And according to the FinFisher documentation, there is a method called “INJECT-EXE” which “infects the downloaded EXE file in real time. The agent is installed when the target runs the EXE file.”

There’s not too much details so I can only infer how this is being done. Maybe they would have pre-downloaded popular programs, binded it with a backdoor, then sent the file over via a forged HTTP redirect. This would allow the user to install the real program with real certificates but have their program run too.

But how could you do this in real-time, with any download? If I can write a program that intercepts the GET request to any EXE program, bind it with a backdoor in real-time, update the Content-Length field in the response header, and send the file along…it *should* work. ;)

After some coding, I came up with “Interjector” – Interceptor and Injector (because of the nature of this program I won’t be making this available, sorry). There’s not much to look at I know.

2014-08-20_03

With Interjector off, when I download the file, it looks like this:

2014-08-20_04

However, when Interjector is running, the same download dialog box now looks like this (note the file size):

2014-08-20_05

What’s happening behind the scenes is that there is a specially-crafted EXE file that’s been added to Interjector as a resource. When the program sees a GET request to any EXE file, it loads the resource to a variable and gets ready. When the program sees the response, it reads in the Content-Length value, adds the length of the resource to it, and puts the updated value back into the header. Finally, it injects the variable containing the resource into the download stream.

The advantage of doing it this way is that I don’t need to redirect users to another server, I can intercept/inject any EXE file the user downloads, it’s very stealthy, and all of this happens in real time.

Here’s what it looks like when the downloaded file is executed:

2014-08-20_06

Ugh, the icon makes it look fake but I can fix that. This is going to be a challenge for those programs with unique icons. The best way is probably to use a generic icon like this and hope users don’t notice.

2014-08-20_07

What about the MD5/SHA hash? That’s the biggest hurdle to overcome. I could change the hash on the webpage to match the final file but only for the ones I know about by doing a global search and replace. Or I can search for any hash line and remove it from the webpage.

2014-08-20_08

What if it’s a compressed file download (e.g. ZIP)? I think I would have to rezip the file with a new EXE or rebuild the download which changes the ZIP file to an EXE. The real-time requirement makes this difficult to handle without the user taking notice.

So what’s a user to do?
- Use HTTPS to download programs
- Choose to download a compressed version (e.g. ZIP) instead of a bare EXE/MSI file
- Pay attention to any anomalies and inconsistencies; when in doubt, stop
- Verify the program’s hash before installing (for the paranoid, use an out-of-band device like your phone to view the hash on the webpage)

Posted: 20 Aug 2014 | 8:15 pm

CZ Solution Ltd. signed samples of Xtreme Rat, Zeus, Spy-Net, Gh0st, BozokRAT and other


Here are all samples (+ more) mentioned in this post by Fireeye : The Little Signature That Could: The Curious Case of CZ Solution"
All files are digitally signed with a "CZ Solutions" certificate making it easy to create a Yara or ClamAV signature.

A few Zeus samples seem to be still beaconing. Most are sinkholed.
The certificate is now revoked by VeriSign.

Enjoy




Download


Download. Email me if you need the password





File Information

Listed by Fireeye 
  1. Xtreme Rat_78CED3B6C04D372CE10B6B8606B3B747 78ced3b6c04d372ce10b6b8606b3b747
  2. Spy-Net 2.6_6A56F6735F4B16A60F39B18842FD97D0 6_6A56F6735F4B16A60F39B18842FD97D0
  3. Xtreme Rat_7C00BA0FCBFEE6186994A8988A864385.msg msg 7c00ba0fcbfee6186994a8988a864385
  4. XtremeRAT 3.5 Private _2E776E18DEC61CF6CCD68FBACD55FAB3 2e776e18dec61cf6ccd68fbacd55fab3
  5. XtremeRAT 3.5 Private _BD70A7CAE3EBF85CF1EDD9EE776D8364 bd70a7cae3ebf85cf1edd9ee776d8364
  6. XtremeRAT 3.5 Private_0BE3B0E296BE33903BF76B8CD9CF52CA 0be3b0e296be33903bf76b8cd9cf52ca
  7. XtremeRAT 3.5 Private_7416EC2889227F046F48C15C45C102DA 7416ec2889227f046f48c15c45c102da
  8. XtremeRAT 3.5 Private_BE47EC66D861C35784DA527BF0F2E03A be47ec66d861c35784da527bf0f2e03a
  9. XtremeRAT 3.5 Private_C27232691DACF4CFF24A4D04B3B2896B c27232691dacf4cff24a4d04b3b2896b
  10. XtremeRAT 3.5 Private_E79636E4C7418544D188A29481C100BB e79636e4c7418544d188a29481c100bb
  11. Zeus_9C11EF09131A3373EEF5C9D83802D56B 9c11ef09131a3373eef5c9d83802d56b
  12. Zeus_DCD3E45D40C8817061F716557E7A05B6 dcd3e45d40c8817061f716557e7a05b6


Additional (mix of RATs and Trojans)

  1. 2D186068153091927B26CD3A6831BE68 2d186068153091927b26cd3a6831be68
  2. 4A997E3395A8BB8D73193E158289F4CE 4a997e3395a8bb8d73193e158289f4ce
  3. 7E92A754AAAA0853469566D5DBF2E70C 7e92a754aaaa0853469566d5dbf2e70c
  4. 9CFD17C48FC0D300E4AA22E2C8C029D6 9cfd17c48fc0d300e4aa22e2c8c029d6
  5. 37FEE821695B664EBE66D55D8C0696F2 37fee821695b664ebe66d55d8c0696f2
  6. 445C22E94EAB61B3D4682824A19F8E92 445c22e94eab61b3d4682824a19f8e92
  7. 819B4C40F56F69C72E62EF06C85EA3E1 819b4c40f56f69c72e62ef06c85ea3e1
  8. 947C21CB8E28B854FF02C2241399A450 947c21cb8e28b854ff02c2241399a450
  9. 2859089CC3E31DA60C64D56C416175E2 2859089cc3e31da60c64d56c416175e2
  10. A9EE1BF62DEE532BE2BE217D3E4A8927 a9ee1bf62dee532be2be217d3e4a8927
  11. AC87BC7DD4B38FA3EBA23BF042B160CE ac87bc7dd4b38fa3eba23bf042b160ce
  12. B953FD2B3D5C10EC735681982D3C6352 b953fd2b3d5c10ec735681982d3c6352
  13. BD5188031BB8EB317FB58F0A49CCBF9C bd5188031bb8eb317fb58f0a49ccbf9c
  14. D7CF30E3DBFD32A1D1E38CEE464EC6A6 d7cf30e3dbfd32a1d1e38cee464ec6a6
  15. E1AFC706C8C96FACEDB6CB62E6CBFD2D e1afc706c8c96facedb6cb62e6cbfd2d
  16. Gh0stB_7A26BBD7B5942B49FC0A9CB7268BD030 7a26bbd7b5942b49fc0a9cb7268bd030
  17. SpyRat_E0B0BBA2F6399B0577C37E2A3BC3390A e0b0bba2f6399b0577c37e2a3bc3390a
  18. Zeus_0D8F9C5898596251233C3FD1DCB34161 0d8f9c5898596251233c3fd1dcb34161
  19. Zeus_7A6BBC32868A9F776452355F909F95D6 7a6bbc32868a9f776452355f909f95d6
  20. Zeus_7CD6C4A6103F23858C7ED047391F1D3B 7cd6c4a6103f23858c7ed047391f1d3b
  21. Zeus_52BE0408084F536E42FEB7C57F521592 52be0408084f536e42feb7c57f521592
  22. Zeus_5746DD569623431BA41A247FA64847D7 5746dd569623431ba41a247fa64847d7
  23. Zeus_A79089B5E6744C622D61BEFA40AF77D3 a79089b5e6744c622d61befa40af77d3
  24. Zeus_E2190F61B532BD51E585449BAAE31BC1 e2190f61b532bd51e585449baae31bc1
  25. Zeus_F76A509FEE28C5F65046D6DC072658B2 f76a509fee28c5f65046d6dc072658b2

Posted: 20 Jul 2014 | 9:59 pm

Cyber Engineering Services Announces the Cyber Red List

Cyber Engineering Services Announces the Cyber Red List, Industries That Have Been Cyber Walloped Since 2010

List Highlights Smaller Defense Supply Chain Partners, Legal Counsel and Public Relations/Advertising as Major Targets for Cyber Attacks

COLUMBIA, MD – May 7, 2013 – Based on its observation of thousands of cyber attacks over the 30 months since its founding, Cyber Engineering Services today announced the launch of the Cyber Red List. Developed using the company’s proprietary technology that enables Cyber Engineering Services to identify cyber attacks in progress, the Cyber Red List details the industries that have been hardest hit by cyber attacks since November 2010, and identifies accompanying environmental indicators that place organizations at a higher level of risk.

“Size doesn’t matter when you’re looking at cyber attack victim commonalities; the kind of data you have does,” commented Joseph Drissel, CEO of Cyber Engineering Services and former acting chief of the Department of Defense Computer Forensics Lab cyber intrusions section. “Based on what we’ve read in the news lately, it would be easy for companies with revenues of $1 billion and under to get the false impression that only the big contractors, the news organizations, and companies that are involved in Chinese diplomacy are targets. The Cyber Red List shows that what motivates the adversary is the kind of information you deal in and have access to – weapons, communications, energy, policy, and research – and often the smaller companies don’t have the resources in place to effectively seal their networks. We help them get the same level of data protection as the big guys.”

Cyber Engineering Services is an information security company with heavy experience in forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT). Its proprietary technology, called Legal Non-Invasive Malware Exploitation technique (LNIME), provides the company substantial insight into the malicious activities of cyber adversaries. Cyber Engineering Services works on behalf of its clients to:
• Identify, in real time, when a cyber attack is happening,
• Stop an attack before critical data is lost,
• See live command-and-control keystrokes of the adversary, and
• Engage with the adversary to regain control of networks.
“A huge volume of our country’s intellectual property is owned by companies that supply or collaborate with large contractors or government agencies, yet what is most alarming is that many of these companies don’t have the cyber security infrastructure that their larger, better-funded counterparts do,” Drissel went on to say. “The smaller players not only have the most to lose in terms of IP and valuation, but the potential implications for national and international safety, security, health and well-being are vast. All it takes is one hole in the network to result in a massive data loss. We identify and then plug those holes to keep the bad guys out and seal data in.”
For media inquiries, contact: Media@CyberEngineeringServices.com.

The Cyber Red List

 
Cyber Engineering Services has observed cyber attacks in thousands of networks since the company’s inception in November 2010, many of which resulted in significant data losses for the compromised companies. The following is a snapshot of industries that were most targeted based on the data gathered through Cyber Engineering Services Legal Non-Invasive Malware Exploitation (LNIME) technique. The vast majority of compromises took place in organizations with revenues of less than $1 billion USD annually.

TOP TARGETED INDUSTRIES
1. Defense, Homeland Security, International Security including unmanned aerial vehicles (UAV), satellite communications, aerospace and military communications, rocket and propulsion systems, and radar systems.

2. Critical infrastructure including energy, oil, gas, transportation, banking, and telecommunications.

3. Sensitive data exchange environments including law firms, public relations and advertising agencies whose clients do business in energy, oil, transportation, communications, and defense.

4. Long-term policy information including from lawmakers, think tanks, diplomatic and policy organizations.

5. Research and Development-focused industries including laboratories, pharmaceutical and medical facilities.

ENVIRONMENTAL INDICATORS
Additionally, the following environmental indicators were present in cyber attacks among the targeted industries:

1. Where data is shared electronically via email, the internet, on a smartphone or other handheld device;
2. Where the Advanced Persistent Threat or competitor could degrade or otherwise manipulate data to source, duplicate, transport, purchase, sell, manufacture or supply a product or service through alternate means;
3. Where there is a global nexus.

DISCLOSURES
Due to the highly sensitive nature of the data that was breached in these attacks – inclusive of data protected under the International Traffic in Arms Regulations (ITAR) – Cyber Engineering Services does not disclose the names of the victims or the technical information that was stolen. Cyber Engineering Services has reported these incidents directly to the victims, as well as followed established protocols to report to the government agencies that oversee these functions.

ABOUT THE CYBER RED LIST
Cyber Engineering Services, an information security company with heavy experience in forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT), compiled the Cyber Red List to raise awareness among victim organizations – especially smaller organizations often with fewer cyber security resources – for the need to protect mission and operation-critical data assets from cyber attacks. Cyber Engineering Services team of experts works with clients to control their networks and protect their most valued data assets using unrivaled technical skills, investigative curiosity and tenacity to prevail. For more information, contact Media@CyberEngineeringServices.com.

# # #

Posted: 6 May 2013 | 8:21 pm