To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi,

This is a very cool thread for me; I'm just starting to build some
honeypot arrays in our network aimed at catching PE files on the live net
(honeytrap, PEhunter, nepenthes, ...).

Can anyone give me some tips on materials about analysis of executables
I can learn from?

bodik

Attila-Mihaly Balazs wrote:
> 
> 
> ------------------------------------------------------------------------
> 
> This is another one from the Banker-trojan series (very popular in
> Brasil, aimed at stealing people's online-banking passwords). The three
> components are:
> - A downloader / process killer (amor.com). The taskkill and file paths
> (files which it will try to delete) seem to be related to a
> security / anti-fraud product called "G-Buster Browser Defense"
> - The actual password stealer (derby.com) is compressed using the
> PKLITE executable compressor (hence the strings). It is so big because
> it contains a lot of bitmaps, imitating the interfaces of the banks
> - A mass-mailer (javas.com)
>> derby.com looks like an installer, given its size (~ 1.8 MB).  In
>> fact, if you take a look at section .pklstb (located at 0xa400), you
>> see:
>>  0f73000 688030f7 0068bec7 12016800 000000e8  h.0..h....h.....
>>  0f73010 aa971b00 e92fdc54 ff402823 29504b4c  ...../.T.@(#)PKL
>>  0f73020 49544533 3220436f 70797269 67687420  ITE32 Copyright 
>>  0f73030 31393938 20504b57 41524520 496e632e  1998 PKWARE Inc.
>>  0f73040 2c20416c 6c205269 67687473 20526573  , All Rights Res
>>  0f73050 65727665 64202824 52657669 73696f6e  erved ($Revision
>>  0f73060 3a202429 00504b4c 54333200 00100100  : $).PKLT32.....
>>
>>
>> On Sun, Nov 25, 2007 at 05:03:41AM +0000, Paul Ferguson babbled thus:
>>  
>>> FYI.
>>>
>>> - ferg
>>>
>>> [forwarded message]
>>>
>>>
>>> Date: Sat, 24 Nov 2007 23:17:32 -0500
>>> From: jayjwa <[EMAIL PROTECTED]>
>>> To: Dshield Mail List <[EMAIL PROTECTED]>
>>>
>>>
>>> (Possibly) new trojans. These came from a link spammed out in email
>>> that ended up in my Hotmail inbox. The files are Win32 PEs, with some
>>> interesting strings embedded in them. One of the files appears to be a
>>> server of some sort with SMTP ability. There are also a lot of calls to
>>> graphics routines, so maybe one of the files is a client or user
>>> interface of some type. Written in Delphi, downloaded from
>>> suspiroamor.land.ru, root directory.
>>>
>>> amor.com: The only file linked in the email. Probably downloads/exec
>>> others.
>>>
>>> Interesting strings:
>>>
>>>          taskkill -f /im gbpsv.exe
>>>          C:\Arquivos de programas\GbPlugin\gbieh.dll
>>>          C:\Arquivos de programas\GbPlugin\gbieh.gmd
>>>          C:\windows\Crime.exe
>>>          C:\WINDOWS\system32\WormList.exe
>>>          URLDownloadToFileA
>>>          shell32.dll
>>>          ShellExecuteA
>>>
>>> derby.com: Referenced in the above file.
>>>
>>> javas.com: Same. Contains an email template, lots of calls to Winsock.
>>>
>>> Interesting hardcoded strings:
>>>
>>>         msnlist.txt
>>>         [EMAIL PROTECTED]
>>>         Lista MSN (
>>>         gsmtp185.google.com
>>>
>>>         hsResolving
>>>         hsConnecting
>>>         hsConnected
>>>         hsDisconnecting
>>>         hsDisconnected
>>>         hsStatusText
>>>         ftpTransfer
>>>         ftpReady
>>>         ftpAborted
>>>         IdComponent
>>>         TIdStatusEvent
>>>         ASender
>>>
>>>         Indy 9.00.10
>>>         X-Library
>>>
>>> * About to connect() to suspiroamor.land.ru port 80 (#0)
>>> *   Trying 82.204.219.223... connected
>>> * Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
>>>    
>>>> GET /javas.com HTTP/1.1
>>>> User-Agent: from Russia with love?
>>>> Host: suspiroamor.land.ru
>>>> Accept: */*
>>>>
>>>>       
>>> < HTTP/1.1 200 OK
>>> < Server: nginx/0.5.31
>>> < Date: Sun, 25 Nov 2007 03:09:45 GMT
>>> < Content-Type: application/octet-stream
>>> < Content-Length: 523264
>>> < Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
>>> < Connection: keep-alive
>>> < Accept-Ranges: bytes
>>> < { [data not shown]
>>>
>>>
>>> The signature/data files are a bit old (Nov. 9) but F-prot had this
>>> to say:
>>>
>>> amor.com  Infection: Possibly a new variant of
>>> W32/NewMalware-LSU-based!Maximus
>>>
>>> Available as downloaded above, or local copies together in a zip for
>>> anyone that wants to look at them:
>>>
>>> https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspiroamor-land-ru-trojan.zip
>>>
>>> Useful tool to examine binaries:
>>> http://hte.sourceforge.net/
>>>
>>>
>>> [end]
>>>
>>>
>>> -- 
>>> "Fergie", a.k.a. Paul Ferguson
>>>  Engineering Architecture for the Internet
>>>  fergdawg(at)netzero.net
>>>  ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
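Since the question at the top of the thread is where to learn executable analysis, and the quoted posts do that analysis by hand (walking the section table, spotting the PKLITE32 copyright string inside .pklstb, and pulling out the taskkill / URLDownloadToFileA strings), here is an added example of the same steps in code. It is not code from any poster on this thread: a dependency-free Python PE section walker that locates a packer marker inside a section and groups the `strings`-style output by a small triage rule set. The PE image it parses is constructed in memory and labelled as such in the code; it is not derby.com or amor.com, and the header layout constants, the PACKER_MARKERS table and the INDICATORS rules are my assumptions for illustration.

```python
import re
import struct

# Constructed sample (NOT the derby.com/amor.com files from the thread): a minimal
# PE32 image with one section named .pklstb whose body carries the PKLITE32
# copyright string and a couple of the downloader strings quoted in the thread.
# Layout constants (0x200 file alignment, 0xE0 optional header) are assumptions.
def build_sample_pe() -> bytes:
    payload = (
        b"\x68\x80\x30\xf7\x00"  # a few filler code bytes ahead of the marker
        b"@(#)PKLITE32 Copyright 1998 PKWARE Inc., All Rights Reserved ($Revision: $)\x00"
        b"PKLT32\x00"
        b"taskkill -f /im gbpsv.exe\x00"
        b"URLDownloadToFileA\x00ShellExecuteA\x00"
    )
    payload += b"\x00" * (-len(payload) % 0x200)          # pad to file alignment
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0
    # COFF header: Machine=i386, 1 section, stamp, symtab ptr, nsyms, opt size, flags
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, opt_size, 0x010F)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # PE32 magic, rest zero
    headers_len = e_lfanew + 4 + 20 + opt_size + 40
    raw_offset = (headers_len + 0x1FF) & ~0x1FF              # next 0x200 boundary
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenumber ptrs and counts, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".pklstb", len(payload), 0x1000,
                          len(payload), raw_offset, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\x00\x00" + coff + opt + section
    return image + b"\x00" * (raw_offset - len(image)) + payload


def parse_sections(data: bytes) -> list:
    """Walk the PE header and return one dict per IMAGE_SECTION_HEADER."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table start
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vaddr": vaddr, "raw_offset": rawptr, "raw_size": rawsize})
    return sections


def section_bytes(data: bytes, sec: dict) -> bytes:
    return data[sec["raw_offset"]:sec["raw_offset"] + sec["raw_size"]]


# Packer fingerprints (assumed): section name and/or a marker string in its body.
PACKER_MARKERS = {"PKLITE32": (".pklstb", b"PKLITE32 Copyright")}


def detect_packer(data: bytes):
    """Return {packer, section, marker_offset} for the first matching section, else None."""
    for sec in parse_sections(data):
        body = section_bytes(data, sec)
        for packer, (secname, marker) in PACKER_MARKERS.items():
            pos = body.find(marker)
            if sec["name"] == secname or pos != -1:
                return {"packer": packer, "section": sec["name"],
                        "marker_offset": sec["raw_offset"] + pos if pos != -1 else None}
    return None


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs, the same thing `strings` prints."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Assumed triage rules modelled on the strings quoted for amor.com in the thread.
INDICATORS = {
    "process killer": re.compile(r"^taskkill\b"),
    "download-and-run": re.compile(r"URLDownloadToFile[AW]|ShellExecute[AW]"),
}


def triage(data: bytes) -> dict:
    """Group extracted strings by which indicator rule they trip."""
    hits = {}
    for s in extract_strings(data):
        for label, pat in INDICATORS.items():
            if pat.search(s):
                hits.setdefault(label, []).append(s)
    return hits


if __name__ == "__main__":
    sample = build_sample_pe()
    for sec in parse_sections(sample):
        print(f"{sec['name']:<8} raw@0x{sec['raw_offset']:x} size=0x{sec['raw_size']:x}")
    print("packer:", detect_packer(sample))
    print("triage:", triage(sample))
```

To run it against a real file, replace `build_sample_pe()` with `open(path, "rb").read()`; the section walk is what a hex editor such as HTE shows you interactively, and finding the marker's file offset from the section's PointerToRawData rather than scanning the whole file is what tells you the string belongs to the packer stub and not to the unpacked payload.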
