The CrySyS Lab, Budapest has been notified by the Hungarian National Security Authority (www.nbf.hu) about the detection of an ongoing high profile targeted attack affecting our home country, Hungary. During our investigation of the incident, we discovered a number of C&C servers, and a large number of malware samples that have been used in multiple […]
Earlier in February 2013, FireEye announced the discovery of a new malware that exploited a 0-day vulnerability in Adobe Reader. Now, we announce another, as yet unknown malware that exploits the same Adobe Reader vulnerability (CVE-2013-0640).
This new malware was named Miniduke by Kaspersky Labs with whom we carried out its first analysis. Our participation […]
You remember the Duqu font related exploit and shell code in the dropper? Yes, that’s the exploit that was recently used in many exploit kits.
First of all, this is a kernel level exploit, it should be kept in mind while checking code.
The original dropper had a decryptor for the stage1 of shell […]
Some time ago, we rechecked some Stuxnet code. Guess what have we learned: Kasperksy already published Flame-Stuxnet relationship, but on the encryption level, there is another similarity. In fact, this was found by Norman back in June , but they compared with soapr32’s encryption which is slightly more different than 4069.dll’s encryption E2.
Just a short blog entry to save this info for the history.
We investigated originally two different pieces of duqu payload. One contained resource 302 with a compressed .zdata section, the other contained the to-be-injected code without compression. The injector-loader is the same for the two versions, then how does it find if .zdata […]
Iranian CERT Maher just posted http://www.certcc.ir/index.php?name=news&file=article&sid=2293
Latest investigation have been done by Maher center in cyber space identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives in various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk […]
SPE/MiniFlame contains the same “main” encryption alg from ver 4.00-5.00
It looks like this:
.text:10007DDE Decrypt_str_10007DDE proc near ; CODE XREF: sub_10001223+5p
.text:10007DDE ; sub_10001223+16p …
.text:10007DDE arg_0 = dword ptr 4
.text:10007DDE mov ecx, [esp+arg_0]
.text:10007DE2 push esi
.text:10007DE3 cmp byte ptr [ecx+0Ch], 42h
It seems Gauss samples already started to float around, so some more info on Palida is not a surprise anymore.
Palida Narrow header info:
‘head’ Table – Font Header
Size = 54 bytes (expecting 54 bytes)
‘head’ version: 1.0
As you all know, Kaspersky Lab has just published a detailed tech report of the latest state-sponsored targeted threat named Gauss.
So the story of Stuxnet, Duqu (found and named by us, CrySyS Lab ), Flame (yes, we had a detailed tech report on that, but we called it […]
- March 2017
- January 2017
- August 2016
- July 2016
- October 2015
- July 2015
- June 2015
- December 2014
- November 2014
- September 2014
- August 2014
- July 2014
- February 2014
- November 2013
- August 2013
- March 2013
- February 2013
- January 2013
- December 2012
- October 2012
- August 2012
- July 2012
- June 2012
- January 2012
- December 2011
- July 2011