Some time ago, we rechecked some Stuxnet code. Guess what have we learned: Kasperksy already published Flame-Stuxnet relationship, but on the encryption level, there is another similarity. In fact, this was found by Norman back in June , but they compared with soapr32’s encryption which is slightly more different than 4069.dll’s encryption E2.
Just a short blog entry to save this info for the history.
We investigated originally two different pieces of duqu payload. One contained resource 302 with a compressed .zdata section, the other contained the to-be-injected code without compression. The injector-loader is the same for the two versions, then how does it find if .zdata […]
Iranian CERT Maher just posted http://www.certcc.ir/index.php?name=news&file=article&sid=2293
Latest investigation have been done by Maher center in cyber space identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives in various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk […]
SPE/MiniFlame contains the same “main” encryption alg from ver 4.00-5.00
It looks like this:
.text:10007DDE Decrypt_str_10007DDE proc near ; CODE XREF: sub_10001223+5p
.text:10007DDE ; sub_10001223+16p …
.text:10007DDE arg_0 = dword ptr 4
.text:10007DDE mov ecx, [esp+arg_0]
.text:10007DE2 push esi
.text:10007DE3 cmp byte ptr [ecx+0Ch], 42h
It seems Gauss samples already started to float around, so some more info on Palida is not a surprise anymore.
Palida Narrow header info:
‘head’ Table – Font Header
Size = 54 bytes (expecting 54 bytes)
‘head’ version: 1.0
As you all know, Kaspersky Lab has just published a detailed tech report of the latest state-sponsored targeted threat named Gauss.
So the story of Stuxnet, Duqu (found and named by us, CrySyS Lab ), Flame (yes, we had a detailed tech report on that, but we called it […]
Authors: Boldi, Gábor Pék
Our latest post on 15/07 was about a trojan dropped by some Java applet that contains some Java exploit.
The dropped trojan is a fake antivirus software, here is some screenshot of it:
We found that the exploit in use was CVE-2012-1723, which is analyzed […]
We are investigating the report from one of our colleagues, reporting one website dropped malicious exe files by some java exploit, possibly an already known one. Of course, this is not “that” important, but keep in touch on this:
Inside the […]
Basically the main functionality of the WuSetupV.exe of Flame is to create a special URL, download the main component of Flame using the special URL, store it and install it on the victim computer.
The most interesting topic is what type of data is stored inside the URL created by WuSetupV as it […]
Finally we were able to do some tests, and we can confirm Bitdefender’s http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/ finding on USB file transfer of Flame. Again, please first read our original tech report first.
If started by rundll, Flame creates “.” file within minutes.
As the file name is very special, […]
- March 2017
- January 2017
- August 2016
- July 2016
- October 2015
- July 2015
- June 2015
- December 2014
- November 2014
- September 2014
- August 2014
- July 2014
- February 2014
- November 2013
- August 2013
- March 2013
- February 2013
- January 2013
- December 2012
- October 2012
- August 2012
- July 2012
- June 2012
- January 2012
- December 2011
- July 2011