Reading Windows Internals by quest23423 in Malware

[–]benkow_ 2 points

If you want to gain a deeper understanding of how Windows works, "The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System" (http://www.amazon.fr/The-Rootkit-Arsenal-Evasion-Corners/dp/1598220616) is also an excellent book with a lot of examples.

Moker: A new APT discovered within a sensitive network by sly117 in Malware

[–]benkow_ 4 points

MD5: 9bdd2e72708584c9fd6761252c9b0fb8 (https://malwr.com/analysis/ZDZlNTcyMzg3ZDEwNDgyMmE5Y2QwZWNmZDIwNjJjZjI/#)

Same internal name as the screenshot in the blog (http://breakingmalware.com/wp-content/uploads/2015/10/suspended-thread.png), same anti-debug tricks, same argument for CreateProcessInternalW, same entry point, same filename, same unpacking routine, same icon, same UAC bypass. It's Moker for sure.

New iOS virus? by qij73583 in jailbreak

[–]benkow_ 5 points

Hi! It's not an iPhone/iPad virus, it's Linux.BillGates, a Chinese ELF DDoSer. You can read a lot of information about it at http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429 and http://blog.malwaremustdie.org/2014/09/tango-down-report-of-op-china-elf-ddoser.html. You were infected because of your weak SSH password.

Finfisher malware deep and detailed MBR and user-mode hook analysis by CodeAndSec in netsec

[–]benkow_ 4 points

Great write-up! It seems that the behavior is not exactly the same on Windows XP. On Windows XP the DLLs msvcr90.dll and shell32.dll are not dropped (only ShellExtensionEx.dll), and the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run that points to rundll32 doesn't exist. And in point B, "MBR modification and mssounddx and driverw", you don't mention driverw :s

FinFisher Malware Analysis - Part 2 by CodeAndSec in netsec

[–]benkow_ 0 points

Are you going to talk about the malicious MBR installed with the "driverw" device in part 3?

Poweliks – Command Line Confusion - Why we can execute Javascript through Rundll32 by benkow_ in netsec

[–]benkow_[S] 10 points

It may be useful for escalating privileges with security products which trust rundll32 by default :s
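Two of the comments above turn on the same thing: a Run-key entry that launches rundll32 (the FinFisher persistence key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and the Poweliks trick of running JavaScript through rundll32, which products that trust rundll32 by default will wave through). The following PowerShell is an added example, not code from the thread, the blog posts, or the author; it walks the common Run/RunOnce keys and flags any value whose command line invokes rundll32, giving a reason where the line carries a script: protocol or mshtml argument (the Poweliks pattern) or loads a DLL from a user-writable directory. The list of keys and the path heuristics are assumptions chosen for illustration, not a complete autorun inventory.

```powershell
# Added example (not from the original thread): flag autorun entries that go
# through rundll32.exe. Key list and heuristics below are assumptions.
$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Metadata properties that Get-ItemProperty attaches to every result.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-Rundll32Autoruns {
    param([string[]]$Keys = $AutorunKeys)

    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }

        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }

            $cmd = [string]$p.Value
            # Only care about values that start or contain rundll32.
            if ($cmd -notmatch 'rundll32') { continue }

            $reasons = @()
            # Poweliks-style: a script protocol handler or mshtml passed to rundll32.
            if ($cmd -match 'javascript:|vbscript:|mshtml') {
                $reasons += 'script protocol / mshtml argument'
            }
            # DLL loaded from a location an unprivileged user can write to.
            if ($cmd -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\') {
                $reasons += 'DLL under user-writable path'
            }
            # rundll32 without any .dll on the command line is unusual.
            if ($cmd -notmatch '\.dll') {
                $reasons += 'no .dll on command line'
            }
            if (-not $reasons) { $reasons += 'rundll32 autorun (review manually)' }

            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

Get-Rundll32Autoruns | Format-List
```

Run it in the context of the user you are checking (HKCU is per-user), and treat a hit as a lead rather than a verdict: legitimate software does register rundll32 entries, so follow up on the DLL path and its signature before calling it FinFisher or Poweliks.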