Archive for October, 2008

First PoCs targeting English Windows OSes on MS08-067

Friday, October 31st, 2008

This lovely morning saw the first Proof of Concept binaries targeting the English-localized Windows OSes that are vulnerable to MS08-067. The exploit payload adds the Guest account to the Administrators group. Still no worm, but one step closer.

ICANN Delayed the de-accreditation of ESTDomains

Thursday, October 30th, 2008

“ICANN received a response from EstDomains regarding the notice of termination. http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf [PDF, 853K] To assess the merits of the claims made in EstDomains’ response, ICANN has stayed the termination process as ICANN analyzes these claims.”

Even though Tsastsin has appealed to the Estonian Supreme Court and is “not guilty” until the verdict is final, it’ll be fun to see what happens. ESTDomains delivered a document, dated July, stating that Tsastsin is no longer the CEO; instead, Konstantin Poltev is listed as the current CEO. Not sure how much weight ICANN gives the document, since the sentence the Estonian court passed earlier was, among other things, for document forgery.

ESTDomains responded to ICANN

Thursday, October 30th, 2008

Seems that ESTDomains has responded to ICANN and is trying to find a way to stop the de-accreditation. (more…)

The evil batch

Wednesday, October 29th, 2008

I ran into an interesting piece of malware. It comes in an .exe wrapper and drops a .bat file about 25 KB in size. It’s really heavily obfuscated and can be considered destructive, since it deletes document files and does other evil things. (more…)

ESTDomains got canned by ICANN

Wednesday, October 29th, 2008

http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf

Tears of joy :)

Gimmiv Trojan: Glimpse at winbase.dll

Saturday, October 25th, 2008

Just took a close look at the winbase.dll variants I have, five of them, with the following compilation timestamps: (more…)

A glimpse in the past: Taking a look at a Gimmiv component timeline

Saturday, October 25th, 2008

I decided to take a look at the timeline of the Gimmiv trojan component sysmgr.dll. Some of the results were a bit surprising. (more…)
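The two posts above, on the winbase.dll compile stamps and the sysmgr.dll timeline, both work from the PE header’s TimeDateStamp. What follows is an added example, not the author’s code or tooling: it reads that field out of an image buffer, sorts a set of variants by it into a build timeline, and flags stamps that cannot be honest build times. The images it parses are constructed minimal MZ/PE headers with made-up stamps; the variant names and the reference date are assumptions for the demonstration.

```c
/* Added example, not code from the original posts: extract the COFF header
 * TimeDateStamp from PE images and order variants into a compile-time
 * timeline. The images built here are constructed minimal headers, not
 * malware samples. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define PE_BAD_STAMP 0xFFFFFFFFu
#define MIN_PE_LEN   0x58

/* PE fields are little-endian regardless of host byte order. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Returns IMAGE_FILE_HEADER.TimeDateStamp (seconds since 1970-01-01 UTC),
 * or PE_BAD_STAMP if the buffer is not a well-formed MZ/PE image. */
uint32_t pe_timestamp(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return PE_BAD_STAMP;
    uint32_t e_lfanew = rd32(img + 0x3C);
    /* need signature(4) + Machine(2) + NumberOfSections(2) + TimeDateStamp(4) */
    if (e_lfanew > len || len - e_lfanew < 12)
        return PE_BAD_STAMP;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0)
        return PE_BAD_STAMP;
    return rd32(img + e_lfanew + 8);
}

/* Constructed test data: a minimal MZ stub plus PE signature and file header. */
void make_minimal_pe(uint8_t out[MIN_PE_LEN], uint32_t stamp)
{
    memset(out, 0, MIN_PE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 0x3C, 0x40);                 /* e_lfanew: PE signature at 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x44] = 0x4C; out[0x45] = 0x01;     /* Machine = IMAGE_FILE_MACHINE_I386 */
    out[0x46] = 1;                          /* NumberOfSections */
    wr32(out + 0x48, stamp);                /* TimeDateStamp */
}

/* Build a constructed image with the given stamp and parse it back. */
uint32_t roundtrip_stamp(uint32_t stamp)
{
    uint8_t img[MIN_PE_LEN];
    make_minimal_pe(img, stamp);
    return pe_timestamp(img, MIN_PE_LEN);
}

struct variant { const char *name; uint32_t stamp; };

static int by_stamp(const void *a, const void *b)
{
    uint32_t x = ((const struct variant *)a)->stamp, y = ((const struct variant *)b)->stamp;
    return (x > y) - (x < y);
}

/* Sort variants oldest-first so the array reads as a build timeline. */
void sort_timeline(struct variant *v, size_t n)
{
    qsort(v, n, sizeof *v, by_stamp);
}

/* The stamp is written by the linker and is trivially edited, so treat it
 * as a hint and flag values that cannot be an honest build time. */
const char *stamp_note(uint32_t stamp, time_t reference)
{
    if (stamp == 0)                return "zeroed";
    if ((time_t)stamp > reference) return "in the future";
    return "plausible";
}

void format_stamp(uint32_t stamp, char *buf, size_t buflen)
{
    time_t t = (time_t)stamp;
    strftime(buf, buflen, "%Y-%m-%d %H:%M:%S UTC", gmtime(&t));
}

int main(void)
{
    /* Three constructed images standing in for three variants of one DLL. */
    uint32_t stamps[3] = { 1224000000u, 1200000000u, 0u };
    struct variant v[3] = { {"variant_a.dll", 0}, {"variant_b.dll", 0}, {"variant_c.dll", 0} };
    time_t reference = 1225411200;          /* assumed: 2008-10-31 00:00:00 UTC */
    char when[32];

    for (int i = 0; i < 3; i++)
        v[i].stamp = roundtrip_stamp(stamps[i]);
    sort_timeline(v, 3);
    for (int i = 0; i < 3; i++) {
        format_stamp(v[i].stamp, when, sizeof when);
        printf("%-14s %10u  %s  (%s)\n", v[i].name, v[i].stamp, when,
               stamp_note(v[i].stamp, reference));
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall pe_timeline.c`. The stamp is only as trustworthy as the linker that wrote it and anyone who edited the file afterwards, so a timeline built this way needs corroboration from the other header fields (linker version in the optional header, version resources) and from file-system or collection dates before it says anything about when a variant was really built.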

Gimmiv DLL

Friday, October 24th, 2008

The DLL looks really interesting. Interesting in the sense that even though the code is reaaally easy to read, it’s a rare find since it’s riddled with bad programming. It’s a wonder these guys even managed to make malware that actually compiles. (more…)

New worm on the loose

Friday, October 24th, 2008

There’s a new piece of malware on the loose exploiting MS08-067, the vulnerability Microsoft patched out-of-band yesterday. Surprisingly, the malware isn’t packed. The common detection name for it is Trojan:W32/Gimmiv.A, and the initial package is just a dropper. (more…)

antitest.exe is out

Wednesday, October 22nd, 2008

As I mentioned in the previous blog post, I’ve been working on a binary that contains various anti-debugging/tracing/emulation/virtualization tricks. Even though there’d be an endless list of tricks to add to it, I’m pretty satisfied with the ones it has currently. (more…)
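As an added example of the kind of check a test binary like antitest.exe exercises (this is not the author’s code and does not claim to be any of the tricks in antitest.exe), the following implements the two most common debugger-presence checks. On Windows it consults PEB->BeingDebugged through IsDebuggerPresent() and the process debug port through CheckRemoteDebuggerPresent(); on Linux, where the example can also be compiled and run, it parses the TracerPid field of /proc/self/status, the equivalent ptrace indicator. The status text in the comments is constructed sample input.

```c
/* Added example, not the author's antitest.exe: the two classic
 * "is a debugger attached?" checks, with a portable fallback so the same
 * file builds on Linux. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Parse TracerPid out of /proc/<pid>/status text, e.g. the constructed
 *   "Name:\tantitest\nTracerPid:\t4242\n"  ->  4242
 * Returns 0 when no tracer is attached or the field is absent. The match is
 * anchored at the start of a line so a stray "TracerPid:" elsewhere in the
 * text cannot spoof it. */
long tracer_pid_from_status(const char *status)
{
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10);   /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;
}

/* Returns 1 if a debugger or ptrace() tracer is attached to this process. */
int debugger_present(void)
{
#ifdef _WIN32
    BOOL remote = FALSE;
    if (IsDebuggerPresent())                       /* reads PEB->BeingDebugged */
        return 1;
    if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote) && remote)
        return 1;                                  /* kernel-side debug port */
    return 0;
#else
    char buf[4096];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;                                  /* no procfs: cannot tell */
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) != 0;
#endif
}

int main(void)
{
    if (debugger_present()) {
        puts("debugger detected");
        return 1;
    }
    puts("no debugger detected");
    return 0;
}
```

Run it plainly, then again under a debugger (`gdb ./antidbg` or `strace ./antidbg` on Linux, a user-mode debugger on Windows) to see the result flip. Both checks read state the debugger itself controls: clearing BeingDebugged in the PEB, hooking CheckRemoteDebuggerPresent, or faking the /proc view defeats them, which is exactly why a test binary collects many independent tricks rather than relying on one.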
