MW-Blog

Unpacking the MaskPE packer

toni — Fri, 06 Jun 2008 06:57:21 +0000

MaskPE is a packer that seems to have originated from China. It’s not extremely common, but you can stumble to these every once in a while. It’s a pretty basic packer but it does have one nice trick that can crash the packer stub if it detects a debugger. (more…)

Java DDOS bot

toni — Sat, 10 May 2008 06:19:47 +0000

Just stumbled onto a DDOS bot written in java. Usually there aren’t too many malicious programs for java so I decided to take a closer look. The code quality is about as bad as in the previous entry that depicted the PHP DDoS Bot, but I think the java version has more potential to grow into a problem. (more…)

PHP DDOS Bot

toni — Sat, 10 May 2008 05:00:54 +0000

Every so often I run into some new evil that interests me enough to take a deeper peek. This time a DDOS bot written in PHP caught my eye. I haven’t seen this in the wild anywhere, but it’s still quite interesting. (more…)

Spammed downloader

toni — Sat, 22 Mar 2008 06:41:23 +0000

Getting spam with attached malware isn’t anything new. Usually I just dispose the junk mails but every now and then I see a spam message that looks interesting enough to dig further. Today’s example is a spam mail that claimed to be a reply to a message I allegedly sent. The body of the message was like this: (more…)

A bunch of trackback spam from the stash

toni — Tue, 12 Feb 2008 07:38:48 +0000

Running a blog means that the software is constantly under a barrage of exploit / spam attemps, as is the case with any webservice.

I have a few hooks and traps spread around to sniff out what’s coming in, especially in HTTP POSTs. So, without further ado the following items are from a trap that’s logging trackback spams:

(more…)

Are Nigerians Evolving From The 419 Letters?

toni — Tue, 12 Feb 2008 07:20:07 +0000

I was going through my access logs to see what nasties have been thrown at me since the last time.

Amongst the normal enter_your_RFI_exploit_here I saw this script being pushed onto the server:

(more…)

PHP based IRC botnet, fast-flux of course

toni — Wed, 30 Jan 2008 08:36:40 +0000

I was checking out the various RFI (Remote File Inclusion) exploits thrown at my site when I saw an exploit file that was heavily obfuscated. I meddled with the code a bit and got it to reveal the C&C servers:

(more…)

Wierd exploitation attempts

toni — Tue, 29 Jan 2008 05:59:02 +0000

I just noticed some weird HTTP requests on my site. It seems that someone is trying to exploit a remote file inclusion in some software. Normally I wouldn’t blink my eyes on these, but it seems that the vulnerability is in the PHPSESSID variable. I’ve got no idea which software these belong to though. Here are some examples:

(more…)

Tor-node stripping out TLS in SMTP conversations

toni — Mon, 28 Jan 2008 07:59:35 +0000

I spotted a nice incoming link regarding The Onion Router (TOR). This time an exit-node was caught modifying SMTP server capabilities, stripping out the TLS capability (encryption) so that connecting clients will be forced to send out everything as clear-text.

Here’s the link to the post.

It isn’t as if we didn’t see it coming

toni — Thu, 17 Jan 2008 13:25:47 +0000

The MBR rootkit has been in the news a bit lately. Packing ancient evil, the beast modifies the MBR (Master Boot Record) to bootstrap itself and to rootkit the whole Operating System. (more…)