MW-Blog: About malware, packers and reverse engineering
http://www.teamfurry.com/wordpress
Last updated Mon, 15 Jun 2009 16:41:25 +0000 (generator: http://wordpress.org/?v=2.2.3, language: en)

Unsubscribing for the worse
toni, Mon, 15 Jun 2009 16:41:25 +0000
http://www.teamfurry.com/wordpress/2009/06/15/unsubscribing-for-the-worse/
Have you ever unsubscribed from various bulk mailing programs? Be they opt-out (a fancy name for spam), coupons, market research or whatnot? (more…)

Unpacking NakedPacker
admin, Sat, 30 May 2009 04:38:52 +0000
http://www.teamfurry.com/wordpress/2009/05/30/unpacking-nakedpacker/
NakedPacker is somewhat commonly seen in malware. Though it's only a compressor, I guess the name and the easy GUI make the teenage mutant wannabe-ninja herders come flocking to it. (more…)

Great loss for the RE community
toni, Fri, 08 May 2009 05:54:49 +0000
http://www.teamfurry.com/wordpress/2009/05/08/great-loss-for-the-re-community/
Just heard the news that Fjalar Ravia, better known as Fravia, passed away on Sunday, 3rd May 2009 after a long illness. (more…)

L0L at l0lw0rm
toni, Mon, 04 May 2009 06:54:02 +0000
http://www.teamfurry.com/wordpress/2009/05/04/l0l-at-l0lw0rm/
I was looking through a repository of malware source code the other day when I noticed a pretty small rar package, only 11kb in size, and decided to take a closer look. The package was called l0lw0rm.rar. (more…)

Sour Marketing?
toni, Wed, 15 Apr 2009 05:14:17 +0000
http://www.teamfurry.com/wordpress/2009/04/15/sour-marketing/
I received a newsletter from eEye yesterday. Normally I just dismiss those without taking a second look, but this time I actually got pretty pissed. (more…)

Some people just don't learn
admin, Mon, 06 Apr 2009 17:25:11 +0000
http://www.teamfurry.com/wordpress/2009/04/06/some-people-just-dont-learn/
For those who haven't read or just don't remember, read this first. (more…)

Breaking news: Conficker became self aware!
toni, Tue, 31 Mar 2009 22:01:57 +0000
http://www.teamfurry.com/wordpress/2009/04/01/breaking-news-conficker-became-self-aware/
This is what security experts around the world have feared for a long time. The Conficker worm botnet grew big enough and, 1 minute past midnight on April 1st, it finally gained consciousness. (more…)

A /16 netblock banned from teamfurry.com
toni, Wed, 25 Mar 2009 12:25:27 +0000
http://www.teamfurry.com/wordpress/2009/03/25/a-16-netblock-banned-from-teamfurrycom/
I'm doing this with somewhat mixed feelings, since I know I might be blocking valid users. But I feel this is the only way to start showing ISPs and other companies that they can't go on doing whatever they like. (more…)

Scans for default Tomcat admin passwords
toni, Tue, 24 Mar 2009 06:01:19 +0000
http://www.teamfurry.com/wordpress/2009/03/24/scans-for-default-tomcat-admin-passwords/
I went through some sinkhole stats and spotted a few scans that looked like this: "GET/manager/html HTTP/1.1". (more…)

Botnet running on MIPS CPU devices
toni, Mon, 23 Mar 2009 20:05:13 +0000
http://www.teamfurry.com/wordpress/2009/03/23/botnet-running-on-mips-cpu-devices/
Finally, something new :) An IRC-capable bot has been making the rounds. Now, instead of infecting PCs or servers, this baby goes after DSL modems. (more…)

A little something that brightened my day
toni, Fri, 13 Mar 2009 14:21:00 +0000
http://www.teamfurry.com/wordpress/2009/03/13/a-little-something-that-brightened-my-day/
So, I received a mail from "Peter Hu", asking me to list him as a friend on Yahoo! IM. All the links in the mail led to yahoo.com, so I figured what the heck, maybe someone wants to congratulate me on my birthday. I've never used Yahoo! IM before, so I figured 'let's see what's behind this'. (more…)

Microsoft published a $250000 bounty on Downadup/Conficker
toni, Thu, 12 Feb 2009 20:46:20 +0000
http://www.teamfurry.com/wordpress/2009/02/12/microsoft-published-a-250000-bounty-on-downadupconficker/
The network worm known as Downadup, Conficker or Kido has been on the lips of the entire information security community for a while now, and it has been keeping people busy, including myself. Microsoft today published a $250000 bounty on tips and leads that result in the arrest and conviction of the person(s) behind the worm. (more…)

Zeus/Wsnpoem/Zbot targets
admin, Tue, 04 Nov 2008 20:27:38 +0000
http://www.teamfurry.com/wordpress/2008/11/04/zeuswsnpoemzbot-targets/
I ran into an interesting Zbot sample today. I haven't peeked at them often, and I was surprised to see a big bunch of various poker sites in the configuration as stealing targets. That prompted me to do a quick search on Zbots seen in the last few days, and I ended up downloading the encrypted configuration files from the C&C servers that I saw were online. 22 of them active :) (more…)

MS08-067 fun started
admin, Mon, 03 Nov 2008 17:20:38 +0000
http://www.teamfurry.com/wordpress/2008/11/03/ms08-067-fun-started/
Yup, it took this long for someone to start properly abusing the MS08-067 vulnerability. There's a worm on the loose now that uses the exploit. The worm component comes coupled with a kernel-mode DDoS bot that's been doing the rounds for a while now. (more…)

First PoCs targeting English Windows OS's on MS08-067
toni, Fri, 31 Oct 2008 12:13:34 +0000
http://www.teamfurry.com/wordpress/2008/10/31/first-pocs-targeting-english-windows-oss-on-ms08-067/
This lovely morning saw the first proof-of-concept binaries targeting the English-localized Windows versions that are vulnerable to MS08-067. The exploit payload adds the guest account to the administrators group. Still no worm, but one step closer.

ICANN delayed the de-accreditation of ESTDomains
toni, Thu, 30 Oct 2008 11:44:08 +0000
http://www.teamfurry.com/wordpress/2008/10/30/icann-delayed-the-de-accreditation-of-estdomains/
"ICANN received a response from EstDomains regarding the notice of termination. http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf [PDF, 853K] To assess the merits of the claims made in EstDomains' response, ICANN has stayed the termination process as ICANN analyzes these claims."

Even though Tsastsin appealed to the Estonian supreme court and is "not guilty" until the verdict is finalized, it'll be fun to see what happens. ESTDomains delivered a document dated July stating that Tsastsin is no longer the CEO. Instead, Konstantin Poltev is listed as the current CEO. Not sure how much weight ICANN gives the document, since the sentence the Estonian court passed earlier was, amongst other things, for document forgery.

ESTDomains responded to ICANN
toni, Thu, 30 Oct 2008 08:50:58 +0000
http://www.teamfurry.com/wordpress/2008/10/30/estdomains-responded-to-icann/
Seems that ESTDomains responded to ICANN and are trying to find a way to stop the de-accreditation. (more…)

The evil batch
toni, Wed, 29 Oct 2008 07:45:31 +0000
http://www.teamfurry.com/wordpress/2008/10/29/the-evil-batch/
I ran into an interesting piece of malware. It basically comes in an .exe wrapper and drops a .bat file that's about 25kb in size. It's really heavily obfuscated, and it can be considered destructive since it deletes document files and does other evil things. (more…)

ESTDomains got canned by ICANN
toni, Wed, 29 Oct 2008 06:42:09 +0000
http://www.teamfurry.com/wordpress/2008/10/29/estdomains-got-canned-by-icann/
http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf

Tears of joy :)

Gimmiv Trojan: Glimpse at winbase.dll
toni, Sat, 25 Oct 2008 21:53:52 +0000
http://www.teamfurry.com/wordpress/2008/10/25/gimmiv-trojan-glimpse-at-winbasedll/
Just took a close look at the winbase.dll variants I have. 5 of them, with the following compilation timestamps: (more…)
