Channel: Malware Must Die!


MMD-0047-2015 - SSHV: SSH bruter ELF botnet malware w/hidden process kernel...

Background: Apparently Linux ELF malware is becoming an interesting attraction for several actors from the People's Republic of China (in short: PRC). This post is one good example of it. It also explains...


MMD-0048-2016 - DDOS.TF = (new) ELF & Win32 DDoS service and ASP +...

Background: Linux exploitation by bad actors from the People's Republic of China (in short: PRC) is not a new matter. Their attacks come every day and their methods are improving by the day. This post is...


MMD-0049-2016 - A case of java trojan (downloader/RCE) for remote minerd hack

Background: This is a short post supporting a takedown effort. Warning: sorry, this time there's nothing fancy nor any "in-depth analysis" :-) Yet the current hacking & infection scheme is so bad,...


MMD-0050-2016 - Incident report: ELF Linux/Torte infection (in Wordpress)

The indicator: Several hours ago, suspicious inbound access to a WordPress site was detected with the log below (thanks to Y for the hard work). It is unusual traffic coming from the unusual...


MMD-0051-2016 - Debunking a tiny ELF remote backdoor (shellcode shellshock...

The background: In September 2014, while ShellShock exploitation was in full swing, I analyzed a case (MMD-0027-2014) of an ELF payload dropped via a ShellShock attack; the details can be read...


MMD-0052-2016 - SkidDDOS ELF infection Jan-Feb 2016

Background: These are the comprehensive statistical data on infections by the ELF DDoS malware whose source code we snagged and reported in a previous MalwareMustDie blog post [MMD-0044-2015]....


MMD-0053-2016 - A bit about ELF/STD IRC Bot: x00's CBack aka xxx.pokemon(.)inc

Latest UPDATE incident of this threat is --> [link]

Background: I received a report that a host in the Google Cloud network is serving ELF malware: {"ip": "130.211.127.186", "hostname": ...


[Slide] The Kelihos & Severa; the "All Out" version

Tags: Kelihos, Khelios, P2P, FastFlux, Botnet, CNC, C2, Clickfraud, Traffic Redirection, Spambot, DNS Poison, Botnet as Service, Affiliate, Severa, Peter Severa, Petrushakov, Saever

Warning: It's a...


MMD-0054-2016 - ATMOS botnet facts you should know

The background: This post shares recent intelligence on the newly emerged credential-stealing and spying botnet named "Atmos", for the purpose of threat recognition, incident...


MMD-0055-2016 - Linux/PnScan ; ELF worm that still circles around

Background: I just checked around the internet and found an interesting ELF worm distribution that may help raise awareness among fellow sysadmins. As shown in the title, it's a known ELF malware threat, could...


MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled..

Background: From August 4th 2016, several sysadmin friends were helping us by uploading these malware files to our dropbox. The samples of this particular ELF malware were not easy to retrieve; there are...


MMD-0057-2016 - New ELF botnet: Linux/LuaBot

Background: On Mon, Aug 29, 2016 at 5:07 PM I received this ELF malware sample from a person (thank you!). There wasn't any detail or comment whatsoever, just one cute little stripped ARM ELF binary...


MMD-0058-2016 - ELF Linux/NyaDrop - a linux MIPS IoT bad news

Background: Since the end of September 2016 I have received a new type of attack that aims at the MIPS platform I set up to detect IoT attacks. I will call this threat the new ELF Linux/NyaDrop, as per the...


MMD-0059-2016 - Linux/IRCTelnet (new Aidra) - A DDoS botnet aims IoT w/ IPv6...

Is it Kaiten/Tsunami? No.. STD?? No! Is it GayFgt/Torlus/Qbot? No!! Is it Mirai?? NO!! It's Linux/IRCTelnet (new Aidra)! ..a newly coded IoT DDoS botnet's Linux malware..

Summary: This post is a report...


MMD-0060-2016 - Linux/UDPfker and ChinaZ threat today

Background: ChinaZ is a Linux ELF DDoS malware and its service made by PRC (People's Republic of China) actors. This threat has been covered several times in this blog; several takedown efforts also had...


MMD-0061-2016 - EnergyMech 2.8 overkill mod

This is a new threat analysis report I wrote in the MalwareMustDie blog (this one) after we moved off Blogger. I hope you like the new blog system and design, and enjoy the post! An unattended or...


MMD-0062-2017 - Credential harvesting by SSH Direct TCP Forward attack via...

Sticky note: We call this threat the "Strudels Attack".

1. Background: In this post no malicious software/malware is analyzed, but this is one of the impacts of malware infecting IoT devices...


MMD-0063-2019 - Summarized report of three years MalwareMustDie research...

Hello, it's unixfreaxjp here. It has been a while since I wrote on our own blog, and it is good to be back. Thank you for your patience all this time.

The background: It was after September 2016...


MMD-0064-2019 - Linux/AirDropBot

Prologue: There are a lot of botnets aiming at multiple architectures of Linux-based Internet of Things devices, and this story is just one of them, but I haven't seen one coded like this before. Like most...


More About My 2019.HACK.LU Keynote Talk

As promised, these are my additional notes and review of my keynote talk at 2019.HACK.LU (link).

About 2019.HACK.LU: HACK.LU is a great conference; thank you for having me this year. I could interact...


MMD-0065-2020 - Linux/Mirai-Fbot's new encryption explained

Prologue: I set up a brand new ARM-based router that I bought online around the 2020 new year to replace my old pots, and yesterday it was soon pwned by malware and I had to reset it to factory...


MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat

Prologue: A month ago I wrote about IoT malware for the Linux operating system, a Mirai botnet client variant dubbed FBOT. The write-up [link] was about reverse engineering Linux ELF ARM 32-bit to...


MMD-067-2021 - Recent talks on Linux process injection and shellcode analysis...

The background of this research and these talks: After the HACK.LU-2019 talk in 2019 [link], I was asked a lot of questions about Linux process injection that can trigger code execution, and yes, one of...


MMD-068-2024 - "FHAPPI Campaign" (APT10) FreeHosting APT PowerSploit Poison Ivy

I am @unixfreaxjp of the MalwareMustDie team. This is the English translation of an overall APT analysis I wrote in Japanese on my Japanese security blog: "#OCJP-136: 「FHAPPI」 Geocities.jp and Poison...


MMD-0069-2024 - An old ELF Ransomware pivoted crypto (OpenSSL to PolarSSL)...

This malware analysis was originally posted in 2015 on my soon-to-be-closed Japanese blog, and to avoid the research information disappearing I re-posted it here as an English translation. During...
