When hacker got hacked - A disclosure & share of xakep.biz evil tools
The Background: With the thankfully good effort from our credited brothers, we, MalwareMustDie, NPO (read: Malware Research Group & Anti Cyber Crime Workgroup), herewith disclose the existence of an...
Analysis of infection ELF shared .so (DYN) library malware via LD_PRELOAD
This is the analysis story based on the incident handling of a server-side incident, caused by a hack to perform some malicious attack on a compromised server, so it is the server-side malware...
Linux reversing is fun! Toying with an ELF (D)DoS + backdoor malware from...
Our friend captured this "attacker" in his trap (thanks wirehack7), and I found it interesting and attempted to make a video to analyze its binary and to write it down in this post. @MalwareMustDie...
Threat analysis: Zendran - Multi-Arc ELF DDoS scheme (lightaidra ircd base) -...
The background: There are a lot of DDoS attacks performed each day. Our systems are also being abused by these, and maybe some of you have the same share of them too. MalwareMustDie's analysis is focusing on...
Video tutorial to extract, kill, debug & traffic capture ELF .so shared...
I post this video tutorial as a continuation of the analysis of the recent ELF malware infection that intercepts Linux/FreeBSD systems using the LD_PRELOAD method (via the ld.so API) that I wrote here -->>[MMD...
A "payback" to the SSH bruting crooks: Attacker's email disclosure.
For about 2 weeks I analyzed the SSH login brute-force attacks that came into my dummy service, as shown in the report at this link-->[Pastebin], and compiled it into a graphical report of the source IPs of...
Sample sharing for #MalwareMustDie recent ELF analysis
Samples are shared for research and for raising the detection ratio, not for bad purposes. The password is the known "generic" one, so if you ask for these archives' password I will assume that...
A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam)...
This writing is dedicated to fellow sysadmins all over the networks in this globe, who work hard keeping internet services running smoothly and help to clean the bad stuff, you rock! Respect! The...
A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam)...
This writing is dedicated to fellow sysadmins all over the networks in this globe, who work hard keeping internet services running smoothly and help to clean the bad stuff, you rock! Respect! This is...
DDoS'er as Service - a camouflage of legit stresser/booter/etc
The background: After visiting some hacked FTP sites as reported in the previous posts, I figured out a connection: some of the IRC scripts running there lead to the group/individuals performing a DDoS'er...
Recent Incident Report of Linux ELF (LD_PRELOAD) libworker.so malware attack...
I haven't got enough time to write a beautiful report about this incident, so please kindly bear with the textual paste format at the moment. This is an important incident report, progressing the...
MMD-0025-2014 - ITW Infection of ELF .IptabLex & .IptabLes China #DDoS bots...
The background: I think some Linux sysadmins and malware researchers already know this issue well from reading references in sysadmin/Linux forums or incidents reported at work, or maybe from facing this...
A protest! What's BAD stays BAD. Legalized any badness then you ruined the...
I think all American friends know exactly how InfoSec people will react to this "search warrant" (see the tweet embedded below). Like it or not, I am a part of the InfoSec non-"AmericaIn" faction and...
Long Talk "AV Tokyo 2013.5" - #Kelihos #CookieBomb #RedKit : Bad Actor's...
On Sunday, February 16th 2014, in the presentation at AV Tokyo 2013.5, a prestigious security event in Japan (link), we (read: MalwareMustDie, an NPO of the Anti Cyber Crime International Research Group)...
Another country-sponsored #malware: Vietnam APT Campaign
The background: This is a teamwork analysis; we have at least 5 (five) members involved in this investigation. The case that is about to be explained here is an APT case. Until now, we were...
MMD-0026-2014 - Router Malware Warning | Reversing an ARM arch ELF AES.DDoS...
The background: It is one of our active projects to monitor the China-origin ELF DDoS'er malware threat. The growth is very rapid nowadays; MMD detected 5 variants active under almost 15 panels...
Tango down report of OP China ELF DDoS'er
This report is credited to the teamwork between MMD, CERT and the fellow researchers involved. Tango OP Announcement: We are releasing the take-down (Tango OP) project information of our current on-going...
Linux ELF bash 0day: The fun has only just begun...
Background: CVE-2014-6271 + CVE-2014-7169. During the mayhem of the bash 0day remote execution vulnerabilities CVE-2014-6271 and CVE-2014-7169, not for bragging but as an FYI, I happened to be the first who...
MMD-0028-2014 - Fuzzy reversing a new China ELF "Linux/XOR.DDoS"
This research was detected & solved by the hard work of MMD Germany members. Credits are at the bottom of the post. The case is on and the malware infrastructure is mostly up & alive; we don't want to...
MMD-0029-2014 - Warning of Mayhem shellshock attack
We were afraid this wave would come during "shellshock", and it did. The attack wave of the "ELF .so malware library", an installer of a known botnet called "Mayhem", just hit all of us. The attack came...