China ELF botnet malware infection & distribution scheme unleashed
The background
There are so many ELF malware infections, with multiple types of backdoors and DDoS'ers, originating from China. Our report here -->[link] shows the known 6 (six) types of those...

MMD-0030-2015 New ELF malware on Shellshock: the ChinaZ
The background
The bash Shellshock vulnerability (link) is still proven to be one of the fastest ways to spread ELF malware infection to NIX boxes on the internet, along with Linux systems which are still...

MMD-0031-2015 - What is NetWire (multi platform) RAT?
The background
It has been a talk internally in our group about a RAT (Remote Access Trojan) that is commonly found and used by crooks, called "NetWire RAT". The talk is about why this RAT was commonly...

MMD-0032-2015 - The ELF ChinaZ "reloaded"
The background and recent info of ELF ChinaZ
The report and analysis of a new variant of Linux/ChinaZ ELF malware spotted in the wild. This post is written in a relaxed time, so please enjoy reading it in...

MMD-0033-2015 - Linux/XorDDoS infection incident report (CNC: HOSTASA.ORG)
Background
This post is an actual malware infection incident of the "Linux/XOR.DDoS" malware (please see the previous post as reference -->[LINK]); the malware was attempting to infect a real Linux server...

MMD-0034-2015 - New ELF Linux/DES.Downloader on Elasticsearch CVE-2015-1427...
This is a tough writing, and much information will be added after the initial release. We are pushed to release this as an alert of an on-going attack on Elasticsearch host(s); it is a real...

MMD-0035-2015 - .IptabLex or .IptabLes on shellshock.. sponsored by ChinaZ actor
The background
.IptabLex & .IptabLes ELF DDoS malware is malware made by a China DDoSer crime group, designed to infect multiple architectures of Linux distributions, and was aiming for Linux boxes in the...

MMD-0036-2015 - KINS (or ZeusVM) v2.0.0.0 toolkit (builder & panel source...
The background
KINS (or ZeusVM, to be precise) v2.0.0.0 toolkit (builder & panel source code) was leaked and spread all over the internet. On Jun 26th 2015 we were informed (thank you Xylit0l)...

MMD-0037-2015 - A bad Shellshock & Linux/XOR.DDoS CNC "under the hood"
The background
Yesterday was a hectic day: we gathered to check all recent ELF threats cross-firing in internet traffic when I was informed of a recent Shellshock attack. Seeing the command...

Video tutorial to extract, kill, debug & traffic capture ELF .so shared...
I post this video tutorial as a continuation of the analysis of a recent ELF malware infection that intercepts Linux/FreeBSD systems using the LD_PRELOAD method (via the ld.so API), which I wrote about here -->>[MMD...

MMD-0023-2014 - ELF "pscan"&"sshscan" SSH bruter malware: A payback with...
For about 2 weeks I analyzed the SSH login brute attacks that came into my dummy service, as shown in the report at this link -->[Pastebin], and compiled it into a graphical report of the source IPs of...

Sample sharing for #MalwareMustDie recent ELF analysis
Samples are shared for research and for raising the detection ratio, not for bad purposes. The password is the known "generic" one, so if you ask for these archives' password I will assume that...

A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam)...
This writing is dedicated to fellow sysadmins all over the networks in this globe, who work hard keeping internet services running smoothly and help to clean the bad stuff. You rock! Respect! If you...

A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam)...
This writing is dedicated to fellow sysadmins all over the networks in this globe, who work hard keeping internet services running smoothly and help to clean the bad stuff. You rock! Respect! This is...

DDoS'er as Service - a camouflage of legit stresser/booter/etc
The background
After visiting some hacked FTP sites as reported in the previous posts [-1-] and [-2-], I figured out a connection: some of the IRC scripts running there lead to the group/individuals...

MMD-0024-2014 - Recent Incident Report of Linux ELF (LD_PRELOAD) libworker.so...
I haven't had enough time to write a beautiful report about this incident, so please kindly bear with the textual paste format at the moment. This is an important incident report, progressing the...

MMD-0025-2014 - ITW Infection of ELF .IptabLex & .IptabLes China #DDoS bots...
The background
I think some Linux sysadmins and malware researchers already know this issue well from reading references in sysadmin/Linux forums or reported incidents at work, or maybe from facing this...

MMD-0038-2015 - ChinaZ and ddos123.xyz
Background
Sorry to keep saying this: previous posts about ChinaZ are in [-1-] [-2-]. A lot of effort was put into this threat; we grabbed its builder in some CNC we spotted, and we also PoC'd "a...

MMD-0039-2015 - ChinaZ made new malware: ELF Linux/BillGates.Lite
Background
There are tweets I posted which are related to this topic. Our team spotted the sample a week ago, and this post is the promised details; I am sorry for the delay, due to the limited resources that we...

MMD-0040-2015 - Learning about VBE Obfuscation & AutoIt Banco Trojan
The background
MalwareMustDie (MMD) today is having its third anniversary. For this occasion, I wrote this post as the anniversary celebration :) The point is to introduce some methodology in...