MMD-0041-2015 - Reversing PE Mail-Grabber Spambot & its c99 Gate
I don't know about the origin of the infection, but when I talked with Mr. Christopher Lowson while examining the CNC of the threat, I guessed a PC was infected with this malware and the callback is...

MMD-0042-2015 - Hunting Mr. Black IDs via Zegost cracking
This is a short writing. Please bear with the straightforward detail and very little explanation. While investigating ELF malware I met this Windows PE binary; it contains an important infrastructure...

MMD-0043-2015 - Polymorphic in ELF malware: Linux/Xor.DDOS
Background: A share of knowledge I have, hopefully to make the internet safer - @unixfreaxjp. The threat of Linux/XOR.DDoS, a China-made ELF backdoor & ddoser malware, a rather specific threat compared to...

MMD-0044-2015 - Source code disclosure (part1) of bunch of ELF malware
MalwareMustDie, NPO is a white-hat non-profit security research workgroup launched in August 2012 for/by security professionals and malware researchers gathered to form a work-flow to reduce malware...

MMD-0045-2015 - KDefend: a new ELF threat with a disclaimer
Background: It's been a while since we wrote a new analysis in our blog & this timing is just perfect. On December 1st, 2015 this sample was detected by our ELF team member @benkow_.. and our ELF Team...

MMD-0046-2015 - (Recent and new) Kelihos CNC activity XXXX(censored)
Background: Note: This is the modified post of the original post; sensitive data were censored for the "security reason". Please read "between the lines". I am sorry and thank you. - God bless them who...

MMD-0047-2015 - SSHV: SSH bruter ELF botnet malware w/hidden process kernel...
Background: Apparently Linux ELF malware is becoming an interesting attraction for several actors from the People's Republic of China (in short: PRC). This post is one good example of it. It also explains...

MMD-0048-2016 - DDOS.TF = (new) ELF & Win32 DDoS service and ASP +...
Background: Linux exploitation by bad actors from the People's Republic of China (in short: PRC) is not a new matter. Their attacks are coming every day and their method is also improving by the day. This post is...

MMD-0049-2016 - A case of java trojan (downloader/RCE) for remote minerd hack
Background: This is a short post for supporting the takedown purpose. Warning: Sorry, this time there's nothing fancy nor "in-depth analysis" :-) Yet the current hacking & infecting scheme is so bad,...

MMD-0050-2016 - Incident report: ELF Linux/Torte infection (in Wordpress)
The indicator: Several hours ago, a suspicious inbound access was detected on a Wordpress site with the below log: (Thanks for the hard work from Y) It's an unusual traffic coming from the unusual...

MMD-0051-2016 - Debunking a tiny ELF remote backdoor (shellcode shellshock...
The background: In September 2014, while ShellShock exploitation was in the rush, I analyzed a case (MMD-0027-2014) of an ELF payload dropped via a ShellShock attack, with the details that can be read...

MMD-0052-2016 - SkidDDOS ELF infection Jan-Feb 2016
Background: These are the comprehensive statistical data for the infection of the ELF DDoS-er malware whose source codes we snagged and reported in the previous MalwareMustDie blog post [MMD-0044-2015]....

MMD-0053-2016 - A bit about ELF/STD IRC Bot: x00's CBack aka xxx.pokemon(.)inc
Latest UPDATE incident of this threat is --> [link]. Background: I received a report that a host in the Google cloud network is serving ELF malware: {"ip": "130.211.127.186","hostname":...

[Slide] The Kelihos & Severa; the "All Out" version
Tag: Kelihos, Khelios, P2P, FastFlux, Botnet, CNC, C2, Clickfraud, Traffic Redirection, Spambot, DNS Poison, Botnet as Service, Affiliate, Severa, Peter Severa, Petrushakov, Saever. Warning: It's a...

MMD-0054-2016 - ATMOS botnet facts you should know
The background: This post is about recent intelligence and sharing of information on the currently emerged credential-stealer and spying botnet named "Atmos", for the purpose of threat recognition, incident...

MMD-0055-2016 - Linux/PnScan ; ELF worm that still circles around
Background: Just checked around the internet and found an interesting ELF worm distribution that may help raise awareness among fellow sysadmins. As shown in the title, it's a known ELF malware threat, could...

MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled..
Background: From August 4th 2016 several sysadmin friends were helping us by uploading this malware's files to our dropbox. The samples of this particular ELF malware were not easy to retrieve; there are...

MMD-0057-2016 - New ELF botnet: Linux/LuaBot
Background: On Mon, Aug 29, 2016 at 5:07 PM I received this ELF malware sample from a person (thank you!). There wasn't any detail or comment whatsoever, just one cute little ARM ELF stripped binary...

MMD-0058-2016 - ELF Linux/NyaDrop - a linux MIPS IoT bad news
Background: Since the end of September 2016 I have received a new type of attack that aims at the MIPS platform I provided to detect IoT attacks. I will call this threat the new ELF Linux/NyaDrop as per the...

MMD-0059-2016 - Linux/IRCTelnet (new Aidra) - A DDoS botnet aims IoT w/ IPv6...
It's a Kaiten/Tsunami? No.. STD?? No! It's a GayFgt/Torlus/Qbot? No!! Is it Mirai?? NO!! It's a Linux/IRCTelnet (new Aidra)! ..a new coded IoT DDoS botnet's Linux malware.. Summary: This post is a report...