Friday, July 18, 2014

Dyre banker aka Win32/Win64 Battdil - Inside a related web panel

What I have learned over the years as a hobby malware analyst is that whenever you think you are the first to discover a new malware family, you can be sure at least a dozen people are already working on the threat. And I am not speaking about what you later get to see in public...

The recently discovered banker named Dyre is no exception. While cleaning up my malware collection yesterday, I stumbled upon a sample which Anton Cherepanov and I briefly analyzed 3 months ago. After a quick search on the Internet, I realized that this sample, first discovered by ESET and named Win32/Battdil.A and Win64/Battdil.A respectively, is the recently published threat named Dyre or Dyreza banker. You can read about this malware here:

http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/
https://www.csis.dk/en/csis/news/4262/
https://www.csis.dk/en/csis/blog/4318/
http://stopmalvertising.com/malware-reports/introduction-to-dyreza-the-banker-that-bypasses-ssl.html
http://stopmalvertising.com/malware-reports/analysis-of-dyreza-changes-network-traffic.html


Monday, June 23, 2014

Malware spread over Facebook - TrojanDownloader:Java/Carastavona.E

Earlier today, I stumbled upon a blog post by Bitdefender which describes a malware sample that spreads among Facebook users:

http://www.hotforsecurity.com/blog/its-not-funny-facebook-users-tricked-into-bitcoin-mining-9263.html

I thought I would give it a shot, since I realized in my last article that reversing Java malware is quite fun, probably because it is easier and not as exhausting as looking over hundreds or thousands of lines of disassembled code. Unfortunately, the article does not give any hashes, just the file name of the malware sample, IMAG00953.zip.


Friday, June 20, 2014

Blitzanalysis: Embassy of Greece Beijing - Compromise

It's Friday afternoon, I had a bit of free time and stumbled across this tweet by PhysicalDrive0 (thanks!) two hours ago, so I thought I would give it a try and finally add a new article to this blog (the first of 2014):

https://twitter.com/PhysicalDrive0/status/479921770838102017

So, I went to Google, searched for the domain of the Embassy of Greece in Beijing and added the name of the (allegedly) malicious Java file package that was found by PhysicalDrive0:
