"Shadow Logger" - New .NET's FUD Keylogger on the (MMD) bloG
Background: Our team found this threat and decided to openly raise awareness about it. It is a keylogger that brags about being Fully Undetected (FUD), and the sad part is that it is, which is causing the...
Threat Intelligence - New Locker: Prison Locker (aka: Power Locker ..or...
Background: Malware bad actors just keep on coding and developing new threats with the stupid dream of getting rich quick in their stupid heads. It's a serious moral corruption generated by whatever...
..And another "detonating" method of CookieBomb 2.0 - Part 1
Note: I wrote the Japanese version of the investigation method separately, so access it here -->「BLOG.0DAY.JP」. Note: For the step-by-step easy decoding using Wireshark & a browser (with many screenshots; note: a different victim site), go to the Japanese write-up here (use...
..And another "detonating" method of CookieBomb 2.0 - Part 2
Background: In the previous (first) part, I explained the first decoding of the new design in the CookieBomb (version 2) threat, with the easy decoding (read: "detonating") method for novices to quickly get the URL...
Once upon a time with an American Express Phishing Session..
As you may know, the MMD blog focuses on malware/botnet-related threats. But today I want to make an exception: my SMTP honeypot is full of American Express phishing scam emails, so I dared myself...
Cyber Intelligence: The JackPOS Behind the Screen
The background: As credit for awareness of the current threat, many of you probably noticed the JackPOS malware posted at Xylit0l's post in Kernel Mode here -->>[kernelmode], in the...
Tango Down of Nuclear Pack's 174 Multiple Registered .PW Domains
To "some" fellow researchers: Don't mock us for taking down these bad domains. Think of the victims who get infected on an hourly basis! Sorry if we blew your "tracking" objects away. Because of this...
Long Talk "AV Tokyo 2013.5" - #Kelihos #CookieBomb #RedKit : Bad Actor's...
On Sunday, February 16th, 2014, in our presentation at AV Tokyo 2013.5, a prestigious security event in Japan (link), we (read: MalwareMustDie, an NPO and Anti Cyber Crime International Research Group)...
How public services like Amazon AWS, DropBox, Google Project/Code & Google...
Today I was about to go to bed when I bumped into this threat. Please kindly bear with the sleepy eyes behind this write-up. I am combining screenshots and log details in text; hopefully there will be no...
Tango Down: The takedown of 209,306 .IN.NET Nuclear Pack DGA domains
This post is a tribute to the hard-working individuals and professionals who made the impossible happen. The Report: As one result of a persistent collaboration between security researchers and...
A post to sting Zeus P2P/Gameover crooks :))
The Background: This weekend, Zeus P2P Gameover (in short: GMO) is running a large campaign utilizing Upatre (using the latest version to download an encrypted ZZP file with many extensions), which are...
Daily analysis note: "Upatre" is back to SSL?
Latest Progress/Changes/Updates: "#Malware Info - #Upatre changed its USER-AGENT header (pic) /cc: @node5 @EmergingThreats pic.twitter.com/uCOGmP1EIQ" — MalwareMustDie, NPO (@MalwareMustDie) April 24,...
When hacker got hacked - A disclosure & share of xakep.biz evil tools
The Background: Thanks to the good effort of our credited brothers, we, MalwareMustDie, NPO (read: Malware Research Group & Anti Cyber Crime Workgroup), herewith disclose the existence of an...
MMD-0020-2014 - Analysis of infection ELF malware: libworker.so - A shared...
This is the analysis story based on incident handling of a server-side incident, caused by a hack that performed a malicious attack from a compromised server, so it is server-side malware...
MMD-0021-2014 - China's ELF (D)DoS + backdoor malware
Our friend captured this "attacker" in his trap (thanks, wirehack7), and I found it interesting, so I attempted to make a video analyzing its binary and to write it down in this post. @MalwareMustDie...
MMD-0022-2014 - Zendran, Multi-Arc ELF DDoS (lightaidra ircd base) - Part 1:...
The background: There are a lot of DDoS attacks performed each day. Our systems are also being abused by these, and maybe some of you have the same share too. MalwareMustDie analysis focuses on...
Video tutorial to extract, kill, debug & traffic capture ELF .so shared...
I post this video tutorial as a continuation of the analysis of a recent ELF malware infection that intercepts Linux/FreeBSD systems using the LD_PRELOAD method (via the ld.so API), which I wrote about here -->>[MMD...
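An added example, not code from the MMD post or from the malware analysed there: a small POSIX sh check for the two preload hooks an LD_PRELOAD-based .so implant relies on, the system-wide /etc/ld.so.preload file and the per-process LD_PRELOAD variable. The function names, the whitelist of library directories and the sample file contents are my own assumptions; the check flags entries that live outside the usual library directories or are missing on the host, which is the quick triage step before the extraction and debugging shown in the video.

```shell
#!/bin/sh
# Added example (not code from the MMD post or the malware it analyses):
# audit the ld.so preload mechanism that LD_PRELOAD-based .so implants abuse.
# Two persistence points matter: /etc/ld.so.preload (system-wide, read by
# ld.so for every dynamically linked process) and the LD_PRELOAD variable
# (per-process). Function names and the directory whitelist are assumptions.

# audit_preload_file FILE
# Prints every library listed in an ld.so.preload-style file and returns 1 if
# any entry lives outside the usual system library directories or is missing
# on this host; returns 0 if the file is absent or lists nothing unusual.
audit_preload_file() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "no preload file at $file"
        return 0
    fi
    rc=0
    # ld.so ignores text after '#' and accepts whitespace-separated entries;
    # '|| [ -n "$line" ]' keeps a last line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        for lib in $line; do
            case "$lib" in
                /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*|/usr/local/lib/*)
                    where="expected library dir" ;;
                *)
                    where="SUSPICIOUS location"; rc=1 ;;
            esac
            if [ -e "$lib" ]; then
                state="present"
            else
                state="MISSING on this host"; rc=1
            fi
            echo "$lib: $where, $state"
        done
    done < "$file"
    return $rc
}

# report_preload_env [VALUE]
# Reports the LD_PRELOAD value (the argument, or the current environment when
# no argument is given) and returns 1 when it is non-empty.
report_preload_env() {
    value=${1-${LD_PRELOAD-}}
    if [ -n "$value" ]; then
        echo "LD_PRELOAD is set: $value"
        return 1
    fi
    echo "LD_PRELOAD is not set"
    return 0
}

# Usage on a live host (non-zero exit means something needs a closer look):
#   audit_preload_file /etc/ld.so.preload; report_preload_env
```

A clean host normally has no /etc/ld.so.preload at all, so an existing file is already worth a look; an entry under /tmp, /dev/shm or a home directory is the classic sign of the kind of implant the tutorial dissects. Run the file check on the image or mounted filesystem of the compromised box rather than trusting `ls` or `cat` on the live system, since an LD_PRELOAD hook can hide its own file from those tools.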
MMD-0023-2014 - ELF "pscan"&"sshscan" SSH bruter malware: A payback with...
For about 2 weeks I analyzed the SSH login brute-force attacks that came into my dummy service, as shown in the report at this link -->[Pastebin], and compiled it into a graphical report of the source IPs of...
Sample sharing for #MalwareMustDie recent ELF analysis
Samples are shared for research and for raising the detection ratio, not for bad purposes. The password is the well-known "generic" one, so if you ask for these archives' password I will assume that...
A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam)...
This write-up is dedicated to fellow sysadmins across the networks of this globe, who work hard keeping internet services running smoothly and help clean up the bad stuff. You rock! Respect! If you...