Re: Viral sample (October 9, 2014) BBCUZ / Wonton-G



Quoted text here. Click to load it

I couldn't help but notice you didn't respond to my reply concerning  
your unnecessary attack and attempted (yet failed miserably) education  
on basic emailing concepts... but

I didn't get the chance to ask why you dodged the analysis of the  
website url you decided to place the malware sample on? Nor did you  
have any comments concerning what anubis reported back (which is  
essentially the actions of a dropper file).  

The random named .exe sitting in your application folder is the  
'real' target, if your goal is to seek out and destroy malware. The  
dropper file itself was a simple trojan. Its reason for existing is  
to drop and setup your machine to run the dropped file later.
I wrote random named because each time the dropper is run, I suspect  
it'll generate a new name for the file it's supposed to be creating  
as well as a new bogus named registry key to make sure it runs later.

It would take me all of ten seconds or less to acquire the real  
malware sample, inside the dropper. Without posing any risk to myself  
or equipment. Do you suppose you can send me the real malware sample?

I'd like to see if virustotal knows it well. I can do this myself,  
but I'm not the one who created this thread whining about the  
detection rate of a dropper; a dropper! So I'm asking if you can  
extract the real exe inside the dropper and upload that to  
virustotal. I suspect the scan results will be different.

And I'm serious, why did you suggest I or others visit such a nasty  
site to obtain the file? It was only 11 kilobytes rar'd..

Want me to send you a simple program that would let you post it right  
here? That way, I wouldn't have to surf to ... painful websites to  
get the sample.

--  
If you can read this, Thank a teacher.
If you're reading it in English, Thank a soldier!
Re: Viral sample (October 9, 2014) BBCUZ / Wonton-G

Dustin wrote:
  
Quoted text here. Click to load it

Many residential ISPs are blocking their customers' ability to
communicate beyond the ISP's network out to the internet on port 25.  

They can do that because:

1) they host their own mail server (possibly on port 25 but more
   likely on other higher ports like 465 or 587) within their own  
   network, so customers can communicate with those servers to
   send mail, but spammers can't send direct-to-mx from  
   infected PC's because of the block on port 25.

2) customers bypass their ISP's mail servers or MTA's entirely
   and access a third-party server (gmail, etc), again on a  
   higher port (like 465, etc).

3) customers are increasingly not even using a mail client, but
   instead experience mail through a web interface.

So as you can see, you bone head, many residential ISPs can easily
block outbound port 25 on their boundary with the internet for the vast,
vast majority of their customers, without these customers even knowing
such a block exists, because there really isn't any need or use by
those people for port-25 outbound in the first place.

Anyone running their own mail server at home probably needs to be using
(and paying for) a business-level internet connection from their ISP,
and there wouldn't (necessarily) be a block on port-25 for that.

Quoted text here. Click to load it

I download a fair amount of music, movies, magazines from filepost -
because it happens to be a primary file-locker used by uploaders that
use listing sites like avax.  So I'm somewhat familiar with filepost.

I also have about a dozen entries in my hosts file that block all the
junk that filepost throws at you.  I've had such a block in place for a
long time, so I don't even remember what gets thrown up.  I can only
recommend that people close any popups that get spawned while following
my links.  I wouldn't think that would be too hard for people using more
recent versions of IE or FF.  I use FF2 as my default browser, and I can
navigate filepost with ease.

I have tried to use other filelockers, but even with Opera 12.02 (my
most "advanced" browser) I haven't found a filelocker on which I can
successfully perform file-uploading without some web-based or browser
incompatibility preventing the interface from working properly.  

Quoted text here. Click to load it

When I submit files to anubis, it's mainly because I want to see if a
download URL is revealed.  Something I can access myself.  I've looked
through the various other sections of their reports (registry keys read,
modified, created, etc) but they are of little interest to me (what can
I do with them?).

But yes- I did find your discovery of a file being inserted into a run
key to be informative.  

Quoted text here. Click to load it

I didn't (I don't) run these files.  If I'm sufficiently interested,
I'll give them to anubis to run.

So what I put up on filepost is what I get via email (spam) attachment.

Quoted text here. Click to load it

Well, unless the internal binary can be extracted using 7-zip or maybe
"uniextract", then you're going to have to point me to a utility that
will extract them (so I can upload them to VT), or you're going to have
to continue downloading these dropper files from filepost, or you're
going to have to point me to an alternate file locker that I can fully
access with the browsers I have.
  
Quoted text here. Click to load it

Like I said, the stuff that I download is usually hosted on filepost,
and when I first started to access filepost a long time ago, I had no
problems deflecting or evading whatever that site was throwing at me
until I had that crud blocked using hosts entries.  So I wasn't aware
that accessing the site and just focusing on and downloading the file of
interest wasn't safe - I wasn't aware that the site is attempting any
browser exploits (maybe you are, or are not, saying it is - I'm not
sure).

Quoted text here. Click to load it

Even if I wanted to, AIOE doesn't allow posting attachments to usenet
posts.  The software I'm using now (Netscape Communicator 4.79) can
easily add attachments - that's not the problem.  I would need access to
an NNTP server that allows it.  Do any free usenet servers allow posting
of attached files?

Quoted text here. Click to load it

I'm open to a more friendly file-locker if you know of one.

Re: Viral sample (October 9, 2014) BBCUZ / Wonton-G

Virus Guy wrote:
  
Quoted text here. Click to load it

I suppose I could use uuencode and post that here as a block of text.  I
think AIOE has a limit of something like 20k per post.  Assuming AIOE
isn't configured to detect and block stuff like that.

Re: Viral sample (October 9, 2014) BBCUZ / Wonton-G

David Ritz wrote:
  
Quoted text here. Click to load it

No, I was thinking that if all the mime junk wasn't included, that AIOE
wouldn't trigger on "begin" or "end" in determining that a block of
ascii characters was a binary attachment.

Quoted text here. Click to load it

Why is Dustin suggesting I post the malware samples here then?

Quoted text here. Click to load it

I have already verified that I can post the uuencoded text of a small
binary file to a (dormant / obscure) non-binary usenet group via the
AIOE server.

Cutting and pasting the uuencoded block did not work (even if the Begin
six-four-four line was put into brackets and moved into a paragraph of
conversational text).

What does work is adding a single character (such as a period) to the
start of each line.  The character can easily be removed and the
resulting block can be uudecoded.
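The prefix trick described in the post above, worked through as an added example (this is not code from the thread or from any poster). It uuencodes a constructed byte string, puts a period in front of every line so that no line of the posted text starts with "begin" or "end", then strips the prefix and decodes. The server heuristic it models (a line starting with `begin ` or equal to `end`) is the poster's guess, not documented AIOE behaviour, and the sample bytes and file name are made up here.

```python
"""uuencode a small binary for a text-only news post.

Each line of the uuencoded block is prefixed with a period, as the post
above describes, so a server looking for 'begin'/'end' lines sees none.
The reader strips the prefix and uudecodes.  Added example, not code
from the original thread; the detection heuristic is an assumption.
"""
import binascii

PREFIX = "."   # character the poster reports adding to each line
CHUNK = 45     # uuencode consumes 45 input bytes per output line

# Constructed sample payload standing in for a small binary (not a real file).
SAMPLE = bytes(range(256)) * 2 + b"\x00tail"


def uuencode(data: bytes, name: str, mode: int = 0o644) -> str:
    """Return a classic uuencoded block: begin line, data lines, '`', end."""
    lines = [f"begin {mode:o} {name}"]
    for off in range(0, len(data), CHUNK):
        # b2a_uu encodes one line (<= 45 bytes) and appends a newline.
        enc = binascii.b2a_uu(data[off:off + CHUNK]).decode("ascii")
        lines.append(enc.rstrip("\n"))
    lines.append("`")     # zero-length data line terminates the payload
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode(text: str) -> tuple[str, bytes]:
    """Parse a uuencoded block; return (file name, decoded bytes)."""
    lines = text.splitlines()
    begin = next((i for i, ln in enumerate(lines) if ln.startswith("begin ")), None)
    if begin is None:
        raise ValueError("no begin line")
    _, _mode, name = lines[begin].split(" ", 2)
    out = bytearray()
    for ln in lines[begin + 1:]:
        if ln == "end":
            return name, bytes(out)
        if ln in ("", "`"):   # zero-length line; a2b_uu("") would yield 32 NULs
            continue
        out += binascii.a2b_uu(ln)
    raise ValueError("no end line")


def looks_like_binary(text: str) -> bool:
    """Assumed server heuristic: any 'begin ...' or bare 'end' line."""
    return any(ln.startswith("begin ") or ln == "end" for ln in text.splitlines())


def stuff(block: str, prefix: str = PREFIX) -> str:
    """Prefix every line so the block passes looks_like_binary()."""
    return "".join(prefix + ln + "\n" for ln in block.splitlines())


def unstuff(block: str, prefix: str = PREFIX) -> str:
    """Remove the prefix; refuse lines that lack it (damaged paste)."""
    out = []
    for ln in block.splitlines():
        if not ln.startswith(prefix):
            raise ValueError(f"line lacks {prefix!r} prefix: {ln!r}")
        out.append(ln[len(prefix):])
    return "\n".join(out) + "\n"


def roundtrip(data: bytes, name: str) -> tuple[bool, bool, str, bytes]:
    """Encode, stuff, unstuff, decode. Returns (raw flagged, posted flagged,
    recovered name, recovered bytes) so the effect of the prefix is visible."""
    raw = uuencode(data, name)
    posted = stuff(raw)
    got_name, got = uudecode(unstuff(posted))
    return looks_like_binary(raw), looks_like_binary(posted), got_name, got


if __name__ == "__main__":
    raw_hit, posted_hit, n, d = roundtrip(SAMPLE, "sample.bin")
    print("raw block flagged:", raw_hit, " posted block flagged:", posted_hit)
    print("recovered", n, len(d), "bytes, intact:", d == SAMPLE)
```

The prefix is a plain text transformation, so the recipient only needs to delete the first character of each line before running a normal uudecode; `unstuff()` rejects any line missing it so a mangled paste fails loudly instead of decoding garbage.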

Re: Viral sample (October 9, 2014) BBCUZ / Wonton-G

On Sun, 12 Oct 2014 20:59:48 -0400, Virus Guy wrote:

Quoted text here. Click to load it

OK, so you continue to post live links to malware. I thought we had been  
through this before (Note that's not a question)!  

Still forging, still insulting other posters. Still neither taking  
advice, nor learning. Your reputation lives on.

Thane

Re: Viral sample (October 9, 2014) BBCUZ / Wonton-G


Quoted text here. Click to load it

Mine isn't.
  
Quoted text here. Click to load it

I can see fine, thanks. You clearly ignored my previous response to  
you... There is no need for you to provide me an education on basic  
email principles. I already know this stuff, thanks anyhow.
  
Quoted text here. Click to load it

It still looks like shit though. Couldn't you find a friendlier site  
to host a malware sample?
  
Quoted text here. Click to load it

I'm not sure why you think anybody should have to be careful surfing  
your links when they only want the file at the end? That makes little  
sense to me. You either want people to examine the file or you don't.

Quoted text here. Click to load it

What do you mean what can you do with them? They give up the keys to  
the kingdom. They tell you what the rogue bastard is planning to do.  
They give you viable places to look if you run across a machine later  
that may have this thing.

A download url? You might be able to harvest that if you examine the  
dropper or the resulting dropped file closer.
  
Quoted text here. Click to load it

It's not my discovery. I was simply reading the report you provided  
and noticed it listed.
  
  
Quoted text here. Click to load it

AIOE wouldn't see it as an attachment. You'd copy/paste it from  
notepad. [g]
  
--  
If you can read this, Thank a teacher.
If you're reading it in English, Thank a soldier!