Introduction
Inspired by the section on Advanced Persistent Threats (APT) and botnet C&C servers in Mr. Yung's talk at the Bot2010 conference[1], Mars and I set out to search for live C&C servers in order to dig into more details of the APT area. An APT is a targeted attack against high-value information, backed by strong resources and authority.
With reference to the Shadows in the Cloud report[2] published in April, we found that Google does some filtering of its own; nevertheless, with some luck we managed to search out active C&C servers.
Read more…
In recent days, the Flash vulnerability CVE-2010-1297 has been used for drive-by downloads. Many websites have been injected with malicious links such as hxxp://2677.in/yahoo.js, and these compromised websites were broken into by automated mass-injection tools.

The TomTom website injected with a malicious link
In most cases, attackers move faster than vendors, which gives them a great opportunity to build a strong botnet and control more victims.
The following flow chart shows the attack path of a zero-day.
Read more…
The new IE zero-day exploit was immediately put to use in targeted attacks. In the past few days, we have captured a number of samples derived from the version published on the rec-sec website.
As you can see, the exploit uses a common heap-spray method to fill memory with blocks containing the shellcode. When the shellcode executes, malware is downloaded from a compromised website.
A detailed analysis of this malware can be seen in our system.
Read more…
Recently, we have also seen very frequent targeted attacks making use of the (incompletely) patched TIFF vulnerability CVE-2010-0188.
What is interesting is that these exploits insert the JavaScript as well as the crafted TIFF (exploit.tif) into an XML form and generate the malicious PDF with Adobe LiveCycle ES. Because the JavaScript is embedded within the form rather than in a plain /JS object, it is not detected by AV.
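A triage check for the construction described above, added here as an example (not code from the original post or from any analysis system it mentions): it scans raw PDF bytes for an /XFA entry, an XFA `<script contentType="application/x-javascript">` block, and an image field carrying a TIFF, either declared as `image/tiff` or recognisable from the base64 of the TIFF magic (`II*\0` encodes to a prefix of `SUkqA`, `MM\0*` to `TU0AK`). The sample PDF is constructed for the example and contains no exploit; the function and type names are mine.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Counts of the indicators found in the raw PDF bytes. */
typedef struct {
    int xfa;         /* "/XFA" key (AcroForm points at an XFA stream) */
    int xfa_js;      /* XFA script block with contentType application/x-javascript */
    int tiff_field;  /* XFA image field declared as image/tiff */
    int tiff_b64;    /* base64 prefix of the TIFF magic inside the XML */
} pdf_xfa_indicators;

/* Naive substring counter; fine for triage-sized inputs. */
int count_substr(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    int count = 0;
    if (n == 0 || len < n) return 0;
    for (size_t i = 0; i + n <= len; i++) {
        if (memcmp(buf + i, needle, n) == 0) count++;
    }
    return count;
}

pdf_xfa_indicators scan_pdf_xfa(const unsigned char *buf, size_t len) {
    pdf_xfa_indicators r;
    r.xfa = count_substr(buf, len, "/XFA");
    r.xfa_js = count_substr(buf, len, "application/x-javascript");
    r.tiff_field = count_substr(buf, len, "image/tiff");
    /* base64("II*\0...") starts with "SUkqA", base64("MM\0*...") with "TU0AK" */
    r.tiff_b64 = count_substr(buf, len, "SUkqA") + count_substr(buf, len, "TU0AK");
    return r;
}

/* The combination the post describes: XFA form + embedded script + TIFF image. */
int looks_like_xfa_tiff_dropper(const pdf_xfa_indicators *r) {
    return r->xfa > 0 && r->xfa_js > 0 && (r->tiff_field > 0 || r->tiff_b64 > 0);
}

/* Constructed sample (not a real exploit): an uncompressed XFA stream whose
   image field holds a base64 TIFF header and whose initialize event runs script. */
const char SAMPLE_PDF[] =
    "%PDF-1.6\n"
    "1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n"
    "2 0 obj << /Fields [] /XFA 3 0 R >> endobj\n"
    "3 0 obj << /Length 400 >> stream\n"
    "<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n"
    "<template><subform><field name=\"img\"><ui><imageEdit/></ui>\n"
    "<value><image contentType=\"image/tiff\">SUkqAAgAAAAAAAAA</image></value></field>\n"
    "<event activity=\"initialize\"><script contentType=\"application/x-javascript\">\n"
    "var s = unescape(\"%u9090\"); /* heap-spray placeholder, does nothing */\n"
    "</script></event></subform></template></xdp:xdp>\n"
    "endstream endobj\n";

const char BENIGN_PDF[] = "%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n";

int main(void) {
    pdf_xfa_indicators r = scan_pdf_xfa((const unsigned char *)SAMPLE_PDF,
                                        sizeof(SAMPLE_PDF) - 1);
    printf("xfa=%d js=%d tiff_field=%d tiff_b64=%d -> %s\n",
           r.xfa, r.xfa_js, r.tiff_field, r.tiff_b64,
           looks_like_xfa_tiff_dropper(&r) ? "SUSPICIOUS" : "clean");
    return 0;
}
```

Real samples normally store the XFA stream with /FlateDecode, so run this over inflated stream contents (or the output of a PDF parser), not the compressed file; on the raw bytes of a compressed sample only the `/XFA` count survives.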
Traces left by the hacker can be found in the malicious PDF, and it is likely that the hacker is "Yuange" (袁哥 in Chinese) and "panlab" (an exploit lab? If it really is, I also want to join..). However, in the new version of the exploit, we can't find the string "Yuange".
As we know, more features mean more bugs. It is my belief that PDF exploits will increase significantly and be used widely in targeted attacks.
Recently, we have captured many PDF files from Chinese hackers (exploiting CVE-2010-0188), and our private automatic malware analysis system can inspect such exploit files and analyze the malware they drop.
Here are two case studies to share with you:
Read more…
https://www.openrce.org/blog/view/1532/BSWAP_+_66h_prefix_%28bochs,_QEMU_detection%29
http://gynvael.coldwind.pl/?id=268
The bswap reg16 instruction is in fact a bswap reg32 with the 66h prefix, also known as the operand-size override prefix (it switches the operand size between 32 and 16 bits, where 32 is the default in PMODE of course). As one can read in the Intel manuals, using bswap with the 66h prefix results in undefined behavior.
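A probe for the behaviour described above, added here as an example (not code from either linked post): it executes the raw bytes `66 0F C8` (`bswap ax`) via inline assembly and classifies the result. The interpretation follows the linked posts: real CPUs have been observed to clear the low 16 bits of the register for this officially undefined encoding, while an emulator that models the prefix literally swaps the two bytes of AX. Neither outcome is guaranteed by the manuals, which is why the code reports a verdict rather than asserting one. It assumes an x86/x86-64 build with GCC or Clang; on other targets the probe returns a sentinel. Function and type names are mine.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum {
    PROBE_HARDWARE_LIKE,   /* low 16 bits cleared, upper bits untouched */
    PROBE_EMULATOR_LIKE,   /* low 16 bits byte-swapped, i.e. xchg al, ah */
    PROBE_UNKNOWN          /* anything else */
} probe_verdict;

/* Execute "66 0F C8" (bswap ax) with the input in eax and return eax. */
uint32_t bswap_ax_probe(uint32_t in) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t out = in;
    __asm__ volatile(".byte 0x66, 0x0f, 0xc8" : "+a"(out));
    return out;
#else
    (void)in;
    return 0xFFFFFFFFu;   /* sentinel: not an x86 build, nothing to probe */
#endif
}

/* Compare the observed register value against the two known behaviours.
   A 16-bit operation must leave the upper 16 bits alone in both cases. */
probe_verdict classify_bswap16(uint32_t in, uint32_t out) {
    uint32_t hi = in & 0xFFFF0000u;
    uint32_t lo = in & 0x0000FFFFu;
    uint32_t swapped = ((lo & 0xFFu) << 8) | (lo >> 8);
    if (out == hi) return PROBE_HARDWARE_LIKE;
    if (out == (hi | swapped)) return PROBE_EMULATOR_LIKE;
    return PROBE_UNKNOWN;
}

int main(void) {
    uint32_t in = 0x12345678u;
    uint32_t out = bswap_ax_probe(in);
    if (out == 0xFFFFFFFFu) {
        puts("not an x86 build, probe skipped");
        return 0;
    }
    static const char *names[] = {"hardware-like", "emulator-like", "unknown"};
    printf("bswap ax: eax 0x%08x -> 0x%08x (%s)\n", in, out,
           names[classify_bswap16(in, out)]);
    return 0;
}
```

Modern emulators have corrected this particular quirk, so a "hardware-like" verdict does not prove bare metal; the point is the pattern, an undefined encoding whose observed result differs between silicon and a literal reimplementation.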
http://www.pcworld.com/article/185122/good_guys_bring_down_the_megad_botnet.html
For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients’ networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from defense to offense. And Mega-D–a powerful, resilient botnet that had forced 250,000 PCs to do its bidding–went down.
Shadowserver to Take Over as Mega-D Botnet Herder