@c_APT_ure just wanted to have a little fun ;-) (couldn't sleep at first try) needed a shot of something... so a little malware must do for now ;-)

Opening urlquery.net and just opening a recent report:
http://urlquery.net/report.php?id=240104

  URL:            http://rxtraf25.ru/in.cgi?3
  IP:             46.165.206.16
  ASN:            AS16265 LeaseWeb B.V.
  Location:       [Germany] Germany
  Report created: 2012-10-20 00:13:24 CET
  Status:         Report complete.

urlQuery Alerts:
  - Detected possible Sakura exploit kit HTTP GET request
  - Detected SutraTDS HTTP GET request

Suricata /w Emerging Threats Pro:
  Timestamp            Source IP        Destination IP   Severity  Alert
  2012-10-20 00:13:47  46.165.206.16    urlQuery Client  2         ET CURRENT_EVENTS TDS Sutra - redirect received
  2012-10-20 00:13:32  urlQuery Client  46.165.206.16    2         ET CURRENT_EVENTS TDS Sutra - request in.cgi

Snort /w Sourcefire VRT (Full license):
  Timestamp            Source IP        Destination IP   Severity  Alert
  2012-10-20 00:13:32  urlQuery Client  46.165.206.16    1         MALWARE-CNC TDS Sutra - request in.cgi

hmmm looks like fun ;-) so let's see what Wepawet can detect...
http://wepawet.iseclab.org/view.php?hash=daeda320ae9e2ae5b09edfe264e8f817&t=1350687048&type=js

Result: benign - no exploits detected!

Well, a little disappointing, but oh well... so let's just open the URL inside a VM and see what comes along... Well, the Java applet didn't load (404 not found) but a PDF and an EXE came down ;-)

Submitting to VT... OK, wait, no previous reports, so it's new???

https://www.virustotal.com/file/5e8c73ad60440d3231aff9adf8f0a1f234db63eedd8066a78c1334b1a60b13f1/analysis/1350689394/
  SHA256:          5e8c73ad60440d3231aff9adf8f0a1f234db63eedd8066a78c1334b1a60b13f1
  SHA1:            a23905a588b30e3f511b4c7a793a901e6e253164
  MD5:             43b08664c1ec7e953ef65ffe8320cf87
  File size:       5.9 KB ( 6026 bytes )
  File name:       exploit.pdf
  File type:       PDF
  Detection ratio: 2 / 44
  Analysis date:   2012-10-19 23:29:54 UTC ( 0 minutes ago )

  Kaspersky        HEUR:Exploit.Script.Generic   20121019
  TrendMicro       HEUR_PDFEXP.G                 20121020

https://www.virustotal.com/file/2969f36f478a4e2a6d319c66c5448b28fbe631184a181340324e8a12bb35fb3f/analysis/1350689401/
  SHA256:          2969f36f478a4e2a6d319c66c5448b28fbe631184a181340324e8a12bb35fb3f
  SHA1:            958b348f3b4f476c446bf1c0c365d16f2111f4ca
  MD5:             f00c7d9bf70cb54edf678b0e675011c2
  File size:       43.0 KB ( 44032 bytes )
  File name:       153.exe
  File type:       Win32 EXE
  Detection ratio: 1 / 44
  Analysis date:   2012-10-19 23:30:01 UTC ( 0 minutes ago )

  Kaspersky        UDS:DangerousObject.Multi.Generic   20121019

GRRRRRREAT detection rates!!!

So what does the EXE do...? Because I'm lazy I just sent it to Anubis:
http://anubis.iseclab.org/?action=result&task_id=1a04d0c91237a97643957ae9c62793cab&format=html

3.a) 153.exe - Registry Activities - Registry Values Modified:
  Key                                              Name                New Value
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  SunJavaUpdateSched  C:\Documents and Settings\All Users\svchost.exe

3.b) 153.exe - File Activities - Files Created:
  C:\Documents and Settings\All Users\svchost.exe

3.c) 153.exe - Network Activity - Opened Listening Ports:
  Port  Type
  8000  tcp

So it copies itself to a user profile and creates a Run registry entry to start after reboot. BUT what is it listening for on port 8000???

Screenshots of the analysis are here:
http://security-research.dyndns.org/pub/malware-analysis_2012-10-20/01.png
...
http://security-research.dyndns.org/pub/malware-analysis_2012-10-20/07.png

Samples (pwd infected):
http://security-research.dyndns.org/pub/malware-analysis_2012-10-20/samples.zip

#MalwareMustDie !!!!

AV detections would be a nice start... over and out, good night, bye
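Added example, not code from the original post and not from Anubis or VirusTotal: a small offline Python triage script that turns the indicators above (the Run value, the dropped svchost.exe under All Users, the two SHA256 hashes) into checks you can run over autorun entries and file contents collected from a host. The Run entries and file bytes in the script are constructed stand-ins; the list of "System32-only" binary names, the profile roots, and the expectation that a SunJavaUpdateSched value normally launches jusched.exe are assumptions of the script, not something the post states.

```python
"""Offline triage of the host indicators from the Anubis/VT reports above.
Added example; sample data is constructed, heuristics are assumptions."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SHA256 digests quoted from the two VirusTotal reports in the post.
KNOWN_BAD_SHA256 = {
    "5e8c73ad60440d3231aff9adf8f0a1f234db63eedd8066a78c1334b1a60b13f1": "exploit.pdf",
    "2969f36f478a4e2a6d319c66c5448b28fbe631184a181340324e8a12bb35fb3f": "153.exe",
}

# Assumption: these Windows binaries live only under System32/SysWOW64, so a
# same-named file anywhere else (e.g. a profile directory) is a masquerade.
SYSTEM_ONLY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumption: user-writable profile roots on XP/2003 and on Vista and later.
PROFILE_ROOTS = (r"c:\documents and settings", r"c:\users")
# Assumption: Run value names used by legitimate software and the binary they
# normally launch; the dropper reused the Java updater's name for its own file.
EXPECTED_TARGET = {"sunjavaupdatesched": "jusched.exe"}


@dataclass(frozen=True)
class RunEntry:
    key: str      # e.g. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    name: str     # value name, e.g. SunJavaUpdateSched
    command: str  # value data as stored in the registry


def exe_path(command: str) -> str:
    """Pull the executable path out of a Run value's command line.
    Handles quoted paths and unquoted paths with spaces (as in the report)."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def split_path(path: str) -> Tuple[str, str]:
    """Case-folded (directory, basename) of a Windows path, without relying on
    os.path being Windows-aware when this runs on Linux."""
    path = path.lower().replace("/", "\\")
    head, sep, tail = path.rpartition("\\")
    return (head, tail) if sep else ("", path)


def check_run_entry(entry: RunEntry) -> List[str]:
    """Return human-readable findings for one autorun entry; empty means clean."""
    findings = []
    directory, basename = split_path(exe_path(entry.command))
    if basename in SYSTEM_ONLY_NAMES and directory not in SYSTEM_DIRS:
        findings.append(f"{entry.name}: system binary name '{basename}' outside "
                        f"System32 (found in '{directory or '<no path>'}')")
    if directory.startswith(PROFILE_ROOTS):
        findings.append(f"{entry.name}: autorun from user-writable profile dir '{directory}'")
    expected = EXPECTED_TARGET.get(entry.name.lower())
    if expected and basename != expected:
        findings.append(f"{entry.name}: value name normally launches {expected}, "
                        f"but points at '{basename}'")
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_known_bad(digest: str) -> Optional[str]:
    """Look up a hex SHA256 against the samples from the post."""
    return KNOWN_BAD_SHA256.get(digest.lower())


def triage(entries: List[RunEntry], files: Dict[str, bytes]) -> List[str]:
    """Run the autorun checks and the hash lookup over collected data."""
    findings = []
    for entry in entries:
        findings.extend(check_run_entry(entry))
    for path, data in files.items():
        hit = match_known_bad(sha256_hex(data))
        if hit:
            findings.append(f"{path}: SHA256 matches known sample {hit}")
    return findings


# Constructed sample data: the entry from the Anubis report plus a benign Java one.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_ENTRIES = [
    RunEntry(RUN_KEY, "SunJavaUpdateSched", r"C:\Documents and Settings\All Users\svchost.exe"),
    RunEntry(RUN_KEY, "SunJavaUpdateSched",
             r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
]
# Constructed bytes standing in for the dropped file; not the real sample, so no hash hit.
SAMPLE_FILES = {r"C:\Documents and Settings\All Users\svchost.exe": b"MZ constructed stand-in"}

if __name__ == "__main__":
    for line in triage(SAMPLE_RUN_ENTRIES, SAMPLE_FILES):
        print(line)
```

Against the constructed data the reported entry trips all three autorun heuristics (svchost.exe outside System32, autorun from the All Users profile, Java updater name pointing at the wrong binary), the legitimate jusched.exe entry is clean, and the hash lookup only fires when the collected file's SHA256 equals one of the two digests quoted from VirusTotal.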