[Tài liệu] Unpacking the “Unitrix” malware


The “Unitrix” exploit takes several Unicode features designed for right-to-left languages and uses them to mask malicious executables as safe text or video files. Here is a short list of the main options.
But, this is just the start of the detective work. Analysis of this exploit shows that the hackers do not directly takeover the infected computers. Instead, they have a “pay per installation” network that provides outsourced infection and malware distribution services for other cybergangs – apparently based in Russia and the Ukraine  – after giving each infected computer its own identification number. And, this gang has the ability to change the final payload thanks to its downloader: rootkit today, tomorrow something else.
We’ve titled this malware W32:Fivfrom. It’s a malware downloader which, after activation, connects to several distribution centers to download and install malware to the infected computer.  We analyzed over fifty separate files, all of which initially looked quite different. But when we looked inside, we found some similar patterns. All files were packed with UPX, and then there was a polymorphic loader which generated the final exe file. This means the malware contained two layers of protection – UPX as the first layer and a polymorphic loader for the second layer.

(Read more )


Source: https://blog.avast.com

Comments

Post a Comment

Để lại góp ý của bạn để blog của mình hoàn thiện hơn :))

Popular posts from this blog

[Hack crack] Tổng hợp Google Dork

Image
/includes/header.php?systempath= /Gallery/displayCategory.php?basepath= /index.inc.php?PATH_Includes= /nphp/nphpd.php?nphp_config[LangFile]= /include/db.php?GLOBALS[rootdp]= /ashnews.php?pathtoashnews= /ashheadlines.php?pathtoashnews= /modules/xgallery/upgrade_album.php?GALLERY_BASEDIR= /demo/includes/init.php?user_inc= /jaf/index.php?show= /inc/shows.inc.php?cutepath= /poll/admin/common.inc.php?base_path= /pollvote/pollvote.php?pollname= /sources/post.php?fil_config= /modules/My_eGallery/public/displayCategory.php?basepath= /bb_lib/checkdb.inc.php?libpach= /include/livre_include.php?no_connect=lol&chem_absolu= /index.php?from_market=Y&pageurl= /modules/mod_mainmenu.php?mosConfig_absolute_path= /pivot/modules/module_db.php?pivot_path= /modules/4nAlbum/public/displayCategory.php?basepath= /derniers_commentaires.php?rep= /modules/coppermine/themes/default/theme.php?THEME_DIR= /modules/coppermine/include/init.inc.php?CPG_M_DIR= /modules/coppermine/themes/c
Read more

[Security] Internet blackout scheduled in protest of SOPA

Last night I spent an inordinate amount of time on reddit looking at pictures of baby hedgehogs, reading a Q&A with a theoretical physicist, and catching up on the intended blackouts protesting the Stop Online Piracy Act (SOPA) and its sister bill, Protect IP Act (PIPA). Haven’t heard about SOPA? It’s no wonder, since the mainstream media has been curiously silent on the issue. Maybe it’s because most of the big news outlets are owned by companies supporting SOPA. Nonetheless, reddit and others, such as Tucows, Cheezburger, game developer Red 5 Studios, and hacktivist group Anonymous, hope to make the issue broadly known with a coordinated internet blackout scheduled for January 18th. Things will really get interesting if the “nuclear option” is implemented where the likes of Wikipedia, Google, Facebook, Ebay, Yahoo!, LinkedIn, Tumblr, Mozilla, Twitter, and PayPal “go simultaneously dark” to join them in protest of the bill. You may have heard a blip of a news story during the
Read more