Jul 25 Mac Olyx backdoor + Gh0st Backdoor in RAR archive related to July 2009 Ürümqi riots in China (Samples included)

The recently discovered Backdoor for Mac Olyx (Criminals gain control over Mac with BackDoor.Olyx)  was used for targeted attacks (or what it appears to be), which is not surprising. As Microsoft pointed out, in addition to malware, the package contains an html page and photos from a Wikipedia page for events dated July 5, 2009, however it appears that all photos relate to one event - July 2009 Ürümqi riots in China. 

"Government censors disabled keyword searches for "Urumqi", and blocked access to Facebook and Twitter as well as local alternatives Fanfou and Youku. Chinese news sites mainly fed from Xinhua news service for updates about the rioting in Urumqi, comments features on websites were disabled on some stories to prevent negative posts about the lack of news. Internet connections in Urumqi were reportedly down.Many unauthorized postings on local sites and Google were said to have been "harmonised" by government censors, and emails containing terms related to the riots were blocked or edited to prevent discord."

Perhaps the trojans found in the package Ghostnet backdoor as Backdoor:Win32/Remosh.A. and the new Backdoor:MacOS_X/Olyx.A were destined for a Chinese human rights activist, as he/she would be likely to be interested in this particular event update. In addition, it is known that many of the Gh0stnet targets were  human rights activists.

Jul 12 RTLO rar with trojan Taidoor - former President Lee Teng-hui seriously ill

 
I wanted to release this one as part of a pack (several semi related posts together) but seems like it takes too long, so I just post it. This one is not much different from what you saw before, just another taidoor trojan for your collection sent within RTLO rar archive. According to Microsoft Malware Protection Center Trojan Taidoor / Rubinurd is a bot capable to download and upload files to / from the attackers' server, and execute commands on the system. It is prevalent in Taiwan (at least 1/2 of all detections are there) and is relatively new - emerged in September 2010. This is a file sent in Taiwan from a Taiwan server.

Exploit Information

RTLO
More about RTLO is here Right to Left Override unicode can be used for multiple spoofing cases by Jordi Chancel:

"RTLO is a technique exploiting the RIGHT TO LEFT OVERRIDE unicode and than it will always cause the directional reverse reading order of others characters followed it including the extension-type of malicious file! This UNICODE of which we will simplify name by [RTLO] doesnt can see owing to the fact that its characters and its place are invisible. Use RTLO for reverse the direction of reading of the file names including the extension of concerned file while keeping same the types of execution.
Example: To use a syntax like “SexyPictureGirlAl[RTLO]gpj.exe” be read “SexyPictureGirlAlexe.jpg”

TROJAN TAIDOOR/ RUBINURD (as payload)

It produces traffic as below
http://someipordomain/qfgkt.php?id=030696111D308D0E8D
http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy - 12 char more or less constant string - which is encoded mac address of the system

Why contagio will never have ads

Navigating a mine field. I've seen worse.

Jul 13 CVE-2010-2883 PDF Meeting Agenda with more Poison Ivy www.adv138mail.com | 112.121.171.94

Here is one more for a full collection - same malware and sender as in the previous post.  This message, targeting experts on Japan, China, Taiwan / USA relationship, was sent on July 13,2011. The attached pdf exploits CVE-2010-2883 (2/43 VT, encrypted) with poison ivy (keylogging) payload, connecting to www.adv138mail.com. The domains serving PI and listed below were registered by DNS.com.cn, which has a poor reputation. These domains/IP have been CnC for poison ivy for a while, consider the posts below.

Other PI domains noted are:
web.adv138mail.com; -2011
dns.adv138mail.com - 2011 (thank you, John)

www.adv138mail.com  - 2011 - 112.121.171.94  
pu.flower-show.org - 2011 - 112.121.171.94

cecon.flower-show.org - 2010   
posere.flower-show.org - 2009

112.121.171.94  Nov.adv138mail.com, ftp.adv138mail.com and asm.adv138mail.com point to 112.121.171.94.

• Contagio | Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from 112.121.171.94 | pu.flower-show.org
• Contagio | More flowers with some poison ivy - Feb. 10, 2010
• F-secure | Watch Out for flower-show.org - Feb.10, 2010
• ISC | Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324 - Jan 4, 2010 

Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from 112.121.171.94 | pu.flower-show.org

Update Jul 13. Considering that this pdf is very low detection, I decided to post some of the target domains here in case it helps them to prevent or identify infections.

The non-gmail domains included:

usjapancouncil.org, spfusa.org, vanderbilt.edu, comdt.uscg.mil, miis.edu

If you work at one of those places and must know the actual recipient, you can contact me. ~ Mila

The message, targeting experts on Japan, China, Taiwan / USA relationship was sent on July 5. The attached pdf exploits CVE-2010-2883 (2/43 VT, encrypted) with poison ivy (keylogging) payload, connecting to pu.flower-show.org. This domain has been CnC for poison ivy for a while, consider these posts
Contagio | More flowers with some poison ivy - Feb. 10, 2010
F-secure | Watch Out for flower-show.org - Feb.10, 2010
ISC | Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324 - Jan 4, 2010 

Other PI domains noted are:
pu.flower-show.org - 2011
cecon.flower-show.org - 2010
posere.flower-show.org - 2009

New CONTAGIOminiDUMP - mobile malware is moving !!!

Please welcome the new section of Contagio - CONTAGIOminiDUMP.BLOGSPOT.COM
The old mobile malware Mini-dump (aka "Take a sample, leave a sample" ) grew too large and difficult to use. This section will allow better organization of all the mobile malware. There are not that many samples but it is steadily growing.

This is a work in progress and please send or post your comments regarding the design, hosting, organization and such.

Many thanks to Tim Strazzere for catalyzing the upgrade :)

You will be able to access the new location from contagio - it won't be too hard to find.

 ~ Mila

Take a sample, leave a sample. Mobile malware mini-dump - July 8 Update

This post and all mobile malware moved to contagiominidump.blogspot.com

I frequently get requests for already published on Contagio mobile malware and also new files that might be mentioned in the media and blogs. I do not really have a large collection of mobile malware but I welcome the submissions.
Here is a folder with the most recent files I have. If you use upload feature on the blog (see below) and send more mobile malware samples, they will be added to this folder for everyone to come and use.

Download

Download files from the mobile malware mini-dump (new link)
 use infected for the password

Current list (~50+ downloads = around 200 individual files as of June, 2011). Hyperlinks lead to Virustotal
Download from the dump link above or click on "download" link if present

1. Zitmo Android Edition (Zeus for mobile) ecbbce17053d6eaf9bf9cb7c71d0af8d  Download (thanks to anonymous, July 8, 2011)  Zitmo hits Android Axelle Apvrille- Fortinet
2. GoldDream.A  BloodvsZombie_com.gamelio.DrawSlasher_1_1.0.1.apk b87f2f3a927bf967736ed43ca2dbfb60 (many  thanks for the sample to oren@avg-mobilation July 6,2011) Download Read more:Security Alert: New Android Malware -- GoldDream -- Found in Alternative App Markets  Xuxian Jiang
3. GoldDream.B v1.0_com.GoldDream.pg_1_1.0.apk f66ee5b8625192d0c17c0736d208b0b (many  thanks for the sample to oren@avg-mobilation July 6,2011) Download Read more: Security Alert: New Android Malware -- GoldDream -- Found in Alternative App Markets  Xuxian Jiang
   
4. DroidKungFu2 -A _com.allen.txthej_1_1.0 F438ED38B59F772E03EB2CAB97FC7685 (many  thanks for the sample to oren@avg-mobilation July 3,2011) Download  Read more: Security Alert: New DroidKungFu Variants Found in Alternative Chinese Android Markets 
   
5. DroidKungFu2 -B __com.tutusw.onekeyvpn_7_1.1.6_54bc7a8fb184884a26e4cce74697d3a5 (many  thanks for the sample to oren@avg-mobilation July 3,2011) Download  Read more: Security Alert: New DroidKungFu Variants Found in Alternative Chinese Android Markets 
   

Rootkit TDL-4 (TDSS, Alureon.DX, Olmarik, TDL) 32-bit and 64-bit Sample + Analysis links - Update July 7

Old version 3 -  See August 27, 2010  TDL3 dropper (x86 compatible with x64 systems).

General File Information - April 2011

 This is an updated version of TDL4, which made a lot of news recently thanks to being named the ‘indestructible’ botnet. This is the last / current version and it is dated April 2011 (the previous version is from January 2011)

All the credits and many thanks for the files and comments go to @EP_X0FF @InsaneKaos @markusg @USForce from KernelMode.info. I am posting the files and their comments here because of the the large number of inquiries for the updated version.

KernelMode.info:
Version TDL4 (April 2011 edition)

1) Bypassed Microsoft patch (STATUS_INVALID_IMAGE_HASH error overwritten) to be able again to infect x64 OS
2) Bypasssed Microsoft patch to kdcom.dll (this version of TDL4 checks kdcom resource directory size on the x64 version of it, whether it is == 0x110 || 0xFA)
2) Improved disk minport filtering hook

Version history:

1. 0.01 firstly detected ITW in the end of July 2010
2. 0.02 August 2010, version with x64 support
3. 0.03 September 2010, small changes, new C&C library
4. In April 2011 Microsoft released KB2506014 targeting 0.03 version, exactly boot loader and kd dll - and it was able to successfully prevent TDL4 from working. However, the rootkit support strike back within two weeks releasing their update, which could bypass the MS patch. The rootkit version wasn't changed.

Related articles:

• The Evolution of TDL: Conquering x64 ESET Eugene Rodionov, Aleksandr Matrosov
• June 27, 2011 TDL4 – Top Bot - Kaspersky - Sergey Golovanov, Igor Soumenkov
• May 1, 2011  TDL4 rootkit is coming back stronger than before  - Prevx Marco Giuliani

List of samples included

File: TDL4.exe
Size: 146944
MD5:  4A052246C5551E83D2D55F80E72F03EB
http://www.virustotal.com/file-scan/report.html?id=b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5-1305275113

File: dll (2).exe
Size: 140288
MD5:  D69B02C1ACD87B5A5C33B19693E24020
http://www.virustotal.com/file-scan/report.html?id=fe165840b709adb5b7765ea329c317f64d05a402873c8d8cea84873cbe192bf4-1304405700

File: DLL.exe
Size: 140288
MD5:  A1DE5B3607845F5C6597528BE02EBDA5
http://www.virustotal.com/file-scan/report.html?id=1aa5708519389ddcf96fa6206cf274844414c58bff6e3f8338188364449f4509-1304402425



Download TDL4 - April 2011 edition files listed above as a password protected archive (contact me if you need the password)