Saturday, September 21, 2019

MMD-0063-2019 - Summary of 3 years MMD research (Sept 2016-Sept 2019)

Hello, it's unixfreaxjp here. It has been a while since I wrote our own blog, and it is good to be back. Thank you for your patience for all of this time. If you want to see what we were doing during all of our silence time just click this link

The background / TLDR

It was in September 2016 when we decided to move our blog and since then myself and the team had a lot of fun in learning and experimenting with "Jekyll" (based on "Poole") and "BlackDoc", and I just convert all posts statically into "Markdown" and all syntax highlighter into "Rouge" highlighter with templates coded in "Liquid", and I was seriously dealing with Ruby codes on FreeBSD for it. Wasn't easy, but with helps from the community and the team, we did that, and I have learned about several blog systems a lot.
I assure you it absolutely need a great effort to move or convert a blog as big as this, but at that time, the reason why we had to move was principally way much more crucial than such resource matter. And now we have capability to move our blog to anywhere, at anytime we want too.

Then, during the process, the MMD research has been going on as usual. On posting my research I moved along to try out several platforms, it's good to actually know that we don't have to depend only into one platform, and 3 (three) fun years out there was making us learning a lot about other reliable services here and there. What myself and the mates have learned is, in using any services, either it's your own or other party's ones, they all are obviously having their pro's and con's. And frankly speaking, you won't know those con's unless you literally go there and try them yourself.

So, here we are, back to service where we first started to do MalwareMustDie blog. And I met with several cool guys found that the Blogger environment is way nicer and more in privacy efforts than before, thank you Google for doing the hard work in satisfying and securing blog users. So I just set it up and switched all access to HTTPS and hopefully the broken-links effect are minimum. For the unnoticed broken links occurs during this transition please adjust the URL's subdomain from to, this should fix that up. For those who previously had problem with broken RSS this HTTPS effort may be a good news for you. And, you can still access the MMD (MalwareMustDie) blog under sub-domain of "blog2" with HTTP, yet I won't add more posts in there though, and I will minimize its service.

The flip side of all of these 3years of adventure is, now I have my research materials scattering around all over the internet(smile). Oh yes, the activity has been actively going on as usual and we're learning a better OpSec too. The security awareness is also blooming better than before, which is happy things to see..not like what we had before in 2012, Even now I am still hanging out with our friends and we're still on to dissecting cyber threat or malware.. Linux or not.. Intel CPU or not, and to be noted: I am still a great fan of radare2 and FreeBSD!

I think some followers may not know what we've been doing all of these three years, or maybe they can't track well our activities on our security research, so I decided to list some links for you to catch up with for the public related threat only. Some of those reports are just screenshots with comments (security related pictures really paint thousand words), some are just text posts or analysis comments, but all contains important information.
Does this means I am posting analysis blog again? Well, you're going to find that out too :)

Here's the list of what's been done during these three years, enjoy:
(For the previous Linux Malware Research list can be seen in here [link])

1. Windows related malware posts

Raccoon stealer infection in the wild

Dissecting on memory post exploitation powershell beacon w/ radare2

Intel POPSS Vulnerability PoC Reversed




"FHAPPI attack" : FreeHosting APT PowerSploit Poison Ivy

2. Linux related malware posts

Honda Car's Panel's Rootkit from China




Linux/DDoSTF today

GoARM.Bot + static strip ARM ELF by ChinaZ

Linux/ChinaZ Edition 2


Linux/Haiduc (bruter/memo)






Linux/Mandibule (Process Injector)

So Many Mirai..Mirai on the wall)

Today's Kaiten and PerlDDoS

Linux/STD bot

Linux/Kaiten (modded ver) in Google clouds

Linux/Qbot or GafGyt Kansas city?

ChinaZ gang is back to shellshock drops Elknot abuses USA networks

3. Mac OSX related malware posts


OSX/MachO-PUP (a quickie)

4. Other malware reports

Webshell/r57shell, and..

I also posted either in VirusTotal comments, or previously posted some on kernelmode(not anymore), or sometimes making several posts or notes in reddit.

We also has opened the public twitter with handle of @MalwareMustD1e, a lot of analysis screenshots as awareness are posted in there too along with several news of forensics tools for education and development matters, feel free to follow or check the time line. Again, the previous Linux Malware Research list is also available.

5. My talks on security conference

About my presentation of: "Unpacking the non-unpackable" (ELF packers talk) in R2CON2018


I may edit/change my posts to adjust or brush up their contents along with this post on transitioning the services, so there will be addition or changes.

Please stay safe, don't code/use bad stuff, and enjoy the summary!