Saturday, September 21, 2019

MMD-0063-2019 - Summarized report of all three years MalwareMustDie research (Sept 2016-Sept 2019)

Hello, it's unixfreaxjp here. It has been a while since I wrote our own blog, and it is good to be back. Thank you for your patience for all of this time.

The background

It was after September 2016 that we decided to move our blog, and since then I have had a lot of fun learning and experimenting with "Jekyll" (based on "Poole") and "BlackDoc". I converted all posts statically into "Markdown" and switched all syntax highlighting to the "Rouge" highlighter with templates coded in "Liquid", and I was seriously dealing with coding in Ruby on FreeBSD for it. It wasn't easy, but with help from the team we did it, and I learned a lot.

Then, for posting my research, I moved along and tried out several platforms. It is good to actually know that we don't have to depend on only one platform, and three years out there taught us a lot about other reliable services here and there. What my mates and I have learned is that in using any media service, whether your own or a third party's, each one has its pros and cons. And frankly speaking, you won't know for sure about each of those cons unless you go out there and try them yourself.

So here we are, back on the service where we first started the MalwareMustDie blog. I found that the environment is way nicer than before; thank you Google for doing the hard work of satisfying and securing bloggers. I just set it up and switched all access to HTTPS, and hopefully the broken-link effect is minimal. For any unnoticed broken links that occur during this transition, please change the URL's subdomain from blog.malwaremustdie.org to blog2.malwaremustdie.org; this should fix that up. For those who previously had problems with broken RSS, this HTTPS effort may be good news for you. You can still access the MMD (MalwareMustDie) blog under the "blog2" sub-domain over HTTP, but I won't add more posts there, and I will minimize its service.

The flip side of all of these adventures is that now I have my research materials scattered all over the internet from these past three years (smile). Oh yes, the research and its activity have been going on as usual, but now we're happy that we don't need to make much noise anymore (and we're also practicing better OpSec); security awareness is also blooming, not like what we had back in 2012. I am still hanging out with our friends and we're still dissecting malware, Linux or not, Intel CPU ones or not, and to be noted: I am still a great fan of radare2 and FreeBSD!

I think some followers may not know what we've been doing all these three years, or maybe they can't easily track our security research activities, so I decided to list some links for you to catch up with, for the publicly related threats only. Some of those reports are just screenshots with comments (security-related pictures really paint a thousand words), some are just text posts or analysis comments, but all contain important information.
Does this mean I am posting analysis blogs again? Well, you're going to find that out too :)

Here's the list of what's been done during these three years, enjoy:
(The previous Linux Malware Research list can be seen here [link])

1. Windows related malware posts

Raccoon stealer infection in the wild

Dissecting on memory post exploitation powershell beacon w/ radare2

Intel POPSS Vulnerability PoC Reversed

Win32/TelegramSpyBot

Win32/WaRAT

Win32/Bayrob

"FHAPPI attack" : FreeHosting APT PowerSploit Poison Ivy

2. Linux related malware posts

Honda Car's Panel's Rootkit from China

Linux/SystemTen

Linux/Httpsd

Linux/SS(Shark)

Linux/DDoSTF today

GoARM.Bot + static strip ARM ELF by ChinaZ

Linux/ChinaZ Edition 2

Linux/CarpeDiem

Linux/Haiduc (bruter/memo)

Linux/Vulcan

Linux/HelloBot

Linux/Cayosin

Linux/DDoSMan

Linux/Mirai-Miori

Linux/Mandibule (Process Injector)

So Many Mirai.. Mirai on the wall

Today's Kaiten and PerlDDoS

Linux/STD bot

Linux/Kaiten (modded ver) in Google clouds

Linux/Qbot or GafGyt ..in Kansas city?

ChinaZ gang is back to shellshock drops Elknot abuses USA networks

3. Mac OSX related malware posts

OSX/MugTheSec

OSX/MachO-PUP (a quickie)

4. Other malware reports

Webshell/r57shell, and..

I also posted in VirusTotal comments, previously posted some on kernelmode (not anymore), and sometimes made several posts or notes on reddit. We have also opened a public Twitter account with the handle @MalwareMustD1e; a lot of analysis screenshots for awareness are posted there too, along with news on forensics tool development matters, so feel free to follow or check the timeline. Again, the previous Linux Malware Research list is also available.

5. My talks at security conferences

About my presentation "Unpacking the non-unpackable" (ELF packers talk) at R2CON2018

Epilogue

I may edit/change my posts to adjust or brush up their contents, along with this post, while transitioning the services, so there will be additions or changes.

Please stay safe, don't code/use bad stuff, and enjoy the summary!

#MalwareMustDie!
