Malware Must Die!

The MalwareMustDie Blog (blog.malwaremustdie.org)

Wednesday, May 29, 2013

A story of a Spam Botnet Cutwail Trojan - Via fake Paypal's spam link w/redirector (92.38.227.2) backboned by BHEK2 (80.78.247.227)

Posted by unixfreaxjp at Wednesday, May 29, 2013

About #MalwareMustDie!

Launched in August 2012, MalwareMustDie (or MMD) is a registered non-profit whitehat organization, a blue-teaming medium that forms workflow activities to reduce malware on the internet ..


Links

  • RSS Feed
  • Home Page
  • Send Sample
  • News Search
  • Web Search
  • Linux Malware
  • Github Repository
  • Video News, Demo, Reports
  • "Tango down!" project (Archive)
  • Disclaimer & Sharing Guide

Recommended reading

MMD-0059-2016 - Linux/IRCTelnet (new Aidra) - A DDoS botnet aims IoT w/ IPv6 ready

It's a Kaiten/Tsunami? No.. STD?? No! It's a GayFgt/Torlus/Qbot? No!! Is it Mirai?? NO!! It's a Linux/IRCTelnet (new Aidra) ! ....

Malware Analysis / Threat Reports (Indexed)

  • MMD-0069-2024 - An old ELF Ransomware pivoted crypto (OpenSSL to PolarSSL) Linux/Encoder.1-2
  • MMD-0068-2024 - "FHAPPI Campaign" (APT10) FreeHosting APT "PSploit" Poison Ivy
  • MMD-0067-2021 - Recent talks on Linux process injection and shellcode analysis series (ROOTCON-2020, R2CON-2020 ++)
  • MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat
  • MMD-0065-2020 - Linux/Mirai-Fbot's new encryption explained
  • MMD-0064-2019 - Linux/AirDropBot
  • MMD-0063-2019 - Summary of three years research (Sept 2016-Sept 2019)
  • MMD-0062-2017 - IoT/Studels SSH-TCP Forward Threat
  • MMD-0061-2016 - EnergyMech 2.8 overkill mod
  • MMD-0060-2016 - Linux/UDPfker and ChinaZ threat today
  • MMD-0059-2016 - Linux/IRCTelnet (new Aidra)
  • MMD-0058-2016 - Linux/NyaDrop - MIPS IoT bad news
  • MMD-0057-2016 - Linux/LuaBot - IoT botnet as service
  • MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled
  • MMD-0055-2016 - Linux/PnScan ; A worm that still circles around
  • MMD-0054-2016 - ATMOS botnet facts you should know
  • MMD-0053-2016 - Linux/STD IRC Botnet: x00's CBack aka xxx.pokemon.inc
  • MMD-0052-2016 - Overview of Overall "SkidDDoS" Linux Botnet
  • MMD-0051-2016 - Debunking a Tiny Shellhock's ELF backdoor
  • MMD-0050-2016 - Linux/Torte infection (in Wordpress)
  • MMD-0049-2016 - Java Trojan Downloader/RCE) for minerd
  • MMD-0048-2016 - DDOS.TF = ELF & Win32 DDoS service with ASP + PHP/MySQL MOF webshells
  • MMD-0047-2015 - SSHV: SSH bruter Linux botnet w/hidden process rootkit
  • MMD-0046-2015 - Kelihos 10 nodes C2 / CNC on NJIIX (US) and its actor(Severa)
  • MMD-0045-2015 - Linux/KDefend: a new China origin Linux threat w/disclaimer
  • MMD-0044-2015 - Code disclosure of SkiDDoS threat
  • MMD-0043-2015 - Linux/Xor.DDOS Polymorphic feature
  • MMD-0042-2015 - Geting to Linux/Mr.Black actor via Zegost
  • MMD-0041-2015 - PE Mail-grabber Spambot & its C99 WebShell
  • MMD-0040-2015 - VBE Obfuscation & AutoIt Banco Trojan
  • MMD-0039-2015 - ChinaZ Linux/BillGates.Lite Edition
  • MMD-0038-2015 - ChinaZ's Ddos123.xyz
  • MMD-0037-2015 - Shellshock & Linux/XOR.DDoS C2
  • MMD-0036-2015 - KINS (ZeusVM)v2.0.0. builder & panel leaks
  • MMD-0035-2015 - Linux/.IptabLex or .IptabLes on Shellshock(by: ChinaZ)
  • MMD-0034-2015 - Linux/DES.Downloader on Elasticsearch
  • MMD-0033-2015 - Linux/XorDDoS case CNC:HOSTASA.ORG
  • MMD-0032-2015 - The ELF ChinaZ "reloaded"
  • MMD-0031-2015 - What is NetWire (multi platform) RAT
  • MMD-0030-2015 - New malware on Shellshock: Linux/ChinaZ
  • MMD-0029-2014 - Warning of Linux/Mayhem attack in Shellshock
  • MMD-0028-2014 - Linux/XOR.DDoS
  • MMD-0027-2014 - Linux/Bashdoor(GafGyt) & Small ELF Backdoor at shellshock
  • MMD-0026-2014 - Linux/AES.DDoS: Router Malware
  • MMD-0025-2014 - Linux/.IptabLex or .IptabLes - China/PRC origin DDoS bot
  • MMD-0024-2014 - Incident Report of Linux/Mayhem (LD_PRELOAD libworker.so)
  • MMD-0023-2014 - Linux/pscan & Linux/sshscan: SSH bruter malware
  • MMD-0022-2014 - Zendran, multi-arch Linux/Llightaidra - Part 1: background, installation, reversing & C2 access
  • MMD-0021-2014 - Linux/Elknot: China's origin ELF DDoS+backdoor
  • MMD-0020-2014 - Analysis of Linux/Mayhem infection: A shared libs ELF
  • MMD-0019-2014 - "Xakep.biz" evil tools
  • MMD-0018-2014 - Analysis note: "Upatre" is back to SSL?
  • MMD-0017-2014 - A post to sting Zeus P2P/Gameover
  • MMD-0016-2014 - The JackPOS Behind the Screen
  • MMD-0015-2014 - One upon the time with Phishing Session..
  • MMD-0014-2014 - New Locker: Prison Locker (aka: Power Locker)
  • MMD-0013-2014 - "Shadow Logger" - .NET's FUD Keylogger
  • MMD-0012-2013 - ARP Spoofing Malware
  • MMD-0011-2013 - Linux/Elknot - Let's be more serious about (mitigating) DNS Amp
  • MMD-0010-2013 - Wordpress Hack Case: Site's Credential Stealer
  • MMD-0009-2013 - JS/RunForrestRun DGA "Comeback" with new obfuscation
  • MMD-0008-2013 - What's Behind the #w00tw00t (PHP) Attack
  • MMD-0007-2013 - KINS? No! PowerZeuS, yes!
  • MMD-0006-2013 - Rogue 302-Redirector "Cushion Attack"
  • MMD-0005-2013 - A Leaked Malvertisement, Cutwail+BHEK & Triple Payloads of "Syria Campaign"
  • MMD-0004-2013 - "You hacked.. we cracked" - "WP Super Cache" & Glazunov EK
  • MMD-0003-2013 - First "comeback" of the .RU RunForrestRun's DGA
  • MMD-0002-2013 - How Cutwail and other SpamBot can fool (spoof) us?
  • MMD-0001-2013 - Proof of Concept of "CookieBomb" code injection attack
  • MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday

Presentation and Special Threat Reports

  • ROOTCON 2020 - Deeper diving into shellcode (advanced users)
  • R2CON 2020 - So you don't like shellcode too? (for r2 RE beginners)
  • HACK.LU 2019 Keynote talk: "Fileless Malware Infection and Linux Process Injection"
  • R2CON 2018 talk of: "Unpacking the non-unpackable ELF malware"
  • AVTOKYO 2013.5 - Threats of Kelihos, CookieBomb, RedKit's and its Bad Actor
  • BOTCONF 2013 - Kelihos: Botnet, Takedown, Mule Actor
  • CVE-2013-0634 This "Lady" Boyle is not a nice Lady at all
  • MMD-068-2024 - "FHAPPI Campaign" (APT10) FreeHosting APT PowerSploit Poison Ivy
  • APT-32 - The Vietnam Journalist Spy Campaign
  • Targeted attack of "Operation Torpedo"
  • Protest against usage of NSA malware spytool PITCHIMPAIR & INNOVATION on friendly countries
  • China/PRC origin Linux botnet's malware infection and its distribution scheme unleashed
  • Full disclosure of 309 Bots/Botnet Source Codes Found via Germany Torrent
  • The Evil Came Back: Linux/Darkleech's Apache Malware Module
  • DDoS in a Bruter Service - A camouflage of Stresser/Booter
  • How EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future?
  • A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 2
  • A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 1
  • Case Study: How legitimate internet services like Amazon AWS, DropBox, Google Project/Code & ShortURL got abused to infect malware
  • Just another story of UNIX Trojan Tsunami/Kaiten.c (IRC/Bot) w/ Flooder, Backdoor at a hacked xBSD case
  • Discontinuation of "Malware Crusader" public forum
  • Hall of Shame

Non-indexed (older) Analysis

  • Decoding Guide for CookieBomb's (as Front-end) Latest Threat, with Evil ESD.PHP Redirection (as the Back-end)
  • Some Decoding note(s) on modified #CookieBomb attack's obfuscated injection code
  • What is behind #CookieBomb attack? (by @malm0u53)
  • ..And another "detonating" method of CookieBomb 2.0 - Part 2
  • ..And another "detonating" method of CookieBomb 2.0 - Part 1
  • New PseudoRandom (JS/runforestrun?xxx=)
  • JS/RunForrestRun Infection ComeBack
  • CNC analysis of Citadel Trojan Bot-Agent - Part 2
  • CNC analysis of Citadel Trojan Bot-Agent - Part 1
  • Cracking of Strong Encrypted PHP / IRC Bot (PBOT)


(c)MalwareMustDie, 2012-2021. Read LEGAL DISCLAIMER before quoting or copying our contents. Powered by Blogger.