In a series of blog posts our colleagues at Trend and AlienVault have detailed recent attacks on NGOs, and how trojanized RTF files have been used as vehicles to plant various remote access trojans on unsuspecting users using the CVE-2012-0158 vulnerability. In addition, they both mention that apparently stolen digital …
Despite reports that digitally signed malware is becoming more common, it still calls for a bit of attention when a new stolen certificate is found. Much signed malware is either signed with a certificate which is known to be on the loose, or signed with a self-signed (and thus untrusted) certificate, …
Sogu (alias Thoper, TVT, Destory Rat etc.) is a large remote access trojan that has been used in a number of intrusions and targeted attacks. One of these was the large-scale intrusion into servers owned by SK Communications in South Korea in July 2011, where personal information of up to …
In an article yesterday, CNN mentions two malicious programs used to target the Syrian opposition; one which displays a message about downloading a free security program, and one which showed no action when executed. We have seen more of these. Most of the ones we’ve seen come as self-extracting RAR executables …
October 26th, 2010 the homepage of the Norwegian Nobel Peace Prize Committee was compromised with a 0-day exploit designed for Mozilla Firefox. The Norwegian telecommunications company Telenor discovered this, and notified NorCERT and us. How the Nobel site was compromised is not known. However, the details around the installed malware …
Between the holidays I found a very simple but digitally signed malcode. It basically does one single thing: it overwrites the hosts file. The modification is as follows: 175.41.21.11 www.chsi.com.cn The hosts file modification has the effect of overriding any DNS queries for chsi.com.cn so that it points to a …
I sometimes sample the stream of files that come from VirusTotal, so as not to lose touch with what malware is actually floating around. Of special interest are the files where few or only we have detection, because there is a higher probability that such files are false positives that …
This story starts with a compromised code signing certificate. It belongs to YNK Japan Inc, a subsidiary of YNK Korea. YNK makes online games such as “R.O.H.A.N : Blood Feud” and “Seal Online : Eternal Destiny”. The certificate has the following data: Serial Number: 046931BF57EBC5947D3DC4EE7A236E Common Name: YNK JAPAN Inc …
Odivy is a family of backdoor trojans, reportedly used in attacks against the chemical industry, the so-called Nitro attacks. Most of the ones mentioned in this attack are structured as WinRAR self-extracting (SFX) archives, typically containing two files: one executable and one data file with a *.TXT extension. This may …
Reversing Windows code requires knowledge of a lot of internal Windows structures, or at least knowing where to find information about them. So I thought I would compile some of the known information into cheat sheets. Today’s entry covers the structures returned or set by the NtQueryInformationProcess or NtSetInformationProcess calls. …
Norman Blog Archive