
Looking through the most recent reports on malwr.com, a sample sparked my interest because it suits my current interest in domain generation algorithms (DGA). Virus scanners label the sample as Symmi; other names for the same or similar malware family are MewsSpy and Graftor. The sample is very noisy. It tries to resolve many domains in a short period of time — limited only by the response time of the DNS server: There are hardly any samples online that match the above DGA pattern; I only...


The Shiotob malware family steals user credentials, most notably information related to banking. The malware injects itself into legitimate processes, for instance explorer.exe. To contact its C&C servers Shiotob uses a Domain Generation Algorithm (DGA), for example:

02:31:53 HTTP connection, method: GET, URL: http://www.google.com/
02:31:53 HTTPS connection, method: POST, URL: https://wtipubctwiekhir.net/gnu/
02:31:53 HTTPS connection, method: POST, URL: https://rwmu35avqo12tqc.com/gnu...


Ramnit is a Zeus-like malware from 2010 used to spy on infected users. Although the malware isn't as prevalent as it used to be, there are still many recent submissions. Ramnit uses a Domain Generation Algorithm (DGA) to contact its C2 server. Upon infection, the sample starts to make DNS queries for many different domains in rapid succession: I reverse engineered the underlying DGA as a Sunday afternoon RCE exercise. I used a fairly recent Ramnit sample from Malware-Traffic-Analysis. DGA...

The DGA of newGOZ: the algorithm behind the domains of the ZeuS Gameover variant newGOZ


Gameover Zeus (also known as Peer-to-Peer ZeuS) is a variant of ZeuS from 2012. It uses a Domain Generation Algorithm (DGA) to contact the C2 servers – a feature that traditional ZeuS doesn't have. The excellent report "ZeuS-P2P: monitoring and analysis" by CERT Polska analyses many aspects of Gameover, including the DGA. Since the report was published in 2013, a mutation of the original Gameover has appeared, dubbed newGOZ. One of the first articles on the variant was written by Malcovery Security...


This crackme was published December 7th, 2014. It is rated "3 – Getting harder". The description reads: "First, sorry for my bad English, my main language is German. I have created a keygenme, called Crackme#1. It is not so hard, but nothing for newbies. The difficulty is your choice. The Goal: Create a working keygen." In the first part of this solution I show how to reverse engineer the underlying math equation of this crackme. The second part then is all about solving the equation, this...