Comments on Blaze's Security Blog: Latest UPS spam runs include exploits

Anonymous, 2013-11-07 11:07 +01:00
In my examples the two files dropped were the same, i.e.
\Local Settings\Temp\WINWORD.EXE
\All Users\Application Data\baebadcaacbfcbcdsacfsfdsf.exe
were two copies of the same file.

Social Cubix Reviews, 2013-11-11 07:51 +01:00
Spammers are luring victims through well-crafted emails that appear to be legitimate and ask the recipient to click on a link which leads them to a hacked website. Code that has been inserted on that website by hackers then redirects them to a landing page which houses the exploit and drops the malware. Oftentimes there is more than one level of redirection involved, so a hacked site will forward to another hacked site, which will then redirect to the actual exploit site.

Anonymous, 2013-11-11 15:35 +01:00
Hey!
How did you get the shellcode manually?
Really good post btw!

H. Carvey, 2013-11-13 14:59 +01:00
> The malware creates persistence by:
> injecting into explorer.exe
> Creating a key as follows: HKU\%S-ID-User%\SOFTWARE\eccbcffbaaedfcsacfsfdsf

Creating a Registry key as you describe does not make the malware persistent... Windows does not automatically load/run the contents of random keys.

H. Carvey, 2013-11-13 15:01 +01:00
Also, if the malware uses the key that you mention for persistence, how does the recommendation of "Look for suspicious Run keys..." help disinfect the system?

I'm just curious... thanks.

Bart, 2013-11-22 10:32 +01:00
Hey! You first need to extract OLE objects from the file using RTFscan, for example. Then you can use hachoir or hexdump to take a look at and dump the .bin file you extracted from the OLE object... That's how I found it.

There are 2 great posts on SANS about this subject:
https://isc.sans.edu/diary/Getting+the+EXE+out+of+the+RTF+again/8506
https://isc.sans.edu/diary/Analyzing+Malicious+RTF+Files+Using+OfficeMalScanner%27s+RTFScan/14092

Let me know if you have any other questions!

Bart, 2013-11-22 10:40 +01:00
Hi Harlan,

You're right, obviously this must have been the Run key for the currently logged on user:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Thanks, I have changed it in the article.
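Bart's reply about getting at the dropped payload (extract the OLE object from the RTF, then inspect the .bin) boils down to decoding the \objdata hex stream and walking the OLE 1.0 object header in front of the embedded file. The following is an added Python example, not code from the blog, RTFScan or hachoir: it does that first extraction step and labels what the native payload is; SAMPLE_RTF is constructed for the demonstration and ole1_wrap exists only to build it.

```python
import binascii
import re
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (Word/Excel/OLE2 storage)
PE_MAGIC = b"MZ"                                  # DOS/PE executable header

def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode every \\objdata hex stream in the RTF into raw bytes (whitespace and newlines ignored)."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # obfuscated RTFs sometimes pad the stream with a stray nibble
            hexdata = hexdata[:-1]
        blobs.append(binascii.unhexlify(hexdata))
    return blobs

def _read_lp_string(buf: bytes, off: int):
    """OLE1 LengthPrefixedAnsiString: 4-byte length, then that many NUL-terminated bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n].rstrip(b"\x00"), off + 4 + n

def parse_ole1_object(blob: bytes) -> dict:
    """Walk the OLE 1.0 ObjectHeader that \\objdata carries and pull out the embedded native data."""
    version, format_id = struct.unpack_from("<II", blob, 0)   # FormatID 2 = embedded object
    class_name, off = _read_lp_string(blob, 8)
    _topic, off = _read_lp_string(blob, off)                  # empty for embedded objects
    _item, off = _read_lp_string(blob, off)                   # empty for embedded objects
    (size,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + size]
    kind = ("ole2-compound" if native.startswith(OLE2_MAGIC)
            else "pe-executable" if native.startswith(PE_MAGIC) else "unknown")
    return {"version": version, "format_id": format_id, "class_name": class_name.decode("latin-1"),
            "native_size": size, "native": native, "kind": kind}

def dump_objects(rtf: bytes) -> list:
    """RTFScan-style pass: every \\objdata stream parsed into its OLE1 wrapper and payload."""
    return [parse_ole1_object(b) for b in extract_objdata_blobs(rtf)]

def ole1_wrap(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE1 embedded-object wrapper (used only to construct the sample below)."""
    cn = class_name + b"\x00"
    return (struct.pack("<II", 0x00000501, 2) + struct.pack("<I", len(cn)) + cn
            + struct.pack("<II", 0, 0) + struct.pack("<I", len(native)) + native)

# Constructed sample, not a file from the post: one embedded Package object whose payload starts "MZ".
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
              + binascii.hexlify(ole1_wrap(b"Package", b"MZ" + b"\x90" * 14 + b"PE\x00\x00"))
              + b"\n}}\\par}")
```

Write each entry's "native" bytes to a .bin file and that is the object you would then open in hachoir or hexdump, as Bart describes.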