Actus Sécurité Confirmé 2012 S29

Did a Google search, a 'ping' or a 'trackback' bring you here? What is this catch-all list of links? Gnan! I'm not spam, and I'm not a 'planet'! :D I invite you to read the introductory post for this 'brève' (a personal news watch) to see what it is about.


=> The Flame: Questions and Answers. 28/05/2012. «Duqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East – but now we’ve found what might be the most sophisticated cyber weapon yet unleashed. The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame (…).»
Source:
Related posts:
28/05/2012. Identification of a New Targeted Cyber-Attack :
28/05/2012. Flame malware – more details of targeted cyber attack in Middle East :
29/05/2012. Cuckoo in Flame :
29/05/2012. Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East :
29/05/2012. Flame: Bunny, Frog, Munch and BeetleJuice… :
30/05/2012. Flamer worm :
30/05/2012. Flame: Component soapr32.ocx :
30/05/2012. Flamer/sKyWIper Malware: Analysis :
30/05/2012. How old is Flame? :
31/05/2012. CrySyS Lab sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks [pdf] :
31/05/2012. Flame: msglu32.ocx, Component That Can Track Location :
01/06/2012. W32.Flamer: Spreading Mechanism Tricks and Exploits :
01/06/2012. Flamer aka skywiper :
01/06/2012. Defeating Flame String Obfuscation with IDAPython :
01/06/2012. Flamer /SkyWiper Samples :
04/06/2012. ‘Gadget’ in the middle: Flame malware spreading vector identified :
04/06/2012. The Roof Is on Fire: Tackling Flame’s C&C Servers :
04/06/2012. Flame, certificates, collisions. Oh my. :
06/06/2012. Flame: Replication via Windows Update MITM proxy server :
11/06/2012. Back to Stuxnet: the missing link :
12/06/2012. Flame USB dot file confirmed :
12/06/2012. Flamer string decoder :
18/06/2012. Analysis of Flame WuSetupV.exe URL parameters :
21/06/2012. Analysis of functions used to encode strings in Flame (GDB script) :
25/06/2012. The Day The Stuxnet Died :
20/07/2012. Flame, Duqu and Stuxnet: in-depth code analysis of mssecmgr.ocx :

=> Ransomware ‘Holds Up’ Victims. 30/05/2012. «The current “ransomware” campaign uses a novel approach to extort money from naive Internet users. Malware from cybercriminals infects personal computers by claiming to be a genuine Windows update (…).»
Source:

=> Duqu's generic hooking engine. 30/05/2012. «After the boring stage 1, it was hard to get motivated for the second stage. But it was worth it; I thought this sample was a keylogger, as documented on the net, but that is not the case. It is a pretty nice generic hooking engine. The hooks are placed on (…).» Publications by
Source:
Related posts:
29/05/2012. Presentation & example of our ASM ripper :
30/05/2012. Generic hooking engine from Duqu :
30/05/2012. Dionaea auto-submit configuration :
08/07/2012. AutoIT ransomware :

=> Is a new Zsone Under Development? #Android. 31/05/2012. «Android malware news: a year after Zsone’s discovery, we’ve come across a new variant. Or at least a sample that causes us to ask, is a new variant under development? This new Zsone uses a native component for its SMS sending routine (…).»
Source:

=> Inside the Attacker's Toolbox: Botnet Credit Card Validation Scripts. 31/05/2012. «In our previous blog post "Inside the Attacker's Toolbox: Botnet Web Attack Scripts" we analyzed some botnet scripts that SpiderLabs Research team had captured that are used to conduct massive attack scanning traffic. In this installment, we will take a look at a php script that is used by Botnet owners to validate credit card data that has been illegally obtained (…).»
Source:

=> Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode. 06/06/2012. «SophosLabs has been monitoring a new strain of the infamous ZeroAccess rootkit that has been hitting the internet over the last few weeks (…).»
Source:
Related posts:
13/06/2012. ZeroAccess’s Way of Self-Deletion :
22/06/2012. ZeroAccess – new steps in evolution :
28/06/2012. Malware Analysis: New C&C Protocol for ZeroAccess/Sirefef :
28/06/2012. ZeroAccess: code injection chronicles :

=> ‘Bioskits’ Join Ranks of Stealth Malware. 07/06/2012. «We have seen many discussions of the MyBios “Bioskit” discovered at the end of 2011. MyBios was the first malware to successfully infect the Award BIOS and survive the reboot. It was first discovered by a Chinese security company; many other security vendors published detailed analyses after that. We have seen a lot of samples targeting the master boot record (MBR) to survive a reboot and reinfect a system. We found a sample in our collection that infected the MBR. Further investigation showed that the next variant of the malware was a Bioskit. The first variant of the malware was an executable that infected the MBR; the second was a DLL with the Bioskit component. We will discuss the second variant in this blog (…).»
Source:

=> MP-DDoser: A rapidly improving DDoS threat. 07/06/2012. «This blog post is the fifth installment in our ongoing series of articles surveying the crypto systems used by different DDoS-capable malware families. Today’s topic is MP-DDoser, also known as “IP-Killer” (…).»
Source:

=> MBR Malware Analysis. 08/06/2012. «So I've read a few articles lately on the return of MBR malware so I figured I would take a look at a sample (…).»
Source:

=> NGR Rootkit. 13/06/2012. «NGR Bot (also known as Dorkbot) was examined to be a user-mode rootkit that could be remotely controlled via Internet-Relay-Chat (IRC) protocol. It was designed with the intention to steal digital identity, perform denial of service, and manipulate the domain name resolution (…).»
Source:
Related posts:
08/06/2012. NGR Bot Analysis – Virus Bulletin Paper [Download] :

=> How to infiltrate affiliate programs. 19/06/2012. «Starting into affiliate infiltration is not an easy thing when you have no starting point; I got a lot of help requests regarding this via e-mail. Firstly… where can I find affiliate programs..? (…).» I have not listed all of Xylt0l's links for the period covered by this brève, but there is some interesting reading :)
Source:

=> XPAJ: Reversing a Windows x64 Bootkit. 19/06/2012. «The number of bootkits is steadily growing. All kinds of new bootkits are appearing: sophisticated and simple, serving different purposes (such as rootkits or ransomware Trojans). Malware writers are not above analyzing their competitors’ malicious code (…).»
Source:
Related posts:
19/07/2012. XPAJ: A study of a Windows x64 bootkit :

=> German Trojans 2. 20/06/2012. «In the last article, I discussed in quite some detail how exactly the dropper for Bundestrojaner worked. In my next article what I’d been planning to do was to reverse the DLL and then the driver. There’s a slight change to those plans though (…).»
Source:

=> Some shellcode de-mystified. 21/06/2012. «The shellcode described in this post was obtained from the Eleonore v1.2 exploit kit. High-level details about that kit are mentioned in my April 2012 blog post. This post is a technical view of the actual shellcode and is intended to be instructive to the inquisitive reader. Since this code is relatively old, the main techniques (hashing API lookups, rol decryption, kernel32 address lookup) have been discussed before (…).»
Source:

=> ACAD/Medre.A Technical Analysis. 22/06/2012. «For the story behind the suspected industrial espionage, where ACAD/Medre.A was used, refer to Righard Zwienenberg’s blog post. For technical details from analysing the worm’s source code, read on (…).»
Source:
Related posts:
21/06/2012. ACAD/Medre.A :
22/06/2012. ACAD/Medre.A [pdf] :
22/06/2012. ACAD/Medre.A – 10000's of AutoCAD files leaked in suspected industrial espionage :

=> Win32/Gataka: a banking Trojan ready to take off? 03/07/2012. «We have been following the development of the Win32/Gataka banking Trojan for several months and can now share some details of its operation which includes facilitating fraudulent bank transfers. This first post will highlight some of its key features, while the second will detail several interesting, more technical aspects of this malware (…).»
Source:

=> Rovnix bootkit framework updated. 14/07/2012. «We have been tracking the activity of the Rovnix bootkit family since April 2011. Rovnix was the first bootkit family to use VBR (Volume Boot Record) infection (NTFS bootstrap code) for loading unsigned kernel-mode drivers on x64 (64 bit) platforms (…).»
Source:

=> The Madi Campaign – Part I. 17/07/2012. «For almost a year, an ongoing campaign to infiltrate computer systems throughout the Middle East has targeted individuals across Iran, Israel, Afghanistan and others scattered across the globe. Together with our partner, Seculert, we’ve thoroughly investigated this operation and named it the “Madi”, based on certain strings and handles used by the attackers (…).»
Source:
Related posts:
17/07/2012. Mahdi – The Cyberwar Savior? :
19/07/2012. List of samples available on about Mahdi aka Madi :

=> Analysis of Cridex. 18/07/2012. «On the 12th of June the payload delivered by a Blackhole Exploit Kit was Cridex. Cridex is part of the malware family that steals banking information from the victim's computer. Social media sites are also the target of Cridex. Similar to ZeuS, Cridex is able to inject code into HTML pages on websites contained in the configuration file and capable of monitoring & manipulating cookies. The stolen data is saved into a file and sent back to a C&C server. Additional malware may be downloaded by Cridex (…).»
Source:

=> Guntior. 18/07/2012. «Guntior – detailed analysis of the Chinese bootkit (…).»
Source:


6 comments on "Actus Sécurité Confirmé 2012 S29"

  1. Yes, I know, still haven't finished reading everything ^^

    on the other hand:
    => Duqu's generic hooking engine. 30/05/2012. «After the boring stage 1, it was hard to get motivated for the second stage. But it was worth it; I thought this sample was a keylogger, as documented on the net, but that is not the case. It is a pretty nice generic hooking engine. The hooks are placed on (…).» Publications by

    Isn't there a layout problem?

    • Hi Nono, maybe I'm not quite awake yet, but I don't get your remark :)

      • It's mostly me expressing myself badly; haven't had my coffee yet :)

        The hooks are placed on (…).» Publications by

        It seemed odd to me to end your quote on "are placed on (…)."

        And so I don't understand your comment "Publications by"

        So I was wondering whether the » wasn't misplaced :) That's all.

  2. Ah, OK. Those are indeed the Malware-lu analyses listed there, hosted on Google Code. I reused the 'chapeau' (lead-in) of their article in the citation, and they went on to the technical details afterwards. So no layout error; it's just the hook of their 'paper' to encourage people to go and read them :)
