Reversing as an Art

Notes on RCE fun.

Malware Reports

Special Targeting

Stuxnet
2010 W32.Stuxnet Dossier Symantec
2010 Myrtus and Guava, Episode 1 Kaspersky
2010 Myrtus and Guava, Episode 2 Kaspersky
2010 Myrtus and Guava, Episode 3 Kaspersky
2010 Myrtus and Guava, Episode 4 Kaspersky
2010 Myrtus and Guava, Episode 5 Kaspersky
2010 Myrtus and Guava: the epidemic, the trends, the numbers Kaspersky
2011 Stuxnet Under the Microscope ESET
2013 Stuxnet 0.5: The missing link Symantec
2013 To Kill a Centrifuge Langner
2013 More on Stuxnet Schneier on Security
2013 Stuxnet: Infecting Industrial Control Systems VB

Flame
2012 sKyWIper: A complex malware for targeted attacks CrySyS
2012 The Flame: Questions and Answers Kaspersky

Narilam
2012 W32.Narilam – Business Database Sabotage Symantec
2012 Narilam: A ‘New’ Destructive Malware Used In the Middle East Kaspersky

Gauss
2012 Gauss: Abnormal Distribution Kaspersky
2012 Gauss: Nation-state cyber-surveillance meets banking Trojan Kaspersky
2012 Online detection of Gauss Kaspersky

Duqu
2011 W32.Duqu: The precursor to the next Stuxnet Symantec
2011 Duqu – Stuxnet 2 F-Secure
2011 Keeping Tabs on the Next STUXNET TrendMicro
2011 The Mystery of Duqu: Part One Kaspersky
2011 The Mystery of Duqu: Part Two Kaspersky
2011 The Mystery of Duqu: Part Three Kaspersky
2011 The Duqu Saga Continues Kaspersky
2011 The Mystery of Duqu: Part Five Kaspersky
2011 The Mystery of Duqu: Part Six (CnC) Kaspersky
2011 Duqu First Spotted as ‘Stars’ Malware in Iran Kaspersky
2011 Stuxnet/Duqu: The Evolution of Drivers Kaspersky
2011 The Mystery of Duqu: Part Seven (Back to Stuxnet) Kaspersky
2012 The Mystery of the Duqu Framework Kaspersky
2012 The Mystery of the Duqu Framework solved Kaspersky
2012 The Mystery of the Duqu: Part Ten Kaspersky
2012 The Day The Stuxnet Died Kaspersky
2011 Duqu: Status Updates Including Installer with Zero-Day Exploit Found Symantec
2012 New method of injection, Duqu based w4kfu.com
2012 Duqu Analysis & Detection Tool NSS Labs
2011 Duqu: A Stuxnet-like malware found in the wild CrySyS

Turla/Snake/Uroburos/Agent.btz
2014 Uroburos – highly complex espionage software with Russian roots GData
2014 SNAKE CAMPAIGN BAE
2014 Uroburos ArtemOnSecurity
2014 Turla: Spying tool targets governments and diplomats Symantec
2014 Agent.btz: a Source of Inspiration? Kaspersky
2014 Turla Rootkit: A Look Under the Hood AVG
2014 Snake Campaign: A few words about the Uroburos Rootkit VRT
2014 Anatomy of Turla exploits F-Secure
2014 TR-25 Analysis circl.lu
2014 Analyzing the Uroburos PatchGuard Bypass McAfee

Windigo
2014 Operation Windigo ESET
2014 Windigo Linux Analysis – Ebury and Cdorked Sucuri

Careto/Mask
2013 Unveiling “Careto” – The Masked APT Kaspersky

Red October
2013 “Red October” Diplomatic Cyber Attacks Investigation Kaspersky

NetTraveler/TravNet
2014 NetTraveler Is Back: The ‘Red Star’ APT Returns With New Tricks Kaspersky
2012 The NeTTraveler Kaspersky

Kimsuky
2014 The “Kimsuky” Operation: A North Korean APT? Kaspersky

Winnti
2013 Winnti: More than just a game Kaspersky

IXESHE
2012 IXESHE: An APT Campaign TrendMicro

CosmicDuke/TinyBaron/Miniduke
2014 Cosmu with a twist of MiniDuke F-Secure
2014 Miniduke is back: Nemesis Gemina and the Botgen Studio Kaspersky
2014 Analysis of a stage 3 Miniduke sample circl.lu
2013 The MiniDuke Mystery Kaspersky
2013 Miniduke: Indicators CrySyS
2013 Miniduke CrySyS

TeamSpy
2013 TeamSpy: Backdoor to the Viewer Symantec
2013 The TeamSpy Crew Attacks Kaspersky
2013 The ‘TeamSpy’ Story Abusing TeamViewer in Cyberespionage Kaspersky
2013 TeamSpy: Obshie manevri (pdf) CrySyS

RATs

PlugX
2012 Unplugging PlugX Capabilities TrendMicro
2013 New Wave of PlugX Targets Legitimate Apps TrendMicro
2013 PlugX – Payload Extraction Context
2014 PlugX – Payload Extraction Sophos

Bankers

Shylock/Caphaw
2011 Shylock In-Depth Malware Analysis malwarereversing
2012 Evading Malware Researchers: Shylock’s New Trick Trusteer
2013 Caphaw attacking major European banks using webinject plugin ESET
2013 SHYLOCK – BANKING MALWARE EVOLUTION OR REVOLUTION? BAE
2013 In depth analysis of Caphaw/Shylock quequero.org
2014 Hunting Shylock InfoSec Institute
2014 Shylock/Caphaw malware Trojan: the overview Kaspersky

Bootkits

Gapz
2012 Mind the Gapz ESET
2012 Win32/Gapz: New Bootkit Technique ESET
2012 Win32/Gapz: steps of evolution ESET
2013 Reconstructing Gapz Recon
2013 Win32/Gapz family ring0 payload InResearching_Blog

Rootkits

Avatar
2013 Mysterious Avatar rootkit ESET
2013 Avatar rootkit: the continuing saga ESET

Click-fraud

Viknok/Zekos/Pigeon
2014 Sophisticated Viknok Malware Symantec
2014 Win32/64:Blackbeard & Pigeon part I part II Symantec

Ransom

Urausy
2013 Urausy Lock-screen Avast

Other

Sality
---- Sality Wikipedia
2013 Sality: a router’s primary DNS changer named Win32/RBrute ESET
2013 Sality rootkit analysis ArtemOnSecurity