How the protection of Citadel got cracked

Recently on a forum someone requested cbcs.exe (Citadel Backconnect Server). If you want to read more about the Backconnect on Citadel, the link that g4m372 shared is cool: http://laboratoriomalware.blogspot.de/2012/12/troyan-citadel-backconnect-windows.html I've searched for this file by downloading a random mirror of the Citadel leaked package in the hope of finding it inside. Finally the file wasn't…

Codes, What Are They Good For?

What is a Secure Communication? The goals of secure communications are the following. Some of these are surprisingly difficult to achieve: make the content of a message unreadable to parties other than the intended one(s); make the meaning of a message inaccessible to parties other than the intended one(s); avoid…

In Search of OPSEC Magic Sauce

Of Bomb Threats and Tor Recently (December 16th, 2013) there was a bomb threat at Harvard University, during finals week. The threat was a hoax, and the FBI got their man that very night. The affidavit is here. This post will look at the tools and techniques the operative used…

Win32/BruteForce.WP

DrWeb released news about this malware in August; they know it as 'Trojan.WPCracker.1'. And more recently ~ 1e8cd0f0f1702820c870302520bc0176. This executable communicates with a C&C at dorblu99.net. Let's have a closer look. Login; Main; Bot info; Broken wordpress; Statistics; Add domains; Add admin panels; Add logins; Add passwords; Add module for jm (zip); Add module for wp (zip); Add shell jm (php); Cron brute; Ban list; Logs; Domains list (downloaded by the…

Win32/Atrax.A

Atrax is a TOR botnet; you can read about it in the excellent post by Aleksandr. Someone on kernelmode.info recently posted a fresh sample: MD5: 44a6a7d4a039f7cc2db6e85601f6d8c1. Fun thing also, the coder left a message: "Nice blog post ESET 2013/07/24 Greetz to KernelMode.info". Atrax advertising: Programming language: C (No C++!). OS: Win XP - 8.1 (all x86/x64). Admin rights…