MMD-0054-2016 – ATMOS botnet facts you should know

The background: This post shares recent intelligence and information on the recently emerged credential-stealing and spying botnet named “Atmos”, for the purposes of threat recognition and incident response, and it may help reverse engineering. This report is the third coverage in the online crime toolkit analysis series that we disclose on the MalwareMustDie blog, on previous posts we disclosed about

[Slide|Video] Kelihos & Peter Severa; the “All Out” version

Tag: Kelihos, Khelios, P2P, FastFlux, Botnet, CNC, C2, Clickfraud, Traffic Redirection, Spambot, DNS Poison, Botnet as Service, Affiliate, Severa, Peter Severa, Petrushakov, Saever, Saushkin

We yanked this page off along with the slides & its video links from public view to support cyber crime investigation to stop the botnet for good. It’s a good will from our investigation team and…

MMD-0053-2016 – A bit about ELF/STD IRC Bot: x00’s CBack aka xxx.pokemon(.)inc

The latest UPDATE on incidents of this threat is–>[link]. Background: I received a report of a host in the Google cloud network serving ELF malware: { “ip”: “”, “hostname”: “”, “prefix”: “”, “org”: “AS15169 Google Inc.”, “city”: “Mountain View”, “region”: “California”, “country”: “USA”, “loc”: “37.4192,

MMD-0052-2016 – Overview of “SkidDDoS” ELF++ IRC Botnet

Tag: kaiten, ktx, tsunami, STD, stdbot, torlus, Qbot, gayfgt, lizard, lizkebab, sinden, sdn, $dn, bossaline, bossabot, dtool, aidra, lightaidra, zendran, styx, Code, Robert, cod, unixcod, styxcod, irc, ircbot, ddos, elfbot, ddoser, nix, elf, linux, unix, backdoor, syn flood, ack flood, ntp flood, udp flood, dns amp, xmas attack, pan flood, x00, cback, LiGhT, Proxseas, BLJ, KaitenBot, fairy, Alex,

MMD-0051-2016 – Debunking a tiny ELF remote backdoor (shellcode shellshock part 2)

The background: In September 2014, while the ShellShock exploitation incidents were in the rush, one of them was the case MMD-0027-2014, in which two ELF malware payloads were dropped via a ShellShock attack: a new malware and a backconnect ELF. The details can be read in–>[here]. Today I found another interesting ELF x86-32 sample that was reported several hours back, the infection…

MMD-0050-2016 – Incident report: ELF Linux/Torte infection (in WordPress)

The indicator: Several hours ago, a suspicious inbound access was detected on a WordPress site with the below log: (Thanks for the hard work from Y) It’s unusual traffic coming from an unusual source IP address:|37-139-47-183.clodo.ru.|56534 | | PIRIX-INET | RU | comfortel.pro | Comfortel Ltd. |62-76-41-190.clodo.ru. |57010 | |

MMD-0049-2016 – A case of java trojan (downloader/RCE) for remote minerd hack

Background: This is a short post to support the takedown purpose. Warning: Sorry, this time there’s nothing fancy nor “in-depth analysis” 🙂 Yet the current hacking & infecting scheme is so bad that I think it’s best for all of us (fellow sysadmins in particular) to know this information for mitigation and hardening purposes. In this case, a bad actor…