OSX InstallCore used vm_allocate, vm_copy, NSCreateObjectFileImageFromMemory & NSLinkModule on MH_BUNDLE almost 3 years ago https://www.virustotal.com/gui/file/2048b591e6785c8eeee3605f62524cb66cb5d6e8bafae28e2db616ee22c49d1c/detection not that I remember too much about it ;-) https://twitter.com/objective_see/status/1201969466780704768 pic.twitter.com/FmQQFO3VGJ
Linux Coinminer https://www.virustotal.com/gui/file/2f017cc9500c59f8d628a3eb9ea992f98421d7edd1329878a7f46f6278d03e78/detection < Downloads components from rapid7cpfqnwxodo[.{tor2web[.io,onion[.glass,d2web[.org,onion[.mn,onion[.to,onion[.in[.net,onion[.ws,onion[.sh}/{cron[.sh,systemd-resolve,systemd-analyze,systemd[.sh} most likely related to LSD coinminer pic.twitter.com/Lihvzg5LIY
Here is an x64 sample of Tsunami that first XORs 2046 bytes from EP and then returns to it. It has 3 (unusual) LOAD segments, first one is RWX (unusual) and the 3rd one is not in sequence with the other 2 (unusual). Not the first sample like this. https://www.virustotal.com/gui/file/bd4b814a97d838d12a9e9f6e9764acecf9c02a651292393b59c4b3e43e1e952c/detection pic.twitter.com/EgGVYmEpUt
Have you seen this part of it? 0aa89fdd2957c49604a0ab16490748a07f82f9ea -- it uploads a .jar via Apache Flink. The .jar executes the identical command that you show in your last screenshot pic.twitter.com/i6ifXJc4Mo
pub fn read_var<T>(&self, offset: u64, var: &mut T) => if `var` is a member of `self`, you can't borrow `var` mutably because you borrowed `self` immutably => if you borrow `self` mutably, you can't borrow `var` mutably, because you are now borrowing twice. Thanks, I hate it pic.twitter.com/uWr2tIoAZd
Artefacts from one of the Gates files (syn, 2a9bf4ee7d437ae0bc67d2da1e711aaa0d1aa302):
- vpn.to0ls[.]com:443
- 115.231.218[.]64:8226
pic.twitter.com/5R0Wd8sgPg
- It periodically tries to detect a running miner and kill it (it can also kill itself & Gates malware - to update)
- Brootkit is "installed" to /etc/profile.d/emacs.sh - this confirms that EMACS is indeed a rootkit
- The remote host is auth.to0ls[.]com
pic.twitter.com/mxDbxYycMG
Very nasty Linux backdoor with multiple components https://www.virustotal.com/gui/file/c69ee0f12a900adc654d93aef9ad23ea56bdfae8513e534e1a11dca6666d10aa/detection
- Kills & uninstalls AV: clamav, avast, avg, drweb, esets
- Very persistent
- Uses Gates malware
- Uses Brootkit
- Uses CVE-2016-5195 to get root
- Infects other systems from known_hosts, .bash_history
pic.twitter.com/gLnuUfgJUl
The file is messed up btw. First is with USE PHT + USE SHT in IDA, second only USE PHT. pic.twitter.com/3lTIfgmPRd
Is this the first Mirai with XOR-looping through its code? https://www.virustotal.com/en/file/e66300626fe5fdceb965187f47f546dcc238305b6d0366f5d1995a310d02f9a9/analysis/ pic.twitter.com/zf8wR88XMh
Well, that'd explain why only the arm5 files are dynamically linked pic.twitter.com/ACljxeN58n
4/n Oh, and if you modify the DYN segment offset to e.g. 0, leave the VA be, load it in IDA and tell it to ignore the sections (i.e. not use .dynamic, it has the same info as the DYN segment when unmodified), it sees no imports. pic.twitter.com/aXdaM7ExHe
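The two ELF oddities described in this feed (the Tsunami sample with three LOAD segments, the first RWX and the third out of sequence, XOR-decoding its own code from the entry point; and the PT_DYNAMIC segment whose p_offset no longer matches its VA so that a PHT-only view shows no imports) can be flagged from the program header table alone, which is the view the kernel loader actually trusts. The checker below is an added example written for this page, not code from the tweets' author or from any tool mentioned here. It reads only the ELF64 header and PHT with the standard library, and the two input images it runs on (`SUSPICIOUS`, `CLEAN`) are constructed in-line to mimic those layouts; they are not derived from the samples on VirusTotal.

```python
# Added example: a small ELF64 program-header sanity checker for the kinds of
# anomalies discussed above (RWX LOAD, out-of-order LOAD, entry point in a
# writable segment, PT_DYNAMIC p_offset disagreeing with its LOAD mapping).
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
PF_X, PF_W, PF_R = 1, 2, 4


def parse_elf64(data):
    """Return (e_entry, list of program headers) from raw ELF64 bytes.

    Only the ELF header and the program header table (PHT) are read, so the
    check works on a header-only fragment as well as on a full file.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:          # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"                   # EI_DATA 1 == little-endian
    e_entry, e_phoff = struct.unpack_from(end + "QQ", data, 0x18)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from(end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, p_flags, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, _align = fields
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset,
                      "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    return e_entry, phdrs


def containing_load(loads, vaddr):
    """Index and header of the PT_LOAD whose memory range covers vaddr, or None."""
    for i, seg in enumerate(loads):
        if seg["vaddr"] <= vaddr < seg["vaddr"] + seg["memsz"]:
            return i, seg
    return None


def find_anomalies(e_entry, phdrs):
    """Return a list of (code, detail) findings for the loader-visible view."""
    findings = []
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    for i, seg in enumerate(loads):
        # Writable + executable is what a self-decoding stub (XOR loop over its
        # own code, as in the Tsunami/Mirai tweets) needs; normal toolchains avoid it.
        if seg["flags"] & PF_W and seg["flags"] & PF_X:
            findings.append(("rwx_load", f"LOAD[{i}] is writable and executable"))
        # The ELF spec requires PT_LOAD entries sorted by ascending p_vaddr.
        if i and seg["vaddr"] < loads[i - 1]["vaddr"]:
            findings.append(("load_order", f"LOAD[{i}] vaddr {seg['vaddr']:#x} is below LOAD[{i - 1}]"))
    hit = containing_load(loads, e_entry)
    if hit is None:
        findings.append(("entry_unmapped", f"entry {e_entry:#x} is not inside any LOAD"))
    elif hit[1]["flags"] & PF_W:
        findings.append(("entry_writable", f"entry {e_entry:#x} lies in writable LOAD[{hit[0]}]"))
    # The loader reaches the dynamic table through PT_DYNAMIC, not .dynamic, so
    # p_offset must agree with the file/memory mapping of the LOAD that holds it.
    for dyn in (p for p in phdrs if p["type"] == PT_DYNAMIC):
        hit = containing_load(loads, dyn["vaddr"])
        if hit is None:
            findings.append(("dyn_unmapped", f"PT_DYNAMIC vaddr {dyn['vaddr']:#x} is not inside any LOAD"))
            continue
        i, seg = hit
        expected = seg["offset"] + (dyn["vaddr"] - seg["vaddr"])
        if dyn["offset"] != expected:
            findings.append(("dyn_offset", f"PT_DYNAMIC p_offset {dyn['offset']:#x} != {expected:#x} implied by LOAD[{i}]"))
    return findings


def analyze(data):
    return find_anomalies(*parse_elf64(data))


def build_elf64(e_entry, phdrs):
    """Constructed test input: ELF64 header plus PHT, little-endian, no section table."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, e_entry,
                               64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    pht = b"".join(struct.pack("<IIQQQQQQ", p["type"], p["flags"], p["offset"],
                               p["vaddr"], p["vaddr"], p["filesz"], p["memsz"], 0x1000)
                   for p in phdrs)
    return ehdr + pht


def make_phdr(p_type, flags, offset, vaddr, size):
    return {"type": p_type, "flags": flags, "offset": offset, "vaddr": vaddr,
            "filesz": size, "memsz": size}


# Constructed layouts (not taken from any real sample): one shaped like the
# oddities in the tweets, one shaped like an ordinary x86-64 binary.
SUSPICIOUS = build_elf64(0x400200, [
    make_phdr(PT_LOAD, PF_R | PF_W | PF_X, 0x0000, 0x400000, 0x1000),   # RWX first LOAD
    make_phdr(PT_LOAD, PF_R, 0x1000, 0x401000, 0x1000),
    make_phdr(PT_LOAD, PF_R | PF_X, 0x2000, 0x200000, 0x1000),          # out of vaddr order
    make_phdr(PT_DYNAMIC, PF_R, 0x0000, 0x401100, 0x100),               # p_offset forced to 0
])
CLEAN = build_elf64(0x400100, [
    make_phdr(PT_LOAD, PF_R | PF_X, 0x0000, 0x400000, 0x1000),
    make_phdr(PT_LOAD, PF_R | PF_W, 0x1000, 0x401000, 0x1000),
    make_phdr(PT_DYNAMIC, PF_R | PF_W, 0x1100, 0x401100, 0x100),
])

if __name__ == "__main__":
    for name, image in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, analyze(image) or "no anomalies")
```

Run as a script it prints the findings for both constructed images; on a real file, `analyze(open(path, "rb").read())` gives the same list. The checker deliberately ignores the section header table, so a mismatch between what it reports and what a section-based view (the "USE SHT" case in the thread) shows is itself a signal that the headers have been tampered with.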