2 October 2015 Łukasz Siewierski
Recently, we obtained a sample of a new Android banking trojan, named GMBot, which tries to be self-contained (i.e. does not need Windows counterpart) and uses application overlay as a poor man’s webinjects substitute. This malware uses known and common techniques, but implements them in a way similar to the webinject-based malware known from Windows OS. This bot’s old source code, written in Java, was also available on a Google-indexed Russian file sharing website. While we want to stress out that GMBot does not do Android webinjects, it is hard not to draw a parallel between webinjects infrastructure and what GMbot does. Is this a glimpse in the future of mobile banking trojans?
1 October 2015 piotrb
Domain Generation Algorithms are used in botnets to make it harder to block connections to Command & Control servers and to make it difficult to takeover botnet infrastructure. The main objective of these algorithms is to generate a big number of different domain names which usually look random, like
pkjdgjwzcr.pl. Only some of them are registered by a botmaster, however compromised hosts tend to query all of them until they find a working domain. As a result bots can receive a big number of non-existent domain name responses (in short: NXDomain). In this entry we will show how such behavior can be utilized to detect DGA botnets using examples of different detection methods.
9 September 2015 Maciej Kotowicz
Recently we ran across a quite an interesting sample, which used an interesting obfuscation technique that was beautiful in its simplicity.