SYMBOLCOMMON_NAMEaka. SYNONYMS
win.alureon (Back to overview)

Alureon

aka: Olmarik, Pihar, TDL, TDSS, wowlik
URLhaus    

There is no description at this point.

References
2020-07-21YouTube ( OPCDE with Matt Suiche)Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-09-22} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Cobra Carbon System CROSSWALK danbot Mevade ProtonBot Silence
2016-01-10Johannes Bader
@online{bader:20160110:dga:cb8a5e5, author = {Johannes Bader}, title = {{The DGA in Alureon/DNSChanger}}, date = {2016-01-10}, url = {https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/}, language = {English}, urldate = {2019-12-17} } The DGA in Alureon/DNSChanger
Alureon DNSChanger
2016-01-01Virus BulletinPeter Kálnai, Jaromír Hořejší
@online{klnai:20160101:notes:100f4d8, author = {Peter Kálnai and Jaromír Hořejší}, title = {{Notes on click fraud: American story}}, date = {2016-01-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/}, language = {English}, urldate = {2020-03-04} } Notes on click fraud: American story
Alureon ZeroAccess
2014-04-18Trend MicroAlvin John Nieto
@online{nieto:20140418:troj64wowlikvt:a785d3a, author = {Alvin John Nieto}, title = {{TROJ64_WOWLIK.VT}}, date = {2014-04-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt}, language = {English}, urldate = {2020-01-13} } TROJ64_WOWLIK.VT
Alureon
2012-02-01Contagio DumpMila Parkour
@online{parkour:20120201:tdl4:e13618a, author = {Mila Parkour}, title = {{TDL4 - Purple Haze (Pihar) Variant - sample and analysis}}, date = {2012-02-01}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html}, language = {English}, urldate = {2019-12-20} } TDL4 - Purple Haze (Pihar) Variant - sample and analysis
Alureon
2011-07-07Contagio DumpMila Parkour
@online{parkour:20110707:rootkit:501fe3d, author = {Mila Parkour}, title = {{Rootkit TDL-4 (TDSS, Alureon.DX, Olmarik, TDL) 32-bit and 64-bit Sample + Analysis links - Update July 7}}, date = {2011-07-07}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html}, language = {English}, urldate = {2019-12-18} } Rootkit TDL-4 (TDSS, Alureon.DX, Olmarik, TDL) 32-bit and 64-bit Sample + Analysis links - Update July 7
Alureon
2010-02-08Contagio DumpMila Parkour
@online{parkour:20100208:list:95ec809, author = {Mila Parkour}, title = {{List of Aurora / Hydraq / Roarur files}}, date = {2010-02-08}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html}, language = {English}, urldate = {2019-11-17} } List of Aurora / Hydraq / Roarur files
Alureon
Yara Rules
[TLP:WHITE] win_alureon_auto (20210616 | Detects win.alureon.)
rule win_alureon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.alureon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 660fbec9 66390a 750b 46 }
            // n = 4, score = 200
            //   660fbec9             | movsx               cx, cl
            //   66390a               | cmp                 word ptr [edx], cx
            //   750b                 | jne                 0xd
            //   46                   | inc                 esi

        $sequence_1 = { 895d14 7439 49 d1e9 41 894df8 8b4d14 }
            // n = 7, score = 200
            //   895d14               | mov                 dword ptr [ebp + 0x14], ebx
            //   7439                 | je                  0x3b
            //   49                   | dec                 ecx
            //   d1e9                 | shr                 ecx, 1
            //   41                   | inc                 ecx
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]

        $sequence_2 = { 03d8 0fb74314 8b7350 57 56 }
            // n = 5, score = 200
            //   03d8                 | add                 ebx, eax
            //   0fb74314             | movzx               eax, word ptr [ebx + 0x14]
            //   8b7350               | mov                 esi, dword ptr [ebx + 0x50]
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_3 = { c745d818000000 895ddc c745e440000000 895de8 895dec ffd7 }
            // n = 6, score = 200
            //   c745d818000000       | mov                 dword ptr [ebp - 0x28], 0x18
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx
            //   c745e440000000       | mov                 dword ptr [ebp - 0x1c], 0x40
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   ffd7                 | call                edi

        $sequence_4 = { 53 53 6800005600 8d45d0 50 }
            // n = 5, score = 200
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6800005600           | push                0x560000
            //   8d45d0               | lea                 eax, dword ptr [ebp - 0x30]
            //   50                   | push                eax

        $sequence_5 = { c1e810 8844243f 8bc3 c1e808 88442440 8954242c }
            // n = 6, score = 200
            //   c1e810               | shr                 eax, 0x10
            //   8844243f             | mov                 byte ptr [esp + 0x3f], al
            //   8bc3                 | mov                 eax, ebx
            //   c1e808               | shr                 eax, 8
            //   88442440             | mov                 byte ptr [esp + 0x40], al
            //   8954242c             | mov                 dword ptr [esp + 0x2c], edx

        $sequence_6 = { f3aa 58 6689442420 8b4514 89442434 }
            // n = 5, score = 200
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   58                   | pop                 eax
            //   6689442420           | mov                 word ptr [esp + 0x20], ax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   89442434             | mov                 dword ptr [esp + 0x34], eax

        $sequence_7 = { c20800 8b4018 ebf5 55 8bec }
            // n = 5, score = 200
            //   c20800               | ret                 8
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]
            //   ebf5                 | jmp                 0xfffffff7
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_8 = { 53 53 ff15???????? 6830750000 }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   6830750000           | push                0x7530

        $sequence_9 = { 7409 39b424c8000000 75cf 53 53 }
            // n = 5, score = 100
            //   7409                 | je                  0xb
            //   39b424c8000000       | cmp                 dword ptr [esp + 0xc8], esi
            //   75cf                 | jne                 0xffffffd1
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_10 = { 6880000000 6a02 53 6a01 68bf011200 8d842408030000 }
            // n = 6, score = 100
            //   6880000000           | push                0x80
            //   6a02                 | push                2
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   68bf011200           | push                0x1201bf
            //   8d842408030000       | lea                 eax, dword ptr [esp + 0x308]

        $sequence_11 = { c7442468e4214000 ff15???????? 8d842400070000 50 8d8424a8000000 50 ff15???????? }
            // n = 7, score = 100
            //   c7442468e4214000     | mov                 dword ptr [esp + 0x68], 0x4021e4
            //   ff15????????         |                     
            //   8d842400070000       | lea                 eax, dword ptr [esp + 0x700]
            //   50                   | push                eax
            //   8d8424a8000000       | lea                 eax, dword ptr [esp + 0xa8]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_12 = { 56 33f6 85c9 57 761c 8b500c }
            // n = 6, score = 100
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   85c9                 | test                ecx, ecx
            //   57                   | push                edi
            //   761c                 | jbe                 0x1e
            //   8b500c               | mov                 edx, dword ptr [eax + 0xc]

        $sequence_13 = { 50 6a24 8d8424cc000000 50 53 57 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   6a24                 | push                0x24
            //   8d8424cc000000       | lea                 eax, dword ptr [esp + 0xcc]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   57                   | push                edi

        $sequence_14 = { c645e61f c645e709 c645e80f c645e914 c645ea11 c645eb11 }
            // n = 6, score = 100
            //   c645e61f             | mov                 byte ptr [ebp - 0x1a], 0x1f
            //   c645e709             | mov                 byte ptr [ebp - 0x19], 9
            //   c645e80f             | mov                 byte ptr [ebp - 0x18], 0xf
            //   c645e914             | mov                 byte ptr [ebp - 0x17], 0x14
            //   c645ea11             | mov                 byte ptr [ebp - 0x16], 0x11
            //   c645eb11             | mov                 byte ptr [ebp - 0x15], 0x11

        $sequence_15 = { 50 53 8d442458 50 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   53                   | push                ebx
            //   8d442458             | lea                 eax, dword ptr [esp + 0x58]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 278528
}
Download all Yara Rules