The Stratosphere IPS Project officially started around January 2015 with a huge effort of development and planning. We are glad to see that after these two months we were able to start the project website and social relationships, to boost the collaboration with others and to develop the first part of the project: The Stratosphere Testing Framework.
Analysis of the traffic of an APK malware
This is an analysis of the traffic generated by the APK sample 46a2468a6ee9a7740191747d1b7b16a5 that was downloaded from the CopperDroid project. Virus Total detects this sample as a malware called Kaishi (probably related with banks attacks) and although the malware is from May 2014, in Mar 12, 2015 only two Antivirus engines detect it.
How to install and run Argus sniffer in your Raspberry Pi
This is an install guide to run the Argus Sniffer in the Raspberry PI using Raspbian for use in the Stratosphere Project.
MALWARE USES MULTIPLE WEB SERVERS TO HAVE A PERIODIC HTTP C&C CONNECTION WHILE ITS NETFLOWS ARE NOT PERIODIC
While analyzing our capture CTU-Malware-Capture-Botnet-89-1 we found out that there were some strange issues with the periodicity of the C&C channels. In this capture there were a lot of HTTP connections, but few of them were periodic. During the analysis of the network capture we usually start looking at the NetFlows and then we move to the payload data. What we found is that several periodic HTTP connections had non-periodic NetFlows. This was strange for us so we took a deeper look.
MALWARE STARTED TO RANDOMIZE THE REQUEST TIMES IN RELATION WITH THEIR C&C CHANNELS
Yesterday we found out a malware that uses a DGA algorithm to find out the domains of their C&C servers. It become interesting when we noted that the DGA communication is not using periodic requests on purpose. In fact it seems to be specifically generating the requests times of its DGA packets in order to avoid being periodic.
Example of Using STF for Detecting C&C channels. An analysis of a Pushdo Malware
ANALISIS OF CTU-MALWARE-CAPTURE-1 (ZBOT.OOWO)
CTU-MALWARE-CAPTURE-1 (ZBOT.OOWO)
This capture was done between Thu Sep 5 15:40:07 CEST 2013 and Tue Oct 1 13:38:29 CEST 2013, having a total of 25 days and 21 hours. It corresponds to a binary with the MD5 46b3df3eaf1312f80788abd43343a9d2 of and that was classified by Kaspersky in VirusTotal as Trojan-Spy.Win32.Zbot.oowo. However we are not sure of the name.