Thursday, November 20, 2014

Hunting Bunnies

A month ago I gave a talk titled TS/NOFORN at an exquisite boutique conference named in Luxembourg. Some people also called it a keynote. I had been talking about a set of extravagant malware samples, which all seemed to be related yet different in the depths of their dark souls. One of these samples stuck out, namely the fourth sample of the analyzed species; thus entitled suspect #4. Suspect #4 is a huge evil beast, sophisticated, if one does not take the typos in its string constants into account. The malware presents itself as 'bunny', invades the system, evades sandboxes and presents an execution platform for Lua scripts that a C&C would inject into the malware.

As I have promised to various fellow researchers, I sat down to document this very same miscreant. Having typed my fingers sore throughout numerous long nights, I can now happily present you with the final version of the bunny report. Beloved bunny, this way you will live forever.

My deepest gratitude to all who helped with technical insights, binary input, mental support, coffee or rum. To safeguard the best interests of all contributors, the report is published under a Creative Commons license.

EvilBunny: Suspect #4 - Enjoy.