Topic: Found Malware contacted ocsp.comodoca4.com

pio (Malware Research Group)
Found Malware contacted ocsp.comodoca4.com
« on: July 08, 2017, 12:27:42 PM »
Hey guys,

I've found a lot of malicious, interesting unsigned stuff that sends DNS requests and gets HTTP traffic from ocsp.comodoca4.com.

If somebody needs the samples, please send me a PM!!!


Examples:

regsvr32 whitelisting bypass attempt >>>>> https://www.virustotal.com/de/file/0e22f81ecc193f9bdd0142d8689ced4e1bbd19c0fba8b919dd70d39066e27bdb/analysis

Trojan.script >>>>> https://www.virustotal.com/de/file/e58d7d1a85c32656fb9bf7fb6c06407f496aa1d0974eecca347f3cabcae7d2c3/analysis/

regsvr32 whitelisting bypass attempt >>>>> https://www.virustotal.com/de/file/6be3c175b2481a60b6e7c80b9fc117c86e76a9e867ecd2918b23bdc193d0e283/analysis/

Obfuscated RTF Exploit >>>>> https://www.virustotal.com/de/file/24810df5d721d105f373ae62eb6ebeae864766a85325496fa81a956953b53f6e/analysis/

and many, many more ............

I've found this article in French and translated it via Google Translate! Is that the reason for the connection attempts? Can someone please explain this to me? Thx!!!

https://www.comment-supprimer.com/ocsp-comodoca-com/

"If you notice that your PC makes regular access to the url ocsp.comodoca.com it is possible that you are infected by an adware. The ocsp.comodoca.com url is registered by Comodo, and is normally used to verify the validity of certificates using the OCSP protocol. It is likely that an unwanted program is blocking the Comodo certificates and that the certificate validity checking system tries to verify them through the ocsp.comodoca.com url."

Right? But especially in the case of the files above, I don't understand this behaviour completely. Were these files part of malware or of a PUA for which Comodo removed the certificates? Or, for example, why does the "DOC" file contact the OCSP server, for whatever reason?

Edit: Not ALL, but nearly all samples are available. I have about 20 of them......
« Last Edit: July 08, 2017, 05:02:01 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
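A worked example, added here and not from the thread, of what the ocsp.comodoca4.com traffic described in the quoted article actually carries: an OCSP GET request embeds the DER-encoded OCSPRequest, base64-encoded, in the URL path (RFC 6960 A.1), so a proxy log line can be decoded to the issuer hashes and certificate serial the client was checking. The log line, hashes and serial are constructed values; the code is stdlib-only Python and the helper names are my own.

```python
# Added example, not code from the thread: decode the OCSP GET request that a Windows host sends
# to a responder such as ocsp.comodoca4.com (RFC 6960 A.1) and map it to the certificate serial.
import base64
import urllib.parse

def der(tag, content):
    # Short-form length only (< 128 bytes): enough to construct the sample request below.
    return bytes([tag, len(content)]) + content

def der_children(content):
    out, pos = [], 0                             # split a DER SEQUENCE body into (tag, content) pairs
    while pos < len(content):
        tag, length, pos = content[pos], content[pos + 1], pos + 2
        if length & 0x80:                        # long-form length, seen in real requests with extensions
            n = length & 0x7F
            length, pos = int.from_bytes(content[pos:pos + n], "big"), pos + n
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out

HASH_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",             # 1.3.14.3.2.26
             bytes.fromhex("608648016503040201"): "sha256"}   # 2.16.840.1.101.3.4.2.1

def build_ocsp_get_path(issuer_name_hash, issuer_key_hash, serial, oid=bytes.fromhex("2b0e03021a")):
    """Constructed sample only: one CertID wrapped as an OCSPRequest, base64 + URL-escaped path."""
    serial_der = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # leading 0x00 keeps INTEGER positive
    cert_id = der(0x30, der(0x30, der(0x06, oid) + der(0x05, b""))
                  + der(0x04, issuer_name_hash) + der(0x04, issuer_key_hash) + der(0x02, serial_der))
    ocsp_request = der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))  # OCSPRequest > tbsRequest > requestList > Request
    return "/" + urllib.parse.quote(base64.b64encode(ocsp_request).decode())

def decode_ocsp_get(url_path):
    """Return the CertIDs in an OCSP GET path (assumes the responder URL has no path prefix)."""
    raw = base64.b64decode(urllib.parse.unquote(url_path.lstrip("/")))
    tbs = der_children(der_children(raw)[0][1])[0][1]                  # OCSPRequest -> tbsRequest
    request_list = next(c for t, c in der_children(tbs) if t == 0x30)  # skip [0] version / [1] requestorName
    cert_ids = []
    for _, request in der_children(request_list):
        alg, name_hash, key_hash, serial = der_children(der_children(request)[0][1])
        oid = der_children(alg[1])[0][1]
        cert_ids.append({"hash_alg": HASH_OIDS.get(oid, oid.hex()), "serial": int.from_bytes(serial[1], "big", signed=True),
                         "issuer_name_hash": name_hash[1].hex(), "issuer_key_hash": key_hash[1].hex()})
    return cert_ids

# Constructed proxy-style log line; the hashes and serial are made-up values, not from the thread.
SAMPLE_PATH = build_ocsp_get_path(bytes.fromhex("aa" * 20), bytes.fromhex("bb" * 20), 0x1234567890ABCDEF)
SAMPLE_LOG = "2017-07-08 12:27:42 10.0.0.5 GET http://ocsp.comodoca4.com" + SAMPLE_PATH + " 200"

def cert_ids_from_log_line(line):
    url = next(field for field in line.split() if field.startswith("http://"))
    return decode_ocsp_get(urllib.parse.urlsplit(url).path)
```

Comparing the decoded serial and issuer key hash with the certificate chain of the signed binary, document component or add-in that was loaded tells you whether the lookup is the OS validating a signer's certificate rather than something the sample does on its own.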

fatih.orhan (Global Moderator)
Re: Found Malware contacted ocsp.comodoca4.com
« Reply #1 on: July 08, 2017, 06:18:49 PM »
Hi pio,

Can you please send me the samples? We'll analyze them in detail.

Thanks

pio (Malware Research Group)
Re: Found Malware contacted ocsp.comodoca4.com
« Reply #2 on: July 08, 2017, 09:21:09 PM »
Hi Fatih,

nice to see you and to hear from you!!! ;)

Of course, I will send you a PM with a download link! The 20 files were packed in a ZIP archive with NO PW (upload is set to private)! Mostly different file types with different types of malware inside.

And as I said above, two files from my post were not available! I'll send you two others as alternatives!!! And one file has a positive signature detection from CAV!!! But that should not disturb your analysis?! ;)

Best Regards!!!
« Last Edit: July 08, 2017, 09:35:54 PM by pio »