MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019)

Hello, it’s unixfreaxjp here. It has been a while since I wrote our own blog, and it is good to be back. Thank you for your patience for all of this time.

The background

It was after September 2016 when we decided to move our blog and since then I had a lot of fun in learning and experimenting much with “Jekyll” (based on “Poole”) and “BlackDoc”, and I just convert all posts statically into “Markdown” and all syntax highlighter into “Rouge” highlighter with templates coded in “Liquid”, and I was seriously dealing with coding in Ruby on FreeBSD for it. Wasn’t easy, but with help from the team, we did that, and I learned a lot.

Then on posting my research I moved along to try out several platforms, it’s good to actually know that we don’t have to depend only into a platform, and 3 (three) years out there was making us learning a lot about other reliable services in here and there. What me and the mates have learned is, in using any media services, either it’s your own or other’s party ones, they all are having their pro’s and con’s points. And frankly speaking, you won’t know for sure about each one of those con’s unless you go out there and try them yourself.

So, here we are, back to service where we first started to do MalwareMustDie blog. And I found that this environment is nicer than before, thank you Google for doing the hard work in satisfying and securing bloggers. So I just set it up and switched all access to HTTPS and hopefully the dead-links effect are minimum. For those who had problem with broken RSS this effort may be a good news to you. You can still access the MMD (MalwareMustDie) blog under sub-domain of “blog2” with HTTP but I won’t add more posts on those servers and I will minimize its service.

The bad side of all of these adventure is, now I have my research materials scattering around all over the internet during these past three years (smile). Oh yes, the research and its activity is still active as usual, yet now we’re happy that we don’t need to make much voice anymore, the security awareness are blooming..not like we had before in 2012, I am still hanging out with our friends and we’re still on to dissecting malware.. Linux or not.. Intel CPU ones or not, and to be noted: I am still a great fan of radare2 and FreeBSD!

I think some followers may not know what we’ve been doing all of these three years, or maybe they can’t track well our activities on our security research, so I decided to list some links for you to catch up with. Some of those reports are just screenshots with comments (security related pictures really paint thousand words), some are just posts in reddit or others, but all contains important information.Does this means I am posting analysis blog again? Well, you’re going to find that out too

Here’s the list of what’s been done during these three years, enjoy:

1. Windows related malware posts

Raccoon stealer infection in the wild

Dissecting on memory post exploitation powershell beacon w/ radare2

Intel POPSS Vulnerability PoC Reversed




“FHAPPI attack” : FreeHosting APT PowerSploit Poison Ivy

2. Linux related malware posts

Honda Car’s Panel’s Rootkit from China




Linux/DDoSTF today

GoARM.Bot + static strip ARM ELF by ChinaZ

Linux/ChinaZ Edition 2


Linux/Haiduc (bruter/memo)






Linux/Mandibule (Process Injector)

So Many Mirai..Mirai on the wall)

Today’s Kaiten and PerlDDoS

Linux/STD bot

Linux/Kaiten (modded ver) in Google clouds

Linux/Qbot or GafGyt Kansas city?

ChinaZ gang is back to shellshock drops Elknot abuses USA networks

3. Mac OSX related malware posts


OSX/MachO-PUP (a quickie)

4. Other malware reports

Webshell/r57shell, and..

I also posted either in VirusTotal comments, or previously posted some on kernelmode(not anymore), or sometimes making several posts or notes in reddit.

5. My talks on security conference

About my presentation of: “Unpacking the non-unpackable” (ELF packers talk) in R2CON2018


I may edit/change my posts to adjust or brush up their contents along with this post on transitioning the services, so there will be addition or changes.

Please stay safe, don’t code/use bad stuff, and enjoy the summary!


Original Post:

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – MalwareMustDie, malware)

The post MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019) appeared first on Security Affairs.