Madi is back – New Tricks and a New Command&Control Server

Last night, we received a new version of the #Madi malware, which we previously covered in our blog.

Following the shutdown of the Madi command and control servers last week, we thought the operation is now dead. Looks like we were wrong.

The new version appears to have been compiled on July 25th as it can be seen from its header:

It contains many interesting improvements and new features. It now has the ability to monitor VKontakte, together with Jabber conversations. It is also looking for people who visit pages containing “USA” and “gov” in their titles. In such cases, the malware makes screenshots and uploads them to the C2.

Here’s a full list of monitored keywords:

“gmail”, “hotmail”, “yahoo! mail” , “google+”, “msn messenger”, “blogger”, “massenger”, “profile”, “icq” , “paltalk”, “yahoo! messenger for the web”,”skype”, “facebook” ,”imo”, “meebo”, “state” , “usa” , “u.s”,”contact” ,”chat” ,”gov”, “aol”,”hush”,”live”,”oovoo”,”aim”,”msn”,”talk”,”steam”,”vkontakte”,”hyves”, “myspace”,”jabber”,”share”,”outlook”,”lotus”,”career”

Read more: Madi is back – New Tricks and a New Command&Control Server

Story added 25. July 2012, content source with full text you can find at link above.