MALWARETECH
Tracking the Hide and Seek Botnet. Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custompeer-to-peer
MALWARETECH
Mapping Mirai: A Botnet Case Study. Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it’s also the bot used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on INLINE HOOKING FOR PROGRAMMERS (PART 1: INTRODUCTION Inline hooking is a method of intercepting calls to target functions,which is mainly used by antiviruses, sandboxes, and malware. The general idea is to redirect a function to our own, so that we can perform processing before and/or after the function does its; this could include: checking parameters, shimming, logging, spoofing returned data, and filtering calls. HARD DISK FIRMWARE HACKING (PART 1) Hard Disk Firmware Hacking (Part 1) I’ve not been doing much in the windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple of years ago I started looking WRITING ASSEMBLY CODE TO AN ARDUINO WITH AVRDUDE INVESTIGATING COMMAND AND CONTROL INFRASTRUCTURE (EMOTET Investigating Command and Control Infrastructure (Emotet) Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and LET'S UNPACK: DRIDEX LOADER A few people have been having problems with unpacking the initial loader for Dridex (the one dropped by the macro), so I’m going to show you an easy way to do it. One of the other problems people have, which i can’t fix, is the fact the Dridex infection chains have A FEW REASON FOR MAXIMUM PASSWORD LENGTH A lot of people have recently been wondering the reason behind maximum password lengths, after it was revealed that eBay limited passwords to 20 characters. 
Many people see this as a security flaw (and in some cases it is), but often there are reasons behind it. I should alsomention
WINDOWS 10 SYSTEM CALL STUB CHANGES Windows 10 x64 (WOW64) Native function no longer call FS: , instead they call a pointer in the same way x86 used to call KiFastSystemCall. Wow64SystemServiceCall is not a fixed address like SharedUserData!SystemCallStub, instead it’s the absolute address of a function within the wow64 ntdll.dll. The code simply checks a flagin the PEB
THE 0X33 SEGMENT SELECTOR (HEAVENS GATE) A segment descriptor uses a ridiculous layout for backwards compatibility reasons. There is a 4 byte segment base address which is stored at bytes 3,4,5 and 8; The segment limit is 2 and a half bytes and stored at bytes 1, 2 and half of 7; The descriptor flags are the other half of the 7th byte, and the Access flags are byte 6.MALWARETECH
Tracking the Hide and Seek Botnet. Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custompeer-to-peer
MALWARETECH
Mapping Mirai: A Botnet Case Study. Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it’s also the bot used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on INLINE HOOKING FOR PROGRAMMERS (PART 1: INTRODUCTION Inline hooking is a method of intercepting calls to target functions,which is mainly used by antiviruses, sandboxes, and malware. The general idea is to redirect a function to our own, so that we can perform processing before and/or after the function does its; this could include: checking parameters, shimming, logging, spoofing returned data, and filtering calls. HARD DISK FIRMWARE HACKING (PART 1) Hard Disk Firmware Hacking (Part 1) I’ve not been doing much in the windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple of years ago I started looking WRITING ASSEMBLY CODE TO AN ARDUINO WITH AVRDUDE INVESTIGATING COMMAND AND CONTROL INFRASTRUCTURE (EMOTET Investigating Command and Control Infrastructure (Emotet) Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and LET'S UNPACK: DRIDEX LOADER A few people have been having problems with unpacking the initial loader for Dridex (the one dropped by the macro), so I’m going to show you an easy way to do it. One of the other problems people have, which i can’t fix, is the fact the Dridex infection chains have A FEW REASON FOR MAXIMUM PASSWORD LENGTH A lot of people have recently been wondering the reason behind maximum password lengths, after it was revealed that eBay limited passwords to 20 characters. 
Many people see this as a security flaw (and in some cases it is), but often there are reasons behind it. I should alsomention
WINDOWS 10 SYSTEM CALL STUB CHANGES Windows 10 x64 (WOW64) Native function no longer call FS: , instead they call a pointer in the same way x86 used to call KiFastSystemCall. Wow64SystemServiceCall is not a fixed address like SharedUserData!SystemCallStub, instead it’s the absolute address of a function within the wow64 ntdll.dll. The code simply checks a flagin the PEB
THE 0X33 SEGMENT SELECTOR (HEAVENS GATE) A segment descriptor uses a ridiculous layout for backwards compatibility reasons. There is a 4 byte segment base address which is stored at bytes 3,4,5 and 8; The segment limit is 2 and a half bytes and stored at bytes 1, 2 and half of 7; The descriptor flags are the other half of the 7th byte, and the Access flags are byte 6. BEST LANGUAGES TO LEARN FOR MALWARE ANALYSIS One of the most common questions I’m asked is “what programming language(s) should I learn to get into malware analysis/reverse engineering”, to answer this question I’m going to write about the top 3 languages which I’ve personally found most useful. I’ll focus on native malware (malware which does not require HARD DISK FIRMWARE HACKING (PART 1) Hard Disk Firmware Hacking (Part 1) I’ve not been doing much in the windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple of years ago I started looking PORTABLE EXECUTABLE INJECTION FOR BEGINNERS Process Injection Process injection is an age old technique used by malware for 3 main reasons: Running without a process, placing user-mode hooks for a rootkit or formgrabber, and bypassing antivirus / firewalls by injecting whitelisted processes. The most common method of process injection is DLL Injection, which is popularMALWARETECH
Backdoored Ransomware for Educational Purposes. Here is an interesting article I found this week, it’s about how A researcher released two pieces of ‘educational’ ransomware which were secretly backdoored in order to own some advanced and prolific cyber-criminals a small number of scriptkiddies. There two pieces were HiddenTear (a WEBINJECTS - THE BASICS - MALWARETECH Webinjects – The Basics. It’s not uncommon for malware to use a technique known as formgrabbing; this is done by hooking browser functions responsible for encrypting and sending data to a webpage. By intercepting data before it is encrypted with SSL the malware can read the HTTP header and steal usernames and passwords from post data being WHY OPEN SOURCE RANSOMWARE IS SUCH A PROBLEM A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high. Trying to prove a point, help me out Twitter. Is open source ransomware helping TRACKING THE HIDE AND SEEK BOTNET Tracking the Hide and Seek Botnet - MalwareTech. Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using acustom
A FEW REASON FOR MAXIMUM PASSWORD LENGTH A lot of people have recently been wondering the reason behind maximum password lengths, after it was revealed that eBay limited passwords to 20 characters. Many people see this as a security flaw (and in some cases it is), but often there are reasons behind it. I should alsomention
ADVANCED DESKTOP APPLICATION SANDBOXING VIA APPCONTAINER This post is kind of a follow on from my previous article Usermode Sandboxing, so if you’ve not yet read that you should do so first.. AppContainer was a fairly quietly introduced feature in Windows 8, which is a shame as it provides some great features which can be used for desktop application security too (Few people are aware that it’s not just used for Apps as the name might suggest). THE 0X33 SEGMENT SELECTOR (HEAVENS GATE) A segment descriptor uses a ridiculous layout for backwards compatibility reasons. There is a 4 byte segment base address which is stored at bytes 3,4,5 and 8; The segment limit is 2 and a half bytes and stored at bytes 1, 2 and half of 7; The descriptor flags are the other half of the 7th byte, and the Access flags are byte 6.MALWARETECH
Tracking the Hide and Seek Botnet. Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custompeer-to-peer
MALWARETECH
Mapping Mirai: A Botnet Case Study. Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it’s also the bot used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on INLINE HOOKING FOR PROGRAMMERS (PART 1: INTRODUCTION Inline hooking is a method of intercepting calls to target functions,which is mainly used by antiviruses, sandboxes, and malware. The general idea is to redirect a function to our own, so that we can perform processing before and/or after the function does its; this could include: checking parameters, shimming, logging, spoofing returned data, and filtering calls. HARD DISK FIRMWARE HACKING (PART 1) Hard Disk Firmware Hacking (Part 1) I’ve not been doing much in the windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple of years ago I started looking WRITING ASSEMBLY CODE TO AN ARDUINO WITH AVRDUDE INVESTIGATING COMMAND AND CONTROL INFRASTRUCTURE (EMOTET Investigating Command and Control Infrastructure (Emotet) Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and LET'S UNPACK: DRIDEX LOADER A few people have been having problems with unpacking the initial loader for Dridex (the one dropped by the macro), so I’m going to show you an easy way to do it. One of the other problems people have, which i can’t fix, is the fact the Dridex infection chains haveDEVICE GUARD
Conclusion. If properly implemented, Device Guard can be used to create a system which is highly resilient to common malware (assuming UMCI, KMCI, and VBPCI are enabled and well configured). UMCI prevents an adversary social engineering the victim into running malware (unless they can get hold of a whitelisted certificate). WINDOWS 10 SYSTEM CALL STUB CHANGES Windows 10 x64 (WOW64) Native function no longer call FS: , instead they call a pointer in the same way x86 used to call KiFastSystemCall. Wow64SystemServiceCall is not a fixed address like SharedUserData!SystemCallStub, instead it’s the absolute address of a function within the wow64 ntdll.dll. The code simply checks a flagin the PEB
THE 0X33 SEGMENT SELECTOR (HEAVENS GATE) A segment descriptor uses a ridiculous layout for backwards compatibility reasons. There is a 4 byte segment base address which is stored at bytes 3,4,5 and 8; The segment limit is 2 and a half bytes and stored at bytes 1, 2 and half of 7; The descriptor flags are the other half of the 7th byte, and the Access flags are byte 6.MALWARETECH
Tracking the Hide and Seek Botnet. Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custompeer-to-peer
MALWARETECH
Mapping Mirai: A Botnet Case Study. Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it’s also the bot used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on INLINE HOOKING FOR PROGRAMMERS (PART 1: INTRODUCTION Inline hooking is a method of intercepting calls to target functions,which is mainly used by antiviruses, sandboxes, and malware. The general idea is to redirect a function to our own, so that we can perform processing before and/or after the function does its; this could include: checking parameters, shimming, logging, spoofing returned data, and filtering calls. HARD DISK FIRMWARE HACKING (PART 1) Hard Disk Firmware Hacking (Part 1) I’ve not been doing much in the windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple of years ago I started looking WRITING ASSEMBLY CODE TO AN ARDUINO WITH AVRDUDE INVESTIGATING COMMAND AND CONTROL INFRASTRUCTURE (EMOTET Investigating Command and Control Infrastructure (Emotet) Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and LET'S UNPACK: DRIDEX LOADER A few people have been having problems with unpacking the initial loader for Dridex (the one dropped by the macro), so I’m going to show you an easy way to do it. One of the other problems people have, which i can’t fix, is the fact the Dridex infection chains haveDEVICE GUARD
Conclusion. If properly implemented, Device Guard can be used to create a system which is highly resilient to common malware (assuming UMCI, KMCI, and VBPCI are enabled and well configured). UMCI prevents an adversary social engineering the victim into running malware (unless they can get hold of a whitelisted certificate). WINDOWS 10 SYSTEM CALL STUB CHANGES Windows 10 x64 (WOW64) Native function no longer call FS: , instead they call a pointer in the same way x86 used to call KiFastSystemCall. Wow64SystemServiceCall is not a fixed address like SharedUserData!SystemCallStub, instead it’s the absolute address of a function within the wow64 ntdll.dll. The code simply checks a flagin the PEB
THE 0X33 SEGMENT SELECTOR (HEAVENS GATE) A segment descriptor uses a ridiculous layout for backwards compatibility reasons. There is a 4 byte segment base address which is stored at bytes 3,4,5 and 8; The segment limit is 2 and a half bytes and stored at bytes 1, 2 and half of 7; The descriptor flags are the other half of the 7th byte, and the Access flags are byte 6. PORTABLE EXECUTABLE INJECTION FOR BEGINNERS Process Injection Process injection is an age old technique used by malware for 3 main reasons: Running without a process, placing user-mode hooks for a rootkit or formgrabber, and bypassing antivirus / firewalls by injecting whitelisted processes. The most common method of process injection is DLL Injection, which is popular BEST LANGUAGES TO LEARN FOR MALWARE ANALYSIS One of the most common questions I’m asked is “what programming language(s) should I learn to get into malware analysis/reverse engineering”, to answer this question I’m going to write about the top 3 languages which I’ve personally found most useful. I’ll focus on native malware (malware which does not require WEBINJECTS - THE BASICS - MALWARETECH Webinjects – The Basics. It’s not uncommon for malware to use a technique known as formgrabbing; this is done by hooking browser functions responsible for encrypting and sending data to a webpage. By intercepting data before it is encrypted with SSL the malware can read the HTTP header and steal usernames and passwords from post data being WHY OPEN SOURCE RANSOMWARE IS SUCH A PROBLEM A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high. Trying to prove a point, help me out Twitter. Is open source ransomware helping HIDDEN VNC FOR BEGINNERS Hidden VNC for Beginners. Hidden VNC is a creative solution to a solution to a problem which stemmed from banking fraud. 
Back years ago when fraud was uncommon, most banks only had basic IP or Geo-location checks to flag or block accounts if someone logged in from another computer. To combat this, banking trojans would run a SOCKS proxyserver
TRACKING THE HIDE AND SEEK BOTNET Tracking the Hide and Seek Botnet - MalwareTech. Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using acustom
DEVICE GUARD
One of my favorite attacks against HIPS, firewalls, and software restriction policies is DLL hijacking. Simply put, when an application calls LoadLibrary(“somedll.dll”), the system first looks for the DLL in the KnowDlls registry key, followed by the applications working folder (where the application was run from), and finally system pathslike System32.
A FEW REASON FOR MAXIMUM PASSWORD LENGTH A lot of people have recently been wondering the reason behind maximum password lengths, after it was revealed that eBay limited passwords to 20 characters. Many people see this as a security flaw (and in some cases it is), but often there are reasons behind it. I should alsomention
ADVANCED DESKTOP APPLICATION SANDBOXING VIA APPCONTAINER This post is kind of a follow on from my previous article Usermode Sandboxing, so if you’ve not yet read that you should do so first.. AppContainer was a fairly quietly introduced feature in Windows 8, which is a shame as it provides some great features which can be used for desktop application security too (Few people are aware that it’s not just used for Apps as the name might suggest). THE 0X33 SEGMENT SELECTOR (HEAVENS GATE) A segment descriptor uses a ridiculous layout for backwards compatibility reasons. There is a 4 byte segment base address which is stored at bytes 3,4,5 and 8; The segment limit is 2 and a half bytes and stored at bytes 1, 2 and half of 7; The descriptor flags are the other half of the 7th byte, and the Access flags are byte 6.MALWARETECH
Tracking the Hide and Seek Botnet. Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custompeer-to-peer
MALWARETECH
Mapping Mirai: A Botnet Case Study. Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it’s also the bot used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on BEGINNER MALWARE REVERSING CHALLENGES Beginner Malware Reversing Challenges - MalwareTech. The purpose of these challenges is to familiarize beginners with common malware techniques. Don’t worry if you can’t complete a challenge, I will soon be creating a video explaining each one in detail. The number of stars represents the challenge difficulty. HARD DISK FIRMWARE HACKING (PART 1) Hard Disk Firmware Hacking (Part 1) I’ve not been doing much in the windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple of years ago I started looking INLINE HOOKING FOR PROGRAMMERS (PART 1: INTRODUCTION Inline hooking is a method of intercepting calls to target functions,which is mainly used by antiviruses, sandboxes, and malware. The general idea is to redirect a function to our own, so that we can perform processing before and/or after the function does its; this could include: checking parameters, shimming, logging, spoofing returned data, and filtering calls. BEST LANGUAGES TO LEARN FOR MALWARE ANALYSIS AUTOMATIC TRANSFER SYSTEMS (ATS) FOR BEGINNERS Automatic Transfer System (ATS) Under the hood ATS are simply just webinjects wearing a different hat, the purpose is shifted from gathering credentials for use/sale to automatically initiating wire transfers from the victims own computer (all without needing to log their credentials, bypassing 2FA and all anti-fraud measures).DEVICE GUARD
Conclusion. If properly implemented, Device Guard can be used to create a system which is highly resilient to common malware (assuming UMCI, KMCI, and VBPCI are enabled and well configured). UMCI prevents an adversary social engineering the victim into running malware (unless they can get hold of a whitelisted certificate). ADVANCED DESKTOP APPLICATION SANDBOXING VIA APPCONTAINER This post is kind of a follow on from my previous article Usermode Sandboxing, so if you’ve not yet read that you should do so first.. AppContainer was a fairly quietly introduced feature in Windows 8, which is a shame as it provides some great features which can be used for desktop application security too (Few people are aware that it’s not just used for Apps as the name might suggest). THE 0X33 SEGMENT SELECTOR (HEAVENS GATE) A segment descriptor uses a ridiculous layout for backwards compatibility reasons. There is a 4 byte segment base address which is stored at bytes 3,4,5 and 8; The segment limit is 2 and a half bytes and stored at bytes 1, 2 and half of 7; The descriptor flags are the other half of the 7th byte, and the Access flags are byte 6.MALWARETECH
Tracking the Hide and Seek Botnet. Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custompeer-to-peer
MALWARETECH
Mapping Mirai: A Botnet Case Study. Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it’s also the bot used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on BEGINNER MALWARE REVERSING CHALLENGES Beginner Malware Reversing Challenges - MalwareTech. The purpose of these challenges is to familiarize beginners with common malware techniques. Don’t worry if you can’t complete a challenge, I will soon be creating a video explaining each one in detail. The number of stars represents the challenge difficulty. HARD DISK FIRMWARE HACKING (PART 1) Hard Disk Firmware Hacking (Part 1) I’ve not been doing much in the windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple of years ago I started looking INLINE HOOKING FOR PROGRAMMERS (PART 1: INTRODUCTION Inline hooking is a method of intercepting calls to target functions,which is mainly used by antiviruses, sandboxes, and malware. The general idea is to redirect a function to our own, so that we can perform processing before and/or after the function does its; this could include: checking parameters, shimming, logging, spoofing returned data, and filtering calls. BEST LANGUAGES TO LEARN FOR MALWARE ANALYSIS AUTOMATIC TRANSFER SYSTEMS (ATS) FOR BEGINNERS Automatic Transfer System (ATS) Under the hood ATS are simply just webinjects wearing a different hat, the purpose is shifted from gathering credentials for use/sale to automatically initiating wire transfers from the victims own computer (all without needing to log their credentials, bypassing 2FA and all anti-fraud measures).DEVICE GUARD
Conclusion. If properly implemented, Device Guard can be used to create a system which is highly resilient to common malware (assuming UMCI, KMCI, and VBPCI are enabled and well configured). UMCI prevents an adversary social engineering the victim into running malware (unless they can get hold of a whitelisted certificate). ADVANCED DESKTOP APPLICATION SANDBOXING VIA APPCONTAINER This post is kind of a follow on from my previous article Usermode Sandboxing, so if you’ve not yet read that you should do so first.. AppContainer was a fairly quietly introduced feature in Windows 8, which is a shame as it provides some great features which can be used for desktop application security too (Few people are aware that it’s not just used for Apps as the name might suggest). THE 0X33 SEGMENT SELECTOR (HEAVENS GATE) A segment descriptor uses a ridiculous layout for backwards compatibility reasons. There is a 4 byte segment base address which is stored at bytes 3,4,5 and 8; The segment limit is 2 and a half bytes and stored at bytes 1, 2 and half of 7; The descriptor flags are the other half of the 7th byte, and the Access flags are byte 6.TAG: MALWARE
Tracking the Hide and Seek Botnet. Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custompeer-to-peer
PORTABLE EXECUTABLE INJECTION FOR BEGINNERS Process Injection Process injection is an age old technique used by malware for 3 main reasons: Running without a process, placing user-mode hooks for a rootkit or formgrabber, and bypassing antivirus / firewalls by injecting whitelisted processes. The most common method of process injection is DLL Injection, which is popular WHY OPEN SOURCE RANSOMWARE IS SUCH A PROBLEM A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high. Trying to prove a point, help me out Twitter. Is open source ransomware helping LET'S UNPACK: DRIDEX LOADER A few people have been having problems with unpacking the initial loader for Dridex (the one dropped by the macro), so I’m going to show you an easy way to do it. One of the other problems people have, which i can’t fix, is the fact the Dridex infection chains have PETYA RANSOMWARE ATTACK Petya The jury is still out on whether the malware is Petya or something that just looks like it (it messes with the Master Boot Record in a way which is very similar to Petya and not commonly used in other ransomware). Hasherzade who is a researcher well known for A FEW REASON FOR MAXIMUM PASSWORD LENGTH A lot of people have recently been wondering the reason behind maximum password lengths, after it was revealed that eBay limited passwords to 20 characters. Many people see this as a security flaw (and in some cases it is), but often there are reasons behind it. I should alsomention
HOW TO ACCIDENTALLY STOP A GLOBAL CYBER ATTACKS Our standard model goes something like this. Look for unregistered or expired C2 domains belonging to active botnets and point it to our sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them). Gather data on the geographical distribution and scaleof
WINDOWS 10 SYSTEM CALL STUB CHANGES Windows 10 x64 (WOW64) Native function no longer call FS: , instead they call a pointer in the same way x86 used to call KiFastSystemCall. Wow64SystemServiceCall is not a fixed address like SharedUserData!SystemCallStub, instead it’s the absolute address of a function within the wow64 ntdll.dll. The code simply checks a flagin the PEB
THE KELIHOS BOTNET
A while ago I started writing a series of articles documenting the Kelihos Peer-to-Peer infrastructure but had to pull them due to an ongoing operation. As most of you have probably seen, the botnet operator was arrested a few days ago and the FBI have begun sinkholing the botnet (which will most likely make all my research null & void, as well as kill my Kelihos Tracker 🙁 ). INLINE HOOKING FOR PROGRAMMERS (PART 2: WRITING A HOOKING Inside the hooking function we will get the address of the target function, then use the “Hacker Dissasembler Engine (HDE32)” to dissasemble each instruction and get the length, until we have 5 or more bytes worth of whole instructions (hde32_disasm returns the length of the instruction pointed to by the first parameter).MALWARETECH
A research blog by Marcus Hutchins. Topics include: malware analysis, threat intelligence, and vulnerability research.

BEGINNER MALWARE REVERSING CHALLENGES
The purpose of these challenges is to familiarize beginners with common malware techniques. Don’t worry if you can’t complete a challenge, I will soon be creating a video explaining each one in detail. The number of stars represents the challenge difficulty. Different challenges require different skills, so …

WINDOWS 10 SYSTEM CALL STUB CHANGES
Recently I installed Windows 10 RTM and while I was digging around I happened to notice some changes to the user mode portion of the system call stub: these changes appear to break the current methods of user mode system call hooking on x86 and WOW64 (Recap: here). Windows 10 x86 …
Last week I received a tip about a sample displaying some indication that it could be peer-to-peer (a large amount of UDP traffic being sent to residential IPs), after a couple days of analysis I was able to confirm that not only was it peer-to-peer but also currently active.
A few days ago someone made the following post which suggested the FBI were sending bitcoin from the wallet where all of the seized coins from Silkroad were sent to the ShadowBrokers auction address; furthermore, the explanation was given that they were trying to …

OPINIONS - MALWARETECH
Here is an interesting article I found this week, it’s about how a researcher released two pieces of ‘educational’ ransomware which were secretly backdoored in order to own some advanced and prolific cyber-criminals a small number of scriptkiddies.

CHALLENGES - MALWARETECH
Exploit Challenges: https://www.malwaretech.com/windows-exploit-challenges
Reversing Challenges: https://www.malwaretech.com/beginner-malware-reversing-challenges
Rovnix is an advanced VBR (Volume Boot Record) rootkit best known for being the bootkit component of Carberp. The kit operates in kernel mode, uses a custom TCP/IP stack to bypass firewalls, and stores components on a virtual filesystem outside of the partition.
Introduction. It’s no secret that keeping your computer free from malware has become much harder. I remember about 12 years ago my friend showing me a CD and announcing that it was an antivirus, which would keep his computer free of all viruses.

STRINGS1 - MALWARETECH
strings1.exe contains an un-encrypted flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag? Rules & Information: You are not required to run strings1.exe, this challenge is static analysis only. Do not use a …
MalwareTech: Life of a Malware Analyst

BLOG
Vulnerability Research
BLUEKEEP: A JOURNEY FROM DOS TO RCE (CVE-2019-0708)
Due to the serious risk of a BlueKeep based worm, I’ve held back this write-up to avoid advancing the timeline. Now that a proof-of-concept for RCE (remote code execution) has been released as part of Metasploit, I feel it’s now safe for me to post this. This article will be …
Vulnerability Research
DEJABLUE: ANALYZING A RDP HEAP OVERFLOW
In August 2019 Microsoft announced it had patched a collection of RDP bugs, two of which were wormable. The wormable bugs, CVE-2019-1181 & CVE-2019-1182 affect every OS from Windows 7 to Windows 10. There is some confusion about which CVE is which, though it’s possible both refer to the same …
Opinions
YOUTUBE’S POLICY ON HACKING TUTORIALS IS PROBLEMATIC
Recently YouTube changed its policy on “hacking” tutorials to an essential blanket ban. In the past, such content was occasionally removed under YouTube’s broad “Harmful and Dangerous Content” clause, which prohibited videos “encouraging illegal activity”. An updated policy now specifically targets instructional hacking videos. One major problem here is that …
Vulnerability Research
ANALYSIS OF CVE-2019-0708 (BLUEKEEP)
I held back this write-up until a proof of concept (PoC) was publicly available, so as not to cause any harm. Now that there are multiple denial-of-service PoCs on GitHub, I’m posting my analysis. Binary Diffing. As always, I started with a BinDiff of the binaries modified by the patch (in …
Vulnerability Research
ANALYSIS OF A VB SCRIPT HEAP OVERFLOW (CVE-2019-0666)
Anyone who uses RegEx knows how easy it is to shoot yourself in the foot; but, is it possible to write RegEx so badly that it can lead to RCE? With VB Script, the answer is yes! In this article I’ll be writing about what I assume to be CVE-2019-0666. …
Reverse Engineering
VIDEO: FIRST LOOK AT GHIDRA (NSA REVERSE ENGINEERING TOOL)
Today during RSA Conference, the National Security Agency released their much hyped Ghidra reverse engineering toolkit. Described as “A software reverse engineering (SRE) suite of tools”, Ghidra sounded like some kind of disassembler framework. Prior to release, my expectation was something more than Binary Ninja, but lacking debugger integration. I figured …
Vulnerability Research
ANALYZING A WINDOWS DHCP SERVER BUG (CVE-2019-0626)
Today I’ll be doing an in-depth write up on CVE-2019-0626, and how to find it. Due to the fact this bug only exists on Windows Server, I’ll be using a Server 2016 VM (corresponding patch is KB4487026). Note: this bug was not found by me, I reverse engineered it from …
Malware Analysis
TRACKING THE HIDE AND SEEK BOTNET
Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custom peer-to-peer network …
Malware Analysis
BEST LANGUAGES TO LEARN FOR MALWARE ANALYSIS
One of the most common questions I’m asked is “what programming language(s) should I learn to get into malware analysis/reverse engineering”, to answer this question I’m going to write about the top 3 languages which I’ve personally found most useful. I’ll focus on native malware (malware which does not require …
Threat Intelligence
INVESTIGATING COMMAND AND CONTROL INFRASTRUCTURE (EMOTET)
Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and explain my process of identifying …