MALWARETECH
BLUEKEEP: A JOURNEY FROM DOS TO RCE (CVE-2019-0708)
In August 2019 Microsoft announced it had patched a collection of RDP bugs, two of which were wormable. The wormable bugs, CVE-2019-1181 & CVE-2019-1182, affect every OS from Windows 7

A research blog by Marcus Hutchins. Topics include: malware analysis, threat intelligence, and vulnerability research.

BEGINNER MALWARE REVERSING CHALLENGES
The purpose of these challenges is to familiarize beginners with common malware techniques. Don’t worry if you can’t complete a challenge; I will soon be creating a video explaining each one in detail. The number of stars represents the challenge difficulty. Different challenges require different skills, so

HARD DISK FIRMWARE HACKING (PART 1)
I’ve not been doing much in the Windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple

INLINE HOOKING FOR PROGRAMMERS (PART 1: INTRODUCTION)
Inline hooking is a method of intercepting calls to target functions, which is mainly used by antiviruses, sandboxes, and malware. The general idea is to redirect a function to our own, so that we can perform processing before and/or after the function does its; this could include: checking parameters, shimming, logging, spoofing returned data, and filtering calls.

PHASE BOT - A FILELESS ROOTKIT (PART 1)
Phase Bot is a fileless rootkit that went on sale during late October. The bot is fairly cheap ($200) and boasts features such as formgrabbing, FTP stealing, and of course the ability to run without a file. The bot has both a 32-bit binary (Win32/Phase) and a 64-bit binary (Win64/Phase),

ADVANCED DESKTOP APPLICATION SANDBOXING VIA APPCONTAINER
This post is kind of a follow on from my previous article Usermode Sandboxing, so if you’ve not yet read that you should do so first. AppContainer was a fairly quietly introduced feature in Windows 8, which is a shame as it provides some great features which can be used for desktop application security too (few people are aware that it’s not just used for Apps as the name might suggest).

A FEW REASONS FOR MAXIMUM PASSWORD LENGTH
A lot of people have recently been wondering the reason behind maximum password lengths, after it was revealed that eBay limited passwords to 20 characters. Many people see this as a security flaw (and in some cases it is), but often there are reasons behind it. I should also mention

THE 0X33 SEGMENT SELECTOR (HEAVENS GATE)
A segment descriptor uses a ridiculous layout for backwards compatibility reasons. There is a 4 byte segment base address which is stored at bytes 3, 4, 5 and 8; the segment limit is 2 and a half bytes and is stored at bytes 1, 2 and half of 7; the descriptor flags are the other half of the 7th byte, and the access flags are byte 6.
PORTABLE EXECUTABLE INJECTION FOR BEGINNERS
Process injection is an age-old technique used by malware for 3 main reasons: running without a process, placing user-mode hooks for a rootkit or formgrabber, and bypassing antivirus / firewalls by injecting whitelisted processes. The most common method of process injection is DLL Injection, which is popular

TRACKING THE HIDE AND SEEK BOTNET
Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custom peer-to-peer network

INVESTIGATING COMMAND AND CONTROL INFRASTRUCTURE (EMOTET)
Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and explain my process of identifying

HIDDEN VNC FOR BEGINNERS
Hidden VNC is a creative solution to a problem which stemmed from banking fraud. Back years ago when fraud was uncommon, most banks only had basic IP or geo-location checks to flag or block accounts if someone logged in from another computer. To combat this, banking trojans

LET'S UNPACK: DRIDEX LOADER
A few people have been having problems with unpacking the initial loader for Dridex (the one dropped by the macro), so I’m going to show you an easy way to do it. One of the other problems people have, which I can’t fix, is the fact the Dridex infection chains have

PETYA RANSOMWARE ATTACK
The jury is still out on whether the malware is Petya or something that just looks like it (it messes with the Master Boot Record in a way which is very similar to Petya and not commonly used in other ransomware). hasherezade, who is a researcher well known for

DEVICE GUARD
One of my favorite attacks against HIPS, firewalls, and software restriction policies is DLL hijacking. Simply put, when an application calls LoadLibrary(“somedll.dll”), the system first looks for the DLL in the KnownDlls registry key, followed by the application’s working folder (where the application was run from), and finally system paths like System32.
WINDOWS 10 SYSTEM CALL STUB CHANGES
Recently I installed Windows 10 RTM and while I was digging around I happened to notice some changes to the user mode portion of the system call stub: these changes appear to break the current methods of user mode system call hooking on x86 and WOW64 (Recap: here). Windows 10 x86
WEBINJECTS - THE BASICS
As well as the standard username and password, the user has a security PIN number. During login the user is asked for their username, password, and 3 digits from their security PIN: the digits required will be chosen at random (e.g. one time they might be asked for the 1st, 3rd, and 9th digit, another time they might be asked for the 2nd, 5th and 8th digit).

BEST LANGUAGES TO LEARN FOR MALWARE ANALYSIS
One of the most common questions I’m asked is “what programming language(s) should I learn to get into malware analysis/reverse engineering”; to answer this question I’m going to write about the top 3 languages which I’ve personally found most useful. I’ll focus on native malware (malware which does not require

HARD DISK FIRMWARE HACKING (PART 1)
By setting this mode on the multimeter it will show us the resistance between two points; the ‘1’ means total resistance (the points likely aren’t even connected) and ‘0.01’ is a good connection.

WHY OPEN SOURCE RANSOMWARE IS SUCH A PROBLEM
A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high. Trying to prove a point, help me out Twitter. Is open source ransomware helping
MAPPING MIRAI: A BOTNET CASE STUDY
Mirai is a piece of malware designed to hijack BusyBox systems (commonly used on IoT devices) in order to perform DDoS attacks; it’s also the bot used in the 620 Gbps DDoS attack on Brian Krebs’s blog and the 1.1 Tbps attack on

WRITING ASSEMBLY CODE TO AN ARDUINO WITH AVRDUDE

WINDOWS 10 SYSTEM CALL STUB CHANGES
Windows 10 x64 (WOW64): native functions no longer call through FS:; instead they call a pointer in the same way x86 used to call KiFastSystemCall. Wow64SystemServiceCall is not a fixed address like SharedUserData!SystemCallStub; instead it’s the absolute address of a function within the WOW64 ntdll.dll. The code simply checks a flag in the PEB
BACKDOORED RANSOMWARE FOR EDUCATIONAL PURPOSES
Here is an interesting article I found this week; it’s about how a researcher released two pieces of ‘educational’ ransomware which were secretly backdoored in order to own some ~~advanced and prolific cyber-criminals~~ a small number of scriptkiddies. These two pieces were HiddenTear (a

WEBINJECTS - THE BASICS
It’s not uncommon for malware to use a technique known as formgrabbing; this is done by hooking browser functions responsible for encrypting and sending data to a webpage. By intercepting data before it is encrypted with SSL the malware can read the HTTP header and steal usernames and passwords from POST data being
Tracking the Hide and Seek Botnet. Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custompeer-to-peer
MALWARETECH
MAPPING MIRAI: A BOTNET CASE STUDY
Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks; it’s also the bot used in the 620 Gbps DDoS attack on Brian Krebs’s blog and the 1.1 Tbps attack on OVH a few days later.

INLINE HOOKING FOR PROGRAMMERS (PART 1: INTRODUCTION)
Inline hooking is a method of intercepting calls to target functions, which is mainly used by antiviruses, sandboxes, and malware. The general idea is to redirect a function to our own, so that we can perform processing before and/or after the function does its; this could include: checking parameters, shimming, logging, spoofing returned data, and filtering calls.

HARD DISK FIRMWARE HACKING (PART 1)
I’ve not been doing much in the Windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people have suggested I post some of that here. A couple of years ago I started looking

WRITING ASSEMBLY CODE TO AN ARDUINO WITH AVRDUDE

INVESTIGATING COMMAND AND CONTROL INFRASTRUCTURE (EMOTET)
Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and

LET'S UNPACK: DRIDEX LOADER
A few people have been having problems with unpacking the initial loader for Dridex (the one dropped by the macro), so I’m going to show you an easy way to do it. One of the other problems people have, which I can’t fix, is the fact the Dridex infection chains have

A FEW REASON FOR MAXIMUM PASSWORD LENGTH
A lot of people have recently been wondering the reason behind maximum password lengths, after it was revealed that eBay limited passwords to 20 characters. Many people see this as a security flaw (and in some cases it is), but often there are reasons behind it. I should also mention

WINDOWS 10 SYSTEM CALL STUB CHANGES
Windows 10 x64 (WOW64): native functions no longer call FS:, instead they call a pointer in the same way x86 used to call KiFastSystemCall. Wow64SystemServiceCall is not a fixed address like SharedUserData!SystemCallStub; instead it’s the absolute address of a function within the WOW64 ntdll.dll. The code simply checks a flag in the PEB

THE 0X33 SEGMENT SELECTOR (HEAVENS GATE)
A segment descriptor uses a ridiculous layout for backwards compatibility reasons. There is a 4 byte segment base address which is stored at bytes 3, 4, 5 and 8; the segment limit is 2 and a half bytes and stored at bytes 1, 2 and half of 7; the descriptor flags are the other half of the 7th byte, and the access flags are byte 6.

TRACKING THE HIDE AND SEEK BOTNET
Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custom peer-to-peer network
BEST LANGUAGES TO LEARN FOR MALWARE ANALYSIS
One of the most common questions I’m asked is “what programming language(s) should I learn to get into malware analysis/reverse engineering”; to answer this question I’m going to write about the top 3 languages which I’ve personally found most useful. I’ll focus on native malware (malware which does not require

PORTABLE EXECUTABLE INJECTION FOR BEGINNERS
Process Injection. Process injection is an age-old technique used by malware for 3 main reasons: running without a process, placing user-mode hooks for a rootkit or formgrabber, and bypassing antivirus / firewalls by injecting whitelisted processes. The most common method of process injection is DLL Injection, which is popular
BACKDOORED RANSOMWARE FOR EDUCATIONAL PURPOSES
Here is an interesting article I found this week; it’s about how a researcher released two pieces of ‘educational’ ransomware which were secretly backdoored in order to own some advanced and prolific cyber-criminals (read: a small number of scriptkiddies). These two pieces were HiddenTear (a

WEBINJECTS - THE BASICS
It’s not uncommon for malware to use a technique known as formgrabbing; this is done by hooking browser functions responsible for encrypting and sending data to a webpage. By intercepting data before it is encrypted with SSL the malware can read the HTTP header and steal usernames and passwords from post data being

WHY OPEN SOURCE RANSOMWARE IS SUCH A PROBLEM
A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high. Trying to prove a point, help me out Twitter. Is open source ransomware helping
ADVANCED DESKTOP APPLICATION SANDBOXING VIA APPCONTAINER
This post is kind of a follow-on from my previous article Usermode Sandboxing, so if you’ve not yet read that you should do so first. AppContainer was a fairly quietly introduced feature in Windows 8, which is a shame as it provides some great features which can be used for desktop application security too (few people are aware that it’s not just used for Apps as the name might suggest).
In August 2019 Microsoft announced it had patched a collection of RDP bugs, two of which were wormable. The wormable bugs, CVE-2019-1181 & CVE-2019-1182, affect every OS from Windows 7

MALWARETECH
A research blog by Marcus Hutchins. Topics include: malware analysis, threat intelligence, and vulnerability research.

BEGINNER MALWARE REVERSING CHALLENGES
The purpose of these challenges is to familiarize beginners with common malware techniques. Don’t worry if you can’t complete a challenge, I will soon be creating a video explaining each one in detail. The number of stars represents the challenge difficulty. Different challenges require different skills, so

AUTOMATIC TRANSFER SYSTEMS (ATS) FOR BEGINNERS

DEVICE GUARD
One of my favorite attacks against HIPS, firewalls, and software restriction policies is DLL hijacking. Simply put, when an application calls LoadLibrary(“somedll.dll”), the system first looks for the DLL in the KnownDlls registry key, followed by the application’s working folder (where the application was run from), and finally system paths like System32.
PETYA RANSOMWARE ATTACK
The jury is still out on whether the malware is Petya or something that just looks like it (it messes with the Master Boot Record in a way which is very similar to Petya and not commonly used in other ransomware). Hasherzade, who is a researcher well known for

HOW TO ACCIDENTALLY STOP A GLOBAL CYBER ATTACKS
Around 6:23 PM (BST) I asked an employee to look into the worm code and verify the domain we registered would not change (some malware will periodically change the domain using an algorithm, so we needed to know if there would be new domains so we could register those too); meanwhile I performed some updates to the live map to deal with the rapid influx of new visitors.
INLINE HOOKING FOR PROGRAMMERS (PART 2: WRITING A HOOKING ENGINE)
We’ll be writing a hooking engine using trampoline-based hooks as explained in the previous article (we don’t handle relative instructions as they’re very rare, but we do use atomic write operations to prevent race conditions). First things first, we need to define the proxy functions which we will redirect

THE KELIHOS BOTNET
A while ago I started writing a series of articles documenting the Kelihos peer-to-peer infrastructure but had to pull them due to an ongoing operation. As most of you have probably seen, the botnet operator was arrested a few days ago and the FBI have begun sinkholing the botnet (which will most likely make all my research null & void, as well as kill my Kelihos Tracker 🙁 ).

WINDOWS 10 SYSTEM CALL STUB CHANGES
Recently I installed Windows 10 RTM and while I was digging around I happened to notice some changes to the user mode portion of the system call stub: these changes appear to break the current methods of user mode system call hooking on x86 and WOW64 (Recap: here). Windows 10 x86
DEVICE GUARD
Conclusion. If properly implemented, Device Guard can be used to create a system which is highly resilient to common malware (assuming UMCI, KMCI, and VBPCI are enabled and well configured). UMCI prevents an adversary social engineering the victim into running malware (unless they can get hold of a whitelisted certificate).
STRINGS2
strings2.exe contains an un-encrypted flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag? Rules & Information: You are not required to run strings2.exe; this challenge is static analysis only. Do not use a

HIDDEN VNC FOR BEGINNERS
Hidden VNC is a creative solution to a problem which stemmed from banking fraud. Back years ago when fraud was uncommon, most banks only had basic IP or geo-location checks to flag or block accounts if someone logged in from another computer. To combat this, banking trojans would run a SOCKS proxy server
PHASE BOT - A FILELESS ROOTKIT (PART 1)
Phase Bot is a fileless rootkit that went on sale during late October; the bot is fairly cheap ($200) and boasts features such as formgrabbing, FTP stealing, and of course the ability to run without a file. The bot has both a 32-bit binary (Win32/Phase) and a 64-bit binary (Win64/Phase), despite the
Last week I received a tip about a sample displaying some indication that it could be peer-to-peer (a large amount of UDP traffic being sent to residential IPs), after a couple days of analysis I was able to confirm that not only was it peer-to-peer but also currentlyactive.
MALWARETECH
A few days ago someone made the following post which suggested the FBI were sending bitcoin from the wallet where all of the seized coins from Silkroad were sent to the ShadowBrokers acution address; furthermore, the explanation was given that they were trying to CHALLENGES - MALWARETECHExploit Challenges:
https://www.malwaretech.com/windows-exploit-challenges ReversingChallenges:
https://www.malwaretech.com/beginner-malware-reversing-challenges CONTACT - MALWARETECH Email – Twitter – @MalwareTechBlogMALWARETECH
Introduction It’s no secret that keeping your computer free from malware has become much harder. I remember about 12 years ago my friend showing me a CD and announcing that it was an antivirus, which would keep his computer free of all viruses. STRINGS1 - MALWARETECH strings1.exe contains an un-encrypted flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag? Rules & Information You are not require to run strings1.exe, this challenge is static analysis only. Do not use aDEVICE GUARD
One of my favorite attacks against HIPS, firewalls, and software restriction policies is DLL hijacking. Simply put, when an application calls LoadLibrary(“somedll.dll”), the system first looks for the DLL in the KnowDlls registry key, followed by the applications working folder (where the application was run from), and finally system pathslike System32.
PHASE BOT - A FILELESS ROOTKIT (PART 1) - MALWARETECH Phase Bot is a fileless rootkit that went on sale during late October, the bot is fairly cheap ($200) and boasts features such as formgrabbing, ftp stealing, and of course the ability to run without a file. The bot has both a 32-bit binary (Win32/Phase) and a 64-bit binary (Win64/Phase), THE 0X33 SEGMENT SELECTOR (HEAVENS GATE) A segment descriptor uses a ridiculous layout for backwards compatibility reasons. There is a 4 byte segment base address which is stored at bytes 3,4,5 and 8; The segment limit is 2 and a half bytes and stored at bytes 1, 2 and half of 7; The descriptor flags are the other half of the 7th byte, and the Access flags are byte 6. MalwareTech Life of a Malware Analyst* __
Vulnerability Research
HOW I FOUND MY FIRST EVER ZERODAY (IN RDP)
Up until recently, I’d never tried the bug hunting part of vulnerability research. I’ve been reverse engineering Windows malware for over a decade, and I’d done the occasional patch analysis, but I never saw a point in bug hunting on a major OS. After all, there are teams of vulnerability …

Vulnerability Research
BLUEKEEP: A JOURNEY FROM DOS TO RCE (CVE-2019-0708)
Due to the serious risk of a BlueKeep-based worm, I’ve held back this write-up to avoid advancing the timeline. Now that a proof-of-concept for RCE (remote code execution) has been released as part of Metasploit, I feel it’s now safe for me to post this. This article will be …

Vulnerability Research
DEJABLUE: ANALYZING A RDP HEAP OVERFLOW
In August 2019 Microsoft announced it had patched a collection of RDP bugs, two of which were wormable. The wormable bugs, CVE-2019-1181 & CVE-2019-1182, affect every OS from Windows 7 to Windows 10. There is some confusion about which CVE is which, though it’s possible both refer to the same …

Opinions
YOUTUBE’S POLICY ON HACKING TUTORIALS IS PROBLEMATIC
Recently YouTube changed its policy on “hacking” tutorials to what is essentially a blanket ban. In the past, such content was occasionally removed under YouTube’s broad “Harmful and Dangerous Content” clause, which prohibited videos “encouraging illegal activity”. An updated policy now specifically targets instructional hacking videos. One major problem here is that …

Vulnerability Research
ANALYSIS OF CVE-2019-0708 (BLUEKEEP)
I held back this write-up until a proof of concept (PoC) was publicly available, so as not to cause any harm. Now that there are multiple denial-of-service PoCs on GitHub, I’m posting my analysis.
Binary Diffing
As always, I started with a BinDiff of the binaries modified by the patch (in …

Vulnerability Research
ANALYSIS OF A VB SCRIPT HEAP OVERFLOW (CVE-2019-0666)
Anyone who uses RegEx knows how easy it is to shoot yourself in the foot; but is it possible to write RegEx so badly that it can lead to RCE? With VB Script, the answer is yes! In this article I’ll be writing about what I assume to be CVE-2019-0666. …

Reverse Engineering
VIDEO: FIRST LOOK AT GHIDRA (NSA REVERSE ENGINEERING TOOL)
Today during RSA Conference, the National Security Agency released their much hyped Ghidra reverse engineering toolkit. Described as “A software reverse engineering (SRE) suite of tools”, Ghidra sounded like some kind of disassembler framework. Prior to release, my expectation was something more than Binary Ninja, but lacking debugger integration. I figured …

Vulnerability Research
ANALYZING A WINDOWS DHCP SERVER BUG (CVE-2019-0626)
Today I’ll be doing an in-depth write-up on CVE-2019-0626, and how to find it. Due to the fact this bug only exists on Windows Server, I’ll be using a Server 2016 VM (corresponding patch is KB4487026). Note: this bug was not found by me; I reverse engineered it from …

Malware Analysis
TRACKING THE HIDE AND SEEK BOTNET
Hide and Seek (HNS) is a malicious worm which mainly infects Linux-based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custom peer-to-peer network …

Malware Analysis
BEST LANGUAGES TO LEARN FOR MALWARE ANALYSIS
One of the most common questions I’m asked is “what programming language(s) should I learn to get into malware analysis/reverse engineering”. To answer this question I’m going to write about the top 3 languages which I’ve personally found most useful. I’ll focus on native malware (malware which does not require …