Malware RSS Feed

Email and Emotions

SANS Tip-of-the-Day - Tue, 07/07/2015 - 22:04
Never send an email when you are angry; you will most likely regret it later. Instead, when you are emotional and want to reply to someone, open up an email and write everything you feel, but do not send it. (Be sure there is no name in the TO field so that you do not accidentally send it.) After you have vented, save the email and come back an hour later. You only want to reply to any type of emotional situation after you have had time to cool down.

You Are a Target

SANS Tip-of-the-Day - Sun, 07/05/2015 - 22:48
You may not realize it, but you are a target. Your computer, your work and personal accounts and your information are all highly valuable to cyber criminals. Be mindful that bad guys are out to get you.

Anti-Virus

SANS Tip-of-the-Day - Thu, 07/02/2015 - 23:59
Make sure you have anti-virus software installed on your computer and that it is automatically updating. However, keep in mind that no anti-virus can catch all malware; your computer can still be infected. That is why it's so important you use common sense and be wary of any messages that seem odd or suspicious.

Browse With Encryption

SANS Tip-of-the-Day - Wed, 07/01/2015 - 22:59
When browsing online, encrypting your online activities is one of the best ways to protect yourself. Make sure your online connection is encrypted by making sure HTTPS is in the website address and that there is a green lock next to it.

Long live REcon – my 10th REcon anniversary

Malware Alerts - Wed, 07/01/2015 - 11:12

I got back from REcon 2015 a week ago and I’m well and truly over the jet lag at last. As usual, it was a great conference with many interesting talks and people. It is always great to meet other reverse engineers from all over the world and discuss new techniques, tools and research.

Tradition dictates that the event starts with training sessions, and I gave my usual four-day training on malware reverse engineering. During that time we covered all sorts of topics such as how to unpack/decrypt malware, analyze APT and so on.

I even got an award to mark 10 years of teaching the Reverse Engineering class at REcon. Time flies.

The conference was great. There were several interesting talks, more or less related to malware research. Here are the summaries of a few of them:

  • Introducing Dynamic IDA Enrichment framework (a.k.a DIE):

    DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives researchers access to runtime values from within their standard disassembler screen.

    As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values.

    With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more.

    After the framework was explained, 3 live demos showed how to use the tool.

    The slides are available here: http://fr.slideshare.net/ynvb/0x3e9-waystodie
    The framework can be downloaded here: https://github.com/ynvb/DIE

  • Totally Spies!

    This presentation covered research done into the AnimalFarm operation as well as technical details of their various pieces of malware. The presentation also highlighted connections between samples as well as technical hints found regarding attribution.

  • The M/o/Vfuscator

    Based on a paper that proves that the “mov” instruction is Turing complete, the M/o/Vfuscator takes the source code and compiles it into a program that uses *only* mov instructions – no comparisons, no jumps, no math (and definitely no SMC cheating).

    The talk demonstrated how it is possible to write programs with only mov instructions as a way to obfuscate code. I asked the author of the presentation to make a crackme using the obfuscator, which he kindly made.

    Crackme: https://github.com/xoreaxeaxeax/movfuscator/tree/master/crackme
    Obfuscator: https://github.com/xoreaxeaxeax/movfuscator

Other interesting talks included:

  • This Time Font can hunt you down in 4 bytes
  • Hooking Nirvana
  • One font vulnerability to rule them all
  • Reversing the Nintendo 64 CIC

You can find the full conference schedule at http://recon.cx/2015/schedule/

Slides and the videos from every talk will be uploaded soon on the REcon website.

See you next year at REcon 2016!

Kids and Family Members

SANS Tip-of-the-Day - Tue, 06/30/2015 - 23:31
If you have children visiting or staying with family members (such as grandparents), make sure the family members know your rules concerning technology that your kids must follow. Just because your kids leave the house does not mean the rules about what they can do online change.

Shopping Online

SANS Tip-of-the-Day - Tue, 06/30/2015 - 15:13
When shopping online, always use your credit cards instead of a debit card. If any fraud happens, it is far easier to recover your money from a credit card transaction. Gift cards and one-time-use credit card numbers are even more secure.

Conversations

SANS Tip-of-the-Day - Tue, 06/30/2015 - 15:13
When traveling, it is very easy to forget where you are when discussing business with colleagues. That airport, taxi, restaurant or hotel lobby may have individuals nearby eavesdropping on your conversation. When discussing confidential information, agree to hold off on the conversation until you can be assured of privacy. Also, be careful not to share sensitive information with strangers you meet.

Go With Passphrases

SANS Tip-of-the-Day - Tue, 06/30/2015 - 15:13
Passphrases are the strongest type of passwords and the easiest to remember. Simply use an entire sentence for your password, such as "What time is coffee?" By using spaces and punctuation, you create a long password that is hard to guess but easy to remember.

One night to hack in Paris

Malware Alerts - Tue, 06/30/2015 - 12:11

This past Saturday we had the privilege of participating in this year’s edition of “Nuit du Hack”, a French security conference which brings together professionals and amateurs of all skill levels for a series of lectures and challenges. It’s a full day (and night) of hacking goodness. A cloudy day set the perfect mood at the venue, the Academie Fratellini, in the marvelous and beautiful city of Paris.

With an interesting mix of security talks, capture the flag challenges, bug bounty programs, and workshops, the audience was welcome to join in any activities they chose. It was a security professional’s vision of heaven: learning about the latest security trends and issues while enjoying a beer and even getting a glimpse of the legendary Captain Crunch walking around. It’s also a great place for people of all ages and backgrounds to get involved.

The event started at full throttle with a memorable keynote from the director of ANSSI (National Agency for the Security of Information Systems) Guillaume Poupard, who spoke about local cyber security risks such as industrial espionage, electronic warfare and infrastructure sabotage. Moreover, he emphasized the importance of maintaining a balance between security and legality, an ethical dilemma that many security practitioners are facing right now in their daily activities.

The content of the talks was undoubtedly varied, including some that were more technically oriented, while others focused exclusively on the analysis of current security trends, malware and vulnerabilities.

David Melendez spoke about how he was able to build a drone control system from scratch, basing his architecture and design on a GNU/Linux OS. Using a regular home Wi-Fi router and conventional hardware materials such as a Wii accelerometer, he demonstrated a plausible way to control the drone’s flight using nothing more than an everyday gaming joystick. By sending commands and establishing a secure communication channel between the drone and the pilot, he successfully implemented a new protocol based on the 802.11 standard so as to prevent man-in-the-middle attacks.

The Internet of Things (IoT) is a topic that cannot be ignored at any security event. With a very interesting approach, Guillaume Greyhound put on the table a hypothetical scenario about what would happen if some disaster were to damage the current technological infrastructure of a country. How could we face the impending chaos?

Faced with this situation, he explained how IoT technologies can play a very important role in implementing low-cost solutions that rely, for example, on Raspberry Pi devices or custom built drones and antennae to maintain a backup communication network that can ensure the exchange of goods and services.

Afterwards, Karsten Nohl introduced us to the world of mobile communication vulnerabilities. Showing a wide array of different technologies and mobile communication protocols such as SS7 and 3G, and how these can be compromised, he grabbed the audience’s attention right from the start. The presentation made it clear that the basic security level for mobile networks is not the same in every country around the world; he explained that some regions are evidently more exposed to intervention and eavesdropping. He also shared some specific tools to evaluate a network’s security, asking attendees to join him in his effort to protect free speech and the privacy of every individual that uses this type of communication (everyone). Interestingly, he also showed some solutions to defend against such attacks, once again highlighting the importance of protecting and defending privacy in digital communications.

My colleague Santiago Pontiroli and I presented our joint research into the evolution of .NET and PowerShell malware, which we titled “The TAO of .NET and PowerShell Malware analysis”. In our talk, Santi showed how malware development on .NET and PowerShell has increased more than 6,000% since 2009 (unique detections), all while presenting a detailed analysis of several samples built with these technologies. Everything from devious ransomware campaigns such as CoinVault to more complex and persistent threats used by pro-government Syrian hacking groups was shown to the audience.

From my side, I shared another side of the seemingly benevolent PowerShell, demonstrating its powerful incident response and forensics capabilities for us security researchers, and how malware developers are using these same methods for anti-forensics and code protection. As they seek to avoid detection and extend a particular piece of malware’s functionality in post exploitation activities, a plethora of offensive frameworks depending on PowerShell are amongst the bad guys’ favorite weapons of choice.

In addition, I tried to explain how malware developers could be using different penetration testing frameworks as a way to develop malware more rapidly. Certainly, we have found enough evidence in a considerable amount of malware samples showing the usage of SET and other offensive frameworks in the development of everyday malware and APTs, such as the case with the previously reported Machete.

I raised a question with the crowd, asking about the risks involved in the growing trend of cross-platform software development… Will the ability of running a piece of software between different platforms easily enable cybercriminals to create the ultimate multi-platform malware?

In summary, this was a great event with exceptionally exciting talks and very interesting with professionals from all over the world (having Captain Crunch there was an added bonus). As they say…we’ll always have Paris. And Nuit du Hack, of course.

Shopping Online

SANS Tip-of-the-Day - Mon, 06/29/2015 - 22:45
When shopping online, always use your credit cards instead of a debit card. If any fraud happens, it is far easier to recover your money from a credit card transaction. Gift cards and one-time-use credit card numbers are even more secure.

Conversations

SANS Tip-of-the-Day - Thu, 06/25/2015 - 11:55
When traveling, it is very easy to forget where you are when discussing business with colleagues. That airport, taxi, restaurant or hotel lobby may have individuals nearby eavesdropping on your conversation. When discussing confidential information, agree to hold off on the conversation until you can be assured of privacy. Also, be careful not to share sensitive information with strangers you meet.

Go With Passphrases

SANS Tip-of-the-Day - Wed, 06/24/2015 - 12:37
Passphrases are the strongest type of passwords and the easiest to remember. Simply use an entire sentence for your password, such as "What time is coffee?" By using spaces and punctuation, you create a long password that is hard to guess but easy to remember.

Secure Your Home Wi-Fi Router

SANS Tip-of-the-Day - Tue, 06/23/2015 - 17:47
The most effective steps you can take to secure your wireless network at home are to change the default admin password, enable WPA2 encryption and use a strong password for your wireless network.

Games are over

Malware Alerts - Mon, 06/22/2015 - 10:19

For a long time the Winnti group had been considered as a Chinese threat actor targeting gaming companies specifically. But we’ve seen information indicating that the scope of targets can be wider and is not limited to the entertainment business. We track samples of Winnti malware all the time, but had not been able to catch one with solid clues indicating other targeted industries. Also our visibility as a vendor does not cover every company in the world (at least so far ;)) and the Kaspersky Security Network (KSN) did not reveal other attacks except those against gaming companies. Well, sometimes targeted entities have been telecommunication companies, rather large holdings, but at least one of their businesses was in some way related to the production or distribution of computer games.

In April Novetta released its report on Winnti malware spotted in the operations of Axiom group. And Axiom group has been presented as a Chinese universal hacking actor carrying out espionage APT attacks against a whole range of different industries. So this report was another source of intelligence that Winnti was already not focused just on online games. Finally, we received a sample proving this.

The sample belongs to one of the Winnti versions described in Novetta’s report – Winnti 3.0. This is one of the Dynamic Link Libraries composing this RAT (Remote Access Trojan) platform – the worker library (which in essence is the RAT DLL) with the internal name w64.dll and the exported functions work_end and work_start. Since, as usual, this component is stored on the disk with the strings and much other data in the PE header removed/zeroed, it is impossible to restore the compilation date of this DLL. But this library includes two drivers compiled on August 22 and September 4, 2014. The sample has an encrypted configuration block placed in the overlay. This block may include a tag for the sample – usually it is a campaign ID or victim ID/name. This time the operators put such a tag in the configuration and it turned out to be the name of a well-known global pharmaceutical company headquartered in Europe:

Pic.1 Configuration block

Besides the sample tag, the configuration block includes the names of other files involved in the working of the RAT platform and the service name (Adobe Service), after which malware is installed. The presence of the following files could indicate that the system has been compromised:

C:\Windows\TEMP\tmpCCD.tmp
ServiceAdobe.dll
ksadobe.dat

One of the mentioned drivers (a known, malicious Winnti network rootkit) was signed with a stolen certificate of a division of a huge Japanese conglomerate. Although this division is involved in microelectronics manufacturing, other business directions of the conglomerate include development and production of drugs and medical equipment as well.

Although the nature of the involvement of Winnti operators, who were earlier perceived to be a threat only to the online gaming industry, in the activities of other cyber-espionage teams still remains rather obscure, the evidence is there. From now on, when you see Winnti mentioned, don’t think just about gaming companies; consider also at least targeted telecoms and big pharma.

Here are the samples in question:

8e61219b18d36748ce956099277cc29b – Backdoor.Win64.Winnti.gy
5979cf5018c03be2524b87b7dda64a1a – Backdoor.Win64.Winnti.gf
ac9b247691b1036a1cdb4aaf37bea97f – Rootkit.Win64.Winnti.ai
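
An added example (not part of the original article): a Python sweep that walks a directory tree and reports files matching the file names or MD5 hashes listed above. The function names, the `extra_md5` parameter and the sample tree built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Indicators copied from the article; names lower-cased because Windows
# file names are case-insensitive.
IOC_NAMES = {"tmpccd.tmp", "serviceadobe.dll", "ksadobe.dat"}
IOC_MD5 = {
    "8e61219b18d36748ce956099277cc29b": "Backdoor.Win64.Winnti.gy",
    "5979cf5018c03be2524b87b7dda64a1a": "Backdoor.Win64.Winnti.gf",
    "ac9b247691b1036a1cdb4aaf37bea97f": "Rootkit.Win64.Winnti.ai",
}

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files are not read into memory."""
    h = hashlib.md5(usedforsecurity=False)  # MD5 only as a lookup key
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, extra_md5=None):
    """Return sorted (path, reason) hits under root.

    A name hit alone is weak evidence (names are easy to reuse); a hash hit
    still fires when the file has been renamed.
    """
    known = dict(IOC_MD5)
    known.update(extra_md5 or {})  # hypothetical hook for additional hashes
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in IOC_NAMES:
                hits.append((path, "name:" + name.lower()))
            try:
                digest = md5_of(path)
            except OSError:
                continue  # locked or unreadable file: skip, keep sweeping
            if digest in known:
                hits.append((path, "md5:" + known[digest]))
    return sorted(hits)

def demo():
    """Build a constructed, harmless tree and sweep it."""
    stand_in = b"constructed stand-in, not a real sample"
    files = {"ksadobe.dat": b"constructed", "renamed.bin": stand_in,
             "notes.txt": b"clean"}
    with tempfile.TemporaryDirectory() as root:
        tmp = os.path.join(root, "Windows", "TEMP")
        os.makedirs(tmp)
        for name, data in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        extra = {hashlib.md5(stand_in, usedforsecurity=False).hexdigest():
                 "constructed-test-hash"}
        return [(os.path.relpath(p, root).replace(os.sep, "/"), why)
                for p, why in sweep(root, extra)]
```

On a live system, `sweep()` would be pointed at a mounted image or the Windows and service install directories; a name-only hit warrants a closer look rather than a verdict.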

 
