Recently I saw a story on SecurityWeek about how the Cerber ransomware morphs every 15 seconds (each download results in a file with a new hash), which I then tracked back to the source, this article by Invincea. The various news articles made some dubious claims which can be put down …

I’ve seen plenty blogs from people who got into infosec through the academic route, so i figured I’d cover the other side and try to answer the three most asked questions I get via email and twitter: “Do I need a degree to get a job in infosec?”, “Will a …

Dridex spreads mainly using Office documents containing malicious macros, initially the primary stage would involve using VBA (Visual Basic for Applications) to download and execute the loader from one of multiple servers, though this had some flaws. Antivirus and Firewall vendors maintain a list of malicious URLs and IP addresses …

Sorry for the longer than expected delay, occasionally the Dridex group will take the servers offline during the weekend and resume normal operations on Monday; however, it appears they decided to take an extended break as the network went offline at some point a week ago, preventing me from fetching …

In the previous article we went over how to dump the names of the majority of functions dridex resolves dynamically to complicate analysis. Today we will be using some similar methods to get the other main piece of the puzzle (encrypted string). Encrypted Strings As we’ve already got a nice list …

Due to popular request I’m starting a new reverse engineering article series which will detail how I go about analyzing various samples, instead of just presenting my findings like I normally do. Most of the posts will be centered around IDA Pro (evaluation edition should work too) with WinDbg as …

While I was reverse engineering ZeroAccess in order to write a monitoring system, I had an idea which would allow me to use ZeroAccess C&C infrastructure to reflect and amplify a UDP based DDoS attack, which I’d found to be beautifully ironic. After further analysis, I discovered it may even …

Last week I received a tip about a sample displaying some indication that it could be peer-to-peer (a large amount of UDP traffic being sent to residential IPs), after a couple days of analysis I was able to confirm that not only was it peer-to-peer but also currently active. The person …

Usually I don’t blog about the hundreds of ridiculous or down right crazy emails I receive each year, but this exchange makes all the others seem completely reasonable in comparison. Normally my unwanted emails range from people asking obviously blackhat questions presented as whitehat questions to offers of under the …

Here is an interesting article I found this week, it’s about how A researcher released two pieces of ‘educational’ ransomware which were secretly backdoored in order to own some advanced and prolific cyber-criminals a small number of scriptkiddies. There two pieces were HiddenTear (a ransomware with deliberately insecure cryptography designed to …