Blog
Uncategorized
4

Inline Hooking for Programmers (Part 1: Introduction)

A lot of my articles have been aimed at giving a high-level insight into malware for beginners, or those unfamiliar with specific concepts. Today I’ve decided to start a new series designed to familiarize people with malware internals on a programming level. This will not be a tutorial aimed towards …

Read More
Uncategorized
3

Distributed Denial Of Service (DDoS) for Beginners

Distributed Denial Of Service, or DDoS, is an attack in which multiple devices send data to a target device (usually a server), with the hope of rendering the network connection or a system application unusable. There are many forms of DDoS attack, but almost all modern attacks are either at …

Read More
Uncategorized
10

Darkode – Ode to Lizard Squad (The Rise and Fall of a Private Community)

For the 10 of you who don’t know, darkode was on of the most active English-speaking “underground” cybercrime boards. The forum was started around 2009 by a coder named “Iserdo” and gained popularity off the back of Iserdo’s bot, “Buterfly bot” (AKA Mariposa), which was sold there. In The Beginning …

Read More
Uncategorized
3

Phase Bot – Exploiting C&C Panel

I’ve been withholding this article for a while, due to the fact that the minute I post it all the vulnerabilities will be patched, thus becoming useless to us; however, it turns out hacking all of the phase C&C panels has generated a bit of noise, resulting in the vulnerabilities …

Read More
Uncategorized
3

OphionLocker Analysis: Proof Anyone Really Can Write Malware

OphionLocker is supposedly the new ransomware on the block and is already being compared with sophisticated operations such as CryptoLocker and CryptoWall, so i decided to take a look and what I found is nothing short of hilarious. That’s right, the ransomware is actually a console application, Instead of writing …

Read More
Uncategorized
3

Phase Bot – A Fileless Rootkit (Part 2)

As I said in the last part of the analysis the sample I had was just a test binary, but now I have some real ones thanks to some help from @Xylit0l. The new binaries incorporate some much more interesting features which I’ll go over in this article. Reverse Connection …

Read More
Uncategorized
9

Phase Bot – A Fileless Rootkit (Part 1)

Phase Bot is a fileless rootkit that went on sale during late October, the bot is fairly cheap ($200) and boasts features such as formgrabbing, ftp stealing, and of course the ability to run without a file. The bot has both a 32-bit binary (Win32/Phase) and a 64-bit binary (Win64/Phase), …

Read More
Uncategorized
1

Zombie Processes as a HIPS Bypass

A long long time ago (about 10 years in non-internet time) malware developers only had to worry about signature based detection, which could be easily bypasses with polymorphic droppers or executable encryption. To deal with rapidly evolving malware, capable of evading signature detection, HIPS was created. HIPS (Host-based Intrusion Prevention System), sometimes …

Read More
Uncategorized
3

Virtual File Systems for Beginners

A virtual File System (VFS), sometimes referred to as a Hidden File System, is a storage technique most commonly used by kernel mode malware, usually to store components outside of the existing filesystem. By using a virtual filesystem, malware developers can both bypass antivirus scanners as well as complicating work …

Read More
Uncategorized

MS14-066 In Depth Analysis

A few days ago I published an article detailing how a second bug, in the schannel TLS handshake handling, could allow an attacker to trigger the DecodeSigAndReverse heap overflow in an application that doesn’t support client certificates. I had stated I was not familiar with ECC signatures and was unsure …

Read More