Blog
Uncategorized
9

Phase Bot – A Fileless Rootkit (Part 1)

Phase Bot is a fileless rootkit that went on sale during late October, the bot is fairly cheap ($200) and boasts features such as formgrabbing, ftp stealing, and of course the ability to run without a file. The bot has both a 32-bit binary (Win32/Phase) and a 64-bit binary (Win64/Phase), …

Read More
Uncategorized
1

Zombie Processes as a HIPS Bypass

A long long time ago (about 10 years in non-internet time) malware developers only had to worry about signature based detection, which could be easily bypasses with polymorphic droppers or executable encryption. To deal with rapidly evolving malware, capable of evading signature detection, HIPS was created. HIPS (Host-based Intrusion Prevention System), sometimes …

Read More
Uncategorized
3

Virtual File Systems for Beginners

A virtual File System (VFS), sometimes referred to as a Hidden File System, is a storage technique most commonly used by kernel mode malware, usually to store components outside of the existing filesystem. By using a virtual filesystem, malware developers can both bypass antivirus scanners as well as complicating work …

Read More
Vulnerability Research

MS14-066 In Depth Analysis

A few days ago I published an article detailing how a second bug, in the schannel TLS handshake handling, could allow an attacker to trigger the DecodeSigAndReverse heap overflow in an application that doesn’t support client certificates. I had stated I was not familiar with ECC signatures and was unsure …

Read More
Uncategorized
7

How MS14-066 (CVE-2014-6321) is More Serious Than First Thought

If you’ve been in a coma for the past week, MS14-066 (CVE-2014-6321) is a TLS heap overflow vulnerability in Microsoft’s schannel.dll, which can result in denial of service and even remote code execution on windows systems (the bug is exploitable during the TLS handshake stage, prior to any authentication). According to beyondtrust the …

Read More
Uncategorized
8

Passive UAC Elevation

I had a cool idea for a way to get the user to passively elevate your application without socially engineering them to do so or requiring exploits. Obviously you could just go ahead and start mass infecting executables, but that would cause a lot of unforeseen problems and would also …

Read More
Uncategorized
5

Creating a Secure Tor Environment

As we all know there are ways that your real IP can be leaked when using tor (JavasScript, Flash, Malware and software errors). In this tutorial I’m going to show how to create a fairly secure tor environment using VMWare, which will prevent any IP leaks. The environment can be …

Read More
Uncategorized
4

New IRC Launch

For anyone still into IRC, MalwareTech has partnered with sigterm.no to launch a new IRC network. It’s still fairly new so don’t expect an instant response, but everyone is welcome (socializing or just asking for help). Easy Method Simply use our web IRC client: https://irc.malwaretech.com/ Proper Method The server requires SSL so …

Read More
Uncategorized
1

Usermode Sandboxing

A lot of people (including myself, until recently) think that effective sandboxing requires a filter driver or kernel hooking, but this is no longer the case. A new security feature introduced in Windows Vista known as the Windows Integrity Mechanism can be used to create sandboxes that run entirely in usermode. Although …

Read More
Uncategorized

Astute Explorer (GCHQ Challenge 5 – 10)

Continuation for http://www.malwaretech.com/2014/09/astute-explorer-gchq-challenge-1-5.html Vulnerability On line 26 the function fails if exactly BLOCK_SIZE is not read, this means if there is data available but less than BLOCK_SIZE is present, or the read fails, the function will return NULL. On failure the function does not free szBuffer so there’s a pretty serious …

Read More