Blog
Uncategorized

Formgrabbers for Beginners

Introduction For a long time malware has targeted web data such as site logins. A malicious application could intercept socket functions within a web browser and scan for HTTP headers in order to retrieve HTTP data, however as HTTPS (HTTP Secure) became more widespread, it caused a problem. HTTPS is …

Read More
Uncategorized

Selfish Mining – How to make Yourself Broke

Selfish Mining Selfish Mining in short is theoretical concept in which a malicious pool of miners could gain a better income by deliberately forking the blockchain. If a mining pool were to not immediately broadcast blocks, but instead add them to their own private chain, when the private chain becomes …

Read More
Uncategorized
3

Portable Executable Injection For Beginners

Process Injection Process injection is an age old technique used by malware for 3 main reasons: Running without a process, placing user-mode hooks for a rootkit or formgrabber, and  bypassing antivirus / firewalls by injecting whitelisted processes. The most common method of process injection is DLL Injection, which is popular …

Read More
Uncategorized

MtGox Nearly Breaks Bitcoin…Again

Previous Incident  In April 2013 large trading volume caused the MtGox trading engine to begin lagging. As soon as the trading engine lag started to build, traders panic sold due to the increasing risk of loss from trading blind. Of course the panic selling just added to the trading volume, …

Read More
Uncategorized
1

Botnet Takedowns – fun and good publicity, nothing more

Takedowns For the past year or so the Kelihos botnet has been in the news after constant attempts to take it down. recently the ZeroAccess botnet has also been subject to similar publicity, but what do these efforts actually achieve? Not much. Damage ZeroAccess and Kelihos are what i like to refer …

Read More
Uncategorized

End of The Line for Solar Bot (Win32/Napolar)?

Solar Bot Solar Bot is a new type of usermode rootkit that created much hype by being “the first of it’s kind”. The rootkit is able to inject and hook both 32-bit and 64-bit processes, making it effective on 64-bit systems, which is uncommon for usermode rootkits. Solar bot makes …

Read More
Uncategorized
1

KINS Source Code Leaked

Much Ado About Nothing Today the KINS source code was posted publicly after being sold to just about everyone and their dog. As expected it’s just a Zeus modification containing code taken from various places (there is also evidence of the bootkit). As you can see in this image, there …

Read More
Uncategorized
4

Ring3 / Ring0 Rootkit Hook Detection 2/2

Introduction This article was actually planned to be posted the day after the first, however; I’ve not had much sleep the past few weeks, then I got sick, so it was very delayed. I’m pleased with how popular the previous article was, so in the future I plan to write …

Read More
Uncategorized
11

Ring3 / Ring0 Rootkit Hook Detection 1/2

Introduction The cybercrime underworld hasn’t given me any exciting malware to reverse and I’m running out of ideas for new posts, so I’m going to do a 2 part article about the techniques used by rootkits to intercept function calls, and how to detect them. The first part will explain …

Read More
Uncategorized

Fighting Hooks With Hooks – Sandbox Escape

Introduction I was pretty bored today and couldn’t think of an article to write, decided I’d come up with an example of escaping a sandbox. Most sandboxes use hooks placed within user-mode dlls in order to monitor process activity. If someone was able to remove or bypass these hooks, they …

Read More