Home   Blog   Twitter   Database  

Fatal flaw found in PricewaterhouseCoopers SAP security software

Instead of fixing the issue, PwC lawyered up

A security tool built for SAP systems by PricewaterhouseCoopers has turned out to have worrying security holes of its own.…

Posted: 9 Dec 2016 | 3:57 pm

How one man could have set loose a Yahoo Mail virus

Last year, Jouko Pynnönen scored $10k from Yahoo for helping it head off the risk of a Yahoo-wide email virus. This year... same again.

Posted: 9 Dec 2016 | 10:57 am

Kaspersky Security Bulletin 2016. The ransomware revolution


 Download the PDF


In 2016, ransomware continued its rampage across the world, tightening its hold on data and devices, and on individuals and businesses.

The numbers speak for themselves:

Kaspersky Security Bulletin 2016. Story of the year

2016 also saw ransomware grow in sophistication and diversity, for example: changing tack if it encountered financial software, written in scripting languages, exploiting new infection paths, becoming more targeted, and offering turn-key ransomware-as-a-service solutions to those with fewer skills, resources or time – all through a growing and increasingly efficient underground ecosystem.

At the same time, 2016 saw the world begin to unite to fight back:

The No More Ransom project was launched in July, bringing togetheal Police, Europol, Intel Security and Kaspersky Lab. A further 13 organizations joined in October. Among other things, the collaboration has resulted in a number of free online decryption tools that have so far helped thousands of ransomware victims to recover their data.

This is just the tip of the iceberg – much remains to be done. Together we can achieve far more than any of us can on our own.

What is ransomware?

Ransomware comes in two forms. The most common form of ransomware is the cryptor. These programs encrypt data on the victim’s device and demand money in return for a promise to restore the data. Blockers, by contrast, don’t affect the data stored on the device. Instead, they prevent the victim from accessing the device. The ransom demand, displayed across the screen, typically masquerades as a notice from a law enforcement agency, reporting that the victim has accessed illegal web content and indicating that they must pay a spot-fine. You can find an overview of both forms of ransomware here.

Ransomware: the main trends & discoveries of 2016

“Most ransomware thrives on an unlikely relationship of trust between the victim and their attacker: that, once payment is received, the ransomed files will be returned. Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise.”

GReAT, Threat Predictions for 2017

Kaspersky Security Bulletin 2016. Story of the year

Arrivals and departures

Arrivals – in 2016, the world said hello to Cerber, Locky and CryptXXX – as well as to 44,287 new ransomware modifications

Cerber and Locky arrived in the early Spring. Both are nasty, virulent strains of ransomware that are propagated widely, mainly through spam attachments and exploit kits. They rapidly established themselves as ‘major players’, targeting individuals and corporates. Not far behind them was CryptXXX. All three families continue to evolve and to hold the world to ransom alongside well-established incumbents such as CTB-Locker, CryptoWall and Shade.

Locky ransomware has so far been spread across 114 countries #KLReport


As of October 2016, the top ransomware families detected by Kaspersky Lab products look like this:

Name Verdicts* percentage of users**
1 CTB-Locker Trojan-Ransom.Win32.Onion /
2 Locky Trojan-Ransom.Win32.Locky /
3 TeslaCrypt (active till May 2016) Trojan-Ransom.Win32.Bitman 6.54
4 Scatter Trojan-Ransom.Win32.Scatter /
Trojan-Ransom.BAT.Scatter /
Trojan-Downloader.JS.Scatter /
5 Cryakl Trojan-Ransom.Win32.Cryakl 2.79
6 CryptoWall Trojan-Ransom.Win32.Cryptodef 2.36
7 Shade Trojan-Ransom.Win32.Shade 1.73
8 (generic verdict) Trojan-Ransom.Win32.Snocry 1.26
9 Crysis Trojan-Ransom.Win32.Crusis 1.15
10 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 0.90

* These statistics are based on the detection verdicts returned by Kaspersky Lab products, received from usersof Kaspersky Lab products who have consented to provide their statistical data.
** Percentage of users targeted by a certain crypto-ransomware family relative to all users targeted with crypto-ransomware.

Departures – and goodbye to Teslascrypt, Chimera and Wildfire – or so it seemed…

Kaspersky Security Bulletin 2016. Story of the year

Probably the biggest surprise of 2016 was the shutdown of TeslaCrypt and the subsequent release of the master key, apparently by the malware actors themselves.

TeslaCrypt “committed suicide” – while the police shut down Encryptor RaaS and Wildfire #KLReport


Encryptor RaaS, one of the first Trojans to offer a Ransomware-as-a-Service model to other criminals shut up shop after part of its botnet was taken down by the police.

Then, in July, approximately 3,500 keys for the Chimera ransomware were publicly released by someone claiming to be behind the Petya/Mischa ransomware. However, since Petya used some of the Chimera source code for its own ransomware, it could in fact be the same group, simply updating its product suite and causing mischief.

Similarly, Wildfire, whose servers were seized and a decryption key developed following a combined effort by Kaspersky Lab, Intel Security and the Dutch Police, now appears to have re-emerged as Hades.

Abuse of ‘educational’ ransomware

Kaspersky Security Bulletin 2016. Story of the year

Well-intentioned researchers developed ‘educational’ ransomware to give system administrators a tool to simulate a ransomware attack and test their defenses. Criminals were quick to seize upon these tools for their own malicious purposes.

Ransomware developed for ‘education’ gave rise to Ded Cryptor and Fantom, among others #KLReport


The developer of the educational ransomware Hidden Tear & EDA2 helpfully posted the source code on GitHub. Inevitably, 2016 saw the appearance of numerous malicious Trojans based on this code. This included Ded Cryptor, which changed the wallpaper on a victim computer to a picture of an evil-looking Santa Claus, and demanded a massive two Bitcoins (around $1,300) as a ransom. Another such program was Fantom, which simulated a genuine-looking Windows update screen.

Unconventional approaches

Ransomware in scripting languages

Kaspersky Security Bulletin 2016. Story of the year

Another trend that attracted our attention in 2016 was the growing number of cryptors written in scripting languages. In the third quarter alone, we came across several new families written in Python, including HolyCrypt and CryPy, as well as Stampado written in AutoIt, the automation language.

A long line of amateurs and copycats

Many of the new ransomware Trojans detected in 2016 turned out to be of low-quality; unsophisticated, with software flaws and sloppy errors in the ransom notes.

Poor quality ransomware increases likelihood of data being lost forever #KLReport


This was accompanied by a rise in copycat ransomware. Among other things, we spotted that:

Probably the most prominent copycat we discovered this year was Polyglot (aka MarsJoke). It fully mimics the appearance and file processing approach of CTB-Locker.

These trends are all expected to increase in 2017.

“As the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise. We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.”

GReAT, Threat Predictions for 2017

The thriving ransomware economy

Kaspersky Security Bulletin 2016. Story of the year

The rise of RaaS

While Ransomware-as-a-Service is not a new trend, in 2016 this propagation model continued to develop, with ever more ransomware creators offering their malicious product ‘on demand’. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own.

Ransomware is increasingly for hire on the criminal underground #KLReport


Notable examples of ransomware that appeared in 2016 and use this model are Petya/Mischa and Shark ransomware, which was later rebranded under the name Atom.

This business model is increasingly sophisticated:

Kaspersky Security Bulletin 2016. Story of the year

The Petya ransomware partner site

The partner often signs up to a traditional commission-based arrangement. For example, the “payment table” for Petya ransomware shows that if a partner makes 125 Bitcoins a week thy will walk away with 106.25 Bitcoins after commission.

Kaspersky Security Bulletin 2016. Story of the year

Petya payment table

There is also an initial usage fee. Someone looking to use the Stompado ransomware, for example, needs to come up with just $39.

With other criminals offering their services in spam distribution, ransomware notes etc. it’s not difficult for an aspiring attacker to get started.

From commission-based networks to customer support and branding

The most ‘professional’ attackers offered their victims a help desk and technical support, guiding them through the process of buying Bitcoins to pay the ransom, and sometimes even being open to negotiation. Every step further encouraged the victim to pay.

Criminals offer customer support to ensure more victims pay #KLReport


Further, Kaspersky Lab experts studying ransomware in Brazil noticed that for many attacks, branding the ransomware was a matter of some importance. Those looking for media attention and customer fear would opt for a high profile, celebrity theme or gimmick – while those more concerned about staying under the radar would forgo the temptation of fame and leave their victims facing just an e-mail for contacting the bad guys and a Bitcoin address to pay into.

It’s still all about the Bitcoins

Throughout 2016, the most popular ransomware families still favored payment in Bitcoins. Most ransomware demands were not excessive, averaging at around $300, although some were charged – and paid – a great deal more.

Others, particularly regional and hand-crafted operations, often preferred a local payment option – although this also meant that they were no longer able to hide in plain sight and blend in with the rest of the ransomware noise.

Ransomware turned its weapons on business

Kaspersky Security Bulletin 2016. Story of the year

In the first three months of 2016, 17% of ransomware attacks targeted corporates – this equates to an attack hitting a business somewhere in the world every two minutes1. By the end of Q3 this had increased to 23.9% – an attack every 40 seconds.

A business is attacked with ransomware every 40 seconds #KLReport


According to Kaspersky Lab research, in 2016, one in every five businesses worldwide suffered an IT security incident as a result of a ransomware attack.

One in five SMBs never gets their data back, even after paying #KLReport


Social engineering and human error remain key factors in corporate vulnerability. One in five cases involving significant data loss came about through employee carelessness or lack of awareness.

“We are seeing more targeted ransomware, where criminal groups carefully hand-pick and spear-phish their targets because of the data they possess and/or their reliance on the availability of this valuable data.”

John Fokker, Digital team Coordinator with the Dutch National High Tech Crime unit


Some industry sectors are harder hit than others, but our research shows that all are at risk

There is no such thing as a low-risk sector anymore #KLReport

Industry sector % attacked with ransomware
1 Education 23
2 IT/Telecoms 22
3 Entertainment/Media 21
4 Financial Services 21
5 Construction 19
6 Government/
public sector/defence
7 Manufacturing 18
8 Transport 17
9 Healthcare 16
10 Retail/wholesale/leisure 16

Ransomware attacks that made the headlines

Fighting Back

Kaspersky Security Bulletin 2016. Story of the year

Through technology

The latest versions of Kaspersky Lab products for smaller companies have been enhanced with anti-cryptomalware functionality. In addition, a new, free anti-ransomware tool has been made available for all businesses to download and use, regardless of the security solution they use.

A new free, AV-independent anti-ransomware tool is available #KLReport


Kaspersky Lab’s Anti-Ransomware Tool for Business is a ‘light’ solution that can function in parallel with other antivirus software. The tool uses two components needed for the early detection of Trojans: the distributed Kaspersky Security Network and System Watcher, which monitors applications’ activity.

Kaspersky Security Network quickly checks the reputation of files and website URLs through the cloud, and System Watcher monitors the behavior of programs, and provides proactive protection from yet-unknown versions of Trojans. Most importantly, the tool can back up files opened by suspicious applications and roll back the changes if the actions taken by programs prove malicious.

Through collaboration: The No More Ransom Initiative

On 25 July 2016, the Dutch National Police, Europol, Intel Security and Kaspersky Lab announced the launch of the No More Ransom project – a non-commercial initiative that unites public and private organizations and aims to inform people of the dangers of ransomware and help them to recover their data.

The online portal currently carries eight decryption tools, five of which were made by Kaspersky Lab. These can help to restore files encrypted by more than 20 types of cryptomalware. To date, more than 4,400 victims have got their data back – and more than $1.5 million dollars in ransom demands has been saved.

No More Ransom has so far got 4.400 people their data back – and deprived criminals of $1.5 million in ransom #KLReport


In October, law enforcement agencies from a further 13 countries joined the project, including: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom.

Eurojust and the European Commission also support the project’s objectives, and more partners from the private sector and law enforcement are expected to be announced soon.

“Public/Private partnerships are the essence and the strength of the NMR initiative. They are essential to effectively and efficiently tackle the problem, providing us with much greater capability and reach than law enforcement could have alone.”

Steven Wilson, Head of Europol’s EC3


Standing up to ransomware – how to stay safe

  1. Back up data regularly.
  2. Use a reliable security solution, and remember to keep key features – such as System Watcher – switched on.
  3. Always keep software updated on all the devices you use.
  4. Treat email attachments, or messages from people you don’t know, with caution. If in doubt, don’t open it.
  5. If you’re a business, you should also educate your employees and IT teams; keep sensitive data separate; restrict access; and back up everything, always.
  6. If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean system to check our No More Ransom site; you may well find a decryption tool that can help you get your files back.
  7. Last, but not least, remember that ransomware is a criminal offence. Report it to your local law enforcement agency.

“We urge people to report an attack. Every victim holds an essential piece of evidence that provides invaluable insight. In return, we can keep them informed and protect them from dodgy third-party ‘offers’ to unencrypt data. But we need to ensure that more law enforcement offices know how to deal with digital crime.”

Ton Maas, Digital team Coordinator with the Dutch National High Tech Crime unit


Why you shouldn’t pay – advice from the Dutch National High Tech Crime Unit

  1. You become a bigger target.
  2. You can’t trust criminals – you may never get your data back, even if you pay.
  3. Your next ransom will be higher.
  4. You encourage the criminals.

Can we ever win the fight against ransomware?

We believe we can – but only by working together. Ransomware is a lucrative criminal business. To make it stop the world needs to unite to disrupt the criminals’ kill-chain and make it increasingly difficult for them to implement and profit from their attacks.

1Estimates based on: 17% of 372,602 unique users with ransomware attacks blocked by Kaspersky Lab products in Q1, 2016 and 23.9% of 821,865 unique users with ransomware attacks blocked by Kaspersky Lab products in Q3,2016.

Posted: 8 Dec 2016 | 12:54 am

Mobile Ransomware: Pocket-Sized Badness

A few weeks ago, I spoke at Black Hat Europe 2016 on Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. While watching mobile ransomware from April 2015 to April 2016, I noticed a big spike in the number of Android ransomware samples. During that year, the number of Android ransomware increased by 140%. In certain areas, mobile ransomware accounts for up to 22 percent of mobile malware overall! (These numbers were obtained from the Trend Micro Mobile App Reputation Service.)  One trend noticed during this time is that it closely mirrors the path paved by traditional ransomware: like other ransomware types, mobile ransomware is constantly evolving and growing.

This research began during my time at Politecnico di Milano (POLIMI), and Trend Micro’s mobile research team has contributed substantially to this research. Below are some of the technical aspects of prominent mobile ransomware variants, along with detection techniques to help mitigate these concerns.

What makes mobile ransomware tick? Locks and Fear

From what my colleagues and I have analyzed, locking the screen and scaring victims into paying to regain access to their devices is all it takes to be successful for mobile ransomware. Let’s take a look at the most interesting techniques for screen or device locking.

Locking the screen

The SMSLocker family (detected as ANDROIDOS_SLOCKER or ANDROIDOS_SMSLOCKER) was the beginning of what we now consider Android ransomware. Originally it didn’t use encryption, but simply hid targeted files beyond the reach of everyday users. The 2015 variant used encryption with per-device keys, which made it quite difficult to create a generic “unlocker.” It mostly uses SMS for command and control (C&C) communication; some variants use Tor. The biggest contribution that SLocker made to mobile ransomware was the abuse of the Android UI API to lock the device screen. This was the first time I saw malware taking control of a device using this technique, which can be summarized as follows based on the KeyEvent.Callback API call:

Figure 1. Documentation of the onKeyDown() function in the Android package index list

Android ransomware now commonly uses this technique to make the device unusable to an inexperienced user. Rebooting does not necessarily solve the problem, especially if the malware family uses persistency techniques. However, an experienced user can still uninstall the malicious app.

The current state-of-the-art locking technique is based on abusing the device-administration APIs. The attacker can leverage it to surreptitiously change the passcode with a randomly generated one to lock the device. While the device-administration APIs have a legitimate use case (that is, allowing enterprises to manage their employees’ devices) they offer an interesting attack surface.

For instance, the sample with the hash a6dedc5f639b2e1f7101d18c08afc66d (detected as ANDROIDOS_FAKETOKEN.FCA) uses this technique. The first place to inspect is the manifest, which must declare (and ask permission for) the usage of the API methods of interest:

Figures 2 and 3. Portions of example app manifest where the device-administration API permission and policy are requested.

The manifest above is sample code from the Android developer guide. If we dig into the (disassembled and decompiled) code of the aforementioned malware sample, we find this:

Figures 4 and 5. Code snippets from the malware

We find a call to the lockNow() function to lock the device, and, on another object method, a call to the removeActiveAdmin() function, which is needed to “remove” device-administering app (i.e., the malware). Before calling the lockNow() method, ransomware samples typically call the resetPassword() function, which forcefully change the passcode. LockDroid.E uses a randomly generated passcode, which is essentially the secret information that the criminal sends to victims upon receiving the payment.

The upcoming version of Android, Android 7.0 Nougat, has a countermeasure for this. Digging into the code reveals that Nougat checks whether there is a passcode already set by the user. If that is the case, no device-admin app—regardless of whether it is legitimate or not—is allowed to change or reset it.

Figure 6. Code from Android 7.0 Nougat

The above variants and techniques provide insight into how malware developers are able to lock mobile devices via modern ransomware. So how do attackers get their victims to pay?

How Mobile Ransomware Uses Fear to Win

When talking about how ransomware uses the fear factor, one interesting family to look at is Koler (detected as ANDROIDOS_KOLER). Although a fairly standard family from a purely technical perspective, it uses an extensive distribution network with localization for about 60 countries. The obligatory ransomware “warning” appears to the victim as if it were actually coming from local law enforcement agencies. This effort in creating well-localized campaigns is, of course, intended to persuade victims to pay the requested fee.

Figure 7. Ransomware warnings in various languages (Click to enlarge)
(Images provided by Kafeine)

The English version goes along the lines of the following example:

Figure 8. English-language ransomware warning (Image provided by Kafeine)

This ransom note is accompanied by the obligatory payment screen, similar to that seen here:

Figure 9. Ransomware payment screen (Image provided by Kafeine)

Another family that must be mentioned is Svpeng (detected as ANDROIDOS_SVPENG). It may have begun as a banking Trojan, but the 2,000 samples we analyzed now exhibit the classic features of modern mobile ransomware. For instance, here is how the encryption routine works:

Figure 10. Obtaining a Cipher class

After obtaining an instance of the Cipher class, the sample loops through all the files found on the SD card and encrypts them. This effect is similar to ransomware on the Windows platform: files that have been stored on the device are now inaccessible.

Figure 11. Searching for and encrypting files on the SD card

Mobile ransomware has adapted the very same tactics that made desktop ransomware such a potent threat, raking in millions of dollars for the persons responsible. How do we detect and block these threats? That is something we will discuss in our next blog post.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Mobile Ransomware: Pocket-Sized Badness

Posted: 8 Dec 2016 | 12:05 am

Wild Wild West – 11/2016

It’s been awhile since I updated this; my apologies for the delay to those who have been asking.

Many thanks to Kafeine for his expertise and invaluable feedback!


Posted: 5 Nov 2016 | 2:27 pm

Stepping up security for an Internet-of-Things World

The optimistic outlook is that the internet of things will be an enabling technology that will help make the people and physical systems of the world — health care, food production, transportation, energy consumption — smarter and more efficient.

The pessimistic outlook? Hackers will have something else to hack. And consumers accustomed to adding security tools to their computers and phones should expect to adopt similar precautions with internet-connected home appliances.

“If we want to put networked technologies into more and more things, we also have to find a way to make them safer,” said Michael Walker, a program manager and computer security expert at the Pentagon’s advanced research arm. “It’s a challenge for civilization.”

To help address that challenge, Mr. Walker and the Defense Advanced Research Projects Agency, or Darpa, created a contest with millions of dollars in prize money, called the Cyber Grand Challenge. To win, contestants would have to create automated digital defense systems that could identify and fix software vulnerabilities on their own — essentially smart software robots as sentinels for digital security.

A reminder of the need for stepped-up security came a few weeks after the Darpa-sponsored competition, which was held in August. Researchers for Level 3 Communications, a telecommunications company, said they had detected several strains of malware that launched attacks on websites from compromised internet-of-things devices.

Read the full article at The New York Times.

The post Stepping up security for an Internet-of-Things World appeared first on CyberESI.

Posted: 18 Oct 2016 | 7:42 am

Malware Hiding Techniques to Watch for: AlienVault Labs

I saw a webcast done by Peter Ewane and Javvad Malik recently. The summary of what Peter had to say and Q&A follows; you can also view the recorded webcast.

What is Malware?

Malware can be a lot of things. It can be a virus, a worm, spyware, a Trojan horse, or ransomware. It’s basically any malicious program that you would not want on your computer.

Windows Registry

Lately it has become common to see malware hide in the Windows Registry. Why the Windows registry? The Windows registry is quite large and complex, which means there many places where malware can insert itself to achieve persistence. A good example of this behavior is Poweliks. Poweliks sets a null entry utilizing one of the built-in Windows APIs, ZwSetValueKey, which allows it to create a registry key with an encoded data blob. I’m not sure why the Windows API allows a null entry, but it does. This is one of the many ways that malware can utilize the Windows registry to hide out, autostart, and maintain persistence on many systems.

Here’s an OTX pulse on Poweliks: https://otx.alienvault.com/browse/pulses/?q=POWELIKS

Process Injection

Process injection is exactly what it sounds like. It is injecting some bits of code into a running process. Malware leverages process injection techniques to hide code execution and avoid detection by utilizing known “good” processes such as svchost.exe or explorer.exe. To inject itself into known good processes, malware writers use built-in Windows APIs. One of them is setting debug. When a process sets as debug, it gains access to many of the debug API calls, such as attaching to other processes and instructing processes to allocate additional memory. Once a process has allocate more memory, then a malicious process can inject whatever code it wishes into that process.

A great example of malware that uses process injection is Poison Ivy. Poison Ivy's process injection is one of my favorites not only because it is very well known but also because it is used in many campaigns, and does process injection slightly differently than other kinds of malware. When malware allocates a chunk of memory, normally that chunk of memory is “contiguous”, so at the end of a memory block, it will allocate another memory block and inject code there. Poison Ivy does what we call “sharding.” Instead of having one giant memory block, it has a whole bunch of tiny memory blocks split all over the process and sometimes in various processes. A great example of malware that uses process injection is Poison Ivy. Poison Ivy's process injection is one of my favorites not only because it is very well known but also because it is used in many campaigns, and does process injection slightly differently than other kinds of malware. When malware allocates a chunk of memory, normally that chunk of memory is “contiguous”, so at the end of a memory block, it will allocate another memory block and inject code there.

Here’s an OTX pulse on Poison Ivy: https://otx.alienvault.com/browse/pulses/?q=poison%20ivy

Process Hollowing

Another technique related to process injection is process hollowing. ‘Hollowing’ is a process where you take a known good process and start it in a suspended state. When that code is loaded and about to execute, you scoop some of the good code out (like with an ice cream scoop). Now there is available space where a bad guy can place whatever code they like, maybe change a few headers on the top and bottom to make everything seem okay, and then restart the execution process. As far as a user knows, this process looks like a normal system process started by Windows. It is therefore much more difficult for reverse engineers and memory forensics people to analyze.

Dridex is a very good example of a malware family that often uses process hollowing. Here’s an OTX pulse on Dridex:

Process List Unlinking

Process List Unlinking is another key concept. A process is anything that is running on your computer, whether it be in user space or kernel space. Process List Unlinking involves a double-linked list that contains all “active” processes. It’s important because unlinking will result in a process being hidden from all “active” tools. This can be done using ZwSystemDebugControl() or by mapping \Device\PhysicalMemory. Inside the process list is a list of every single process that is running and inside the process object is forward-pointed and backwards-pointed into the process in front of it or the process behind it to make a double-linked list.

A Flink to the process before it and then Blink to the one in front of it effectively removes the process from the list. More advanced malware will take this a step further and after they remove that process from the list, they will also write over that bit of memory, so even with memory forensics you wouldn't be able to locate that process.

There are tools that security researchers can use to find hidden malicious code, such as

This is an example bit of code that somebody would use to unlink from the process list.

DLL List Unlinking

Malware can also hide by manipulating the DLL list. Just like the process list, a DLL list has a double-linked list that points to the DLL in front and behind, and again just like the process lists are APIs that can be called to rewrite entries in the DLL list, remove that DLL entry and wipe out that bit of memory to help hide the malware from memory forensics or from backup tools. This is used a lot in rootkit activity. Here’s a graphic explaining DLL lists:

Here we have another example of code used to unlink from the DLL list:

You can see where it is writing over the one in front, the one behind, and then wiping out the memory and the zero memory function call. One other thing to remember about DLL and process list linking is that all that can be done from the user space, so I don't need kernel-level administrative rights.

Kernel Module List Unlinking

Kernel modules are the next level down. A kernel module is any of the modules that is loaded into the kernel. Like the DLL and process list, the kernel modules have their own list that can be queried with APIs and return every kernel module that is loaded. There are also debug APIs that can remove one DLL module from the list and zero it out. This is especially important because at the kernel level when something is zeroed out it makes it lot harder to find. This access is like ring zero access - definitely associated with rootkit activity. Generally, a piece of malware will execute in user space and then try a kernel-level exploit to get kernel administrative access; it then drops the main rootkit, which would then zero itself out inside the kernel module list process list. At this point, the malware is very well hidden and it will be very difficult to find.

How Kernel Module List Unlinking Works:

Questions from the Audience:

JAVVAD: So most malware sandboxes can’t deal with samples that remain dormant for a considerable amount of time before execution, such as Keranger. Have any new techniques been developed to overcome this?

PETER: Yes, there are a couple of different ways to overcome that. One way to tell malware remains dormant involves a certain amount system time. One way to manipulate that is to make the time go faster on the virtual machine, so every millisecond is actually ten minutes or every millisecond is actually five hours, defeating the dormant malware by waiting it out.

JAVVAD: How can AlienVault detect the malware hiding techniques that were described in the presentation?

PETER: Excellent question. One of the ways we can detect various hiding techniques described in the presentation, is based upon Windows logging. One example of such detection would be a processes acquiring the ability to utilize the built in Windows debug capabilities. There are known "Good" applications that use those functions, but outside of them it looks suspicious when other processes outside that circle utilize those debug capabilities which when then can alert on.

JAVVAD: Do you have anything to detect CryptoLocker or any other similar type family of ransomware?

PETER: Yes, we have correlation rules for CryptoLocker and various ransomware families.

JAVVAD: Is it anything specific that makes Ransomware different to look for compared to other sorts of malware, or is it pretty much the same techniques that you use?

PETER: These techniques are more about hiding. Ransomware generally is not very good at hiding, that is not its job. Its job is to be loud and in your face. So generally we can look for that being loud and in your face or any sort of network detector, so like it is connecting to known bad domains, etcetera.

JAVVAD: Is there a tool that can utilize OTX to scan a raw memory image file for IoCs?

PETER: What I would personally recommend is while you can't import memory images into OTX yet, you can use a tool such as Volatility to pull out IP and/or domains depending on what you want to scan, and then you can cross-reference with OTX based on the information that you pull up from the memory image.

JAVVAD: What is the general turnaround time between the AlienVault team capturing a sample of the zero-day attack and actually producing signatures?

PETER: That is hard to give an exact answer to because every bit of malware is different and every zero-day is different. Sometimes it can be a couple of hours, sometimes it may take longer than that.

JAVVAD: Yes. I will just add to that, actually. Last year, Adobe released a zero-day, and actually because the IoCs were being reused from previous campaigns, effectively we were blocking that zero-day three months prior to Adobe actually publicly announcing it. So it is not always the case that zero-days produce effects.

About Peter and Javvad

Peter Ewane is a security researcher at AlienVault. Follow him on Twitter https://twitter.com/eaterofpumpkin

Javvad Malik is the security advocate at AlienVault. Follow him on Twitter https://twitter.com/J4vv4D


Posted: 3 Oct 2016 | 6:00 am

Linux.Agent malware sample - data stealer

Research: SentinelOne, Tim Strazzere Hiding in plain sight?
Sample credit: Tim Strazzere

List of files

9f7ead4a7e9412225be540c30e04bf98dbd69f62b8910877f0f33057ca153b65  malware
d507119f6684c2d978129542f632346774fa2e96cf76fa77f377d130463e9c2c  malware
fddb36800fbd0a9c9bfffb22ce7eacbccecd1c26b0d3fb3560da5e9ed97ec14c  script.decompiled-pretty
ec5d4f90c91273b3794814be6b6257523d5300c28a492093e4fa1743291858dc  script.decompiled-raw
4d46893167464852455fce9829d4f9fcf3cce171c6f1a9c70ee133f225444d37  script.dumped

malware fcbfb234b912c84e052a4a393c516c78
script.decompiled-pretty aab8ea012eafddabcdeee115ecc0e9b5
script.decompiled-raw ae0ea319de60dae6d3e0e58265e0cfcc
script.dumped b30df2e63bd4f35a32f9ea9b23a6f9e7


Download. Email me if you need the password

Posted: 23 Aug 2016 | 9:19 pm

Freedome VPN For Mac OS X

Take a look at this:

F-Secure Freedome Mac OS X

F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).


The beta is now open for everyone to try for 60 days at no cost.

Download or share.

On 24/04/15 At 12:37 PM

Posted: 24 Apr 2015 | 1:37 am