This document discusses anti-virus evasion techniques and countermeasures. It explains how to split malware execution into two parts - a standalone executable code and an interface to execute that code - in order to bypass signature-based and emulation-based antivirus detection. It provides three techniques for the interface: code injection into another process, jumping and executing the code, and using loaders. It also discusses how antiviruses can detect these techniques through shellcode detection and provides a demonstration of shellcode detection.
Anti-virus Mechanisms and Various Ways to Bypass Antivirus Detection, by Neel Pathak
The slides briefly describe various AV mechanisms, how they actually work, where file signatures are stored, etc., and finally discuss AV bypassing techniques.
Hackers already know these techniques, but do we know them? These are just a few techniques, but there are many.
Related document can be found at
http://www.scribd.com/doc/176058721/Anti-Virus-Mechanism-and-Anti-Virus-Bypassing-Techniques
Watchtowers of the Internet - Source Boston 2012, by Stephan Chenette
Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher
With advanced malware, targeted attacks, and advanced persistent threats, it’s not IF but WHEN a persistent attacker will penetrate your network and install malware on your company’s network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware.
Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network.
Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.
Armin Buescher is a Security Researcher and Software Engineer experienced in the strategic development of detection/prevention technologies and analysis tools. He graduated as Dipl.-Inf. (MSc) with a thesis on client honeypot systems, is interested in academic research work, and is a published author of security research papers.
Malware varies mostly in the visible payloads that it manifests. We can see it infecting files, uninstalling antimalware applications, stealing important documents, controlling our computers remotely, and performing other malicious activities.
What we don’t see is how these are implemented within the malware code. Modern malware uses different techniques to protect itself from detection, analysis, and eradication. Some malware even uses layers to obfuscate the way it uses these protections. Layers in malware are defense mechanisms against deep analysis. Within these layers, different malware tricks are also deployed.
In this presentation, we are going to look into Scieron and Vawtrak, two different malware families that implement layers differently. We will see some video demos of how some of the malware code is executed within the context of a debugger.
Finally, we are going to leverage Volatility, a memory forensic tool, to detect the presence of layers in an infected system.
Beginner-level presentation on Malware Identification, part of the Malware Reverse Engineering course. Learn what malware is, how it functions, and how it can be detected, identified and isolated for reverse engineering. For more information about malware detection and removal visit https://www.intertel.co.za
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities, by Anant Shrivastava
c0c0n 2015 presentation. This talk discussed the impact of using components with known vulnerabilities, along with various tips and tools for software developers or administrators to facilitate identification of vulnerable components.
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck, by Black Duck by Synopsys
Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck.
Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things.
While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers.
Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about:
• The evolving DevOps and software security assurance lifecycle in the age of open source
• The software security considerations CISOs, security, and development teams must address when using open source
• An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ..., by grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage, to either crush the mundane or recognize when it's time to pass the more serious samples on to the big boys. This presentation covers several analysis environment options and the three quick steps that allow almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se, but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas, by Shawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to ISACA CSXNA 2016 in Las Vegas on October 18, 2016.
https://www.isaca.org/cyber-conference/index.html
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great a threat as regulatory enforcement by agencies such as the FTC and SEC, or shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help keep such a breach from becoming a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. It then turns to the need, created by this crisis environment, for leadership in keeping the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
These are the slides from a talk "Analysis of mass SQL injection attacks" held at FSec 2012 conference (Croatia / Varazdin 21st September 2012) by Miroslav Stampar
NGAV is the natural (and much needed) evolution of traditional AV that protects computers from the full spectrum of modern cyber attacks, delivering the best endpoint protection with the least amount of work. NGAV speaks to a fundamentally different technical approach in the way malicious activity is detected and blocked.
Dirty Little Secrets They Didn't Teach You In Pentest Class v2, by Rob Fuller
This talk (hopefully) provides some new pentesters tools and tricks. Basically a continuation of last year’s Dirty Little Secrets they didn’t teach you in Pentest class. Topics include; OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using metasploit.
Writing malware while the blue team is staring at you, by Rob Fuller
Talk given at DerbyCon 2016 and RuxCon 2016
Malware authors and reverse engineers have been playing cat and mouse for a number of years now when it comes to writing and reversing malware. From nation-state malware to the mass malware that infects grandmas and grandpas, mothers and fathers, the different types of malware employ a myriad of techniques to stop those who look at it from guessing its true intent. This talk will be about some of the unorthodox methods employed by some malware to stay hidden from, or outright ignore, the reverse engineering community.
Why should we use TDD to develop in Elixir? When are we applying it correctly? What differences can we find between code developed with TDD and code developed without it? Is TDD about testing? Really? In this talk, I'll show what TDD is and how it can be used in functional programming like Elixir to design the small and the big parts of your system, showing the differences and the similarities between an OOP and an FP environment, the value of applying a technique like TDD in Elixir, and what we should obtain by applying it.
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1, by securityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer to our Security Training page
http://securityxploded.com/security-training.php
Different Techniques Of Debugging Selenium Based Test Scripts.pdf, by pCloudy
Writing and maintaining test automation code is not always a piece of cake. As a matter of fact, we frequently face scenarios where automated test cases don’t work as expected and might lead to false positive or false negative results; in such cases, debugging is the only way out.
Benjamin Howarth from Code Gecko Developments discussed running Umbraco in shared hosting and what the benefits mean for businesses (both small and large) and developers.
GraphRAG is All You Need? LLM & Knowledge Graph, by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
JMeter webinar - integration with InfluxDB and Grafana, by RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024, by Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -..., by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Key Trends Shaping the Future of Infrastructure.pdf, by Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Securing your Kubernetes cluster: a step-by-step guide to success!, by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti..., by Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Accelerate your Kubernetes clusters with Varnish Caching, by Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Neuro-symbolic is not enough, we need neuro-*semantic*, by Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
The Art of the Pitch: WordPress Relationships and Sales, by Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a button, by DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Anti-Virus Evasion Techniques and Countermeasures
1. Anti-Virus Evasion Techniques and Countermeasures. Amit Malik (DouBle_Zer0), SecurityXploded and Garage4hackers Bangalore Chapter Lead. E-Mail: m.amit30@gmail.com
3. WHY: I am a Penetration Tester. I want to use public codes* without fear. I want to know the system internals. I want to impress my girlfriend ^_^. I want to test the effectiveness of security technologies.
4. HOW #1
Warning: Everything that I will discuss here is not applicable to .exe files.
Logic: divide the exe in two parts, which means don’t make an exe.
- Code: it is our normal code with some additional powers, a stand-alone executable code.
- Interface: the interface will execute the code.
In simple words, we need a shellcode-type code and an interface to execute the shellcode.
5. HOW #2: Why are we splitting the exe in two parts?
AV detection techniques:
- Signature based
- Emulation + signature
- MD5
- Heuristic
If your binary is packed, then the AV uses emulation + signature techniques for detection. By splitting the exe in two parts we can bypass AVs. True fact: generating an exe is simpler than writing the stand-alone executable code that performs the same function.
7. HOW #4, Technique #1: Code injection in another process. Interface: make an interface that will read the “code” and inject it into another process. Raw material: OpenProcess, WriteProcessMemory, CreateRemoteThread.
9. HOW #4, Technique #2: Jump and Execute. Interface: make an interface that will read the file, then jump to that location and execute the code. Raw material: ReadFile, JMP.
11. HOW #4, Technique #3: Loaders. Interface: make an interface that will read the “code”, create a trusted process in suspended mode, overwrite the “code” at the entry point of the suspended process, and then resume the thread. Raw material: CreateProcess (suspended), WriteProcessMemory, ResumeThread.
13. HOW #5: What if the AV flags the Interface? Yes, they can, but the interface code uses legitimate APIs with very minimal code. Many legitimate programs use similar APIs, so there is fear of false positives. Maybe they can flag on the basis of MD5.
14. Countermeasures: simply call it shellcode detection. The philosophy:
- Emulate or execute everything
- Exception: move to the next byte
- Abort execution if at any time EIP >= 7xxxxxxx (on 32-bit Windows the 0x7xxxxxxx range is where system DLLs such as kernel32 are mapped, so emulated bytes reaching it have resolved and called an API, which is exactly what position-independent shellcode does)
- Scan: detection
16. Legal Statement: the “Shellcode Detection” technique and source codes are distributed under CC, http://creativecommons.org/licenses/by-nc/3.0/. Codes: https://sites.google.com/site/hacking1now/tools
Editor's Notes
Reference: Three ways to inject code into a remote process - http://www.codeproject.com/KB/threads/winspy.aspx