Channel: MalwareTech
Browsing latest articles
Browse All 95 View Live

Hard Disk Firmware Hacking (Part 3)

Before we get started with part 3, I have a few updates regarding parts 1 & 2. I've found that the reset pad on the JTAG header is not actually a system reset (SRST) but a TAP reset (TRST), which...

Hard Disk Firmware Hacking (Part 4)

It seems that the bootstrap code is just scattered around various memory addresses and there's no simple way to dump all of it, so I decided to just dump a chunk of memory from 0x00000000 and look for...

Hard Disk Firmware Hacking (Part 5)

"Discovery requires experimentation" This weekend I made a pretty big breakthrough which led to me making a few smaller breakthroughs and ultimately negating most of my previous research. I've also...

Hard Disk Firmware Hacking (Final)

Core 2, I choose you. Less than 5 minutes after posting the last article, I discovered the final piece of my puzzle: a second CPU core. I was looking through my OpenOCD configuration when I realized it...

MalwareTech SBK - A Bootkit Capable of Surviving Reformat

Since I got into firmware hacking, I've been working on a little project behind the scenes: a hard disk firmware based rootkit which allows malware to survive an operating system re-install or full...

Windows 10 System Call Stub Changes

Recently I installed Windows 10 RTM and while I was digging around I happened to notice some changes to the user mode portion of the system call stub: these changes appear to break the current methods...

Darkode Returns Following International Raids

When I was contacted asking for a comment about the Darkode raid, I'd said that the main administrator was not arrested and that I'd be surprised if it wasn't back within a week; well, it's been a...

David Cameron Wants Porn Sites to Require Banking Information

It would seem that David Cameron doesn't have a tech advisor or even know anyone who uses a browser other than Netscape, but that doesn't seem to stop him with his endless stream of proposals and laws to...

User Mode Hook Scanner (Alpha)

I finally decided to write my first security tool, based on an idea I had for advanced hook detection; I couldn't find any evidence of the method being used, so I based a tool around it. It's still a...

Creating the Ultimate Tor Virtual Network

Although the methods in this article can be used for proper anonymity outside of the Tor browser, the main focus is creating a secure Tor-based research environment. As most security researchers know...

Advanced Desktop Application Sandboxing via AppContainer

This post is kind of a follow on from my previous article Usermode Sandboxing, so if you've not yet read that you should do so first. AppContainer was a fairly quietly introduced feature in Windows 8,...

Hidden VNC for Beginners

Hidden VNC is a creative solution to a problem which stemmed from banking fraud. Back years ago when fraud was uncommon, most banks only had basic IP or geo-location checks to flag or...

Device Guard - The Beginning of the End for Malware?

Finally I managed to put together a computer capable of running Device Guard and I've had a little bit of time to play around with the code signing part. Everyone is probably already familiar with x64...

Kelihos Analysis - Part 1

In recent years I've noticed a shift in the malware economy from botnets to ransomware, which is likely due to the AV industry employing more aggressive tactics against botnets, resulting in a drop...

Exploring Peer to Peer Botnets

Peer to Peer and Everything In Between. Back in October I'd gotten bored of the endless stream of cryptolockers and PoS trojans, so I decided to look at something old school, and that something was Kelihos....

Backdoored Ransomware for Educational Purposes

Here is an interesting article I found this week; it's about how a researcher released two pieces of 'educational' ransomware which were secretly backdoored in order to own some advanced and prolific...

When Scriptkiddies Attack

Usually I don't blog about the hundreds of ridiculous or downright crazy emails I receive each year, but this exchange makes all the others seem completely reasonable in comparison. Normally my...

Necurs.P2P - A New Hybrid Peer-to-Peer Botnet

Last week I received a tip about a sample displaying some indication that it could be peer-to-peer (a large amount of UDP traffic being sent to residential IPs); after a couple of days of analysis I was...
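
The indicator named in that teaser, one host spraying UDP at many distinct peers, is easy to turn into a first-pass triage check over flow records. The script below is an added example written for this page, not MalwareTech's code or tooling: the flow records are constructed, the five-column layout, the peer-count threshold and the list of "benign" UDP ports are assumptions, and nothing here tries to decide whether a destination is residential.

```python
"""Flag hosts whose UDP traffic fans out to many distinct destinations.

Added example, not MalwareTech's code. It encodes the triage heuristic
from the Necurs.P2P teaser: a host sending UDP to a large number of
distinct peers is a candidate P2P bot. The flow records below are
constructed for this example; the threshold, the field layout and the
benign-port list are assumptions, not anything the original post gives.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records: "src dst proto dport bytes", one per line.
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 udp 53 78
10.0.0.5 203.0.113.10 udp 53 80
10.0.0.7 198.51.100.1 udp 1024 300
10.0.0.7 198.51.100.2 udp 7321 300
10.0.0.7 198.51.100.3 udp 9900 300
10.0.0.7 198.51.100.4 udp 1410 300
10.0.0.7 198.51.100.5 udp 2201 300
10.0.0.7 198.51.100.6 udp 3000 300
10.0.0.9 192.0.2.1 tcp 443 5000
10.0.0.9 192.0.2.2 tcp 443 5000
10.0.0.9 192.0.2.3 tcp 443 5000
10.0.0.9 192.0.2.4 tcp 443 5000
10.0.0.9 192.0.2.5 tcp 443 5000
10.0.0.9 192.0.2.6 tcp 443 5000
"""

# UDP ports where fan-out to many hosts is normal for a client (assumption):
# DNS, NTP and QUIC.
BENIGN_UDP_PORTS = {53, 123, 443}


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, dport, nbytes = parts
        try:
            flows.append({
                "src": str(ip_address(src)),
                "dst": str(ip_address(dst)),
                "proto": proto.lower(),
                "dport": int(dport),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue  # bad address or non-numeric field
    return flows


def udp_fanout(flows):
    """Map each source to the set of distinct UDP peers on non-benign ports."""
    peers = defaultdict(set)
    for f in flows:
        if f["proto"] != "udp" or f["dport"] in BENIGN_UDP_PORTS:
            continue
        peers[f["src"]].add(f["dst"])
    return peers


def suspicious_p2p_hosts(flows, min_peers=5):
    """Return sources whose UDP fan-out reaches at least min_peers distinct hosts."""
    return sorted(
        src for src, dsts in udp_fanout(flows).items() if len(dsts) >= min_peers
    )


if __name__ == "__main__":
    print(suspicious_p2p_hosts(parse_flows(SAMPLE_FLOWS)))
```

On the constructed data only 10.0.0.7 is flagged: 10.0.0.5 talks UDP but only to a resolver on port 53, and 10.0.0.9 fans out just as widely but over TCP 443. On real flow data the threshold needs tuning per environment, and a hit is a lead for sample analysis, not a verdict.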

DDoSing with Other People's Botnets

While I was reverse engineering ZeroAccess in order to write a monitoring system, I had an idea which would allow me to use ZeroAccess C&C infrastructure to reflect and amplify a UDP based DDoS...

Let's Analyze: Dridex (Part 1)

Due to popular request I'm starting a new reverse engineering article series which will detail how I go about analyzing various samples, instead of just presenting my findings like I normally do. Most...

Let's Analyze: Dridex (Part 2)

In the previous article we went over how to dump the names of the majority of functions Dridex resolves dynamically to complicate analysis. Today we will be using some similar methods to get the other...

Let's Analyze: Dridex (Part 3)

Sorry for the longer than expected delay, occasionally the Dridex group will take the servers offline during the weekend and resume normal operations on Monday; however, it appears they decided to...

Dridex Updates Payload Distribution

Dridex spreads mainly using Office documents containing malicious macros; initially the primary stage would involve using VBA (Visual Basic for Applications) to download and execute the loader from...
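
Since that teaser names macro-laden Office documents as the delivery vehicle, the check a responder wants first is whether a document carries a VBA project at all. The script below is an added example written for this page, not MalwareTech's code and not anything from the Dridex campaign. It relies on two format facts: OOXML documents (.docm, .xlsm, .pptm) are ZIP containers whose VBA is stored in a part named vbaProject.bin and whose [Content_Types].xml declares the application/vnd.ms-office.vbaProject content type, and legacy binary Office files are OLE2 compound files beginning with the bytes D0 CF 11 E0 A1 B1 1A E1. The sample documents are constructed in memory, and the verdict labels are this example's own.

```python
"""Triage an Office document for an embedded VBA project.

Added example, not MalwareTech's or the Dridex authors' code. OOXML
files are ZIP containers; a macro-enabled one carries a vbaProject.bin
part and declares the VBA content type in [Content_Types].xml. Legacy
binary Office files are OLE2 compound files with a fixed magic; their
macros need a real OLE parser (e.g. oletools' olevba), so this only
labels them. The sample documents below are constructed, not real.
"""
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def triage_office_document(data):
    """Classify raw document bytes.

    Returns one of (labels chosen for this example):
      "ooxml-macros"    ZIP container with a vbaProject.bin part or the
                        VBA content type declared
      "ooxml-no-macros" ZIP container with neither indicator
      "ole2"            legacy binary format; needs a deeper parser
      "not-office"      neither an OLE2 file nor a readable ZIP
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            declares_vba = False
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                declares_vba = VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        return "not-office"
    return "ooxml-macros" if (has_vba_part or declares_vba) else "ooxml-no-macros"


def build_sample_docx(with_macros):
    """Construct a minimal OOXML-like ZIP in memory (constructed test data)."""
    override = ""
    if with_macros:
        override = (
            '<Override PartName="/word/vbaProject.bin" '
            f'ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("macro doc", build_sample_docx(True)),
        ("clean doc", build_sample_docx(False)),
        ("legacy doc", OLE2_MAGIC + b"\x00" * 504),
        ("text file", b"hello"),
    ]
    for label, blob in samples:
        print(f"{label}: {triage_office_document(blob)}")
```

Two caveats a practitioner should keep in mind: a clean ZIP verdict only means no VBA project is present in the container, not that the document is harmless (other Office attack surface exists), and the OLE2 branch is deliberately conservative, since the VBA storage inside a compound file cannot be located with a string check.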

Infosec Without a Degree

I've seen plenty of blogs from people who got into infosec through the academic route, so I figured I'd cover the other side and try to answer the three most asked questions I get via email and Twitter:...

How Cerber's Hash Factory Works

Recently I saw a story on SecurityWeek about how the Cerber ransomware morphs every 15 seconds (each download results in a file with a new hash), which I then tracked back to the source, this article...
