Channel: MalwareTech
Browsing all 95 articles

Ring3 / Ring0 Rootkit Hook Detection 1/2

Introduction: The cybercrime underworld hasn't given me any exciting malware to reverse and I'm running out of ideas for new posts, so I'm going to do a 2 part article about the techniques used by...

Usermode Sandboxing

A lot of people (including myself, until recently) think that effective sandboxing requires a filter driver or kernel hooking, but this is no longer the case. A new security feature introduced in...

New IRC Launch

For anyone still into IRC, MalwareTech has partnered with sigterm.no to launch a new IRC network. It's still fairly new so don't expect an instant response, but everyone is welcome (socializing or just...

Creating a Secure Tor Environment

As we all know there are ways that your real IP can be leaked when using Tor (JavaScript, Flash, malware and software errors). In this tutorial I'm going to show how to create a fairly secure Tor...

Passive UAC Elevation

I had a cool idea for a way to get the user to passively elevate your application without socially engineering them to do so or requiring exploits. Obviously you could just go ahead and start mass...

How MS14-066 (CVE-2014-6321) is More Serious Than First Thought

If you've been in a coma for the past week, MS14-066 (CVE-2014-6321) is a TLS heap overflow vulnerability in Microsoft's schannel.dll, which can result in denial of service and even remote code...

MS14-066 In Depth Analysis

A few days ago I published an article detailing how a second bug, in the schannel TLS handshake handling, could allow an attacker to trigger the DecodeSigAndReverse heap overflow in an application that...

Fraudsters & Malware Sellers Still Shifting to the Deep Web

On November the 6th and 7th a global operation (dubbed Operation Onymous) was carried out against illegal (mostly black market) sites hosted on the Tor network; as a result, over 400 hidden services were...

Virtual File Systems for Beginners

A Virtual File System (VFS), sometimes referred to as a Hidden File System, is a storage technique most commonly used by kernel mode malware, usually to store components outside of the existing...

Zombie Processes as a HIPS Bypass

A long long time ago (about 10 years in non-internet time) malware developers only had to worry about signature based detection, which could be easily bypassed with polymorphic droppers or executable...

Phase Bot - A Fileless Rootkit (Part 1)

Phase Bot is a fileless rootkit that went on sale during late October, the bot is fairly cheap ($200) and boasts features such as formgrabbing, ftp stealing, and of course the ability to run without a...

Phase Bot - A Fileless Rootkit (Part 2)

As I said in the last part of the analysis the sample I had was just a test binary, but now I have some real ones thanks to some help from @Xylit0l. The new binaries incorporate some much more...

OphionLocker: Proof Anyone Really Can Write Malware

OphionLocker is supposedly the new ransomware on the block and is already being compared with sophisticated operations such as CryptoLocker and CryptoWall, so I decided to take a look and what I found...

2013 In Malware

As an end of year article, I thought it might be a nice idea to review some of the interesting (to me) malware related events of this year. There's no specific order to the list, but I'll try to include...

Phase Bot - Exploiting C&C Panel

I've been withholding this article for a while, due to the fact that the minute I post it all the vulnerabilities will be patched, thus becoming useless to us; however, it turns out hacking all of the...

Darkode - Ode to LizardSquad (The Rise and Fall of a Private Community)

For the 10 of you who don't know, darkode was one of the most active English-speaking "underground" cybercrime boards. The forum was started around 2009 by a coder named "Iserdo" and gained popularity...

Distributed Denial Of Service (DDoS) for Beginners

Distributed Denial Of Service, or DDoS, is an attack in which multiple devices send data to a target device (usually a server), with the hope of rendering the network connection or a system application...

Inline Hooking for Programmers (Part 1: Introduction)

A lot of my articles have been aimed at giving a high-level insight into malware for beginners, or those unfamiliar with specific concepts. Today I've decided to start a new series designed to...

Inline Hooking for Programmers (Part 2: Writing a Hooking Engine)

We'll be writing a hooking engine using trampoline based hooks as explained in the previous article (we don't handle relative instructions as they're very rare, but we do use atomic write operations to...

Using Kernel Rootkits to Conceal Infected MBR

If you've looked at any of the major bootkits such as TDL4 and Rovnix, you've probably noticed they employ certain self defense features to prevent removal; specifically, intercepting read/write requests...
