Viruses and Worms

Swiss Army Knife for Information Security: What Is Comprehensive Protection? - 21 April 2021 - 15:00
Data-breach risk should be tackled with a toolset for monitoring data in motion and data at rest, analysis of user behavior, and the detection of fraud and weak spots.
Category: Viruses and Worms

Novel Email-Based Campaign Targets Bloomberg Clients with RATs - 21 April 2021 - 14:00
Attacks dubbed ‘Fajan’ by researchers are specifically targeted and appear to be testing various threat techniques to find ones with the greatest impact.
Category: Viruses and Worms

Targeted Malware Reverse Engineering Workshop follow-up. Part 2

Kaspersky Securelist - 21 April 2021 - 12:00

If you have read our previous blogpost “Targeted Malware Reverse Engineering Workshop follow-up. Part 1”, you probably know about the webinar we conducted on April 8, 2021, with Kaspersky GReAT’s Ivan Kwiatkowski and Denis Legezo, to share best practices in reverse engineering and demonstrate real-time analysis of recent targeted malware samples. The experts also had a fireside chat with Igor Skochinsky of Hex-Rays and introduced the Targeted Malware Reverse Engineering online self-study course.

The webinar audience having been so active – it was a very pleasant surprise, thanks again! – not only were we unable to address all the incoming questions online, we didn’t even manage to pack the rest of them in one blogpost. So here comes the second part of the webinar follow-up.

Questions related to malware analysis
  1. How common are opaque predicates in legitimate software? Can these predicates be leveraged as detection signatures?
    Ivan: It is difficult to provide an answer encompassing all legitimate software. As a general rule, obfuscation or evasion techniques can provide a relevant weak signal potentially indicating malicious behavior, but should not be used for detection.
    Denis: We mostly deal with malicious, not legit code, but I would not expect such tricks there. What for — protection? I would not expect opaque predicates even from third-party protectors.
  2. Do you often come across binary obfuscation methods like nanomites, control flow flattening or VMs in malware?
    Ivan: Such techniques are extremely rare, possibly because attackers know that the presence of such protections will raise suspicion.
    Denis: We met several flattening cases lately. I could also name a couple of cases of custom internal VM usage in malware. So, not often, but they do exist.
  3. When it comes to packed executables, are automated unpackers usually good enough (like using dynamic instrumentation to detect tail jump and so forth) or is it more about manual work?
    Ivan: It turns out that packed executables are not as widespread as you would think. They turn up so rarely that I always default to manual work.
    Denis: We mostly deal with targeted malware, and packed executables are not common in this world, I agree.
  4. Do we also see any “exotic” commercial packers like vmprotect?
    Ivan: We don’t, however, if this is of interest to you, I strongly recommend you to watch Vitaly Kamluk’s presentation on the subject.
    Denis: Not in this training, but again, I would not say such tools are too popular in the world of targeted malware. Mostly due to being detected by security products, I suppose.
  5. What are the most creative anti-reversing tricks from malware creators you have seen so far?
    Ivan: I would name the LuckyMouse APT which deploys stripped down malware samples containing none of its configuration anymore, once saved somewhere on the victim’s machine. Generally speaking, they’re very good at making sure that files obtained by defenders are incomplete.
    Denis: The best anti-reversing trick I have seen is a seasoned software design pro with brain-damaging multi-module development style and 30 years of experience on the other side of the court. The only thing you want to do after the encounter is to yell at him/her, your disassembler, your PC, and yourself. But when you are done at last — well, this is the reason why we do it.
Questions on the Targeted Malware Reverse Engineering course syllabus

You can find the full syllabus here.

  1. Is the training focused on static reverse engineering or do you use dynamic analysis (e.g. debug/emulation) as well? Is the virtual lab analysis limited to static one?
    Ivan: We occasionally use debugging, and debuggers are available in the VM. Most of the work, however, takes place in IDA Pro.
    Denis: Ah, our deep belief in static analysis has affected the training for sure. But we do debugging as well, it is true. For example, in the LuckyMouse track.
  2. Will the analysis exercises deal only with the “final” malicious payloads/files or with analyzing the entire infection chains (e.g. downloader -> dropper/injector -> shellcode)?
    Ivan: It is closer to the other way around. When we have no time to show everything, we focus on the most complex parts of the infection chain (the beginning), tackle all the problems, and leave the easy part (looking at the unobfuscated final stage) as an exercise for the audience.
  3. You have mentioned that a lot of course time will be spent discussing deobfuscation mechanisms. Will there also be a chapter/section dealing with bypassing anti-reversing mechanisms?
    Ivan: The course is organized around the specific real malware cases. There is no theory segment on obfuscation. However, we show many samples that use different techniques and demonstrate how to approach each one of them.
  4. Does the course cover the C2 protocol traffic analysis?
    Ivan: To some extent, yes. One of the tracks is entirely dedicated to analyzing a network utility, understanding and re-implementing its custom protocol.
    Denis: For example, in the Topinambour track, you deal with simple C2 communication protocol analysis from the reversing point of view: it means that by analyzing the code you come to understand what to expect from the traffic.
  5. Do you cover both IDA Python and IDC during the course?
    Ivan: We only cover IDA Python, but the participants are free to use IDC if they choose to.
  6. Will you teach any countermeasures against this kind of anti-reversing techniques?
    Ivan: It’s our intentional choice to focus on real-life cases; and it is a fact that the vast majority of samples I have worked on involved no such protections. One of the malware specimens shown in the course has Anti-VM detection, which doesn’t bother us as we are just reading the code.
  7. What malicious document formats will be analyzed in the training?
    Ivan: The malicious document studied in the course is the InPage exploit.
    Denis: The InPage file format is based upon Compound Document Format, and we will analyze how the Biodata campaign operators had embedded the shellcode into it.
  8. If you detect such antimalware techniques, will there be a link to your previous Yara training: how to write a good detection rule to find such complex anti obfuscation techniques?
    Ivan: As you will probably see, the course is quite packed as it is! We may make a comment here and there about what could be a good Yara rule, but only in passing. I am, however, certain that the training will help you write better Yara rules.
  9. Shall we also learn to write or automate these anti obfuscation tasks at scale?
    Ivan: Yes, a large part of the course focuses on defeating the various protections that prevent us from seeing the actual payload!
Topics not addressed in the Targeted Malware Reverse Engineering training
  1. The course seems to include various topics on RE. Anything that has been left out? Probably saved for a future update to the course.
    Ivan: There are many things we could not get into. Rust/Go malware, CPU architectures beyond x86 and x64, ARM arch and Mac OS, etc. But we believe we were able to provide a varied yet realistic sample of what we usually encounter.
    Denis: In the third-level reverse engineering course from Kaspersky, you may expect the use of a decryption framework to facilitate such typical reversing tasks.
  2. Does the course address any malware employing unique file formats, thus requiring one to create an IDA loader module? How often do you deal with malware that uses unique file formats? It is something I am looking to learn.
    Ivan: This is a use case not covered by the course, and in fact one that I have yet to encounter.
    Denis: One quite unique _document_ format with the shellcode in it is featured in the course, but it needs no loader module, as you understand. Pity, but your topic seems to be out of the scope of this training. We are planning to create additional reversing screencasts from time to time — let’s think about covering this, too.
Virtual lab
  1. Will it be possible to do the exercises in a personal lab at home to analyze the samples of the course?
    Ivan: Due to legal restrictions in some countries, participants are required to work in the dedicated virtual lab that we provide and the VM cannot be downloaded. The good news is that it contains all the necessary tools, including a full version of IDA Pro.
  2. Can the lab hours be extended if required?
    Ivan: Virtual machines will indeed be suspended after 100 hours of runtime. We can extend the hours on a case-by-case basis, but we expect this should be enough to complete all the tracks of the training.
  3. Do we need to RDP from a VM?
    Ivan: The virtual environment is accessed directly from the web browser.
  4. Are the VMs stealthy for the malware, or can they be detected through redpill/no-pill techniques?
    Ivan: The VMs provided in the training make no attempt at concealing what they are. Most of the malware provided does not particularly try to prevent execution in virtualized environments, and in any case the training is focused on static analysis with IDA Pro.
  5. If we write IDA scripts, can we extract them to our home environment at the end?
    Ivan: Sadly, this will not be possible. But the scripts you write should remain relatively modest in size, and will probably not be generic enough to allow future use anyway.

You can check information on prerequisites here.

  • Do you have any good recommendations on how to prepare for the training? Any prerequisites for this course?
    Ivan: I would advise checking out the demo version of the training. It should give you an idea of whether you meet the prerequisites, and we also provide a number of third-party resources in the introduction in case you need a bit of preparation.
  • Is knowledge of cryptographic algorithms also required? Or shall we learn how to detect them in the binaries?
    Ivan: We touch on that subject lightly. In most cases, figuring out which cryptographic algorithm is used is straightforward. If not, some help will be provided during the solution segments.
  • Knowledge of which languages is required?
    Ivan: Python scripting is required at some point. Other than that, familiarity with compiled languages, such as C or C++, is recommended.
Support & feedback
  • How much support or guidance will be available if I get stuck on an exercise?
    Ivan: We will collect your requests through the helpdesk. Also, a monthly call with the trainers is scheduled to answer your questions about the course. Otherwise, we are generally available on Twitter: @JusticeRage and @legezo.
  • Does the Targeted Malware Reverse Engineering training provide for some kind of exam/cert at the end?
    Ivan: There is no exam as such, although each track contains challenging knowledge checks and quizzes to check your progress. Certification will be awarded to all participants who complete all the tracks of the course.
  • How much will this course cost?
    Ivan: $1,400 VAT included.
Future plans/Future courses
  • What is the difference between the Targeted Malware Reverse Engineering training and the upcoming third-level Advanced Malware Analysis training?
    Ivan: This is an intermediate-level course, while the upcoming one will be an advanced expert-level course.

New article: Run your malicious VBA macros anywhere!

Virus Bulletin News - 21 April 2021 - 10:11
Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

Category: Viruses and Worms

REvil ransomware gang claims it stole top-secret tech designs – including Apple lappies – from Quanta Computer

The Register - Anti-Virus - 21 April 2021 - 09:57
Threatens to release designs and data if not paid. But dangles 2005-vintage ThinkPad as proof it's serious

An entity claiming to represent ransomware gang REvil says it has accessed "large quantities of confidential drawings and gigabytes of personal data" from Quanta Computer Incorporated, a Taiwanese manufacturer that builds laptops and other gadgets for the likes of Apple, HPE, Lenovo, Cisco, and plenty of other top-tier tech companies.…

Category: Viruses and Worms

Your cloud security is static – and you’re open to more risk than you realize

The Register - Anti-Virus - 21 April 2021 - 09:30
Make your move before the cyber-crims make theirs, says Sysdig

Promo: The cloud has transformed how you manage your infrastructure and software development, enabling continuous integration and deployment, while allowing you to keep your operations running, well, continuously.…

Category: Viruses and Worms

Japan accuses Chinese military of cyber-attacks on its space agency

The Register - Anti-Virus - 21 April 2021 - 05:30
200 other companies also targeted, but no data lost

Japan has accused a member of the Chinese Communist Party of conducting cyber-attacks on its space agency and 200 other local entities.…

Category: Viruses and Worms

China broke into govt, defense, finance networks via zero-day in Pulse Secure VPN gateways? No way

The Register - Anti-Virus - 21 April 2021 - 00:20
Crucial flaw won't be fixed until next month

Dozens of defense companies, government agencies, and financial organizations in America and abroad appear to have been compromised by China via vulnerabilities in their Pulse Connect Secure VPN appliances – including a zero-day flaw that won't be patched until next month.…

Category: Viruses and Worms

Mozilla Fixes Firefox Flaw That Allowed Spoofing of HTTPS Browser Padlock - 20 April 2021 - 22:40
The Mozilla Foundation releases Firefox 88, fixing 13 bugs ranging from high to low severity.
Category: Viruses and Worms

Would be so cool if everyone normalized these pesky data leaks, says data-leaking Facebook in leaked memo

The Register - Anti-Virus - 20 April 2021 - 21:51
Blundering mouthpiece sent arrogant line to journalist by accident

Facebook wants you to believe that the scraping of 533 million people’s personal data from its platform, and the dumping of that data online by nefarious people, is something to be “normalised.”…

Category: Viruses and Worms

Firefox 88 patches bugs and kills off a sneaky JavaScript tracking trick

Sophos Naked Security - 20 April 2021 - 20:04
What's in a window name? Turns out that it could be a sneaky tracking code, so Firefox has put a stop to that.

GEICO Alerts Customers Hackers Stole Driver License Data for Two Months - 20 April 2021 - 17:59
The second-largest auto insurance provider in the U.S. has since fixed the vulnerability that exposed information from its website.
Category: Viruses and Worms

Do you expect me to talk? Yes, Mr Bond, I expect you to reply: 10k Brits targeted on LinkedIn by Chinese, Russian spies

The Register - Anti-Virus - 20 April 2021 - 17:48
Campaign launched to alert public sector staff that not everyone on the internet is nice

Updated: Ten thousand Britons have been targeted on LinkedIn by recruiters for the Chinese and Russian intelligence services, according to an awareness campaign launched by domestic spy agency MI5 this morning.…

Category: Viruses and Worms

We need to talk about criminal adversaries who want you to eat undercooked onion rings

The Register - Anti-Virus - 20 April 2021 - 13:37
Cisco Talos discovers flaws in air fryer, connected chip cooker firm fails to fix

Updated: Bad news for lockdown slimmers who've ignored advice about not needing to connect every friggin' appliance in their home to the internet: Talos researchers have sniffed out security flaws allowing attackers to hijack your air fryer.…

Category: Viruses and Worms

Bank of England ponders minting 'Britcoin' to sit alongside the Pound

The Register - Anti-Virus - 20 April 2021 - 08:56
Taskforce and two forums to consider Central Bank Digital Currency

The Bank of England and HM Treasury have formed a Taskforce to "coordinate the exploration of a potential UK Central Bank Digital Currency" (CBDC).…

Category: Viruses and Worms

Who knew Uncle Sam had strike teams for SolarWinds, Exchange flaws? Well, anyway, they are disbanded

The Register - Anti-Virus - 20 April 2021 - 00:28
Lessons learned and mission accomplished, apparently

The US government's response groups for dealing with recent SolarWinds and Microsoft Exchange vulnerabilities have reached the end of the road.…

Category: Viruses and Worms

WordPress core contributor proposes treating Google FLoC as a security vulnerability

The Register - Anti-Virus - 19 April 2021 - 22:27
Let's opt every WordPress site out of FLoC. Nice idea, but security update? Really?

A proposal by a WordPress core contributor to treat Google's FLoC ad tech as a security vulnerability, and therefore backport an automatic opt-out to previous WordPress versions, shows the depth of community opposition to the technology.…

Category: Viruses and Worms

NitroRansomware Asks for $9.99 Discord Gift Codes, Steals Access Tokens - 19 April 2021 - 21:23
The malware seems like a silly coding lark at first, but further exploration shows it can wreak serious damage in follow-on attacks.
Category: Viruses and Worms

Won't somebody please think of the children!!! UK to mount fresh assault on end-to-end encryption in Facebook

The Register - Anti-Virus - 19 April 2021 - 20:45
Change the record, nobody's fooled by this now

UK Home Secretary Priti Patel will badmouth Facebook's use of end-to-end encryption on Monday evening as she links the security technology with paedophilia, terrorism, organised crime, and so on.…

Category: Viruses and Worms

Ransomware: A Deep Dive into 2021 Emerging Cyber-Risks - 19 April 2021 - 20:01
Our new eBook goes beyond the status quo to take a look at the evolution of ransomware and what to prepare for next.
Category: Viruses and Worms