331 items tagged "malware"

15:14 - Packet Storm Security Advisories
Apple Security Advisory 2012-05-14-1 - This update runs a malware removal tool that will remove the most common variants of the Flashback malware. If the Flashback malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.

13:33 - Packet Storm Security Advisories
HP Security Bulletin HPSBPV02754 SSRT100803 2 - A potential security vulnerability has been identified with certain HP ProCurve 5400 zl switches using a compact flash card which may contain malware content that is a PC trojan executable. The ProCurve switch operating system is not infected with the malware and the content on the compact flash card has no impact on the operation of the switch. Reuse of the compact flash card in a personal computer and manual execution of the malware content could result in a compromise of that system's integrity. Revision 2 of this advisory.

21:27 - SecDocs
Authors: Bruce Dang, Peter Ferrie
Tags: malware, malware analysis, Stuxnet
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: There have been many publications on the topic of Stuxnet and its "sophistication" in the mainstream press. However, there is no complete publication which explains all of the technical vulnerability details and how they were discovered. In this talk, you will get a first-hand account of the entire story. We will discuss various techniques used in analyzing Stuxnet. First, we will share several tricks that were used to quickly identify the vulnerabilities. Second, we describe the thought processes that went into debugging and triaging the vulnerabilities themselves. Finally, we show some tips that you can use if you feel like decompiling stuff for fun :).

7:32 - Packet Storm Security Misc. Files
Hook Analyser is a hook tool which can be potentially helpful in reversing applications and analysing malware. It can hook to an API in a process and search for a pattern in memory or dump the buffer.

15:22 - SecDocs
Authors: Ang Cui, Jonathan Voris
Tags: hardware hacking
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Network printers are ubiquitous fixtures within the modern IT infrastructure. Residing within sensitive networks and lacking in security, these devices represent high-value targets that can theoretically be used not only to manipulate and exfiltrate sensitive information such as network credentials and sensitive documents, but also as fully functional general-purpose bot-nodes which give attackers a stealthy, persistent foothold inside the victim network for further reconnaissance, exploitation and exfiltration. We first present several generic firmware modification attacks against HP printers. Weaknesses within the firmware update process allow the attacker to make arbitrary modifications to the NVRAM contents of the device. The attacks we present exploit a functional vulnerability common to all HP printers, and do not depend on any specific code vulnerability. These attacks cannot be prevented by any authentication mechanism on the printer, and can be delivered over the network, either directly or through a print server (active attack) and as hidden payloads within documents (reflexive attack). In order to demonstrate these firmware modification attacks, we present a detailed description of several common HP firmware RFU (remote firmware update) formats, including the general file format, along with the compression and checksum algorithms used. Furthermore, we will release a tool (HPacker), which can unpack existing RFUs and create/pack arbitrary RFUs. This information was obtained by analysis of publicly available RFUs as well as reverse engineering the SPI BootRom contents of several printers. Next, we describe the design and operation of a sophisticated piece of malware for HP (P2050) printers. Essentially a VxWorks rootkit, this malware is equipped with: port scanner, covert reverse-IP proxy, print-job snooper that can monitor, intercept, manipulate and exfiltrate incoming print-jobs, a live code update mechanism, and more (see presentation outline below). Lastly, we will demonstrate a self-propagation mechanism, turning this malware into a full-blown printer worm. Using HPacker, we demonstrate the injection of our malware into arbitrary P2050 RFUs, and show how similar malware can be created for other popular HP printer types. Next, we demonstrate the delivery of this modified firmware update over the network to a fully locked-down printer. Lastly, we present an accurate distribution of all HP printers vulnerable to our attack, as determined by our global embedded device vulnerability scanner (see [1]). Our scan is still incomplete, but extrapolating from available data, we estimate that there exist at least 100,000 HP printers that can be compromised through an active attack, and several million devices that can be compromised through reflexive attacks. We will present a detailed breakdown of the geographical and organizational distribution of observable vulnerable printers in the world. *We have also unpacked several engine-control processor firmwares (different from the main SoC) and are currently attempting to locate code related to tracking dots. Perhaps we will have some results by December. In any case, HPacker will help the community to do further research in this direction, possibly allowing us to spoof / disable these yellow dots of burden.

21:41 - SecDocs
Authors: Christiaan Beek
Tags: malware intelligence, malware analysis
Event: Black Hat Abu Dhabi 2011
Abstract: Over the years the use of malware has dramatically changed, ranging from programmers exploring the malicious possibilities of their programming code, to copycats trying to combine code snippets, to organized crime and governments using custom-made malware for their purposes. Where financial gratification is the main drive for cybercrime, it seems that the hunger for secrets and intellectual property is taking over. Some examples of cases are Operation Aurora, Night-Dragon and recently Shady-RAT. These are examples of investigations that started with the detection of unknown customized malware hiding on corporate networks and ended in large investigations regarding data loss. So how is it possible that this malware was undetected? How can you detect hidden malware on your network using open-source tools, and what patterns should you look for? What countermeasures can you take? How do you build a layered malware defense to keep unknown malware out of your network? In my talk I will give some demos of how you can use Wireshark to investigate network data for traces of malware and how to filter for suspicious connections.

15:54 - Packet Storm Security Recent Files
This malware report is part 1 of 2. This report is an effort to track, categorize, contain, understand root cause and infection vector of said user account/s, networked equipment or computer/s. This report pertains to all incidents reported by TIER II help desk, TIER III engineers, customer complaints or random IT Security audit/finding/pen test.

7:27 - Packet Storm Security Advisories
Various antivirus software on Windows fails to detect, block and/or move malware if the executable file has only execution permission and no read, write, or other bits set.

13:18 - SecDocs
Authors: Georg Wicherski
Tags: virtual machine, malware, malware analysis
Event: Black Hat USA 2010
Abstract: The increasing amount of new malware each day not only pushes anti-virus companies to new limits in handling these samples for detection by creating new signatures; for network security providers and administrators too, getting information on how samples affect the networks they try to protect is an increasing problem. Dynamic analysis of malware by execution in sandboxes is an approach that has been successfully applied in both of these problem scenarios; however, classic sandbox approaches clearly suffer from severe scalability problems. Most of these rely on setting up a real target system such as the Windows XP operating system as a virtual machine with additional software that logs the performed actions. While these are easy to develop and set up, they require a separate virtual machine instance for each malware sample to be analyzed and therefore do not scale up with today's requirements in terms of malware growth. Anti-virus vendors tried to circumvent performance issues for file analysis by developing custom emulators that can be deployed on a customer end-host for detection and do not require a whole operating system inside a virtual machine. These emulators, however, are often software interpreters for the x86 instruction set and therefore run into execution speed limitations of their own. Additionally, they suffer from detectability because they try to emulate every single Windows API but suffer from accuracy issues. dirtbox is an attempt to implement a highly scalable x86/Windows emulator that can be used both for simple malware detection and for detailed behavior analysis reports. Instead of emulating every single x86 instruction in software, malware instructions are executed directly on the host CPU in a per-basic-block fashion. A disassembling run on each basic block ensures that no privileged or control-flow-subverting instructions are executed. The notion of virtual memory that is separated from the emulator's memory is implemented with special LDT segments and by switching segment selectors before executing guest instructions. Since no instrumentation-like instruction rewriting is done, disassembler results per basic block can be cached, and since all execution happens in the same process without context switches, a high degree of performance is achieved. The operating system is emulated at the syscall layer. While this layer is mostly undocumented and implementing it in an accurate fashion is a challenging task on its own, the fact that no register changes are leaked from Ring 0 thwarts a lot of detection techniques. For usage of the high-level APIs, corresponding libraries are directly mapped into the virtual memory as well.

11:15 - SecDocs
Authors: Jibran Ilyas, Nicholas J. Percoco
Tags: malware, cybercrime, malware analysis
Event: Black Hat USA 2010
Abstract: We had a busy year. We investigated over 200 incidents in 24 different countries. We ended up collecting enough malware freaks [samples] to fill up Kunstkammer a few times over. Building upon last year's DEFCON talk, we want to dive deeper and bring you the most interesting samples from around the world - including one that made international headlines and the rest we're positive no one's ever seen before (outside of us and the kids who wrote them). This talk will bring you 4 new freaks and 4 new victims including: a Sports Bar in Miami, Online Adult Toy Store, US Defense Contractor, and an International VoIP Provider. The malware we are going to demo are very advanced pieces of software written by very skilled developers. The complexity in their propagation, control channels, anti-forensic techniques and data exporting properties will be very interesting to anyone interested in this topic.

0:26 - SecDocs
Authors: Kevin Mahaffey, John Hering
Tags: malware, malware analysis, phone
Event: Black Hat USA 2010
Abstract: The mobile app revolution is upon us. Applications on your smartphone know more about you than anyone or anything else in the world. Apps know where you are, who you talk to, and what you're doing on the web; they have access to your financial accounts, can trigger charges to your phone bill, and much more. Have you ever wondered what smartphone apps are actually doing under the hood? We built the largest-ever mobile application security dataset to find out. Mobile apps have grown tremendously both in numbers and capabilities over the past few years with hundreds of thousands of apps and billions of downloads. Such a wealth of data and functionality on each phone and a massive proliferation of apps that can access them are driving a new wave of security implications. Over the course of several months, we gathered both application binaries and meta-data about applications on the most popular smartphone platforms and built tools to analyze the data en masse. The results were surprising. Not only do users have very little insight into what happens in their apps, neither do the developers of the applications themselves. In this talk we're going to share the results of our research, demonstrate a new class of mobile application vulnerability, show how we can quickly find out if anyone in the wild is exploiting it, and discuss the future of mobile application security and mobile malware.
SecDocs
Authors: Mikko Hypponen
Tags: malware, phone
Event: Black Hat USA 2010
Abstract: Computers do not have a built-in billing system. Phones do: it's called the phone bill. We have already seen the first examples of money-making malware that infects various types of smartphones. This talk will go into details of the currently known smartphone trojans that either place calls or send text messages to expensive premium-rate numbers. How does this work technically? Which platforms are at risk? What kind of premium-rate numbers are the criminals using? How do they route the money back to them without getting caught? And what can we do about this before it gets worse?
SecDocs
Authors: Neil Daswani
Tags: malware, web server, Apache
Event: Black Hat USA 2010
Abstract: Drive-by downloads planted on legitimate sites (e.g., via "structural" and other vulnerabilities in web applications) cause web sites to get blacklisted by Google, Yahoo, and other search engines and browsers. In this talk, I describe the technical architecture and implementation of mod_antimalware, a novel, open-source containment technology for web servers that can be used to 1) quarantine web-based malware infections before they impact users, 2) allow web pages to safely be served even while a site is infected, and 3) give webmasters time to recover from an attack before their web sites get blacklisted by popular search engines and browsers.
Packet Storm Security Recent Files
This white paper aims to understand the operation of an Android malware named "*DroidKungFu 2 - A*" and to investigate the parameters, code and structure which are created or modified by this malware. It also highlights the mitigation steps, which require both the user and the developer to be proactive.
SecDocs
Authors: Christiaan Schade, Damiano Bolzoni
Tags: malware, malware analysis
Event: Black Hat USA 2010
Abstract: In this presentation we will show a new approach to perform on-the-fly malware analysis (even of previously unknown malware), without the need of deploying any instrumentation at the end host beforehand. Our approach leverages the fact that malware quite often comes as a small (in size) "spore", which is then responsible for making the malware persistent on the targeted host and downloading additional components ("eggs"). Eggs usually come in the shape of executables or DLLs, and extend the capabilities of the spore (password grabbing, URL redirection, etc.). Our system, which we call Avatar, detects failed attempts to download eggs, and ships back to the suspected malware what we call a "red pill". When the malware executes the red pill, this performs some preliminary checks and can send to an instrumented host a copy of the parent process' executable. In this instrumented (i.e., sand-boxed) environment it is possible to perform real-time analysis of the suspicious program. The red pill can then be remotely instrumented to terminate the monitored process, in case it appears to be a real threat. By doing so, it is possible to effectively contain a large infection.
SecDocs
Authors: Kuniyasu Suzaki, Quynh Nguyen Anh
Tags: malware, debugger, malware analysis
Event: Black Hat USA 2010
Abstract: Dynamic malware analysis is an important method to analyze malware. The most important tool for dynamic malware analysis is the debugger. However, because debuggers are originally built by software developers to debug legitimate software, they have some significant flaws against malware. First of all, malware can easily detect the presence of a debugger with various tricks. Another fundamental problem is that because malware runs in the same security domain as the debugger, it can potentially tamper with the debugger, and prevent it from functioning correctly. Unfortunately, all of the above drawbacks are unfixable in the current architecture. This research presents a new debugger named Virt-ICE, which is designed to address the problems of current malware debuggers. Using virtualization technology, Virt-ICE is totally invisible to malware, thus rendering most available anti-debugging techniques useless. Thanks to the isolation provided by the virtual machine, Virt-ICE is out of the reach of malware, and cannot be tampered with. Another advantage of Virt-ICE is that unlike many other popular debuggers, it can deal with ring-0 code, therefore it has no issue handling kernel rootkits. Virt-ICE also offers a novel event-based method to intercept malware execution, which can help to improve the debugging efficiency. Finally, Virt-ICE includes some built-in automatic malware analysis facilities to give the analysts more information on malware, so they can reduce the time on the job by focusing their debugging efforts on important points. We conclude the talk with some live demos to show how Virt-ICE can debug some real malware.
Packet Storm Security Recent Files
Malheur is a tool for automatic analysis of program behavior recorded from malicious software (malware). It is designed to support the regular analysis of malicious software and the development of detection and defense measures. It allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes. It can be applied to recorded program behavior of various formats as long as monitored events are separated by delimiter symbols, e.g. as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox, and Joebox.
SecDocs
Authors: Nicolas Seriot
Tags: malware, iPhone, rootkit
Event: Hashdays 2010
Abstract: Apple's AppStore moves the burden of security management from the user to the vendor. Apple semi-automatically verifies each of the 200.000 applications and their updates. Moreover, when an application is downloaded on the iPhone, a sandboxing mechanism is supposed to prevent it from reading other applications' data. We showed at Black Hat DC 2010 that such a scheme did not prevent malware from reaching the App Store and harvesting personal data. This talk will discuss the current state of iOS 4 privacy and show to what extent iOS 4 fixes the issues raised earlier this year. We will also present some findings about other possible frauds happening inside the App Store eco-system, such as "App Farms", which basically consist of artificially boosting application ratings with stolen accounts.
Packet Storm Security Recent Files
Whitepaper called Demystifying the Android Malware. It dives into various phases to discuss the hows and whys behind malware implementation for Android.
Packet Storm Security Recent Files
Whitepaper called Fake Malware and Virus Scanners. Rogue security software reports a virus infection even if your computer is clean. This kind of "software" can also fail to report viruses when your computer is actually infected. This document shows the mechanisms used to obfuscate this process.
Hack a Day
Looks like the FBI is starting to get pretty serious about fighting malware. Traditionally they have attacked the servers that activate and control botnets made up of infected computers. This time they’re going much further by taking control of and issuing commands to the botnets. In this instance it’s a nasty little bug called Coreflood, [...]
SecDocs
Authors: Neil Daswani
Tags: malware
Event: Black Hat DC 2011
Abstract: The Web 2.0 transformation has in part involved many sites using third-party widgets. We present the "widgetized web graph" showing the structure of high traffic web sites from the standpoint of widgets, show how web-based malware and scareware is propagated via such widgets, and provide data on how a mass web-based malware attack can take place against the Quantcast 1000 web sites via widgets.
SecDocs
Authors: Silvio Cesare
Tags: malware, malware analysis, obfuscation
Event: Ruxcon 2010
Abstract: Silvio developed a signature-based malware detection system using control flow graphs as features for his Masters work. Two academic papers were published during this time. He continues the work on malware classification in his PhD. The work is distinguished from previous research by being able to approach the speed and efficiency of traditional Antivirus, yet with the significantly increased effectiveness of using control flow based signatures. Control flow is seen as a more accurate identifier of malware variants and relies on fingerprinting program structure instead of the byte-level content. The system is designed to scale for potential applications including desktop Antivirus, E-Mail and Internet gateways.
SecDocs
Tags: malware, malware analysis
Event: AVTokyo 2009
Abstract: I thought this may be interesting if we could map the Malware source IP and the SPAM mail source IP on the global map with the geo coding. This talk will show the current status and how it looks.
Packet Storm Security Tools
Malware Check Tool is a Python script that detects malicious files by checking MD5 hashes against an offline set or via the VirusTotal site. It has HTTP proxy support and an update feature.