Monday, September 21, 2015

New "Speed" and New Samples Available Now

Hello everybody, today is about speed improvements and new malware samples in . If you followed the genesis of the project you might remember the early stage of development, when it took between 8 and 10 minutes to visualize statistics over 43k malware analyses. Today it runs much better: about 15 seconds to visualize 76.2K malware analyses (ok, I know... it really depends on network speed and computation power, but tested on the same machine you will experience a huge performance gap).

Let me just remind you what is about:
"The continued growth in number and in complexity of malware is a well established fact. Malware samples are no longer simple pieces of code that rely on unsuspecting users to spread and thrive. They can change, adapt and hide themselves from analysts, using very sophisticated techniques. Static analysis is complex and time consuming, and it could be difficult to deduce every possible malicious behaviour, yet it is often very effective because it hinders the capability of malware to detect the analysis environment. The purpose of is to provide valuable assistance to the phase of static analysis, supporting analysts in their exploration of code features, by letting them make more focused, statistically motivated and structured decisions."
We are facing a "Big Data" problem. Thousands of samples produce hundreds of thousands of results, which end up being gigabytes of well-structured text. And yes, I want to make general statistics so far (general !== "time frame defined"), so I am not interested in filtering data (well, I know I will end up putting a time filter on the main page... but not today!). My main goal is to answer, in the quickest way, questions such as: "What are the most used packers?", "What are the most used evasion techniques?" or again "What are the most used APIs or anti-debugging techniques?", and so on and so forth. Obviously I want to give such statistics through a simple and intuitive web interface. You might wonder why those questions are so important to me. Well, because they really drive my decisions during a romantic malware analysis.

The following image shows today's stats in detail.

In order to provide a fast and reliable web visualization user interface I've tried several algorithms and several frameworks, but my best choice (so far) has been to approach the problem using JavaScript "Web Workers" (HTML5).

From W3Schools:
A web worker is a JavaScript that runs in the background, independently of other scripts, without affecting the performance of the page. You can continue to do whatever you want: clicking, selecting things, etc., while the web worker runs in the background.

The new and simple algorithm (which is not the best I can create, and is not remarkable in any way, but it made a huge improvement) that made the big visualization speed-up over the last two versions possible is available here. The following image shows the main function responsible for building the output before passing it to Google Charts.

Simple Visualization Algorithm
As you might agree with me, the entire code should be hardened (it is currently not protected against undefined values, null pointers, etc.) and could be sped up further by introducing multiple web workers. If you'd like to be involved in the project just drop me an email; any suggestion is welcome as well. Enjoy the new results!

Thursday, September 3, 2015

Shifu: A new interesting Banking Trojan

Hello everybody, today I'd like to share some information on "Shifu", a new and incredibly interesting banking trojan. At this point you might think:
"Why are you writing about Shifu among the many other new threats (even more discussed) out there?"
Well... Shifu is a new banking trojan which currently attacks mostly Japanese banks; it is well geo-localized and will probably end up hitting a specific set of organizations, but what fascinates me is the way it implements many features by copying what some of the "best in class" known malware families have done so far. Shifu implements the following features:
  • Domain Generation Algorithm (DGA): Shifu uses the Shiz Trojan’s DGA. The exposed algorithm itself is easy to find online, and the developers behind Shifu have elected to use it for the generation of random domain names for covert botnet communications. 
  • Theft From Bank Apps: Theft of passwords, authentication token files, user certificate keys and sensitive data from Java applets is one of Shifu’s principal mechanisms. This type of modus operandi is familiar from Corcow’s and Shiz’s codes. Both Trojans used these mechanisms to target the banking applications of Russia- and Ukraine-based banks. Shifu, too, targets Russian banks as part of its target list in addition to Japanese banks.
  • Anti-Sec: Shifu's string obfuscation and anti-research techniques were taken from Zeus VM (in its Chthonic/Maple variation), including anti-VM and the disabling of security tools and sandboxes.
  • Stealth: Part of Shifu’s stealth techniques are unique to the Gozi/ISFB Trojan, and Shifu uses Gozi’s exact same command execution scheme to hide itself in the Windows file system.
  • Config: The Shifu Trojan is operated with a configuration file written in XML format — not a common format for Trojans, and similar to the Dridex Trojan’s configuration (Dridex is a Bugat offspring). 
  • Wipe System Restore: Shifu wipes the local System Restore point on infected machines in a similar way to the Conficker worm, which was popular in 2009. 
  • Communication protocol: Shifu implements an SSL communication layer based on a self-signed certificate. The implemented module reminds analysts of the one used in the Dyre trojan campaigns of late 2014.
Another interesting feature concerns point-of-sale (POS) systems. To make matters worse, Shifu searches memory for specific POS strings (and processes). If it finds a POS trace, it starts a credit-card-number stealing routine.

Last but not least, Shifu makes sure nobody else will own the attacked system. Once installed on the victim machine it starts an "AV" procedure (forgive me, it is not actually an AV procedure, but it gives the idea) which locates "suspicious" files and denies their installation. According to IBM Security Intelligence's report (here) the malware was likely developed by a Russian group.

Let's get our hands dirty performing some basic reverse engineering to see which countermeasures it really adopts. In the IBM report (linked above) you can find the malware signature (NmE5ZDRhMzIzOTg3NDg5YzhlOGI1NTc2ZjY3YjJjOTQ), which can be used in common online sandbox systems to look for samples. As you may observe, the sample I got implements some anti-debugging techniques as well as some basic sandbox evasion techniques (for more information please have a look at malwarestats):

GetLastError, IsDebuggerPresent, GetVolumeInformation, etc.
An interesting sequence of API calls was found: GetProcAddress (retrieves the address of an exported function or variable from the specified dynamic-link library) -- VirtualProtect (stack) (changes the protection on a region of committed pages in the virtual address space of the calling process) -- VirtualAlloc (reserves, commits, or changes the state of a region of pages in the virtual address space of the calling process; memory allocated by this function is automatically initialized to zero) -- Sleep (suspends the execution of the current thread until the time-out interval elapses) -- VirtualAlloc. This is the typical shape of an in-memory unpacking stub: resolve the APIs it needs, make a region writable and executable, allocate fresh memory for the decoded payload, and pause (often to outlast a sandbox's execution timeout) before allocating again.

Another interesting pattern found during the simple static analysis phase (shown in the following image) is the dynamically loaded library pattern (the library having been downloaded earlier). As you can observe on row 2861, the code points to a specific location and calls LoadLibraryA to load it into memory.

Dynamically Loaded DLL
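Added example (my own code, not from the post or from the Shifu sample): a small Python scanner that looks for the anti-debugging APIs and the unpack-and-execute call sequence discussed above in an API-call trace, and flags LoadLibrary calls that load a DLL from a user-writable directory (the pattern at row 2861). The trace format (one `API(args)` call per line) and the sample trace are constructed for this example. GetLastError on its own is far too common to be meaningful, so it only counts as part of the combination.

```python
import re

# APIs the post lists as anti-debugging / sandbox checks (plus two common relatives).
ANTI_DEBUG_APIS = {
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess",
    "GetLastError", "GetVolumeInformationA", "GetVolumeInformationW",
}

# The ordered sequence observed in the sample; unrelated calls may sit between the steps.
UNPACK_SEQUENCE = ["GetProcAddress", "VirtualProtect", "VirtualAlloc", "Sleep", "VirtualAlloc"]

# Directories any user can write to, where a downloaded DLL is typically dropped.
WRITABLE_DIR = re.compile(r"\\(?:temp|tmp|users\\public)\\", re.IGNORECASE)

CALL_RE = re.compile(r"^(\w+)\s*\((.*)\)\s*$")

# Constructed trace shaped like a sandbox API log (invented values, not the real sample).
SAMPLE_TRACE = r"""
GetVolumeInformationA("C:\", ...)
IsDebuggerPresent()
GetProcAddress(0x77e60000, "VirtualAlloc")
GetLastError()
VirtualProtect(0x0012f000, 0x1000, PAGE_EXECUTE_READWRITE)
VirtualAlloc(NULL, 0x8000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
Sleep(2000)
VirtualAlloc(NULL, 0x20000, MEM_COMMIT, PAGE_READWRITE)
LoadLibraryA("C:\Users\victim\AppData\Local\Temp\zdwg.dll")
"""


def parse_trace(text):
    """Return [(api, args), ...] for every line that looks like a call."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            calls.append((m.group(1), m.group(2)))
    return calls


def find_subsequence(apis, pattern):
    """Indices at which `pattern` occurs in `apis` as an ordered subsequence, else None."""
    hits, k = [], 0
    for i, api in enumerate(apis):
        if api == pattern[k]:
            hits.append(i)
            k += 1
            if k == len(pattern):
                return hits
    return None


def analyse_trace(text):
    """Summarise the anti-debug calls, the unpack sequence and suspicious DLL loads."""
    calls = parse_trace(text)
    apis = [api for api, _ in calls]
    return {
        "anti_debug": sorted({a for a in apis if a in ANTI_DEBUG_APIS}),
        "unpack_sequence_at": find_subsequence(apis, UNPACK_SEQUENCE),
        "dll_from_writable_dir": [
            args for api, args in calls
            if api.startswith("LoadLibrary") and WRITABLE_DIR.search(args)
        ],
    }


if __name__ == "__main__":
    for key, value in analyse_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run against a real sandbox trace the subsequence match is the useful signal: a single VirtualAlloc or Sleep is in every program, the ordered chain with a LoadLibrary from a temp directory afterwards is not.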
Dynamic analysis clearly shows the sample's RAT features: it spawns a shell (on my machine PID 1388, with parent PID 788 belonging to the executed sample) and executes commands. Unfortunately the evasion techniques detected the sandbox execution. The following image shows the check for the presence of Python, which is often one of the detection mechanisms (how many ordinary users have Python on their Windows machines? Not many, really).

Python Detection

After a simple de-obfuscation round (a Visual C packer was detected) the analyst can appreciate the command line parser, probably the one used to communicate with the Command and Control (not much further analysis has been performed).

Command Line Parser
Network wise the sample embeds the following addresses:
  • ( Noisy maker
  • ( Much more interesting because it is geolocated in China and the domain has changed servers at least twice during the last year.
A simple nmap scan on it shows an nginx server up and running on both ports 80 and 443, used to communicate with the malware, an ssh daemon active on the standard port, and an interesting open TCP port 53. The statically analyzed behaviour presents the following timeline (click on it to enlarge):

Behaviour Time Line
Not really a significant one, but the spawned cmd.exe feels like a hero. Concluding my post, I wanted to record on my pages this significant piece of malware, which embeds many different techniques borrowed from older malware, underlining a new skill set among malware writers: they are able to make harder and harder pieces of code at will, just by adding features from different malware families.

Tuesday, August 11, 2015

Exploit Kits on August 2015

Often people, including students and security professionals, ask me about exploit kits (EKs). EKs play a fundamental role in today's malware propagation because they are built to deliver content through vulnerabilities. The aim of an EK is to exploit a target client machine through well known or sometimes "less known" vulnerabilities, which usually target browsers, the Java Runtime Environment, Adobe products and commonly used applications including (but not limited to): media players, visualization utilities, Microsoft Office documents and so on. A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn't need to know how to create exploits to benefit from infecting systems. Further, an exploit pack typically provides a user-friendly web interface that helps the attacker track the infection campaign. Some exploit kits offer capabilities for remotely controlling the exploited system, allowing the attacker to create an Internet crimeware platform for further malicious activities.

The following table (from contagiodump) keeps track of most of the known exploit kits out there, together with the vulnerabilities they exploit.

Click to Enlarge, credits to Contagio Data

As you can appreciate from Sally's work, many vulnerabilities are covered by most of the exploit kits but not all of them, so depending on the administration console (which almost every EK gives to attackers) and, most importantly, on the target system, the attacker can choose between several EKs. While several exploit kits are available nowadays, only a subset of them is widely used. As described in this post from Malwarebytes, the most used EKs are represented in the following picture.

Exploit Kits from MalwareBytes analysis.

Now you would probably like to know how the EK infection process works; a nice piece of work by Trend Micro explains the 4-stage infection chain in a simple view.

4 stage EKs infection chain by TrendMicro

Contact is the beginning of the infection, where an attacker attempts to make people access the link of an exploit kit server. Contact is often made through spammed email, where recipients are tricked into clicking a link through social engineering lures.

Traffic redirection refers to the capacity with which the exploit kit operator can screen victims based on certain condition sets. This is done through a traffic direction system (TDS), such as SutraTDS or KeitaroTDS, for aggregating and filtering redirected traffic before it reaches the exploit kit server.

Once users have been successfully tricked into clicking the link of an exploit kit server in the contact stage and filtered in the redirect stage, they are directed to the exploit kit's landing page. The landing page is responsible for profiling the client environment and for determining which vulnerabilities should be used in the ensuing attack.

In line with Trend Micro's research (except for SweetOrange), I observe the following EKs in almost the same ranking in my current cyber attack detections:

Most used Exploit Kits
As malware does, exploit kits are in continuous development, and day by day we observe different variants and improved evasion techniques as well as newly integrated exploits. Be aware that those kits make malware propagation really simple (well, I didn't say easy), so watch out for your apps!

Monday, June 22, 2015

Static Analysis Malware Statistics

During the past month I've dedicated some of my free time to building a malware static analysis pipeline. The goal of this work is to give malware analysts useful statistics on which evasion techniques current malware implements. If you are interested in malware evasion techniques please have a look at my previous post on that topic (here). As my readers know, one of my favorite cyber security topics is malware and its creation; if you are new to it, I suggest you take a look at the following "blog posts":

The following image shows as it appears nowadays. Besides the "romantic algebraic sums" (of the analyzed samples), the number of XOR-encrypted detections, the malicious DLLs found over the total amount of detections and the average file size, more graphs showing further "evasion techniques" are represented.

One of the most interesting pieces of information I wanted to give was about the evasive techniques used to detect the virtualized environment the sample might be running in. This information has been collected and represented in the "Used Evasion Technique" graph.

As of today (please refer to the "blog post" date) the most common virtual environment evasion technique is the VMCheck.dll (Red Pill) check, followed by the QEMU CPUID trick and VirtualBox detection.


The second most important piece of information is about packers. What are the most used packers that malware relies on to evade signature detection? The following pie chart shows the most used packers.


Active analysts (and IDA pros) will agree with me when I say that one of the most time consuming activities is debugging a given sample. Figuring out which anti-debugging technique is the most used can save time, especially when the analyst is at the beginning of the analysis. The following graph shows my statistics on 21k malware samples (confirmed malware, not just samples).

 More stats will be available on the web site:, please have a look ! 

How To Contribute:
Day by day I'll add more and more samples, but currently the pushing pipeline is not available online and there is no free submission. If you wish to contribute (and please do!) you should share your malware with me (Google Drive, Dropbox, MegaTransfer, etc. might help the sharing process); I'll add it to my simple importing pipeline and I'll put your name on the contributor page.

The data is hosted for free on who accepted to give me a free license for that project.

Thank you !

Sunday, May 10, 2015

Volatility on Darkcomet

Let's assume you've got a friend who asked you to have a look at his computer because he feels like something wrong is happening. What would you do?

Option 1: "I have no idea about how to investigate 'computer stuff', please contact your reseller"
Option 2: "Ok, let me access your computer, I will see what I can do"

It was raining a lot and my friend was pretty serious about it, so I decided to choose option number 2... :O

I started by downloading DumpIt by MoonSols, which is a "single click" Windows memory dumping tool. After a few command line answers I had the full memory dumped into one file. I copied it to my Mac and started the Volatility analysis, hunting for the "something wrong". By running imageinfo, Volatility analyses the memory layout and returns the memory profile to use for the analyzed machine.

Volatility imageinfo
Understanding which processes are running on the analyzed machine is a fundamental step in grabbing the eventual "unwanted software". The following image shows Volatility's psxview. A few processes look suspicious to me, but the weirdest is the one named runddl32.exe. It's suspicious (at least to me) because of the misspelled name and because it evades "deskthrd" detection (not common at all). Psxview is a nice Volatility plugin which compares the following different process enumeration techniques in order to figure out hiding techniques. The implemented process search techniques are:
  •  PsActiveProcessHead linked list 
  •  EPROCESS pool scanning
  •  ETHREAD pool scanning (then it references the owning EPROCESS) 
  •  PspCidTable 
  •  Csrss.exe handle table 
  •  Csrss.exe internal linked list

Volatility Psxview
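Added example (my own code, not the post's): a Python triage pass over psxview output that encodes the two observations above. It flags a process that is missing from the PsActiveProcessHead list but still found by pool or handle-table scanning (the classic DKOM hiding signature), and a process whose name is within edit distance 2 of a well-known Windows binary without being that binary (runddl32.exe against rundll32.exe). The psxview text below is constructed to mimic the plugin's column layout; it is not the dump from the post. A False in a single column such as deskthrd or csrss is normal for System, smss.exe and many service processes, so the script does not treat that alone as a finding.

```python
# Column order of Volatility 2's psxview after Offset(P), Name and PID.
COLUMNS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# Well-known binaries that malware likes to imitate (lower-case).
KNOWN_NAMES = {
    "system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "rundll32.exe", "notepad.exe", "cmd.exe",
}

# Constructed psxview output (same layout as the plugin, invented offsets and PIDs).
PSXVIEW_OUTPUT = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x01e4a020 System                    4 True   True   True     True   False False   False
0x01f3b8e0 csrss.exe               548 True   True   True     True   False True    True
0x02017a30 explorer.exe           1540 True   True   True     True   True  True    True
0x02106d80 runddl32.exe           1860 True   True   True     True   True  True    False
0x021b0400 svch0st.exe            2012 False  True   True     True   True  True    False
0x0222c4c0 notepad.exe            1996 True   True   True     True   True  True    True
"""


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_psxview(text):
    """Turn the plugin's text table into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 + len(COLUMNS) or not parts[0].startswith("0x"):
            continue
        offset, name, pid, *flags = parts
        rows.append({"offset": offset, "name": name, "pid": int(pid),
                     "flags": dict(zip(COLUMNS, (f == "True" for f in flags)))})
    return rows


def triage_psxview(text, max_distance=2):
    """Return the processes worth a second look, each with the reasons."""
    findings = []
    for row in parse_psxview(text):
        reasons = []
        f = row["flags"]
        # Unlinked from the active-process list but still reachable by scanning: DKOM hiding.
        if not f["pslist"] and (f["psscan"] or f["pspcid"] or f["thrdproc"]):
            reasons.append("not in pslist but found by psscan/pspcid/thrdproc (possible DKOM hiding)")
        # Look-alike name: close to a well-known binary but not equal to it.
        lname = row["name"].lower()
        if lname not in KNOWN_NAMES:
            dist, known = min((levenshtein(lname, k), k) for k in KNOWN_NAMES)
            if dist <= max_distance:
                reasons.append(f"name looks like {known} (edit distance {dist})")
        if reasons:
            findings.append({"pid": row["pid"], "name": row["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_psxview(PSXVIEW_OUTPUT):
        print(finding["pid"], finding["name"], "->", "; ".join(finding["reasons"]))
```

The name check deliberately skips exact matches against the known list, otherwise csrss.exe would be reported as a look-alike of smss.exe; the remaining distance-2 hits (transpositions such as scvhost.exe, digit swaps such as rundl132.exe) are the ones an analyst actually wants.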
Let's have a deeper look into runddl32.exe by running dlllist on that PID. Dlllist returns the base address and the file path of each loaded DLL. This information is useful for recognizing malicious patterns in file locations: malicious files are commonly located in TEMP directories because any user can write there. QED (see the following image)!

Volatility dlllist
Volatility's dumpfiles helps researchers dump pieces of memory and save them into files. The following image shows how I used dumpfiles to obtain the suspicious files on disk. Having them means being able to perform static analysis (it won't run... no dynamic analysis) on the samples, figuring out what they do and whether they might be the cause of the "weird behavior".

Volatility dumpfiles

Just a few steps into static analysis reveal that the sample is actually doing something very bad, such as keylogging, self-update, drop and download, shellcoding, etc.

AntiDebug functions
Looking into the sample's memory pages, for sure something strange is happening! A PAGE_EXECUTE_READWRITE page is found. The VAD tree (ref: here) is used to check for injections, with a super positive result! We can now assert that the PC was infected.

VAD Tree search on volatility
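Added example (my own code, not the post's): the two checks applied above, written as a Python pass over Volatility-style output. Module paths from dlllist are matched against user-writable locations (TEMP, AppData\Local\Temp, Users\Public, ProgramData), and memory regions are checked for PAGE_EXECUTE_READWRITE protection on private, non-file-backed memory, which is what malfind looks for and what the VAD tree search above found. The dlllist text mimics the plugin's layout with invented values; the region table is a simplified rendering of vadinfo fields (start, end, protection, private flag, mapped file) that I constructed for this example, not the plugin's real output.

```python
import re

# User-writable locations where dropped executables and DLLs usually end up.
WRITABLE_PATH = re.compile(
    r"\\(?:Temp|Tmp|AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Constructed dlllist output for one PID (plugin layout, invented values).
DLLLIST_OUTPUT = """\
runddl32.exe pid:   1860
Command line : "C:\\Users\\victim\\AppData\\Local\\Temp\\runddl32.exe"

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x00400000    0x2c000     0xffff C:\\Users\\victim\\AppData\\Local\\Temp\\runddl32.exe
0x77d40000   0x11e000     0xffff C:\\Windows\\SYSTEM32\\ntdll.dll
0x75a10000    0xd4000     0xffff C:\\Windows\\system32\\kernel32.dll
0x10000000     0x8000        0x1 C:\\Users\\victim\\AppData\\Local\\Temp\\upd.dll
"""

# Constructed, simplified view of vadinfo: start, end, protection, private flag, mapped file.
REGIONS = """\
Start      End        Protection              Private File
0x00400000 0x0042bfff PAGE_EXECUTE_WRITECOPY  0       C:\\Users\\victim\\AppData\\Local\\Temp\\runddl32.exe
0x00180000 0x0018ffff PAGE_READWRITE          1       -
0x003d0000 0x003dffff PAGE_EXECUTE_READWRITE  1       -
0x75a10000 0x75ae3fff PAGE_EXECUTE_WRITECOPY  0       C:\\Windows\\system32\\kernel32.dll
"""


def parse_dlllist(text):
    """Keep only the module rows: base, size, load count and the (possibly spaced) path."""
    modules = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and parts[0].startswith("0x") and parts[1].startswith("0x"):
            base, size, _count, path = parts
            modules.append({"base": int(base, 16), "size": int(size, 16), "path": path})
    return modules


def parse_regions(text):
    """Parse the simplified region table; '-' means no backing file."""
    regions = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) == 5 and parts[0].startswith("0x"):
            start, end, prot, private, path = parts
            regions.append({"start": int(start, 16), "end": int(end, 16), "protection": prot,
                            "private": private == "1", "file": None if path == "-" else path})
    return regions


def triage(dll_text, region_text):
    """Modules living in writable directories, and RWX private memory not owned by a module."""
    modules = parse_dlllist(dll_text)
    findings = {"modules_in_writable_dirs": [], "rwx_private_regions": []}
    for m in modules:
        if WRITABLE_PATH.search(m["path"]):
            findings["modules_in_writable_dirs"].append(m["path"])
    for r in parse_regions(region_text):
        if r["protection"] == "PAGE_EXECUTE_READWRITE" and r["private"]:
            # Executable, writable and not backed by a file: shellcode or an injected PE.
            covered = any(m["base"] <= r["start"] < m["base"] + m["size"] for m in modules)
            findings["rwx_private_regions"].append(
                {"start": r["start"], "end": r["end"], "known_module": covered})
    return findings


if __name__ == "__main__":
    for key, value in triage(DLLLIST_OUTPUT, REGIONS).items():
        print(f"{key}: {value}")
```

A PAGE_EXECUTE_WRITECOPY region backed by a file on disk is how every normally loaded image looks, so it is not reported; the interesting case is executable memory with no module behind it, and the `known_module` flag tells you whether a dumped module already explains the region.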
Let me try to search for the file on VirusTotal to see if I get more on it... Here it goes, VirusTotal identifies the sample as DarkComet, a freely distributed Remote Administration Tool (RAT).

VirusTotal DarkComet

Weird things were happening on my friend's PC and he was right. Actually DarkComet is only one of the suspicious files identified through psxview; for example I saw a notepad.exe child of explorer.exe and a cmd.exe child of explorer.exe as well. It was a nice hunting Saturday night!

Tuesday, April 7, 2015

GitHub and the Man On The Side Attack

Recently most of the people who collaborate through GitHub experienced a new kind of Denial of Service attack, widely recognized as a Man-on-the-Side attack. The GitHub DDoS attack was driven by the State of China (New York Times) with the intent to pressure GitHub over content that violates Chinese censorship policies.
"Because GitHub is fully encrypted, China's domestic web filters cannot distinguish between pages that host code useful to programmers and code that circumvents censorship." (Source: New York Times)
The cyber attack was made possible because the Chinese Government poisoned web traffic through its "Great Firewall" (Golden Shield Project), injecting a malicious JavaScript payload into the responses to specific HTTP requests. The Chinese Government sacrificed a local analytics company named Baidu, injecting into its analytics scripts malicious content able to load the targeted GitHub pages over and over. A simple attack flow follows:
  1. An unaware user is browsing from outside China
  2. The website the user visits loads a JavaScript file from a server located in China, for example the Baidu Analytics script (much like Google Analytics)
  3. The user's web browser requests the Baidu JavaScript
  4. The request is intercepted by Chinese passive infrastructure as it enters the Chinese perimeter
  5. A compromised response is sent out from China instead of the actual Baidu Analytics script
  6. The compromised response tells the user's browser to continuously load specific pages on
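Added example (my own code, not from the post): the browser-side check that would have made this attack fail at the user's end, written in Python so it runs here. Subresource Integrity (SRI) lets a page pin the hash of a third-party script in the `integrity` attribute of its `<script>` tag; the browser refuses to execute a fetched copy whose hash does not match, which is exactly what happens to an analytics script rewritten in transit. The "original" and "tampered" script bodies and the script URL below are constructed stand-ins, not the Baidu script, its URL or the real payload. Two caveats: SRI only helps if the embedding page itself is served over HTTPS (otherwise the attacker rewrites the tag as well), and it requires the third-party script to be byte-stable, which analytics vendors often do not guarantee.

```python
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(script_bytes, algorithm="sha384"):
    """Produce the value for a <script integrity="..."> attribute: '<alg>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, script_bytes).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_check(script_bytes, integrity):
    """What the browser does before executing a fetched script: recompute and compare."""
    algorithm, _, _ = integrity.partition("-")
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    return hmac.compare_digest(sri_integrity(script_bytes, algorithm), integrity)


def script_tag(src, script_bytes):
    """Render the tag a site operator would put on the page for a third-party script."""
    return (f'<script src="{src}" integrity="{sri_integrity(script_bytes)}" '
            f'crossorigin="anonymous"></script>')


# Constructed stand-in for the legitimate analytics script (not the real Baidu code).
ORIGINAL_SCRIPT = b"(function(){var q=window.q||[];/* record a page view */})();\n"

# Constructed stand-in for the in-transit modification; the real payload appended a
# loop that kept requesting the targeted GitHub pages.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* injected: repeatedly request third-party pages */\n"


if __name__ == "__main__":
    # Hypothetical URL; the integrity value is computed from the constructed script above.
    print(script_tag("https://analytics.example/stats.js", ORIGINAL_SCRIPT))
    print("original accepted:", sri_check(ORIGINAL_SCRIPT, sri_integrity(ORIGINAL_SCRIPT)))
    print("tampered accepted:", sri_check(TAMPERED_SCRIPT, sri_integrity(ORIGINAL_SCRIPT)))
```

The `crossorigin="anonymous"` attribute matters: without a CORS-enabled fetch the browser cannot read the response body to hash it and will block the script outright.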
Finding the original malicious code in order to analyze it was actually the real challenge (at least for me). I tried tons of GET requests to Baidu URLs, but no malicious payload was found. Fortunately saw the code and stored it (here). The following image shows one of the used payloads (that report proves that multiple payloads were involved).

Script From Baidu during the Chinese Github Attack

After a couple of deobfuscation "rounds" (JSDetox would help you out), the piece of JavaScript coming out of the analysis contained two specific URLs: and . Both URLs are mirror sites for and the Chinese New York Times. GreatFire and the NYT both use GitHub to circumvent the online censorship performed by the Great Firewall of China (GFW).

Decrypted "Malcode"
The connection path captured by urlquery is shown in the following picture, where the query to cloudfront coming right after the fake Baidu script has been loaded is quite evident.

Connection Flows

Getting a little bit deeper: a malicious payload downloaded from --
HTTP/1.0 200 OK

Content-Type: text/html
Server: nginx
Date: Wed, 18 Mar 2015 09:56:57 GMT
Content-Length: 114
Last-Modified: Wed, 18 Mar 2015 05:43:55 GMT
Etag: "5509109b-72"
Expires: Wed, 18 Mar 2015 09:56:57 GMT
Cache-Control: max-age=0
Accept-Ranges: bytes
Connection: keep-alive
forced the user's browser to load content from the address below (note that Expires equals Date and Cache-Control is max-age=0, so the browser never caches the injected script and re-fetches it on every page load):

GET /?1425380212 HTTP/1.1


User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Accept: text/plain, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Currently the host has been blocked because of the described attack, as follows:
Host blocked because of the "Chinese attack"
I decided to write a little bit about this attack since it is one of the most "dramatic" examples of how "states" might perform wide attacks using unaware services and state infrastructures...

Friday, March 6, 2015

Angler and the new threats

What I am writing is not "news" anymore, but it is more of a "consciousness raising" about the incredible job the guys behind the Angler exploit kit did.

But let me start from the beginning. For everybody out there who does not know what an exploit kit is, I found a clear and nice description from McAfee Labs:
An exploit kit is an off-the-shelf software package containing easy-to-use packaged attacks on known and unknown (zero-day) vulnerabilities. These toolkits exploit client-side vulnerabilities, typically targeting the web browser and applications that can be accessed by the web browser. Exploit kits can also track infection metrics and have robust control capabilities
Angler is one of several exploit kits available to attackers. Angler has become the most advanced and most powerful exploit kit on the market so far, beating the infamous BlackHole exploit kit, with a host of exploits including zero-days and new techniques added to it.

What makes Angler so effective are the following two characteristics: Domain Shadowing ("DSH") and Fileless Infection ("Fileless").

One of the newest techniques behind the Angler exploit kit is the so-called "Domain Shadowing". Domain shadowing, which first appeared in 2011, is the process of using stolen domain registrant logins to create subdomains used to spread the malware content. Nick Biasini from the Cisco Talos Group did a great job in describing the differences between the classic Fast Flux DNS technique and the Domain Shadowing technique implemented in the Angler exploit kit. The following image (taken from the Talos description) shows the difference between the most common Fast Flux and the recent Domain Shadowing.

Fast Flux vs Domain Shadowing (from Talos description)

While fast flux continuously changes the DNS record value (well, there are plenty of variants of it, so please forgive my generalization) in order to confuse analysis, domain shadowing makes use of many real, stolen DNS accounts to make them point to malicious content: the attacker adds subdomains under a legitimately registered domain and points them at attacker-controlled addresses, while the registered domain itself keeps resolving normally, so the owner rarely notices. This technique is "a way more complex" to realize, since the bot maker needs to compromise DNS records and/or DNS credentials.
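Added example (my own code, not from the post or from Talos): the two patterns described above turned into detection heuristics over passive DNS data, in Python. A fast-flux candidate is a single name that resolves to many distinct addresses with short TTLs; a domain-shadowing candidate is a registered domain that suddenly grows several never-before-seen subdomains pointing at addresses different from the apex's own. The records below are constructed (RFC 5737 documentation addresses and the reserved `.example` TLD); the thresholds are starting points to tune, and the apex extraction is the naive last-two-labels rule, which real tooling should replace with the Public Suffix List.

```python
from collections import defaultdict


def _constructed_records():
    """(fqdn, ip, ttl_seconds, first_seen_day) tuples; invented, not real passive DNS."""
    records = []
    # Fast flux: one name rotating through many short-lived addresses, one per day.
    for day, ip in enumerate("192.0.2.%d" % n for n in (11, 23, 37, 48, 52, 66, 71, 89)):
        records.append(("update.flux-domain.example", ip, 300, day))
    # Domain shadowing: a long-lived apex plus a burst of new subdomains hosted elsewhere.
    records.append(("legit-business.example", "203.0.113.10", 86400, 0))
    records.append(("www.legit-business.example", "203.0.113.10", 86400, 0))
    for label in ("a7fk2", "q9x1", "zz03m", "hh7r", "p2w9"):
        records.append((f"{label}.legit-business.example", "198.51.100.5", 3600, 30))
    # Benign: stable name, stable address.
    records.append(("www.example.org", "203.0.113.42", 3600, 0))
    return records


RECORDS = _constructed_records()

FLUX_MIN_IPS, FLUX_MAX_TTL = 5, 600          # many addresses, all with short TTLs
SHADOW_MIN_NEW_SUBDOMAINS, SHADOW_WINDOW_DAYS = 3, 7   # burst of new labels in a week


def apex_of(fqdn):
    """Naive registrable-domain guess: last two labels (use the Public Suffix List for real)."""
    return ".".join(fqdn.split(".")[-2:])


def fast_flux_candidates(records, min_ips=FLUX_MIN_IPS, max_ttl=FLUX_MAX_TTL):
    """Names that resolved to at least `min_ips` distinct addresses, never with a long TTL."""
    ips, max_ttls = defaultdict(set), defaultdict(int)
    for fqdn, ip, ttl, _ in records:
        ips[fqdn].add(ip)
        max_ttls[fqdn] = max(max_ttls[fqdn], ttl)
    return sorted(f for f in ips if len(ips[f]) >= min_ips and max_ttls[f] <= max_ttl)


def domain_shadowing_candidates(records, now_day, min_new=SHADOW_MIN_NEW_SUBDOMAINS,
                                window=SHADOW_WINDOW_DAYS):
    """Apexes with a recent burst of new subdomains resolving away from the apex's addresses."""
    apex_ips, new_subs, sub_ips = defaultdict(set), defaultdict(set), defaultdict(set)
    for fqdn, ip, _, first_seen in records:
        apex = apex_of(fqdn)
        if fqdn == apex or fqdn == "www." + apex:
            apex_ips[apex].add(ip)            # the legitimate site's own addresses
        elif now_day - first_seen <= window:
            new_subs[apex].add(fqdn)          # a subdomain first seen inside the window
            sub_ips[apex].add(ip)
    return sorted(
        apex for apex in new_subs
        if len(new_subs[apex]) >= min_new and sub_ips[apex].isdisjoint(apex_ips[apex])
    )


if __name__ == "__main__":
    print("fast flux:", fast_flux_candidates(RECORDS))
    print("domain shadowing:", domain_shadowing_candidates(RECORDS, now_day=31))
```

The disjoint-address test is what separates shadowing from a site that legitimately spins up new hostnames on its own infrastructure; CDN-hosted sites will still need an allow-list.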

Fileless infection is another great new feature introduced into the Angler exploit kit. The obvious difference between fileless injection and file injection is in the way the exploit kit drops and loads new payloads. The following image clearly shows the difference between the two techniques. On the left side, a file injection in which the exploit kit saves the malicious .dll into a temp directory and later loads it from disk (this approach makes persistence easy, but it is mostly subject to AV discovery).

File injection vs Fileless injection
On the right side of the image the process loads the downloaded stream directly into memory and runs it in a new thread. This method makes persistence harder and network detection easier, but it makes host detection by AV engines almost impossible. The following screenshot shows a piece of code that makes this happen (I followed the steps described here):

  1.  Read first page of the file which includes DOS header, PE header, section headers etc. 
  2. Fetch Image Base address from PE header and determine if that address is available else allocate another area. (Case of relocation) 
  3. Map the sections into the allocated area 
  4. Read information from import table and load the DLLs 
  5. Resolve the function addresses and create Import Address Table (IAT). 
  6. Create initial heap and stack using values from PE header.
  7. Create main thread and start the process.
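Added example (my own code, not the Angler loader nor the code in the screenshot): steps 1 to 3 of the list above in Python, so that a reader can run them safely. It builds a tiny, constructed PE32 image in memory, parses the DOS header, the PE signature, the file and optional headers and the section table, decides whether the preferred ImageBase can be used (a PE with an empty base-relocation directory cannot be loaded anywhere else), and maps the sections into a flat image buffer at their virtual addresses. Steps 4 to 7 (imports, IAT, stack/heap and thread creation) are left out; nothing here executes the mapped bytes, and the sample's `.text` holds filler, not real code.

```python
import struct

PE32_MAGIC = 0x10B
DIRECTORY_BASERELOC = 5
FILE_HEADER_FMT = "<HHIIIHH"                                        # IMAGE_FILE_HEADER
OPTIONAL_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # IMAGE_OPTIONAL_HEADER32
SECTION_FMT = "<8sIIIIIIHHI"                                        # IMAGE_SECTION_HEADER


def build_sample_pe(image_base=0x400000):
    """Construct a minimal PE32 file: headers plus a .text and a .data section."""
    section_align, file_align, size_of_headers = 0x1000, 0x200, 0x200
    sections = [  # (name, virtual address, raw bytes, characteristics)
        (b".text", 0x1000, b"\x90" * 0x40 + b"\xC3", 0x60000020),  # code | exec | read (filler)
        (b".data", 0x2000, b"hello\0", 0xC0000040),                # data | read | write
    ]
    headers, raw_ptr, blobs = b"", size_of_headers, b""
    for name, va, blob, chars in sections:
        raw_size = -(-len(blob) // file_align) * file_align      # round up to FileAlignment
        headers += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(blob), va, raw_size,
                               raw_ptr, 0, 0, 0, 0, chars)
        blobs += blob.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    optional = struct.pack(
        OPTIONAL_FMT, PE32_MAGIC, 0, 0,
        0x200, 0x200, 0,                # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x1000, 0x1000, 0x2000,         # AddressOfEntryPoint, BaseOfCode, BaseOfData
        image_base, section_align, file_align,
        0, 0, 0, 0, 0, 0,               # OS / image / subsystem versions
        0, 0x3000, size_of_headers, 0,  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                           # Subsystem (GUI), DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,  # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    ) + b"\0" * (16 * 8)                # 16 empty data directories: no relocations, no imports
    file_header = struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, len(optional), 0x102)
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    nt_headers = b"PE\0\0" + file_header + optional + headers
    return (dos_header + nt_headers).ljust(size_of_headers, b"\0") + blobs


def parse_pe(data):
    """Step 1: read the headers and return the fields a loader needs."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    num_sections, opt_size = fh[1], fh[5]
    opt_off = e_lfanew + 4 + struct.calcsize(FILE_HEADER_FMT)
    opt = struct.unpack_from(OPTIONAL_FMT, data, opt_off)
    if opt[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    dir_off = opt_off + struct.calcsize(OPTIONAL_FMT)
    reloc_dir = struct.unpack_from("<II", data, dir_off + 8 * DIRECTORY_BASERELOC)
    sections, sec_off = [], opt_off + opt_size
    for i in range(num_sections):
        s = struct.unpack_from(SECTION_FMT, data, sec_off + i * struct.calcsize(SECTION_FMT))
        sections.append({"name": s[0].rstrip(b"\0").decode(), "virtual_size": s[1],
                         "virtual_address": s[2], "raw_size": s[3], "raw_ptr": s[4]})
    return {"entry_point": opt[6], "image_base": opt[9], "size_of_image": opt[19],
            "size_of_headers": opt[20], "reloc_dir": reloc_dir, "sections": sections}


def can_load_at(pe, base):
    """Step 2: the preferred base is fine; any other base needs a relocation directory."""
    return base == pe["image_base"] or pe["reloc_dir"] != (0, 0)


def map_image(data, base):
    """Step 3: lay headers and sections out at their virtual addresses in a flat buffer."""
    pe = parse_pe(data)
    if not can_load_at(pe, base):
        raise ValueError("preferred ImageBase unavailable and no relocations to fix it up")
    image = bytearray(pe["size_of_image"])
    image[:pe["size_of_headers"]] = data[:pe["size_of_headers"]]
    for s in pe["sections"]:
        raw = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        image[s["virtual_address"]:s["virtual_address"] + len(raw)] = raw
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    print("image base 0x%x, sections %s" % (info["image_base"], [s["name"] for s in info["sections"]]))
    print("mapped image size:", len(map_image(sample, info["image_base"])))
```

The relocation decision is the part worth remembering from a detection standpoint: a fileless loader has to do in user code what the Windows loader normally does, so a process that allocates a SizeOfImage-sized RWX region and copies a `MZ` header into it is exactly the artifact the VAD and malfind checks from the Volatility post above pick up.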
Fileless Execution Example. Code goes from left to right (it's the same file)

Nowadays we even see Poweliks (delivered through CVE-2012-0158 documents, and storing its payload in the registry) and fileless combos, which make Angler even harder to detect.

Following is a McAfee graph showing the variants of several exploit kits during 2014. Angler got 14 variants in a few months. Amusing!

Exploit Kits in 2014 (McAfee)