Let’s Unpack: Dridex Loader
A few people have been having problems with unpacking the initial loader for Dridex (the one dropped by the macro), so I’m going to show you an easy way to do it. One of the other problems people have,...
The Kelihos Botnet
A while ago I started writing a series of articles documenting the Kelihos Peer-to-Peer infrastructure but had to pull them due to an ongoing operation. As most of you have probably seen, the botnet...
How to Accidentally Stop a Global Cyber Attacks
So finally I’ve found enough time between emails and Skype calls to write up on the crazy events which occurred over Friday, which was supposed to be part of my week off (I made it a total of 4 days...
Note on WannaCrypt Infection Count Accuracy
Our sinkhole is designed to collect any and all HTTP requests to a sinkholed domain for investigation purposes (these are then sent to a back-end database). What this means is that around the period when...
Petya Ransomware Attack – What’s Known
Petya: The jury is still out on whether the malware is Petya or something that just looks like it (it messes with the Master Boot Record in a way which is very similar to Petya and not commonly used in […]
Creating a Simple Free Malware Analysis Environment
Computer Requirements: A CPU with AMD-V or Intel VT-x support (pretty much any modern CPU). 4 GB RAM (more is better). Make sure Virtualization (AMD-V or Intel VT-x) is enabled in the BIOS. To do this,...
Investigating Command and Control Infrastructure (Emotet)
Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade...
Best Programming Languages to Learn for Malware Analysis
One of the most common questions I’m asked is “what programming language(s) should I learn to get into malware analysis/reverse engineering?”. To answer this question, I’m going to write about the top 3...
Tracking the Hide and Seek Botnet
Hide and Seek (HNS) is a malicious worm which mainly infects Linux-based IoT devices and routers. The malware spreads via brute-forcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS...
Analyzing a Windows DHCP Server Bug (CVE-2019-0626)
Today I’ll be doing an in-depth write up on CVE-2019-0626, and how to find it. Due to the fact this bug only exists on Windows Server, I’ll be using a Server 2016 VM (corresponding patch is KB4487026)....
Video: First Look at Ghidra (NSA Reverse Engineering Tool)
Today during RSA Conference, the National Security Agency released their much-hyped Ghidra reverse engineering toolkit. Described as “A software reverse engineering (SRE) suite of tools”, Ghidra...
Analysis of a VB Script Heap Overflow (CVE-2019-0666)
Anyone who uses RegEx knows how easy it is to shoot yourself in the foot; but, is it possible to write RegEx so badly that it can lead to RCE? With VB Script, the answer is yes! In this article I’ll be...
Analysis of CVE-2019-0708 (BlueKeep)
I held back this write-up until a proof of concept (PoC) was publicly available, so as not to cause any harm. Now that there are multiple denial-of-service PoCs on GitHub, I’m posting my analysis. Binary...
YouTube’s New Policy on Hacking Tutorials is Problematic
Recently YouTube changed its policy on “hacking” tutorials to an essential blanket ban. In the past, such content was occasionally removed under YouTube’s broad “Harmful and Dangerous Content” clause,...
DejaBlue: Analyzing a RDP Heap Overflow
In August 2019 Microsoft announced it had patched a collection of RDP bugs, two of which were wormable. The wormable bugs, CVE-2019-1181 & CVE-2019-1182 affect every OS from Windows 7 to Windows...
BlueKeep: A Journey from DoS to RCE (CVE-2019-0708)
Due to the serious risk of a BlueKeep based worm, I’ve held back this write-up to avoid advancing the timeline. Now that a proof-of-concept for RCE (remote code execution) has been released as part of...
How I Found My First Ever ZeroDay (In RDP)
Up until recently, I’d never tried the bug hunting part of vulnerability research. I’ve been reverse engineering Windows malware for over a decade, and I’d done the occasional patch analysis, but I...
An in-depth look at hacking back, active defense, and cyber letters of marque
There has been much discussion in cyber security about the possibility of enabling the private sector to engage in active cyber defense, or colloquially “hacking back”. Several House bills have been...
[Video] Exploiting Windows RPC – CVE-2022-26809 Explained | Patch Analysis
Walking through my process of how I use patch analysis and reverse engineering to find vulnerabilities, then evaluate the risk and exploitability of bugs.
[Video] Introduction to Use-After-Free Vulnerabilities | UserAfterFree...
An introduction to Use-After-Free exploitation and walking through one of my old challenges. Challenge Info: https://www.malwaretech.com/challenges/windows-exploitation/user-after-free-1-0 Download...