WannaCry! Un ransomware dal codice grossolano mette in ginocchio il cyber-spazio.

WannaCry! Un ransomware dal codice grossolano mette in ginocchio il cyber-spazio.

Nel momento in cui scrivo, tutti i professionisti dell'IT Security avranno già sentito parlare del ransomware che sta terrorizzando il mondo: WannaCry. Dal 12/05 ogni blog specializzato nel settore oltre che la stampa in genere, non fa che parlare dei danni (reali, ipotetici o presunti) che l'incrontrollata diffusione di tale codice starebbe causando. Da circa un paio di giorni ho iniziato a studiare in maniera abbastanza approfondita diversi campioni (malware samples) appartenenti alla campagna … [Read more]

EyePyramid – A truly mysterious malware is shaking Italy !

EyePyramid - A truly mysterious malware is shaking Italy !

EyePyramid. This is the name of the malware that is shaking the Italian institutions as well as the private sector of this country. I recovered, from open sources and from a collection of malware, some samples probably belonging to the family in object. I elaborated as well a simple behavioral workflow after my first analysis available for download. EyePyramid is not an advanced threat. It's a malware built in vb.net and leans to a whole infrastructure built on Microsoft products. This is … [Read more]

XVir anti-APT Scanner 1.0 beta available for download

XVir anti-APT Scanner 1.0 beta available for download

XVir is a software designed and developed by Emanuele De Lucia. It scans folders and files looking for APT threats and has real-time monitor capabilities. It is distinguished from a common anti-malware software by its specialization on APT threats. The project is still in the experimental stage and the number of signatures available is currently limited. These signatures (updated daily) are produced independently on the basis of personal researches and through a net of collection nodes belonging … [Read more]

Dridex Downloader Analysis

Dridex Downloader Analysis

This morning I received on my company box an email with an attached .xlsm file named D92724446.xlsm coming from [email protected] Central and local AV engines did not found anything malicious and also a multiengine scan got 0/57 as result. I decided to investigate a little more in-depth in order to confirm that was a malicious file and to extract at least the code I was imagining being inside this document. These are some general info collected about the received file: Name: … [Read more]

Pattern-Based Approach for In-Memory ShellCodes Detection

Pattern-Based Approach for In-Memory ShellCodes Detection

This topic has been dealt in one of my last technical articles. The document shows as it’s possible to approach an incident investigation on the basis of common instructions used by shellcodes to achieve their goals. The analysis is conducted within a memory dump. In this regard have been developed some yara custom rules that can be used as an aid for experienced analyst to quickly locate malicious code. Note, however, that this is a very wide topic (have you ever heard of padding, permutations, … [Read more]

Meeting with a Chinese Malware

Meeting with a Chinese Malware

This evening I received an email with an attached zip. This email was very well made and my anti-virus did not detect anything dangerous -_- veeeery nice…i decided to take a look and see what strange monster was inside :] The executable is a trojan/downloader packed with something custom! After recovering the original executable bypassing all protections, i  was able to have a look within it and immediately i saw some interesting functions … [Read more]

OpenSSL TLS HeartBeat (HeartBleed) Vulnerability Subnet Scan

OpenSSL TLS HeartBeat (HeartBleed) Vulnerability Subnet Scan

This script allows to test a full /24 subnet for OpenSLL TLS HeartBeat (HeartBleed) Vulnerability. Originally coded by Jared Stafford ([email protected]) to test this weakness on a single host at a time, it has been modified by Emanuele De Lucia to allow the scan of an entire subnet. This modification has been made for work reasons within few hours by the notice of the vulnerability, in order to readily identify the affected services within a very wide range of systems exposed. May be … [Read more]

Steganography and Steganalysis: Common Image Formats and LSB

Steganography and Steganalysis: Common Image Formats and LSB

 Thousands and thousands of data items currently are riding the Internet every day; their representation could be a continuous stream of data transiting through the entire globe. With the growth in quantity and especially in the importance of such informations, the need to adopt systems designed to guarantee a good level of protection and security has also grown in proportion. This paper explores those that are the common steganographic algorithms used to hide informations within seemingly … [Read more]

Red October: Cyber-Espionage ToolKit Analysis

Red October: Cyber-Espionage ToolKit Analysis

Reb October is the name of a cyber-espionage toolkit discovered by Kaspersky Lab. The malware was operating worldwide for up to 5 years before to be discovered, transmitting to its C&C servers a lot of informations. Red October is considered an advanced cyber-espionage campaign intended to targeting diplomatic, governmental and financial organizations. This is an analysis conducted by me on 01/13 for InfoSec Institute but published but published after a little... It's possible to view my … [Read more]

SANS DFIRCON APT Malware Challenge

SANS DFIRCON APT Malware Challenge

 SANS DFIRCON is a challenge where we have to download a memory image from SANS and perform over it a complete forensic analysis in order to find the real chinese APT hidden inside and so to answer to five questions about it; These questions may be very similar to: What's the PID of the rogue process ? How is the malware achieving persistence on the system ? What is the name of the file that caused the infection of the system ? If you think to be able to answer, download the image and hunt the … [Read more]