Defensive Security

Reb October is the name of a cyber-espionage toolkit discovered by Kaspersky Lab. The malware was operating worldwide for up to 5 years before to be discovered, transmitting to its C&C servers a lot of informations. Red October is considered an advanced cyber-espionage campaign intended to targeting diplomatic, governmental and financial organizations. This is an analysis conducted by me on 01/13 for InfoSec Institute but published but published after a little... It's possible to view my … [Read more]

 SANS DFIRCON is a challenge where we have to download a memory image from SANS and perform over it a complete forensic analysis in order to find the real chinese APT hidden inside and so to answer to five questions about it; These questions may be very similar to: What's the PID of the rogue process ? How is the malware achieving persistence on the system ? What is the name of the file that caused the infection of the system ? If you think to be able to answer, download the image and hunt the … [Read more]

The following paper takes into consideration those that are the most common methods to prevent or to render unreliable the techniques used for forensic analysis applied to magnetic media in order to gather useful 'evidences' for a computer crime related investigation. The research is focused on topics like data hiding, data obfuscation, encryption, code injection and also online anonymity.  The full English version can be viewed on InfoSec Institute website by clicking on logo … [Read more]

DDoS, or Distributed Denial of Service, is a cyber-attack in which an attacker tries to bring the functioning of a computer system that provides a service, such as a website, to the limit of its performance, generally working on one of the input parameters until it is no longer capable of delivering the service. These attacks are usually carried out by sending many packets of requests against the targeted service, saturating its resources and making the system “unstable,” thereby preventing … [Read more]

BatchWiper has been described by experts as an "Old Style" threat. It's programmed to delete data from entire logical partitions managed by infected systems. It 's simple, not well cared or optimized, but effective in its minimalistic design. It was discovered very recently by iranian CERT, and soon became quite famous among the "experts". This analysis takes into consideration the phases of reverse engineering and study of one of these samples. It's available for download a detailed report … [Read more]

This document is the result of work done by Emanuele De Lucia for the final CREA certification exam (Certified Reverse Engineering Analyst).The malware analyzed appeared obscured and encrypted in order to make more difficult all tasks targeted to its identification and analysis.The present document was rendered freely available with permission of the competent institute. The document is available for download in English.

Zeus is a Trojan horse that is able to steal banking informations through "Man-in-the-browser", "Keystroke Logging" and "Form Grabbing" techniques. The reversing process considers the initial phase of the system infection conducted by the agent.As we can see from the attached document, the infection process involves the injection of code into predefined processes through VirtualAllocEx and WriteProcessMemory functions. The informations that will follow are in public domain and are free to … [Read more]

The paper examines the new markup language for the design of web pages in view of the security level expected. The previous version of HTML, HTML 4.01, came in 1999. The web has changed a lot since then. The main goal of its developers, was to propose and implement new features and commands until now obtained mainly through web-browser extensions . Although from the point of view of a developer or web designer these new features can be considered a big step forward in the evolution of the … [Read more]

This document considers what has been called the most sophisticated malware ever generated analyzing the code of its “Main Module”.With a great deal of probability, “The Flamer” also kwown as “sKyWIper”, is the most complex malware ever found.It’ able to spread itself to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic.The program also records Skype conversations and can turn infected computers into … [Read more]