Emanuele De Lucia

Exobot source code has been leaked and released in darkweb. The code proved to be version 2.5 of the Exobot banking trojan, also known as the "Trump Edition," one of Exobot's last version before its original author gave up on its development. To avoid proliferations of malware samples based on the source code here presented, security restrictions have been applied to download.(Please note that archive is encrypted !! Only accredited security vendors, vetted security researchers and law … [Read more]

During a discussion with colleagues about the ability of modern malware to evade the most common anti-virus solutions, a fixed point seemed to be using anti-rootkit tools to thoroughly check the status of a system. One of the most reliable and trustworthy (and widely used) seems to be undoubtedly GMER. It was widely believed that only very advanced malware (certainly sponsored by governments or by Microsoft itself) could simultaneously hide its presence within the system and to mock, at the same … [Read more]

This morning I received on my company box an email with an attached .xlsm file named D92724446.xlsm coming from [email protected] Central and local AV engines did not found anything malicious and also a multiengine scan got 0/57 as result. I decided to investigate a little more in-depth in order to confirm that was a malicious file and to extract at least the code I was imagining being inside this document. These are some general info collected about the received file: Name: … [Read more]

This morning, a colleague of mine pointed out me to some reversing “challenges” addressed to participants of SANS Brussels 2015 (what? I was not there?). Why not to take a quick look and try to solve them ? I hope to publish the solutions/suggestions is not cause of rage for mentors of SANS, for whom I have a lot of esteem. However, at the time of this writing these challenges are online and accessible without any particular restriction at https://www.sansemea.com/challenges.php, therefore I … [Read more]

This topic has been dealt in one of my last technical articles. The document shows as it’s possible to approach an incident investigation on the basis of common instructions used by shellcodes to achieve their goals. The analysis is conducted within a memory dump. In this regard have been developed some yara custom rules that can be used as an aid for experienced analyst to quickly locate malicious code. Note, however, that this is a very wide topic (have you ever heard of padding, permutations, … [Read more]

This is a document written for an italian magazine by Emanuele De Lucia (Information Security n°27 @ Edisef Editore) and used for a training course headed by the author.In this paper are covered topics useful to ensure business continuity of our organizations. The common differences between a BCP and a DRP and others topics such as “centers of redundancy” and “high availability infrastructures” are also dealt.The article can be viewed on Information Security Magazine website:  … [Read more]

Do you know what to do with this below ?  # ShellShock Bash Vulnerability CVE-2014-6271 Test Tool # # This has been coded by Emanuele 'ac1d' De Lucia for educational purposes only # # The author is NOT responsible for any harmful use you decide to make # # Coded 25/09/2014 01.55. Online 25/09/2014 02.30 CET # # yabba dabba doooooo, Wilma !!! Where's my club ?!?! # # Please, turn on your brain before to continue.... # # nc -l -p 4444 may be useful but...take a look at the bottom … [Read more]

“Conflitti Digitali: Classificazione e Retroscena” is an article written for a seminar to which the author has participated as speaker. The text is very discursive and examines the evolution of a new way of thinking about the offense: the wars in the cyber space and their backstory. For now, the text is available in italian only... Download Now

This evening I received an email with an attached zip. This email was very well made and my anti-virus did not detect anything dangerous -_- veeeery nice…i decided to take a look and see what strange monster was inside :] The executable is a trojan/downloader packed with something custom! After recovering the original executable bypassing all protections, i  was able to have a look within it and immediately i saw some interesting functions … [Read more]

To quickly summarize: there has not been an anti-malware solution that was effectively able to avoid the infection of the system or to prevent the privileges escalation put into play. None of the tested solutions was also able to alert the user about an abnormal behavior of our executable. Stop! That’s all ! Further details: The malware is a P2P (D)DoS agent written in pure C by Emanuele De Lucia with TCP SYN and HTTP Flood capabilities, named “apt.exe”. This is basically a dropper. It’s … [Read more]