web spinning

In my younger years I had all sorts of collections: books, bottle caps, rocks, coins, action figures, movies, etc. Now, most of those collections sit at the back of my parents' shed – although I do still have a tendency to hoard movies.

To many, the idea of hoarding malware would be akin to hoarding venomous snakes in a dog's cage. What if one escapes? But it does serve a very useful purpose: providing huge datasets for analysis, allowing for the creation of new signatures and anti-malware techniques whilst also improving malware analysis abilities.


stealthy, like a snake

Naja: a genus of venomous elapid snakes known as cobras. Pseudonaja textilis, more commonly known as the Eastern brown snake, is considered the world’s second most venomous land snake based on its LD50 value in mice.

Naja – in this instance – is a Windows trojan developed by me in Python, inspired by several other Python projects (mentioned throughout this post), which makes use of Metasploit shellcode to facilitate a reverse connection to targets. It is distributed in two parts and makes heavy use of various encoding mechanisms and encryption, in conjunction with process injection, to bypass antivirus and other mitigations like Microsoft's EMET.

Note: This post was originally made on 16 Dec ’14, but has since been updated.

overdue payment

Yesterday one of the mail admins at work forwarded me a message to take a look at. It purported to be from ANZ bank, suggesting a payment was due but that macros should be enabled to view the document. It's a pretty standard social engineering vector:

Obviously, this isn't true. However, compared to other documents I've sighted recently, a fair amount of effort has gone into this one, and there may have been some thought as to which bank the recipient may use. The other campaigns just seemed to indiscriminately select a bank – even one that didn't operate in the location of the target. The document, as could be expected, has a macro attached to it that's used to pull down malware from the internet. Heavy use of CallByName in conjunction with obfuscated strings and the banking vector would suggest it could be used to distribute Dridex; however, there's every possibility it could also be Locky. Unfortunately, by the time I had deobfuscated the contents of the macro the binary looks to have been removed from its host (I've put the feelers out on Twitter to see if anyone did) – but the process of deciphering the script to obtain the location for possible future incidents is still worth looking at.

oinkception

A project I'm involved with that's still in its early stages is the development of an automated, intelligent security environment that consists of:

  • Firewall, router and switch configuration management (existing in-house developed software).
  • Asset management and vulnerability scanning (Metasploit and OpenVAS).
  • Malware detection and analysis (analysis performed by Cuckoo).
  • Intrusion detection and analysis.

The last two are the final pieces to our puzzle, and given the data has high:

  • Variety: appliance, application and server logs.
  • Velocity and volume: dozens of networks across the globe, hundreds of servers, 1000+ databases, 1000+ applications.

… it's really a no-brainer to use Hadoop as the storage framework. To dip our toes into the newfound waters of big data, whilst also evaluating a solution that could prove useful in piecing together our environment, I put together a network analysis server consisting of Snort, Hadoop, Pig and PacketPig.

bubblewrap

As a company grows in size and its public image becomes more and more prominent, it is inevitable that it will become a more attractive target to attackers – whether it be the prime focus of an attack, or the low-hanging fruit attached to a greater one. I certainly see this with my employer, and the effort put into some emails that have been forwarded to me for inspection following my most recent social engineering test has very much illustrated that we are on the radar of some people who possess both determination and resources. However, regardless of how much effort you put into education, you're still guaranteed to get someone who opens a malicious attachment, so to guide incident response you need to analyse the behaviour of the file(s) to have meaningful data to work with.

worst phishing attempt ever – recently sent to our hr team


casual (truthful?) racism

I'll make it very clear: racism isn't something I stand for. Intolerance is quite possibly one of the greatest threats to modern society and one of the worst attributes a person can have. However, in the security world everyone has this preconceived notion that China is to blame for the bulk of the world's internet-borne threats.

Is this true? Well, following an incident I was tasked with recently, some of the less technically inclined persons involved wanted a bit of insight into exactly where our threats were/are coming from.