Friday, September 11, 2015

Free IDA Pro Binary Auditing Training Material for University Lectures

Note: There are NO true runnable viruses included with this package!

Ever wanted free malware analysis training? The package contains the following modules (the number after each is the count of items it holds):

IDA Pro 5.0 (Free)                                        1
HLL Mapping 1 (NOT for training, only as reference!)     98
HLL Mapping 2 (Start here and convert them to C)         31
Manual Decompilation (Simple exercises)                  10
Algorithm Analysis 1 (Simple math exercises)              3
Algorithm Analysis 2 (Simple math exercises)              6
Crash Auditing (more complicated, why crashing?)         10
File Understanding (Simple to hard Reversemes)           31
Copy Protection Auditing (Simple to very hard)           47
Unpacking (Simple exercises)                              3
Vulnerability Auditing (Simple to intermediate)          38
Malware Auditing 1 (Simple old .com/.exe exercises)      41
Malware Auditing 2 (Some fakes for analysis)              4
Malware Auditing 3 (Simple win32 analysis)


You can download the free training package here. The password for the package is:


Package was packed using zip under Linux. Unpacking was tested with unzip under Linux and Mac.

MD5 Hash: c2b4720549b3410385087fa1b1e28bc7

Autorun.inf Malware

I thought this find was really interesting and wanted to share the post.

Check out this GitHub link for more details from the source.


USB malware immunity script and hidden files revealer.
Does not remove malware. Must be used in conjunction with an anti-virus program.

What does it do

  • Detects and removes AutoRun commands for your Command Processor (cmd.exe).
  • Disables AutoRun entirely, for both CD-ROM drives, and USB flash drives. The IniFileMapping method. Most secure.
  • Cleans MountPoints2 registry key, which is the AutoRun cache used by OS, for all users.
  • Disables "Hide extensions for known file types", for security reasons.
  • Shows extensions for PIF files, also for security reasons.
  • Restores shortcut arrow icons that may have been removed by a malware infection (registry hack).
Travels through the root directories of all drives (including USB drives and SD/MMC cards), and:
  • deletes all shortcuts, file symbolic links, and (malicious) executable files that mimic regular folders;
  • un-hides all files that have been made hidden by malware;
  • deletes autorun.inf file, and creates a folder with the same name to prevent further infections. This is the same technique used by most USB protectors on the Web.
Any of these actions may be skipped at the user's request.
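The same hardening steps, written out as an added PowerShell example (this is not Kang-Che Sung's usb_vaccine.cmd, only an illustration of what the list above does). The registry locations are the documented Windows ones for the IniFileMapping method, the NoDriveTypeAutoRun policy, HideFileExt, the piffile NeverShowExt flag and the MountPoints2 cache; the "executable named like a sibling folder" heuristic and the current-user-only MountPoints2 cleanup are this example's own simplifications. The drive-root pass only reports, it deletes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example (not usb_vaccine.cmd): apply AutoRun hardening, then audit drive roots.
# Run with -WhatIf to preview the registry changes without applying them.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

function Set-RegValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'String')
    if ($PSCmdlet.ShouldProcess("$Path : $Name", "set to $Value")) {
        if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -Type $Type
    }
}

function Disable-AutoRun {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # IniFileMapping method: Windows reads Autorun.inf through its INI mapping layer,
    # so pointing the mapping at a key that does not exist makes every Autorun.inf
    # look empty, whatever the drive type.
    Set-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf' `
                 '(default)' '@SYS:DoesNotExist'
    # Policy value 0xFF disables AutoRun for every drive type as a second layer.
    Set-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                 'NoDriveTypeAutoRun' 0xFF 'DWord'
}

function Show-FileExtensions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # HideFileExt=0 makes Explorer show extensions; .pif additionally carries NeverShowExt,
    # which is removed so that "report.pdf.pif" no longer displays as "report.pdf".
    Set-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt' 0 'DWord'
    $pif = 'Registry::HKEY_CLASSES_ROOT\piffile'
    if ((Get-ItemProperty -LiteralPath $pif -Name NeverShowExt -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess($pif, 'remove NeverShowExt')) {
        Remove-ItemProperty -LiteralPath $pif -Name NeverShowExt
    }
}

function Clear-MountPoints2 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # MountPoints2 is Explorer's per-volume AutoRun cache (current user only in this example).
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if ((Test-Path -LiteralPath $mp) -and $PSCmdlet.ShouldProcess($mp, 'remove cached volume entries')) {
        Get-ChildItem -LiteralPath $mp | Remove-Item -Recurse -Force
    }
}

function Find-SuspiciousRootItems {
    # Report-only pass over each drive root: autorun.inf, shortcuts, hidden items and
    # executables whose name matches a folder in the same root (the classic folder mimic).
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $items = @(Get-ChildItem -LiteralPath $drive.Root -Force -ErrorAction SilentlyContinue)
        $folderNames = @($items | Where-Object PSIsContainer | ForEach-Object { $_.Name.ToLowerInvariant() })
        foreach ($item in $items) {
            $reason = $null
            if ($item.Name -ieq 'autorun.inf' -and -not $item.PSIsContainer) {
                $reason = 'autorun.inf file present'
            } elseif ($item.Extension -ieq '.lnk') {
                $reason = 'shortcut in drive root'
            } elseif (($item.Extension -in @('.exe', '.scr', '.pif', '.com')) -and
                      ($folderNames -contains $item.BaseName.ToLowerInvariant())) {
                $reason = 'executable named like a sibling folder'
            } elseif ((($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                      (($item.Attributes -band [IO.FileAttributes]::System) -eq 0)) {
                $reason = 'hidden item'
            }
            if ($reason) { [PSCustomObject]@{ Path = $item.FullName; Reason = $reason } }
        }
    }
}

Disable-AutoRun
Show-FileExtensions
Clear-MountPoints2
Find-SuspiciousRootItems | Format-Table -AutoSize
```

The hidden-item check skips items that are also marked System, so normal root folders such as the recycle bin are not reported; anything the audit lists is left for the operator (and the anti-virus product, as the README says) to deal with.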

What does it NOT do

  • It does NOT kill or remove the malware. This is the anti-virus program's job.
  • It does NOT make an already-infected system clean. This script is useful on a non-infected system, to enhance security and prevent new infections.
  • It does NOT sit in the system tray or monitor every insertion/removal of USB drives or SD/MMC cards. On an ideal secure system, this is not needed, as the AutoRun is disabled and nothing will be run automatically. (Think of Mac OS X and Linux.)

How to use

Requires Windows 2000 or later. Tested to work with Windows 2000 through Windows 10.
  1. Download and unpack to get the script file (usb_vaccine.cmd).
  2. Unplug all of your USB flash drives, so that if your USB flash drives are infected they won't interfere with your computer.
  3. Right-click on the "usb_vaccine.cmd" file and select "Run as administrator".
  4. Follow the instructions on screen.
You may run usb_vaccine.cmd --help on the command line for additional options.

Copyright and license

Written by Kang-Che Sung.
Licensed under GNU Lesser General Public License v2.1 or later. This is free (libre) and open source software.
This script comes with ABSOLUTELY NO WARRANTY.



Wednesday, July 22, 2015

Virtual Patching and why this method can balance your patching cycles

I have been in various companies, and they all have their own system for how they update and patch servers and workstations. One common denominator is out-of-band patching. Some will allow systems to be out of date for 1-2 weeks, but the more aggressive will do out-of-band patching and scanning to confirm the issue is remediated.
One thing I would like to suggest is virtual patching solutions to reduce the attack surface.
Malwarebytes offers an Anti-Exploit product for virtually patching these software bugs.
Trend Micro also offers a more expensive IPS module for their Deep Security endpoint protection. They also have a standalone anti-exploit product which only does that.
Most hackers already know you will patch on Patch Tuesday or shortly after, and when out-of-band vulnerabilities show up as critical they will target large companies that don't fix these glaring issues. Virtual patching will instantly protect your endpoints.

Wednesday, March 4, 2015

POS Malware

How are we ever to protect ourselves until we can get these systems with end-to-end encryption? This is what Edward Snowden has been preaching for years, and it's about time we make this a federally audited standard. We need to get this under control.

Here is an interesting read.

Tuesday, December 16, 2014

Hack on Sony with Malware takes out the network for 1 week - Destructive Malware

Dropper: prepares the ground and then hands off, adding another type of malware to finish the job. This is why we often see more than one variant: malware acts as a team of attackers, each serving a different function for an overall agenda/goal.

“The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself. “

The compile date of the malware was 4-5 hours before deployment, so phishing is ruled out and more than likely it was done through embedding into images on high-traffic websites.

"The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself. There are implications for data recovery in this. In the case of the DarkSeoul malware, the overwritten data could be restored using a method similar to the restoration of the Shamoon 'destroyed' data. Destover data recovery is likely to be the same.
The chain of intermediary components leading to the destructive payload follows multiple stages (which have previously been described elsewhere), with capabilities set to run in several modes, just like Shamoon:
1. The sample is run on a 32-bit OS for the first time.
2. The sample is run on a 32-bit OS as a self-installed service, with one of several code paths.
3. The sample is run on a 64-bit OS as a self-installed service.
On a first run, it creates the 'Backup and Restore Management' Windows brmgmtsvc service, adds its own executable and sets a startup '-i' switch. It also drops several copies of itself and starts each of them with a different switch: -m, -d, and -w.
-m (mbr overwrite):
This attempts to connect with the three IP addresses.  Even if this is unsuccessful, process execution takes place.
It fetches its resource that contains the compressed EldoS RawDisk driver, and writes it out to the temp directory as a 'usbdrv3.sys'.
It then installs the driver as the usbdrv3 service 'USB 3.0 Host Controller'.
After this, it starts the driver service and closes its service handle.
It then creates a file handle to the driver with write permissions and writes to that handle with 64k strings of '0xAAAAAAAA'. (Note that the issue of a lengthy license key (#99E2428…) is discussed in our Shamoon The Wiper - part ii blog post.)
It then creates new threads, each of which attempts to connect to any possible physical drive letter and overwrite them as well.
-d (data overwrite):
This attempts to connect with the same three IP addresses. Again, process execution takes place regardless of communications.
It gets the logical drives and traverses recursively through them, identifying all data files. If it is not .exe or .dll, the process overwrites file contents with '0x0df0adba' in a 20k chunk. This overwrite is completed from user mode, without the EldoS drivers.
It then attempts to delete the data file using the win32 api 'DeleteFileW'. As it recurses through all the system's directories, it attempts to delete .exe and .dll files.
-w (web server):
This attempts to connect with the same three IP addresses. Again, process execution takes place regardless of communications.
It stops the Windows Terminal Services from the cmd line: 'cmd.exe /c net stop termservice /y'
Then finds resource#85, decompresses and writes contents out to 'c:\windows\iissvr.exe'.
It launches the iissvr.exe process and exits.
iissvr is what it seems to be - a web server that maintains an encoded JPG, HTML and WAV file. It listens on Port 80 and serves these files. The full graphic and scrolling green warning can be found later in the article.

Lastly, after a two hour sleep, the original service restarts the machine with a call to ExitWindowsEx(EWX_REBOOT|EWX_FORCE, 0).   This forces an exit but delays the shutdown itself while system state file creation occurs."

I have edited this content and made it shorter so we can understand just the important items.
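A read-only host check for the artifacts the analysis above names, as an added PowerShell example (it is not from Kaspersky's write-up or from this post). The service names, driver and file names and the 0x0df0adba overwrite marker come from the quoted text; using $env:TEMP as the driver drop location and little-endian byte order for the marker are this example's own assumptions, which is why both byte orders are tried.

```powershell
# Added example: look for the Destover artifacts described above without changing anything.
function Get-DestoverIndicators {
    [CmdletBinding()]
    param([string]$TempDir = $env:TEMP)   # drop location is an assumption of this example

    # 1. Persistence: the 'Backup and Restore Management' service (brmgmtsvc), started with '-i'.
    $svc = Get-CimInstance Win32_Service -Filter "Name='brmgmtsvc'"
    if ($svc) { [PSCustomObject]@{ Indicator = 'service brmgmtsvc'; Detail = $svc.PathName } }

    # 2. Raw-disk access: EldoS RawDisk installed as the usbdrv3 driver service ('USB 3.0 Host Controller').
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='usbdrv3'"
    if ($drv) { [PSCustomObject]@{ Indicator = 'driver service usbdrv3'; Detail = $drv.PathName } }
    $sys = Join-Path $TempDir 'usbdrv3.sys'
    if (Test-Path -LiteralPath $sys) {
        [PSCustomObject]@{ Indicator = 'dropped driver file'; Detail = (Get-FileHash $sys -Algorithm SHA256).Hash }
    }

    # 3. Web-server stage: iissvr.exe in the Windows directory, running and listening on port 80.
    $iis = Join-Path $env:SystemRoot 'iissvr.exe'
    if (Test-Path -LiteralPath $iis) {
        [PSCustomObject]@{ Indicator = 'iissvr.exe on disk'; Detail = (Get-FileHash $iis -Algorithm SHA256).Hash }
    }
    foreach ($p in Get-Process -Name iissvr -ErrorAction SilentlyContinue) {
        $ports = (Get-NetTCPConnection -OwningProcess $p.Id -State Listen -ErrorAction SilentlyContinue).LocalPort -join ','
        [PSCustomObject]@{ Indicator = 'iissvr process running'; Detail = "pid $($p.Id) listening on $ports" }
    }

    # 4. The -w stage runs 'net stop termservice'; a stopped TermService is weak evidence on
    #    its own but corroborates the items above on a host where RDP is expected to be up.
    $ts = Get-Service -Name TermService -ErrorAction SilentlyContinue
    if ($ts -and $ts.Status -ne 'Running') {
        [PSCustomObject]@{ Indicator = 'TermService not running'; Detail = $ts.Status }
    }
}

function Test-WipedFile {
    # Recovery triage: the -d stage fills non-.exe/.dll files with repeated 0x0df0adba in
    # 20k chunks. Returns $true when the first 4 KiB of the file is nothing but that pattern.
    param([Parameter(Mandatory)][string]$Path)
    $le = [byte[]](0xBA, 0xAD, 0xF0, 0x0D)   # little-endian dword (assumed)
    $be = [byte[]](0x0D, 0xF0, 0xAD, 0xBA)   # big-endian, in case the write was byte-wise
    $fs = [IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4096
        $n = $fs.Read($buf, 0, $buf.Length)
    } finally { $fs.Dispose() }
    if ($n -lt 4) { return $false }
    foreach ($pat in @($le, $be)) {
        $match = $true
        for ($i = 0; $i -lt $n; $i++) {
            if ($buf[$i] -ne $pat[$i % 4]) { $match = $false; break }
        }
        if ($match) { return $true }
    }
    return $false
}

Get-DestoverIndicators | Format-Table -AutoSize
# Triage call on a recovered file (constructed path): Test-WipedFile -Path 'D:\recovered\report.docx'
```

Get-DestoverIndicators only reads service tables, the file system and the TCP table, so it is safe to run on a machine you are still deciding whether to image; Test-WipedFile is for the recovery phase, where files that are entirely filler can be discarded before attempting the Shamoon-style restoration the quote mentions.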

Monday, June 16, 2014

Check out a free pen testing website

What will you learn?

  • SQL injections
  • Authentication issues
  • Captcha issues
  • Authorization issues
  • Mass Assignment attacks
  • Randomness Issues
  • MongoDB injections


  • A computer with a virtualisation software
  • A basic understanding of HTTP
  • Ability to write small scripts
  • Yes, that's it!

Thursday, September 26, 2013

Getting Up to Date with Botnets

As a security consultant you will have to deal with botnets (especially in financial networks). I wanted to give young security folks a good list of ways to stay on top of your botnet game.

1) Use network traffic and signature sets to detect communication to C&C servers from inside your network.

2) Keep in mind that C&C servers will often switch, and you must have a view of the big picture to understand that you might be facing a large-scale attack from an underground crime syndicate rather than several different attackers. (Know your enemy.)

3) Best practice is to re-image the PC and move forward. Spend your time studying the malware in a sandbox, rather than having a purely reactive security response team.
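Points 1 and 2 together, as an added PowerShell example that is not part of the post: signature matching over web-proxy log lines, followed by the "big picture" roll-up (how many internal hosts talk to the same C&C, and whether the traffic beacons on a fixed interval). The indicator list and the log lines are constructed for this example; the domain and address used are documentation placeholders, not real C&C servers.

```powershell
# Added example: C&C signature hits over proxy logs, rolled up per destination.
# Constructed signature list (placeholder values, not real indicators).
$Indicators = @(
    [PSCustomObject]@{ Value = 'cc-placeholder.example'; Family = 'FamilyA' }
    [PSCustomObject]@{ Value = '203.0.113.77';           Family = 'FamilyB' }
)

# Constructed proxy log lines: "<timestamp> <internal src> <method> <url> <status>".
$LogLines = @(
    '2013-09-25T10:00:00Z 10.1.4.21 GET  http://cc-placeholder.example/gate.php 200'
    '2013-09-25T10:05:00Z 10.1.4.21 GET  http://cc-placeholder.example/gate.php 200'
    '2013-09-25T10:10:01Z 10.1.4.21 GET  http://cc-placeholder.example/gate.php 200'
    '2013-09-25T10:02:13Z 10.1.7.8  POST http://203.0.113.77/in.php 200'
    '2013-09-25T10:03:40Z 10.1.9.3  POST http://203.0.113.77/in.php 200'
    '2013-09-25T10:04:02Z 10.1.2.55 GET  http://www.example.org/ 200'
)

function Get-CncHits {
    # Parse each line and keep those whose destination host is on the signature list.
    param([string[]]$Lines, [object[]]$Signatures)
    $lineRx = '^(?<ts>\S+)\s+(?<src>\S+)\s+(?<method>\S+)\s+(?<url>\S+)\s+(?<status>\d+)$'
    foreach ($line in $Lines) {
        if ($line -match $lineRx) {
            $dest = ([Uri]$Matches['url']).Host
            $sig = $Signatures | Where-Object { $_.Value -eq $dest } | Select-Object -First 1
            if ($sig) {
                [PSCustomObject]@{
                    Time   = [DateTimeOffset]::Parse($Matches['ts'], [Globalization.CultureInfo]::InvariantCulture)
                    Source = $Matches['src']
                    Dest   = $dest
                    Family = $sig.Family
                }
            }
        }
    }
}

function Get-CncSummary {
    # One row per C&C: number of distinct internal hosts (scale of the problem) and the
    # spread of inter-request intervals (a tight spread means scheduled beaconing).
    param([Parameter(ValueFromPipeline)]$Hit)
    begin { $all = @() }
    process { $all += $Hit }
    end {
        foreach ($g in ($all | Group-Object Dest)) {
            $times = @($g.Group.Time | Sort-Object)
            $gaps = @()
            for ($i = 1; $i -lt $times.Count; $i++) { $gaps += ($times[$i] - $times[$i - 1]).TotalSeconds }
            $beacon = 'n/a'
            if ($gaps.Count -ge 2) {
                $s = $gaps | Measure-Object -Minimum -Maximum -Average
                $beacon = if (($s.Maximum - $s.Minimum) -le 0.1 * $s.Average) { 'periodic' } else { 'irregular' }
            }
            [PSCustomObject]@{
                Dest          = $g.Name
                Family        = $g.Group[0].Family
                Requests      = $g.Count
                InternalHosts = @($g.Group.Source | Sort-Object -Unique).Count
                Beaconing     = $beacon
            }
        }
    }
}

Get-CncHits -Lines $LogLines -Signatures $Indicators | Get-CncSummary | Format-Table -AutoSize
```

On the constructed input the first destination shows one host beaconing every five minutes (a single infected workstation), while the second is contacted by two different internal hosts, which is the "more than one victim, same operator" picture point 2 asks you to look for before treating each alert as an isolated incident.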