One-Bit To Rule Them All: Bypassing Windows’ 10 Protections using a Single Bit
Introduction Today, Microsoft released their latest Patch Tuesday. This Patch includes a fix for vulnerability CVE-2015-0057, an...

Vulnerability Patching: Learning from AVG on Doing it Right.
Updated March 25: added a proof-of-concept video Introduction As part of our research, we analyze the intricate relationship between Anti-Virus and Operating Systems (OS). During this process, we came...

“Selfie”: A Tool to Unpack Self-Modifying Code using DynamoRIO
tl;dr: In this blog post we describe “Selfie”, a tool we have developed that automates finding the OEP for the majority of malware packed with self-modifying code. The tool itself is now open-sourced,...

Class Dismissed: 4 Use-After-Free Vulnerabilities in Windows
Introduction Today, Microsoft released their latest Patch Tuesday. This Patch includes a fix for CVE-2015-2363, a complementary patch to CVE-2015-2360 from last month. The two CVEs together bundles...

Injection on Steroids: Code-less Code Injections and 0-Day Techniques
tldr; You’ll find the talk deck embedded within this post. The relevant code is posted on Github – https://github.com/BreakingMalware/PowerLoaderEx The folks at BSides were also kind enough to publish...

Moker, Part 1: dissecting a new APT under the microscope
Recently, we came across Moker, an advanced malware residing in a sensitive network of a customer. Since the malware did not try to access an external server, but rather tamper with the system inner...

Moker, Part 2: Capabilities
A few days ago, we published a blog entry on an advanced malware – Moker, and discussed the different challenges that Moker placed to avoid detection and anti-dissection. Now that we have the stripped...

A Technical Breakdown of ModPOS
ModPOS is the latest in the string of POS malware that’s making the news. As its family name implies, this malware is intent on one thing: stealing credit card information. We decided to research ModPOS...

Sedating the Watchdog: Abusing Security Products to Bypass Mitigations
tldr; design issues in various security products, such as anti-virus, make it significantly easier for threat actors to bypass exploit mitigations. In particular, we found a prevalent flaw where...

ArdBot: A Malware Under Construction
Recently we came across a new sample of the ArdBot malware, appearing on kernelmode, credited to R136a1. Research on this sample showed a malware strain that is not yet ready for production use and...

Analyzing Furtim: Malware that Avoids Mass-Infection
Overview Recently we came across a new malware strain, first discovered by @hFireF0X, and at the point of discovery, it was not detected by any of the 56 anti-virus programs tested by the VirusTotal service....

Documenting the Undocumented: Adding CFG Exceptions
TL;DR Microsoft’s Control Flow Guard (CFG) is a security feature that prevents the abuse of indirect calls from calling addresses that are not marked as safe. CFG can cause problems for anyone trying...

Captain Hook: Pirating AVs to Bypass Exploit Mitigations
tl;dr: We found 6(!) different common security issues that stem from incorrect implementation of code hooking and injection techniques. These issues were found in more than 15 different products. The...

Elastic Boundaries – Elevating privileges by environment variables expansion
Even though any process is provided variables from its environment – they are often overlooked by users, developers and sometimes even the OS itself. Environment variables are an essential part of any...