Writing modules for bamfdetect requires a variety of talents including reverse engineering, parsing, decryption, as well as development. For this reason, I invite everyone to test their skills to create bamfdetect modules, and compete for cash prizes. bamfdetect bamfdetect is a tool designed to extract the command and control configuration details from malware statically. bamfdetect modules It is highly suggested that before writing modules for the competition that you use bamfdetect to some capacity to get an understanding of how it operates.
In a previous blog post, I detailed a convention I developed in order to use Markov models in order obfuscate data. In this blog post, I will talk about a script, mtunnel, which acts as both ends of a SOCKS tunneling proxy where the transport between the two ends is obfuscated using MarkovObfuscation. MarkovObfuscation in a tunneling SOCKS Proxy After I saw folks appeared interested in the MarkovObfuscation blog post, I decided I needed a proof of concept that actually did something.
Machine learning methods, simple and complex, can be used in almost all aspects of our digital lives. Interestingly enough, it is rarely observed in the offensive side of information security. When I was thinking about the number of ways an attacker can exfiltrate data past a firewall, I decided to try out an old favorite, Markov chains, in order to build the next generation of “book ciphers”. UPDATE A Github repository has been created for this project: markovobfuscate Markov Chains as a Keyed Obfuscation Method This is a project that has been sitting in my private git repository for a long while, and after I was recently reminded of it, I’ve decided to write it up and do an initial release.
In this blog post, I will describe a method of using libemu along with scapy in order to detect shellcode being sent across the network in unencrypted channels. This method would not be particularly reasonable for large networks without a significant amount of computing power. On the other hand, for semi-automated analysis, or even integration into something like Cuckoo Sandbox, it may be quite useful. While this proof of concept is currently functional, it would take some work on the project’s dependencies in order for me to consider the project a success.
When hunting botnets, whether they are custom developed or widely available, it can be helpful to statically extract configurations. With this ability, an automated workflow can be developed to identify and track botnets at scale. For this reason, I have developed bamfdetect. bamfdetect bamfdetect is a tool which is designed to identify malware samples and statically extract their configuration information, such as the domain name of the command and control server.
The purpose of this post is to explain the TORQUE vulnerability I recently created a proof of concept for. Since the proof of concept was just a simple stub, I feel the mechanics behind the exploit should be described as well. Torque To be completely honest, I have never used TORQUE before attempting to exploit it. I was looking for a vague CVE to proof of concept, and this one did not appear to obscure CVE-2014-0749.
Recently, I have been trying to focus more on creating small but useful utilities. The first of these tools to be posted publicly is Extract Hosts. The purpose of this utility is to search for domain names and IP addresses in the supplied input. The following is information posted to the readme on the project page. You can download the 1.1.0 release of Extract Hosts here. ExtractHosts Extracts hosts (IP/Hostnames) from files.
Occasionally, I like to build a vulnerable virtual machine demonstating a recently published vulnerability. One of the reasons I do this is because such a small section of the industry is exposed to botnet panels, and the easiest way to get acquianted is by pwning them. It also gives people an opportunity to legally use my exploits without hunting down the source code for the command and control panels themselves. In this vulnerable virtual machine, you get an opportunity to “Murder Dexter”, the point of sale malware.
During my talk at RSAC 2014, we announced multiple botnet vulnerabilities which had been discovered. The following vulnerability is one of them. Herpes Net is botnet with a wide range of functions, with everything from opening the CD tray to mining bitcoins (via plugins). With a vulnerability in the command and control panel, we can get information on the botnet operator. When this vulnerability was discovered by myself, I had thought it was a rediscovery of a vulnerability discovered by malware.lu.
In a recent search through some underground communities, I came across the source code to a version of the MultiLocker panel. With ransomware, the security industry is always looking for a good way to resolve the issue without the ransom being paid. This could potentially be done by gathering information from the botnet’s panel. While there are likely other vulnerabilities, this one stood out after a quick grep of the code.