McRat Malware Analysis – Part1

In this issue we are going to analyze McRat, a stealer of user data and passwords. This malware is interesting because it uses some anti-debugging techniques and several encryption/obfuscation layers to hinder analysis of its code. The analysis is divided into two parts: in the first part we will bypass the anti-debugging protection, and during … read more.

CVE-2013-1763 sock_diag_handlers Local Root Exploit Analysis

In this article we will analyze the exploit released by Kacper Szczesniak for CVE-2013-1763. In simple terms, the exploit takes advantage of a kernel-level vulnerability, an unchecked index into the sock_diag_handlers array, and allows a local user to gain root privileges on the system. Before starting the analysis, however, the underlying concept should be clarified: in Linux systems, … read more.
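As an added illustration (not the exploit or the kernel code discussed in the article), the following user-space model shows the lookup shape behind CVE-2013-1763: a handler table indexed directly by an attacker-controlled family byte, next to the bounds-checked form that the kernel fix introduced. The table size AF_MAX, the stub handler and the return codes are assumptions for this toy, not the kernel's values.

```c
#include <stddef.h>

/* Placeholder table size (assumption): the kernel uses its own AF_MAX. */
#define AF_MAX 40

typedef int (*diag_handler)(void);

/* Stand-in for a registered family handler (e.g. inet_diag for AF_INET). */
static int inet_diag_stub(void) { return 1; }

/* Sparse table: only families that registered a handler are non-NULL.
 * AF_INET == 2 on Linux. */
static const diag_handler sock_diag_handlers[AF_MAX] = { [2] = inet_diag_stub };

/* Vulnerable shape: the index comes straight from the request. For
 * family >= AF_MAX this reads a pointer from past the end of the table and
 * calls through it, which is undefined behaviour. Never call it that way;
 * it is here only to show the pattern. */
int dispatch_unchecked(unsigned char family) {
    diag_handler h = sock_diag_handlers[family];
    return h ? h() : -1;
}

/* Fixed shape: bound the index before it touches the table.
 * Returns -2 for a family outside the table (the kernel fix rejects the
 * request), -1 when no handler is registered, else the handler's result. */
int dispatch_checked(unsigned char family) {
    if (family >= AF_MAX)
        return -2;
    diag_handler h = sock_diag_handlers[family];
    return h ? h() : -1;
}

int main(void) {
    /* 2 -> handler runs, 3 -> no handler, 255 -> rejected before indexing */
    return (dispatch_checked(2) == 1 && dispatch_checked(3) == -1 &&
            dispatch_checked(255) == -2) ? 0 : 1;
}
```

The point of the check is that the one-byte family field is fully attacker-controlled through the netlink message, so any index derived from it must be validated against the table size before the array is touched.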

Analysis of CVE-2010-0188 PDF from RedKit ExploitKit

(Figure: RedKit infection flow)

After noticing a substantial increase in RedKit infections, following a series of investigations performed on URLQuery, we decided to dig deeper to understand what was happening behind the curtains. RedKit is an exploit pack that uses the infection flow shown above. For today's example we have this report: http://urlquery.net/report.php?id=1305873 and the resource … read more.

Update 2 – Facebook infection: the fake “Flash Player”

(Figure: infection URL flow)

In recent days I've seen some friends of mine catch a Facebook virus: it posts a message with ten friends tagged and a link to a malicious site. The infection, which comes from Turkey (at least on the surface), is OS independent because it relies on Firefox and Chrome extensions: a fake Flash Player. The HTML code of the link showed: <-- link to http://xn--47aaeabb.net/ … read more.

Extracting Objects from a Running Process

A few days ago two new 0-days were spotted in the wild: CVE-2013-0633 and CVE-2013-0634, both of them involving a .swf file, possibly embedded inside a Word document. It is worth understanding how to dump such a resource while the attacked process is running, after all the obfuscation layers have been cleared. Clearly this same technique can be extended to … read more.
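As an added example (not the article's own method or code), here is a small carver for the kind of object the teaser mentions: once the decrypted .swf sits in the process memory, a scan of a memory snapshot for the SWF header (signature FWS, CWS or ZWS, one version byte, then a little-endian 32-bit length) finds and cuts it out. The memory snapshot below is a constructed byte buffer, not a real dump, and the version cap of 64 is a heuristic assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One hit of the carver: where the header sits, its signature and version,
 * the length field from the header (for CWS/ZWS this is the *uncompressed*
 * size, so it is only an upper bound in memory) and how many bytes were
 * attributed to the object. */
struct swf_hit {
    size_t offset;
    char sig[4];
    uint8_t version;
    uint32_t declared_len;
    size_t carved_len;
};

static int is_swf_sig(const uint8_t *p) {
    return (p[0] == 'F' || p[0] == 'C' || p[0] == 'Z') && p[1] == 'W' && p[2] == 'S';
}

/* Scan a memory buffer for SWF headers; returns the number of hits recorded. */
size_t carve_swf(const uint8_t *buf, size_t len, struct swf_hit *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t i = 0; i + 8 <= len && n < max_hits; i++) {
        if (!is_swf_sig(buf + i))
            continue;
        uint8_t ver = buf[i + 3];
        uint32_t dlen = (uint32_t)buf[i + 4] | ((uint32_t)buf[i + 5] << 8) |
                        ((uint32_t)buf[i + 6] << 16) | ((uint32_t)buf[i + 7] << 24);
        /* Sanity filter: the header alone is 8 bytes, and real SWF versions
         * are small (cap of 64 is an assumption). */
        if (dlen < 8 || ver == 0 || ver > 64)
            continue;
        size_t remaining = len - i;
        size_t take = dlen < remaining ? dlen : remaining;
        hits[n].offset = i;
        memcpy(hits[n].sig, buf + i, 3);
        hits[n].sig[3] = '\0';
        hits[n].version = ver;
        hits[n].declared_len = dlen;
        hits[n].carved_len = take;
        n++;
        /* FWS: the length is exact, skip the whole object. CWS/ZWS: the
         * compressed size is unknown, so only step past the signature. */
        i += (buf[i] == 'F') ? take - 1 : 2;
    }
    return n;
}

/* Constructed sample "memory snapshot": 5 junk bytes, an uncompressed SWF of
 * 20 bytes (8-byte header + 12 bytes of fake tag data), 3 junk bytes, then
 * the start of a zlib-compressed SWF whose declared size is 4096. */
const uint8_t sample_mem[] = {
    0x00, 0x41, 0x42, 0xff, 0x01,
    'F', 'W', 'S', 10, 0x14, 0x00, 0x00, 0x00,
    0x78, 0x00, 0x05, 0x5f, 0x00, 0x00, 0x0f, 0xa0, 0x00, 0x00, 0x0c, 0x01,
    0x00, 0x00, 0x00,
    'C', 'W', 'S', 11, 0x00, 0x10, 0x00, 0x00,
    0x78, 0x9c, 0x63, 0x60
};

int main(void) {
    struct swf_hit hits[8];
    size_t n = carve_swf(sample_mem, sizeof sample_mem, hits, 8);
    for (size_t k = 0; k < n; k++)
        printf("%s v%u at offset %zu: declared %u bytes, carved %zu\n",
               hits[k].sig, hits[k].version, hits[k].offset,
               hits[k].declared_len, hits[k].carved_len);
    return n == 2 ? 0 : 1;
}
```

On a real dump, each FWS hit can be written to disk as-is; for CWS/ZWS hits the carved bytes must be inflated (zlib or LZMA) to check that the stream decodes to the declared length, which is also the simplest way to discard false positives on the three-letter signature.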

Malicious Java Applet Deobfuscation

(Figure: searching for init())

On Sunday (13th January 2013), I received an email from @it4sec about a malicious Java applet that he had received. I've decided to write about it, since Java applets seem like a … read more.

New Java 0-day Exploit in the Wild – Update 4

According to Kafeine Security, a new exploit for Java 7 is in the wild. Not surprisingly, this new exploit, announced yesterday on the underweb, comes right after the BlackHole crew announced that … read more.

Stabuniq Financial Infostealer Trojan Analysis

According to Symantec, Stabuniq is a financial infostealer Trojan which has been found on servers belonging to financial institutions, including banking firms and credit unions. The Trojan also … read more.

An overview of Cythosia DDoS Bot

Cythosia v2 is a DDoS botnet system that was published on black-market forums a while ago; we decided to republish an article first shared on my private blog. Here at UIC R.E. Academy we strongly believe in … read more.

Artro Botnet Anatomy Overview

Following the idea of knowledge sharing, here is another article taken from my private blog and shared with our readers. Some time ago, while talking with Roman from abuse.ch, we found it necessary to … read more.