Inside a Kippo honeypot: how the billgates botnet spreads


A few months ago I decided to install a honeypot to find new threats and to collect new malware samples for analysis. There are several honeypots I had in mind to try, but for now I have chosen Kippo. From Kippo's homepage: "Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by …

Kaspersky Hooking Engine Analysis


In this article we will talk about a few hooking techniques used by antivirus software. For the purpose of this analysis the antivirus chosen is Kaspersky PURE 3.0 Total Security (http://www.kaspersky.com/it/trials), and we will deal with the various hooking techniques it uses in both user mode and kernel mode. The reference operating system is Windows 7 Professional 32-bit. The …

Win32.BlackBerryBBC Malware Analysis


Today I got a mail containing malware from [email protected]. The sender's address is forged, which is a form of email spoofing. The email contains a description of malware and encourages the receiver to install a file called Anti-Vir.rar. …

PDF analysis of Nuclear Pack EK and CVE-2010-0188/CVE-2010-2883


A description of the Nuclear Pack exploit kit was recently published on Malwarebytes' blog, but it does not cover the PDF exploit the kit uses, so we decided to proceed with a more in-depth analysis. PDF analysis: to start the analysis we used peepdf. Two objects appear to be suspicious, so let's start with object …

HiMan EK and CVE-2013-2551

Quick Analysis

Recently, during one of my analyses of URLs from urlquery, I came across a URL ending in /ie8910.html. The link, once opened, returns an index page with the following code: As can be seen from the "ip-blocked-by-firefox" marker, Google Safe Browsing is already blocking the address; there is no active service on port 8080, while there is one running on port …

Introduction to ARMv8 64-bit Architecture


Introduction: The ARM architecture is a Reduced Instruction Set Computer (RISC) architecture; the name originally stood for "Acorn RISC Machine" but now stands for "Advanced RISC Machines". In the …

Eset ChallengeME 2013 Solution


About a month ago I got a link to ESET's ChallengeMe from a friend; yesterday I had some free time to work on it, and I finally solved it. You can get the crackme from the link …

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 3


We are finally at the end of our Caphaw/Shylock analysis. This time we will deal entirely with the code injected into the explorer.exe process; the context will be a little more complex than in the previous …

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 2


Welcome to the second part of our analysis of Caphaw/Shylock. In the first chapter we went through the dropping and unpacking stages of this malware. In this second part we will go through the …

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 1


In this essay we will perform an in-depth analysis (from the unpacking to the explorer.exe code injection) of the most recent version of Caphaw/Shylock, a banking malware that, at the time of discovery, …