In this blog post we discuss the history of sandbox detection. We then describe the malware families that KTIS has observed in spear-phishing emails attempting to bypass user-mode API hooks in order to evade sandbox analysis. Finally, we share the mitigation we use to harden the Cuckoo sandbox against this bypass technique.
by Floser Bacurio and Wayne Low  |  Jan 03, 2018  |  Filed in: Security Research
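The bypass the post above refers to starts with a simple check: a user-mode sandbox monitor (Cuckoo's is one) usually hooks a Win32 API by overwriting the function's first bytes with a jump into the monitor DLL, and malware reads those bytes back looking for exactly that. The following is an added example, not code from the Fortinet post, that shows the check in Python against constructed x86-32 prologues; the module range, the function address and all byte strings are hypothetical. A sandbox operator can run the same logic against the hooked process to see what the malware sees.

```python
"""Inline user-mode API hook check.

Added example, not code from the original post. A user-mode sandbox
monitor typically hooks a Win32 API by overwriting its first bytes with
a jump into the monitor DLL; malware that wants to evade the sandbox
reads those bytes back and looks for exactly that. Addresses, the
module range and the prologue bytes below are constructed for
illustration (x86-32 encodings).
"""
import struct

# Hypothetical image range of the DLL that exports the checked function.
MODULE_RANGE = (0x77E00000, 0x77F00000)
FUNC_VA = 0x77E01000  # hypothetical virtual address of the checked API


def decode_hook_target(prologue: bytes, func_va: int):
    """Return the absolute target if the prologue starts with one of the
    common trampolines, otherwise None.
      E9 rel32          jmp rel32  (target = address of next instruction + rel32)
      68 imm32 C3       push imm32; ret
      B8 imm32 FF E0    mov eax, imm32; jmp eax
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_va + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xff\xe0":
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def is_hooked(prologue: bytes, func_va: int, module_range) -> bool:
    """A jump that leaves the module the function lives in is treated as a
    hook. A jump that stays inside the module (a normal hot-patch or a
    forwarder) is not flagged, so this check alone misses a hook whose
    trampoline is placed inside the module's own image."""
    target = decode_hook_target(prologue, func_va)
    if target is None:
        return False
    lo, hi = module_range
    return not (lo <= target < hi)


def differs_from_disk(in_memory: bytes, on_disk: bytes) -> bool:
    """Stronger variant: compare the live prologue with the same bytes read
    from the DLL file on disk. Any difference, jump or not, is suspicious."""
    return in_memory[:len(on_disk)] != on_disk


# Constructed prologues for FUNC_VA.
CLEAN = b"\x8b\xff\x55\x8b\xec"  # mov edi,edi; push ebp; mov ebp,esp
SAMPLES = {
    "clean": CLEAN,
    "jmp_hook": b"\xe9" + struct.pack("<i", 0x10001000 - (FUNC_VA + 5)),
    "push_ret_hook": b"\x68" + struct.pack("<I", 0x10002000) + b"\xc3",
    "intra_module_jmp": b"\xe9" + struct.pack("<i", 0x77E05000 - (FUNC_VA + 5)),
}


def classify_all() -> dict:
    """Run both checks over every sample: name -> (is_hooked, differs_from_disk)."""
    return {name: (is_hooked(p, FUNC_VA, MODULE_RANGE), differs_from_disk(p, CLEAN))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:18s} hooked={verdict[0]} differs_from_disk={verdict[1]}")
```

The `intra_module_jmp` sample is the reason the on-disk comparison is included: a jump-range check accepts it, while a byte-for-byte comparison with the clean file does not. Hardening against this class of evasion means making both views look clean to the guest, which the post above discusses.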
PowerDNS Recursor is a high-end, high-performance resolving name server that powers the DNS resolution of at least a hundred million subscribers. The Recursor is one of PowerDNS's two name server products, the one whose primary role is to act as a resolving DNS server. On Aug. 7, 2017, I reported an XSS (cross-site scripting) vulnerability to PowerDNS and its Security Team. They assigned it the identifier CVE-2017-15092. In this report I will explain how I was able to identify and trigger the vulnerability.
by Chris Navarrete  |  Dec 02, 2017  |  Filed in: Security Research
FortiGuard Labs recently found a malware campaign exploiting CVE-2017-11826, a recently documented vulnerability that Microsoft patched in October 2017. A detailed analysis of the exploit is included in this article.
by Jasper Manuel, Joie Salvio, Wayne Low  |  Nov 22, 2017  |  Filed in: Security Research
Fortinet’s John Maddison offers some perspective following our Security Fabric and Fabric Ready announcements earlier this year. Can you talk about why “open” is such a critical element of our GTM selling strategy? An “open” strategy demonstrates the maturity of a vendor in their evolution towards developing a complete ecosystem of partnerships. This...
by John Welton  |  Nov 28, 2016  |  Filed in: Business and Technology, Security Q & A
On September 26th, Fortinet announced our new Fortinet Fabric Ready Program, which delivers on the “Open” attribute of the Fortinet Security Fabric by providing threat intelligence visibility across multi-vendor cybersecurity solutions. Cross-product coordination (regardless of vendor) is a critical capability for today’s enterprises, as it is rare for an organization to completely source all IT security components from a single vendor across the entirety of their network and covering all attack vectors. Leaving...
by David Finger  |  Oct 18, 2016  |  Filed in: Industry Trends
[This article originally appeared in Virus Bulletin](http://www.virusbtn.com/virusbulletin/archive/2013/12/vb201312-Onkod) Downloaders are usually small and simple files whose goal is purely to download the 'main course' of a malware infection. The downloaded file (or 'downloadee') invariably has more features and functionalities than the downloader. In this article, we will look into a fairly new downloader variant, named W32/Onkod, and its downloaded file. THE DOWNLOADER Initial analysis of Onkod is made a little trickier and more time...
by Raul Alvarez  |  Feb 26, 2014  |  Filed in: Security Research
Antivirus software installed on your machine can detect malware if it knows the malware's signature or can match a unique pattern in it. Malware attached to an email or downloaded from a website can also be flagged as malicious by heuristics. Some heuristic detection methods look at the readable, printable strings within a file, such as the names of APIs (Application Programming Interfaces) that can be used for malicious activity. These APIs are not malicious by themselves, but a combination of...
by Raul Alvarez  |  Oct 16, 2013  |  Filed in: Security Research
In-depth analysis of malware reveals different methods of obfuscating code. Malware employs various tactics to hide itself and hinder analysis, and it also dynamically loads the functions it will use. These functions, usually called APIs (Application Programming Interfaces), are normally resolved when an application is loaded. Malware authors use dynamic function loading so that a single program can adapt to different operating systems, allowing it to run on Windows XP, Vista, Windows 7 or other platforms. Common practice...
by Raul Alvarez  |  Mar 01, 2010  |  Filed in: Security Research
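The two Raul Alvarez posts above (heuristic detection from printable API-name strings, and malware that resolves its APIs dynamically) describe the same artefact from opposite sides: a file's import names tell you which API combinations it can reach, and a sample that resolves everything through LoadLibrary/GetProcAddress at run time shows little else in its import table, which is itself an indicator. The following is an added example, not code from either post, that applies the strings heuristic in Python to two constructed byte blobs standing in for import name tables; the indicator groupings are hypothetical and chosen for illustration.

```python
"""Strings-based heuristic: flag a file by the combination of Win32 API
names it contains.

Added example, not code from the original posts. A single API name
(LoadLibraryA, GetProcAddress, ...) is not malicious on its own, but
certain combinations are strong indicators. The API groupings and the
two byte blobs below are constructed for illustration, not taken from
any real sample.
"""
import re

# Hypothetical indicator sets. Every name in a set must be present to fire.
SUSPICIOUS_COMBOS = {
    # the pair used to resolve APIs at run time (the dynamic loading the
    # 2010 post describes); packed samples often import only these two
    "dynamic_api_resolution": {"LoadLibraryA", "GetProcAddress"},
    # classic remote-thread injection chain
    "process_injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    # hooking keyboard input
    "keylogging": {"SetWindowsHookExA", "GetAsyncKeyState"},
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes, like the
    Unix `strings` tool. Import names in a PE are NUL-terminated, so each
    API name comes out as its own string."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def score(data: bytes) -> dict:
    """Map each indicator whose API set is fully present to the sorted
    list of those APIs. An empty dict means no combination fired."""
    found = set(extract_strings(data))
    return {
        name: sorted(apis)
        for name, apis in SUSPICIOUS_COMBOS.items()
        if apis <= found
    }


# Constructed stand-ins for the import name tables of two executables.
MALICIOUS_SAMPLE = b"MZ\x90\x00\x03\x00" + b"\x00".join([
    b"KERNEL32.dll", b"LoadLibraryA", b"GetProcAddress", b"VirtualAllocEx",
    b"WriteProcessMemory", b"CreateRemoteThread", b"ExitProcess",
]) + b"\x00\xff\xfe"

BENIGN_SAMPLE = b"MZ\x90\x00\x03\x00" + b"\x00".join([
    b"KERNEL32.dll", b"LoadLibraryA", b"ExitProcess", b"USER32.dll", b"MessageBoxA",
]) + b"\x00"


if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score(blob))
```

The benign blob imports LoadLibraryA but not GetProcAddress, so nothing fires, which is the point the 2013 post makes about single API names. The caveat a practitioner should keep in mind is the obfuscation the 2010 post describes: a packed sample hides most of these strings until it unpacks in memory, so the same scan is worth repeating on a memory dump, not only on the file on disk.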