Over the last few months we saw that Locky’s loader uses a seed parameter to execute properly. This method was probably used to prevent sandboxing, since it will not execute without the correct parameter. Afterwards, we saw Locky shift itself from an EXE to a Dynamic Link Library (DLL). We recently encountered yet another Locky development, where binary strains are using the Nullsoft installer package as their loader. In this post we will delve into how to unpack the final binary payload from its Nullsoft package loader. Decompressing Locky’s...
by Floser Bacurio Jr. and Kenny Yongjian Yang | Sep 12, 2016 | Filed in: Security Research
It’s been just less than a month since the Shark Ransomware was discovered, and there is already an upgrade from the same authors, along with a new Ransomware-as-a-Service (RaaS) website, a new name, and new features. While this site follows the standard RaaS business model commonly used by other ransomware developers, it has a new twist. Besides the usual offer to let users customize and build their own ransomware, Atom is being promoted as a “Ransomware Affiliate Program.” The twist is that it offers the soon-to-be...
by Rommel Joven | Sep 12, 2016 | Filed in: Security Research
A new ransomware variant, named “Fsociety Locker” (“Fsociety ALpha 1.0”), showed up recently seeking a place in the threat marketplace. The authors of this malware must be “Mr. Robot” fans, as the name “Fsociety” refers to the fictional group of hackers in that show. This new ransomware variant is one of the very few examples of Python-based ransomware in the wild. Python is typically considered to be a fast, easy language to code in, so this may be the start of a new malware trend. In this...
by Sarah (Qi) Wu and He Xu | Sep 01, 2016 | Filed in: Security Research
Ransomware is now a common term not only in the security industry, but also in our day-to-day life. A new ransomware seems to pop up almost every day. What we don’t normally see is how the code inside these malware is implemented. Ransomware employs different techniques and attack vectors in order to infiltrate your computer system. They also use different armoring techniques to evade detection and avoid analysis. One trick they use to harden themselves against analysis is implementing metamorphic, encryption, and polymorphic algorithms. We...
by Raul Alvarez | Jun 07, 2016 | Filed in: Security Research
The competition for the most secure instant messaging tool has been running for years. It re-surfaced this month when WhatsApp announced it has completed implementing end-to-end encryption. Curiously, in security research circles, this has resulted in endless debates between WhatsApp and Telegram. Very much like Emacs vs Vi, everybody has a (strong) opinion, but there is no general consensus. ;) I think we can agree that Signal, WhatsApp, and Telegram stand out as the most secure messaging solutions - thanks to end-to-end encryption or Perfect...
by Axelle Apvrille | Apr 15, 2016 | Filed in: Industry Trends
While some of everyone's social media presence is inevitably publicly viewable, there are parts that we only want shared/visible to "friends" or other confirmed connections. Facebook, which is already using security tools like HTTPS with HSTS (HTTP Strict Transport Security) to authenticate and secure user/Facebook connections -- and offering a Tor "onion" site for users wanting even more security, announced on June 1 that it will be (slowly) letting (some) users PGP-encrypt the content (as in, message body and attachments,...
by Daniel Dern | Jun 09, 2015 | Filed in: Industry Trends
The so-called Logjam vulnerability has been making headlines in both the tech and mainstream press since it was announced last week, and for good reason. Potentially tens of thousands of websites and mail servers (as well as the users who access them) remain open to attack because of weaknesses in the TLS security protocol. A group of researchers published their findings about Logjam and drew attention to fundamental problems with export-grade encryption standards. As the researchers noted, a substantial portion of HTTPS, SSH, and VPN servers...
by Chris Dawson | May 29, 2015 | Filed in: Industry Trends
Cryptography has been around for a while, which is a bit of an understatement. Below is an infographic that will give a glimpse into the world of cryptography.
by Michael Perna | Feb 03, 2014
Story: Around the end of June, I found a new Kelihos binary that was being pushed to all the proxy peers from Kelihos' job servers. At that time, I assumed the binary was just a typical bug fix build. But on July 14th, my Kelihos tracker stopped getting new peers. I then realized the update in late June was a new build which changed the communication protocol and encryption scheme. So, I took some days to reverse this new Kelihos build. First Look: After successfully unpacking the build, I found it was compiled with the Crypto++ library which...
by Kyle Yang | Jul 18, 2013 | Filed in: Security Research
I recently tried an amazing browser extension named Datarmine whose goal is to secure social network posts. It works for Facebook, Twitter etc. The idea is that your posts get encrypted, and only people with your secret key can decrypt it. Others see a fake replacement post (that you can choose). This is a post encrypted by Datarmine. The end-user chooses the text which is displayed to people who are not authorized to decrypt it. (Text in French basically says "I am trying Datarmine"). This is the real post, decrypted from the message above. I...
by Axelle Apvrille | Jul 30, 2012 | Filed in: Security Research