All malicious tools try to hide their WinAPI calls: if the program code contains suspicious functions, its execution can be blocked. There are very few documented ways to obfuscate WinAPI calls, but I would like to share with you some promising ideas…
CONTINUE READING 🡒 Category: Malware
Windows Malware 101: Creating a Simple Proof-of-Concept in Assembly
Building viruses is a great reason to learn assembly. And while you can technically write a virus in C, that feels un-hacker-like and just plain wrong. The text that follows is a piece by Chris Kaspersky that…
CONTINUE READING 🡒 
Life Without Antivirus: How to Remove Malware Manually and Harden…
When asked “What antivirus do you use on your Windows machine?” many security professionals (including people on our editorial team) answer: none. When massive outbreaks infect hundreds of thousands of computers despite all the latest defense tech,…
CONTINUE READING 🡒 
Building a Simple Trojan with Python: A Step-by-Step Guide
In this article, I will explain how to create a basic remote access Trojan using Python, and for added stealth, we'll embed it within a game. Even if you're not familiar with Python, this will help you…
CONTINUE READING 🡒 
Defending Windows: DIY Security Without Antivirus Software
If you want to protect yourself from viruses, you need an antivirus, right? Not necessarily. Antivirus programs have many shortcomings, so if you use your head and are willing to rely on your own judgment, you can…
CONTINUE READING 🡒 
Dumping at nanolevel. How I reinvented SafetyKatz to dump LSASS…
This article discusses the covert use of the NanoDump utility from memory (i.e. the simulated attacker doesn’t have a C&C ‘beacon’ on the attacked network node) and compares such an application of NanoDump with the use of SafetyKatz.
CONTINUE READING 🡒 
Agent Tesla: Reversing combat malware in Ghidra
Recently I encountered an interesting piece of malware called Agent Tesla. It’s still widespread and actively used by cybercriminals (the analyzed sample was dated 2023). Let’s dissect this remote access trojan and find out what’s hidden inside it.
CONTINUE READING 🡒 
Disassembling REvil. The notorious ransomware hides WinAPI calls
Some unknown hackers have recently attacked Travelex foreign exchange company using REvil ransomware. This trojan employs simple but efficient obfuscation techniques that conceal its WinAPI calls from the victim. Let's see how the encoder works.
CONTINUE READING 🡒 
Encoder for Android: сomplete software anatomy
Until recently, based on the results of surveys and personal experience, I had the impression that users believe that the value of data stored on a device greatly exceeds the cost of the device itself. Why until…
CONTINUE READING 🡒 
Avian influenza. Review of *nix vulnerabilities in 2015
According to cvedetails.com, more than 1,305 vulnerabilities have been found in the Linux core since 1999. Sixty-eight of these were in 2015. Most of them don't cause many problems (they are marked as Local and Low), and…
CONTINUE READING 🡒 
How to Handle Malware: Complete Guide. Give it to your…
Numerous times you used to help your friends and people when their PCs fell to onslaught of malware. So did we. But we got pretty sick and tired of all that and pulled out a trump card…
CONTINUE READING 🡒 
The Children of CryptoLocker, Part 2. TeslaCrypt, TorLocker, TorrentLocker
The first examples of malware that encrypts files and then demands money for decryption appeared a long time ago. Just remember Trojan.Xorist with its primitive encryption algorithm based on XOR, or Trojan.ArchiveLock written in PureBasic, which used…
CONTINUE READING 🡒 The Children of CryptoLocker, Part 1. Critroni, CryptoWall, DirCrypt
The first examples of malware that encrypts files and then demands money for decryption appeared a long time ago. Just remember Trojan.Xorist with its primitive encryption algorithm based on XOR, or Trojan.ArchiveLock written in PureBasic, which used…
CONTINUE READING 🡒 
Crypto-Ransomware: Russian Style. Large-scale Research on Russian Ransomware
Nowadays the Russian segment of the Web is not dominated by CryptoWall or CTB-Locker, Russia has seen the formation of an "ecosystem" consisting of other types of ransom trojans, which generally don't enter the global arena. Today,…
CONTINUE READING 🡒 
What data Windows 10 sends to Microsoft and how to…
Since its rise Windows was a natural habitat for all kinds of malware. Now the OS itself seems to have become one big trojan. Right after being installed it starts acting weird. The data flows in rivers…
CONTINUE READING 🡒 
Сode injections for Windows applications
Code Injection is a process of injection code (often malicious) into third party application’s memory. A lot of software is using this technique: from malware to game bots. To show this approach, let’s try to execute third…
CONTINUE READING 🡒 
How to use WSUS to get control over Windows
This was one of the most interesting attacks showed on Black Hat Las Vegas 2015. Let’s imagine the situation: there’s a large park of Windows computers in a large organization, and they all need to be updated.…
CONTINUE READING 🡒 
Malware for OS X: Full Chronicle
The number of malware targeting OS X has been growing along with popularity of this operating system. Few expected it (good protection and the need of root privileges created a sense of security), but now you can…
CONTINUE READING 🡒 
The Smallest Trojan of Modern Age
This Trojan could have easily got lost among thousands of its fellows in the craft, if there wasn't one overriding reason. You probably would agree that in today's world of gigabytes, gigahertz and hundreds of thousands of…
CONTINUE READING 🡒 
Spam with viruses
Spamming with malicious attachments is a popular way of malware spreading and infecting computers of Internet users. According to data of different antivirus companies, the share of messages with malicious attachments makes 3 to 5 percent in…
CONTINUE READING 🡒