DeepSec2020 Talk: What’s Up Doc? – Self Learning Sandboxes to Defeat Modern Malwares Using RSA: Rapid Static Analysis – Shyam Sundar Ramaswami

Sanna/ October 30, 2020/ Conference/ 0 comments

“Catch me if you can!” is the right phrase to describe today’s malware genre. Malwares have become more stealthy, deadly and authors have become more wiser too. What if sandboxes started performing rapid static analysis on malware files and passed on the metadata to spin a sandbox environment based on malware attributes and the malware does not evade? Well, the talk deals with about how to do RSA (Rapid Static Analysis, i coined it), pass on the attributes and how we defeat modern malwares by dynamically spinning sandboxes. RSA embedded in “H.E.L.E.N” and “Dummy” and how we extracted the real IOC from Ryuk forms the rest of the talk and story! The talk also covers how these key “attributes” that are extracted are used for ML, how we build bipartite graphs, build instruction based

Read More

Status Update with regard to the current Sars-Cov-2 / Covid-19 Emergency

René Pfeiffer/ March 16, 2020/ Administrivia

We wrote in an earlier blog article about the current Sars-Cov-2 / Covid-19 emergency. Mathematics and biology didn’t stop, so you (hopefully) live in an area with restrictions regarding crowds and place where people can’t keep a safe distance. We, the organisation team of DeepSec, are in close contact with peers, members of the community, and reliable sources of information regarding countermeasures by the Austrian government. Given the current state of affairs the November dates of our events are still in the far future. This means that nothing has changed for our plans. Our calls for papers are still open. The only change will be no marketing messages and advertising for DeepSec and DeepINTEL. We don’t think that a crisis should be used for one’s own advantage. Please stick to facts and verified sources

Read More

DeepSec 2019 Talk: Saving Private Brian – Michael Burke

Sanna/ November 5, 2019/ Conference

This talk will be given as the story of Brian, an aid worker operating in a hostile third country. When he’s stopped going in at the border he had his iPhone taken from him and then returned to him 15 minutes later. Now he can’t be sure if any malware was implanted on his device. Malware that could compromise him, his organisation and anyone who co-operates with him. He needs his phone to do his work but should he stop using it instead? Are all his contacts already compromised? Should he warn them and should he use his phone to do so? And will he and his phone be tracked to any in-person meetings? iOS malware is rare, advanced and difficult to detect when deployed. I will talk through the above scenario on the

Read More

DeepSec 2019 Talk: “The Daily Malware Grind” – Looking Beyond the Cybers – Tim Berghoff, Hauke Gierow

Sanna/ October 8, 2019/ Conference

Given the noise generated around all the “sexy” and no doubt interesting topics like 0days, APT, and nation state-sponsored threat actors it is easy to miss what is really going on out there, in the world of Joe Average. Actual telemetry data paints a picture that is in many respects different from what happens in a lot of the news coverage. Much of the malware out there, including some that is attributed to some sort of APT, is nowhere near anything that might be considered “sophisticated”. In this talk we will shine a light on different aspects of the realities of home users as well as companies, and offer some interesting data about the malware that actually does the most damage, while precious few get all the press. We asked Tim and Hauke a

Read More

DeepSec 2019 Talk: The Turtle Gone Ninja – Investigation of an Unusual Crypto-Mining Campaign – Ophir Harpaz

Sanna/ September 20, 2019/ Conference, Security

Despite the absence of blockchain and „crypto“ at DeepSec we have some content which covers security incidents connected to both terms. Ophir Harpaz will present her insights into an attack that is used to do „crypto“ mining. She describes what to expect in her own words: At first sight, Nansh0u is yet another attack campaign aiming to mine a marginal crypto-currency named TurtleCoin. However, things get much more interesting once you gain full access to the attacker’s infrastructure. Our investigation revealed a complete picture of how the Nansh0u campaign operates, who the infected victims are and what advanced tools are used in the attacks. Port scanner, brute-force module, remote-code execution tool, verbose log files and tens of different malware payloads – these are only a portion of the attacker’s assets we managed to put

Read More

Translated Press Release: Systemic Errors as Vulnerabilities – Backdoors and Trojan Horses

René Pfeiffer/ October 9, 2018/ Conference, Discussion, Press, Security

DeepSec and Privacy Week highlight consequences of backdoors in IT Vienna (pts009/09.10.2018/09:15) – Ever since the first messages were sent, people try to intercept them. Today, our modern communication society writes more small, digital notes than one can read along. Everything is protected with methods of mathematics – encryption is omnipresent on the Internet. The state of security technology is the so-called end-to-end encryption, where only the communication partners have access to the conversation content or messages. Third parties can not read along, regardless of the situation. The introduction of this technology has led to a battle between security researchers, privacy advocates and investigators. Kick down doors with Horses In end-to-end encryption the keys to the messages, as well as the content itself, remain on the terminal devices involved in the conversation. This is

Read More

DeepSec 2018 Talk: Dissecting The Boot Sector: The Hunt for Ransomware in the Boot Process – Raul Alvarez

Sanna/ October 4, 2018/ Conference, Security

Ransomware is as cyber as it gets these days. It’s all over the news, and it is a lucrative business case. Modern malicious software has been put to work for its masters. It is the platform of deployment for a whole variety of additional code. So why is ransomware not the same as any other malicious software? Raul Alvarez will explain this to you at DeepSec 2018: Ransomware slightly differs in their attack vectors, encryption algorithms, and selection of files to encrypt. A common ransomware technique is to encrypt files and hold it for ransom. Petya ransomware does the infection a bit different from the others. Instead of encrypting files, it encrypts the MFT, Master File Table, which contains the metadata and headers for each file in the system. Another trait of this malware

Read More

DeepSec 2018 Training: Malware Analysis Intro – Christian Wojner

Sanna/ September 28, 2018/ Conference, Security, Training

With malware (malicious software) featuring crypto-trojans (ransomware), banking-trojans, information- and credential-stealers, bot-nets of various specifications, and, last but not least, industry- or even state-driven cyber espionage, the analysis of this kind of software ıs becoming more and more important these days. With a naturally strong focus on Microsoft Windows based systems this entertaining first-contact workshop introduces you to one of the most demanding but nonetheless compelling fields in IT-Security. We asked Christian a few more questions about his talk. Please tell us the main facts about your training. This training is for every IT (Security) person who wants/needs to have their first encounter with the stunning field of malware analysis. On the basis of an especially designed, exciting scenario blended with various technical detours packed into a 6-stages workshop, students will… learn how easy

Read More

DeepSec 2017 Talk: Who Hid My Desktop – Deep Dive Into hVNC – Or Safran & Pavel Asinovsky

Sanna/ October 17, 2017/ Conference

Seeing is believing. If you sit in front of your desktop and everything looks as it should look, then you are not in the Matrix, right? Right? Well, maybe. Manipulating the surface to make something to look similar is a technique also used by phishing, spammers, and social engineers. But what if the attacker sitting on your computer does not need to see what you see? Enter hidden virtual network computing where malicious software controls your system, and you don’t know about it. Since the past decade, financial institutions are increasingly faced with the problem of malware stealing hefty amounts of money by performing fraudulent fund transfers from their customers’ online banking accounts. Many vendors attempt to solve this issue by developing sophisticated products for classifying or risk scoring each transaction. Often, identifying legitimate

Read More

DeepSec 2017 Talk: Uncovering And Visualizing Botnet Infrastructure And Behavior – Andrea Scarfo & Josh Pyorre

Sanna/ September 28, 2017/ Conference, Internet

When you read about information security, then you might get the impression that there are lots of nameless threats Out There™. Especially when it comes to networked malicious software, i.e. malware, that forms robot armies, the picture gets a lot more vague and foggy. So you need to get some details to sharpen your view. There are some means how to do this, and you will be told at DeepSec 2017 by Andrea Scarfo and Josh Pyorre. How much information about a botnet can one find using a single IP address, domain name or indicator of compromise (IOC)? What kind of behavior can be determined when looking at attacker and victim infrastructure? In an attempt to discover and analyze the infrastructure behind large-scale malware activity, Andrea and Josh began their research with known indicators

Read More

DeepSec 2017 Talk: Malware Analysis: A Machine Learning Approach – Chiheb Chebbi

Sanna/ August 26, 2017/ Conference, Security

Software has a character. It can be beneficial. It can also be malicious. A networked business world and the Internet of connected individuals make life for malicious software, also known as malware, easier. Just like international travel facilitates the spread of diseases and parasites, the networked globe is a big advantage for malware. Researcher can hardly keep up with the numbers of detected viruses, worms, and trojan horses. So why not let machines look for malware on their own? Certainly automation already benefits the hunt for malicious code. Chiheb Chebbi has some ideas that can help. Threats are a growing problem for people and organizations across the globe. With millions of malicious programs in the wild it has become hard to detect zero-day attacks and polymorphic viruses.This is why the need for machine learning-based

Read More

Mythbusting: Anti-Virus Research considered dangerous

Sanna/ August 18, 2017/ High Entropy, Internet, Security Intelligence, Stories

Everyone doing research in information security or doing any work in this field takes some risks. Since most of the „cyber stuff“ is black magic to others not working in this context, there are a lot of problems and severe misunderstandings. The Crypto Wars still haven’t been decided in favour of mathematics. Real people prefer end-to-end encryption over insecure communication all of the time. Proposals of severely damaging information security for all of us by using sanctioned malicious software are still being debated in parliaments. Backdoors, covert or otherwise, are no line of any defence, as many military strategists will readily tell you. Marcus Hutchins was in the news recently, because of claims that he developed a strand of malware tied to attacks on financial institutions. While you can debate all you want about

Read More

Decline of the Scientific Method: New (Austrian) “Trojan” Law without Technical Expertise

Sanna/ August 3, 2017/ Discussion, High Entropy, Security

The Crypto Wars are still raging despite everyone relying on secure communication. Everyone means everyone. The good thing is that mathematics still works, even though some people wouldn’t want it to. The latest cryptographic review comes from Amber Rudd, the current UK Home Secretary. She said recently: “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.” The corollary in turn states that DeepSec conferences aren’t attended by real people. Since we are not yet a purely robot-based event, there is something wrong with this approach to secure communication. The common denominator is simply the lack of technical expertise. There is no surprise there. Ever since the Internet was discovered by the rest of the world (which was in the 1990s, don’t get fooled by web sites who

Read More

Malicious Software explores new Business Models – Politics

René Pfeiffer/ July 19, 2017/ Discussion, Internet, Security

Malicious software has become a major component of criminal business and geopolitics. In addition it is a convenient explanation for anything one does not want to investigate. Since code always come from somewhere you have to ask yourself many more questions when it comes to infected networks and compromised hosts. What is the agenda of the day? Journalist Erich Moechel has written an article about the arms race regarding malicious software. We have translated the original text from German to English. Expect the state of cyber in your network to rise in the course of the next years. Arms race with Malicious Software enters a dangerous Phase The enormous damage done by “Petya” and “WannaCry” can be traced back to a single, reworked tool from the leaked NSA pool of the “Shadow Brokers”. Experts

Read More

Wannacry, Code Red, and „Cyber“ Warfare

René Pfeiffer/ May 14, 2017/ High Entropy, Security

Society and businesses increasingly rely on networked infrastructure. This is not news. Worms that used networks to spread to new hosts in order to infect them is also not news. Code Red did this back in 2001. There is a new worm going around. Its name is Wannacry, and it is allegedly based on published attack code developed by the NSA. The malicious software is delivered by email. After successful installation it infects the host and propagates to other systems by using probes to port 139/TCP, 445/TCP and 3389/TCP. It belongs to the class of ransomware, encrypting files and demanding ransom. Thousands of infected systems are still active. The attack is still ongoing. If you are in doubt if you have compromised systems within your network, we recommend taking a look at how to

Read More