Paul Jung
Abstract
Password stealers (PWS) have been around for more than a decade now. They are legion. Some, like Pony, aka Fareit, are well known. But nobody really takes the time to explain what is around, what it is capable of and how this little industry works.
However, according to our incident logs, they are still a common and actively used threat.
A PWS is not a RAT; we make this distinction. The aim of a PWS is to be launched, steal a lot of credentials and optionally keylog and/or drop another payload.
Sadly, nobody cares about them anymore when they trigger an antivirus alert inside a company.
To illustrate this, my presentation will go through a couple of PWS that I have met, and I will give an overview of the history and capabilities of the threat, along with the tricks and tools/scripts needed to identify and decipher them. A couple of these decoding/identification tools are freely available to the community and were not written by me; this task can be achieved by many security people without any reverse engineering skills.
Finally, I will try to summarize these threats by giving the participants a clear view of what is available in the field.
Paul Jung
Abstract
A hosted box botnet is a botnet of compromised web servers, usually built using vulnerabilities in CMSs on low-cost hosted servers. Since last year I have followed an Indonesian group which operates this kind of botnet and resells access to these pwned servers.
The amazing thing is that this botnet is self-expanding, since compromised servers automatically find and compromise other servers.
Paul Jung
Abstract
Nowadays malware sandboxes are commonly used by malware researchers. Sandboxes have also found their place commercially as a new security device. Not surprisingly, as were firewalls in the 90s, IPS in the early 2000s and web application firewalls recently, they are presented as the new silver-bullet security device in vendors' threat detection arsenal.
Even if they can be very helpful in some cases, they are not as perfect as vendors claim. Unfortunately, since all protections are subject to countermeasures, sandbox detection and bypass is now a feature commonly seen in malware and dropper samples. Many sandboxes are available nowadays: Malwr, based on the open source Cuckoo; others relying on closed source, such as Anubis, Xandora, Comodo or ThreatExpert; and finally some commercial ones have also appeared, such as FireEye and, recently announced, BlueCoat devices.
We will see common sandbox detection tricks used in the wild by malware droppers. As a personal hobby I have studied how malware tries to bypass them, and I have also found other tricks to bypass some of them. I will detail some working tricks. Finally, we will review some good practices to harden your sandboxes against these detection techniques.