Most new articles on high profile cyberattacks call these attacks sophisticated, but are they really? At the RSA 2015 conference a few days ago, researchers Ira Winkler and Araceli Treu Gomes, wrote ‘the Irari rules for declaring a cyberattack sophisticated’. The summary article can be found here, and the conference slide pack here. The main message is just because the cyber attackers managed a large successful attack (such as the Sony breach), does not make it sophisticated. Sophisticated means it defeated security defences and was undetected until perhaps too late. We don’t call a burglar sophisticated if they managed to steal everything valuable out of a building if the doors where left unlocked, the codes for the vault were written on a post-it above it and the security alarms were easily turned off. Therefore, just because a piece of malware was able to wipe out all computers, exfiltrate a huge amount of data, commit fraud and cause all sorts of damage does not mean it did anything clever – it may mean that the victim just had poor security controls.

Read full article

6 years ago (yikes!) I wrote about image steganography as a concept. At the moment there are a couple of pieces of malware that use steganography, such as Vawtrak (aka Neverquest) and ZeuS, to hide the command and control servers (C&C) or configuration files in images. This means that the malware does not need to contain a static list of C&Cs which will become old quickly, but can just download an innocent looking image from the internet; decode the hidden message and then connect out. The advantages are that the image can be refreshed with C&C data without having to recompile the malware; and the images can be hidden in plain sight; e.g. on legitimate message boards.

Read full article

Have you ever wondered how some malware variants are able to delete themselves? A malicious executable is launched on a machine, and once launched in memory, the executable vanishes. This makes malware analysis very hard if no memory dump was taken, as there is seemingly nothing there. We can however use other artefacts to confirm the running of a non-existent file, such as by looking at the Prefetch files, User Assist files and certain registry entries.

Read full article

Read full article

I recently discovered a wonderful unicode character that makes the following text reverse called right-to-left-override. For example: print "Hello[U+202E]World", produces the output: Hello dlroW. I'm not sure of what legitimate reason you would use the unicode character, but several blogs have warned that it can be used by malware writers to get people to click on files. Most people are wary that .exe files might be harmful, but extensions like JPG and other images are generally not. You can 'trick' a user into thinking a file is a JPG by using this special unicode character. If you named your malware executable ClickHer[U+202E]gpj.exe for example, you'd end up with a file called ClickHerexe.jpg.

Read full article