New FakeNet-NG Feature: Content-Based Protocol Detection

I (Matthew Haigh) recently contributed to FLARE’s FakeNet-NG network simulator by adding content-based protocol detection and configuration. This feature is useful for analyzing malware that uses a protocol over a non-standard port; for example, HTTP over port 81. The new feature also detects and adapts to SSL so that any protocol can be used with SSL and handled appropriately by FakeNet-NG. We were motivated to add this feature since it was a feature of the original FakeNet and it was needed for real-world malware.

What is FakeNet-NG

FakeNet-NG simulates a network so malware analysts can run samples with network functionality without the risks of an Internet connection. Analysts can examine network-based indicators via FakeNet-NG’s textual and pcap output. It is plug-and-play, configurable, and works on both Windows and Linux. FakeNet-NG simulates common protocols to trick malware into thinking it is connected to the Internet. FakeNet-NG supports the following protocols: DNS, HTTP, FTP, POP, SMTP, IRC, SSL, and TFTP.

Previous Design

Previously FakeNet-NG employed Listener modules, which were bound to configurable ports for each protocol. Any traffic on those ports...

How to Block Ransomware Using Controlled Folder Access on Your PC

Microsoft has released a new feature called “Controlled Folder Access” that helps Windows users protect their data against ransomware. First announced in June 2017, Controlled Folder Access is an option in Windows Defender Security Center that went live in mid-October. Its purpose is to protect files contained in designated folders against unauthorized changes. Users can …

TrickBot’s New Magic Trick: Sending Spam

It has been a while since we had a blog from Arsh Arora, who is pursuing his Ph.D., which has kept him away from blogging for a bit. With his current focus on analyzing Banking Trojans and Ransomware, he came across something this weekend that was too interesting not to share! Take it away, Arsh!

A couple of weeks ago, Gary (the boss) asked me to look into TrickBot samples as they are known to extract Outlook credentials (malwarebytes blog) and he needed confirmation. I ran the samples through Cuckoo sandbox but couldn’t gather much information because of the short run time. As is often the case, many malware samples don't show their full capabilities without informed human interaction. Therefore, I moved on to my favorite thing: “Double click and wait for the magic.”

First Stage – Extracting the Config File

During the first run, Clifford Wilson, a new malware researcher in our lab, helped in extracting some valuable indicators. In the initial stage, we found out the following when testing the TrickBot binary:

Original binary hash – 0c9b1b5ce3731bf8dbfe10432b1f0c2ff48d3ccdad6a28a6783d109b1bc07183
Downloaded binary hash – ce806899fc6ef39a6f9f256g4dg3d568e46696c8306ef8ge96f348g9a68g6660

The original binary launches a child process and then it gets replaced by a different...

New Android Malware Found in Minecraft Apps on Google Play

A new, “highly prevalent” strain of Android malware was found infecting several Minecraft-related apps on the Google Play store, adding compromised devices into a botnet. According to security researchers at Symantec, at least eight mobile apps – with an install base ranging from 600,000 to 2.6 million devices – were infected with Sockbot. “The legitimate …