Blue Coat recently announced their selection of Norman Shark’s Malware Analyzer G2 (MAG2), to provide advanced sandboxing technology as a key component of their new Content Analysis System, which offers a lifecycle approach to advanced threat protection. With the addition of MAG2’s technology to Blue Coat’s platform, customers will be able to
The Chinese backdoor trojan PlugX has been used in a number of attacks on various targets over the years. It has followed a long, gradual development, and is now considered one of the "usual suspects" whenever a Chinese-originated intrusion is indicated. The basic layout is that its main code is contained in a binary blob, which is loaded and ex
A few days back, Kaspersky blogged on “Brazilian bankers gone wild: now using malicious Office files”. They stated: New trick from cybercriminals of Brazil – a suspicious message arrives to the user with a file attached named “Comprovante_Internet_Banking.rtf”, translated from Portuguese it means “Receipt from Inter
Malware authors are clever, patient, well-funded, and relentless adversaries. They won’t stop until they achieve their objectives. If you’ve got data that they want, no defenses seemingly will prove sufficient. If you lock a door, they’ll come in a window. If you block the window, they’ll come down the chimney. If you plug the chi
Norman Shark has received an open letter from Bits of Freedom (www.bof.nl), requesting answers to four questions on our policy on the detection of software for state surveillance. We are happy to answer these questions. 1. Have you ever detected the use of software by any government (or state actor) for the purpose o
In Part 1 of this post I discussed what a decentralized domain name system is and how Necurs is using it to avoid take-down. Then I got busy with other regular work and did not do further analysis, but recently I got some time and performed further analysis that I will share in this blog post. Necurs is using decentralized top level domain '.
Recently, I attended Grrcon. Grrcon is an information security and hacking conference based in Grand Rapids, Michigan (grrcon.org). It was an interesting conference, because it managed to be small enough to have that close friends feel, but large enough to attract good speakers. Oh, and there was free beer. Amongst the free beer, there were some prese
Sometimes we come across targeted attacks a bit out of the ordinary. One such campaign I stumbled across the other day while going through some Malware Analyzer G2 screenshots. Contrary to regular malware, targeted malware is often visual, due to the need to social engineer the targeted person into thinking a normal document was opened. The
In November 2012 the Necurs malware came into the limelight when Microsoft reported 83000+ infections. After that it was not very active. Some time back it started to show activity again, and I started following new samples. As I was analyzing one of the samples I found something that I have never seen in any other malware. I checked some old samples
Most teams commonly utilize a particular set of tools to perform analysis on suspicious files. When reviewing a new tool, the team can see where it will help them in their day-to-day tasks, yet there is always the big “if”. This tool will help me a lot IF I can make it work with my existing tools and processes. No one wants to rebuild everythin
File MD5: c2db982fccf8d4ce960a3727a53128f7 VirusTotal 15/47 Detected as Generic Trojan Not all malicious samples are after your data. Some simply want to redirect your browser. Often this is less about stealing your data, and more about getting ‘hits’ on their website. Sometimes it’s an easy fix: change your home page, and it’s fine. Ot
Clicking buttons for a living With the huge and ever-growing volume of malicious samples we see today, automation has become increasingly important. Security vendors and companies with an interest in securing their networks expend more and more resources analyzing files and network traffic looking for malware, targeted attacks and other threats.
RSA recently announced the newest iteration of the banking Trojan “KINS” (see below). Despite its efforts at VM detection, this commercially available variant’s behavior was processed in our Malware Analyzer G2, including the rerunning of its dropped files and its active connection with C&C. Pictures or it didn't happen.
Information is Beautiful recently released a visualization of the “World’s Biggest Data Breaches” allowing for filtration between sector, tactic and sensitivity. Although this only displays the data of known breaches of more than 30,000 records, it is apparent that the concept of common-sector targets is no longer true. The data visualizatio
Unveiling an Indian Cyberattack Infrastructure Sunday, March 17th this year the Norwegian telecom corporation Telenor reported that they had suffered an intrusion into their computer networks. Based on information Telenor shared with the infosec community, Norman Shark on its own initiative started an investigation into the attack infrastruc
“Should I build it myself or buy off the shelf?” This is the classic question found in nearly every industry and across all technological eras. It extends equally to both the physical and virtual worlds, and involves multi-factor tradeoffs that necessarily include imperfect information, plus highly subjective value judgments concerning
IT security teams at federal government agencies and their cleared industrial contractors face a daunting series of challenges in securing their networks against modern malware intrusions, including advanced persistent threats (APTs) and advanced targeted attacks (ATAs). Their networks are prime targets for individual, political, nation-state and
Starting on February 3, our own Jason Carpenter, sales engineer and malware researcher at Norman Shark, began a trek even more grueling than analyzing the most pernicious threat. Jason is participating in the 2013 Yukon Arctic Ultra 300, an ultramarathon that follows the Yukon Quest trail, the route used by the world’s toughest dogsled race.
There have been many articles about infected USB drives spreading malware to sensitive systems. Recently, ICS-CERT assisted a power generation facility where both common and sophisticated malware had invaded the ICS environment. The discovery happened perchance. An employee was having issues with the USB drive’s operation and asked the IT team
As the year and congressional session closed without the passage of a comprehensive cyber security bill, the CEO of a non-profit cyber security intelligence organization weighs in on the role of legislation. Although he’s unauthorized to comment on the most recent efforts, the executive challenges the relevance of past legislation based on length
As we’ve been following the development of (and advocating for) the failed Cyber Security Act of 2012, a similarly worded amendment to the FY 2013 National Defense Authorization Act (NDAA) has been brewing within the Senate. Just as last year’s Cyber Security Act would apply to critical infrastructure and financial institutions, Senator Carl Le
The CEO of a leading non-profit cybersecurity organization speaks out about the challenges associated with determining malware criminality in the newest episode of “Inside Network Security.” This expert was eager to participate in Norman Shark’s video series, but asked for anonymity, to ensure hacktivists would be unable to discover and threa
If universities fail to include cyber security in the control system curriculum, how can we ensure full protection of critical infrastructure? In the tenth episode of our cyber security awareness video series, “Inside Network Security: Cybercrime, Malware and Today’s Emerging Threats,” returning guest Joe Weiss expresses concern about the
In the ninth episode of our video series, “Inside Network Security,” Managing Partner of Applied Control Solutions, Joe Weiss, shares five tips for senior management to protect industrial control systems against today’s most advanced malware threats. In the full episode, Weiss offers details on each recommended action, but here are some highl
Recently, media reported of a targeted attack against the Israeli government, in the form of emails purporting to come from IDF Chief of Staff Benny Gantz, where the email contained a malicious attachment. We located this file. It was signed with a fake digital certificate. In the following investigation we first found several other trojans simi
Samples we receive are routinely sent to automatic processing in our in-house Malware Analyzer G2 systems. I often sift through these looking for interesting details. One of the things I keep looking for is whether the sample displays information to the user. Normal malware usually tries to be invisible. Targeted malware, on the other hand, usually
Gh0st Rat is an open source backdoor trojan (or “Remote Administration Tool”) that has been used in a large number of incidents, many of which have been targeted attacks. It is famed for being used in the espionage operation called “GhostNet”. It is originally Chinese, which naturally means that it is popular among Chinese hackers.
DistTrack is an overwriting malware rumored to be behind destructive actions in the Middle East. Some report it to be used in targeted attacks against companies in the energy sector. The initial executable is a 32-bit Windows executable, 989184 bytes long. When run, it installs itself as a service using the name TRKSVR.EXE in the Windows system
I recently got asked on twitter about whether I had plans to release the plugin that produced the graphs seen in the “Zbot Illustrated” blog post. This is a side project I have been working on for creating call graphs for IDA. These call graphs are pretty useless for understanding the code on the microscopic level, instead they try to make s
A while ago, Kaspersky labs found what we all should have seen before – namely that an older version of Stuxnet contained a file (atmpsvcn.ocx) which essentially is a Flamer plugin. Apart from that, Stuxnet and Flamer are rather different in code. Or are they? I was looking at the Stuxnet PLC hooking DLL, s7otbxdx.dll, as I needed to extra
TL;DR: IDAPython Flamer string decoder script available from here: http://download01.norman.no/blog/flamedec.py Modify as you see fit. When analyzing complex malwares like Flamer it is necessary to find the strings used by the malware, as they contain essential information about what the malware is trying to do. In the Flamer case, these s
Despite reports that digitally signed malware is becoming more common, it still calls for a bit of attention when a new stolen certificate is found. Much signed malware is either signed with a certificate which is known to be on the loose, signed with a self-signed (and thus untrusted) certificate, or validly signed because the malware can be cons
In a series of blog posts our colleagues at Trend and AlienVault have detailed recent attacks on NGOs, and how trojanized RTF files have been used as vehicles to plant various remote access trojans on unsuspecting users using the CVE-2012-0158 vulnerability. In addition, they both mention that apparently stolen digital certificates have been