Ethical Hacking, Malware Analysis, Disinfection Techniques and more...

CVE-2023-34096: Path Traversal Vulnerability in Thruk Monitoring Web Interface

2023-06-08T15:51:00.036-05:00

Important Note: All of the findings listed here were previously reported to the manufacturer of the software.

As part of the responsible disclosure policy, we waited for a response of the manufacturer (confirming the vulnerability, issuing a patch, or accepting that they won't solve the finding) before sharing this post.

Introduction

During a Penetration Test performed to a Security Company I was able to identify certain findings that could affect the popular Thruk Monitoring Web Interface. So, after analyzing the GitHub repository and performing some tests on the target environment, I was able to identify and exploit the vulnerabilities, then I reported these issues to the manufacturer.

Summary

The file panorama.pm is vulnerable to a Path Traversal Vulnerability which allows a remote authenticated attacker to upload arbitrary files to any folder which has write permissions on the affected system. This vulnerability affects all versions of Thruk even the one that was recently published (<=3.06) in May 24, 2023.

Details

The parameter "location" is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (.) and the slash (/).

This was verified by analyzing in detail the GitHub repository and the source files.

In this step, the location is received from the parameters sent by the client through the web request and there is no sanitization at all.

Then, the variable folder is constructed doing a basic concatenation without any sanitization.

Next, the folder variable is concatenated with the filename and its result is stored in the newlocation variable, again no sanitization at all.

Finally, here the uploaded file is moved to the desired folder.

Through this flow, it is easy to see that due to the lack of sanitization we can manipulate the location parameter and exploit a Path Traversal vulnerability to upload a file to any folder we want.

Proof of Concept (PoC)

Go to the form where we can upload an image that will be used as background for a Dashboard.
Select any file with the allowed extensions and intercept the request with Burp Suite.
Modify the location parameter which is the backgrounds/ string and replace it with something like backgrounds/../../../../tmp/
You will receive a message that the file was uploaded successfully.
Check your /tmp/ folder and verify the presence of the file.

As part of the PoC, I decided to include the following screenshots.

Normal Case

In this first screenshot I included the normal request where a file will be uploaded to a folder where the current user does not have any write permissions, and I received an error message.

Path Traversal Exploitation

In this second screenshot I included the manipulated request where the path traversal vulnerability is being exploited to upload the file to /tmp/ folder, as you can see I received a success message.

CVSS

The NIST NVD assigned a CVSS 3.1 Score of 8.8 (High) to this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The CNA GitHub, Inc. assigned a CVSS 3.1 Score of 6.5 (Medium) to this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Check NIST NVD for further details.

Impact

A Path Traversal vulnerability allows an attacker to upload arbitrary files to the server. The attacker can overwrite existing files on the system and cause a defacement (replacing legitimate images on the web server) or simply can upload random files to fill the disk completely and affect the availability and correct status of the platform.

It is well known that a Path Traversal Vulnerability in certain cases can allow an attacker to upload a webshell and gain Remote Code Execution (RCE) on the affected host, which could lead to a Complete System Takeover.

This vulnerability affects all versions of Thruk even the one that was published 15 days ago (3.06) in May 24, 2023; so the impact is bigger as this issue affects all instances of Thruk around the world.

This was reported through a Security Advisory via GitHub. You can find the security advisory report and other useful references in the following links:

Vulnerability Summary

Assigned CVE: CVE-2023-34096
CVE Author: Galoget Latorre (@galoget)
Severity (NIST): 8.8 High
Severity (GitHub): 6.5 Medium
Type: Path Traversal
Product: Thruk Monitoring Web Interface
Affected Versions: All versions <= 3.06
Patched Version: 3.06-2

Timeline

2023-05-25: This vulnerability was identified by Galoget Latorre.
2023-06-02: Initial contact with maintainer via GitHub Security Advisory including vulnerability details and Proof of Concept (PoC).
2023-06-05: CVE-2023-34096 is assigned.
2023-06-06: Maintainer releases a patch with version 3.06-2, see Thruk's Changelog.
2023-06-08: GitHub Security Advisory is released by maintainer.
2023-06-08: Security advisory (this blog post) is released by Galoget Latorre.
2023-06-08: Exploit PoC is released by Galoget Latorre.
2023-06-09: Exploit PoC is shared by Exploit Database (Exploit-DB).
2023-06-09: Exploit PoC is shared by Packet Storm Security.

Credits

This security vulnerability was identified by Galoget Latorre, Security Consultant (Pentester) at Hackem Cybersecurity Research Group and Dreamlab Technologies.

Cracking Passwords: Brute-force Attack with Hydra (CLI) + xHydra (GTK)

2018-01-08T07:32:00.005-05:00

Recently on Security StackExchange, I saw a lot of people asking how to use properly THC Hydra for Password Cracking, so in this post I'm going to explain how to install the command line utility, and also how to install the graphical user interface (GUI) for it. Then you can find step by step instructions on how to use this tool properly to attack an http-form-post that simulates a Login form for a corporate website. Hope you enjoy this post as much as I did when I was writing it.

How to Install THC Hydra on GNU Linux?

Debian-based distributions (Ubuntu, Linux Mint, Linux Lite):

If you're using a Debian-based GNU Linux distribution, you can easily install the tool and the GUI using the following command:

galoget@hackem:~$ sudo apt-get install hydra hydra-gtk

Figure 1. Installing hydra and hydra-gtk in Ubuntu

RPM-based distributions (Red Hat, CentOS, Fedora):

On the other hand, if you're using a RPM-based GNU Linux distribution, then you have to use this command:

[galoget@hackem ~]$ sudo dnf install hydra

Figure 2. Installing hydra in Fedora (hydra-gtk not available)

Analyzing our Target Website

In this step, we're going to analyze our target website from an attacker perspective, after this process, we'll use the collected information to prepare our attack.

Figure 3. Target's website login form

Information extracted:

Host: hackem

Login form path: /hydra/login.php

Now, let's check the source code to get more details about the web app:

Figure 4: Source code of the target's website login form

From Figure 4, we can extract the following information:

Form action: auth.php

Method: POST

Name attribute of username field: uname

Name attribute of password field: psw

This is almost all the information we need to start our attack, let's see some basic behavior of the web app:

Figure 5. Login into the web app, username: galoget, password: hackem

When we use the real credentials for our web app, the we get the message "Access Granted", otherwise we get the message "Access Denied", this last message is the one that is available for the attacker to see, and this is the last piece of information we need to start our password cracking attack.

Figure 6. Success Case, logging in with a registered user in the system

Figure 7. Fail Case, logging in with an unknown user for the system

Brute-forcing with hydra (CLI)

At this stage we need to use all the collected information to fill all the required parameters in THC Hydra, the basic structure is:

hydra <HOSTNAME> <PROTOCOL/METHOD> -m "</PATH/TO/AUTH/FILE>:<USERNAME_FIELD>=^USER^&<PASSWORD_FIELD>=^PASS^:<ERROR_MESSAGE>" -L listOfUsers.txt -P listOfPasswords.txt -t 10 -w 30 -o <OUTPUT_FILENAME>

<HOSTNAME>: URL or IP address of your target, DON'T USE http:// or https:// in this field.

<PROTOCOL/METHOD>: The type of attack/protocol that you want to use.

</PATH/TO/AUTH/FILE>: Path to the file that receives the form data.

<USERNAME_FIELD>: Name attribute of username field.

<PASSWORD_FIELD>: Name attribute of password field.

<ERROR_MESSAGE>: The error message that you get when the login process fails, so Hydra could keep trying and identify when the brute-force attack succeeds.

<OUTPUT_FILENAME>: The filename where you're going to save the results of the attack.

Our complete command (ready to COPY & PASTE) with all the required parameters should look like this (Valid for Debian-based and RPM-based GNU Linux distributions):

galoget@hackem:~$ hydra hackem http-form-post -m "/hydra/auth.php:uname=^USER^&psw=^PASS^:Access Denied" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt

After executing the attack, we can see our results in the following image.

Figure 8. Executing hydra with all the required parameters, at this point we're brute-forcing the authentication process in our target's website

In Figure 8, you can see that we succeed on cracking the login form authentication, and as I mentioned before, the username was galoget and the password was hackem. We can also check our logfile with the cat command.

Figure 9. Checking our hydra's logfile

Update (08-Jan-2018):

Some users asked me how to make the tool works if the error message is: "Error: Cannot find user record", see the image below:

Figure A. Fail Case Updated, logging in with an unknown user for the system

The easiest way to avoid the ":" conflict is to use just some part of the error message, so our command will be:

galoget@hackem:~$ hydra hackem http-form-post -m "/hydra/auth.php:uname=^USER^&psw=^PASS^:Cannot find user record" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt

Figure B. Executing hydra as in Figure 8, but using a partial error message

Other option could be to escape that character, in that case the command will be:

galoget@hackem:~$ hydra hackem http-form-post -m "/hydra/auth.php:uname=^USER^&psw=^PASS^:Error\: Cannot find user record" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt

Figure C. Executing hydra as in Figure 8, but escaping the special character, this means using the complete error message in our command.

As you can see on the figures, it works in both cases, so just use the one that makes you feel more comfortable.

Continuing with the post, in case you were wondering what was the content inside users.txt and pass.txt, here they are:

Figure 10. Content of users.txt file

Figure 11. Content of pass.txt file

If we change the password for the user galoget to any random string that is not present in our *.txt files, then the output of executing the attack again will be something similar to this.

Figure 12. Hydra attack results with no success (the password was not in the dictionary)

But what happens if you actually find not just one, but many valid logins, then the output will be very similar to this:

Figure 13. Hydra attack results with 2 valid logins

Brute-forcing with xHydra (GUI/GTK)

Now, we're going to repeat the same process, but using the graphical user interface (hydra-gtk).

First, we search for Hydra in our system, it depends on what distribution you're using, but in the worst case scenario that you can't find it, open it with a terminal by writing: hydra-gtk

Figure 14. Searching for Hydra GTK (xHydra) in Ubuntu

After opening the app, we need to fill the same parameters that we used in the CLI version of hydra, in the following picture you can see 2 important details that are required to be filled (Single Target, Protocol):

Figure 15. Target tab parameters for xHydra in Ubuntu

In the second tab, we need to set the routes to the users.txt and pass.txt files and also we can set some options to try more attempts (Try login as password, Try empty password, Try reverse login).

Figure 16. Passwords tab parameters for xHydra in Ubuntu

Then we pass to the Tuning tab, where you can set the number of tasks that you may want to execute in your machine, this depends on the hardware capabilities of your computer. Also we set a timeout in case the website is not responding to our requests. We're not using a proxy so ignore that part.

Figure 17. Tuning tab parameters for xHydra in Ubuntu

The next tab is called "Specific", here the only required parameter is the http/https url, please refer to the image below for a better understanding:

Figure 18. Specific tab parameters for xHydra in Ubuntu

We're all set, now let's take a look at the "Start" tab, it is empty before we launch our attack.

Figure 19. Start tab of xHydra in Ubuntu before launching the attack

Finally, after executing our attack, we can see some output, that is the same we got with the CLI utility, the username was galoget and the password was hackem.

Figure 20. Start tab of xHydra in Ubuntu after launching the attack, 1 valid login found

If you want to compare the command that we had in the CLI utility with the one generated in our GUI utility, please see the image below, at the end of the app is the command that you're searching for.

Figure 21. Start tab expanded of xHydra after the attack, 1 valid login found

As you can see in this demo, the time required to bruteforce a login form is pretty small, that's why it is recommended to have strong and unique passwords, with words/phrases that are difficult to find on dictionaries online.

Hope you liked this post, if you have any recommendation or if you find a mistake, please leave a comment.

Happy Password Cracking!! :D

Blitz CTF 001 Writeup (Step by Step Solutions) [CTF365]

2017-12-04T03:04:00.000-05:00

A few days ago, we received an invitation to the BlitzCTF001, a very short and fast cybersecurity CTF. The challenges contained in this CTF covers: Crypto (Encoding), SQLi, Broken Access Control, Session Manipulation and Steganography.

In our opinion, the challenges are interesting and entertaining, especially to learn about web application security, so we decided to share the solutions (just in case that you got stuck in some level), hope you like and enjoy them as we did.

Level 01

After signing in into your personal account, the first screen shown looks like a standard GNU/Linux shell. After trying some basic commands we can see that there are 2 files: README and challenge1.txt, in the figure below we can see the content of both files.

Figure 1. Content of "README" and "challenge1.txt" files

The content of the file challenge1.txt looks like and hex-encoded string, but before trying to decode it, we proceed to check the source code of the "shell" to look for any hints. At this point we realize that it's nothing close to a shell, because it has the print statements for each command, and there are only 17 cases for the commands available.

Figure 2. Source code of the "Shell", here we can see the print statements for each command

After checking this, we can assume that this "shell" can't accept our flag because of its obvious limitations, so it has to be another URL that may be encoded on the the hex-encoded string, so let's try to convert it to normal text.

Initial hex-encoded string:
3364203435203664203561203638203465203534203464203330203535203537203561203737203539203537203466203638203331203639203539203739203431203434203466203734203633203534203561203738203435203534203463203331203535203664203539203662203331203433203464203739203539203434203464203332203435203664203464203330203338203433203634203663203461203333203539203663203465203333203463203734203339203332203539203735203535203661203465203761203539203437203634203661203335203639203635203330203663203437203632203639203339203739203463203336203431203438203634203330203638203437203439203736203532203438203439203736203634203435203439203638203464203438203634203638203461203333203561203735203339203332203531

We are going to use xxd and echo with a pipe in a bash shell to get the result:

Figure 3. Decoding the initial hex-encoded string

The result of decoding the hex-encoded string is another hex-encoded string, so we repeat the same process again:

The result (another hex-encoded string):
3d456d5a684e544d3055575a7759574f683169597941444f7463545a7845544c31556d596b31434d7959444d32456d4d303843646c4a33596c4e334c7439325975556a4e7a5947646a356965306c47626939794c36414864306847497652484976644549684d4864684a335a75393251

Figure 4. Decoding the 2nd hex-encoded string

Now, we get something similar to a Base 64 encoded string, but if we try to decode it right now, we are going to get an invalid result, because it's reversed, so let's flip it around. For these part of the solution, we are going to use python (reversing and decoding the string), for decoding it, we'll use the base64 module.

The string that appears to be a Base64 encoded string:
=EmZhNTM0UWZwYWOh1iYyADOtcTZxETL1UmYk1CMyYDM2EmM08CdlJ3YlN3Lt92YuUjNzYGdj5ie0lGbi9yL6AHd0hGIvRHIvdEIhMHdhJ3Zu92Q

Figure 5. Reversing the last string and decoding it

Finally!, we got the Flag, It's a secret URL, let's open it to confirm our success:
http://blitz.ctf365.com/secret/42a60620-dbe5-11e7-802b-a9f0ee413afa

Figure 6. Success on Level 01

Yaaay!, now let's continue, by pressing the "next challenge >" button.

Level 02

The 2nd level receives us with a Login Form, after checking the source code we found nothing, so let's to try one of the most common vulnerabilities in web apps (from OWASP TOP 10): SQL Injection.

Figure 7. Login form for the 2nd level, let's try SQLi attacks

Figure 8. Source code of Level 02 login page

After some attempts with various combinatios we bypassed the login form, just have to set both, the username and the password to an expression that always evaluate to true like " OR 1=1# and we're done with this level.

Figure 9. Correct combination for bypassing the Login form

Figure 10. Success on Level 02

Level 03

The 3rd level receives us with a message that says: "You’re not authorized to access this page. Are you an admin?", there is no login form to fill, so we can assume that this level is related with Cookie Manipulation, let's have a look at our cookies.

Figure 11. Checking the Cookies and its values

As we can see, the value for the userRole is just "user", so let's change it to "admin" in order to become Administrators, and then, refresh the page!!

Figure 12. Success on Level 03

Level 04

The 4th and last level starts with a form where you're supposed to enter the flag, there are some messages but they are not related with the solution, so let's check the source code.

Figure 13. The welcome page for the Level 04

Figure 14. Source code of Level 04 main page

We found nothing in here, but wait, there is a strange message that says: "Nothing here. Check in the back", what is "the back" exactly?, maybe is referring to the background image, we realized that it is a really heavy image on Level 02, but at that moment we didn't pay attention to it, so maybe it is related with this level, let's have a look at the CSS code.

Figure 15. The image to be downloaded is highlighted in the CSS code

Now, we proceed to download the image using wget, at this moment we can see the actual size of the image (1,3MB), pretty big for just a simple background, so we are going to check if the file has embedded hidden strings inside of it, this can be done with the string command.

Figure 16. Downloading the image with wget and checking its size

Figure 17. Getting hidden strings on the background image with the string command (Steganography)

All we have to do, is copy that flag and put it in the main page of the Level 04.

Figure 18. Entering the flag into the Level 04 main page

And, as we can see, it was correct, we have finished the Blitz CTF 001 [CTF365]!! =D

Figure 19. Success on Level 04

This was a nice CTF, we really have fun solving it, just it was a bit short, also it is important to consider that the instructions were a pretty great hidden clue in their own way. Because they listed the types of challenges and it matches with the order of the levels almost perfectly.

A collection of easy challenges that covers:
1. Crypto,
2. SQLi,
3. Broken Access Control,
4. Cookie Manipulation and
5. Stegano.

Thanks to the organizers of this game, hope there will be a next release of Blitz CTF soon.

Password Management in GNU/Linux by using passwd command

2014-01-03T22:38:00.000-05:00

A password (commonly knows as passwd in linux) is an unspaced sequence of characters used to determine that a computer user requesting access to a computer system is really that particular user. Typically, users of a multiuser or securely protected single-user system claim a unique name (called a user ID) that can be generally known. In order to verify that someone entering that user ID really is that person, a second identification, the password, known only to that person and to the system itself, is entered by the user. Most networks require that end users change their passwords on a periodic basis.

passwd command

The passwd command is used to create and change the password of a user account. A normal user can run passwd to change their own password, and a system administrator (the superuser ROOT) can use passwd to change another user’s password, or define how that account’s password can be used or changed.

PASSWD SYNTAX

passwd [OPTION] [USER]
Usage: passwd [OPTION...] <accountName>
-k, --keep-tokens keep non-expired authentication tokens
-d, --delete delete the password for the named account (root only)
-l, --lock lock the named account (root only)
-u, --unlock unlock the named account (root only)
-f, --force force operation
-x, --maximum=DAYS maximum password lifetime (root only)
-n, --minimum=DAYS minimum password lifetime (root only)
-w, --warning=DAYS number of days warning users receives before password expiration
 (root only)
-i, --inactive=DAYS number of days after password expiration when an account becomes 
disabled (root only)
-S, --status report password status on the named account (root only)
--stdin read new tokens from stdin (root only)

Change the password for Normal user

When you logged in as non-root user like user1 in my case and run passwd command then it will reset password of logged in user.

[user1@localhost ~]$ passwd
Changing password for user user1.
Changing password for user1.
(current) UNIX password:
New password:
Retype new password:
passwd: 
all authentication tokens updated successfully.

When you logged in as root user and run passwd command then it will reset the root password by default and if you specify the user-name after passwd command then it will change the password of that particular user.

Display Password Status Information

To display password status information of a user , use -S option in passwd command.

[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 0 99999 7 -1 (Password set, SHA512 crypt.)

In the above output first field shows the user name and second field shows Password status ( PS = Password Set , LK = Password locked , NP = No Password ), third field shows when the password was changed and last & fourth field shows minimum age, maximum age, warning period, and inactivity period for the password.

We can display password status information for all users at a time by using the option –Sa

root@localhost:~# passwd -Sa

Removing Password of a User

We can remove the password for particular user by using option -d

[root@localhost ~]# passwd -d user1
Removing password for user user1.
passwd: Success
[root@localhost ~]#

Lock the password of System User

Use ‘-l‘ option in passwd command to lock a user’s password, it will add “!” at starting of user’s password. A User can’t Change it’s password when his/her password is locked.

[root@localhost ~]# passwd -l user1
Locking password for user user1.
passwd: Success

Unlock User’s Password using -u option

use -u option to unlock the user accounts locked by passwd -l option

[root@localhost ~]# passwd -u user1
Unlocking password for user user1.
passwd: Success

Setting inactive days using -i option

use -i option along with passwd command to set inactive days for a system user. This will come into the picture when password of user expired and user didn’t change its password in ‘n‘ number of days ( i.e 7 days in my case) then after that user will not able to login.

[root@localhost ~]# passwd -i 7 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 0 99999 7 7 (Password set, SHA512 crypt.)
[root@localhost ~]#

Setting Minimum No.of Days to Change Password using passwd -n option

Using the option -n along with passwd command we can set the minimum number of days to change the password. A value of zero shows that user can change it’s password in any time.

[root@localhost ~]# passwd -n 90 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# passwd -S user1
user1 PS 2016-04-21 90 99999 7 7 (Password set, SHA512 crypt.)
[root@localhost ~]#

Setting the Warning days before password expire using passwd -w option

Using the option -w along with passwd can be used to set the warning days before the password expires.

[root@localhost ~]# passwd -w 30 user1
Adjusting aging data for user user1.
passwd: Success
[root@localhost ~]# chage -l user1
Last password change                                    : Apr 21, 2016
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 90
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 30
[root@localhost ~]#

Source: Unixmen

[Malware Classifier] Malware Analysis Tool - Adobe

2013-11-03T19:24:00.000-05:00

In this post I am going to talk about a new tool: "Adobe Malware Classifier", this is a command-line tool that lets antivirus analysts, IT administrators, and security researchers quickly and easily determine if a binary file contains malware, so they can develop malware detection signatures faster, reducing the time in which users' systems are vulnerable.

Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.”

The tool was developed using models resultant from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a dataset of approximately 100,000 malicious programs and 16,000 clean programs.

The tool extracts seven key features from an unknown binary, feeds them to one of the four classifiers or all of them, and presents its classification of the unknown binary.

usage: AdobeMalwareClassifier.py [-h] [-f filename] [-n model] [-v [verbose]]

Classify an unknown binary as MALWARE or CLEAN.

optional arguments:
-h, --help show this help message and exit
-f filename The name of the input file
-n model The ordinal for model classifier: 0=all (default) | 1=J48 |
2=J48Graft | 3=PART | 4=Ridor
-v [verbose] Dump the PE data being processed

You can download this tool from its official site in Sourceforge:

http://sourceforge.net/projects/malclassifier.adobe/files/?source=navbar

(D)DoS Deflate - A script designed to Block a Denial of Service Attack

2013-10-03T02:16:00.000-05:00

Nowadays a common problem for many companies is Distributed Denial of Service Attack (DDoS), so in this post is explained: what is a DDoS and a possible solution for it?

Distributed Denial of Service (DDoS):

In computing, this attack is an attempt to make a machine (usually a web server) or a network resource unavaliable to its intended users, the reasons for this attack may vary, but it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet, a visual explanation is shown in Figure 1.

Figure 1: Stachledraht DDos Attack Diagram

There are some solutions to mitigate this attacks (IDS, IPS, etc.), but today I want to share a new simple tool that can be implemented in your own network:

"(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

IP addresses with over a pre-configured number of connections are automatically blocked in the server's firewall, which can be direct iptables or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but deflate will work without it.)"

Here are some Features:

It is possible to whitelist IP addresses, via /usr/local/ddos/ignore.ip.list.
Simple configuration file: /usr/local/ddos/ddos.conf
IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
The script can run at a chosen frequency via the configuration file (default: 1 minute)
You can receive email alerts when IP addresses are blocked.

How to install:

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

How to uninstall:

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos

Configuration:

After installing the script you need to open the file "ddos.conf" located in "/usr/local/ddos".

Edit the paths according to your system:

PROGDIR=”/usr/local/ddos”

PROG=”/usr/local/ddos/ddos.sh”

IGNORE_IP_LIST=”/usr/local/ddos/ignore.ip.list”

CRON=”/etc/cron.d/ddos.cron”

APF=”/etc/apf/apf”

IPT=”/sbin/iptables”

Customize the options and its values as you want:

FREQ=1

# Frequency in minutes in which the script will be executed

NO_OF_CONNECTIONS=150

# Number of connections received to block an IP address of an alleged attacker

APF_BAN=1

# 1 means that DDoS Deflate will use APF to block, 0 use directly Iptables

BAN_PERIOD=600

# Time (in seconds) to block an attacker.

EMAIL_TO=”root”

# Address to send an email when someone is banned

KILL=1

# With a 0 value, the attackers won't be banned, 1 is selected by default

Official Site: deflate.meadialayer.com

ESET Security Challenge - Solution

2013-09-03T19:40:00.000-05:00

Figure 1: New Search Engine in Development

Scenario:

A malicious code had access to a small enterprise of web developers, who are working on building a new search engine that will be participating on the market. Figure 1 shows a screenshot of the new project.

To verify the functionalities of this new search engine, we are going to make some tests. First, we will enter the word "trololo" to see the results. The server response to the request mentioned above is:

Figure 2: Search results for trololo of the new project

As you can see, this modest search engine is not ready to compete in the market, since the database is still very small, and only responds to keywords like "facebook" or "trololo":

Figure 3: Search results for facebook of the new project

Because the database is so poor, the developer has decided to redirect searches to other popular search engine in case that you don't get results. For example, let's try it with the word "nirvana" which is not found in the database corresponding to the new project:

Figure 4: Nirvana Search in the new project

The search is redirected to another search engine and the result can be seen below:

Figure 5: Nirvana Search Results on Bing

As you can see, the previous action aims to continue loading the database based on the response of the other search engines. Broadly speaking, we can understand how the server works.

The problem seems to be that this company has an internal attacker, who was devoted to analyzing vulnerabilities in the search engine, even knowing that it was an alpha version. Additionally, remember that there is a malware that is actively reporting all traffic from the internal network to the outside thereby filtering sensitive information.

A capture of the final traffic sent by the malware can be downloaded here.

Finally, after four days, the server was found in the following state:

Figure 6: Defacement of the search engine

Your job will be to see if it is an external attack executed by the malware author who infiltrated the systems, or whether it is an internal attack. To accomplish this objective You will have to verify the capture available to see if you can get the password of the administrator of that site. If it is possible, what is the password?

Note: In case you find irrefutable proof of his innocence, leave a comment and then develop a small tutorial, demonstrating the accuracy of the analysis. Apparently, only the root user had permissions to modify the files in the web.

Solution:

First, we need a tool to open the file, you can download Wireshark for this purpose, after that, we need to find something unusual in the traffic, as shown in Figure 7, there is an access to a FTP server where a file named data-intrusion.rar was downloaded:

Figure 7: FTP Server Access on Wireshark

In order to get a better view of this traffic we can use the option "Follow TCP Stream", let's see the results:

Figure 8: "Follow TCP Stream" of FTP Server

With this information we can see the credentials that were used to access to the server and the file that was downloaded, then we are going to reassemble the file and see what it contains:

Figure 9: This Image shows the transfer of "data-intrusion.rar"

And the next Figure shows the "Follow TCP Stream" of the RAR File in Raw:

Figure 10: "Follow TCP Stream" of "data-intrusion.rar" in Raw

This stream can be reassembled by pressing "Save as", then name it as you want, but don't forget the ".rar" extension:

Figure 11: "data-intrusion.rar" contains access.log

In the file "access.log" we can see all the requests made to the server and an interesting thing is that the server was attacked by an automated tool to inject SQL sentences.

Figure 12: SQLi requests by an automated tool (sqlmap)

In this case, the log file shows the requests but these are encoded, to learn more about this, please follow this link: HTML URL Encoding Reference

So we need to decode them, in order to make them easier to understand, you can use any tool for that purpose (I used a web app):

Figure 13: SQLi requests decoded (Easier to understand).

Example of one of the requests found in the log file:

"GET /search.php?q=facebook' AND ORD(MID((SELECT IFNULL(CAST(user AS CHAR),0x20) FROM challenge.users ORDER BY id LIMIT 1,1),5,1)) > 116 AND 'zJfx'='zJfx HTTP/1.1" 302 622 "-" "sqlmap/1.0-dev (1bae9955b7) (http://www.sqlmap.org)"

We can see that the tool (sqlmap) made some requests with the objective of getting a dump of the database, the tool is using the keyword "facebook" that would return a 200 code, with this the attacker can dump sensible information, to verify this, we can create a script that shows the results of the requests:

Figure 14: Script to extract useful information from access.log

In Figure 14, we can see the users & passwords that were extracted by the attacker, the last 2 lines are md5 hashes that can easily be cracked.

Decrypted Info:

user: root

password: pepe

user: guest

password: hacker

With these credentials the external attacker can easily make a defacement, so with this we verify that there is no internal attacker, or in this case, the internal attacker was not responsible for the defacement.

Cracking a Simple Application (ByPass Login)

2013-08-03T07:36:00.000-05:00

In this post I am going to explain how to solve a "Crackme" challenge that I found on the Internet, in this example you can see a Login form but we don't know the Username or the Password, so what do you think could be a possible solution?, or the first step to solve it?

Well, maybe you thought that you can run a brute force tool against the login form, that is not a wrong answer but it isn't the best, so first of all I am going to write test values on the text boxes to see how the application works.

Figure 1: The Application returns an Error Message Box when the Credentials are wrong.

The next step is to verify if the application is Packed, I mean protected, this technique is used to make harder the Analyst work and also to hide the programming language in which this application was developed.

Figure 2: The Application was developed in "Microsoft Visual C# / Basic .NET" and it isn't packed!!

With this information the Analyst must be very happy, because this means that cracking the application will be much easier than expected.

Figure 3: My face when I saw the previous results. =D

What's next?, now We need a tool that allow us to see the functions (source code) that are implemented within the ".exe" file.

Figure 4: This image shows the source code of the function that is called when the Login button is pressed.

In figure 4, We can see some interesting and maybe useful information, let's pay attention to the red text (the strings), specially the ones that weren't visible during the test phase when we entered wrong values.

We can see a string that may be a username: "|Usuario|" and another one that could be a possible password: "|J5L2C-K4B8L-D2K9S|", so let's try this combination in the text boxes to see what happens?

Figure 5: A successful message appears when using the login information found before.

Figure 6: The feeling of every malware researcher after a successful job.

Now maybe you have a better idea of how some cracks and key generators are created, well, that's all, hope you enjoyed with this post,

I also analyzed this crackme challenge to verify if its clean, you can see the complet report here:

https://www.virustotal.com/es/file/fd4447ef41a34d4f40b3f315a2e9b9ab0c80fe8753cf4b3afd831d9eaddf76cd/analysis/

How can you be fooled by the U+202E trick?

2013-07-03T17:43:00.000-05:00

A common technique, used by malicious attackers to fool their victims, is using the Unicode special character U+202E known as an annulment from right to left to make the malicious file appears as a PDF document instead of a potentially dangerous executable file.

To understand this concept, let's imagine that our malicious file is "document.exe" (see Figure 1):

Figure 1: Malicious file recently created with no changes.

Now we are going to follow the steps below to accomplish our goal:

Open the Windows Character Map (Start, Run, charmap)
Find and Copy the Unicode character U+202E. Notice that at the bottom left shows the ASCII value of the characters (see Figure 2).

Figure 2: Charmap with U+202E selected and copied.

Paste (Ctrl + V) the character just before the extension point: "document[[U+202E]].exe"
Enter the extension that you want but in reverse, for example, if we want "doc", we need to write "cod", or if we want "pdf", then we need to write "fdp".

The result will be something like the file shown in Figure 3.

Figure 3: Malicious file renamed with the special character.

(The real name of the file without the special character should be: "documentfdp.exe")

Finally, to perfect the infection vector, a good idea would be to change the icon of the malicious file and also use a name that can trick the user, considering that the "exe" or the original extension must remain. E.g.:

Figure 4: Malicious file disguised as a Microsoft Word file, with a tricky name in order to preserve the original extension and fool the user.

The malicious file is ready to be delivered to the target and the following happens:

Figure 5: Common Infection Flow (TrendMicro)

If the victim executes the malware (Double Click or Enter), the following screen would appear:

Figure 6: Malicious File starts a command prompt and shows a message: "Hello World".

Now, let's look at the title of the shell: "annexe.doc", apparently our technique is almost perfect because we can't see the original extension even in the command line, or we can?

Possible Countermeasures:

If we try to rename the file (F2), we will see something strange, this effect is produced by the special character, so this is a clue to realize that something is wrong.
If you are in a GNU/Linux based system, you can check the headers of the file with some commands.
Another trick that you can use to verify the name of any file and its extension could be using the command prompt, but how?

To prove this theory we need to open a new "cmd.exe" in the location of the suspicious file, after that, we write the first two characters of the name and press "Tab", the system will autocompletes the true name, then we will know the truth!! (See Figure 7).

Figure 7: Revealing the true name of the suspicious file and executing it.

As shown in Figure 7, the name of the file has (one or more) strange characters that aren't recognized and are shown as 2 question marks, revealing the presence of the "U+202E" character, that's all, hope you like this post. =)

Source of Figure 5: http://blog.trendmicro.es/bot-zeus-y-conexion-kneber/

Test if your Anti-Malware suite is good enough to Protect your Computer

2013-06-03T06:13:00.000-05:00

EICAR Test File

The EICAR Standard Anti-Virus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus (AV) programs. Instead of using real malware, which could do real damage, this test file allows people to test anti-virus software without having to use a real computer virus.

Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in exactly the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured.

The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string in the compressed file.

How this File was Designed?

The file is a text file of either 68 or 70 bytes that is a legitimate executable file called a COM file that can be run by Microsoft operating systems and some work-alikes (except for 64-bit due to 16-bit limitations), including OS/2. When executed, the EICAR test file will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" and then will stop. The test string was engineered to consist of ASCII human-readable characters, easily created using a standard computer keyboard. It makes use of self-modifying code to work around technical issues that this constraint imposes on the execution of the test string.

The EICAR Test string reads:


X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

You can download the EICAR File from the Official Site, here You can choose various scenarios:

http://www.eicar.org/download/eicar.com (A ".COM" File)
http://www.eicar.org/download/eicar.com.txt (A ".TXT" with the same Content)
http://www.eicar.org/download/eicar_com.zip (The same file ".COM" but compressed)
http://www.eicar.org/download/eicarcom2.zip (The same file ".TXT" but compressed)

If you have an Internet Security Suite, this application may prevent the download of the EICAR Files from the Official Website.

In that case You can make your own EICAR File following this steps:

Open a new Notepad.
Copy & Paste this String in the Notepad (Please be sure that all the caracters are correct): X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Save your new file as "anyName.com" (It is important the .com extension)
Just at the moment that you save this file, your Anti-Malware Suite should detect it as a threat, if not, you can run a custom scan to verify the effectiveness of your AV.

More Info:

http://www.eicar.org/86-0-Intended-use.html

http://www.eicar.org/85-0-Download.html

[Malwasm] - Offline Debugger for Malware's Reverse Engineering

2013-05-03T08:17:00.000-05:00

Today I want to share a new tool that I was testing, its name is "Malwasm", this is a tool based on Cuckoo Sandbox.

Malwasm was designed to help people that do reverse engineering. Malwasm step by step:

The malware to analyse is executed through Cuckoo Sandbox
During the execution, malwasm logs all activites of the malware with pintool
All activities are stored in a database (Postgres)
A web service is available to visualize and manage the data stored in the database

Features

Malwasm provides these features:

Offline programs debugging
Possibility to go back or forward in the execution's time (with a time slide bar)
States of registers and flags
Values of the stack/heap/data
"Following dump" options
Fully works in the browser

In Figure 1 you can see how it works with a sample:

Figure 1: Malwasm running a Malware Sample

After all this introduction here are the links:

Hope You like It! =)

OWASP Top 10 - XSS

2013-04-03T03:01:00.000-05:00

In this post I want to share one of the most popular attacks that are used in web applications, so let's start:

"Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page." - OWASP XSS -

For this practice, I am going to create a scenario that is vulnerable to this attack, first you need to set up a web server that supports PHP, the easiest way is downloading XAMPP (Avaliable for all Platforms).

To test if your web server is up, in a new tab you need to go to: http://localhost/

If all is OK, you will see an image that requests you to select a language, after you choose your language, the main page is shown and it looks like this:

Figure 1: XAMPP Started on GNU/Linux

If you used a web server before, you probably know that you need to move all your website to an specific directory, in this case "htdocs" directory in order to test your files in your browser.

In this exercise, for people that is starting in web development, I am going to create a file "color.php" with a Hello World message, so the code inside this file would be:

<?php
echo 'Hello World';
?>

In order to test this file you need to go to the URL: http://localhost/color.php
And the output of this file should be something similar to Figure 2.

Figure 2: Hello World in PHP using XAMPP on GNU/Linux

Now that all is working, I am going to explain what I am going to do with this color.php file:

Scenario: Suppose you are a web developer, and you create websites for people, in your personal site, you have a short demo where people can choose a background color in the page that is shown to them, this is only to see if the color it is OK for your client. All the code for this file (color.php) it is not included in this post, but you can imagine how it works, hehehe.

Hint 1 (how the requests are sent?): <form method="post" action="">

Hint 2 (what is the background color code?): <body><center>

After you have finished your color.php file, you can test if it works correctly, for my example please refer to Figure 3, depending of how you coded it, it could be very similar to my file:

Figure 3: Color.php File working on XAMPP

How this web app works?

Really simple, you need to choose your color, then press the button and the background color will change depending of your selection, for example if I choose the yellow color and after that I press the button, my web app will show me the background with that color, see Figure 4.

Figure 4: My Web App with the background color changed

So now, how can we exploit this vulnerability (XSS) on the Demo website?, really simple, you need to capture the requests that are sent to the server and modify them.

For that purpose, you can use a Proxy tool, like OWASP ZAP 2.0, or an Add-on for your favorite browser as you prefer.

After I sent my request (without any modification), what are the changes on the web app?

The background color code: <body bgcolor="yellow"><center>

With this information an attacker can image how this web application works and then how to modify the request to get an XSS, showing an alert message.

In the Figure 5, you can see a tool that is used to modify the information that is generated by a request, the injection of code is made in the color box, where I wrote javacript code to show an alert message that says "\Hackem Research Group\".

Figure 5: Tool where you can edit the request

After you finished the edition of the request, you can send it to the server, and the response is a pretty XSS, as shown in Figure 6.

Figure 6: Alert message shown in the page, means that this web app is really vulnerable...

This is not only limited to an alert message, you can submit forms, or any kind of element, for example, you can inject code to show a login form, if a banking site is vulnerable to this attack, an malicious programmer can steal login credentials from the original website when people fill the fake form that were injected by XSS.

Malware Analysis – Trojan Banker

2013-03-03T17:42:00.000-05:00

After we have already prepared our environment for Malware Analysis, let's start practicing with a simple Trojan Banker, this malware was uploaded to VirusTotal for the first time in 2011-08-22 19:18:47 UTC, and maybe you think, this is a really old sample, but if you are a begginer in this area this could be a good option for getting started.

First of all, What is a Trojan?

A trojan (or trojan horse) is a type of malware which appears to perform a desirable function or an innocent action but instead facilitates unauthorized access to the user's computer system. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan horses may steal information, or harm their host computer systems. Trojans may use drive-by downloads or install via online games or internet-driven applications in order to reach target computers. The term is derived from the Trojan Horse story in Greek mythology because Trojan horses employ a form of "social engineering", presenting themselves as harmless, useful gifts, in order to persuade victims to install them on their computers.

Well, this kind of malware is usually sent in an email in a compressed file (when the e-mail antivirus can not detect it), but also can be hosted in a compromised server and the victim receives a link to access to it, in this case the malware is a "Postcard".

Figure 1: The "Postcard" downloaded from a compromised server.

So, What is the best way to know what does this malware do in my system?

There are a lot of methodologies, but in this case what I am going to do is to monitor the activity of the malware during its execution, with that I'm gonna see all the changes that it makes to my system.

Figure 2: Process Tree of the Trojan Execution

Oh, this is interesting, as you can see in the Figure 2, when we execute the malware sample, in background a new process is created, which process?, A cmd.exe, we don't know what does this cmd.exe do, but also we know that after the cmd.exe execution another process is created (firefox.exe).

Now let's see what the common user observes in his screen after the malware execution.

Figure 3: What is shown after the malware execution?

The common user only believes that when he executes the "Postcard", a new instance of Firefox is created, and a webpage is loaded showing the postcard that was sent to him via e-mail.

The domain of the webpage that is loaded in Firefox is a real page, with no malicious code inside, so the final user will never know that was infected, because there is no other visible actions made by the trojan.

But during the execution of this sample some registers of its activity were collected, so please observe, while we execute the malware a ".bat" file were created in the Temp Folder of the User that opened the "Postcard", and some instructions were written on it.

Figure 4: The Trojan creates a ".bat" file in the Temp Folder

Now that we know where is located the batch file, let's take a look at the folder and see the instructions written by the trojan.

Figure 5: The malicious batch file (recovered)

As shown in Figure 5, "4094.bat" is a batch file generated by our malware sample, the name of the file is random, so in every execution another file is created with a different name, I have to mention that this file was recovered, why recovered?, because the "Postcard" erases the ".bat" file after executing it in a command line.

Figure 6. Content of the Batch File (Modifies the hosts file and start the default browser with a defined webpage)

After checking the commands that are executed by "cmd.exe" that was started by the Trojan, we can conclude that this is a Trojan Banker, because it modifies the "hosts" file, in order to commit fraud banking, all the people that get infected, when they want to access to their banks (In this case Banks from Chile), they are going to be redirected to a malicious site controlled by the malware creator, in this site the banking credentials can be collected by a phishing webpage.

During the analysis there weren't other changes made by the malware in the infected system.

If you want to see more information and the complete report about this sample, please follow this link:
VirusTotal Complete Report

Getting Started on Malware Analysis

2013-02-03T16:58:00.000-05:00

Some of my friends asked me how to get started with Malware Analysis, so in this post I want to share the answer, not only for them but for the rest of the world. Malware Analysis for me is some kind a hobby because I think it is funny, really interesting, a good way to help people to solve their problems and finally to fight against Cybercrime.

How to start?

There is no a strict guide to follow, but I recommend to you to follow these phases:

Design your Infrastructure for Malware Analysis
Prepare a set of tools for Reverse Engineering and Monitoring
Select a target OS for the infection
Decide if you want to virtualize the target OS
Isolate the Environment
Obtain a Malware Source
Infect the target OS and Start the Analysis (You can monitor the malware behaviour or you can debug it)
Generate your Report with your conclusions

1. Infrastructure Design

In this step you need to think what do you want to create, for example, this infrastructure could be for personal use only, for an Educational Institution, or even for corporations interested in this topics and the requirements for all this scenarios are not the same so you must know the differences between them.

In this post I am going to show an example of an Infrastructure por a personal use only so we need a physical host and inside it we can install some virtual machines and create virtual networks, as shown in Figure 1.

Figure 1. Infrastructure Example for Malware Analysis

2. Tools
Selecting the tools is one of the most interesting steps, because there are many tools on the Internet, and you are free to select what you want or the one that you like the most, here are some basic tools that you can use to start in this great new world of Malware Analysis.

Behaviour Analysis Tools (e.g Sandboxes, Process Explorer, etc)
Code Analysis Tools (e.g. Any Hex Editor, Debugger like Ollydbg or gdb)
Network Traffic Analysis Tools (e.g. Sniffers, Wireshark)

3. Target OS

In this part you need to select one or more Operative Systems that you are going to infect in order to analyse the behaviour of a malware sample, you can choose from various options like:

Microsoft Windows XP SP3, Vista, Windows 7, Windows 8
GNU/Linux Distros (e.g. Ubuntu, Linux Mint, Debian, RedHat, CentOS, etc.)
Mac OS X (e.g. Tiger, Leopard, Snow Leopard, etc.)
Unix, BSD and others.

Maybe right now you have this question: "Why do we need to select an specific platform for a malware sample?",

Well the answer is really simple, because some kinds of malware can only be executed in a specific operative system or architecture, so for this it would be a good idea to have an ISO image of all of those operative systems listed before.

4. Virtualize, Yes or No?

At this point we have to decide in which environment we want to work with, in our real machine or in a virtual machine?

Why is a good idea to virtualize?

Is an isolated environment, and it is easier to control the behaviour and activity of our malware samples.

We can take screenshots od the system, so after finishing the analysis can easily return the environment to its initial state.

Why is NOT a good idea to virtualize?

Malware coders incorporate some functions to detect a virtualized environment, like:

Searching for some drivers
Searching for some devices
Searching for some directories
Searching for some registry entries
Searching for some installed tools
Searching for some executing processes

5. Isolate the Environment

After you decide if you use a virtual machine or your real machine, in both ways you need to isolate the environment in order to control the behaviour of the sample in your OS. This means that we need to know the changes that are made in our hard drive by the malware (creating, replacing or deleting files, changes in our registry, etc.), for that purpose we can use a sandbox.

6. Malware Samples

Now you need to focus on where to get malware samples, the most common way to get infected it is visiting cyber cafes, but this is not the most efficient way, so maybe you should search on the Internet for Cracks, Keygens, Patches and then you will find out a lot of samples.

But if you are a member of a Security Corporation (e.g. Antivirus Companies), you can get malware samples from VirusTotal or similar Projects, in future entries I am going to publish two things, 1. Some malware samples recollected by me. 2. A list of sites where you can get some samples, so stay tunned. ;)

7. Infection and Monitoring

Now it is the time, we must infect our target system, if the malware sample is an .exe, .bat, .com, etc. We only need to execute it pressing Enter key, but some samples need to exploit some vulnerabilities (e.g. Java, Microsoft Office, Adobe Acrobat Reader, Adobe Flash, etc.) so we need to install the required software for the malware to be executed correctly, after that, you can start monitoring the malware behaviour, this part is going to be explained with more details in a future post.

8. Report Generation

After the analysis, you can build a report with the results of your research about the malware sample, you can list the affected files, the registry entries that were affected, the methods that the sample uses to spread itself, the vulnerabilities that were exploited and more details. In future entries I am going to post an example of a Malware Analysis Report.

Note: This post was part of my experience in Malware Analysis, if you want to know more about it a Research Paper was presented at Cybersecurity for the Next Generation South American Round 2013 Conference organized by Kaspersky Lab and Hackem Research Group, this event was celebrated at National Polytechnic School in Quito, Ecuador.