Top 8 Things to Analyze in Outbound Packets to Detect Compromised Systems

1. Reputation of destination IPs and domains
• Send IP addresses and DNS names to your SIEM for comparison against blacklists
• Look at low-volume outliers: new IPs and DNS names

2. DNS queries from clients on your network
• First, simply look for outbound DNS queries originating from internal IPs other than your internal DNS server (domain controller)
• Look at the domain names
• Algorithm-generated domain names are easy to recognize

3. Suspect traffic patterns
• Look at your destination ports
• Weird outbound protocols and times
• Look at application / protocol mismatches
• Bandwidth imbalance
  • Much more outbound than for normal web browsing
• Is https traffic a black box? Think again. Options:
  • Put an SSL decryptor between endpoints and the Internet
  • Alert on applications that fail to work with the decryptor
  • A wealth of information is available to analyze even on undecrypted https connections
    • Server certificate
      • Does it match the DNS name?
      • Who is the certification authority?
      • Is it self-signed?

4. Unrecognized protocols
• Unknown outbound ports
• SSL traffic that bypasses your proxy server

5. Masquerading protocols
• Traffic doesn’t match the application associated with the port
• Why are 7 different apps running on port 53?

6. Known signatures
• This tends to be the least effective unless you have a feed of constantly updated rules from a proprietary intelligence provider
• Can generate a lot of false positives
• But careful use can be valuable

7. Prohibited protocols

8. DLP indicators
• Searching data payloads for PII patterns
• Regular expressions
• Keywords relevant to proprietary information of your organization
• SSL decryptors helpful here

Original Post:

How to Create a Virus Using the Assembly Language

The art of virus creation seems to be lost. Let’s not confuse a virus for malware, trojan horses, worms, etc. You can make that garbage in any kiddie scripting language and pat yourself on the back, but that doesn’t make you a virus author.
You see, creating a computer virus wasn’t necessarily about destruction. It was about seeing how widespread your virus can go while avoiding detection. It was about being clever enough to outsmart the anti-virus companies. It was about innovation and creativity. A computer virus is like a paper airplane in many regards. You fold your airplane in clever and creative ways and try to make it fly as far as possible before the inevitable landing. Before the world wide web, it was a challenge to distribute a virus. With any luck, it would infect anything beyond your own computer. With even more luck, your virus would gain…


Google Released an Open Source Pentesting Tool Called Project Wycheproof

Google this week announced the availability of Project Wycheproof, an open source tool designed for finding known vulnerabilities in popular cryptographic software libraries.

Developed in Java due to its common cryptographic interface, Project Wycheproof includes tests for the most popular crypto algorithms, including AES-EAX, AES-GCM, DH, DHIES, DSA, ECDH, ECDSA, ECIES and RSA. The more than 80 test cases developed by Google experts have led to the discovery of over 40 bugs in RSA, DSA, ECDH and DH.

Google has pointed out that Project Wycheproof is not complete as crypto experts regularly discover new weaknesses in protocols. However, the search giant believes the tool can be useful for developers and users considering that the secure implementation of cryptographic algorithms is not an easy task.
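To show the kind of check such a test suite exercises, here is an added example (not Wycheproof's own code or vectors): Diffie-Hellman public-value validation run against Wycheproof-style test cases, the class of DH bug the article says the project surfaced. The toy group p=23, q=11, g=2, the tcId/result/flags fields and the case values are all constructed for illustration.

```python
# Added example: Wycheproof-style test cases for Diffie-Hellman public-key
# validation. Not Wycheproof's own code or vectors. The group below is a
# constructed toy group (real groups are 2048-bit or larger): p = 2q + 1 is a
# safe prime, and g = 2 generates the subgroup of prime order q.
P, Q, G = 23, 11, 2


def naive_accepts(p: int, q: int, y: int) -> bool:
    """The range check a careless implementation stops at: 0 < y < p.
    It still accepts y = 1, y = p - 1 and values outside the order-q subgroup."""
    return 0 < y < p


def validate_dh_public_key(p: int, q: int, y: int) -> bool:
    """Full public-value validation (the checks of RFC 2785 / NIST SP 800-56A):
    the value must lie strictly between 1 and p - 1 and must belong to the
    order-q subgroup, i.e. y^q mod p == 1. Anything else lets a peer confine
    the shared secret to a tiny set and learn bits of our private exponent."""
    if not (1 < y < p - 1):
        return False
    return pow(y, q, p) == 1


def dh_shared_secret(p: int, q: int, priv: int, peer_pub: int) -> int:
    """Derive the raw shared secret, refusing invalid peer values first."""
    if not validate_dh_public_key(p, q, peer_pub):
        raise ValueError("invalid DH public key from peer")
    return pow(peer_pub, priv, p)


# Test vectors in the shape Wycheproof uses: an id, a comment, the input,
# the expected verdict and flags naming the weakness a case probes.
# The values are constructed for the toy group above.
TEST_VECTORS = [
    {"tcId": 1, "comment": "normal case", "public": 8, "result": "valid", "flags": []},
    {"tcId": 2, "comment": "public key is 0", "public": 0, "result": "invalid", "flags": ["InvalidPublic"]},
    {"tcId": 3, "comment": "public key is 1", "public": 1, "result": "invalid", "flags": ["InvalidPublic"]},
    {"tcId": 4, "comment": "public key is p-1 (order 2)", "public": 22, "result": "invalid", "flags": ["SmallSubgroup"]},
    {"tcId": 5, "comment": "public key is p", "public": 23, "result": "invalid", "flags": ["InvalidPublic"]},
    {"tcId": 6, "comment": "generator of the full group, not in the order-q subgroup", "public": 5, "result": "invalid", "flags": ["NotInSubgroup"]},
    {"tcId": 7, "comment": "public key larger than p", "public": 25, "result": "invalid", "flags": ["InvalidPublic"]},
]


def run_vectors(vectors, p, q, validator):
    """Run every case through `validator` and return (passed_ids, failed_ids).
    A case fails when the validator's verdict disagrees with the expected result."""
    passed, failed = [], []
    for tc in vectors:
        accepted = validator(p, q, tc["public"])
        expected = tc["result"] == "valid"
        (passed if accepted == expected else failed).append(tc["tcId"])
    return passed, failed


if __name__ == "__main__":
    for name, fn in (("naive", naive_accepts), ("strict", validate_dh_public_key)):
        passed, failed = run_vectors(TEST_VECTORS, P, Q, fn)
        print(f"{name}: passed {passed}, failed {failed}")
    # Why tcId 4 matters: with peer value p - 1 the "secret" is 1 or p - 1,
    # depending only on whether our private exponent is even or odd.
    print([pow(P - 1, priv, P) for priv in range(1, 6)])
```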

“The main motivation for the project is to have an achievable goal. That’s why we’ve named it after the Mount Wycheproof, the smallest mountain in the world. The smaller the mountain the easier it is to climb it!” Daniel Bleichenbacher and Thai Duong, Google security engineers and Project Wycheproof maintainers, said in a blog post.

While the tool is developed and maintained by members of the Google Security Team, Project Wycheproof is not an official Google product. Contributions are welcome, but those who want to take part in the project have been advised to report the vulnerabilities they find directly to the maintainers of the affected libraries and submit the tests only after the bug has been fixed or acknowledged.

Some of the flaws discovered by Google have yet to be made public as they are still being patched by vendors.

Google also pointed out that some open-source products are covered by its bug bounty program and vulnerabilities found with Project Wycheproof tests could qualify for a reward.

Project Wycheproof is not the only security tool released this year by Google. The company also made available the OSS-Fuzz open source fuzzing service, a Vendor Security Assessment Questionnaire framework, the binary comparison tool BinDiff, and the XSS prevention tools CSP Evaluator and CSP Mitigator.

Original Post:

A DDoS Attack Hit the Dyn Managed DNS: Is Someone Trying To Cause An Internet Takedown?

The Cyber Attack

The Internet is one of the most important critical infrastructures for almost every country in the world. It is a “global commons” on which the most important services of modern society rely.

Are the modern Internet and its infrastructure resilient to any kind of cyber-attack?

What will happen in the case of a massive cyber-attack against its backbone?

In a worst-case scenario, many critical services would go down, causing serious damage to the population.

A few hours ago a massive distributed denial-of-service (DDoS) attack targeted the Managed DNS infrastructure of the cloud-based Internet performance management company Dyn.

The attack had a significant impact on Internet users located in the US, who were unable to reach popular web services. The list of affected websites includes Twitter, Spotify, SaneBox, Reddit, Box, Github, Zoho CRM, PayPal, Airbnb, Freshbooks, Pinterest, Heroku and Vox Media properties.

GitHub has notified its users that its upstream DNS provider is under a massive DDoS that caused problems on a global scale.

Figure 1 – GitHub Announcement

Dyn confirmed the DDoS attack against its DNS service that started at 11:10 UTC. The company is still working on mitigating the attack.

The company announced that a DDoS attack hit the Dyn Managed DNS advanced services.

The DDoS attack started at 11:10 UTC; some customers experienced increased DNS query latency and delayed zone propagation during the offensive.

Below is the official announcement published by the company:

“Update – This DDoS attack may also be impacting Dyn Managed DNS advanced services with possible delays in monitoring. Our Engineers are continuing to work on mitigating this issue.

Oct 21, 16:48 UTC

Investigating – As of 15:52 UTC, we have begun monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Our Engineers are continuing to work on mitigating this issue.

Oct 21, 16:06 UTC

Monitoring – Services have been restored to normal as of 13:20 UTC.

Oct 21, 13:36 UTC

Update – This attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue.

Oct 21, 12:45 UTC

Investigating – Starting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available. ”

The following graph reports the status of the Twitter service just after the attack; at the time of writing, the service was still not reachable.

Why is someone attacking the DNS?

DNS acts as the authoritative reference for mapping domain names to IP addresses. It works as the Internet’s phone book, mapping human-readable domain names to IP addresses.

In this specific case, Dyn DNS is used by many websites and services as their upstream DNS provider.

Figure 2 – Twitter Status

The attack apparently had a limited impact on European and Asian users. I live in Italy, and here we initially had no problems reaching some of the affected websites. Anyway, at the time I was writing, Github was not reachable, and European users were also experiencing the Dyn DNS outage.

Figure 3 – status-for-dyn

Extortion or a nation-state cyber-attack?

DDoS attacks continue to represent a serious threat to web services and the overall Internet infrastructure.

Although this kind of attack appears very simple for attackers to carry out, it is often very difficult to mitigate without the support of companies specialized in DDoS mitigation services.

DDoS attacks are powered by large botnets that are able to launch powerful attacks, such as the recent ones that hit the website of the popular investigative journalist Brian Krebs, peaking at 620 Gbps, and the hosting provider OVH. In the latter case, the DDoS attack was powered by the Mirai botnet and reached a magnitude never seen before, peaking at 1 Tbps.

According to security experts, the massive DDoS attack that hit the Dyn DNS service was powered by a huge army of hijacked Internet of Things devices.

The security intelligence firm Flashpoint published an interesting post on the massive DDoS in which it confirms that its experts observed the Mirai bots driving the attack against Dyn DNS.

“Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH.” reads the analysis published by Flashpoint “Mirai malware targets Internet of Things (IoT) devices like routers, digital video recorders (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. ”

Below are the key findings of the report published by Flashpoint:

  • Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.
  • Mirai botnets were previously used in DDoS attacks against the “Krebs On Security” blog and OVH.
  • As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks.

This is not surprising if we consider that the source code of the botnet was leaked on the popular criminal hacking forum Hackforums in early October by a user with the moniker “Anna-senpai”, who shared the link to the source code of the “Mirai” malware.

The Mirai botnet was first spotted by the researcher MalwareMustDie this summer targeting IoT devices; it mainly targets connected objects such as routers, CCTV cameras, and DVRs.

The availability of the Mirai botnet source code in the wild theoretically made it possible for anyone to power a botnet.

Watch out! The Mirai botnet that powered the attack against the Dyn DNS service is not the same one used against Krebs’s site and OVH.

“While Flashpoint has confirmed that Mirai botnets were used in the October 21, 2016, attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against “Krebs on Security” and OVH. Earlier this month, “Anna_Senpai,” the hacker operating the large Mirai botnet used in the Krebs DDoS, released Mirai’s source code online.” continues Flashpoint “Since this release, copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks.”

If you are interested in knowing more about the diffusion of the Mirai botnet, you can use this online tracker, which reports more than 1.2 million IPs seen associated with devices infected by the Mirai code in the wild. Consider that this isn’t the exact number of infected devices, because many of them use dynamic IPs.

Figure 4 – Mirai Botnet Tracker

The risks of cyber-attacks against the Internet infrastructure are concrete; the global network was not designed to be resilient to such powerful cyber-attacks. Many components of its backbone could easily be targeted by well-funded attackers, such as criminal syndicates or nation-state actors.

According to cyber security expert Brian Krebs, the DDoS attack on Dyn came just hours after Dyn researcher Doug Madory presented a talk on DDoS attacks at a meeting of the North American Network Operators Group (NANOG) held in Dallas.

Madory and Krebs conducted a joint investigation on the operators behind a DDoS service, named vDOS.

Krebs criticized the DDoS mitigation firms that often ignore such powerful attacks; their magnitude is increasing so quickly that current defenses are often not effective at mitigating the threat.

“The size of these DDoS attacks has increased so much lately thanks largely to the broad availability of tools for compromising and leveraging the collective firepower of so-called Internet of Things devices — poorly secured Internet-based security cameras, digital video recorders (DVRs) and Internet routers. Last month, a hacker by the name of Anna_Senpai released the source code for Mirai, a crime machine that enslaves IoT devices for use in large DDoS attacks. The 620 Gbps attack that hit my site last month was launched by a botnet built on Mirai, for example,” explained Krebs.

This means that cyber-criminals could be interested in targeting infrastructure with extortion attacks.

“According to a discussion thread started Wednesday on Web Hosting Talk, criminals are now invoking the Mirai author’s nickname in a bid to extort Bitcoins from targeted hosting providers.

“If you do not pay in time, DDoS attack will start, your web-services will go down permanently. After that, price to stop will be increased to 5 BTC with a further increment of 5 BTC for every day of the attack,” wrote Krebs.

We also cannot underestimate the threat represented by state-sponsored hackers.

In early September, the popular cyber security expert Bruce Schneier published an interesting post titled “Someone Is Learning How to Take Down the Internet” that revealed an escalation of cyber-attacks against service providers and companies responsible for the basic infrastructure of the Internet.

The experts were referring to coordinated attacks that could be powered by hackers aiming to shut down the Internet. Schneier explained that the attacks experts are observing are a sort of test to evaluate the resilience of the most critical nodes of the global Internet.

The attacks experienced by the companies require significant effort and huge resources, a circumstance that suggests the involvement of a persistent attacker like a government, and China is the first suspect.

Our society and its economy heavily depend on technology, and the Internet is the privileged vector of the information today. Blocking the Internet could paralyze countless services in almost any industry, from finance to transportation.

Clearly, an attack against the Internet could also be considered a possible option for a government in an information warfare context.

“Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing.” wrote Schneier.

“I am unable to give details because these companies spoke with me on a condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there’s a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn’t have the level of detail I heard from the companies I spoke with, the trends are the same: “in Q2 2016, attacks continued to become more frequent, persistent, and complex.”

It is clear that attackers aim to cause a global blackout of the most common top-level domains paralyzing a large portion of the Internet.

Schneier, who has spoken with companies that faced the attacks, pointed out powerful DDoS attacks that stand out from the ordinary for their methodically escalating nature.

According to the experts, recent attacks against the Internet infrastructure start at a certain power that increases as time goes by, forcing the victims to deploy all their countermeasures to mitigate the threat.

Schneier cited a report titled “VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q2 2016” that confirms organizations worldwide are experiencing a wave of ever more sophisticated DDoS attacks.

Figure 5 – Verisign-Observed DDoS Attack Trends: Q2 2016

“DDoS Attacks Become More Sophisticated and Persistent: DDoS attacks are a reality for today’s web-reliant organizations. In Q2 2016, DDoS attacks continued to become more frequent, persistent and complex,” states the report.

Schneier also reported other types of attacks against the Internet infrastructure, such as numerous attempts to tamper with Internet addresses and routing.

“One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services,” continues Schneier.

Who is behind the attacks?

Schneier speculates that the recent wave of DDoS attacks is powered by a nation-state attacker, and he seems to exclude the involvement of hacktivists or cyber criminals; I agree.

“It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that. Furthermore, the size and scale of these probes — and especially their persistence — points to state actors,” explains Schneier.

The attribution of the attacks is very difficult, but according to the expert, the data collected on the events suggests that China is behind them.

Anyway, we have to consider the difficulty of attributing an attack to a specific threat actor. Attackers tend to adopt diversionary strategies and false flags in order to make attribution hard. Let me also add that other governments have such abilities; Russia is one of them, and its experts are also able to hide their operations from the security community.

Both Russia and China are investing heavily in building infrastructures that would be resilient to this kind of mass attack.

“We don’t know where the attacks come from. The data I see suggests China, an assessment shared by the people I spoke with. On the other hand, it’s possible to disguise the country of origin for these sorts of attacks.”

Unfortunately, DDoS attacks like the one that hit the Dyn DNS service today will likely occur again, and we cannot underestimate the risk that threat actors could also exploit design flaws in the core components of the Internet.

Back to the attack on the Dyn DNS service: I believe the leak of the source code of this kind of botnet could also be part of a wider strategy by a certain category of attackers who intend to power massive attacks while making attribution impossible.

According to a new report from Reuters, the FBI and the Department of Homeland Security (DHS) are investigating the massive DDoS attacks that targeted the DNS provider.

Update – The culprit: hacktivism

WikiLeaks confirmed that its supporters launched the massive DDoS attack to protest against the Ecuadorian government’s decision to cut off the Internet connection of WikiLeaks founder Julian Assange due to the US political election leaks.

Yesterday evening I reached the hacking collective NewWorldHacking via Twitter, asking them for more information about the attack.

The hackers confirmed to me that they started the massive attack against the Dyn DNS service; anyway, they were not alone.

According to NewWorldHacking, many other groups linked to the Anonymous collective participated in the attack.

When I asked which Anon groups were involved, they replied that many crews targeted the Dyn DNS service.

“Anonymous, Pretty much all of Anonymous,” says NewWorldHacking.

They confirmed that they are testing the capability of their botnet, highlighting that the DDoS attack against the Dyn DNS service was carried out with the Mirai botnet alongside other booters.

Most interesting is the motivation they provided: not only Assange’s case. They told me that the attack is also a message for the Russian government.

“If Russia is against the U.S we are against Russia. This is where we draw the line, we are sending a warning message to Russia. ”

The information I collected seems to be in line with the statements that the hacktivist groups Anonymous and NewWorldHacking released to Politico.


Original Post:

Now Mirai Has DGA Feature Built in


Nearly 2 weeks ago, 2 new infection vectors (TCP ports 7547 and 5555) were found being used to spread MIRAI malware <A Few Observations of The New Mirai Variant on Port 7547>. My colleague Gensheng quickly set up some honeypots for that sort of vector and soon had his harvest: 11 samples were captured on Nov 28th. So far 53 unique samples have been captured by our honeypots from 6 hosting servers.

When analyzing one of the new samples, my colleague Wenji found some DGA-like code and suspected that a DGA feature was present. The suspicion was soon verified by evidence collected from our sandboxes. Detailed RE work shows that a DGA feature does exist in the newly distributed MIRAI samples spread through TCP ports 7547 and 5555. In this blog I would like to introduce our findings. As a quick overview, the attributes of the DGA we found are summarized as follows:

  1. 3 TLDs are used: online/tech/support.
  2. The L2 domain has a fixed length of 12 bytes, with each char randomly chosen from ‘a’~’z’.
  3. The generated domain is determined only by the month, the day and a hardcoded seed string.
  4. Only one domain is generated per day, so the maximum number of DGA domains is 365.
  5. The DGA domains are used only when the hardcoded C2 domains fail to resolve.
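As an added example that is not part of this post and not the authors' re-implementation of the DGA, the following Python turns the attributes above into detection logic and combines it with the outbound-DNS check from the "DNS queries from clients on your network" list earlier on this page, run over a constructed DNS log. The network ranges, resolver address and query names are assumed sample values; the names are not real output of the Mirai DGA.

```python
import ipaddress
import re
from collections import defaultdict

# Added example: detection logic derived from the DGA attributes described above.
# It does not reproduce the seed handling or generation loop of the malware, only
# the shape of its output: a 12-character second-level label drawn from a-z under
# .online, .tech or .support.
MIRAI_DGA_RE = re.compile(r"^[a-z]{12}\.(?:online|tech|support)\.?$")

# Constructed addressing for the example: the internal network and its resolver.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_RESOLVER = ipaddress.ip_address("10.0.0.2")

# Constructed DNS log, one query per line: "<time> <src_ip> <dst_ip> <qname>".
# The IPs come from the documentation ranges and the names are made up; they are
# NOT real output of the Mirai DGA.
SAMPLE_DNS_LOG = """\
2016-12-05T08:00:01Z 10.0.0.5 10.0.0.2 www.example.com
2016-12-05T08:00:02Z 10.0.0.2 198.51.100.1 www.example.com
2016-12-05T08:00:09Z 10.0.0.7 198.51.100.1 qwertyuiopas.online
2016-12-05T08:00:10Z 10.0.0.7 203.0.113.53 qwertyuiopas.online
2016-12-05T08:00:11Z 10.0.0.5 10.0.0.2 update.example.tech
2016-12-05T08:00:12Z 10.0.0.9 10.0.0.2 abcdefghijkl.support
2016-12-05T08:00:13Z 10.0.0.9 10.0.0.2 short.online
"""


def is_mirai_dga_candidate(qname: str) -> bool:
    """True when a queried name has the shape of the described DGA output.
    Exactly one label precedes the TLD, so ordinary names under these TLDs
    (e.g. update.example.tech) do not match."""
    return MIRAI_DGA_RE.match(qname.strip().lower()) is not None


def parse_dns_log(text: str):
    """Yield (timestamp, src, dst, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, qname = parts
        try:
            yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), qname
        except ValueError:
            continue


def analyze(text: str):
    """Run the two checks from the posts over a log:
    1. internal hosts other than the resolver sending DNS straight to the Internet;
    2. queried names matching the DGA pattern.
    Returns (bypass, dga_hits): client -> set of external resolvers contacted,
    and client -> set of DGA-shaped names queried."""
    bypass = defaultdict(set)
    dga_hits = defaultdict(set)
    for _ts, src, dst, qname in parse_dns_log(text):
        if src in INTERNAL_NET and src != INTERNAL_RESOLVER and dst not in INTERNAL_NET:
            bypass[str(src)].add(str(dst))
        if is_mirai_dga_candidate(qname):
            dga_hits[str(src)].add(qname.lower().rstrip("."))
    return dict(bypass), dict(dga_hits)


if __name__ == "__main__":
    bypass, dga_hits = analyze(SAMPLE_DNS_LOG)
    for client, resolvers in bypass.items():
        print(f"{client} resolves via external servers: {sorted(resolvers)}")
    for client, names in dga_hits.items():
        print(f"{client} queried DGA-shaped names: {sorted(names)}")
```

Because the DGA only fires once the hardcoded C2 domains fail to resolve, a host that matches both checks on the same day is a much stronger signal than either alone.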

With this knowledge, we re-implemented the DGA in our program and used it to predict all 365 possible DGA domains. When looking up their registration information, we found that some of them had been registered by the MIRAI author. They are:

Fig-0, registered DGA domains

And it is worth noting that the author has already registered another Mirai C2 domain: email

Sample and Analysis

The sample used as illustration in this blog is as follows:

MD5: bf136fb3b350a96fd1003b8557bb758a

SHA256: 971156ec3dca4fa5c53723863966ed165d546a184f3c8ded008b029fd59d6a5a

File type: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

The sample is stripped but not packed. Based on the experience gained from previously found samples, we soon identified its main modules. Code comparison showed that its resolv_cnc_addr function has a very different CFG (control flow graph) from the previously found samples. The new version of the CFG is shown in Fig-1.
Fig-1, resolv_cnc_addr CFG

At the beginning of the function, since as many as 3 C2 controllers are hardcoded in the sample, a random number is generated to randomly select a C2 server from the first and second ones, as shown in Fig-2.
Fig-2, resolv_cnc_addr block 1

If the selected C2 domain fails to resolve, the bot will resolve neither the unselected one nor the 3rd one directly, but will decide, according to the current date, whether to take the DGA branch or to resolve the 3rd C2 domain, as shown in Fig-3.
Fig-3, DGA determination

From the code snippets we can see that if the current date is between Nov 1st and Dec 3rd, the 3rd CNC domain will be used. Otherwise the DGA branch will be executed. This indicates that the author doesn’t want their DGA domains to be used before Dec 4th, which is verified by the fact that the first registered MIRAI DGA domain corresponds exactly to Dec 4th.

The DGA main function is named dga_gen_domain. The domain is generated based on a seed number and the current date. The seed is converted from a hardcoded hex-format string by calling strtol(). It seems a wrong string, “\x90\x91\x80\x90\x90\x91\x80\x90”, was configured, which leads to strtol() always returning 0 (none of those bytes is a hex digit, so the conversion stops immediately).
The local date is obtained by calling the C library functions time() and localtime(). Only the month and day are used here, as shown in Fig-4.
Fig-4, dga_gen_domain entry

The L2 domain is generated by repeatedly executing the code block shown in Fig-5. Its length is determined by $t5 and $t2, which are set in Fig-6, from which we can tell that the L2 domain length is 12.
Fig-5, L2 domain generation loop

The TLD is determined by the residual value in register $S0, as shown in Fig-6. We can see that 3 TLDs are used here.

Fig-6, TLD determination


Currently the DGA feature is found in the following samples.


They all share the same DGA in terms of seed string and algorithm.
The hardcoded C2 domains in the samples are as follows:

We will keep an eye on the progress of this DGA variant; stay tuned for future updates.

Original Post:

How to Start Reverse Engineering Malware


Everyone always asks me what the best courses, classes, tutorials, materials, etc. are for reverse engineering.

Here is a list of sources that will help you get started.

If Currently in College

Be sure to take your assembly language courses as well as C/C++. Take extra courses like cryptology, forensics, or anything that makes you take things apart. You need to have the basics down before you can do the advanced fun stuff.

Lena’s Tutorials

As a newb, I personally started out with these tutorials and they are easy to follow. There are about 40 tutorials that go over basic concepts and patching.

Open Security Training

This site includes many other security training topics such as Exploits, Assembly Architecture, and Reverse Engineering. Courses offer both an introduction into RE as well as REing malware.

iOS & Mac OS X

This site has some nice resources for Apple-based binaries.

Great Books

Practical Malware Analysis: The Hands‑On Guide to Dissecting Malicious Software
by Andrew Honig and Michael Sikorski
– This book provides great examples to tackle the harder questions specifically for malware.

Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation 1st Edition
by Bruce Dang
– This is more of a reference book in my opinion. It has some great exercises to give you a greater understanding of assembly.

Malware Analyst’s Cookbook and DVD
Book by Blake Hartstein, Matthew Richard, Michael Hale Ligh, and Steven Adair
– This book is a great starter for understanding malware from the RE perspective and creating tools to help you RE.

Reverse Engineering Challenge

The FLARE team hosts the “Flare-On” challenge annually. It’s basically broken down into multiple levels, usually ranging from 1 to 10, that gradually increase in complexity.
The first 4-5 levels are great practice rounds for newbie REs and for keeping your skills up to date without burning the midnight oil.

I Need Malware!

There are many open sources out there for you to get some malware samples to download. Here are some of my favorites:

The best choice is just to get a VirusTotal Intelligence account 🙂

I plan on giving a Reverse Engineering 101 workshop soon. So stay tuned!

Original Post:
