[Comedy Section] Gyges - 'The Invisible Malware'

Forum for analysis and discussion about malware.
tgwalt
Posts: 5
Joined: Tue Nov 26, 2013 4:24 pm

[Comedy Section] Gyges - 'The Invisible Malware'

Post by tgwalt » Fri Jul 18, 2014 1:54 pm


EP_X0FF
Global Moderator
Posts: 4883
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Gyges - 'The Invisible Malware'

Post by EP_X0FF » Fri Jul 18, 2014 4:02 pm

Yes I have thoughts

This "Invisible Malware" and "virtually invisible and capable of operating undetected for long periods of time" is ransomware Win32/Urausy.

That's what happens when somebody tries to play in serious business without serious brain.dll installed. Also notice the date when they "discovered" this 2.5-year-old malware - March 2014; nothing comes to mind?

Sentinel Labs is focused on reinventing endpoint security to
protect organizations from advanced threats and nation state
malware. The company was formed by an elite team of cyber
security and defense experts from Intel, McAfee, Checkpoint,
IBM, and the Israel Defense Forces
I only hope they are all ex-workers, and I think I now know why they were fired.
Ring0 - the source of inspiration

tgwalt
Posts: 5
Joined: Tue Nov 26, 2013 4:24 pm

Re: Gyges - 'The Invisible Malware'

Post by tgwalt » Fri Jul 18, 2014 7:15 pm

Just searched up the Urausy thread and wanted to say thanks for the good read/response to their report :D heh I had no idea

forty-six
Posts: 66
Joined: Tue Sep 03, 2013 3:23 pm

Re: Gyges - 'The Invisible Malware'

Post by forty-six » Fri Jul 18, 2014 8:41 pm

The company was formed by an elite team of cyber
security and defense experts from Intel, McAfee, Checkpoint,
IBM, and the Israel Defense Forces
Little more highlighting.....

EP_X0FF
Global Moderator
Posts: 4883
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Gyges - 'The Invisible Malware'

Post by EP_X0FF » Sat Jul 19, 2014 3:30 am

Just in case of "ninja edits" and further "reinventions" their original fuckup article attached here for comedy section purposes.

Number of mentions it uses:

invisible - 10 (invisible ransomware just think about this)
government - 8
espionage - 2

Here and there quotes from "elite team of experts", which contains one member -> Udi Shamir, Head of Research, must be this one? https://github.com/udishamir
We have entered a new era
highly advanced anti-debugging and anti-reverse-engineering.
heavily packed and encrypted using mutated Yoda packer
Not to mention idio.., oh I mean "elite team of experts", as always mess up the usage of Nt* and Zw* functions from NTDLL, thinking they are different.

In this stage, the malware launches its anti-debugging magic using ‘PAGE_GUARD’ method, allocating
memory region and passing it as ‘PC_CLIENT’ parameter
to NtOpenProcess function. If a debugger is attached, the
call to NtOpenProcess will succeed, and the malware will
call ZwTermintaeProcess function and then exit.
Antidebugging? PC_CLIENT? I've been using the Native API since the beginning of the 200x's, but now I've found something I don't know; it must be too elite for me. Strange that MS also doesn't know - http://msdn.microsoft.com/en-us/library ... s.85).aspx. Such wise experts, found something new in Windows that even their devs don't know.

Antidebugging magic? Magic.

EP_X0FF
Global Moderator
Posts: 4883
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Gyges - 'The Invisible Malware'

Post by EP_X0FF » Mon Jul 21, 2014 3:06 am

Fresh reinventions from the mediocre US propaganda mass media

http://bits.blogs.nytimes.com/2014/07/1 ... rotection/

How much $ they paid for this publication?

Favorite quotes:
“This is a very fresh product, very expensive to use,” said Tomer Weingarten, the co-founder and chief executive of Sentinel Labs, a Mountain View, Calif., company that announced the discovery. “Even if they caught the malware, it would be hard to know how it got in your system.”
A very "fresh" product dated back to 2012.
would be hard to know how it got in your system
Orly? http://malware.dontneedcoffee.com/2012/ ... ing-3.html
http://malware.dontneedcoffee.com/2013/ ... rausy.html
The researchers named the malware Gyges, after the ring of Gyges in Greek mythology. Wearing the ring made its owner invisible.
Rings? Mythology? I've a special gift for them:
Sentinel Labs Cap of fool,
adds +100 to bullshit and -100 to intellect <- this sure will help them in their further publications.
The payload delivered by Gyges
“It took me hours, days to understand this,” he said. “It’s really efficient, professional code. You wouldn’t want to morph it and scale it out as a service.”
Probably the only truth in the whole BS blogpost:
It took me hours, days to understand this
, for such a low-skilled idiot Urausy is indeed a hard task.

rnd.usr
Posts: 27
Joined: Tue Apr 15, 2014 6:14 pm

Re: Gyges - 'The Invisible Malware'

Post by rnd.usr » Mon Jul 21, 2014 1:23 pm

For example, Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8 (x86 and x64 versions)
What technique are they talking about here?

EP_X0FF
Global Moderator
Posts: 4883
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Gyges - 'The Invisible Malware'

Post by EP_X0FF » Mon Jul 21, 2014 2:58 pm

0.chloe wrote:
For example, Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8 (x86 and x64 versions)
What technique are they talking about here?
I think their brains are full of logic bugs.

The "bypass" they mention is the WOW64 x86-32->x64 call, known as Heaven's Gate and presumably ripped by Urausy from the Carberp sources. They incorrectly assume this was done to "bypass" anything, while it is just an essential part of the launch.

According to R136a1

Sentinel Labs previous "startup", same moneysucking(?) fake was named Binalyze

http://www.linkedin.com/company/binalyze
http://web.archive.org/web/201201140629 ... alyze.com/
LATEST THREATS DETECTED

3/2/2011 undetected
3/2/2011 Win32/TrojanDownloader.Fosniw
3/2/2011 Win32/Sality.NBA
3/2/2011 Win32/PcClient
3/2/2011 Win32/Agent.HXW
<- typical fake security page full of "reinventions".

They have problems with design. This logo, painted by brain-damaged kids, is everywhere.

Binalyze

Sentinel Labs (they finally managed how to compress their logo so it doesn't look like totally fucked)


Here some bullshit marketing
http://pando.com/2014/04/23/beyond-anti ... rity-game/
http://techcrunch.com/2013/08/07/cyber- ... ises-2-5m/

rexor
Posts: 12
Joined: Tue Oct 08, 2013 5:28 am

Re: Gyges - 'The Invisible Malware'

Post by rexor » Mon Jul 21, 2014 7:24 pm

Obviously, the paper is not intended for the security community but for the company's PR. They at least could have added the hash of the sample(s) they've analyzed but for "whatever" reason, they did not!

EP_X0FF - can you suggest/point to the sample/version of Urausy family that comes as closely as possible to what the author writes?

rnd.usr
Posts: 27
Joined: Tue Apr 15, 2014 6:14 pm

Re: Gyges - 'The Invisible Malware'

Post by rnd.usr » Mon Jul 21, 2014 8:46 pm

EP_X0FF wrote:The "bypass" they mention is using WOW64 x86-32->x64 call, known as Heavens gate and presumable ripped by Urausy from Carberp sources. They incorrectly assume this was done to "bypass" anything while this is just essential part of launch.
Ah, the 0x33 segment selector.
EP_X0FF wrote:Sentinel Labs (they finally managed how to compress their logo so it doesn't look like totally fucked)
Haha, they can't even into Twitter.
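A defender-side illustration of the selector-0x33 transition that EP_X0FF and rnd.usr refer to above (an added example, not code from this thread or from any of the reports it discusses): a small scanner that flags the well-known far-transfer stubs 32-bit code uses to reach the x64 code segment under WOW64. It also checks the `jmp far`/`call far 0x33:imm32` encodings, which go beyond the push/retf stub the thread alludes to; `SAMPLE` is a constructed byte blob, not a real sample.

```python
import re
from typing import List, Tuple

# Byte patterns for three common ways x86 code under WOW64 transfers into the
# 64-bit code segment (selector 0x33), as assembled on x86:
#   push 0x33 ; call $+5 ; add dword [esp], 5 ; retf   (classic "Heaven's Gate" stub)
#   jmp  far 0x33:imm32                                 (EA <imm32> 33 00)
#   call far 0x33:imm32                                 (9A <imm32> 33 00)
# These are triage heuristics only: the two far-transfer forms can match by
# chance in data, so hits should be confirmed by disassembling at the offset.
HEAVENS_GATE_PATTERNS = {
    "push/retf gate": re.compile(rb"\x6a\x33\xe8\x00\x00\x00\x00\x83\x04\x24\x05\xcb", re.DOTALL),
    "jmp far 0x33":   re.compile(rb"\xea.{4}\x33\x00", re.DOTALL),
    "call far 0x33":  re.compile(rb"\x9a.{4}\x33\x00", re.DOTALL),
}


def find_heavens_gate(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, pattern name) for every gate-looking stub in blob, sorted by offset."""
    hits = []
    for name, pat in HEAVENS_GATE_PATTERNS.items():
        for m in pat.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: filler prologue, the classic stub, NOP padding, then a far jmp.
SAMPLE = (
    b"\x55\x8b\xec" * 4                                    # push ebp; mov ebp,esp (filler, 12 bytes)
    + b"\x6a\x33\xe8\x00\x00\x00\x00\x83\x04\x24\x05\xcb"  # push 0x33 / call $+5 / add [esp],5 / retf
    + b"\x90" * 7                                          # nop padding
    + b"\xea\x78\x56\x34\x12\x33\x00"                      # jmp far 0x33:0x12345678
    + b"\xc3"                                              # ret
)

if __name__ == "__main__":
    for off, name in find_heavens_gate(SAMPLE):
        print(f"0x{off:04x}: {name}")
```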
