A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23402  by EP_X0FF
 Fri Jul 18, 2014 4:02 pm
Yes I have thoughts Image

This "Invisible Malware" and "virtually invisible and capable of operating undetected for long periods of time" is ransomware Win32/Urausy.

That what is happening when somebody is trying to play in serious bussiness without serious brain.dll installed. Also notice a date when they "discovered" this 2.5 years old malware - March 2014, nothing comes to a mind? Image

Sentinel Labs is focused on reinventing endpoint security to
protect organizations from advanced threats and nation state
malware. The company was formed by an elite team of cyber
security and defense experts from Intel, McAfee, Checkpoint,
IBM, and the Israel Defense Forces
I only hope they all ex-workers and I think I now know why they were fired.
 #23407  by tgwalt
 Fri Jul 18, 2014 7:15 pm
Just searched up the Urausy thread and wanted to say thanks for the good read/response to their report :D heh I had no idea
 #23409  by forty-six
 Fri Jul 18, 2014 8:41 pm
The company was formed by an elite team of cyber
security and defense experts from Intel, McAfee, Checkpoint,
IBM, and the Israel Defense Forces
Little more highlighting.....
 #23412  by EP_X0FF
 Sat Jul 19, 2014 3:30 am
Just in case of "ninja edits" and further "reinventions" their original fuckup article attached here for comedy section purposes.

It uses number of mentions:

invisible - 10 (invisible ransomware just think about this)
government - 8
espionage - 2

Here and there quotes from "elite team of experts", which contains one member -> Udi Shamir, Head of Research, must be this one? https://github.com/udishamir
We have entered a new era
highly advanced anti-debugging and anti-reverse-engineering.
heavily packed and encrypted using mutated Yoda packer
Not to mention idio.., oh I mean "elite team of experts" as always mess usage of Nt* and Zw* functions from NTDLL, thinking they are different.

In this stage, the malware launches its anti-debugging magic using ‘PAGE_GUARD’ method, allocating
memory region and passing it as ‘PC_CLIENT’ parameter
to NtOpenProcess function. If a debugger is attached, the
call to NtOpenProcess will succeed, and the malware will
call ZwTermintaeProcess function and then exit.
Antidebugging? PC_CLIENT? I'm using Native API since beginning of 200x but now I found something I don't know, must be it is too elite for me. Strange MS also don't know - http://msdn.microsoft.com/en-us/library ... s.85).aspx, such a wise experts, found something new in Windows even their dev's don't know.

Antidebugging magic? Magic.
Attachments
comedy section report
(2.81 MiB) Downloaded 97 times
 #23415  by EP_X0FF
 Mon Jul 21, 2014 3:06 am
Fresh reinventions from the mediocre US propaganda mass media

http://bits.blogs.nytimes.com/2014/07/1 ... rotection/

How much $ they paid for this publication?

Favorite quotes:
“This is a very fresh product, very expensive to use,” said Tomer Weingarten, the co-founder and chief executive of Sentinel Labs, a Mountain View, Calif., company that announced the discovery. “Even if they caught the malware, it would be hard to know how it got in your system.”
A very "fresh" product dated back to 2012.
would be hard to know how it got in your system
Orly? http://malware.dontneedcoffee.com/2012/ ... ing-3.html
http://malware.dontneedcoffee.com/2013/ ... rausy.html
The researchers named the malware Gyges, after the ring of Gyges in Greek mythology. Wearing the ring made its owner invisible.
Rings? Mythology? I've a special gift for them:
Sentinel Labs Cap of fool Image,
adds +100 to bullshit and -100 to intellect <- this sure will help them in their further publications.
The payload delivered by Gyges
“It took me hours, days to understand this,” he said. “It’s really efficient, professional code. You wouldn’t want to morph it and scale it out as a service.”
Probably the only truth in whole BS blogpost
It took me hours, days to understand this
, for a such low skilled idiot Urausy is indeed hard task.
 #23416  by rnd.usr
 Mon Jul 21, 2014 1:23 pm
For example, Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8 (x86 and x64 versions)
What technique are they talking about here?
 #23418  by EP_X0FF
 Mon Jul 21, 2014 2:58 pm
0.chloe wrote:
For example, Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8 (x86 and x64 versions)
What technique are they talking about here?
I think their brains full of logic bugs.

The "bypass" they mention is using WOW64 x86-32->x64 call, known as Heavens gate and presumable ripped by Urausy from Carberp sources. They incorrectly assume this was done to "bypass" anything while this is just essential part of launch.

According to R136a1

Sentinel Labs previous "startup", same moneysucking(?) fake was named Binalyze

http://www.linkedin.com/company/binalyze
http://web.archive.org/web/201201140629 ... alyze.com/
LATEST THREATS DETECTED

3/2/2011 undetected
3/2/2011 Win32/TrojanDownloader.Fosniw
3/2/2011 Win32/Sality.NBA
3/2/2011 Win32/PcClient
3/2/2011 Win32/Agent.HXW
<- typical fake security page full of "reinventions".

They have problems with design. This painted by brain damaged kids logo everywhere.

Binalyze
12.png
12.png (98.51 KiB) Viewed 1178 times

Sentinel Labs (they finally managed how to compress their logo so it doesn't look like totally fucked)
34.png
34.png (98.47 KiB) Viewed 1178 times


Here some bullshit marketing
http://pando.com/2014/04/23/beyond-anti ... rity-game/
http://techcrunch.com/2013/08/07/cyber- ... ises-2-5m/
 #23420  by rexor
 Mon Jul 21, 2014 7:24 pm
Obviously, the paper is not intended for the security community but for the company's PR. They at least could have added the hash of the sample(s) they've analyzed but for "whatever" reason, they did not!

EP_X0FF - can you suggest/point to the sample/version of Urausy family that comes as closely as possible to what the author writes?
 #23423  by rnd.usr
 Mon Jul 21, 2014 8:46 pm
EP_X0FF wrote:The "bypass" they mention is using WOW64 x86-32->x64 call, known as Heavens gate and presumable ripped by Urausy from Carberp sources. They incorrectly assume this was done to "bypass" anything while this is just essential part of launch.
Ah, the 0x33 segment selector.
EP_X0FF wrote:Sentinel Labs (they finally managed how to compress their logo so it doesn't look like totally fucked)
Haha, they can't even into Twitter.
53a18d4227e71.image.jpg
53a18d4227e71.image.jpg (85.59 KiB) Viewed 1131 times