[tgwalt]

http://www.sentinel-labs.com/blog/senti ... nce-report

Anyone have any thoughts on this?

[EP_X0FF]

Yes I have thoughts

This "Invisible Malware" and "virtually invisible and capable of operating undetected for long periods of time" is ransomware Win32/Urausy.

That what is happening when somebody is trying to play in serious bussiness without serious brain.dll installed. Also notice a date when they "discovered" this 2.5 years old malware - March 2014, nothing comes to a mind?

Sentinel Labs is focused on reinventing endpoint security to
protect organizations from advanced threats and nation state
malware. The company was formed by an elite team of cyber
security and defense experts from Intel, McAfee, Checkpoint,
IBM, and the Israel Defense Forces

I only hope they all ex-workers and I think I now know why they were fired.

[tgwalt]

Just searched up the Urausy thread and wanted to say thanks for the good read/response to their report :D heh I had no idea

[forty-six]

The company was formed by an elite team of cyber
security and defense experts from Intel, McAfee, Checkpoint,
IBM, and the Israel Defense Forces

Little more highlighting.....

[EP_X0FF]

Just in case of "ninja edits" and further "reinventions" their original fuckup article attached here for comedy section purposes.

It uses number of mentions:

invisible - 10 (invisible ransomware just think about this)
government - 8
espionage - 2

Here and there quotes from "elite team of experts", which contains one member -> Udi Shamir, Head of Research, must be this one? https://github.com/udishamir

We have entered a new era

highly advanced anti-debugging and anti-reverse-engineering.

heavily packed and encrypted using mutated Yoda packer

Not to mention idio.., oh I mean "elite team of experts" as always mess usage of Nt* and Zw* functions from NTDLL, thinking they are different.

In this stage, the malware launches its anti-debugging magic using ‘PAGE_GUARD’ method, allocating
memory region and passing it as ‘PC_CLIENT’ parameter
to NtOpenProcess function. If a debugger is attached, the
call to NtOpenProcess will succeed, and the malware will
call ZwTermintaeProcess function and then exit.

Antidebugging? PC_CLIENT? I'm using Native API since beginning of 200x but now I found something I don't know, must be it is too elite for me. Strange MS also don't know - http://msdn.microsoft.com/en-us/library ... s.85).aspx, such a wise experts, found something new in Windows even their dev's don't know.

Antidebugging magic? Magic.

[EP_X0FF]

Fresh reinventions from the mediocre US propaganda mass media

http://bits.blogs.nytimes.com/2014/07/1 ... rotection/

How much $ they paid for this publication?

Favorite quotes:

“This is a very fresh product, very expensive to use,” said Tomer Weingarten, the co-founder and chief executive of Sentinel Labs, a Mountain View, Calif., company that announced the discovery. “Even if they caught the malware, it would be hard to know how it got in your system.”

A very "fresh" product dated back to 2012.

would be hard to know how it got in your system

Orly? http://malware.dontneedcoffee.com/2012/ ... ing-3.html
http://malware.dontneedcoffee.com/2013/ ... rausy.html

The researchers named the malware Gyges, after the ring of Gyges in Greek mythology. Wearing the ring made its owner invisible.

Rings? Mythology? I've a special gift for them:
Sentinel Labs Cap of fool ,
adds +100 to bullshit and -100 to intellect <- this sure will help them in their further publications.

The payload delivered by Gyges

“It took me hours, days to understand this,” he said. “It’s really efficient, professional code. You wouldn’t want to morph it and scale it out as a service.”

Probably the only truth in whole BS blogpost

It took me hours, days to understand this

, for a such low skilled idiot Urausy is indeed hard task.

[rnd.usr]

For example, Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8 (x86 and x64 versions)

What technique are they talking about here?

[EP_X0FF]

For example, Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8 (x86 and x64 versions)

What technique are they talking about here?

I think their brains full of logic bugs.

The "bypass" they mention is using WOW64 x86-32->x64 call, known as Heavens gate and presumable ripped by Urausy from Carberp sources. They incorrectly assume this was done to "bypass" anything while this is just essential part of launch.

According to R136a1

Sentinel Labs previous "startup", same moneysucking(?) fake was named Binalyze

http://www.linkedin.com/company/binalyze
http://web.archive.org/web/201201140629 ... alyze.com/

LATEST THREATS DETECTED

3/2/2011 undetected
3/2/2011 Win32/TrojanDownloader.Fosniw
3/2/2011 Win32/Sality.NBA
3/2/2011 Win32/PcClient
3/2/2011 Win32/Agent.HXW

<- typical fake security page full of "reinventions".

They have problems with design. This painted by brain damaged kids logo everywhere.

Binalyze

12.png (98.51 KiB) Viewed 1175 times

Sentinel Labs (they finally managed how to compress their logo so it doesn't look like totally fucked)

34.png (98.47 KiB) Viewed 1175 times

Here some bullshit marketing
http://pando.com/2014/04/23/beyond-anti ... rity-game/
http://techcrunch.com/2013/08/07/cyber- ... ises-2-5m/

[rexor]

Obviously, the paper is not intended for the security community but for the company's PR. They at least could have added the hash of the sample(s) they've analyzed but for "whatever" reason, they did not!

EP_X0FF - can you suggest/point to the sample/version of Urausy family that comes as closely as possible to what the author writes?

[rnd.usr]

The "bypass" they mention is using WOW64 x86-32->x64 call, known as Heavens gate and presumable ripped by Urausy from Carberp sources. They incorrectly assume this was done to "bypass" anything while this is just essential part of launch.

Ah, the 0x33 segment selector.

Sentinel Labs (they finally managed how to compress their logo so it doesn't look like totally fucked)

Haha, they can't even into Twitter.

53a18d4227e71.image.jpg (85.59 KiB) Viewed 1128 times