A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23424  by EP_X0FF
 Tue Jul 22, 2014 2:29 am
rexor wrote: EP_X0FF - can you suggest/point to the sample/version of the Urausy family that comes as closely as possible to what the author writes?

According to their article "content", they have analyzed Urausy.C and/or Urausy.D.

Startup sequence: dropper -> decrypt loader in memory, overwrite EP with decrypted memory -> transfer control flow to it -> map ntdll.dll and patch NtClose to the shellcode -> open Explorer.exe with NtOpenProcess (CLIENT_ID = VirtualAlloc(PAGE_READWRITE + PAGE_GUARD)) -> unmap ntdll.dll and replace it with the modified one -> dropper terminates -> Explorer.exe -> malware gets control when NtClose is called -> restore hooked NtClose -> new svchost.exe with injected payload shellcode -> CreateDesktop -> SwitchDesktop -> display ransom page.

For samples see this thread http://www.kernelmode.info/forum/viewto ... =16&t=2135

And from there they copy-pasted most of the info: http://blog.avast.com/2013/07/24/urausy ... 0-minutes/
But of course it was a SentinelLabs reinvention, not plagiarism -> "It took me hours, days to understand this" (C).
 #23445  by kareldjag/michk
 Fri Jul 25, 2014 10:28 am
Hello,

I also remember that PrevX devs were highly inspired by a Kernelmode.info member (Fyyre, but not sure) for their paper about Patchguard.
The recent post by Jeffrey Carr is appropriate in this case, as for instance he refers to recent intrusions into the Airbus consortium's IT, but Cassidian Labs from Airbus have only presented their study as a white paper (intrusion via Word has already been used against the French government):
http://jeffreycarr.blogspot.fr/2014/07/ ... t-apt.html

Now APT is nothing but a buzzy and trendy word designed to impress and motivate general managers who have zero Insecurity skills but have the final word on the Money.
https://www.schneier.com/blog/archives/ ... ersis.html

And raising one million or 15 million dollars to fight cybercrime or malware will not change the cyber landscape: you cannot solve an equation without a solution, a mathematical, undecidable, NP-complete problem, with money.
Nothing has been solved since the first virus, even with an armada of security companies for years and years.
Sentinel what?

RGDS
 #23446  by EP_X0FF
 Fri Jul 25, 2014 10:55 am
kareldjag/michk wrote: I also remember that PrevX devs were highly inspired by a Kernelmode.info member (Fyyre, but not sure) for their paper about Patchguard.
I think you confuse TDL4 and Patchguard, in their kernelmode.info-stolen copy-paste blog post (where this mediocre fake-AV company declared that they had discovered TDL4, which doesn't need to bypass Patchguard). Or maybe you have a link for this?
 #23447  by kareldjag/michk
 Fri Jul 25, 2014 1:42 pm
Hi,

https://twitter.com/Fyyre/statuses/155383565943701504

http://www.aall86.altervista.org/guide/ ... otkits.pdf

The web is full of copy-paste people, like Matousec, who copy/pasted GKWeb/firewallleaktester and my HIPS methodologies to provide marketing certifications of antivirus security suites.

rgd