Sysenter Chapter

Sysenter Chapter Status Report 2012

angelo.dellaera — Tue, 30 Oct 2012 10:06:08 -0500

ORGANIZATION

The Sysenter Chapter was founded in August 2010 and currently consists of the following people:

Angelo Dell'Aera
Charlie Hurel
Gianluca Guida
Guido Landi
Patrik Lantz
Pietro Delsante
Roberto Tanara

The Chapter members are interested in research projects covering the following topics:

Automated botnet tracking
Low-interaction client honeypots

Sysenter Chapter

Sysenter Chapter - Status Report 2011

angelo.dellaera — Fri, 10 Jun 2011 08:52:27 -0500

ORGANIZATION

The Sysenter Chapter was founded in August 2010 and currently consists of the following people:

Angelo Dell'Aera
Guido Landi
Patrik Lantz
Roberto Tanara

The Chapter members are interested in research projects covering the following topics:

Automated botnet tracking
Low-interaction client honeypots
Automated malware collection and analysis systems
Distributed honeynet deployment, operation and data analysis

Sysenter Chapter

Murofet, Zeus++ or just Zeus 2.1?

guido.landi — Fri, 15 Oct 2010 06:09:44 -0500

The first one writing about this new threat was Marco Giuliani. So, Murofet or Zeus++?

Taking a look at a couple of samples we were able to identify:
- Same API hooks
- Same encryption routine for configuration file (RC4)
- Pretty much the same configuration file format

Sysenter Chapter

Trojan Carberp

guido.landi — Mon, 11 Oct 2010 07:16:11 -0500

I'm interested in infostealers and specifically in banking-trojans so I didn't want to miss this one. Samples of Carberp are floating around at least since last spring but in late September we saw such numbers increasing.

Taking a look at how Carberp hooks API it looks like yet another Zeus "clone". What I found interesting is how it hooks system calls. This is how a normal syscall looks like

MOV EAX,0xce                     // ZwResumeThread syscall id

Sysenter Chapter

Is that PDF so scary?

guido.landi — Fri, 10 Sep 2010 04:56:10 -0500

- "it bypasses DEP and ASLR using impressive tricks and unusual methods" - Vupen

- "it uses a previously unpublished technique to bypass ASLR" - Metasploit Blog

- "exploit uses the ROP technique to bypass the ASLR and DEP" - ZDnet/Kasperky

Sysenter Chapter

Export Address Table Filtering (EMET v2)

guido.landi — Tue, 31 Aug 2010 04:40:36 -0500

I'll tell you the truth: Export Address Table Filtering, the feature of the upcoming release of EMET, "designed to break nearly all shell code in use today", intrigued me a bit.

Sysenter Chapter

PHoneyC DOM Emulation – Browser Personality

angelo.dellaera — Sun, 22 Aug 2010 10:03:29 -0500

A new improvement in PHoneyC DOM emulation code was committed in SVN r1624. The idea is to better emulate the DOM behaviour depending on the selected browser personality. Let's take a look at the code starting from the personalities definition in config.py.

UserAgents = [

    (1,

     "Internet Explorer 6.0 (Windows 2000)",

     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",

     "Mozilla",

     "Microsoft Internet Explorer",

Sysenter Chapter

Another great step forward

angelo.dellaera — Wed, 11 Aug 2010 09:00:18 -0500

“Dionaea is meant to be a Nepenthes successor, embedding Python as scripting language, using libemu to detect shellcodes, supporting IPv6 and TLS” (taken from Dionaea homepage). Besides being the most interesting project for trapping malware exploiting vulnerabilities, Dionaea supports a really cool feature which allows it to log to XMPP services as described here. TIP now exploits this feature receiving and storing such logs (really thanks to Markus Koetter for his help and support).

Sysenter Chapter

PHoneyC DOM Emulation - Window

angelo.dellaera — Tue, 10 Aug 2010 08:14:10 -0500

A few weeks ago I started reviewing the PHoneyC DOM emulation code and realized it was turning to be hard to maintain and debug due to a huge amount of undocumented (and sometimes awful) hacks. For this reason I decided it was time to patch (and sometimes rewrite from scratch) such code. These posts will describe how the new DOM emulation code will work. The patch is not available right now since I'm testing the code but plans exists to commit it in the PHoneyC SVN in the next days.

Sysenter Chapter