ShadowBrokers Leak: A Machine Learning Approach

During the past few weeks I read a lot of great papers, blog posts and full magazine articles on the ShadowBrokers Leak (free public repositories: here and here) released by WikiLeaks Vault7.  Many of them described the amazing power of such a tools (by the way they are currently used by hackers to exploit systems without MS17-010 patch) other made a great reverse engineering adventures on some of the most used payloads and other again described what is going to happen in the next feature.

A quick REVENGE Analysis

Another free weekend, another suspicious link provided by a colleague of mine and another compelling feeling to understand "how it works".  The following analysis is made "just for fun" and is not part of my professional analyses which have to follows a complete different process before being released. So please consider it as a "sport activity". A colleague of mine provided me a suspicious link which I decided to analyze.

Crypt0l0cker Revival !

A couple of days ago a colleague of mine gave me a "brand new" malicious content delivered by a single HTML page. The page was sent to an email box as part of a biggest attack. I found that vector particularly fun and so I'd like to share some of the steps who took me through a personal investigation path made not for professional usage but just for fun. At first sight the HTML page looks like the following image.

Malware Training Sets: A machine learning dataset for everyone

One of the most challenging tasks during Machine Learning processing is to define a great training (and possible dynamic) dataset. Assuming a well known learning algorithm and a periodic learning supervised process what you need is a classified dataset to best train your machine. Thousands of training datasets are available out there from "flowers" to "dices" passing through "genetics", but I was not able to find a great classified dataset for malware analyses.

Dirty COW Notes

I am not used to write about vulnerabilities because there are too much vulnerabilities out here and writing about just one of them is not going to contribute security community at all. So why am I writing about Diry Cow ? I am going to write about it because, in my personal opinion, it is huge. When I say "huge" I don't really mean it will be used to exploit the "

Cybersecurity Awareness

My little contribution on cybersecurity to national TV channel; next to Evgenij Valentinovič Kasperskij, founder of Kaspersky Anti Virus Engine.

Internet of Broken Things: Threats are changing, so are we ?

Hi Folks, this is another blog-post on internet of "broken things". As many of you are familiar with MQTT is one of the most used protocol over the Internet of Things. It's widely used in private area network - to make communications quick and light - and on public network as well - to build communication channels between sensors end / or servers messages - MQTT is a machine-to-machine (M2M)/"Internet of Things"

Summing up the ShadowBrokers Leak

Nowadays it's almost impossible to not write about EquationGroup Leak, so I'm going to start my "blog post" pushing the following picture (realised by Kaspersky Lab) which would cut-out every doubts about the leak paternity.EquationGroup VS ShadowBrokers's LeakThe leaked dump contains a set of exploits, implants and tools for hacking firewalls (code name: "Firewall Operations").  Let's have a quick look to them: Exploits: Following a list of exploit found on the published leak.

Fighting Ransomware Threats

I wrote a little bit about Ransomware general view and Ransomware general infection methods here.Today, after some more months working on the field and after having meet much more Ransomware than I thought, I'd like to write a little bit about how to "fight them".Before starting the review of some of the most known strategies to fight Ransomware let me explain why nowadays Ransomware are not "fair" as they were few months ago.

From ROP to LOP bypassing Control FLow Enforcement

Once upon a time breaking the Stack (here) was a metter of indexes and executables memory areas (here). Then it came a DEP protection (here) which disabled a particular area from being executable. This is the fantastic story of ROP (Return Oriented Programming) from which I've been working for long time in writing exploiting and re-writing "resurrectors" (software engines able to convert old exploits into brand new ROP enabled exploits), please take a look: here, here, here, here, here and here.