Latest "Whitepapers"
Unflattening ConfuserEx .NET Code in IDA
In this paper, we’re studying the ConfuserEx obfuscation mechanism of a Ginzo .NET sample. This class of obfuscator is known as code flatteners. We describe how it can be dealt with using a Python script within IDA Pro, a famous reverse-engineering tool.
16.09.2022 13:36
In this paper, we’re studying the ConfuserEx obfuscation mechanism of a Ginzo .NET sample. This class of obfuscator is known as code flatteners. We describe how it can be dealt with using a Python script within IDA Pro, a famous reverse-engineering tool.
16.09.2022 13:36
Trickbot - An analysis of data collected from the botnet
We are monitoring various threats and in that context we have collected quite some dataabout the Trickbot botnet in the past few years. This paper is based on an analysis of selectedaspects of our Trickbot data collection. Some of our analysis is rather straightforward, yet,we also take the freedom to make some speculative statements, which might turn out to be debatable or plain wrong. In that spirit we are open for discussions and are happy to receive comments by the readers of this paper.
23.09.2019 10:25
We are monitoring various threats and in that context we have collected quite some dataabout the Trickbot botnet in the past few years. This paper is based on an analysis of selectedaspects of our Trickbot data collection. Some of our analysis is rather straightforward, yet,we also take the freedom to make some speculative statements, which might turn out to be debatable or plain wrong. In that spirit we are open for discussions and are happy to receive comments by the readers of this paper.
23.09.2019 10:25
Scripting IDA Debugger to Deobfuscate Nymaim
Nymaim is active worldwide since at least 2013 and is also responsible for many infections in Switzerland. Sinkhole Data shows that Nymaim is responsible for about 2% of infected devices 1 in Switzerland that hit sinkholes the last few days. Nymaim uses powerful code obfuscation techniques. These techniques have already been discussed several times. Many approaches use code emulation. We’d like to present an approach in this paper to do so by directly using IDA’s debugger feature and IDAPython to do the same, as it might be the more generic approach in certain cases.
03.03.2017 11:30
Nymaim is active worldwide since at least 2013 and is also responsible for many infections in Switzerland. Sinkhole Data shows that Nymaim is responsible for about 2% of infected devices 1 in Switzerland that hit sinkholes the last few days. Nymaim uses powerful code obfuscation techniques. These techniques have already been discussed several times. Many approaches use code emulation. We’d like to present an approach in this paper to do so by directly using IDA’s debugger feature and IDAPython to do the same, as it might be the more generic approach in certain cases.
03.03.2017 11:30
Technical Report about the Malware used in the Cyberespionage against RUAG
We were tasked by the Federal Council to produce a report about the technical findings concerning the RUAG Incident. It is targeted towards network security professionals and is meant to support those responsible for security identifying risks within their own networks, as well as implementing additional security measures. The use and implementation of the information and recommendation, lays with each’s individual responsibility.
23.05.2016 02:00
We were tasked by the Federal Council to produce a report about the technical findings concerning the RUAG Incident. It is targeted towards network security professionals and is meant to support those responsible for security identifying risks within their own networks, as well as implementing additional security measures. The use and implementation of the information and recommendation, lays with each’s individual responsibility.
23.05.2016 02:00
Fobber Analysis
After reading the a blog post on Malwarebytes describing Fobber, a new variant of Tinba, we wanted to have a look at it ourselves. Fobber uses an interesting and unusual approach to make static analysis harder: we’ll try to explain it and give hints on how to recover the original un-encrypted shellcode. Furthermore we analysed all injection stages used by the malware and described what kind of shellcode run within each injected code.
11.09.2015 09:45
After reading the a blog post on Malwarebytes describing Fobber, a new variant of Tinba, we wanted to have a look at it ourselves. Fobber uses an interesting and unusual approach to make static analysis harder: we’ll try to explain it and give hints on how to recover the original un-encrypted shellcode. Furthermore we analysed all injection stages used by the malware and described what kind of shellcode run within each injected code.
11.09.2015 09:45
Last modification 28.03.2022
