The NSA needs your updates

(Please note this is a translated post from the Spanish version… and that 28th December is in Spain equivalent to April Fools’ Day, so this news was just a joke)

Although this finding has little more than 12 hours (it appeared yesterday in some Chinese media), it has not taken too long to spread through the US specialized media. Among others, ArsTechnica, Bruce Schenier, Wired or Dan Kaminsky have brief reviews commenting the recent findings made by Lian Li and Huan Chen, Chinese researchers from Peking University.

Apparently, all began at the end of 2013, while Li and Chen were performing forensic analysis on three compromised computers. Analyzing different Adobe update packages stored in the computers (suspected to be a vector for infection), they detected that all of them had a similar structure: the update package and an encrypted data block C1 that could vary from 65536 bytes to several MBs.

[Read more…]

Solving ‘heap’ from defcon 2014 qualifier with r2

This article will introduce r2 to resolve a simple CTF from Defcon ’14 using Linux. For those who do not know radare2 is a unix-like reverse engineering framework and commandline tools and the most important thing about it is that it is open source thus we can play with it.

Radare2 gives us the possibility to do reverse engineering and more by free as we will look on this post though we are not going too deeply into the commands. I leave it as an exercise for the reader.

Most people complain about the lack of doc that r2 has but that is far from the truth. Radare has:

  • Open source Book in which anyone can contribute.
  • Talks.
  • Asciinema showing usage examples.
  • If you append ? in each command in r2’s console you will get a little help.
  • There is a blog.
  • IRC channel on #radare.
  • Last but not least we have the source code.

[Read more…]

Unveiling Nuclear EK (IV)

(See parts I, II and III of this serie)

In the previous post we managed to obtain the original SWF, but discovered that the exploit is embedded in a ByteArray. Will we be able to obtain it?

First of all, we must extract the contents stored in the ByteArray. To do this, we need a Flash decompiler desktop: Adobe SWF Investigator (It’s free!). Once installed we open the last file obtained: uncompressed_exploit.swf. We go to “Tag Viewer” and select “DefineBinaryData” among all the tags. Then we save it by clicking in “Dump to file” and naming it as “dump_exploit.bin”, for example.

[Read more…]

Unveiling Nuclear EK (III)

(See parts I and II of this serie)

In the previous post we were about to find out why the proxy does not identify the Flash object as application/x-shockwave-flash. Let’s see.


We extract the object Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs from Wireshark and check what type of file it is:


Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs: application/octet-stream; charset=binary

00000000  5a 57 53 17 ad 23 00 00  3a 21 00 00 5d 00 00 20  |ZWS..#..:!..].. |
00000010  00 00 3b ff fc 8e 19 fa  df e7 66 08 a0 3d 3e 85  |..;.......f..=>.|
00000020  f5 75 6f d0 7e 61 35 1b  1a 8b 16 4d df 05 32 fe  |.uo.~a5....M..2.|
00000030  a4 4c 46 49 b7 7b 6b 75  f9 2b 5c 37 29 0b 91 37  |.LFI.{ku.+\7)..7|
00000040  01 37 0e e9 f2 e1 fc 9e  64 da 6c 11 21 33 ed a0  |.7......d.l.!3..|
00000050  0e 76 70 a0 cd 98 2e 76  80 f0 e0 59 56 06 08 e9  |.vp....v...YV...|
00000060  ca eb a2 c6 db 5a 86 7b  47 de 99 5d 68 76 38 16  |.....Z.{G..]hv8.|
00000070  bd 93 3c d3 d0 9e d3 55  63 5a da b0 db 27 e6 7c  |..< ....UcZ...'.||

[Read more…]

Unveiling Nuclear EK (II)

In the first part, we got an example of the case we want to analyze. Having the HTML files extracted with Wireshark, we can start the analysis.

(1) index.php


Simple; redirects to (2)

[Read more…]

Unveiling Nuclear EK (I)

When analyzing network traffic, we can often find patterns belonging to the already known Angler EK, Nuclear EK and Magnitude EK.

Normally sold in the black market, an Exploit Kit (EK) is a toolset that automates the exploitation of vulnerabilities on the client, aimed at browsers and plugins that a website can invoke as Adobe Flash Player, Microsoft Silverlight, Adobe Reader, Java, etc., to infect computers while surfing the Internet in what is called drive-by download attacks.

These patterns can be detected by snort rules such as:

ET CURRENT_EVENTS Cushion Redirection
ET CURRENT_EVENTS Possible Nuclear EK Landing URI Struct T1
ET CURRENT_EVENTS Malvertising Redirection to Exploit Kit Aug 07 2014
ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014

[Read more…]

Yara for Incident Handling: a practical case

Yara is an initiative that’s become more and more popular for incident handling, especially over the last year. This project has been widely spoken about on this and other blogs.

Here I’m going to show you a practical example for using incident handling triggered by ransomware. Over the last months there has been an increase in this type of malware that, in spite of the many warnings from those of us working in security and incident handling, is still having quite a big impact. Fortunately, the most recent incidents of ransomware where I have been involved, the compromise has only affected one user each time, which allowed us to focus more on the scope of the encrypted archives than on identifying the equipment that may have been compromised.

Extension identification

One of the first cases we were involved in was an incident with CTB-Locker. On this occasion, a user reported a message appearing on his desktop informing him that his archives had been encrypted and asking for a ransom to recover them. Once part of the incident had been contained by disconnecting the equipment from the network and identifying it as the only one affected (let’s not go into this here) we went on to determine which archives had been encrypted and which ones could be recovered (we would never recommend paying the ransom).

[Read more…]

Two-step authentication, or how to make it tough for a hacker

Two-step authentication is a protection approach widely known among cyber security people but it is not that known among regular users. This article aims to teach everybody about it, as domestic user accounts are more and more targeted by hackers.... Leer Más

Taking apart office automation documents with OfficeMalScanner

One of the main routes of malware infection is through office automation documents. They represent a very potent vector of infection, specially in directed attacks and phishing campaigns.

These documents are crafted to carry hidden macros, OLE objects, executables, etc., which, once the user opens the document, conduct a series of malicious actions to obtain information with the idea of profiting from it or simply damaging the system. Generally, this type of generic malware downloads other malware for the Internet (droppers), exploits system vulnerabilities, duplicates itself to assure its lifespan in the system, exfilters user information, etc.

A very useful tool for analyzing and detecting anomalous patterns in office automation documents is the “OfficeMalScanner” suite, which you can download from the author’s web,

[Read more…]

Clearing up the complexity: Security for non-technicians

IT security is almost always complex, covering many different areas and creating the sensation of a technical equivalent to “doctors’ handwriting”.... Leer Más