Hunting malwares in the memory in the Oracle Linux 7.x


Dear readers, how are you? Last week I spoke about “Hunting malwares in the memory in the Oracle Linux 7.x” at Oracle Open World 2016 Latin America. A few photos from my session follow:

Personally, I liked this event very much because there were many people interested in learning and discovering how it is possible to detect an infection in memory on Oracle Linux 7.x.

I haven’t decided it yet, but eventually I will put slides out. Stay tuned!

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil)

BSIDES LATAM 2016 – Hunting Malwares on the Memory


Dear readers, how are you? Yesterday, June/12, I taught a lecture titled “Hunting malwares on the memory” at BSIDES Latin America 2016. A few photos follow:

I am proud of having taken part in the first BSIDES LATAM 2016 for three reasons:

  1. The attendees of my lectures were amazing. They were smart, very interested and asked good questions.
  2. Ponai Rocha (one of the organizers) was very polite and an outstanding host.
  3. BSIDES LATAM is a technical event with few vendors and really interesting lectures taught by experts.

Honestly, I hope my attendees have learned something and become motivated to study a bit more about Malware and Memory Analysis.

I hope you have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil)

Easy anti-debugging technique during a reversing


Dear readers, how are you? A few days ago, I received a request to publish a few tips about reversing. Unfortunately, my time for writing is almost zero, but I’ve been trying to do something, so here is a quick write-up explaining a simple anti-debugging trick.

Look at the following code lines from a malware sample (the numbering is mine):

  1. 0040866A call $+5
  2. 0040866F pop ebp ;
  3. 00408670 lea eax, [ebp+54h]
  4. 00408671 inc ebp
  5. 00408673 push eax
  6. 00408674 xor eax, eax
  7. 00408676 push dword ptr fs:[eax]
  8. 00408679 mov fs:[eax], esp
  9. 0040867C int 3
  10. ….(snip)….
  11. 00408694 nop
  12. 00408695 xor ebx, ebx
  13. 00408697 div ebx
  14. 00408699 pop dword ptr fs:0
  15. ….(snip)….

A few comments:

Line 1: Although the call $+5 instruction looks complicated, it simply calls the next instruction: $ means the current address (0x0040866A) and adding 5 gives 0x0040866F. Furthermore, the call instruction pushes the address of that next instruction, which becomes the return address (RET), onto the stack.

Line 2: The pop ebp instruction moves the value on top of the stack (exactly the RET = 0x0040866F) into the EBP register.

Line 3: The lea (load effective address) instruction (lea eax, [ebp+54h]) only adds the values together; it does not read memory. Therefore, the eax register will hold the ebp value (0x0040866F) + 0x54 = 0x004086C3.

Line 4: The instruction inc ebp increases the ebp register by 1. Thus, ebp = 0x00408670.

Line 5: The push eax instruction pushes the eax value (0x004086C3) onto the stack. Looking ahead (at line 8), this address will be the address of an exception handler function.

Line 6: The xor eax, eax instruction makes eax = 0.

Lines 7 and 8: Both lines (push dword ptr fs:[eax] and mov fs:[eax], esp) set up an exception handler function: first the address of the current exception handler is “saved” onto the stack, then the esp value (0x00408663) is copied to fs:[0], the first dword of the block the FS register points to. Please remember that Windows prepares the FS register to hold the base address of the current TEB (Thread Environment Block). Additionally, the first item of this structure (which is at offset zero) is the head of the linked list of exception handler registrations (the SEH chain), so the record just built on the stack becomes the first handler to be consulted.

Line 9: On purpose, the program generates an exception (through the int 3 instruction). This instruction is what a debugger uses to implement a software breakpoint, and here it causes a software trap (a kind of interrupt) to the debugger.

Therefore, if a debugger is attached, it takes control, and letting it keep control would be a terrible mistake, because the int 3 instruction is a simple anti-debugging technique. The malware expects to handle the exception itself (so the debugger should pass the exception to the malware) and uses the handler to dictate the next steps of its operation; if that doesn’t happen, the program will probably either crash or do something strange.

Line 12: The xor ebx, ebx instruction makes ebx = 0.

Line 13: The div ebx instruction will trigger a division by zero, and it is possible that execution finishes there. Note that the div ebx instruction would not be executed if the debugger had passed the exception to the malware (as it expects).

Line 14: The prior exception handler address (saved at line 7) is restored from the stack into fs:[0] through the pop dword ptr fs:0 instruction.

As a conclusion, the malware author configured an exception handler and forced the malware to trigger an exception in order to perform additional steps (maybe changing registers and executing other instructions) inside the exception handler function. If the analyst lets the debugger catch the exception, the malware won’t execute the intended steps and she/he won’t be able to understand the malware’s details.
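To turn the walkthrough above into something an analyst can reuse, here is a small added Python script (not part of the original post) that parses a disassembly listing like the one shown, tracks the few register values needed to resolve the handler address that ends up at fs:[0], and flags the SEH-install / int 3 / div-by-zero sequence. The listing it runs on is a constructed copy of the snippet above with the snipped lines left out.

```python
import re

# Constructed listing mirroring the snippet above (the "snip" lines are
# omitted, since that code is not on the page); it is test input, not real code.
LISTING = """\
0040866A call $+5
0040866F pop ebp ;
00408670 lea eax, [ebp+54h]
00408671 inc ebp
00408673 push eax
00408674 xor eax, eax
00408676 push dword ptr fs:[eax]
00408679 mov fs:[eax], esp
0040867C int 3
00408694 nop
00408695 xor ebx, ebx
00408697 div ebx
00408699 pop dword ptr fs:0
"""

LINE_RE = re.compile(r"^([0-9a-f]{8})\s+(\w+)\s*(.*)$", re.I)

def parse(listing):
    """Yield (address, mnemonic, operands) for each 'ADDR mnemonic ops' line."""
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ops = m.group(3).split(";")[0].strip().lower()   # drop trailing comments
            yield int(m.group(1), 16), m.group(2).lower(), ops

def analyze(listing):
    """Resolve the handler address pushed before fs:[0] is written and report
    the anti-debugging indicators explained in the post."""
    regs, insns = {}, list(parse(listing))
    f = {"handler": None, "seh_install": False, "int3": False, "div_zero": False}
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem == "call" and ops == "$+5" and i + 1 < len(insns) and insns[i + 1][1] == "pop":
            regs[insns[i + 1][2]] = addr + 5          # pop reg receives the pushed return address
        elif mnem == "lea" and (m := re.match(r"(\w+),\s*\[(\w+)\+([0-9a-f]+)h\]", ops)):
            if m.group(2) in regs:
                regs[m.group(1)] = regs[m.group(2)] + int(m.group(3), 16)
        elif mnem == "inc" and ops in regs:
            regs[ops] += 1
        elif mnem == "push" and ops in regs:
            f["handler"] = regs[ops]                   # candidate handler address on the stack
        elif mnem == "xor":
            a, _, b = ops.partition(",")
            if a.strip() == b.strip():
                regs[a.strip()] = 0
        elif mnem == "mov" and (m := re.match(r"fs:\[(\w+)\],\s*esp", ops)):
            f["seh_install"] = m.group(1) == "0" or regs.get(m.group(1)) == 0
        elif mnem == "int" and ops == "3":
            f["int3"] = True
        elif mnem == "div" and regs.get(ops) == 0:
            f["div_zero"] = True
    f["verdict"] = f["seh_install"] and f["int3"]      # handler + deliberate trap = anti-debug
    return f

if __name__ == "__main__":
    r = analyze(LISTING)
    print(f"handler at {r['handler']:#010x}, anti-debug pattern: {r['verdict']}")
```

The resolved handler address (0x004086C3 for this listing) is where the analyst should place a breakpoint before passing the exception to the program.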

Relax! I know that these few lines are very simple to analyze, but my intention is to help students and beginners, because the code above reflects the daily routine of a malware analyst struggling against all kinds of anti-forensic techniques (most of them more complicated than this one).

Soon I will try to write a new, short post about malware analysis. Stay tuned.

I hope you have a nice day and…keep reversing.😉

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_borges)

Lecture about Malware and Memory Forensics Analysis at UniSanta University


Dear readers, how are you? Yesterday (MAY/18), I taught a new lecture about Malware and Memory Analysis at UniSanta University. A few photos follow:

It was a fantastic lecture where I could show a deeper memory forensic analysis than I did in other talks.

I hope you have a nice day.

Alexandre Borges

(Linkedin: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil)

Lecture about Malware and Memory Analysis at UNASP University


Dear readers, how are you? Yesterday, MAY/17, I taught a lecture about Malware and Memory Analysis at UNASP University. A few photos follow:

Honestly, I really had a very good time. Teachers and students were very polite and the auditorium was very organized.

I hope you are fine and have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil)

My experience as a speaker


Hi people, how are you?

In the last ten months I have been teaching several lectures about Malware and Memory Analysis to students and professionals from several companies. I am always interested in helping people to upgrade their careers, and this makes me very happy.

Nonetheless, I have seen several speakers, who have a perfect voice and diction, at several places talking about….nothing. It’s ridiculous, because they are more interested in showing off than in transmitting something useful. Unfortunately, they haven’t figured out that attendees usually leave their homes to learn interesting and useful things, not to hear about obvious facts.

The same problem happens at big events where there are lots of specialists, but most of them want either to sell their companies’ products or to show what excellent professionals they are. Come on! For the last 16 years I have worked for excellent companies, but this fact doesn’t make me a specialist. I need to prepare good slides with good material and teach them as if my talk were a class. It is as simple as that.

Good recommendations for speakers:

  1. Prepare your material without including tons of marketing information. For technical events, nobody wants to know how interesting the product is or what its promotions are. They want to receive INFORMATION.
  2. Please don’t assume that your attendees are not qualified enough. If you are going to teach about IT security, remember that EVERYBODY there knows that they should choose a strong password. Avoid talking about basic concepts of topics such as Cloud, Virtualization, Storage, Database, and so on. Once more, most people know what a cloud is and most of them have basic concepts about databases. Instead of going in this direction, why don’t you show a practical example (even in the slides)? Why don’t you show how to implement virtualization instead of talking about virtualization?
  3. You may not have figured it out yet, but most professionals are not interested in seeing directors talking about their companies during a panel discussion. Instead, wouldn’t it be interesting to see directors and vice presidents showing HOW they solved a complex problem?
  4. During the last few years, I have seen several professionals with very elegant positions such as “master instructor”, “security strategist”, “security leader”, “latin america director”, “principal engineer”, and so on. It’s cool, but these nice titles don’t mean anything if you either don’t really know what you are talking about or don’t show important and substantial information to your audience. Remember: you should transmit good knowledge to help the attendees in building their careers.
  5. The speaker doesn’t need to talk about himself and/or herself! During my presentations, I usually show a slide with my credentials and say: “This is what I do”. Period. The time limit is about 10 seconds for attendees to read the qualifications and take a picture if they want to. Don’t be naïve: attendees have already searched for you on the Internet before going to the event.
  6. If you are a speaker and host of an event, your guests are much more important than you! The event only occurs because of its attendees and speakers. Sponsors are very important because they support the event, but any event with as many sponsors as speakers is not a good event. Please, everybody needs to learn lessons from events such as Black Hat, Recon (in Canada), Def Con and Derby Con, among many other excellent events around the world, where only people who have good information are on stage.
  7. Respect your audience. For example, when I teach a lecture about malware, it will certainly be unavoidable to touch on harder stuff such as assembly language and the kernel. Nevertheless, even those attendees who have difficulty understanding such topics can follow the explanation. This shows true respect for those professionals.
  8. If you are speaking at a shared event, respect the next speaker. If your time is over, you should try to shorten your explanation, because you are spending the next speaker’s time. Why do you think that people show a flag/banner with your remaining time during a talk?
  9. Usually, a real expert is a low-profile person. She/he starts the talk, teaches good stuff to his/her audience and tries to answer the final questions. Most of the time, during a serious event, nobody is interested in hearing a series of jokes. One or two distractions are good to keep attention, but more than that is excessive.
  10. Finally, and most important, you are NOT a pop star. When people want to talk to you after the lecture, you MUST be patient and have a conversation with everybody. Most of the time, attendees wait for several weeks only to exchange a few words with you. Please, respect them!

During my talks, I am a professional who tries to show you nice, hard and very technical stuff. Even if you are not able to fully understand that specific topic, you will at least receive enough information to study by yourself. Certainly, soon you will be an expert, much better than me, and you will be able to transmit your knowledge to other professionals.

I am learning and trying to improve my skills as a speaker, but I already know what I must not do.

Study extremely hard and learn more. Never believe that you know enough. Listen more and talk less, because probably your colleague has very interesting information for you.

The information is only useful when it is exchanged.

Have a nice day.

Alexandre Borges.

LinkedIn: http://www.linkedin.com/in/aleborges

Twitter: @ale_sp_borges

Blog: http://alexandreborges.org

PS: on my twitter account, I only tweet useful information (slides, PDFs, news and articles). There is rarely any non-technical stuff.

Lecture about Introduction to Malware Detection through Memory Analysis at UniNove University


Dear friends, how are you? Yesterday (MAY/12), I taught a lecture about Introduction to Malware Detection through Memory Analysis at UniNove University. A few photos follow:

Additionally, my certificate follows:


I hope you have a nice day.

Alexandre Borges

(LinkedIn:http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil)