SVP Technology at First Data Corp; large scale system architecture, infrastructure, tech geek, reading, learning, hiking, GeoCaching, ham radio, married, kids
9916 stories

Heads-Up For Sunday, A Super 'Blood Moon' Is On The Way

1 Share
A "blood moon" seen from western Germany during a total lunar eclipse on Sept. 28, 2015.

Not only will the moon be particularly close to Earth, but it will also be bathed in a reddish light just before midnight Eastern time.

(Image credit: Patrik Stollarz/AFP/Getty Images)

Read the whole story
10 hours ago
Atlanta, GA
2 hours ago
Unfortunately, where I live, we're expecting 5cm of snow in the morning, followed by 35-50mm of rain all through Sunday into Monday morning. :(
Share this story

Researcher: vulnerability in Marvell's Wi-Fi SoC used in the PS4, Xbox One, Surface tablets, and more lets attacker hijack devices without any user interaction (Catalin Cimpanu/ZDNet)


Catalin Cimpanu / ZDNet:
Researcher: vulnerability in Marvell's Wi-Fi SoC used in the PS4, Xbox One, Surface tablets, and more lets attacker hijack devices without any user interaction  —  List of impacted devices includes PS4, Xbox One, Samsung Chromebooks, and Microsoft Surface devices.

Read the whole story
15 hours ago
Atlanta, GA
Share this story
1 public comment
5 hours ago
Pittsburgh, PA

Some Thoughts on Open Core

1 Comment

Why open core software is bad for the FOSS movement.

Nothing is inherently anti-business about Free and Open Source Software (FOSS). In fact, a number of different business models are built on top of FOSS. The best models are those that continue to further FOSS by internal code contributions and that advance the principles of Free Software in general. For instance, there's the support model, where a company develops free software but sells expert support for it.

Here, I'd like to talk a bit about one of the more problematic models out there, the open core model, because it's much more prevalent, and it creates some perverse incentives that run counter to Free Software principles.

If you haven't heard about it, the open core business model is one where a company develops free software (often a network service intended to be run on a server) and builds a base set of users and contributors of that free code base. Once there is a critical mass of features, the company then starts developing an "enterprise" version of the product that contains additional features aimed at corporate use. These enterprise features might include things like extra scalability, login features like LDAP/Active Directory support or Single Sign-On (SSO) or third-party integrations, or it might just be an overall improved version of the product with more code optimizations and speed.

Because such a company wants to charge customers to use the enterprise version, it creates a closed fork of the free software code base, or it might provide the additional proprietary features as modules so it has fewer problems with violating its free software license.

The first problem with the open core model is that on its face it doesn't further principles behind Free Software, because core developer time gets focused instead of writing and promoting proprietary software. Instead of promoting the importance of the freedoms that Free Software gives both users and developers, these companies often just use FOSS as a kind of freeware to get an initial base of users and as free crowdsourcing for software developers that develop the base product when the company is small and cash-strapped. As the company get more funding, it's then able to hire the most active community developers, so they then can stop working on the community edition and instead work full-time on the company's proprietary software.

Read the whole story
16 hours ago
Ansible is a great example of this.
Atlanta, GA
5 hours ago
I use ansible pretty heavily but not exactly “enterprise” stuff I guess, has RedHat made a big walled-garden of enterprise features since they bought it?
Share this story

PCI Council Releases New Software Framework for DevOps Era

1 Comment
The PCI Software Security Framework will eventually replace PCI DA-DSS when it expires in 2022.

Read the whole story
16 hours ago

Ordering our lava lamp wall and Geiger counters...
Atlanta, GA
Share this story

A Beginner’s Guide to Every Movie in the Marvel Cinematic Universe

1 Comment

The Marvel Cinematic Universe (MCU) celebrated its tenth birthday in May of last year and is a mind-boggling 20+ movies strong. That’s…that’s a lot. And we’re not even officially done with Phase 3 yet. If I’m reading everything right, Phase 4 will kick off in July of 2019 with Spider-Man: Far From Home. But we’ve still got Captain Marvel (March 2019) and Avengers: Endgame (May 2019) before then.

The 20 movies that are out to date can be a lot to keep track of…and that gets even more difficult if you mistakenly import non-Marvel properties (well, at least they weren’t at the time) like Deadpool and the X-Men into Marvel’s timeline and universe.

So, we thought we’d lay every movie of the MCU all out for you quick and easy-like. Here are the 20 movies that comprise the MCU to date along with what each introduced and contributed to the connected narrative that is their shared universe.

Phase One

Iron Man (May 2008)

Iron Man is the movie that started the MCU, although it was still unclear how it would work, as nothing even close to the scale of the MCU had ever been attempted in the history of cinema.

In addition, Iron Man’s greatest contribution to the overall story of the MCU was Robert Downey, Jr. as Tony Stark, which was considered very risky casting at the time. Stark’s character, genius, and the technology he introduced to the MCU was all established in this movie.

Yet, the real magic came during a post credit scene, which was absolutely a novelty at the time. That scene introduced Sam Jackson as Nick Fury and the idea of The Avengers Initiative. You also get introduced to James “Rhodey” Rhodes (but not the one we’ll have longterm), Pepper Potts, Agent Coulson, and Happy Hogan, a minor but fan-favorite character.

93% Fresh Tomatoes
$585.2 million at the Box Office

Marvel Heroes Introduced: Iron Man, Nick Fury
Villain: Obadiah Stane (Iron Monger)

The Incredible Hulk (June 2008)

The Incredible Hulk establishes the basics of the Bruce Banner / Hulk transformation, a little bit of Banner’s own science credentials, and more talk of the Avengers via a Tony Stark cameo in the post-credits scene.

And not much else, really. While the movie isn’t retconned, not much of what you’ll get from The Incredible Hulk is ever really talked about going forward, aside from an occasional appearance of General ‘Thunderbolt’ Ross in upcoming movies.

Intellectual property (IP) rights bubble up occasionally in regards to the MCU. Marvel Comics was forced to sell the movie rights to several of their characters when they filed bankruptcy following the 90s comic book bust. As a result, although Marvel purchased back the rights to the Hulk following the 2003 Ang Lee film, Universal Pictures retained the distribution rights, which is thought to have prevented further solo movies starring the Hulk.

Meanwhile, Edward Norton was recast as the Hulk by Mark Ruffalo, who has played him throughout the rest of the MCU.

67% Fresh Tomatoes
$263.4 million at the Box Office

Marvel Heroes Introduced: Hulk
Villain: The Abomination

Iron Man 2 (May 2010)

Although it isn’t the revelation that the first Iron Man movie was, Iron Man 2 was a solid sequel. From this movie we get the Rhodey we come to know and love as Don Cheadle took the acting helm from Terrance Howard, suiting up in what is called the War Machine armor which will feature occasionally right on through to Infinity War.

But the biggest addition was Scarlett Johansson being introduced as Natasha Romanoff aka Black Widow!

73% Fresh Tomatoes
$623.9 million at the Box Office

Marvel Heroes Introduced: Black Widow, War Machine
Villain: Justin Hammer, Whiplash

Thor (May 2011)

Thor was the MCU’s first trip off-world, giving viewers gods and space in a single film. That’s quite a way to expand a cinematic universe quickly.

While the earlier post-credits scene in Iron Man 2 had Agent Coulson locate Thor’s hammer, Mjolnir, popcorn munchers were now able to see Chris Hemsworth bring Thor to life on screen.

We’re also briefly introduced to the Tesseract which we later learn is one of the Infinity Stones, the artifacts that will drive the plot of MCU movies for the years to come.

77% Fresh Tomatoes
$449.3 million at the Box Office

Marvel Heroes Introduced: Thor, Odin, Heimdall, Hawkeye
Villain: Loki, The Destroyer

Captain America: The First Avenger (July 2011)

The MCU made another tonal shift by giving viewers a 1940s period piece that was gosh-golly wholesome and sincere. The big takeaway was the appearance of Chris Evans playing Steve Rogers aka Captain America.

But you actually get a whole lot in this one: Captain America (obviously), Bucky Barnes is established and then promptly killed (*wink wink*), Peggy Carter, who will go on to star in her own Agent Carter TV series, the Tesseract comes into the possession of SHIELD, and Captain America falls asleep in the Arctic in the 1940s but wakes up in New York in 2011.

80% Fresh Tomatoes
$370.6 million at the Box Office

Marvel Heroes Introduced: Captain America, Peggy Carter
Villain: Red Skull

The Avengers (May 2012)

Now the Avengers are assembled! Building upon the groundwork laid in 4 years worth of solo movies, the MCU now brought those heroes together to battle a threat that they couldn’t defeat alone.

When Cap, Tony, Thor, Hulk, Black Widow and Hawkeye circle together back-to-back, nerds everywhere pumped their fists. And although they had been introduced in previous movies, the heroes were now given a movie where they interacted with one another, something that carried forward as the MCU progressed.

Thanos is also spotted in the post credits scene.

92% Fresh Tomatoes
$1.518 Billion at the Box Office

Marvel Heroes Introduced: Maria Hill
Villain: Loki, an invading Chitauri army

Phase Two

Iron Man 3 (May 2013)

Coming off the team-up spectacle that was the Avengers, the MCU tightens back up with the 3rd Iron Man solo flick. Interestingly, the movie still made over a billion dollars at the box office despite being a solo film, highlighting the incredible popularity of Robert Downey, Jr’s portrayal of Tony Stark.

The movie didn’t introduce any new heroes, odd for the MCU. But it did do a clever twist on the Madarin, the movie’s perceived villain. Yet, like most MCU movies, the intent is never to make the villain the star, it’s always to shine a spotlight clearly on the protagonists.

80% Fresh Tomatoes
$1.214 Billion at the Box Office

Marvel Heroes Introduced: None
Villain: AIM, The Mandarin

Thor: The Dark World (November 2013)

As a contrast to the high-tech Tony Stark, the MCU took a gamble by leaning in heavily on the mythic nature of the character of Thor. The Dark World attempted to play up the Norse lore, elevate the language with an element of Shakespearean prose, and give the entire movie a mythic tone.

The gamble didn’t pay off as the movie was one of the remarkably few times that a MCU didn’t score a 80% plus fresh rating. Natalie Portman was just working for a paycheck, the villain had no charm, and the movie lacked the humor and whit that the MCU had already become known for.

It’s a film that is easily skipped, although a post-credits scene does carry forward the story of the Infinity Stones and foreshadow the Guardians of the Galaxy.

66% Fresh Tomatoes
$644.6 million at the Box Office

Marvel Heroes Introduced: None
Villain: Malekith, Loki

Captain America: The Winter Soldier (April 2014)

An over-looked strength of the MCU is how effortlessly they make radical tonal shifts in their movies. Whereas the first Cap movie was a charming period piece, Captain America: The Winter Soldier took a radical departure toward an action-packed espionage spy thriller.

Featuring an incredibly tight storyline and some of the absolute best fight choreography in all of cinema, Captain America: The Winter Soldier is among the absolute best of the MCU films, which is something to say, considering the MCU is the highest rated movie franchise of all time.

A post-credits scene begins to set up Quicksilver and Scarlet Witch, major players in Avengers: Age of Ultron.

89% Fresh Tomatoes
$714.3 million at the Box Office

Marvel Heroes Introduced: Falcon, Agent 13
Villain: Batroc the Leaper, Winter Soldier, Hydra

Guardians of the Galaxy (August 2014)

Hoo boy, the MCU went gonzo with this movie. It’s almost as if Marvel tried to see how much they could get away with and darned if everything didn’t turn out golden.

Guardians of the Galaxy was not only the most fun MCU movie to this point, but it also introduced the wackiest characters. But the wonderful thing about the movie is that it has an incredible “found family” emotional core that holds everything together.

Yondu, Nebula, Korrath, The Collector, and a hundred more characters make an appearance, cameo, or are placed as an Easter egg in this film. It’s hard to catch everything but the good news is that the movie is so darned entertaining that it begs for repeat viewings.

91% Fresh Tomatoes
$773.3 million at the Box Office

Marvel Heroes Introduced: Star-Lord, Gamorra, Drax, Rocket Racoon, Groot
Villain: Ronan the Accuser, Thanos

Avengers: Age of Ultron (May 2015)

For a second time, the Avengers assemble. Unfortunately, gone is the novelty of their first time teaming up and the movie also suffers from trying too hard. The humor is forced, the script is too packed. Yet, it’s still pretty darned good, a testament to just how darned good the MCU movies are, because even the stumbles stand head and shoulders above most.

Additionally, this movie is a strong lynchpin for what goes forward. Several new heroes are introduced, Thanos is teased yet again, and many of the emotional beats that are introduced will be born out in later movies.

75% Fresh Tomatoes
$1.405 Billion at the Box Office

Marvel Heroes Introduced: Quicksilver, Scarlet Witch, Vision
Villain: Baron von Strucker, Klaw, Ultron

Ant-Man (July 2015)

The MCU added a heist movie with Ant-Man. Think Oceans 11 meets Honey I Shrunk the Kids but with superheroes.

Ant-Man is another movie that shouldn’t work, yet it does. It is effortlessly funny, every character in the wide cast clicks, and the shrinking powers of Ant-Man added a whole new element to the action.

Both post-credits scenes were pivotal in setting up future movies, one teasing the Wasp and the other setting the stage for Civil War.

82% Fresh Tomatoes
$519.3 million at the Box Office

Marvel Heroes Introduced: Ant-Man
Villain: Yellowjacket

Phase Three

Captain America: Civil War (May 2016)

Marvel really loves to have their heroes fight each other and they finally brought that to the big screen with Captain America: Civil War. The cast is huge, featuring pretty much every hero introduced at this point. And they fight each other.

Audiences by this point had been investing in the characters for 8 years and a dozen movies. Given the scope of the movie and those aforementioned personal stakes, this is a movie that by all rights should have collapsed under its own weight. But it’s brilliant.

91% Fresh Tomatoes
$1.153 Billion at the Box Office

Marvel Heroes Introduced: Black Panther, Spider-Man
Villain: Zemo, Crossbones, themselves

Doctor Strange (November 2016)

Again, the Marvel pivots with Doctor Strange and introduces another corner of the MCU: magic. The result is a trippy origin story of the Sorcerer Supreme who is played by Benedict Cumberbatch.

Doctor Strange comes on the heels of the character-packed Civil War, so it serves as much more of a standalone film, although the characters and themes of the movie play a large part of the upcoming couple of years of the MCU.

Doctor Strange also features a clever third act and I’d be remiss if it wasn’t mentioned one more time that the visuals of the movie bring a whole new element to the MCU.

89% Fresh Tomatoes
$677.7 million at the Box Office

Marvel Heroes Introduced: Doctor Strange, Wong
Villain: Kaecilius, Dormammu

Guardians of the Galaxy, Vol. 2 (May 2017)

Marvel took everything nuts and gonzo about Guardians of the Galaxy and dialed it up to 12 1/2. Vol. 2 featured a similarly killer throwback soundtrack and took viewers to an absurd amount of new locales while also introducing hordes of new characters. The movie features a living planet for heaven’s sake.

It shouldn’t be possible for such a gloriously fun and entertaining movie to contain a powerful emotional core like Guardians of the Galaxy Vol. 2 has. Again, the Guardians movies are about found family, so while they provide as many laughs as other MCU movies, they also bring the most feels.

Vol. 2 had five post-credits scenes.

83% Fresh Tomatoes
$863.8 million at the Box Office

Marvel Heroes Introduced: Baby Groot, Mantis
Villain: Ego, Ayesha, Taserface

Spider-Man: Homecoming (July 2017)

Having bought back the rights to their own character from Sony, Marvel now endeavored to re-establish Spider-Man on screen after him being introduced in Captain America: Civil War.

Tom Holland took on the role of Peter Parker and, although the movie changed several elements in order to update them for contemporary audiences, I can’t imagine any long-time comic reader being unhappy with Spider-Man: Homecoming. This movie oozes the tone of Spider-Man. It feels like Spider-Man in a way that no other Sony-produced Spider-Man has been able to accomplish.

Spider-Man Homecoming also had a villain story better than the vast majority of superhero films.

92% Fresh Tomatoes
$880.2 million at the Box Office

Marvel Heroes Introduced: None
Villain: Vulture

Thor: Ragnarok (November 2017)

The MCU again shifts tone, both from the decent, coming-of-age story that was Homecoming and from what was previously seen in the two earlier Thor movies. Thor: Ragnarok is bonkers. It’s also the most metal movie in the MCU, the dream of Led Zeppelin fans.

It’s funny, it’s action-packed, and it features a glam Cate Blanchett as Hela as well as the ever-quirky Jeff Goldblum. Weaving elements of comic storylines like World War Hulk and Walt Simonson’s iconic 80s run, you can’t summarize this movie, you have to experience this movie, then you’ll immediately want to watch it again.

92% Fresh Tomatoes
$854.0 million at the Box Office

Marvel Heroes Introduced: Valkarie, Korg
Villain: Hela, Skurge, The Grandmaster, Surtur

Black Panther (February 2018)

After almost 20 movies, any reasonable person would have bet big money that the quality of the MCU movies would have inevitably declined by this point, yet Black Panther is arguably the best of them all, and has legitimately received buzz at award ceremonies.

Black Panther pulled back the curtain on another corner of the Marvel Universe the hidden and advanced African country of Wakanda.

The acting was superb throughout, yet the breakout performance was Michael B. Jordon playing Killmonger, the most charismatic MCU villain yet.

97% Fresh Tomatoes
$1.346 Billion at the Box Office

Marvel Heroes Introduced: Nakia, Okoye, Shuri, M’Baku
Villain: Killmonger, Klaw

Avengers: Infinity War (April 2018)

Ten years of movies brought viewers to Avengers: Infinity War, the huge story of every known hero in the MCU coming together to battle Thanos the Mad Titan who, once powered by the Infinity Gauntlet, planned to wipe out one half of all life in the universe.

Avengers: Infinity War took audiences to about a dozen crazy locales across the galaxy and juggled a cast of about 100 heroes. There is no logical way that a movie of this scope would be anything other than a convoluted mess, but it was brilliant. It remained the Marvel humor while also being thrilling and emotional.

Designed to end on a cliffhanger, the full arc of the story won’t conclude until the conclusion of Phase 3 of the MCU, which is Avengers: Endgame.

84% Fresh Tomatoes
$2.048 Billion at the Box Office

Marvel Heroes Introduced: None
Villain: Thanos, The Black Order

Ant-Man and the Wasp (July 2018)

The success of Ant-Man triggered and sequel, but this Ant-Man has a partner in Hope Van Dyne aka Wasp. Ant-Man faced consequences of his choices in Civil War and while he attempts to rebalance his home life, he receives an urgent new mission.

This features the same great humor as the first Ant-Man movie but it actually dials up the visuals even further, as the shrinking and growing rings a kinetic element to the action sequences.

Wasp was a great addition to the MCU and a post-credits scene cleverly tied the movie into the events of Avengers: Infinity War.

88% Fresh Tomatoes
$622.7 million at the Box Office

Marvel Heroes Introduced: Wasp
Villain: Ghost

Captain Marvel (slated for March 2019)

Captain Marvel is hugely anticipated not only because every Marvel movie is at this point, but also because it is the first MCU movie headlined by a female. The title character will be played by Academy Award winner Brie Larson.

The trailer teases the presence of the Skulls, who will be a killer addition to the MCU and marketing material confirms that the movie is set in the 1990s, which has brought speculation on how it will ultimately tie into current storylines.

For now, all we have is the marketing copy: “Carol Danvers becomes one of the universe’s most powerful heroes when Earth is caught in the middle of a galactic war between two alien races.”

Marvel Heroes Introduced: confirmed: Captain Marvel
Villain: unknown, although Skrulls are suspected

Avengers: Endgame (slated for May 2019)

This is it, the movie that will close out the 22-movie run of the first 3 phases of the MCU. It has been confirmed that there will be a major shake-up after Avengers: Endgame. Which heroes will continue forward? We’ll just have to wait and see, won’t we?

The trailer very few clues as to what the actual storyline holds. For now, the marketing copy is all we have: “After the devastating events of Avengers: Infinity War (2018), the universe is in ruins due to the efforts of the Mad Titan, Thanos. With the help of remaining allies, the Avengers must assemble once more in order to undo Thanos’ actions and restore order to the universe once and for all, no matter what consequences may be in store.”

Regardless, good Lord, what a run it’s been.


The post A Beginner’s Guide to Every Movie in the Marvel Cinematic Universe appeared first on Nerds on Earth.

Read the whole story
1 day ago
Quite the guide!
Atlanta, GA
Share this story

What we learned by unpacking a recent wave of Imminent RAT infections using AMP

1 Share
This blog post was authored by Chris Marczewski

Cisco Talos has been tracking a series of Imminent RAT infections for the past two months following reported data from Cisco Advanced Malware Protection's (AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but an initial analysis showed a strong indication that stages exist before the deployment of the RAT. Surprisingly, the recovered samples showed no sign of Imminent RAT, but instead a commercial grade packer.

This was a series of attacks engineered to evade detection and frustrate analysis. From the outside, we have a commercially available, yet affordable packer called "Obsidium" that has been used in the past to protect the intellectual property of some legitimate software vendors. The payload results in a RAT called Imminent that has also been used previously for legitimate purposes. Imminent is a commercially available RAT that retails for $25 to $100, depending upon the size of the customer's expected user base. While it is not intended for malicious use, in this case, its detection suggested otherwise.

Although a Potentially Unwanted Application (PUA) detection approach could suffice, not everyone enables blocking of PUAs. We have other technologies in place, such as the Exploit Prevention engine, that are well-suited to detecting such threats. We hope that after reading this research, you'll have a better understanding of not only what it takes to investigate an attack using a complex packer, but also how AMP is equipped to stop such attacks that planned on successfully evading static detection or thwarting the benefits of dynamic analysis from a malware sandbox.

After AMP detected this particular strain of Imminent, and when we saw how complex the packer was that's used to hide the malware from detection, we decided to investigate further. The following dynamic run shows this:

We identified the use of a commercial-grade packer, but we were also curious about the extent of the anti-debugging and anti-virtual machine techniques employed by this particular run of the packer. It starts with several instances of overriding SEH exception handlers. This is accomplished by pushing one handler before and after FS:0, then moving the stack pointer to FS:0. This is possible since the sample is 32-bit and was not compiled with SafeSEH. Intentional access violations and illegal instructions redirect to some preparation code, leading to the initial decryption of malicious code.

Since the overrides lead to mostly preparation code, most of this can be skipped by following where all user-land exceptions must go: ntdll->KiUserExceptionDispatcher. You can pass the exception to the application and break just before the jump condition to determine if another exception exists in the chain, or if runtime can continue.

Finally, follow the pointer stored at ECX to resolve a CONTEXT structure and determine the EIP for the instruction that will be executed upon calling NtContinue. EIP can be manually resolved by following ECX at this point during runtime and applying the CONTEXT structure for a 32-bit context.

The malware decrypts and re-encrypts sections of malicious code one at a time, making it hard to determine a complete timeline for a full decryption point without manually stepping through each section. The cryptographic scheme uses AES per native x86 instructions and wrapper functions.

Past the initial code decryption, you start to see some semblance of complex API resolving, the first of which resembles other portions of the binary, but deters analysis overall: junk byte insertion for anti-disassembly.

As one might expect, this makes modern disassembler rendering of control flow graphs and function blocks quite messy. Several breakpoints and call returns later, you start to notice API strings getting tossed around the general purpose registers. With some trial and error, it's not impossible to break on the pivotal return points where the resolved API address is stored in EAX. You can then run the debugger until a call return, but you will encounter some additional access violations and illegal instructions acting as code trampolines, as shown below. The access violations and illegal instructions are a standard feature of the packer if the end user decides to include anti-debugging when running the payload through the packer.

It's also worth mentioning that resolved API addresses should not be broken on, nor jumped to by running until you hit call returns. Call returns are not always used by the packer to move to the desired API. Also, the address of the API is not used directly but is instead invoked a few instructions within the function, & the depth varies for each API. Your best course of action is to break a few calls in the API code early enough to view the original parameters that were haphazardly passed to the resolved API. What's more, the packer code will check the target of the trampoline within the API code for software breakpoints prior to redirection (0xCC, or int 3 disassembled).

After you've established such control over the debugging session, you can begin to handle the anti-debugging checks. This is a necessary step to unpack the original payload successfully. Conventional techniques of letting a sample a run and dumping full images or relevant sections of code are not possible in this case due to such checks. With this packer, the anti-debugging checks include the following:

  • Class registration, passed to CreateWindowsEx, containing a callback parameter to be called by CallWindowProc. The callback function itself invokes NtQueryInformationProcess with ProcessDebugPort set as the requested ProcessInformationClass enumeration.
  • The API is called again twice for undocumented ProcessInformationClass enumerations ProcessDebugObjectHandle and ProcessDebugFlags.
  • NtQuerySystemInformation is called with an undocumented enumeration of the SystemInformationClass parameter: SystemKernelDebuggerInformation. In this particular case, the standard SYSTEM_BASIC_INFORMATION structure is not returned, but instead, a SYSTEM_KERNEL_DEBUGGER_INFORMATION structure is returned, containing UCHAR KernelDebuggerEnabled and UCHAR KernelDebuggerNotPresent. The user can bypass this debugger check by toggling the flags appropriately.
  • CloseHandle is called for an invalid handle. When debugging a process, this will generate an exception, rather than resulting in a silent failure of the API. In this case, the exception leads back to the debugger being detected (EnumWindows->MessageBoxA->"Debugger detected…"). Discard the exception when debugging to bypass this check.
  • CreateFileA is called several times to check if file objects with the following debugger-related file names can be instantiated on the host:
    • The next check is interesting in that is resolves more than 20 APIs before commencing with the actual debugger check. Fortunately, only the last few API's are involved with the check (InternalGetWindowText, IsWindowVisible, and EnumWindows). As discussed earlier, usually getting EnumWindows at this point of the unpacking is a bad sign that you've failed a debugger check. In this case, it's different. The callback function passed to EnumWindows must be handled with a breakpoint and iterated until you see InternalGetWindowText and IsWindowVisible getting called as standalone debugger checks.
    • An arbitrary value is passed to SetLastError, followed by an intentional error. GetLastError is called to check if the set value remains, as expected when debugging.
    • GetCurrentThread grabs the current thread handle and passes it to NtSetInformationThread coupled with the ThreadHideFromDebugger enumeration from THREAD_INFORMATION_CLASS. This will detach the process from the debugger if present.
    • CheckRemoteDebuggerPresent
    • FindWindowW looking for the following debugger class names, rather than window names: ObsidianGUI, WinDbgFrameClass, ID, and OLLYDBG
    • CreateFileW checking for a failed attempt at creating \\.\VBoxGuest

    This is just a portion of the anti-debugging phase. Unfortunately, we don't have the space here to cover the malware's anti-VM techniques, but this will give you a good start. We decided to proceed with the unpacking of the sample on a bare-metal host to dump the final binary. We identified the final stage as a commercial RAT being used with malicious intent. Pivoting off a dynamic domain name revealed other samples with similarly complex packers (Themida, etc.) The host is not running one, but several control panels for various RAT's (including the one we unpacked).

    This was a series of attacks that further complicates detection strategy. In the beginning, we had a commercially available packer that has been used in the past two protect the intellectual property of legitimate software vendors. Further on, the payload resulted in a commercially available RAT that has also been used for legitimate purposes. Although a PUA detection approach could suffice in this case, we have technologies in place such as the Exploit Prevention engine to detect such threats dynamically, in addition to preventing telemetry for further investigations. Attackers are relentlessly attempting new methods of bypassing threat detection. In this particular case, commercially available software was used to no avail. The attacks were successfully stopped by the Cisco Advanced Malware Protection's (AMP) Exploit Prevention engine, and the resulting event data only helped out more by providing valuable information on what tools the attackers are using against their targets.


    Original Obsidium packed sample

    Unpacked Imminent RAT sample

    Read the whole story
    1 day ago
    Atlanta, GA
    Share this story
    Next Page of Stories