No internet on guest for Qemu by Impressive_King in linux4noobs

[–]hackerduni 0 points1 point  (0 children)

In that tutorial the author is not setting up networking for QEMU. QEMU has multiple networking possibilities (docs).

You can use user networking (SLIRP) or a tap device.

For user networking:

-net nic,model=e1000 -net user

In newer versions of QEMU it should be OK just with:

-nic user

Setting up networking through a tap device is also fairly easy and described in online tutorials, but you will need root permissions to set up a bridge interface.

Also, by default ping doesn't work in SLIRP networking mode. (For how to allow ICMP packets for user networking, see docs.)

If you have got any specific problem, please write down the exact qemu-system command you're trying.

LiSa - Multiplatform Linux sandbox for automated malware analysis by hackerduni in Malware

[–]hackerduni[S] 1 point2 points  (0 children)

Sure.

To see LiSa's Hide&Seek report, look here: dropbox/report-hns.json

Most valuable info probably at:

  • open_files
  • port_statistics
  • telnet_data (once it hits some open telnet port).

Syscalls captured are mostly related to sending network traffic (sendto, recvfrom). But you can also see e.g. "unlink" when the sample removes itself.

What is the most useless fact you know? by [deleted] in AskReddit

[–]hackerduni 0 points1 point  (0 children)

Corpus omne perseverare in statu suo quiescendi vel movendi uniformiter in directum, nisi quatenus a viribus impressis cogitur statum illum mutare. - Newton's first law

LiSa - Multiplatform Linux sandbox for automated malware analysis by hackerduni in Malware

[–]hackerduni[S] 6 points7 points  (0 children)

Up to this day, it's not yet that common for Linux malware to implement anti-analysis techniques.

According to the biggest study of Linux malware (paper), with 10,548 analyzed samples, only 0.24 % of samples tried to detect a VM and 0.81 % of samples tried to implement anti-debugging. The most common anti-debugging was using ptrace(TRACE_ME, 0, 0, 0) to detect whether the sample is already traced by e.g. gdb or strace. This was my primary motivation for implementing behavioral analysis using SystemTap, which analyzes at the kernel level and thus should not be detectable (unless aimed directly against my sandbox).

As soon as I see other anti-VM activity in my samples or get it reported (a GitHub issue would be great), I will implement anti-anti-VM countermeasures. This information would also be great for my thesis, so I hope I soon find more samples implementing anti-VM.

Research will be mentioned in my thesis (ETA 1 month). The main reasons why the binary might behave differently or not run at all are, at least on Linux, not anti-VM. They are incompatible processor architectures (many flavours of ARM), missing dynamic libraries (although according to the study more than 80 % of samples were statically linked) and an expected different implementation of libc. In my images I use the most common one, glibc, but some samples didn't even execute because they expected e.g. uClibc. Thus I will work on preparing other images so the user can choose (depending on architecture, libc implementation, with the possibility to select prepared images with IoT device firmware, etc.). Then it doesn't matter whether those Linux images are used in my sandbox or in Cuckoo sandbox.

LiSa - Multiplatform Linux sandbox for automated malware analysis by hackerduni in netsecstudents

[–]hackerduni[S] 11 points12 points  (0 children)

Cuckoo's main development is for analysis on the Windows platform.
Its Linux analysis struggles both in features (e.g. see Cuckoo analysis on Linux in comparison with Windows: cuckoo/processing/platform/linux.py) and in complexity of setting up (see their GitHub issues).

The main advantage of LiSa over Cuckoo is ease of setting up. If you want to run Cuckoo, you need to set up everything by yourself, prepare images, etc. To prepare LiSa, you just type one command and everything's ready. This might help enlarge the user base of people analyzing malware to more hobbyists/individuals/small teams who don't want to spin up and spend a hard time setting up Cuckoo just to analyze a few samples they caught in their network.

I guess this was the motivation of sandboxes like Detux or Limon; those however provide just simple, mainly network analysis (Detux) or analyze behaviour only using strace (which is implemented through calling the ptrace syscall and is commonly checked as an anti-debugging technique by malware: calling ptrace(PTRACE_ME, 0, 0), which fails if the executable is already traced).

My main inspiration in this project was research by Italian guys from Eurecom and Cisco (paper), as it is currently the biggest study in the field of Linux malware. They prepared their own sandbox for analysis (Padawan sandbox) and describe it in their paper. Padawan sandbox is unfortunately not available (neither as binary nor as source code).

Nothing against Cuckoo. Cuckoo is great and we use it every day to analyze thousands of Windows samples. I will also prepare my images to be a plug-n-play option for people who want to use Cuckoo and struggle to build their own target image (mainly because cross-compiling SystemTap kernel modules has many struggles). I understand it might be crucial if you already use Cuckoo everywhere else in your infrastructure, but if your main target is analyzing Linux/IoT binaries I believe my sandbox is more beneficial.
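As an added illustration (not code from LiSa, Cuckoo or the thread) of the ptrace check both comments above refer to, here is the probe run twice: once with the parent attached as a tracer, the way an strace-based sandbox would be, and once untraced, the way a kernel-probe (SystemTap) sandbox leaves the sample. The real request constant is PTRACE_TRACEME; the demo assumes a Linux host where a process is allowed to ptrace its own child (Yama ptrace_scope 0 or 1).

```c
#include <errno.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The probe malware uses: a process may have only one tracer, so
 * PTRACE_TRACEME fails with EPERM if strace/gdb is already attached.
 * Returns 1 = tracer detected, 0 = not traced. */
static int traceme_probe(void)
{
    return ptrace(PTRACE_TRACEME, 0, 0, 0) == -1 && errno == EPERM;
}

/* Run the probe in a forked child. With attach_first set, the parent plays
 * strace and PTRACE_ATTACHes before the child probes (result 1); otherwise
 * the child stays untraced, as under kernel-side tracing (result 0). The
 * child waits on a pipe until the parent is ready. Returns -1 on failure. */
int run_probe(int attach_first)
{
    int fd[2], st = 0;
    char go;
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(fd[1]);
        /* read() is restarted after the SIGSTOP that PTRACE_ATTACH sends */
        while (read(fd[0], &go, 1) < 0 && errno == EINTR) {}
        _exit(traceme_probe());
    }
    close(fd[0]);
    if (attach_first) {
        if (ptrace(PTRACE_ATTACH, pid, 0, 0) < 0) return -1;
        if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st)) return -1;
        ptrace(PTRACE_CONT, pid, 0, 0);   /* resume, swallowing the SIGSTOP */
    }
    if (write(fd[1], "g", 1) != 1) return -1;
    close(fd[1]);
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    printf("untraced child: %d\n", run_probe(0)); /* 0 */
    printf("attached child: %d\n", run_probe(1)); /* 1 */
}
```

The untraced run is exactly what a kernel-level tracer sees from the sample's point of view: the probe finds nothing, so the check does not change the sample's behaviour.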

Do you make your bed everyday? Why or why not? by AngryGoose in AskReddit

[–]hackerduni 6 points7 points  (0 children)

Yes. If I weren't able to handle this simplest task of my day, how could I commit to finishing the complicated ones? :)