May 3, 2016

Conference Circuit

The last few months have been a whirlwind of activity at Binary Guard. However, we have taken the time to hit some industry conferences. Here are a few of the conferences we recently attended:


Dec 7, 2015

Manual Bare-Metal Analysis in the Cloud

As a reverse engineer, you will inevitably come across suspicious samples that do not do anything in a VM, but you know are up to no good. For instance, you might be analyzing a file that was delivered as part of a spear phishing email to employees of your company. You try all your usual behavioral analysis tools under your favorite VM, but not much happens. You suspect that this sample is using anti-VM techniques to hinder your analysis.


Nov 9, 2015

Dissecting Inline Hooks

Ever wonder how malware is able to harvest credentials from within web browsers? The most popular method is a Man-in-the-Browser (MiTB) attack known as inline hooking (sometimes referred to as detours). Inline hooks are incredibly versatile and very common in malware. With inline hooks, malware can become the puppet master of any process, manipulating it into doing whatever the malware author pleases. Let’s see how they do it.


Oct 9, 2015

Deobfuscating Shifu

Many Trojans employ anti-analysis techniques. Some of these, such as VM detection, can be cleanly defeated with our automated countermeasures. Others require a little elbow grease. Among the latter is the use of obfuscated strings, as seen in the recently discovered banking Trojan “Shifu”. In this post, we will follow a particular sample (MD5 371cdeb618d2170419f02fc3d644ef43) and shed some light on the process we used to deobfuscate these strings.

