PDF Attack: A journey from the Exploit Kit to the Shellcode (Black Hat USA) 2013-07-31
peepdf, PDF, Tools, Analysis, Exploit Kits, Vulnerabilities, DFIR, Malware, Javascript, Shellcode
PDF Attack: A journey from the Exploit Kit to the shellcode is a workshop to show how to analyze obfuscated Javascript code from an Exploit Kit page, extract the exploits used, and analyze them. Nowadays it is possible to use automated tools to extract URLs and binaries but it is also important to know how to do it manually to not to miss a detail. We will focus on PDF documents mostly, starting from a simple Javascript Hello World document and ending with a real file used by a fresh Exploit Kit. This workshop will also include exercises to modify malicious PDF files and obfuscate them to try to bypass AV software; very useful in pentesting. The latest version of peepdf (included in REMnux, BackTrack and Kali Linux) will be used to accomplish these tasks, so this presentation covers the latest tricks used by cybercriminals like using new filters and encryption to make analysis more difficult.

Sopelka VS Eurograbber - Really 36 million EUR? (RootedCON) 2013-03-07
Malware, Botnets, Hype, Mobile, ZitMo
Sopelka botnet started life in May 2012 and was taken down by end of September of past year. This botnet was especial because it was an odd mixture of variants of the known banking trojans Tatanga, Feodo and Citadel, sending data to the same panel. Its main objective was the collection of banking credentials from European entities, mostly banks from Spain and Germany, but also The Netherlands and Italy. In addition, it made use of different mobile components for Android, BlackBerry and Symbian phones to bypass two factor authentication.

In December 2012 a "new" banking malware report was published, claiming that this trojan had stolen more than 36 million EUR from different European banks. This report and, above all, the stolen amounts were quickly published everywhere, but, in fact, this incident had a lot in common with Sopelka botnet and some details needed to be explained...really 36 million EUR?

View Spanish version

peepdf in Black Hat Europe Arsenal 2012 2012-03-16
peepdf, PDF, Tools, Analysis, Vulnerabilities, Javascript, Shellcode
Presentation of peepdf for the Black Hat Arsenal (Europe 2012), showing new features, new commands and articles related to PDF analysis with peepdf.

Social Engineering in Banking Trojans (RootedCON) 2012-03-01
Social Engineering, Trojans, Bankers, Botnets, MitMo, MitB, Injects, Detection
Social Engineering is the art of obtaining confidential information through the manipulation of the people with this knowledge. This technique is based on the fact that human beings represent the weakest link in a secure system, as somebody usually knows how to access it. The idea being that it is easier to manipulate a person than the system itself. Online banking is no exception. In this case, the most vulnerable people are the users themselves, the end clients of the banks, and the objective is to access their accounts. Cybercriminals use Social Engineering through HTML Injections to cheat on users and obtain their credentials. In this presentation a demo was performed to detect HTML Injections in web browsers.

View Spanish version

Banking Fraud Evolution - New techniques in real fraud cases (Source Seattle) 2011-06-15
Trojans, Bankers, Botnets, ZeuS, SpyEye, Tatanga, MitMo, MitB
New techniques in banking fraud are applied not only to malicious binaries, but also to how different cybercriminal groups use these binaries. Criminals always attempt to make the most of their malicious software. An example of this is the broad possibilities offered by HTML code injection. The latest injections discovered in both ZeuS and SpyEye show, once again, their continuous struggle to adapt to the changes and measures put in place to counter them. In the case of ZeuS, one of the latest strategies involves rendering useless the two-factor authentication used in numerous on-line banking operations.Similarly, in a campaign for distributing SpyEye, the group responsible for the malware injected code designed to automatically make fraudulent transfers after dynamically obtaining the destination accounts (mules) from a server. Therefore, the impact of campaigns to spread malware depends not only on the dangerousness of the malicious software itself, but also on how this software is used and the creativity of its criminal owners.

Obfuscation and (non-)detection of malicious PDF files (RootedCON) 2011-03-03
PDF, Vulnerabilities, Specifications, Obfuscation, Antivirus, Detection, peepdf
Techniques to successfully create malicious PDF files with low-detection rates, showing the weak points in actual parsers. Introduction to peepdf, a new tool that covers up the holes in the analysis of these files and which also allows their modification (obfuscation).

Updated for the CARO Workshop 2011 (2011-05-06).

PDF Overview PDF, Vulnerabilities, Specifications
Basics of PDF structure and vulnerabilities in a custom Pecha Kucha format (15x15).

Bug hunting Fuzzing, Malybuzz
Basics of fuzzing and introduction to Malybuzz and how it works.