Install Bindiff on Fedora

Update 2022-01-03: I updated this blog post to work with Fedora 35, IDA Pro 7.7, and BinDiff 7.1.

BinDiff is a tool that diffs two binary executables and reports which functions they share and where they differ. Zynamics originally developed BinDiff; Google acquired the company in 2011 and has maintained the tool since. Even though there are alternatives like Diaphora, I still prefer BinDiff. It is the tool I utilize when analyzing a new version of a malware family. BinDiff saves me a lot of time since it detects most of the functionality in the new binary and lets me transfer annotations. Unfortunately, for Linux there are only .deb packages (Debian / Ubuntu). Therefore, Fedora users must convert the .deb package into an .rpm package in order to install BinDiff on Fedora.
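Before converting the .deb it helps to know exactly what it contains. The following is an added example, not code from the original post or from the BinDiff project: a minimal parser for the .deb container, which is a plain `ar` archive holding the members `debian-binary`, `control.tar.*` and `data.tar.*`, written against the Python standard library so the package can be inspected on Fedora without dpkg. The package it parses is constructed in memory with dummy values (package name `example-tool`, files under `/opt/example`); nothing about the real BinDiff package contents is assumed.

```python
"""Inspect a .deb with the Python standard library only.

Added example, not code from the original post. A .deb is a plain `ar`
archive with three members: `debian-binary` (format version, "2.0"),
`control.tar.*` (package metadata) and `data.tar.*` (the files that get
installed). Both are what a hand-built .rpm has to reproduce.
"""
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob: bytes) -> dict:
    """Parse an ar archive into {name: bytes}.

    Accepts both dpkg-style names ("control.tar.xz") and GNU-style names
    with a trailing slash ("control.tar.xz/"). Long-name tables are not
    needed for a .deb, so they are not handled here.
    """
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (bad magic)")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]          # fixed 60-byte ASCII header
        if hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt ar header at offset {pos}")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        body = blob[pos + 60:pos + 60 + size]
        if len(body) != size:
            raise ValueError(f"truncated member {name!r}")
        members[name] = body
        pos += 60 + size + (size & 1)     # member data is padded to even length
    return members


def deb_info(blob: bytes) -> dict:
    """Return the parsed control fields and the list of files a .deb installs."""
    members = ar_members(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("missing or unsupported debian-binary member")
    control_name = next(n for n in members if n.startswith("control.tar"))
    data_name = next(n for n in members if n.startswith("data.tar"))
    # mode "r:*" lets tarfile pick gzip/bzip2/xz; zstd-compressed members
    # (written by some newer dpkg versions) would need an extra module.
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tf:
        ctrl = next(m for m in tf.getmembers() if m.name.split("/")[-1] == "control")
        control_text = tf.extractfile(ctrl).read().decode()
    fields = {}
    for line in control_text.splitlines():
        # continuation lines (e.g. the long Description) start with whitespace
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tf:
        files = [m.name for m in tf.getmembers() if m.isfile()]
    return {"control": fields, "files": files}


# --- constructed sample package (dummy values, not a real BinDiff .deb) ---
def _tar_gz(entries: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar(members) -> bytes:
    out = bytearray(AR_MAGIC)
    for name, body in members:
        # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) = 60 bytes
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(body):<10}`\n"
        out += hdr.encode("ascii") + body + (b"\n" if len(body) & 1 else b"")
    return bytes(out)


def build_sample_deb() -> bytes:
    control = (b"Package: example-tool\nVersion: 1.0-1\nArchitecture: amd64\n"
               b"Depends: libc6 (>= 2.17)\nDescription: constructed sample\n"
               b" not a real package\n")
    return _ar([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _tar_gz({"./control": control})),
        ("data.tar.gz", _tar_gz({"./opt/example/bin/tool": b"#!/bin/sh\necho hi\n",
                                 "./opt/example/README": b"constructed\n"})),
    ])


if __name__ == "__main__":
    info = deb_info(build_sample_deb())
    print(info["control"])
    for path in info["files"]:
        print(path)
```

Run it against a real package with `deb_info(open("bindiff.deb", "rb").read())`; the `Depends` field tells you which Fedora packages the converted .rpm has to require, and the file list shows the install prefix the spec file must reproduce.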


The malware analyst’s guide to zlib compression

Malware often utilizes data compression like zlib or aPLib. There are several reasons for this: first, it saves space, which makes binaries smaller and network transfers faster. Second, it adds another layer of obfuscation, since the malware analyst needs to identify the compression algorithm before the compressed payload (a configuration, an embedded binary, or C2 traffic) can be read. One of the most widely adopted compression libraries in malware is zlib. For instance, malware families like GhostRat utilize zlib compression.
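The identification step the paragraph mentions, as an added example that is not code from the original post: scan a buffer for zlib stream headers (a CMF byte with compression method 8 followed by a FLG byte such that the 16-bit value is a multiple of 31) and inflate each candidate with Python's zlib module, keeping only streams that terminate with a valid Adler-32 trailer. The buffer and the configuration strings inside it are constructed for the demo and do not come from any real sample.

```python
"""Find and inflate zlib streams hidden inside a larger blob.

Added example, not code from the original post. A zlib stream begins with a
two-byte header: CMF (compression method in the low nibble, 8 = deflate;
window size in the high nibble) and FLG (check bits, preset-dictionary flag,
compression level). The pair is valid when (CMF * 256 + FLG) % 31 == 0, which
is why 78 01 / 78 5E / 78 9C / 78 DA are the well-known signatures. Malware
rarely stores the stream at a fixed offset, so we scan for candidates and let
zlib reject the false positives through its Adler-32 trailer check.
"""
import zlib

FLEVEL_NAMES = {0: "fastest", 1: "fast", 2: "default", 3: "best"}


def is_zlib_header(cmf: int, flg: int) -> bool:
    """True if (cmf, flg) is a syntactically valid zlib header (RFC 1950)."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and (cmf * 256 + flg) % 31 == 0


def describe_header(cmf: int, flg: int) -> str:
    """Human-readable summary, e.g. 'deflate, 32 KiB window, level best'."""
    window = 1 << ((cmf >> 4) + 8)
    level = FLEVEL_NAMES[flg >> 6]
    dict_flag = ", preset dictionary" if flg & 0x20 else ""
    return f"deflate, {window // 1024} KiB window, level {level}{dict_flag}"


def find_zlib_streams(data: bytes, min_size: int = 4) -> list:
    """Return (offset, header_description, inflated) for every complete zlib
    stream in `data`. Truncated streams and candidates that fail the checksum
    are skipped; the bytes of a matched stream are not rescanned."""
    found = []
    i = 0
    while i < len(data) - 1:
        cmf, flg = data[i], data[i + 1]
        if is_zlib_header(cmf, flg):
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[i:])
            except zlib.error:          # garbage that merely looked like a header
                out = b""
            if d.eof and len(out) >= min_size:   # clean end of stream, Adler-32 ok
                found.append((i, describe_header(cmf, flg), out))
                i += len(data) - i - len(d.unused_data)   # skip past the stream
                continue
        i += 1
    return found


# --- constructed sample: a fake PE-like prefix, two zlib payloads, filler ---
CONFIG = b"c2=10.0.0.1:443;interval=60;id=constructed-sample;" * 3
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
          + zlib.compress(CONFIG, 9)          # 78 DA header
          + b"\x00" * 16
          + zlib.compress(b"second payload")  # 78 9C header
          + b"\xff" * 8)


if __name__ == "__main__":
    for offset, desc, payload in find_zlib_streams(SAMPLE):
        print(f"0x{offset:04x}: {desc}: {payload[:40]!r}")
```

Two caveats when using this on real samples: raw deflate (no zlib header, as produced by `RtlCompressBuffer`-style APIs or `wbits=-15`) has no signature to scan for and needs a brute-force attempt at every offset, and a stream whose header sets the FDICT bit cannot be inflated without the preset dictionary the malware compiled in, so `zlib.error` there means "look for the dictionary", not "false positive".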


Never upload ransomware samples to the Internet

Ransomware is our contemporary plague. It is a thriving business that attracts more and more cybercriminals every month, and new ransomware gangs sprout like mushrooms. These self-proclaimed “security teams” test the security of many small to large enterprises, but their unsolicited penetration tests are far from cheap: what they leave behind is pure mayhem and a huge bill for the victims. Furthermore, some attacks are really disgusting, since ransomware gangs have targeted non-profit organizations, schools, and even hospitals on various occasions.
