Linux from Scratch – Is it worth it?

One item on my ever-growing to-do list, ever since I stumbled upon Linux from Scratch (LFS) a couple of years ago, was to build my own Linux system. LFS is an online book that guides you through the whole process of building your own minimal Linux system. It consists of several phases: initially, you create partitions for your new system and download all the packages you need to build it. Then, you add an initial user, lfs, and set up a temporary system with a clean toolchain (assembler, compiler, linker) as well as other system tools. Next, you chroot into your temporary system, create essential files and directories, mount virtual filesystems like /dev and /sys, and start to compile the essential packages with your new toolchain. Finally, you install the boot scripts, compile the Linux kernel, install GRUB, and reboot. And wait, don’t forget to pray before booting into your system!

How to patch a Windows API in x64dbg

Some months ago, I analyzed a banking Trojan that employed a chain of injections. First, it hollowed an instance of svchost.exe. From there, it injected its code into several processes (especially browsers). My goal was to analyze the network protocol. Unfortunately, all processes could communicate with the CC and there was a mutual exclusion scheme that ensured only one network communicator at a time. This resulted in my process never contacting the CC and in me not seeing the network protocol.

Learn to quickly detect RC4 encryption in (malicious) binaries

RC4 (also known as ARC4) is a simple stream cipher. It was designed in the late 1980s, and its internals became known to the public in the mid-1990s. While it is a very simple and fast cipher, security researchers have discovered multiple flaws in it over the years. Today, it is just another broken stream cipher.

However, it is still used by software systems in the wild. Many malware families use it for encryption or, better said, just for obfuscation. Due to its simplicity and speed, malware authors embed it directly in their source code or statically link it into their binaries. For instance, ZLoader uses it to decrypt its configuration, and Smokeloader encrypts its network traffic with this stream cipher.
