Smashing the Jars
Anthony Kasza
Sr.Threat Researcher
Palo Alto Networks
About Me
@AnthonyKasza
Enterprise security
Malware communications
DNS transaction classifiers
Threat techniques
CTF challenge author:
- PAN LabyREnth
- FIRST DRG
Presentation Overview
• Introduction
  • Intro to Java, JARs, and Java based threats
• Java Threats
  • Current threat landscape
• Defensive Techniques
  • Analysis and detection techniques
• Demo
  • Unpacking, deobfuscating, reading
Java Basics
• Rich ecosystem
• JVM vs JDK vs JRE
• Often used to teach OOP
• Compiles to bytecode
  • Similar to Python
  • Simple to disassemble
• Architecture agnostic
  • Cross platform
Figure: the JDK bundles the JRE, the development tools and the JRE library source; the JRE bundles the JVM and the class libraries.
Reverse Engineering
Figure: spectrum of tribulations, from Simple to Difficult, covering source code, Java, .NET, Delphi, C/C++ and blind remote services.
JAR (Java ARchive) Basics
• JAR vs Zip format
• Contents are called resources
• Class files
  • Header 0xCAFEBABE
  • Constant pools
• Manifest
  • META-INF/MANIFEST.MF
  • Key:Values
  • Similar to HTTP headers
Figure: a JAR holds a manifest, class files (a.class, b.class, c.class, d.class) and other resources (a.jpg, b.ico, a.png).
Java RAT Basics
• Various levels of maturity
  • E.g. BlueBanana vs Adzok vs jSocket
• Most are kits/builders
  • Stub Jars
• Many use common libraries
• VirusTotal detections are often inaccurate
  • jRat != Jacksbot (aka jRat)
    • IMO too many RATs are detected as jRat
  • Frutas != Adwind != Jsocket != etc.
    • Or does it?
    • IMO too many RATs are detected as Adwind
Other Java Threats
• Banload and other droppers / downloaders
• Java Ransomware
  • PoC on Github [37]
  • From what I can tell, written by two high school students
  • Not distributed ITW
• jbd – bind shell in Java
  • https://scoperchiatore.wordpress.com/java-backdoor/
• Javafog – APT Java backdoor
A Brief Tangent: Javafog
• Identified by Kaspersky
• Malicious Jar which beaconed to the same domain as Icefog samples
• Windows specific
• Targeted?
  • But then why Java?
A Brief Tangent: Javafog
Figure annotations: not cross platform; Icefog domain name
Common Libraries
• java.util.prefs – persistence mechanism
  • Windows: registry
  • Linux: hidden files in user’s home/ dir
  • OSX: ~/Library/Preferences/
• Commonly (mis)used libraries
  • Sigar
  • Bridj
  • Slf4j
  • JNA / JNI [35]
  • jnativehook
  • Kryonet
  • webcam-capture [36]
• Runtime.getRuntime().exec()
  • E.g. Javafog
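As an added example (not code from the deck), a Python walk of the class file header and constant pool from the JAR Basics slide: it checks the 0xCAFEBABE magic, resolves class, string and method references, and flags the APIs and libraries listed on the Common Libraries slide. The class file it parses is constructed inline; the library package prefixes in INDICATORS are assumed from those projects' public package names.

```python
import struct

CLASS_MAGIC = 0xCAFEBABE
# Constant pool tags (JVMS section 4.4): 1 Utf8, 3 Integer, 4 Float, 5 Long, 6 Double,
# 7 Class, 8 String, 9 Fieldref, 10 Methodref, 11 InterfaceMethodref, 12 NameAndType,
# 15 MethodHandle, 16 MethodType, 17 Dynamic, 18 InvokeDynamic, 19 Module, 20 Package.

# Internal-name fragments of the APIs and libraries the talk lists as commonly
# (mis)used by Java RATs (package prefixes assumed from the libraries' public ones).
INDICATORS = ("java/lang/Runtime.exec", "java/util/prefs", "org/jnativehook",
              "com/esotericsoftware/kryonet", "org/hyperic/sigar", "org/bridj", "com/sun/jna")


def parse_constant_pool(data):
    """Walk the class file header and constant pool; return (major_version, pool) with
    pool mapping 1-based index -> (tag, value). A bad magic or unknown tag raises
    ValueError, which for a RAT stub usually means the resource is encrypted or packed."""
    if len(data) < 10:
        raise ValueError("truncated class file")
    magic, _minor, major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != CLASS_MAGIC:
        raise ValueError("bad magic 0x%08X (not a plain class file)" % magic)
    pool, off, i = {}, 10, 1
    while i < count:                            # entries are numbered 1 .. count-1
        tag = data[off]
        off += 1
        if tag == 1:                            # Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", data, off)
            off += 2
            pool[i] = (tag, data[off:off + n].decode("utf-8", "replace"))
            off += n
        elif tag in (3, 4):                     # Integer, Float
            pool[i] = (tag, struct.unpack_from(">I", data, off)[0])
            off += 4
        elif tag in (5, 6):                     # Long, Double
            pool[i] = (tag, struct.unpack_from(">Q", data, off)[0])
            off += 8
            i += 1                              # 8-byte constants occupy two slots
        elif tag in (7, 8, 16, 19, 20):         # one u2 index
            pool[i] = (tag, struct.unpack_from(">H", data, off)[0])
            off += 2
        elif tag in (9, 10, 11, 12, 17, 18):    # two u2 indices
            pool[i] = (tag, struct.unpack_from(">HH", data, off))
            off += 4
        elif tag == 15:                         # MethodHandle: u1 kind + u2 index
            pool[i] = (tag, (data[off], struct.unpack_from(">H", data, off + 1)[0]))
            off += 3
        else:
            raise ValueError("unknown constant tag %d at index %d" % (tag, i))
        i += 1
    return major, pool


def summarize_class(data):
    """Resolve the pool into what an analyst greps for: referenced classes, string
    literals (hardcoded C2s, commands, dropped file names) and invoked methods."""
    major, pool = parse_constant_pool(data)
    utf8 = lambda idx: pool[idx][1]             # follow an index to its Utf8 text
    classes = sorted(utf8(v) for t, v in pool.values() if t == 7)
    strings = sorted(utf8(v) for t, v in pool.values() if t == 8)
    methods = []
    for t, v in pool.values():
        if t in (10, 11):                       # Methodref / InterfaceMethodref
            owner = utf8(pool[v[0]][1])         # Class -> Utf8
            name_idx, desc_idx = pool[v[1]][1]  # NameAndType -> (Utf8, Utf8)
            methods.append("%s.%s%s" % (owner, utf8(name_idx), utf8(desc_idx)))
    return {"major": major, "classes": classes, "strings": strings, "methods": sorted(methods)}


def flag_indicators(summary):
    """Return the INDICATORS that occur in any class or method reference."""
    refs = [r.lower() for r in summary["classes"] + summary["methods"]]
    return sorted(ind for ind in INDICATORS if any(ind.lower() in r for r in refs))


def build_sample_class():
    """Constructed class file (header, constant pool, empty body); not a real sample."""
    def utf8(s):
        return b"\x01" + struct.pack(">H", len(s)) + s.encode("utf-8")
    entries = [
        utf8("java/lang/Runtime"),                          # 1
        b"\x07" + struct.pack(">H", 1),                     # 2  Class -> #1
        utf8("exec"),                                       # 3
        utf8("(Ljava/lang/String;)Ljava/lang/Process;"),    # 4
        b"\x0c" + struct.pack(">HH", 3, 4),                 # 5  NameAndType -> #3, #4
        b"\x0a" + struct.pack(">HH", 2, 5),                 # 6  Methodref Runtime.exec
        utf8("uname -a"),                                   # 7
        b"\x08" + struct.pack(">H", 7),                     # 8  String literal -> #7
        utf8("java/util/prefs/Preferences"),                # 9
        b"\x07" + struct.pack(">H", 9),                     # 10 Class -> #9
        b"\x05" + struct.pack(">Q", 0x1234),                # 11 Long (also fills slot 12)
        utf8("Stub"),                                       # 13
        b"\x07" + struct.pack(">H", 13),                    # 14 Class -> #13 (this_class)
    ]
    header = struct.pack(">IHHH", CLASS_MAGIC, 0, 52, 15)   # major 52 = Java 8, 14 slots
    body = struct.pack(">HHHHHHH", 0x0021, 14, 0, 0, 0, 0, 0)  # flags, this, super, 4 counts
    return header + b"".join(entries) + body
```

Run it over every `.class` resource pulled out of a Jar; a resource that fails the magic check is the one to hand to the unpacking step.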
Adversary Types
• Opportunistic actors
  • Forum skiddies and phishing/spam
• Financially motivated actors
  • Banking users in Brazil (banload) [40]
  • Bank systems in Singapore (adwind) [11]
• Actors targeting something specific
  • PackRat – CitizenLab, Dec 2015 (Adzok, AlienSpy)
    • Latin American [13]
  • JavaFog – Kaspersky, Jan 2014
  • Manul campaign – EFF, 2016 (jRat) [34]
Someone name something that comes in a jar
Things That Come in Jars
Figure (timeline): emergence dates from 2010 (?) to mid-2016 for Frutas, Adwind, Unrecom, AlienSpy, jSocket, jBifrost, Adzok, BlueBanana, Crimson, jCage, jFect, jRAT, jSpy, OS Celestial, Quaverse, Quarallax, OmniRAT and Ratty.
Frutas Lineage: Frutas
• Frutas PoC emerged early 2012 [2]
• Includes a simple ASCII readable ‘config.txt’ or ‘config.xml’ file
• Writes ‘frautas.lock’ file to temporary directory to avoid concurrent executions
• Became popular among Spanish speaking criminals circa July 2012 [1]
Frutas Lineage: Frutas
Frutas configuration files
Frutas Lineage: Frutas
Frutas lock file
Frutas Lineage: Frutas
Frutas Windows specific commands
Frutas Lineage: Adwind
• Emerged early 2013 from a rebranded Frutas [3]
• Subsequent variants began using obfuscation [4]
• Same named resources (capital vs lower case)
• Support for Android (APK binder) introduced
• Modular plugins
Frutas Lineage: Adwind
Adwind obfuscated manifest entries
Frutas Lineage: Adwind
Adwind obfuscated resource names
Frutas Lineage: Unrecom
• Rebranded Adwind around late 2013 [5] [6]
• UNiversal REmote COntrol Multi-platform
• Adwind “acquired” by LustroSoft
• Introduced LiteCoin mining plugin [7]
Frutas Lineage: Unrecom
Unrecom server class resource name
Frutas Lineage: AlienSpy
• Emerged Oct 2014
• Improvements [3]
  • Sandbox detection
  • TLS for C2
  • Anti Analysis [8]
  • Allatori Obfuscation
Frutas Lineage: AlienSpy
AlienSpy long resource name
Frutas Lineage: AlienSpy
AlienSpy Allatori usage
Frutas Lineage: AlienSpy
AlienSpy anti-analysis technique
Frutas Lineage: jSocket
• AlienSpy domain taken down after Fidelis report (April 2015)
• jSocket emerged July 2015 [10]
• Similar to AlienSpy but used subscription model (SaaS)
• Kaspersky estimates Jsocket (Adwind) author [11]:
  • made $200,000 per year
  • sold to 1,800 customers
Frutas Lineage: jSocket
jSocket OSX obscure filenames and paths
Frutas Lineage: jSocket
jSocket OSX plist entry
Frutas Lineage: jBifrost
• Minor feature improvements from jSocket [38]
• Controller can tell if user is typing
• Serialized decryption keys in implants
Frutas Lineage: jBifrost
jBifrost vs jSocket controller UI
Images taken from Fortinet blog [38]
Adzok (aka Adsocks)
• Emerged 2010ish (0.7.0 was around in January of 2011) [12]
• Free version used by PackRat group [13]
• Open Source [14], Free, and Pro Versions
• Still active:
  • Sold online from Bolivia [15]
  • Twitter profile’s latest tweet was July 2015 [16]
• Similarities to Frutas
  • Creates lock file
  • Free version is Windows only
  • Similar XML configuration file elements
Adzok (aka Adsocks)
Adzok Free only runs on Windows
Adzok (aka Adsocks)
Adzok Free configuration file
Adzok (aka Adsocks)
Adzok lock file
Adzok (aka Adsocks)
Adzok homepage
BlueBanana
• Emerged September 2012
• Obfuscated
  • Encoded strings
  • Class file names
• Beacons with a configured password in its first data packet
• No longer developed
BlueBanana
BlueBanana password beaconing on OSX
BlueBanana
BlueBanana greetz
Crimson
• Oldest forum post I could find was dated Oct 2012 [17]
• The builder’s “about” section claims December 2013
• Encrypted communications
  • AES
  • Blowfish
  • DES
  • Triple DES
• Drops settings files into one of:
  • sqlite database ‘Psettings.db’ – v1.2.3
  • base64 encoded ‘settings.properties’ – v1.3.0
  • No file dropped – v2.1.0
Crimson
Crimson dropping a sqlite db on OSX
Crimson
Crimson debugging out on Windows
Crimson
Crimson debugging out on OSX
jCage
• Emerged July 2013
• Makes use of jnativehook lib
• Seems to be focused on Windows systems
  • I could not find a sample which executed on OSX
jCage
jCage searching for AV products on Windows
jCage
jCage Windows specific shutdown command
qRat (Qarallax/Quaverse)
• Emerged May 2015
• Three stage JAR loader [20]
• SaaS model (similar to jSocket)
• Used a hardcoded IPv4 and domains
• Only runs on Windows
• A second version in the wild [32] recently
  • Downloads auxiliary Jars from qarallax[.]com
  • Runs on Macs too!
  • Used to compromise US Visa applicants in Switzerland over Skype [33] – 6 June 2016
qRat (Qarallax/Quaverse)
qRat v1 not running on OSX
qRat (Qarallax/Quaverse)
qRat v2 randomly named and hidden Jar on OSX
jRat (aka Jacksbot)
• Emerged Oct 2012
• Portions are open sourced by redpois0n
  • Plugins, scripts, uninstaller, and auxiliary tools
  • https://github.com/java-rat
• Again, not everything is jRat
• Persists using [19]
  • OSX: a LaunchAgent plist
  • Linux: ~/.config/autostart
  • Windows: Registry run key
jRat (aka Jacksbot)
jRat plist file for persistence on OSX
jFect
• Emerged Nov 2015
• Heavily obfuscated
• IRC or HTTP communications
• LaunchAgent plist for persistence on OSX
• Just like every other Java RAT
jFect
jFect C2 over IRC on Windows
jFect
jFect C2 over HTTP on OSX
jFect
jFect plist file for persistence on OSX
OmniRAT
• Emerged Nov 2015
• Multi OS implant and panel support
• Android control panel
• Hardcoded C2 (doesn’t use a configuration file)
• Android version can spread via SMS [21]
OmniRAT
OmniRAT hardcoded C2 IPv4 address
OmniRAT
OmniRAT C2 beacon using Java serialization
jSpy and OS Celestial
• jSpy emerged Dec 2013, OS Celestial is likely a second version
• Open source library reuse
• Similar features
  • Similar configuration file options
  • Similar configuration parsing classes
• Overlap in the domains their builders beacon to
  • jstealth.co[.]uk
  • jstealth[.]net
• Detectable by files it drops on Windows
• Uses LaunchAgent plists for persistence on OSX
jSpy and OS Celestial
jSpy homepage
jSpy and OS Celestial
jSpy plist file for persistence on OSX
Ratty
• Was actively being developed on Github [22]
• Seems Windows is further developed than OSX (further than Linux)
• Used a simple xor over its configuration file
• Palo Alto Networks saw this RAT being distributed in the wild around April 5 of this year
• Disappeared from Github a few months ago
Ratty
Ratty limited Linux support
Ratty
Ratty distribution session data from April 2016
Common Java RAT Behaviors
• Obfuscators, protectors, cryptors
• Anti-vm and anti-analysis tricks
• Very long and random(ish) resource names
• Many AV’s cannot determine which family
• Hide Jar implant
  • Hidden directories or temp folders
• Persistence
  • Registry, startup folder, plists (KnockKnock)
• Beacon
  • Variable between families
Packers, Obfuscators, Bundlers
• Allatori
• Zelix Klassmaster (aka Zelix aka ZKM)
• launch4j (jar to exe)
• Jar Bundler (removed in OS X Mountain Lion 10.8.2)
• JarToApp
  • https://github.com/redpois0n/JarToApp
• jCrypt
• jarProtector
• jFuzzle
JWScan and Jardiff
Jar Deobfuscation
• Deobfuscation logic is in the JAR somewhere
• Decompile class files
• Search for methods wrapping strings passed to other methods
• If those methods do math manipulations on a string, re-implement in Python
• Eclipse conditional breakpoints [23] [24] [25]
• Demo to follow
javadeobfuscator
• Automated deobfuscation for common techniques and tools [39]
• Demo to follow
Analysis Hints
OSX
• OSX persistence mechanisms [29]
  • Plists
  • Hidden files and directories
• Dtrace and JVM hotspots
• KnockKnock [31]
Windows
• Registry keys
• LNKs in Startup Folder
• Procmon
• Regshot
Bytecode Visualizer
Bytecode-viewer
RATDecoders
• Github repository by kevthehermit [27]
• Contains static configuration decoding scripts for many RATs
  • Not just Java based ones
• Fantastic resource for building a static Intel pipeline
  • Combine with VirusTotal, Laikaboss [28], etc
  • A handful of vendors are doing this internally
Pitfalls and Oversights
• Yara rules based on resource names work except when they don’t
• Jarinjarloader is tricky
  • Set as the main-class in a jar’s manifest
  • It then loads a different class (from a URL or from itself)
• Manifest files are not required for Jars to execute
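An added example (not from the deck) that turns the JAR Basics, Common Java RAT Behaviors and Pitfalls slides into one static triage pass: it parses the MANIFEST.MF key:value headers including wrapped lines, checks every .class resource for the 0xCAFEBABE header, spots class files stored under non-.class names, flags very long resource names, reports a missing manifest, and calls out a jar-in-jar loader set as Main-Class. The Jar it inspects is constructed inline; the 40-character name threshold and the Rsrc-Main-Class attribute (Eclipse's jar-in-jar loader convention, as I know it) are assumptions.

```python
import io
import re
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
MANIFEST = "META-INF/MANIFEST.MF"
JARINJAR = "jarinjarloader"   # Eclipse's jar-in-jar loader, named as Main-Class
LONG_NAME = 40                # chars; threshold is an assumption for this example


def parse_manifest(text):
    """Parse the main section of MANIFEST.MF into header-style Key: Value pairs.
    Values longer than 72 bytes are wrapped onto a following line that starts with a
    single space; the first blank line ends the main section (per-entry sections follow)."""
    entries, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and last is not None:
            entries[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            entries[last] = value.strip()
    return entries


def triage_jar(jar_bytes):
    """Static first look at a Jar: entry point, class magic, and the very long
    resource names the talk lists as a common Java RAT trait."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = {}
        if MANIFEST in names:
            manifest = parse_manifest(zf.read(MANIFEST).decode("utf-8", "replace"))
        else:
            findings.append("no manifest: Jar can still run via java -cp <jar> <class>")
        if JARINJAR in manifest.get("Main-Class", "").lower():
            findings.append("Main-Class is a jar-in-jar loader; real entry point is "
                            "Rsrc-Main-Class=%s" % manifest.get("Rsrc-Main-Class"))
        for name in names:
            if name.endswith("/"):
                continue
            data = zf.read(name)
            base = name.rsplit("/", 1)[-1]
            if name.endswith(".class") and data[:4] != CLASS_MAGIC:
                findings.append("%s: .class without CAFEBABE magic (encrypted or packed?)" % name)
            elif not name.endswith(".class") and data[:4] == CLASS_MAGIC:
                findings.append("%s: class file hidden under a non-.class name" % name)
            if len(base) >= LONG_NAME and re.fullmatch(r"[A-Za-z0-9_$.]+", base):
                findings.append("%s: very long resource name (%d chars)" % (name, len(base)))
    return {"manifest": manifest, "resources": names, "findings": findings}


def build_sample_jar(with_manifest=True):
    """Constructed Jar that trips each check; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_manifest:
            zf.writestr(MANIFEST,
                        "Manifest-Version: 1.0\r\n"
                        "Main-Class: org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoade\r\n"
                        " r\r\n"                                  # wrapped continuation
                        "Rsrc-Main-Class: a.b.Stub\r\n"
                        "Rsrc-Class-Path: ./ lib.jar\r\n\r\n")
        zf.writestr("a/b/Stub.class", CLASS_MAGIC + b"\x00" * 6)          # plain class
        zf.writestr("a/b/" + "kDqhxMZ" * 8 + ".class", b"\x00" * 16)      # long name, no magic
        zf.writestr("res/a.png", CLASS_MAGIC + b"\x00" * 6)               # class posing as image
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_jar(build_sample_jar())["findings"]:
        print(finding)
```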
Key Take Away Items
Java RATs emerged ~2010
Still not extremely popular
Their use is growing
Used by spectrum of actors
Look at the tools I mentioned, they work well
Reach out if you’re interested in collaborating or have questions
Special Thanks
  
DerbyCon Organizers
DerbyCon Audience
Tyler Halfpop
Jacob Soo
Anthony Mendez
Kevin Breen
Chris Pierce
Jørgen Bøhnsdalen
Questions?
Demo
References (1)
[1] https://cdn.securelist.com/files/2016/02/Adwind_timeline_horizontal_final.png
[2] http://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door
[3] https://isc.sans.edu/forums/diary/Adwind+another+payload+for+botnetbased+malspam/20041/
[4] https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26278/en_US/McAfee_Labs_Threat_Advisory_Adwind.pdf
[5] http://www.crowdstrike.com/blog/adwind-rat-rebranding/
[6] http://blog.checkpoint.com/2016/02/24/adwind-malware-as-a-service-reincarnation/
[7] http://blog.trendmicro.com/trendlabs-security-intelligence/old-java-rat-updates-includes-litecoin-plugin/
[8] https://www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf
[9] https://theintercept.com/2015/08/21/inside-the-spyware-campaign-against-argentine-troublemakers-including-alberto-nisman/
[10] https://www.fidelissecurity.com/sites/default/files/FTA_1019_Ratcheting_Down_on_JSocket_A_PC_and_Android_Threat_FINAL.pdf
[11] https://blog.kaspersky.com/adwind-rat/11252/
[12] http://cleanbytes.net/java-trojan-horses-the-new-trojan-viruses-generation
[13] https://citizenlab.org/2015/12/packrat-report/
[14] https://sourceforge.net/projects/adsocks/
[15] http://adzok.com/
[16] https://twitter.com/Adzok_
[17] https://leakforums.net/thread-314078
[18] http://www.javaworld.com/article/2077233/core-java/bytecode-basics.html
[19] https://github.com/redpois0n/jrat-remover/tree/master/src/se/jrat/remover/removers
[20] https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/
References (2)
[21] https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co
[22] https://github.com/Sogomn/Ratty
[23] https://github.com/deresz/unpacking/blob/master/README.md
[24] https://vimeo.com/165124535
[25] https://wiki.eclipse.org/FAQ_How_do_I_set_a_conditional_breakpoint%3F
[26] http://www.crowdstrike.com/blog/native-java-bytecode-debugging-without-source-code/
[27] https://github.com/kevthehermit/RATDecoders
[28] https://github.com/lmco/laikaboss
[29] https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
[30] https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/
[31] https://github.com/synack/knockknock
[32] http://presumptuouscommoner.blogspot.com/2016/04/post-19-or-anyone-want-jar-of-docx.html
[33] https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/
[34] https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf
[35] http://blog.cobaltstrike.com/2013/08/29/how-to-inject-shellcode-from-java/
[36] https://github.com/sarxos/webcam-capture
[37] https://github.com/codertimo/Ransomware
[38] https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat
[39] https://github.com/java-deobfuscator/deobfuscator
[40] http://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-brazil-exhibits-unusually-complex-infection-process/

 
Cloudfoundry Overview
Cloudfoundry OverviewCloudfoundry Overview
Cloudfoundry Overviewrajdeep
 

Similar to Kasza smashing the_jars (20)

Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok   Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
深層学習ライブラリの環境問題Chainer Meetup2016 07-02
深層学習ライブラリの環境問題Chainer Meetup2016 07-02深層学習ライブラリの環境問題Chainer Meetup2016 07-02
深層学習ライブラリの環境問題Chainer Meetup2016 07-02
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
Toward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malwareToward dynamic analysis of obfuscated android malware
Toward dynamic analysis of obfuscated android malware
 
4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
Central Iowa Linux Users Group: November Meeting -- Container showdown
Central Iowa Linux Users Group: November Meeting -- Container showdownCentral Iowa Linux Users Group: November Meeting -- Container showdown
Central Iowa Linux Users Group: November Meeting -- Container showdown
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Windows container security
Windows container securityWindows container security
Windows container security
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits and
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
PPS Java Overview Unit I.ppt
PPS Java Overview Unit I.pptPPS Java Overview Unit I.ppt
PPS Java Overview Unit I.ppt
 
PPS Java Overview Unit I.ppt
PPS Java Overview Unit I.pptPPS Java Overview Unit I.ppt
PPS Java Overview Unit I.ppt
 
The Final Frontier
The Final FrontierThe Final Frontier
The Final Frontier
 
RubyStack: the easiest way to deploy Ruby on Rails
RubyStack: the easiest way to deploy Ruby on RailsRubyStack: the easiest way to deploy Ruby on Rails
RubyStack: the easiest way to deploy Ruby on Rails
 
Cloudfoundry Overview
Cloudfoundry OverviewCloudfoundry Overview
Cloudfoundry Overview
 

More from PacSecJP

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpPacSecJP
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jPacSecJP
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpPacSecJP
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-finalPacSecJP
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaPacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...PacSecJP
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpPacSecJP
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpPacSecJP
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaPacSecJP
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2PacSecJP
 
Kasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedKasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedPacSecJP
 
Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3PacSecJP
 
Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2PacSecJP
 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalPacSecJP
 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaPacSecJP
 
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpNishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpPacSecJP
 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalPacSecJP
 

More from PacSecJP (19)

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-final
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-ja
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_ja
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2
 
Kasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedKasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-corrected
 
Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3
 
Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2
 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
 
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpNishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinal
 

Recently uploaded

Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteMavein
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfmchristianalwyn
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxnaveenithkrishnan
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsRoxana Stingu
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024Jan Löffler
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Shubham Pant
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSlesteraporado16
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdfShreedeep Rayamajhi
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpressssuser166378
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSedrianrheine
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilitiesalihassaah1994
 

Recently uploaded (12)

Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a Website
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptx
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpress
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilities
 

Kasza smashing the_jars

  • 1. Smashing the Jars Anthony Kasza Sr. Threat Researcher Palo Alto Networks
  • 3. About Me @AnthonyKasza Enterprise security Malware communications DNS transaction classifiers Threat techniques CTF challenge author: - PAN LabyREnth - FIRST DRG
  • 4. Presentation Overview • Introduction • Intro to Java, JARs, and Java-based threats • Java Threats • Current threat landscape • Defensive Techniques • Analysis and detection techniques • Demo • Unpacking, deobfuscating, reading
  • 5. Java Basics • Rich ecosystem • JVM vs JDK vs JRE • Often used to teach OOP • Compiles to bytecode • Similar to Python • Simple to disassemble • Architecture agnostic • Cross platform (Diagram: the JDK contains dev tools, lib, source and the JRE; the JRE contains the JVM and libraries)
  • 6. Reverse Engineering Spectrum of Tribulations (Figure: a spectrum from Simple to Difficult with Source Code, Java, .NET, Delphi, C++, C and Remote Service (Blind) placed along it)
  • 7. JAR (Java ARchive) Basics • JAR vs Zip format • Contents are called resources • Class files • Header 0xCAFEBABE • Constant pools • Manifest • META-INF/MANIFEST.MF • Key:Values • Similar to HTTP headers (Diagram: a JAR holding a manifest, a.class, b.class, c.class, d.class, a.jpg, b.ico and a.png)
  • 8. Java RAT Basics • Various levels of maturity • E.g. BlueBanana vs Adzok vs jSocket • Most are kits/builders • stub Jars • Many use common libraries • VirusTotal detections are often inaccurate • jRat != Jacksbot (aka jRat) • IMO too many RATs are detected as jRat • Frutas != Adwind != Jsocket != etc. • Or does it? • IMO too many RATs are detected as Adwind
  • 9. Other Java Threats • Banload and other droppers / downloaders • Java Ransomware • PoC on GitHub [37] • From what I can tell, written by two high school students • Not distributed ITW • jbd – bind shell in Java • https://scoperchiatore.wordpress.com/java-backdoor/ • Javafog – APT Java backdoor
  • 10. A Brief Tangent: Javafog • Identified by Kaspersky • Malicious Jar which beaconed to same domain as Icefog samples • Windows specific • Targeted? • But then why Java?
  • 11. A Brief Tangent: Javafog (Screenshots: not cross platform; Icefog domain name)
  • 12. Common Libraries • java.util.prefs – persistence mechanism • Windows: registry • Linux: hidden files in user’s home/ dir • OSX: ~/Library/Preferences/ • Commonly (mis)used libraries • Sigar • Bridj • Slf4j • JNA / JNI [35] • jnativehook • Kryonet • webcam-capture [36] • Runtime.getRuntime().exec() • E.g. Javafog
  • 13. Adversary Types • Opportunistic actors • Forum skiddies and phishing/spam • Financially motivated actors • Banking users in Brazil (banload) [40] • Bank systems in Singapore (adwind) [11] • Actors targeting something specific • PackRat – CitizenLab, Dec 2015 (Adzok, AlienSpy) • Latin American [13] • JavaFog – Kaspersky, Jan 2014 • Manul campaign – EFF, 2016 (jRat) [34]
  • 14. Someone name something that comes in a jar
  • 15. Things That Come in Jars
  • 16. Things That Come in Jars (Timeline figure, built up over three slides: Frutas, Adwind, Unrecom, AlienSpy, jSocket, jBifrost, Adzok, BlueBanana, Crimson, jCage, jFect, jRAT, jSpy, OS Celestial, Quaverse, Quarallax, OmniRAT and Ratty, placed between 2010 (?) and Jun 2016; the first-seen dates are given on each family's slides below)
  • 20. Frutas Lineage: Frutas • Frutas PoC emerged early 2012 [2] • Includes a simple ASCII readable ‘config.txt’ or ‘config.xml’ file • Writes ‘frautas.lock’ file to temporary directory to avoid concurrent executions • Became popular among Spanish speaking criminals circa July 2012 [1]
  • 21. Frutas Lineage: Frutas Frutas configuration files
  • 23. Frutas Lineage: Frutas Frutas Windows specific commands
  • 24. Frutas Lineage: Adwind • Emerged early 2013 from a rebranded Frutas [3] • Subsequent variants began using obfuscation [4] • Same named resources (capital vs lower case) • Support for Android (APK binder) introduced • Modular plugins
  • 25. Frutas Lineage: Adwind Adwind obfuscated manifest entries
  • 26. Frutas Lineage: Adwind Adwind obfuscated resource names
  • 27. Frutas Lineage: Unrecom • Rebranded Adwind around late 2013 [5] [6] • UNiversal REmote COntrol Multi-platform • Adwind “acquired” by LustroSoft • Introduced LiteCoin mining plugin [7]
  • 28. Frutas Lineage: Unrecom Unrecom server class resource name
  • 29. Frutas Lineage: AlienSpy • Emerged Oct 2014 • Improvements [3] • Sandbox detection • TLS for C2 • Anti Analysis [8] • Allatori Obfuscation
  • 30. Frutas Lineage: AlienSpy AlienSpy long resource name
  • 32. Frutas Lineage: AlienSpy AlienSpy anti-analysis technique
  • 33. Frutas Lineage: jSocket • AlienSpy domain taken down after Fidelis report (April 2015) • jSocket emerged July 2015 [10] • Similar to AlienSpy but used subscription model (SaaS) • Kaspersky estimates Jsocket (Adwind) author [11]: • made $200,000 per year • sold to 1,800 customers
  • 34. Frutas Lineage: jSocket jSocket OSX obscure filenames and paths
  • 36. Frutas Lineage: jBifrost • Minor feature improvements from jSocket [38] • Controller can tell if user is typing • Serialized decryption keys in implants
  • 37. Frutas Lineage: jBifrost jBifrost vs jSocket controller UI Images taken from Fortinet blog [38]
  • 38. Adzok (aka Adsocks) • Emerged 2010ish (0.7.0 was around in January of 2011) [12] • Free version used by PackRat group [13] • Open Source [14], Free, and Pro versions • Still active: • Sold online from Bolivia [15] • Twitter profile’s latest tweet was July 2015 [16] • Similarities to Frutas • Creates lock file • Free version is Windows only • Similar XML configuration file elements
  • 39. Adzok (aka Adsocks) Adzok Free only runs on Windows
  • 40. Adzok (aka Adsocks) Adzok Free configuration file
  • 43. BlueBanana • Emerged September 2012 • Obfuscated • Encoded strings • Class file names • Beacons with a configured password in its first data packet • No longer developed
  • 46. Crimson • Oldest forum post I could find was dated Oct 2012 [17] • The builder’s “about” section claims December 2013 • Encrypted communications • AES • Blowfish • DES • Triple DES • Drops settings files into one of: • sqlite database ‘Psettings.db’ – v1.2.3 • base64 encoded ‘settings.properties’ – v1.3.0 • No file dropped – v2.1.0
  • 47. Crimson Crimson dropping a sqlite db on OSX
  • 50. jCage • Emerged July 2013 • Makes use of jnativehook lib • Seems to be focused on Windows systems • I could not find a sample which executed on OSX
  • 51. jCage jCage searching for AV products on Windows
  • 52. jCage jCage Windows specific shutdown command
  • 53. qRat (Qarallax/Quaverse) • Emerged May 2015 • Three stage JAR loader [20] • SaaS model (similar to jSocket) • Used a hardcoded IPv4 and domains • Only runs on Windows • A second version in the wild [32] recently • Downloads auxiliary Jars from qarallax[.]com • Runs on Macs too! • Used to compromise US Visa applicants in Switzerland over Skype [33] (6 June 2016)
  • 54. qRat (Qarallax/Quaverse) qRat v1 not running on OSX
  • 55. qRat (Qarallax/Quaverse) qRat v2 randomly named and hidden Jar on OSX
  • 56. jRat (aka Jacksbot) • Emerged Oct 2012 • Portions are open sourced by redpois0n • Plugins, scripts, uninstaller, and auxiliary tools • https://github.com/java-rat • Again, not everything is jRat • Persists using [19] • OSX: a LaunchAgent plist • Linux: ~/.config/autostart • Windows: Registry run key
  • 57. jRat (aka Jacksbot) jRat plist file for persistence on OSX
  • 58. jFect • Emerged Nov 2015 • Heavily obfuscated • IRC or HTTP communications • LaunchAgent plist for persistence on OSX • Just like every other Java RAT
  • 59. jFect jFect C2 over IRC on Windows
  • 60. jFect jFect C2 over HTTP on OSX
  • 61. jFect jFect plist file for persistence on OSX
  • 62. OmniRAT • Emerged Nov 2015 • Multi OS implant and panel support • Android control panel • Hardcoded C2 (doesn’t use a configuration file) • Android version can spread via SMS [21]
  • 64. OmniRAT OmniRAT C2 beacon using Java serialization
  • 65. jSpy and OS Celestial • jSpy emerged Dec 2013; OS Celestial is likely a second version • Open source library reuse • Similar features • Similar configuration file options • Similar configuration parsing classes • Overlap in the domains the builders beacon to • jstealth.co[.]uk • jstealth[.]net • Detectable by files it drops on Windows • Uses LaunchAgent plists for persistence on OSX
  • 66. jSpy and OS Celestial jSpy homepage
  • 67. jSpy and OS Celestial jSpy plist file for persistence on OSX
  • 68. Ratty • Was actively being developed on Github [22] • Seems Windows is further developed than OSX (further than Linux) • Used a simple xor over its configuration file • Palo Alto Networks saw this RAT being distributed in the wild around April 5 of this year • Disappeared from Github a few months ago
  • 70. Ratty Ratty distribution session data from April 2016
  • 72. Common Java RAT Behaviors • Obfuscators, protectors, cryptors • Anti-VM and anti-analysis tricks • Very long and random(ish) resource names • Many AVs cannot determine which family • Hide Jar implant • Hidden directories or temp folders • Persistence • Registry, startup folder, plists (KnockKnock) • Beacon • Variable between families
  • 73. Packers, Obfuscators, Bundlers • Allatori • Zelix Klassmaster (aka Zelix aka ZKM) • launch4j (jar to exe) • Jar Bundler (removed in OS X Mountain Lion 10.8.2) • JarToApp • https://github.com/redpois0n/JarToApp • jCrypt • jarProtector • jFuzzle
  • 75. Jar Deobfuscation • Deobfuscation logic is in the JAR somewhere • Decompile class files • Search for methods wrapping strings passed to other methods • If those methods do math manipulations on a string, re-implement in Python • Eclipse conditional breakpoints [23] [24] [25] • Demo to follow
  • 76. javadeobfuscator • Automated deobfuscation for common techniques and tool [39] • Demo to follow
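  The following is an added example of the manual approach on slide 75, not code from the talk or from javadeobfuscator: a decompiled string-decoding method (a constructed one, not any real obfuscator's output, shown in the docstring) is re-implemented in Python and run over the string literals it wraps, so the constant pool can be read without executing the sample. The constants 0x41, 0x17 and 3 are lifted from the constructed Java; the two encoded literals are constructed as well.

```python
"""Re-implementing a decompiled string-decoding routine in Python.

The decompiled Java a reverser would be looking at (constructed for this
example, not any real obfuscator's output):

    static String d(String s) {
        char[] c = s.toCharArray();
        for (int i = 0; i < c.length; i++) {
            int k = (i % 2 == 0) ? 0x41 : 0x17;
            c[i] = (char) ((((int) c[i] - 3) & 0xFF) ^ k);
        }
        return new String(c);
    }

Every call site wraps a literal, e.g. d("\\u002e\\u0079...").  Once d() is
ported, the literals can be decoded offline.
"""

KEY_EVEN, KEY_ODD, DELTA = 0x41, 0x17, 3   # constants lifted from the decompiled method


def decode_string(enc):
    """Python port of d(): undo the +DELTA, then XOR with the index-dependent key."""
    out = []
    for i, ch in enumerate(enc):
        key = KEY_EVEN if i % 2 == 0 else KEY_ODD
        out.append(chr(((ord(ch) - DELTA) & 0xFF) ^ key))
    return "".join(out)


def encode_string(plain):
    """Inverse of decode_string; only used here to build constructed samples."""
    out = []
    for i, ch in enumerate(plain):
        key = KEY_EVEN if i % 2 == 0 else KEY_ODD
        out.append(chr(((ord(ch) ^ key) + DELTA) & 0xFF))
    return "".join(out)


# Constructed string constants, as they would appear in the class's constant
# pool (javap -v, or the decompiler output) wrapped by d(...).
CONSTANT_POOL_STRINGS = [
    "\x2e\x79\x3a\x79\x72\x65\x38\x81\x30\x3c\x34\x68\x27\x74\x35",
    "\x27\x72\x27\x77",
]


def decode_all(encoded):
    """Map each encoded literal to its plaintext."""
    return {enc: decode_string(enc) for enc in encoded}


if __name__ == "__main__":
    # The recovered strings name the APIs the stub touches (here a
    # java.util.prefs persistence hint and an exec call), which is what
    # the static review is after.
    for enc, plain in decode_all(CONSTANT_POOL_STRINGS).items():
        print(f"{enc!r:50} -> {plain!r}")
```

  The same port works for any routine that is pure arithmetic on the characters; when the routine instead derives its key from the call stack or a class name (a common anti-analysis twist), the Eclipse conditional-breakpoint approach from the same slide is the fallback.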
  • 77. Analysis Hints • OSX: • OSX persistence mechanisms [29] • Plists • Hidden files and directories • Dtrace and JVM hotspots • KnockKnock [31] • Windows: • Registry keys • LNKs in Startup Folder • Procmon • Regshot
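  As an added example for the OSX hints above and the LaunchAgent persistence noted on the jRat, jFect and jSpy slides (not the talk's tooling, and not KnockKnock), the script below parses LaunchAgent plists and flags the shape those families leave behind: a `java -jar` launch of a JAR stored in a hidden or temporary directory, set to run at load. The three plists are constructed samples and the heuristics are assumptions.

```python
"""Triage of macOS LaunchAgent/LaunchDaemon plists for Java-RAT-style persistence."""
import plistlib
import posixpath

JAVA_LAUNCHERS = {"java", "javaw"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def jar_from_args(args):
    """Return the JAR path following '-jar', or None if java is not run with one."""
    if "-jar" in args and args.index("-jar") + 1 < len(args):
        return args[args.index("-jar") + 1]
    return None


def plist_findings(plist_bytes):
    """Return (Label, [findings]) for one plist; an empty list means 'not a Java launch'."""
    d = plistlib.loads(plist_bytes)
    label = d.get("Label", "?")
    args = d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else [])
    findings = []
    if not args or posixpath.basename(args[0]) not in JAVA_LAUNCHERS:
        return label, findings
    findings.append("runs java")
    jar = jar_from_args(args)
    if jar:
        path = posixpath.normpath(jar)
        # qRat v2 and jSocket keep the implant under dot-directories or obscure paths
        if any(part.startswith(".") for part in path.split("/") if part):
            findings.append(f"jar in hidden path: {jar}")
        if path.startswith(TEMP_PREFIXES):
            findings.append(f"jar in temporary directory: {jar}")
    if d.get("RunAtLoad"):
        findings.append("RunAtLoad")
    if d.get("KeepAlive"):
        findings.append("KeepAlive")
    return label, findings


def triage(plists):
    """Report only agents whose JAR lives somewhere a legitimate install would not."""
    report = {}
    for raw in plists:
        label, f = plist_findings(raw)
        if any(x.startswith("jar in ") for x in f):
            report[label] = f
    return report


PLIST_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>{label}</string>
<key>ProgramArguments</key><array>{args}</array>
<key>RunAtLoad</key><true/>
</dict></plist>"""


def make_plist(label, *args):
    """Build a constructed LaunchAgent plist (bytes) for the samples below."""
    items = "".join(f"<string>{a}</string>" for a in args)
    return PLIST_TEMPLATE.format(label=label, args=items).encode()


SAMPLE_PLISTS = [
    # constructed: RAT-style stub, JAR hidden under a dot-directory in the home dir
    make_plist("com.example.helper", "/usr/bin/java", "-jar",
               "/Users/alice/.cache/kjhdsfKJHSDF.jar"),
    # constructed: a Java tool installed normally (noted as 'runs java', not reported)
    make_plist("com.example.devtool", "/usr/bin/java", "-jar",
               "/Applications/DevTool.app/Contents/Resources/devtool.jar"),
    # constructed: non-Java agent, out of scope
    make_plist("com.example.backup", "/usr/local/bin/backup-sync", "--daily"),
]

if __name__ == "__main__":
    for label, findings in triage(SAMPLE_PLISTS).items():
        print(label, "->", "; ".join(findings))
```

  On a live system the input is the files under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons (glob them and pass the bytes in); KnockKnock [31] covers the same locations plus the other persistence points in [29].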
  • 80. RATDecoders • Github repository by kevthehermit [27] • Contains static configuration decoding scripts for many RATs • Not just Java based ones • Fantastic resource for building a static Intel pipeline • Combine with VirusTotal, Laikaboss [28], etc • A handful of vendors are doing this internally
  • 81. Pitfalls and Oversights • YARA rules based on resource names work, except when they don’t • JarInJarLoader is tricky • It is set as the Main-Class in a JAR’s manifest • It then loads a different class (from a URL or from itself) • Manifest files are not required for JARs to execute
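  The following is an added example, not tooling from the talk, tying together the JAR basics from slide 7, the resource-name observations on slide 72 and the pitfalls above. It builds a constructed JAR in memory and then triages it statically: it lists the resources, parses META-INF/MANIFEST.MF into key/value pairs (including wrapped continuation lines), checks every .class entry for the 0xCAFEBABE magic and major version, and flags very long or random-looking resource names, a JarInJarLoader Main-Class (where the real entry point sits in Rsrc-Main-Class), and a JAR with no manifest at all. The name-length and entropy thresholds are assumptions.

```python
"""Static JAR triage: resources, manifest, class magic, suspicious names."""
import io
import math
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE
LONG_NAME = 60          # assumption: resource basenames longer than this are unusual
RANDOM_ENTROPY = 4.0    # assumption: bits/char over a basename stem of 24+ chars
JAR_IN_JAR_LOADER = "org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader"


def parse_manifest(text):
    """Parse the manifest's main section: 'Key: Value' lines, with continuation
    lines (leading space) joined onto the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                                   # blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        attrs[last] = value.strip()
    return attrs


def class_version(data):
    """Return the major version if data starts with 0xCAFEBABE, else None."""
    if len(data) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    return major if magic == CLASS_MAGIC else None


def entropy(s):
    """Shannon entropy in bits per character; obfuscator names score high."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def triage_jar(jar_bytes):
    """Return {'resources', 'manifest', 'classes', 'findings'} for one JAR."""
    findings, classes, manifest = [], {}, None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            main = manifest.get("Main-Class")
            if main == JAR_IN_JAR_LOADER:
                findings.append(f"JarInJarLoader entry; real main is {manifest.get('Rsrc-Main-Class')}")
            elif not main:
                findings.append("manifest without Main-Class")
        else:
            findings.append("no manifest (still runnable with java -cp)")
        for name in names:
            base = name.rsplit("/", 1)[-1]
            stem = base.rsplit(".", 1)[0]
            if name.endswith(".class"):
                classes[name] = class_version(zf.read(name))
                if classes[name] is None:
                    findings.append(f"{name}: not a class file (bad magic)")
            if len(base) > LONG_NAME:
                findings.append(f"{name}: very long resource name")
            if len(stem) >= 24 and entropy(stem) > RANDOM_ENTROPY:
                findings.append(f"{name}: random-looking resource name")
    return {"resources": names, "manifest": manifest, "classes": classes, "findings": findings}


# Constructed sample: an obfuscator-style 64-character class name and a minimal
# class header (magic + minor 0 + major 52, i.e. Java 8) with zero padding.
RANDOM_NAME = "Xq7Lm2ZvRp0KsJ9bWt4YnH8cGd1EfU5aQo3IeN6rVy2BxT7jMz9wLk4PsC1hDg8F"
FAKE_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 24


def build_sample_jar():
    """Constructed JAR with the shapes discussed on the slides (not a real sample)."""
    manifest = (
        "Manifest-Version: 1.0\n"
        f"Main-Class: {JAR_IN_JAR_LOADER}\n"
        "Rsrc-Main-Class: stub.Main\n"
        "Rsrc-Class-Path: ./ lib/sigar.jar lib/jn\n"
        " a.jar\n"                                  # manifest 72-byte line wrap
        "\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("stub/Main.class", FAKE_CLASS)
        zf.writestr(f"a/{RANDOM_NAME}.class", FAKE_CLASS)
        zf.writestr("a/b.png", b"not really an image")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_jar(build_sample_jar())
    print("Main-Class:", result["manifest"].get("Main-Class"))
    for finding in result["findings"]:
        print(" -", finding)
```

  Because the check keys on the manifest's Main-Class rather than on a resource name, it survives the renaming that defeats name-based YARA rules; the no-manifest branch is there because a JAR without one still runs via `java -cp`, so its absence is itself worth recording rather than a reason to skip the file.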
  • 82. Key Take Away Items Java RATs emerged ~2010 Still not extremely popular Their use is growing Used by spectrum of actors Look at the tools I mentioned, they work well Reach out if you’re interested in collaborating or have questions
  • 83. Special Thanks DerbyCon Organizers DerbyCon Audience Tyler Halfpop Jacob Soo Anthony Mendez Kevin Breen Chris Pierce Jørgen Bøhnsdalen (slide footer: 83 | © 2015, Palo Alto Networks)
  • 85. Demo
  • 86. References (1)
  [1] https://cdn.securelist.com/files/2016/02/Adwind_timeline_horizontal_final.png
  [2] http://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door
  [3] https://isc.sans.edu/forums/diary/Adwind+another+payload+for+botnetbased+malspam/20041/
  [4] https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26278/en_US/McAfee_Labs_Threat_Advisory_Adwind.pdf
  [5] http://www.crowdstrike.com/blog/adwind-rat-rebranding/
  [6] http://blog.checkpoint.com/2016/02/24/adwind-malware-as-a-service-reincarnation/
  [7] http://blog.trendmicro.com/trendlabs-security-intelligence/old-java-rat-updates-includes-litecoin-plugin/
  [8] https://www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf
  [9] https://theintercept.com/2015/08/21/inside-the-spyware-campaign-against-argentine-troublemakers-including-alberto-nisman/
  [10] https://www.fidelissecurity.com/sites/default/files/FTA_1019_Ratcheting_Down_on_JSocket_A_PC_and_Android_Threat_FINAL.pdf
  [11] https://blog.kaspersky.com/adwind-rat/11252/
  [12] http://cleanbytes.net/java-trojan-horses-the-new-trojan-viruses-generation
  [13] https://citizenlab.org/2015/12/packrat-report/
  [14] https://sourceforge.net/projects/adsocks/
  [15] http://adzok.com/
  [16] https://twitter.com/Adzok_
  [17] https://leakforums.net/thread-314078
  [18] http://www.javaworld.com/article/2077233/core-java/bytecode-basics.html
  [19] https://github.com/redpois0n/jrat-remover/tree/master/src/se/jrat/remover/removers
  [20] https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/
  • 87. References (2)
  [21] https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co
  [22] https://github.com/Sogomn/Ratty
  [23] https://github.com/deresz/unpacking/blob/master/README.md
  [24] https://vimeo.com/165124535
  [25] https://wiki.eclipse.org/FAQ_How_do_I_set_a_conditional_breakpoint%3F
  [26] http://www.crowdstrike.com/blog/native-java-bytecode-debugging-without-source-code/
  [27] https://github.com/kevthehermit/RATDecoders
  [28] https://github.com/lmco/laikaboss
  [29] https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
  [30] https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/
  [31] https://github.com/synack/knockknock
  [32] http://presumptuouscommoner.blogspot.com/2016/04/post-19-or-anyone-want-jar-of-docx.html
  [33] https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/
  [34] https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf
  [35] http://blog.cobaltstrike.com/2013/08/29/how-to-inject-shellcode-from-java/
  [36] https://github.com/sarxos/webcam-capture
  [37] https://github.com/codertimo/Ransomware
  [38] https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat
  [39] https://github.com/java-deobfuscator/deobfuscator
  [40] http://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-brazil-exhibits-unusually-complex-infection-process/