Inside “4 horses club” malware >> social details :)


It’s too big for twitter, so I post it as separate blog post.

Some time ago I posted info about ransomware from “4 horses club”. Grab it HERE.

Here is login page of this Aff program for partners (click for bigger pic)


Read more… 0.3 released – Python script to upload samlpes to VirusTotal


Finished automation of a process to upload samples from multiple trackers.

Hope You can add it to Your systems and daily jobs.

History, requirements and installation – see here

Link to

don’t forget to remove _.txt )

What added: 

1. Added check of sample, if it already present on VirusTotal database. If so – just data dumped to log

2. If sample not present – it uploaded to VirusTotal.

3. All info about samples: Is sample new, SHA256 hash, detect ratio and URL to review – dumped to vtlog.txt at same dir

4. Comments added – in case You need to comment samples. by default enabled on already detected samples. Edit comment variable if needed. Currently there is a problem to comment just submitted file – will be solved.

5. All this within ToS of VirusTotal and thx to them for good tool 🙂

Hope it useful not to me 🙂

Stay Safe

D.L. – Yet another Python script to upload samlpes to


this is SMALL simple Python script to upload bulk of malware samples to

Grab here [don’t forget to remove _.txt at the end]

To use – need python installed, VirisTotal API key and Requests library for python

How to install Requests library: 

Install it with pip

$ pip install requests

or easy_install

$ easy_install requests

How to et API key of

1. register on

2. Go to Profile -API and grab the key

3. Incert it in api_key variable value in script before You run it Usage:

python path/to/malware.exe

But major usage is – upload mass of samples at once.

python  path/to/*

Output to console, in JSON format.

This is beta, no comments, ratings and nice output logs present here, just raw upload.

Request features and I’ll update the script.

Stay Safe



Bank Trojan for Brazil users


I am rookie binary reverser.. Many of my friends and colleges are really good at it, and I really appreciate they help.

But…. (there is always but, You noticed? 🙂 )

Have to learn it by myself – cannot always ask their help 🙂

However, If You work with Exploit kits, organized crime gangs and big sizes of threat, malware is too complicated to begin with. For me, at least 🙂

So – I got some link that was reported as “generic trojan downloader” – well, not yet named, so can be some custom trojan, that I can practice on?

Note: All those who already ruled the binary reversing – please have a look only if You interested in beginner’s research 🙂 Anyway, as always – critics is welcome.

And Yes, I know my English is terrible. As Korben Dallas said: “Listen lady, I only speak two languages: English and bad English.”

In this case I speak only bad English 🙂 But really trying to keep it in censorship.

Ok, as usual:

Disclaimer: All links provided lead to malicious or potentially malicious resources. Do not click there on any link, or don’t run any file, without proper knowledge, env prepared and skills trained.

Read more…

DoS vs DDoS – why “D” make difference here


It’s all started from my Granma (R.I.P.)

Anyway, since Brian Krebs make those mistakes, I have to write this 🙂 At least, for my lovely Granny (both of them)

Well – DoS is denial of service attack – it’s not just end-up with massive packet flood, even if Wiki say so in first sentence. It require tech skills and knowledge to by one computer cause local or remote Denial of Service to service\daemon. If You doubt it – have a look at – all this DoS exploits. If Yor Granma can do this, I want to read her blog – she is fabulous lady then! 🙂

And Yes, for now causing DDoS is usually pressing F5 in browser or sending huge ping-s to server. Or LOIC\HOIC – as press-one-button solution for less sophisticated Granmas, in case there are many of them You can aggregate 🙂

Sorry for being bit sarcastic – but it cold outside and late 🙂

See Ya


Do You need a laptop to be a hacker?


Hacker is more way of life than IT knowledge and tech skills. 🙂
Obvious? Sure, all truth is obvious. But this is not what I was talking about.

There is an old  Russian joke about how to hack an ATM:

– To hack an ATM, You need a sledgehammer, black mask and laptop. You wear mask, and smash ATM with sledgehammer till it totally broken, than take money and leave.

– And what laptop for?

– What kind of hacker You are without laptop?!!

Well, actually You are 🙂 And here is morning story:

We have few building with complicated system of elevators. Each building  have separate “smart management” system for elevators management, there at least 2 different systems present, and each of them make a noticeable mistakes for frequent elevator users.

So, I am standing in lobby, no going up elevators, all of them up, only one is empty and going down. “What the hell” – I think, – “lets go down and then up”. I am getting in and prepare to wait. At last second man jump-in the elevator, about 50, says:  “Hi! Up or down?”. “Up” – I say, – “but elevator goes down first”.

So, he step on the way of the elevator closing door, and begin to rapidly press button of upper level he needs. Elevator make a try to close door, then again, then short “beep” and arrow “Down” change with arrow “Up” and we going up…

“Don’t forget to press a button”- he said.

“Nice trick, good knowledge of computers, some system bag?” – I am sure guy is somehow related to elevator systems.
“What? No! Just with this stupid elevators You have to take an control in Your hands, otherwise You will never arrive in time” – he said. – “In the [other building] this trick not working, but there is a way too…”, – and he explains me how to stop elevator in other building…

“See You around! come to visit us at [salesmen company name]!” and he left on his level.

And now I am typing this, because apparently joke should be rewritten – You don’t need a laptop to be a hacker 🙂

“Practical Malware Analysis” – by Michael Sikorski and Andrew Honig


This is definitely Must Read book for anyone who begin in malicious code analysis, even for fun or profit (or both, You lucky bastards!)
Anyway, grab all Your failures and collection of executables, open the book and start to understand the stuff You messing with.
Even no need in short-lines, book 100% handy. Buy it, worth each $.

Target: Management


I do not remember, who said (and have no time to google it), that basic things so embarrassing to repeat them, so at the end no one remember them.

Well, lets embarrass ourself 🙂

At least twice here I mentioned, that from attacker point of view management computers and devices are best for penetrating, using as first base and hiding the tool-kits in.

About almost 10 years ago in some very secure facility I was called to incident response to some hi-ranked executive. Screams of him I heard from 2 levels below in elevator. Bravely walking thru scared personnel, I walked in office and after brief set of swearing about all IT, our dept and me personally,  got problem details:

USB stick was entered in work computer, some popup appear and no matter how many times he closed it – it still there. So – he called his secretary, and tried in both reception computers – same here. Then he sent disk to his vice – same there. And this is all because IT is “bunch of parasites”. Then they called IT, so someone can came and fix it, because meeting in 30 minutes and he unable to work with presentation he did yesterday all night on his home PC.

Cool. I came, because we got alarm system goes crazy about virus outbreak all over the facility. When I looked at the monitor – huge AV popup with virus warning blinking on the desktop. “Remove it now, I need  to work!” – he ordered. I took a step aside and called CSO of the facility, to report status of situation and request permission to proceed with quarantine and cleanup. And, actually, to back me up with my decision…

Well, to make long story short, hi-ranked idiot got offline computer to finish his presentation, incident was not placed in company security report and I got first and last warning from CSO on this short job in my career.

How this can be handled? Further notes for new CSO or person in charge for Security in company:

1. Make sure You have full understanding with management about what You doing, and what is importance level of Your Job. (Damn, last year media did for You all your job – just mention all those leaks, hacks and disclosures in You quarter report and drop a hint that even our company have smaller, but also painful  secrets).

2. To make sure You success with point 1, You should attend to those meetings, and be able to properly explain Yourself. See recent talks on Defcon, Brucon and 28c3 – about how and what should be told to executives. Make sure they know why they pay Your salary for 🙂

3. Ok – You in management circle of trust (well, al least circle of visibility al least )and able to explain Yourself – this is time to suggest solution for better security. But the proper way: what now, what to improve, what profit (in time, cost etc) and bottom line: value in money. It’s not complicated, it’s just matter of study.

4. Know your enemy – make sure You know what flaws of Your organisation. It’s never 100% secure, so make sure You know it well enough. It will save You from some smart-ass appear on next meeting who will inform You that “You not doing Your job well”. Be a pro in what You do at first.

5. Have good contacts with all third-party software vendors, contractors and servcie providers. Not Your scope? Maybe, but it will allow You to SAVE MONEY to Your company, by providing more reliable solutions, more targeted implementations and faster solving of ‘critical problems” applied by Your colleagues-managers. It add points to Your credibility.

6. If You cannot change the course and decisions taken without Your approval or even consult, make sure You at least:

– report to Your supirior (CEO, owner?) that You suggested otherwise. No need to add all Your thoughts, better to add few key points and also key flaws of current decision that taken.

– have all those reports saved and archived for future use.

– make sure You looking for another job, where You can provide Your professional skills and improve company for benefit of it’s workers and management.

That’s it 🙂

Tags :   

“Mastering IIS 7 Implementation and Administration” (John Paul Mueller, 2007, Sybex)


Well, long promise since last post, ah? 🙂

Another IIS security book, “Mastering IIS 7 Implementation and Administration” by John Paul Mueller. Bit old (2007 print), but still very good. You can look at it here.

Short headlines for myself:

P193 Chapter “Understanding the .NET security model”.
With .NET applications author devide few levels of security:
– Windows level – all concerned OS itself, patches, NTFS permissions etc.
– Control code access to Your system – use proper permissions, bcause it’s really easy to trick code perform malicious actions.
– Role-based security – use RBAC model for deviding standart and administrative tasks.

p194 – write it down: “The theory behind Windows security is simple. Every object has a lock and every object requestor has a key. If the requestor’s key fits the lock, then the requestor gains access to the object and the resources it provides. This is token-based security.”
User-level access:
– limited to combination of individual and group rights on object.
– rights managed by superuser-administrator
– administrator have almoust unrestricted access to Windows OS.
– ULA depends on SID, assigned with token
– Token contains Discretionary Access Control List (DACL) and a Security Access Control List (SACL)
– Token applied on logon process and to apply newrly added permissions – logon process should be repeated.

Token, assigned to user SID during creation session (logon process) is key.

Security Descriptor (lock in previous metaphora):
– have information, what rights user needed to access object.
– if rights of token is meet or exceed needed rights – access granted.
– each one have 5 main sections:
– header and flags: include version, list of control flags.
– Owner SID
– Group SID: default group
– SACL: auditing feature
– DACL: (array) – control object use by assigning users\groups.
Also in the book: .NET security    features as part of role-based security, permission calculator from MS (permcalc.exe), etc.
Specially for developers of IIS code – Code-Based security (p212)

P223 – ch10 – Configuring Application security.
which contains info about:
– Manage authorization settings
– Define authorization rules
– Manage server certificates
– Use SSL to secure an application
– Configure .NET users
– Configure role-based security settings
– Configure code-based security settings
– Save user settings

Actually, more than enough information than usually needed for basic understanding, and it’s great. If You security pro\developer who works with IIS etc – You definitely should look at this book.

“Dissecting the Hack – The F0rb1dd3n Network” (Jayson E. Street, Kent Nabors, 2010, Syngress)


You can look at book here

Well, fiction story with the following explanation. Somehow similar to reading the “Hobbit” and then to have explanations about it.
Anyway, for beginners, another way to gather fast knowledge in USA security community and major ideas.
Common weakness of this type of books, IMHO, is  limited range of view. All of them use same way of thinking:
– Our (in most cases – USA) guys are good 🙂
– Others are ba-a-a-d! (Eastern Europe, Asia, Middle East etc.), yeah, also cruel and stupid 🙂
This and some additional attached streams in this kind of fiction pose the silent idea that world in war for some time.
Yeah, and additional thoughts: Western community well know western security experts. Not much European and completely zero knowledge about Eastern Europe\Asia and Middle East security community. Fact, that came from 90-s till 2010, as shown by this book. Well, Zero knowledge about something fully correlate with areas of “Bad guys”. 🙂 Pixar – “Day and  Night” – just to say it in Your simple language.

Tags :