What does it take to become a good reverse engineer?

How much money and effort does it take to become a good reverse engineer? Do you even need to be one?

There are no universally acceptable answers to these questions. Software reverse engineering (RE) is not a science but a skillset combined with specific knowledge and backed by a lot of experience.

For several years, we have been sharing the RE knowledge we accumulated in the form of training sessions provided to paying customers. These sessions ranged from two days at the SAS conference to a full five workdays in the extended version, and covered many aspects of our own work, primarily in IDA Pro and the in-lab reverse-engineering framework.

A typical piece of code disassembled in IDA Pro

Due to the novel 2019 coronavirus disease, our schedule for the training sessions has changed completely. But not only this; the reversing landscape itself has changed since last year. Released in March 2019, the free and open-source reverse engineering tool called Ghidra lowered the barrier to entry into the field.

The same piece of code viewed in Ghidra

So, while we are all working from home and, hopefully, have time to learn something new, why not tear some binary code apart and pick up some reverse engineering skills? This may prove especially helpful if your work is related to malware, incident response or forensics.

It is certainly not feasible to learn RE in one webinar. Within one hour, we will outline the typical workflow that we follow when analyzing malware. We will dissect real-life malicious code using both IDA Pro and Ghidra, and use some of the most useful features of these disassemblers.

The rest, as in many other disciplines, comes with experience. And, we are still looking forward to seeing you in our reverse engineering training sessions at SAS Conference 2020 (two days) or elsewhere (a whole week!).


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

SAS, sweet SAS

As you may already know from our social network posts, we have rescheduled the SAS 2020 conference for November 18-21 due to the COVID-19 pandemic and to ensure your safety. Though we still think that Barcelona is a great place to meet and it will not be a “real” SAS if we cannot hug, shake hands and clink beer glasses in that beautiful city, we cannot just leave it all until November. That is why we invite you to SAS at Home, a series of webinars scheduled to kick off very soon, on the 28th-30th of April.

For each of the three days, we have prepared presentations and master classes by world-renowned information security experts, who will share their expertise, best practice and tricks. We will be talking about APT groups, zero-day vulnerabilities and exploits, sophisticated attacks, and the state of the information security industry. As for master classes, Igor Kuznetsov will cover some of the most useful techniques for reverse engineering malware during his webinar, Static Binary Analysis: The Essentials. And that is just one example. Last but not least, Eugene Kaspersky himself will deliver a keynote address in the good old SAS tradition.

To learn more about SAS at Home, follow us on Twitter and Instagram. Do not miss your chance to spend your self-isolation days as usefully as possible and meet the world’s top information security experts, even if not in person. See you all at SAS at Home!



YARA webinar follow up | Securelist

If you read my previous blog post, “Hunting APTs with YARA”, then you probably know about the webinar we held on March 31, 2020, showcasing some of our experience in developing and using YARA rules for malware hunting.

In case you’ve missed the webinar or if you attended and want to re-watch it, you can find the recording here:

As requested by many of you, we are also making the slides available through SlideShare:

Unfortunately, we were forced to cut the broadcast short as we were running out of time. Nevertheless, we received a number of interesting questions and, as I promised, I will try to answer them below. Thanks to everyone who participated; we appreciate all the feedback and ideas!

YARA webinar – questions

  1. Can you share the presentation? (multiple)

    Sure, please find the link above for SlideShare.

  2. Hi Costin! What is the point of writing a rule on the exploit and not about the vulnerability? (from Ari)

    Hi Ari, hope you guys are doing well! In this case, we are trying to hunt an unknown 0day exploit, therefore, we don’t know which vulnerability it exploits. The only thing we can try to hunt for are the artifacts that the exploit developer left in his older exploits of the same kind (in this case, Silverlight). For more details, please see our blog post: The mysterious case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day.

  3. I’ll add an xml-based switch to show Imphash in lowercase, in pestudio! (from Marc)

    Thanks Marc, appreciated, and sorry for mispronouncing your last name! Everyone, in case you aren’t already using Pestudio for your initial malware assessment, go check it out.

  4. “Your italian is pretty good man / your italian is not so bad / Your italian is great 🙂 ” – various amici

    Thank you! Perhaps not surprisingly, Romania used to be a Roman colony 2000 years ago, which is why our languages are so similar. Wishing you guys all the best, stay safe and stay healthy!

  5. When you are looking for other languages, does the “pe.language” catch all hexbyte formats? (I.e. UTF-8 and UTF-16 will show Mandarin characters in different hex bytes) (from Jono)

    That’s a good question. In reality, pe.language cycles through all the resources in the PE file and returns true if the language of at least one resource matches the one you are looking for. So it isn’t really searching for any characters in the file; it only uses the metadata from the resource section.

  6. Can you please explain “not for all i” in the criteria? (from Rohit, referring to the generic YARA rule from example 3)

    Indeed, this is one tricky rule. Just to make it easier, I’m showing the solution below:

    In essence, the rule works as follows: first, the version_info structure field named “CompanyName” should contain “Microsoft”, which means the file is claiming to be from Microsoft. Secondly, it needs to be signed with a digital certificate, so pe.number_of_signatures should be larger than 0. Finally, we check whether, among all the certificates used to sign the file, there is at least one whose issuer is neither Microsoft nor VeriSign. Why “not for all”? Well, it’s reverse logic: for all the certificates, we want to make sure the signatures are either from Microsoft or VeriSign. If at least one signature is found that is not from these two, the file is suspicious. Another way to do this would be to keep “and for all” and apply the not inside the loop, switching the “or” for an “and” (because not (a or b) == not a and not b).

  7. Do you have any open source database of good and benign files to test against false positives? (from Ramon)

    Hey Ramon, thanks for the question! Please turn to slide 37 for advice on how to build a benign sample set for QA and false positives testing.

  8. When you specify the “filesize” attribute within your rule – what denomination do you target? Bytes, Kilobytes, Megabytes etc…? (from James)

    By default, the filesize is expressed in bytes, so 200000 would be 200000 bytes. The YARA syntax also supports KB and MB, with KB multiplying by 1024 and MB by 2^20.

  9. Would you recommend using the xor modifier now for this stuff? (from John) referring to slide 39:

    In particular, the example on the right side is from Shamoon2 samples, where some of the strings were XOR’ed with a one-byte key that kept changing from sample to sample. Interestingly enough, YARA has supported the “xor” modifier since version 3.8 (or so). However, the xor modifier is always applied last, after the wide encoding, so for our case above it would only work if the zeroes in the wide strings had been XOR’ed as well. If the zeroes are not XOR’ed, we need to brute-force the strings ourselves and use them literally, like in the case above.

  10. How long does it take to scan your full collection with a normal YARA rule? (from Juan Aleister-Crowley)

    The entire Kaspersky malware collection, which is possibly one of the largest in the world, takes between 1 and 2 weeks to scan entirely, on a cluster of a few hundred computers. However, in most cases, we resort to scanning subsets, such as recent samples or known APT samples already tagged by our robots, which takes between minutes and up to a day or two.

  11. What is your experience of using matching on the PE Rich Header? (from Axel)

    Good question! While in theory the pe module could allow for creation of rules that match on the decrypted Rich header, we haven’t played much with that. This is however something we’ve explored in connection to the Hades APT attack on the Winter Olympics and the associated false flag that relied on the Rich header from a Lazarus sample.

  12. What are some best practices around managing a collection of YARA rules? Rules harvested from the web as well as the ones internally developed. Are there any specific tools dedicated to maintaining such a collection? Do you just use Git? (from V)

    Hey V, thanks for the question! This is indeed one of the trickiest things and I have to admit that I do not know of a perfect solution yet. Indeed, there are some YARA management frameworks, but I can’t say I’m a big fan of any of them in particular. I do use Git for this purpose, but I also lack a nice visual interface that would allow me to search, edit and run them against samples with a click.

  13. Better speed if checking the file size before the rules? (from Damien)

    That’s a good question. According to Victor, the condition is evaluated by a decision tree, so the order is not necessarily the one that you put in the syntax. To be honest, I do prefer to put the filesize check first, perhaps for “superstition” reasons 🙂

  14. Here is a question: does “5 of ($b*)” mean “any 5 of ($b*)” or “first 5 of ($b*)”? (from Yerbol)

    Indeed, that means any (sub-)group of five $b strings.

  15. Hi, why is it important and a good indicator to use PDB paths in YARA sigs? (from Adrian)

    Based on our experience, PDB paths, in particular unique-looking folder names from PDB paths, are very good for detecting future malware from the same author. For example, an EternalBlue scanner from Omerez, which is used by the CobaltGoblin group, has the following PDB path inside:
    C:\Omerez\Projects\Eternal Blues\EternalBlueScanner\obj\Release\EternalBlues.pdb
    A YARA rule that matches on “C:\Omerez\Projects” could find other tools from the same author.
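
As a worked example for question 6 (added here; it is my reconstruction, not the slide from the webinar), the rule written out in both forms. The pe module fields are the real YARA ones; the rule names and the MZ check are my additions.

```yara
import "pe"

// Added example: a PE that claims to be from Microsoft in its version info
// and is digitally signed, but where at least one signing certificate was
// issued by someone other than Microsoft or VeriSign.
rule Fake_Microsoft_Signer_NotForAll
{
    condition:
        // Plain PE check, so the pe module has something to parse.
        uint16(0) == 0x5A4D and
        // The file claims to be Microsoft's.
        pe.version_info["CompanyName"] contains "Microsoft" and
        // It carries at least one Authenticode signature.
        pe.number_of_signatures > 0 and
        // "not for all": it is NOT the case that every certificate was issued
        // by Microsoft or VeriSign, i.e. at least one issuer is someone else.
        // Note that "contains" is case-sensitive.
        not for all i in (0..pe.number_of_signatures - 1) : (
            pe.signatures[i].issuer contains "Microsoft" or
            pe.signatures[i].issuer contains "VeriSign"
        )
}

// Same logic with the negation pushed inside the quantifier. By De Morgan,
// not (for all i: A or B) is equivalent to for any i: (not A and not B),
// so the "or" becomes "and" and "all" becomes "any".
rule Fake_Microsoft_Signer_ForAny
{
    condition:
        uint16(0) == 0x5A4D and
        pe.version_info["CompanyName"] contains "Microsoft" and
        pe.number_of_signatures > 0 and
        for any i in (0..pe.number_of_signatures - 1) : (
            not (pe.signatures[i].issuer contains "Microsoft") and
            not (pe.signatures[i].issuer contains "VeriSign")
        )
}
```

Both rules match exactly the same files; the second form is usually easier to read when the rule grows more conditions inside the loop.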

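For question 9, an added example (my own, not from the webinar slides) that shows why the xor modifier covers one XOR layout but not the other. The plaintext “Hello” and the key 0x55 are constructed values; the byte sequences in the comments were computed from them.

```yara
// Added example: what YARA's xor modifier does to a wide string, and why a
// sample that XORs only the non-zero bytes of a UTF-16 string escapes it.
//
// Constructed plaintext: "Hello" as a wide (UTF-16LE) string
//   48 00 65 00 6C 00 6C 00 6F 00
// Constructed one-byte key 0x55, applied the way the xor modifier does it,
// to every byte of the wide string, zeros included:
//   1D 55 30 55 39 55 39 55 3A 55
// Same key applied only to the non-zero bytes, zeros left in place
// (the Shamoon2-style layout described in the answer above):
//   1D 00 30 00 39 00 39 00 3A 00

rule Wide_Xor_Modifier_Coverage_Demo
{
    strings:
        // The xor modifier is applied after the wide encoding: for every key k
        // from 0x00 to 0xff YARA looks for (48^k) (00^k) (65^k) (00^k) ...
        // Key 0x00 covers the plaintext; key 0x55 covers the second layout.
        $xor_all = "Hello" wide xor

        // Zeros left untouched: the xor modifier cannot express this, because
        // the key is applied to alternate bytes only. One pre-computed key is
        // shown as a hex string; covering all 255 keys means generating 255
        // such strings (or one hex alternative) outside YARA, i.e. the
        // brute-force approach from the answer.
        $xor_nonzero_k55 = { 1D 00 30 00 39 00 39 00 3A 00 }

    condition:
        // Either layout triggers the rule.
        $xor_all or $xor_nonzero_k55
}
```

Running this rule over a file containing the bytes 1D 00 30 00 39 00 39 00 3A 00 fires only through $xor_nonzero_k55; $xor_all never matches that layout for any key.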
If you have more questions about the YARA webinar, please feel free to drop us a line in the comments box below or on Twitter: @craiu.

P.S. Special note for those trying to do the iOS/MacOS homework – if you write the rules but don’t have access to a platform to run them for hunting purposes, please drop us a note at: yarawebinar [at] kaspersky.com

Thanks and stay safe!
Costin



Hunting APTs with YARA | Securelist

For the past few years, we have been spreading our knowledge and experience of using YARA, often called a pattern-matching Swiss Army knife for malware researchers (and everyone else). Most of the time, this took the form of the Kaspersky training course titled “Hunting APTs with YARA Like a GReAT Ninja”. The first YARA training session of that kind took place in February 2016, on the beautiful islands of Tenerife. We have had hundreds of participants attend sessions in over a dozen countries since then.

Our next YARA training session was scheduled to take place in Barcelona, during SAS 2020. However, the global situation and the spread of the novel 2019 coronavirus disease, aka COVID-19, forced us to postpone both the conference and the training.

Meanwhile, we have been receiving a lot of requests to make our YARA hands-on training available to more people. We are working on this and we should soon be able to provide it as an online training experience. Stay tuned for updates by following us on Twitter: @craiu @kaspersky.

With many people working from home and spending even more time online, it is likely that the number of threats and attacks will increase as well. Therefore, we have decided to share some of the YARA experience we have accumulated during recent years, in the hope that all of you will find it useful for keeping threats at bay.

So, if you have wondered how to leverage YARA better and how to achieve a new level of knowledge in APT detection, mitigation and response, it all boils down to a couple of secret ingredients and lots of work. While the work is up to you, we can help a bit with a preview of the secret ingredients.

Long story short:

When: March 31, 14:00 GMT
Where: BrightTalk – https://kas.pr/z2o2
Who: Security researchers and incident response personnel, malware analysts, security engineers, network security analysts, APT hunters and IT security staff

During the webinar, we will demonstrate examples of real-world hunting rules we have developed internally at GReAT. For instance, these allowed us to find zero-days in the wild, financial APT tools, malware targeting crypto-investors, or APT tools that sabotage and tag SSL traffic.

For researchers, knowledge of YARA opens up several interesting opportunities:

  • First of all, this can be a great starting point for a career in threat intelligence.
  • It can help you make your day-to-day work more efficient.
  • You can start hunting for APT samples on platforms such as VirusTotal. All major APTs’ tools have been uploaded on VirusTotal at some point in time; one just needs knowledge and some luck to find those needles.
  • You can start hunting for APTs on your office/home computers, which might bring some interesting, and sometimes, surprising, results.

For organizations, this webinar will be useful if they commonly deal with problems such as:

  • Managing multiple YARA rulesets from various sources; understanding which rules are good enough for detection, which ones are good for hunting and which ones should be avoided
  • Testing for false positives
  • Using YARA for incident response
  • Enhancing your SOC
  • How to keep calm and start using YARA with KLara.

Last but not least, if you want to share feedback or if you have #yara questions that you would like answered at the webinar, please feel free to drop us some comments on Twitter. See you on March 31!



Meet Disposable mail this summer! | Disposable mail Blog

We’ve got some cool events coming up and we’re looking forward to discussing security at tech conferences, meetups and webinars. Check out this blog post for a complete list of events we’ll be attending this summer and autumn. If you’d like to schedule a meeting with us in advance or get hold of us at any of the events, just drop us a line at hello[at]detectify.com or reach out to us on Twitter. We can’t wait to meet you!

Gothenburg’s first annual Security Fest kicks off in June and we’ll be there! Our knowledge advisor Frans Rosén will share some great stories about his life as a bug bounty hunter.

Date and time: Thursday, June 2, 2016; 15:45 to 16:45
Location: Gothenburg, Sweden
Twitter: @securityfest

If you want a chance to listen in on a conversation between some of the world’s top security researchers, don’t miss this webinar! Join us for a chat about bug bounties, the latest vulnerabilities, and tips on how to write safer code.

Date and time: Wednesday, June 15, 2016; 20.00 UTC+2
Location: Google Hangouts → sign up TBA
Twitter: @nerdearla



Disposable mail at PHP Meetup | Disposable mail Blog

On May 11th, we co-organised a PHP security meetup together with PHP Stockholm at SUP46, where our knowledge advisor Frans Rosén talked about vulnerabilities and ways to make PHP code more secure. Over 60 PHP experts attended this event and we loved discussing security in such a great environment! We enjoyed chatting to everyone and listening to the talks by the other two speakers at the meetup, Magnus Nordlander from Fervo and Davey Shafik from Akamai.

The video of Frans’ talk is now up and running, so go on and watch it if you’d like to know more about PHP security!

In between the talks, there was food and beer, and plenty of opportunities for networking and PHP chat. The team was decked out in Disposable mail gear!

We’re looking forward to hosting more events and sharing our security knowledge. And don’t forget, we’ve got stickers… 🙂

Stay safe!
//The Disposable mail Team



Meet Disposable mail! | Disposable mail Blog

Our schedule for the autumn and winter is quickly filling up and we’re looking forward to all the awesome events we’ll be attending! In this blog post, you can find our events diary for the next few months, so make sure to swing by, say hello, and grab some stickers. If you’d like to schedule a meeting and have a chat with us at any of these events, just drop us a line at hello[at]detectify.com or reach out to us on Twitter.

SEPTEMBER

Nordic.js

Our knowledge advisor Frans Rosén will talk about security best practices at Nordic.js, a JavaScript conference in Stockholm, giving the audience a hands-on toolkit for integrating security into their everyday workflow, mixed with thrilling examples of his own security findings and bug bounty stories.

Date and time: September 8, 14.00-14.30
Location: Stockholm, Sweden
Twitter: @nordicjs

Guest lecture for IT security students at Iftac

Invitation only! We can’t wait to visit Iftac, a school in Hudiksvall, and meet IT security students! Frans Rosén is going to give a talk and share his knowledge with students studying to become IT security professionals.

Date and time: September 15, 10.00-12.00
Location: Iftac, Hudiksvall

Workshop: Web security for startups – Go hack yourself or someone else will

Attackers frequently target vulnerabilities, then find websites that have them – they are not always looking to hack specific companies. This talk will show you what everyday security mistakes developers usually make and how you can use automation to stay on top of security. We will also include a short Disposable mail demo and hold a Q&A session about the tool, web security and the hacker community. Join us to find out how security can be fun, easy and automated – so that you do not need to spend all your time worrying about it.

Date and time: September 21, 11.30-13.00
Location: Stockholm, Sweden
Twitter: @sup46

OCTOBER

Breakfast seminar: White hat hacking for the CIO – How do hackers think?

What should you do in order to protect yourself online, and what are the most common mistakes? Basefarm and Disposable mail invite you to a joint breakfast seminar in central Stockholm. One of the highest ranked hackers in the world will be telling his story, explaining the much talked about hacker culture and describing the most critical security bugs he has encountered during his career as a bug hunter. Michael Pettersson, responsible for IT security at Bonnier News, will also be sharing how they’re working on security.

Date and time: October 5, 8.00-9.30
Location: SUP46
Sign up: Basefarm

Sikkerhetssymposiet

Frans Rosén will guide you through web security best practices that will help you start working proactively with security. Frans will explain how companies can benefit from independent security researchers and ethical hacking – the people you will never be able to recruit to a regular 9 to 5 job.

 

Date and time: October 18-19, time TBA
Location: Bergen, Norway
Twitter: @SikkSymp

DECEMBER

Code Europe

In December, Frans Rosén will speak at Poland’s biggest conference for programmers. Watch this space!

Date and time: December 5, time TBA
Location: Krakow, Poland



3 quick questions with Security Awards nominee Jonatan Haltorp

Security Awards is a yearly event arranged by the Swedish publication Skydd och Säkerhet, where the aim is to highlight persons or companies that are improving the security industry. Disposable mail’s backend developer Jonatan was one of the finalists for Security Awards’ Security Student of 2016, so we caught up with him right after the event to ask him about the Swedish education system and his personal IT security role models.

How do you think IT security education in Sweden could be improved?
Identify and make the most of individuals who are motivated and have high ambitions regardless of their age. One example is Mathias, who hacked Google when he was only 13. People like him should be involved in the education system.

Do you have any advice for people who want to learn about IT security?
Have patience, everyone is a beginner once. Take your time to understand and solve a challenge. There are all sorts of practical exercises on the Internet (many for free!), so focus your security training on what interests you the most.

Who would you like to hand out your own security award to?
Alexander Peslyak, also known as Solar Designer, a Russian hacker who was a pioneer of memory corruption. And my teacher Johan Bogg at IFTAC who does his best to educate students about security, even though it is a difficult subject to keep up to date with.

Jonatan and the Disposable mail team want to congratulate Annie Myhr, who received the award for Security Student of 2016!



Disposable mail’s Martina Janevska on stage at Swetugg 2017

Yesterday, the Swetugg conference in Stockholm, Sweden, gathered hundreds of developers for a full day of talks and best practices. Disposable mail’s software engineer Martina Janevska was one of this year’s speakers. The room was filled when she stepped on stage and started to guide the audience through common vulnerabilities and her previous security mistakes. Martina used her own two-year-old code to demonstrate how much she has learnt about security since she started to work at Disposable mail – with her new security skillset, she actually hacked her old code to find out how vulnerable it was at the time she built it.

Here are Martina’s slides:

And the YouTube video:

One of Martina’s key takeaways was “It’s never too late to start learning about security”, so why don’t you start off with testing how your code stacks up against OWASP Top 10 with a free Disposable mail security scan? Let us analyze your code from a hacker’s perspective and give you a detailed report on what you passed or failed.

Stay safe!
