Yotam Gottesman, Security Researcher, enSilo

Unpacking junkie. A knack for reverse engineering only to re-engineer later. Ping me.

Command Injection/Elevation – Environment Variables Revisited

Vulnerabilities, command injection, elevation, variables, enSilo Breaking Malware, UAC, Windows, code injection, enSilo Corporate and Product

Windows environment variables can be used to run commands and can also be used to bypass UAC, allowing an attacker with limited privileges to take complete control of the system. This technique leverages a rather unusual scenario within the Windows OS.

This is a continuation of our research as described in a previous post: Elastic Boundaries – Elevating

Adding UAC Bypass to the Attacker’s Tool Set

Research, enSilo Corporate and Product, Windows, UAC, Malware

Recently enSilo researchers, as part of our ongoing quest for endpoint protection, revealed a new way that attackers can bypass Microsoft’s User Access Control (UAC) mechanisms.

Elastic Boundaries – Elevating privileges by environment variables expansion

Vulnerabilities, bypass UAC, elevation, environment variable, path redirect, variable expansion, enSilo Breaking Malware, UAC, Windows, code injection, enSilo Corporate and Product

Even though any process is provided with variables from its environment, they are often overlooked by users, developers and sometimes even the OS itself.

Furtim: The Ultra-Cautious Malware

Research, enSilo Corporate and Product, Furtim, Malware, Windows

Furtim is the latest stealthy malware, found in the wild, and its discovery is credited to @hFireF0X. (We wrote more about Furtim malware here.)

Clearly, Furtim’s developers were more interested in keeping their malware hidden from security’s prying eyes than hitting more targets. With stealth a key component, we code-named this downloader

Analyzing Furtim: Malware that Avoids Mass-Infection

Malware, Furtim, enSilo Breaking Malware, Windows, enSilo Corporate and Product

Overview

Recently we came across a new malware strain, first discovered by @hFireF0X, which at the point of discovery was not detected by any of the 56 anti-virus programs tested by the VirusTotal service. (We wrote more about Furtim malware here.)

ArdBot: An Inside Look into Malware in the Making

Research, enSilo Corporate and Product, ArdBot, Windows

Crediting R136a1 who published malware samples a few days ago on a forum, we found these samples under development. We quickly went ahead and analyzed one, allowing us a unique view into malware at such an early development stage.

ArdBot: A Malware Under Construction

Malware, ArdBot, enSilo Breaking Malware, Windows, enSilo Corporate and Product

Recently we came across a new sample of the ArdBot malware, appearing on kernelmode, credited to R136a1. We wrote more about ArdBot here.

Analysis of this sample showed a malware strain that is not yet ready for production use and provided an interesting peek inside a malware’s development process.

A Technical Breakdown of ModPOS

Web Malware, Malware, ModPOS, POS malware, enSilo Breaking Malware, Windows, Windows XP, enSilo Corporate and Product

ModPOS is the latest in the string of POS malware that’s making the news. As its family name implies, this malware is intent on one thing: stealing credit card information.

Moker, Part 2: Capabilities

Web Malware, Malware, APT, Moker, RAT, enSilo Breaking Malware, Windows, enSilo Corporate and Product

A few days ago, we published a blog entry on an advanced malware called Moker, and discussed the different measures Moker employs to avoid detection and resist dissection, as part of enSilo’s continuing improvement of our endpoint security software.

Now that we have the stripped down malware sample, it’s time to analyze the actual malware.

Moker: A new APT discovered within a sensitive network

Research, enSilo Corporate and Product, APT, RAT, Windows, Malware, Moker

Recently, enSilo found an Advanced Persistent Threat (APT) residing in a sensitive network of a customer. This APT appears to be a Remote Access Trojan (RAT) that is capable of taking complete control of the victim’s computer. To date, this APT is unknown and does not appear in VirusTotal. Moker was the file description that the malware author
