Moker, Part 1: Dissecting a New APT Under the Microscope

Windows, Web Malware, Malware, APT, Moker, RAT, enSilo Breaking Malware

Recently, we came across Moker, an advanced malware residing in a sensitive network of a customer. Since the malware did not try to access an external server, but rather tamper with the system inner workings, we decided to give this malware a second look. (This kind of work is part of developing complete endpoint security software.)

Read More

Class Dismissed: 4 Use-After-Free Vulnerabilities in Windows

Vulnerabilities, Windows, vulnerability, exploit, enSilo Breaking Malware

Introduction

Today, Microsoft released their latest Patch Tuesday. This Patch includes a fix for CVE-2015-2363, a complementary patch to CVE-2015-2360 from last month. The two CVEs together bundles within themselves IMPORTANT-rated exploitable vulnerabilities which we responsibly disclosed to Microsoft.

Read More

“Selfie”: A Tool to Unpack Self-Modifying Code using DynamoRIO

tools, Windows, Malware, enSilo Breaking Malware, Endpoint Protection

TL;DR: In this blog post we describe Selfie, a tool we have developed that automates finding the OEP for a majority of malwares packed with self-modifying code. The Selfie tool is now open-sourced, compiled to 32-bit, and can be found here.

Read More

Vulnerability Patching: Learning from AVG on Doing it Right.

Vulnerabilities, Windows, enSilo Breaking Malware

Introduction

As part of our research, we analyze the intricate relationship between Anti-Virus and Operating Systems (OS). During this process, we came across a vulnerability in AVG Internet Security 2015 build 5736 + Virus database 8919 released January 13th 2015.

The vulnerability? The affected AVG product had allocated a memory page with RWX

Read More

One Bit To Rule Them All: Bypassing Windows 10 Protections Using a Single Bit

Windows, Windows 10, vulnerability, exploit, enSilo Breaking Malware

Introduction

Today, Microsoft released their latest Patch Tuesday. This Patch includes a fix for vulnerability CVE-2015-0057, an IMPORTANT-rated Windows exploitable vulnerability which we responsibly disclosed to Microsoft a few months ago. (enSilo researchers often discover new vulnerabilities in out continuing work towards complete endpoint

Read More