ANALYSIS OF GENERIC PASSWORD FOUND IN CRYPTKEEPER

ANALYSIS OF GENERIC PASSWORD FOUND IN CRYPTKEEPER Antiy CERT Draft: February 02, 2017, 15:00 Published: February 02, 2017, 15:00 Updated: February 02, 2017, 15:00 Background On January 31, 2017, an article entitled “Cryptkeeper Linux Encryption App Fails at Job, Has One Letter Skeleton Key -……

THE ANALYSIS OF EQUATION DRUG —THE FOURTH ANALYSIS REPORT OF EQUATION GROUP

The Analysis of EQUATION DRUG —The Fourth Analysis Report of Equation Group Antiy CERT Draft: January 13, 2017 16:00 Published: January 16, 2017 10:00 Updated: January 25, 2017 14:30 Words for This Version On the basis of previously published reports, Antiy CERT has provid……

FROM EQUATION TO EQUATIONS

FROM EQUATION TO EQUATIONS Revealing the multi-platform operational capability of Equation Group Antiy CERT Draft: Jan. 15, 2014 16:43 (UTC+8) Published: Nov. 4, 2016 10:00 (UTC+8) Updated: Nov. 4, 2016 13:00 (UTC+8) 1 Background From February 2015, An……

The Dances of White Elephant – A Cyber Attack from South Asian Subcontinent

The Dances of White Elephant – A Cyber Attack from South Asian Subcontinent Antiy CERT First version: 17:00, July 1, 2016 First release: 10:00, July 10, 2016 Updated version: 15:00, July 18, 2016 1 Overview During the past four years, engineers from Antiy Labs have paid clos……

TECHNOLOGICAL AND CHARACTERISTIC ANALYSIS OF NEW VARIANT OF RANSOMWARE FAMILY TESLACRYPT

Technological and Characteristic Analysis of New Variant of Ransomware Family TeslaCrypt Antiy CERT First Edition: 17:44, Apr. 7, 2016 Pub Date: 14:23, Apr. 8, 2016 Update: 10:07, Apr. 8, 2016 1 Introduction Antiy CERT recently found a new variant of ransomware TeslaCrypt, named TeslaCrypt ……

Comprehensive Analysis Report on Ukraine Power System Attacks

Comprehensive Analysis Report on Ukraine Power System Attacks 1 Event Overview December 23, 2015, the Ukrainian power sector suffered malware attacks. Ukrainian news media TSN reported on the 24th: “At least three power regions were attacked, leading to hours of blackou……

FIRST BITCOIN RANSOMWARE WITH CHINESE PROMPTS “LOCKY”

First Bitcoin Ransomware with Chinese Prompts “Locky” Antiy CERT First Edition: 9:26, Feb. 18, 2016 Pub Date: 14:04, Feb. 19, 2016 Update: 14:04, Feb. 19, 2016 1 Introduction Antiy CERT found a new kind of ransomware named “Locky” that can encrypt more than 100……

2015 Network Security Retrospect and Prospect

2015 Network Security Retrospect and Prospect 2015 Antiy Annual Security Report Antiy CERT First Edition: 14:21, Dec 8, 2015 Pub Date: 09:00, Jan 7, 2016 Update: 17:30, Jan 7, 2016 Content Introduction The Layered APT Th……

A TROJAN THAT CAN MODIFY THE HARD DISK FIRMWARE ——A Discovery to the Attack Components of the EQUATION Group

A Trojan That Can Modify the Hard Disk Firmware ——A Discovery to the Attack Components of the EQUATION Group Antiy Labs Time of the first version: 10:00 a.m. March 5, 2015 The updated time of this version: 09:45 a.m. March 9, 2015 1. Background According to the emergency study, An……

An Analysis on the Principle of CVE-2015-8651

An Analysis on the Principle of CVE-2015-8651 Antiy PTA Team 0x00 Preface On December 28, 2015, Adobe issued a security announcement that they have repaired 19 vulnerabilities in one breath. The vulnerability CVE-2015-8651 submitted by Huawei security research department was mentioned in t……

AN ANALYSIS REPORT OF DDOS SAMPLE WITH THE DIGITAL SIGNATURE

An Analysis Report of DDoS Sample with the Digital Signature By Antiy PTA Team 1 Overview Recently, a malicious DDoS program with an expired signature has been detected by the Antiy PTA team through the situation awareness system. The digital signature of the sample is stolen from NHN USA I……

AN ANALYSIS ON TARGETED TROJAN ATTACK WITH “INTERVIEW” AS A SOCIAL ENGINEERING TOOL

An Analysis on Targeted Trojan Attack with “Interview” as a Social Engineering Tool By Antiy CERT First release: December 3, 2015, 10:21 Update: December 5, 2015, 5:21 1. Overview In the evening of December 2, 2015, Antiy earlier-warning monitor system perceived the……

AN ANALYSIS REPORT OF BLACKMAILER TROJAN SPREAD BY EMAILING JS SCRIPT

An Analysis Report of Blackmailer Trojan Spread by Emailing JS Script By Antiy PTA Group First draft: December 4, 2015, 11:11 1 Introduction A new blackmailer variant email with new transmission characters was captured by Antiy Threat Situational Awareness System on Decembe……

Analysis and Review of Xcode Unofficial Supply Chain Pollution Incident (XcodeGhost)

Analysis and Review of Xcode Unofficial Supply Chain Pollution Incident (XcodeGhost) AVL TEAM & ANTIY CERT First release time: Sep. 20, 2015, 22:00 Updating time: Sep. 30, 2015, 8:41 Abstract Xcode is the integrated development tool (IDE) running on Mac OS ……

A LARGE NUMBER OF SERVERS BY HFS ARE EXPLOITED TO SPREAD MALWARE

A Large Number of Servers by HFS Are Exploited to Spread Malware Antiy CERT First publish time: 17:00, Sep 15, 2015. Update time: 17:00, Sep 15, 2015. 1 Production Recently, the third generation Honeypot Wind-capture System of Antiy captured a downloader sample. After the s……

UNCOVERING THE FACE OF RANSOMWARE

UNCOVERING THE FACE OF RANSOMWARE ——Antiy CERT 1 Introduction Recently, with more and more security threats posed by ransomware, researchers from Antiy Labs have felt obliged to investigate them to uncover the face of ransomware. September 2013, SecureWorks, the threat response departmen……

Association Analysis on Some Group Mail Samples Using Social Engineering Techniques

Association Analysis on Some Group Mail Samples Using Social Engineering Techniques Antiy Labs First release time: 16:37, April 28, 2015 Update time of this version: 16:37, May 27, 2015 Contents 1 Background 2 Analysis of E-mail 2.1 Extraction of Metadata of the……

ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINA’S GOVERNMENT AGENCY

Analysis on APT-to-be Attack That Focusing on China’s Government Agency Antiy CERT First release time: 14:32, May 27, 2015 Updated time of this version: 14:32, May 27, 2015 Contents 1 Background 2 Analysis on incident sample 2.1 Leading files and……

COMPREHENSIVE ANALYSIS REPORT ON TROJAN/ANDROID.EMIAL.AS[RMT,PRV,EXP], “PHOTO ALBUM”

COMPREHENSIVE ANALYSIS REPORT ON TROJAN/ANDROID.EMIAL.AS[RMT,PRV,EXP], “PHOTO ALBUM” AVL Mobile Security Team of Antiy First Release Time: 15:02 May 15, 2015 Update Time of This Version: 21:13 May 15, 2015 Current Latest Version: V2.1 1 Overvie……

Analysis on the Encryption Techniques of EQUATION Components

First Edition: April 16, 2015 Second Update Version: April 18, 2015 Antiy analysis team has been analyzing “EQUATION” since February 2015. After the first article was published, the subsequent analysis did not make further progress or produce any highlights. Based on this situat……

Analysis on DDoS Attack Organization- “Chicken_mm”

ShadowHunter Team of Antiy Labs Abstract This article focuses on a cross-platform DDoS attack organization called “Chicken_mm” and gives an analysis. DDoS tools developed by this organization use SSH weak passwords and server vulnerabilities to control many Linux chickens……

Review of the Year of 2014, the Moment of Network Security

——The annual report of network security in 2014 Security Research and Emergency Response Center of Antiy Labs Contents 1 PROLOGUE 2 APT 3 SEVERE VULNERABILITIES 4 THE GENERALIZATION AND DISTRIBUTION OF SECURITY THREATS 5 DATA BREACH 6 MALWARE ON PC PLATFORM 7 THE STATISTICS OF MAL……

The Remote Execution Vulnerability of IIS Reoccurred: Watch out for the New Codered

Security Research and Emergency Response Center of Antiy Labs Release: 00:37, April 16, 2015 Latest version: 08:10, April 16, 2015 Introduction to the vulnerability Microsoft has patched several vulnerabilities in April 2015, which involved Windows, OFFICE, IE, IIS and so on. The amounts ……

A TROJAN THAT CAN MODIFY THE HARD DISK FIRMWARE ——A Discovery to the Attack Components of the EQUATION Group

A Trojan That Can Modify the Hard Disk Firmware_V1.3 ——A Discovery to the Attack Components of the EQUATION Group Antiy Labs Time of the first version: 10:00 a.m. March 5, 2015 The updated time of this version: 09:45 a.m. March 9, 2015

A COMPREHENSIVE ANALYSIS REPORT ON SANDWORM-RELATED THREATS (CVE-2014-4114)_V0.7——and Analysis on the Problem Detected by ShadowBox

A COMPREHENSIVE ANALYSIS REPORT ON SANDWORM-RELATED THREATS (CVE-2014-4114)_V0.7 ——and Analysis on the Problem Detected by ShadowBox Security Research and Emergency Response Center of Antiy Labs First Release Time: 21:40 Oct. 15, 2014 Update Time of This Version: 14:30 Oct. 24, 2014 ……

The Association Threat Evolution of Bash and The Current Status of Malware in UNIX-Like System_V1.7 ——Series Three of Bash Shellshock Analysis

The Association Threat Evolution of Bash and The Current Status of Malware in UNIX-Like System_V1.7 ——Series Three of Bash Shellshock Analysis Security Research and Emergency Response Center of Antiy Labs First Release Time: 10:00, October 9, 2014 Update Time of This Version: 17:10, October 14, 20……

The Analysis Report About Relevant Malware Samples of Shellshock _V1.9 ——Series Two of Bash Shellshock

The Analysis Report About Relevant Malware Samples of Shellshock _V1.9 ——Series Two of Bash Shellshock Security Research and Emergency Response Center of Antiy Labs First Release Time: 17:00, September 29, 2014 Update Time of This Version: 9:30, October 19, 2014 Contents 1 Outli……

A Comprehensive Analysis on Bash Shellshock (CVE-2014-6271)_V1.53 ——Series One of Bash Shellshock Analysis

A Comprehensive Analysis on Bash Shellshock (CVE-2014-6271)_V1.53 ——Series One of Bash Shellshock Analysis Security Research and Emergency Response Center of Antiy Labs First Release Time: 10:00, September 25, 2014 Update Time of This Version: 11:20, October 13, 2014 ……

A Comprehensive Analysis on Bash Shellshock (CVE-2014-6271)

First Release Time: 10:00, September 25, 2014 Update Time: 13:20, September 29, 2014 On September 24, 2014, Bash was announced to have a remote code execution vulnerability; the Security Research and Emergency Response Center of Antiy Labs (Antiy CERT) determined according to the information at th……

AVL SDK for Mobile Has Won the Security Award from AV-TEST

The world’s top security software certification authority, AV-TEST, announced on 11th February local time in Germany the winners of the AV-TEST AWARD 2013, which includes 5 awards in mobile platforms and traditional Windows platforms. AVL SDK for Mobile by Antiy Labs has won the award of ……

A Hidden Way of Malware on Android

Background In Android operation system, APK is the ZIP format file that contains several normal files and executable files. In a normal APK file, the compressed root directory includes a DEX executable file named classes.dex, and it may contain a shared object file or several shared object files w……

Anti-Virtual Machine and Anti-Sandbox in Malware

With the development of APT confrontation technology, people often use virtualization technology to detect the unknown malware when analyzing. Some security vendors in RSA Conference also use this technology to analyze anti-APT; what’s more, the traditional antivirus vendors and Botnet Tracking Te……

Specification of Malicious URL

With the rapid development of internet in the recent years, malware is very prevalent and brings severe threats to users. Most kinds of malware depend on URL as transmission carrier to control or transmit in order to support themselves. Therefore, whether the URL is safe or not makes huge effects ……

The Latest APT Attack by Exploiting CVE2012-0158 Vulnerability

Format overflow vulnerabilities are often exploited by APT attacks. In this type of vulnerabilities, CVE2012-0158 is the most commonly used one in the past year. Generally, the carrier of such vulnerability is a Rich Text Format (RTF) file, the internal data of which is saved as a hexadecimal stri……

Challenge Caused by DLL Hijacking Malware against Active Defense Technology

Malware that takes advantage of DLL hijacking vulnerabilities, which appeared in 2000, has now begun to make further use of legitimately signed software to confront active defense. This method has become more and more popular. This kind of malware is usually made up of the following two parts: the no……

The Encoding Rules about Floating-point Instruction

Recently, we found that some samples call floating-point instructions when we extract OPCODEs from them. The existing disassembler has no support for the floating-point instructions, so the support needs to be added. However, we have some difficulties when classifying the floating-point instructio……

Analysis of Android Spyware

Being portable, intelligent terminals like mobile phones combine such private information as the user’s current location, contacts, and the communication record in one place. Based on this, some applications have developed the functions of tracking and information monitoring to satisf……

Analysis of a Sample Spread by New IE Zero-day (CVE-2012-4969)

On September 17, 2012, the security researcher Eric Romang published an article, Zero-Day Season Is Really Not Over Yet [1], at his blog, which reveals a new kind of IE zero-day vulnerability. This vulnerability has become the top topic and Microsoft has published the patch for it [2]. Antiy CERT a……

Bitcoin Miner Malware

What is Bitcoin? Bitcoin [1] is a kind of digital currency generated by open source P2P software. It has the qualities of not being able to be frozen or traced, no tax payment and low transaction cost. It can also be redeemed at real cash value according to the current exchange rate as sho……

The Protection Mechanism and Removal Strategy of SMSZombie

Introduction In recent days, many security vendors like TrustGo and Symantec have tracked and analyzed this malware. More attention is paid to its malicious behaviors (see references). The malware lures a user to install it by pornographic pictures or wallpaper ap……

Analysis on the Flame

It is the first time that we are faced with such a situation: our research team has been analyzing Flame worm for almost one month and we plan to continue. When Stuxnet broke out, we attempted to carry out long-term analysis, but due to certain limits, we stopped the analysis after 10 days. After ……

Analysis of Android Trojan Gapp

The analysis report of the Gapp trojan can be downloaded from here.

Comprehensive Analysis of the Carrier IQ’s Products

Background Recently, Android developer Trevor Eckhart found Carrier IQ software could gather user privacy information. This software is pre-installed into phones by Carrier IQ and its wireless carriers. Carrier IQ officially claims: “Carrier IQ is the leading provider of Mobile Service intelligenc……

34 Repackaged Android Applications are Found in Official Market

On May 30, software with embedded malware appeared on the official Android market. On June 2, according to statistics from multiple parties, there were 34 infected applications uploaded via 6 developer accounts (see the Appendix). It was reported that 30,000 to 120,000 users had downloaded the sof……

Vulnerabilities Found in Industrial Control Systems from Different Vendors

According to an alert published by US-CERT’s control system security team, 36 remote attack vulnerabilities were found this week. Several SCADA products of Siemens, Iconics, 7-Technologies and RealFlex Technologies, as well as human-computer interaction products of BroadWin are affected. Currently……

Temporary Solution for Adobe Zero-day Vulnerability (CVE-2011-0609)

On March 16, 2011, Antiy CERT intercepted a malware sample targeting a vulnerability in Adobe products. Antiy engineers have confirmed that the vulnerability has been widely exploited. Attackers can send an Excel (.xls) document with an embedded Flash (.swf) file as an attachment. If users open th……

Analysis of Android Trojan Adrd

The trojan ADRD (aka HongTouTou), spreading through a number of forums and downloads, has been embedded into more than 10 legal applications. It can open several system services. It can also upload infected cell phone’s information (IMEI, IMSI, and version) to the control server every 6 hours and ……

Report on the Worm Stuxnet Attack

Recently, numerous news media have reported incidents involving the Stuxnet worm. Described as a “super weapon” and “Pandora’s Box”, it has attacked the SIMATIC WinCC SCADA system of Siemens. The Stuxnet worm erupted in July this year. It utilizes at least four vulnerabilities of the Microsoft operating system, in……