Modern Malware intelligence


More people pay attention on cyber security world this year, the tremendously cyber security incidents  known as ATM thieves,  NSA scandal, IoT DDOS & recently WannaCry ransomware cyber security incident. Since more and I forgot. But those incidents have common criteria. The culprits of the infection techniques are given by malware technology.


Before the term malware was introduced by Yisrael Radai in 1990, malicious software was referred to as computer viruses. A conceptual idea categories Malware to the following elements such as trojan horses, worms, spyware, RootKit and Botnet. For more details, please refer to below diagram for references.


How modern technique fight against malware:

Preventive control mechanism

Address Space Layout Randomization (ASLR):

This feature randomizes how and where important data is stored in memory, making it more likely that attacks that try to write directly to system memory will fail because the malware can’t find the specific location it need.

Data Execution Prevention (DEP):

This feature substantially reduces the range of memory that code can run in.

How malware break the ice

Evasion technique against Sandbox

Evasion technique 1:

To avoid Sandbox detection –  Refresh the malware body (executable file) frequently (Checksum – hash) such a way benefits avoid signature-based antivirus software detection.

Evasion technique 2:

Malware can search through physical memory for the strings, new generation of malware commonly used to detect memory artifacts. For instance by default, Metasploitable’s network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network (This is the vulnerability of metasploit , they fixed already). Malware contains intelligence detect sandbox status.  No activities will be taken once sandbox has been detected.

Evasion technique 3:

Sandbox might uses a pipe \\\\.\\pipe\\cuckoo for the communication between the host system and the guest system. A malware can request the file to detect the virtual environment.

Evasion technique 4:

Since open source applications are popular in IT world. And therefore a lot of security analysis will built their own sandbox. The cuckoo sandbox deployment covered certain amount of percentage. Meanwhile malware enhance their intelligence. They can detect the cuckoo agent. Cuckoo uses a python agent to interact with the host guest. By listing the process and finding python.exe or pythonw.exe or by looking for an in the system, a malware can detect Cuckoo.

Evasion technique 5:

Most of the modern workstation  has installed at least 4GB or more memory. Malware developer setup the intelligence that machines with less memory size may become a sandbox setup.

Evasion technique against Virtual machine environment
Red Pill

Red Pill is a technique to detect the presence of a virtual machine. The code display below can be used to detect whether the code is executed under a VMM or under a real environment.

Red Pill developed by Joanna Rutkowska

Swallowing the Red Pill is more or less equivalent to the following code (returns non zero when in Matrix):

     int swallow_redpill () {
unsigned char m[2+4], rpill[] = “\x0f\x01\x0d\x00\x00\x00\x00\xc3”;
*((unsigned*)&rpill[3]) = (unsigned)m;
return (m[5]>0xd0) ? 1 : 0;

Remark: SIDT instruction (encoded as 0F010D[addr]) can be executed in non privileged mode (ring3) but it returns the contents of the sensitive register, used internally by operating system.

Theory: The virtual machine monitor must relocate the guest’s IDTR to avoid conflict with the host’s IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned. Thereby the process gets the relocated address of IDT table. It was observed that on VMWare, the relocated address of IDT is at address 0xffXXXXXX, while on Virtual PC it is 0xe8XXXXXX.

No Pill (Store Global Descriptor Table-SGDT & Store Local Descriptor Table-SLDT)

The sgdt and sldt instruction technique for VMware detection is commonly known as No Pill. The No Pill technique relies on the fact that the LDT structure is assigned to a processor not an Operating System. The LDT location on a host machine result zero. While a virtual machine result non-zero.

Evasion technique: Especially POS system

Malware use a smart way to evade of sandbox. The method is use hash to replace API program name, uses a table of hash values to ignore certain processes from being parsed by sandbox.

Intangible of attack benefits evasion of sandbox detection

We alert ourself that malware most likely using below methods to avoid sanbox antivirus or sandbox detection.

  • Hide the code which may be recognized as malicious. This is generally done using encryption.
  • Code the decryption stub in such a way it is not detected as a virus nor bypassed by emulation/sandboxing.

However we known that there are intangible of attacks on internet. Such work style of attack benefits for malware avoid the sandbox detection.

PE inject:

PE injection looks more powerful than classic code injection technique. Whereas it does not require any shell coding knowledge. The malicious code can be written in regular C++ and relies on well documented Windows System and Runtime API. Compared to DLL injection the main asset of PE injection is that you don’t need several files, the custom malicious code self inject inside another normal process and therefore it might possibilities to bypass detection.

Example for reference:

Hacker compromise a web site and lure the visitor visit the web page. During the visit an message alert the visitor that in order to display correct content, they need to download the font. From technical point of view, antivirus might detect the malicious once download if it is a known virus. Otherwise the malware can execute the following actions:

Socket creation and network access
Access to filesystem
Create threads
Access to system libraries
Access to common runtime libraries

How does malware complete the job?

Calculate the amount of memory (need to allocate)
  1. /* Get image of current process module memory*/
  2. module = GetModuleHandle(NULL);
  3. /* Get module PE headers */
  4. PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)((LPBYTE)module + ((PIMAGE_DOS_HEADER)module)->e_lfanew);
  5. /* Get the size of the code we want to inject */
  6. DWORD moduleSize = headers->OptionalHeader.SizeOfImage;
Calculate the new addresses to set in the distant process
  1. /* delta is offset of allocated memory in target process */
  2. delta = (DWORD_PTR)((LPBYTE)distantModuleMemorySpace – headers->OptionalHeader.ImageBase);
  3. /* olddelta is offset of image in current process */
  4. olddelta = (DWORD_PTR)((LPBYTE)module – headers->OptionalHeader.ImageBase);
The relocation data directory is an array of relocation blocks which are declared as IMAGE_BASE_RELOCATION structures.
  1. typedef struct _IMAGE_BASE_RELOCATION {
  2. ULONG VirtualAddress;
  3. ULONG SizeOfBlock;
Relocation data directory

Relocation Block 1                                        | Relocation Block 2
VAddr|SizeofBlock|desc1|desc2|desc3| VAddr|SizeofBlock|desc1|…
32b      32b                16b       16b      16b     |

Relocation descriptors in all relocation blocks, and for each descriptor, modify the pointed address to adapt it to the new base address in the distant process
  1. /* Copy module image in temporary buffer */
  2. RtlCopyMemory(tmpBuffer, module, moduleSize);
  3. /* Get data of .reloc section */
  4. PIMAGE_DATA_DIRECTORY datadir = &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
  5. /* Point to first relocation block copied in temporary buffer */
  6. PIMAGE_BASE_RELOCATION reloc = (PIMAGE_BASE_RELOCATION)(tmpBuffer + datadir->VirtualAddress);
  7. /* Browse all relocation blocks */
  8. while(reloc->VirtualAddress !=0)
  9. {
  10. /* We check if the current block contains relocation descriptors, if not we skip to the next block */
  11. if(reloc->SizeOfBlock >=sizeof(IMAGE_BASE_RELOCATION))
  12. {
  13. /* We count the number of relocation descriptors */
  14. DWORD relocDescNb = (reloc->SizeOfBlock – sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
  15. /* relocDescList is a pointer to first relocation descriptor */
  16. LPWORD relocDescList = (LPWORD)((LPBYTE)reloc + sizeof(IMAGE_BASE_RELOCATION));
  17. /* For each descriptor */
  18. for(i =0; i < relocDescNb; i++)
  19. {
  20. if(relocDescList[i]>0)
  21. {
  22. /* Locate data that must be reallocated in buffer (data being an address we use pointer of pointer) */
  23. /* reloc->VirtualAddress + (0x0FFF & (list[i])) -> add botom 12 bit to block virtual address */
  24. DWORD_PTR *p = (DWORD_PTR *)(tmpBuffer + (reloc->VirtualAddress + (0x0FFF & (relocDescList[i]))));
  25. /* Change the offset to adapt to injected module base address */
  26. *p -= olddelta;
  27. *p += delta;
  28. }
  29. }
  30. }
  31. /* Set reloc pointer to the next relocation block */
  32. reloc = (PIMAGE_BASE_RELOCATION)((LPBYTE)reloc + reloc->SizeOfBlock);
  33. }

Once the code is injected, hacker can attempt to call its functions.

Overall comment on above matter:

Above details only provide an idea to reader know your current situation in Cyber World.  There are more advanced hacking technique involved.  The motivation driven myself to do this quick research. My goals is going to let’s IT users know more in this regard.


Coming soon!
How does the advanced technology fight with Dark Power

Advanced technology against Dark Power










How to rescue yourself on this month. SMB flaw, apply to all windows platform


By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys

Blocking outbound SMB connections – TCP ports 139 and 445 along with UDP ports 137 and 138 – from the local network to the wide area network…..said US CERT

Reminder: Mrxsmb20.sys driver handles SMB 2.0 and SMB 3.0 traffic.

Windows OS design objective: In Windows 8, the SMB 3.0 protocol is supported. The Mrxsmb10.sys driver handles legacy SMB traffic, and the Mrxsmb20.sys driver handles SMB 2.0 and SMB 3.0 traffic.

Phenomenon: We have confirmed that without apply the patch on May those Windows 10 , Windows 8.1 client systems as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2 are all encountered SMB vulnerability. In the sense that it is vulnerable.

Current Situation 1: If you are windows OS home user (all windows OS platform), be aware and confirm apply below hot-fix to your home workstation.

Current Situation 2:If you are IT guy maintained whole bunch of MS windows server. You are the technical expert and believed that the hotfix you apply already. But I would like to bring your attention of on server SMB registry.

What’s the reason to point out the SMB registry. It is a quick way to isolate the problem once you suspect that you file server may encounter malicious attack. As a matter of fact, registry check is one of the fast path know what is happen in malware movement.

Regarding to the subject matter, our objective is going to discuss how to rescue yourself this month due to SMB flaw, right? I written an techincal article yesterday mainly highlight the SMB flaw. For more details, please find below url for reference.

Does SMB mess up the world? But he is sick always! …Wanacrypt0r, SMB worm,…etc

Any information update will keep posted. Thank you for your kind attention.

Does SMB mess up the world? But he is sick always! …Wanacrypt0r, SMB worm,…etc


Ransomware (#wanacrypt0r #wannacry #ransomware #wcry) outbreak since last Friday 12th May 2017 till this week. Believed that no room discuss here since you are easy to get the information update on internet. However SMB is our discussion topic today. As we know SMB ver 1 is the culprits of Wanacrypt. The side effect looks only affected outdated windows OS (2003,XP,Me and Vista) or recently end of support product (Windows 2008 instead of 2008 R2)! In the meantime, do you have issue to worry like myself on SMB version 2 and version 3?

SMB critical flaw historical background:

Vulnerability in Microsoft Windows SMB2 -_Smb2ValidateProviderCallback()  flaw found 2009.

An attacker could exploit this flaw to disable the remote host or to execute arbitrary code on it.
Solution: As a workaround, you can disable SMB2 by editing the registry.Under the hive HKLM\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters

Create the key ‘Smb2’ (of type REG_DWORD) and set it to ‘0’

On August 11, 2015 Microsoft released  SMB Server fix on SMB (MS15-083 – Microsoft Windows SMB Memory Corruption Vulnerability). An authenticated remote code execution vulnerability exists in Windows that is caused when Server Message Block (SMB) improperly handles certain logging activities, resulting in memory corruption. A successful exploit could corrupt memory in such a way as to allow the attacker to execute arbitrary code. A successful exploit could result in a complete system compromise.

SMB architecture

The structure of the header is as follows:

   UCHAR  Protocol[4];
   UCHAR  Command;
   SMB_ERROR Status;
   UCHAR  Flags;
   USHORT Flags2;
   UCHAR  SecurityFeatures[8];
   USHORT Reserved;


Why SMB always encounter vulnerabilities? Why old version of SMB need to stay on windows OS?

NSA surveillance  tool kit named EternalBlue exploits a vulnerability on SMB. From my personal point of view, not surprise! Since no operation systems are prefect, right! But the earliest time SMB encountered flaw was back time to 2009. A flaw was found on Microsoft SRV.SYS Driver. The symptom exploit that a Remote Code Execution vulnerability in Microsoft SMB Servers (WriteAndX Invalid DataOffset).

Remark: Srv.sys is a Windows driver. A driver is a small software program that allows your computer to communicate with hardware or connected devices. This means that a driver has direct access to the internals of the operating system, hardware etc (see below picture for reference). Microsoft suggest that Srv.sys should be set to start on demand since it is only communicate with old fashion client such as windows XP.

Command: sc config srv start=demand

Regarding to security vendor Rapid 7 findings on 2009, Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table exploits an out of bounds function table dereference in the SMB.

Looks irritating, we are not going to post all the flaws. But I am interested that is there something get wrong from fundamental design causes such non stop vulnerability. As far as I know, all SMB family are easy to causes vulnerable. Even though SMB3! An official announcement by Microsoft highlight that transferring files by using SMB2 or SMB3 causes memory leak on a windows computer (see below url for reference). And then Microsoft issued a hotfix held on 2017.

Our Observation:

Take the latest reference as an example. See how the weakness of SMB. Yes, it is not a SMB2 or 3.  Since SMB2 and SMB3 obtain their own design weakness on memory validation (see above description). OK, Let’s go. We start the journey.

Equation Group’s (NSA) wake up all the IT guys, attacker can easy initiate a Ring 0 attack relies on SMB. They  took below action:

  1. Determine x86 or x64
  2. Confirm and locate the IDT(Interrupt Descriptor Table) from the KPCR( (Kernel) Processor Control Region).
  3. Viewing Physical Memory Addresses in OllyDbg, Traverse backward from memory address. That means from end return to 1st interrupt handler to find ntoskrnl.exe base address.
  • If the beginning of the file does not begin with “MZ” or “ZM”, it is not an DOS or Windows executable image. Otherwise you may have one of the following types of executable formats: plain DOS, NE (Windows 16-bit), LE (16-bit VXD), PE32, or PE32+ (PE64).
  • Determine if you have a plain DOS executable by looking at the e_lfanew value. A plain DOS executable will have an out-of-range e_lfanew pointing outside of the limits of the file, a zero, or if the offset happens to be in range, the signature at its offset won’t match any signatures below.
  • Try to match the signature of the “in-range” offset pointed to by e_lfanew with the following WORD or DWORD values:
    "PE" followed by two zero bytes if the image is a PE32 or PE32+ (PE64) and is further determined by the "magic" in the NT Optional Header
    "NE" indicates the image is a 16-bit Windows executable
    "LE" indicates the image is a 16-bit Virtual Device Driver (VXD)

5. Reads ntoskrnl.exe’s exports directory, and uses hashes to find ExAllocPool/ExFreePool/ZwQuerySystemInformation functions.

Remark: If you would like to call ZwQuerySystemInformation, a parameter need attach with the command. You must input buffer as size of SYSTEM_PROCESS_INFORMATION. And then checking the return value and return requied size. If the return is not success, you must make the second call with input buffer of requied size (i.e.size return from the first call).

6. Calls ZwQuerySystemInformation with the SystemQueryModuleInformation argument, which loads a list of all drivers. It uses this to locate Srv.sys, an SMB driver.

7. Switches the SrvTransactionNotImplemented() function pointer located at SrvTransaction2DispatchTable[14] to its own hook function.

Remark: Npp buffer + 0x100 directly written before the leak out of the function table

Above scenario happen SMB or SMB v1 only.  But when we know SMB2 and SMB3 also found vulnerability on memory side.  My research is on the way, my friend I will keep you posted if there is anything updating.

Security Alert ! Trap of wannacry – status update on 29th May 2017

Is it anti-tradition? IT folks, do you white list ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Expert was told, the strange design of Wannacry will stop spread the ransomware to known subnet once he can get in touch with his C&C server. But do you think this is a trap? I speculated that ramsomware intend to create this trap fool the guy who think this is a solution and then can easy go to their internal network in 2nd phase. So the better idea is that do not input this domain into your whitelist. Cheers!

Information update on 18th May 2017

Recently Wana Decrypt0r 2.0 C&C server:

  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Wana Decrypt0r 2.0 modify the Windows Registry Editor and target the following sub-keys:

HKCU\Control Panel\Desktop\Wallpaper

Encryption algorithms:

  • AES (Advanced Encryption Standard) 128 –  cannot be decrypted the file until you receive the FEK (File Encryption Key). This key may be the only method to decrypt the files .

Structure of an Encrypted File

Rivers-Shamir-Adleman or RSA – Wanncry design objective intent to generate unique public and private keys for each of the files. This makes the decryption of each file separate and very difficult and unique process.


Attention: If no data backup on hand, it is hard to say pay the ransom is the solution. Since WanaCrypt0r .WNCRY contained extreme destroy concept and enforce to delete the shadow volume copies and eradicate all chances of reverting your files via backup on the infected computer (see below destroy scenario command syntax). The security concern is that it is hard to guarantee that it is virus free after hard disk encrypt on victim machine. As a matter of fact, WannCry via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware. No evident to proof that WannCrypt0r will remove his footprint after victim pay the ransom and therefore victim machine still vulnerable until execute a low level format of the hard disk and reinstall all the application. But it is hard to tell at this moment. Therefore it must be handle the data carefully after you pay the ransom.

The extreme destroy command syntax are shown as below:

  1. vssadmin delete shadows /all /quiet2.
  2. wmic shadowcopy delete

Remark: At user level below command can do in the following step: Go to Start Menu-All Programs-Accessories,then right-click Command Prompt and select Run As Administrator,because Administrative privileges are required to use BCDEdit to modify BCD

3. bcdedit /set boostatuspolicy ignoreallfailures
4. bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Hints and Resolution found on 19th May 2017

Hints that Windows 7, XP, Windows 2003 (x86 confirmed), Vista and 2008 and 2008 R2 instead of Windows 10 . The OS itself  keeps a copy of the two prime numbers that it provided to WannaCry in memory.  Those primes can be recovered. It is possible to relies on this feature to compute the encryption key and then used to decrypt all encrypted data. A tool make use of above criteria and might have way to decrypt your data. For more details, please refer to below url for reference.

If above hints can’t help and you would like to keep the encrypted data. You can do the following.

Backup all your files (00000000.eky and remaining files). May be in future, there is new resolution which provide the key decrypt your data.

Part 3 : Blockchain technology – Trend benefits finance and crime


Take on public transportation today (11th May 2017), the headline news display on advertisement screen guide me start the discussion on block chain technology again.  It looks a realistic situation intend to boots up block chain technology growth. Let’s take a quick seen!

As of 6 February 2016, there are 15.2 million bitcoins circulation of a capped total of 21 million.

Bitcoins current status: As of today 11th May 2017
  • Total volume: 1800 Billion of dollars
  • 4 days exchange volume equal to 30 Billion of dollars

Block chain space Radical changes on 2017

In 2017 Microsoft announced their participation in the newly formed Enterprise Ethereum Alliance. Joining them are also companies such as Intel, J.P. Morgan, BNY Mellon, BP, ING, Thomson Reuters and blockchain startups. In general, my idea on key word “Ethereum” only focus on security incident. Sounds like that I am not suggest anyone to create Ethereum to let hackers get away your money.

Quote:  “In general, the Ethereum community is on board with the notion that we do not have to do things exactly the way that things are done in other crypto communities,”  -shortcut from Bloomberg Business week.

As a matter of fact, new technology has technical limitation not the 1st day we heard, but it has the mature model finally, right?  So I am not keen to my stubborn to say not suggest to use. Perhaps a positive discussion might provide more positive idea in this regard.

High Level understand of Ethereum

Ethereum is an open-source, public, blockchain-based distributed computing platform featuring smart contract (scripting) functionality.

Platform‎: ‎x86, ARM

Initial release‎: ‎30 July 2015

Written in‎: ‎C++‎, ‎Go‎, ‎Rust

Operating system‎: ‎Clients available for Linux, ‎Windows‎, ‎macOS‎, ‎POSIX‎, ‎Raspbian

Technical weakness on security viewpoint

Programming language: C++

Security problems with C and C++ programs is hard to avoid the following issue:

  • buffer overflow attack
  • Integer problems in C/C++
  • File I/O risks
  • Temporary files / a C++ TOCTOU vulnerability
  • Unicode bug‎

Programming language: Go

How are blockchain application developed by “GO”. What is “Go”? “Go” is a free and open source created at Google in 2007 by Robert Griesemer, Rob Pike, and Ken Thompson . Like other programming language, this programming language contain their design limitation. The vulnerability found this year was shown that the “Go” SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.

Programming language: Rust

Rust is a general purpose programming language sponsored by Mozilla Research. It is designed to be a “safe, concurrent, practical language”, supporting functional and imperative-procedural paradigms. Rust is syntactically similar to C++, but is designed for better memory safety while maintaining performance. Rust only panics from integer overflow when in debug mode. So it looks that this programming languages suitable for developers build block chain system application.

Remark: Developer Analyst firm Redmonk charted Rust’s move on the Github rankings from 46 to 18.

Modern cyber technology crisis

Ransomware attack is the 1st priority of concern:

Ransomware (Wannacry) attack hits 99 countries with UK hospitals among targets yesterday. As we know the specifics attack are leveraging a Windows exploit harvested from the NSA called EternalBlue ( –  the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server). As a result it trigger the one to many attacks within the internal network.  Since it relies on SMB so it spread out in extremely fast way. We are not going to discuss this incident today.

The reflections of this incident let us know the design weakness can kill the system within 1 minutes and broadcast the attack to neighbor.  Be reminded that even though block chain or Ethereum technology network are built by group. It is a star topology network. A benefits for system and network resilience. However it increase the inherent risk.

Peer-to-peer communications between nodes running Ethereum clients run using the underlying ÐΞVp2p Wire Protocol. It is very secure. However if a trust client being compromised. From techincal point of view, hacker will more easy to infiltrate into it. Besides, the objective of ransomware  target  for ransom (money).  If the victim workstation (Ethereum client) or mobile phone (Ethereum client) was compromised by ransom (whole hard drive encrypted). A  high possibility to pay for the ransom otherwise he will lost more money.


As said, Ethereum deploy a high standard of secure protocol ( ÐΞVp2p Wire Protocol). However you can drill down in different area see whether can find out the design limitation.  For instance a well known vulnerability. A Java Debug Wire Protocol remote code execution. The problem was that JDWP ( Java Debug Wire Protocol) is one layer within the Java Platform Debugger Architecture (JPDA). JDWP does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server. Any impact here!

But my concern is on fast synchronization process. In the mean time I am still analysis what is the possibility to fool the remote peer on GetNodeData step. For more detail, please refer below specification.

Fast synchronization (PV63) specification:

GetNodeData [+0x0d, hash_0: B_32, hash_1: B_32, …] Require peer to return a NodeData message. Hint that useful values in it are those which correspond to given hashes.

NodeData [+0x0e, value_0: B, value_1: B, …] Provide a set of values which correspond to previously asked node data hashes from GetNodeData. Does not need to contain all; best effort is fine. If it contains none, then has no information for previous GetNodeData hashes.

GetReceipts [+0x0f, hash_0: B_32, hash_1: B_32, …] Require peer to return a Receipts message. Hint that useful values in it are those which correspond to blocks of the given hashes.

Receipts [+0x10, [receipt_0, receipt_1], …] Provide a set of receipts which correspond to previously asked in GetReceipts.


Our discussion stop here today. I will provide more update in this regard. Thank you.


Part 2:Blockchain technology situation – Malware join to bitcoin mining

Part 2:Blockchain technology situation – Malware join to bitcoin mining

Part 1:Blockchain technology situation – A Tales of Two Cities


Who spying on me? Da Vinci or Archimedes?


Archimedes’ principle is a law of physics fundamental to fluid mechanics.

Leonardo Da vinci  is widely considered one of the most diversely talented individuals ever to have lived.

Since they are the famous scientists. They dedicate their inventions to the world. But we known the infamous tools in cyber world for the government surveillance program. The most famous eavesdropping feature type of malware. Those surveillance tools make use of similar naming convention. From general point of view, it looks that it is not respect of these two great scientists!

About  Da vinci  Spy tools

A powerful spy software developed by Italian hack team, the tool benefits to track a person’s calls and other communications in real-time.  This tools only sell to law enforcement or government agent. Italian Hacking Team was hacked by other hacker group on 2015. More than 400GB of data, including source code, internal documents and emails that could reveal the identity of customers display on embedded torrent file share link. A rumors were told that Italian hack team blamed their customer unethical collect their technology and hack them.

About Archimedes tool

We all known tool used by the CIA named “Archimedes”  open to the world through WikiLeaks on 5th May 2017. Archimedes developed by CIA engineering development Group. The project code so called UMBRAGE project.  It is a interested project code name. The definition of Umbrage means offense; annoyance; displeasure: to feel umbrage at a social snub; to give umbrage to someone; to take umbrage at someone’s rudeness.


 Da vinci  Spy tool

Da vinci spy tool relies on JAR (Java ARchive) , Microsoft Office and Adobe Flash Player design limitation as a infection media to fulfill their remote control system (RCS) criteria (see below). A more advance technique of tool easy to fool the cyber defense mechanism since this is a unknown attack (zero day) and therefore it will be more easily to spread out the spyware fulfill their objective.

1. Self-signed JAR
2. CVE-2012-4167: Integer overflow in Adobe Flash Player
3. CVE-2010-3333: Stack-based buffer overflow in Microsoft Office
4. CVE-2012-5054: Integer overflow in the copyRawDataTo method in the Matrix3D class in Adobe Flash Player
5. CVE-2012-1682: Unspecified vulnerability in the Java Runtime Environment (JRE)
6. CVE-2013-0633: Buffer overflow in Adobe Flash Player


Archimedes is an update to Fulcrum 0.6.1. The design objective of Fulcrum. Fulcrum will direct a target machine’s HTTP client traffic to the URL of the attacker’s choice. The technique involves ARP Spoofing to Get In the Middle and HTTP Traffic Injection. The simple conceptual idea shown in below picture.

Archimedes (Fulcrum 0.6.2) focus windows OS with high flexibility. The attacker can execute Fulcrum as an EXE with Compiled Parameters. In order to avoid anti-virus program protection .The remote attacker can run as DLL with rundll32.exe with CommandLine Parameters. The tool itself is not sophisticated. Attacker can easy to get rid following files (f32.exe,f32.dll,fs32.exe,fs32.dll,f.cfg and f.log). The normal computer user do not know what is happen.

Capability and Flexibility

Da vinci  Spy tool:

Capability: small footprint,  unknown vulnerability (zero day)

Flexibility: Antivirus program not easy to detect until vulnerabilities found by vendor

Archimedes :

Capability: small footprint,  similar normal application program service daemon

Flexibility: Antivirus program not easy to detect until vulnerabilities found by vendor


Both spy tools (Da vinci  &  Archimedes (Fulcrum 0.6.2))are using inline hooking technique (see below).

However Archimedes (Fulcrum 0.6.2) looks develop infiltration technique from layer 2. For instance ARP cache poisoning.  Both spy tools entry point (infiltration) looks have differences! Da vinci more focus on layer 7 (application) and Archimedes run on layer 2. Seems it is hard to proof the integrity of the rumors (Italian hack team blamed their customer unethical collect their technology and hack them). But it is not the absolute answer. Let’s keep our eye open on wiki-leaks to know more!




Proof of idea! Who bear unredressed injustice APT activities in 2013.

Wiki released confidential document on 28th April, 2017, the details is exposed how government enforcement agency (CIA) counterfeit Russian and Chinese cyber activities. We receive the basic understanding of the Scribbles . To be honest, it is common that when government agency take the criminal action. However of this confidential information exposed. My reflections drive me to review my former written articles on other discussion forum during 16th April 2016. I was question that engage the investigation on Advanced Persistence threat (APT) might mislead the direction of the result. Their mechanism contains many shadow nodes. The shadow nodes located in different areas and countries. It can take this advantage and convert as political tool. The overall idea to me on this issue, I can do a scenario replay to assembly the story. Since this is only my speculation and imagination. As a matter of fact, it looks with high possibility. If you are interest, please go ahead to read more.

The story given out from my memories, it is talking about 4 years ago. The senior person (owner) of a consulting company email account was hacked. The security guru found that there is a Advanced Persistence threat (APT) activities given by China. A rumours were told that the people who found this so called Advanced Persistence threat (APT) is the anonymous group. This powerful under ground group found out this incident and intend to provides hints and finger print let the security consultant found out the truth. My personal opinion is that such incident might contained some shadow node. Also it is easy to counterfeit the attack. Today it looks that the secret information exposed by Wiki leak provides more possible factors. At the same time it make people queries the result in 2013. At least I am the one who question this result. Below is my speculation how CIA counterfeit the cyber activities let the APAC countries especially China bare unredressed injustice causes.

Latest WikiLeaks release shows how the CIA uses computer code to hide the origins of its hacking attacks and ‘disguise them as Russian or Chinese activity’

Recap my discussion details on 16th April 2016

An unauthorized person gains access to a network and stays there undetected for a long period of time. Cyber security terminology so called APT attack. APT style attack confused security experts. Their mechanism contains many shadow nodes. The shadow nodes located in different areas and countries. It can take this advantage and convert as political tool. It is a sword. Careerist can blame another country that they are dishonest using internet. Who’s cast a unrighted wrong, believed that attached diagram can provide an idea to you in this regard.