I am a white hat fellow who deals with malware construction techniques. Most of the time, I use them in my trainings in malware analysis and various offensive fields.

I am compiling my work in the form of a book, which will cover a wide range of techniques, their analysis, detection and countermeasures.

Ask me anything.

My Proof: http://adhokshajmishraonline.in/2015/12/hosting-a-reddit-ama/

EDIT: It is midnight here, and I have an exam tomorrow morning. Keep posting questions, I will respond after coming back from the exam.

EDIT2: Exam over, and I am back here.

Comments: 273 • Responses: 87

InTupacWeTrust27 karma

Is there such a thing as a good firewall and antivirus combo?

rdrand34 karma

Comodo firewall works pretty well. For antivirus, Avira, Avast, BitDefender etc. are there. Check their rankings online. Generally their home edition works well. Even free versions are good for decent enough security.

shaqule_brk18 karma

What do you say to people that address anti-virus software as snake oil?

rdrand30 karma

My standard reply: It is perfectly possible to not get infected while not using any AV, but in case you get infected by something that could have been detected and prevented by a half-decent AV, don't come to me.

Angoth10 karma

You covered the easy cases.

  • Not infected - not protected
  • Infected - caught and prevented
  • Infected - not protected

What about?

  • Infected - had AV

I think that's where the previous question was relevant.

DoctorPotatoe20 karma

The one way to stop this is for people to stop downloading great_big_folder_of_porn.rar.exe.

rdrand4 karma

This is where the witch hunt starts, depending upon the severity of the case. The result can be anywhere from "Meh, reinstall the whole thing" to "Whaddadeya, call the ERT right now".

PlNKERTON3 karma

I work in IT, and Malwarebytes has never failed me. It has even picked up things other software has failed to, like Norton and Sophos. What are your opinions about Malwarebytes?

rdrand8 karma

MalwareBytes is a very good software when it comes to detection. I get it installed everywhere I have been called.

fonetiklee25 karma

Common Sense 2015 is the best way to prevent infections

rdrand38 karma

Common sense is not so common.

Randomacts6 karma

Don't forget to upgrade to 2016

MenstruatingMuffin6 karma

For $855.55 we'll upgrade you to 2016S Pro Platinum Enterprise.

rdrand7 karma

How much for Home edition?

Majorparkinson19 karma

How does making malware benefit you? Do you make money from it?

rdrand29 karma

I don't sell malware. I use those techniques in my offensive trainings, and detection/prevention of those techniques in defensive trainings. Apart from trainings I have done audits, and hardening too.

Sometimes I wear a consultant hat too, mostly if there is some malware related case (incident response, for example).

Majorparkinson5 karma

oh okely dokely i misunderstood :P

Vooders33 karma

It's all about the hat colour.

  • White Hat: Ethical hacker/pen tester
  • Black Hat: Evil hacker, wants all your data
  • Grey hat: where's the money at?

totally_rocks14 karma

And red hat?

screen3172 karma

Fedora wearers

rdrand3 karma

Ball cap wearer here :D

nebuchadnezzarVI2 karma

From google research it looks like red hat is just linux. Don't know why they made their own hat.

rdrand3 karma

Because white/grey/black hats are too mainstream maybe?

rdrand3 karma

A lot of people misunderstand ;)

totally_rocks12 karma

I think part of the problem is your wording. I'm sure it's accurate, but to a layman, offensive training in malware techniques sounds like you're teaching people to fuck with my computer.

rdrand3 karma

True that. I have been asked whether I sell malware countless times.

Offensive techniques are more geared towards testing the security systems in place. Something like pentesting of AV and related stuff.

MisterInfalllible1 karma

Tell people you're a security researcher, maybe?

rdrand1 karma

When I am speaking from some public stage, I identify myself as an independent security researcher who is more interested in malware and cryptography.

But that does not help much: a bunch of attendees come to me asking for 0-day exploits, malware etc. to sell in the underground market.

Mostly I speak about offensive stuff, so people assume that I am constantly breaking into one thing or another.

Zeeshi789716 karma

What are your best methods for persistence and stealth in a windows based system?

rdrand15 karma

Rootkits. I have used Managed Code Rootkits for both of them. If something needs to be limited to usermode for whatever reason, it can be injected into some process, and then can be hidden by removing its entry from some queues. Obviously, the DLL cannot be kept on the hard disk, so we keep it encrypted, decrypt it in RAM and inject it directly from RAM.

There are many more methods to hide. Which methods will be used depends upon the exact case at hand.

Zeeshi78974 karma

But the detection ratio is almost obvious for the methods mentioned above; how would you suggest keeping an evasive manner for persistence? VBR is in the rumors; any insights on that?

rdrand4 karma

That depends upon how you perform injections. CreateRemoteThread will get flagged immediately. Perform the injections indirectly instead (using proxies, by hijacking etc.)

There is no hard and fast rule of evasion. You gotta try various methods, and see how it works out. Generally, scattering the techniques here and there helps (basically, make it a multi-piece malware so that no single piece is flagged on its own.)

KerbalDankProgram16 karma

What is the coolest malware technique you have ever seen?

rdrand29 karma

  1. Running mutation engine entirely on graphics card (independent of CPU), without CUDA or AMD APP support.

  2. Firmware level malware (http://www.tripwire.com/state-of-security/security-data-protection/backdoors-hardware-attacks-rakshasa-malware/)

  3. Hypervisors in rootkits (http://www.zdnet.com/article/blue-pill-the-first-effective-hypervisor-rootkit/)

i-am-qix1 karma

without CUDA or AMD APP support

Soooo... OpenCL?

rdrand2 karma

Not OpenCL. OpenGL shaders.

i-am-qix1 karma

Why use OpenGL shaders when OpenCL is available?

rdrand2 karma

Because OpenCL does not work on older hardware.

truckthunders13 karma

Ransomware scares the crap out of me.

What's the best course of action if one of those bastards pops up?

Is there a good defense?

rdrand7 karma

Always keep a recent working backup, and make sure your users have some common sense.

In some cases, when ransomware is using symmetric cryptography (encryption and decryption keys are the same), it is possible to recover data by grabbing the key from reverse engineering of the ransomware. Still, it is a serious pain in the ass, so having a backup, and recovering from it, is the best way to go.

Generally ransomware uses asymmetric crypto (something like RSA), and in this case you are out of luck. Backup is the only way.

BTW, DON'T pay ransom to those retards. It is never a good idea.

executivemonkey1 karma

How do people get infected by ransomware? Is it possible to get it even if you don't click on links in unexpected emails or run .exe files from dodgy sites?

rdrand3 karma

The same way people get infected by any other malware.

Not completely impossible, but you will be pretty much safe if you follow Common Sense of Internet 101.

Ischemia247 karma

Are there any effective steps we can take to prevent malware infection that most people aren't aware of? (Other than using common sense, don't click that suspicious thing and then click through warning prompts about it, etc)

rdrand9 karma

Malware infection can be avoided just by being careful, and following classical gyan (common sense, don't click that suspicious thing and then click through warning prompts about it, etc)

ervaibhav431 karma

do you speak hindi

rdrand3 karma

Yes I do.

ervaibhav431 karma

Did you learn it later, or is it because of your nationality? :P

rdrand5 karma

Hindi is my mother tongue.

ervaibhav431 karma

you wrote that you are giving exams ,may I ask which exam?

rdrand1 karma

BCA first semester. Signed up for a distance learning course, just for the sake of a damn degree.

RumandWork6 karma

How much of your consultant work in the business boils down to "Of course having a 3 letter password was a bad idea." Or similar?

rdrand15 karma

Around 30-45%.

Vitztlampaehecatl1 karma

Speaking of three letter passwords, is a 4-digit PIN reasonably secure? I wouldn't think it is, due to only having 9 characters to choose from compared to an alphanumeric pass.

rdrand3 karma

You should use a passphrase on the phone too. I guess almost all phones have the option to use a passphrase in place of a short PIN.

FSx96 karma

What books or learning material would you recommend for someone getting started in this field?

gamasenninsama1 karma

What IDA Pro alternative would you recommend for those who can't afford it?

And how about debuggers? I've been using immunity and Ollydbg so far.

rizzit156 karma

How does one get into this sort of field? (i.e white-hat hacking & malware development)

rdrand11 karma

By studying malware techniques from malware analysis books, and then deploying them in Proof of Concept malware. Knowledge of reverse engineering, assembly, C, C++ will be helpful. Also, one should learn about one's target platform in depth.

You can grab some malware samples, and try to analyze them. Learn how they work, and then try to replicate the behaviour. With time, a lot of things will become obvious, and you will be able to invent new malware techniques too.

If you can find some malware techniques related course, attend it. Most of the time they are restricted to corporate and gov people.

I too give malware related trainings. Let me know if you are interested.

msd19941 karma

Where did you learn reverse engineering? I took assembly in school, cs major, and would like to learn. I've done some basic things with ollydbg but nothing even remotely advanced. Any suggestion on where/how to start learning?

AlexanderS41 karma

I too give malware related trainings. Let me know if you are interested.

I'm interested, can you give me more details?

rdrand3 karma

Let us discuss in private message.

jpe776 karma

One of the reasons I use Ubuntu (and its flavors) is the reputation for safety from viruses and malware. Is that reputation deserved?

rdrand34 karma

They are safe from common malware just because LINUX is not mainstream in the desktop segment. It is perfectly possible, and not too difficult, to make malware for the LINUX platform.

Second thing, the average Windows user is dumber than the average LINUX user. The average Windows user will download and run freemoviedownloader.exe, but an average LINUX user won't (assuming it is a valid ELF binary and can be run).

Before someone gets offended on my second point, please note that this is my general observation. Everyone is different, and exceptions are everywhere.

timoto9 karma

Also you did say average, there are a lot of terrible users of windows - my dad freaked out over a banner ad that said his computer had 18 viruses, so he clicked on it, getting a virus. I don't think he even knows what Linux is - Linux 80% of the time is used by people who know how to use a computer safely, because there is a higher barrier of entry.

Windows users obviously still can be computer literate, it's just that all the terrible usage of computers brings their average down.

rdrand14 karma

I agree. Even my parents are like that. My dad has heard that there is something called LINUX. He once asked me why I use LINUX, because it is supposed to be used by scientists, and I am not a scientist. No idea where he got this information.

Hacking? Are you stealing money from banks, kid? That's what all hackers do, no?

On a serious note, barrier to entry definitely helps.

konaya8 karma

Silly question perhaps, but why do you keep putting Linux in all-caps?

rdrand3 karma

Out of habit. I don't even remember how and when I caught this habit.

konaya1 karma

Yeah, I wonder that too, because unlike UNIX it has never at any time in Linux's history been a correct way to type it.

Let's throw in a serious question too, then. If you were to look into making malware for Linux, what would be your first thoughts on possible vectors?

rdrand2 karma

Rootkits, infected loader, shared object hijacking (similar to DLL hijacking, but on Linux), maybe injecting shared objects etc etc.

In case you asked about vectors to get malware onto the target machine, it will be through some vulnerability which results in arbitrary code execution. Run a shellcode which downloads and plants the malware. Obviously, privilege escalation will also be required, so one more vulnerability for that.

punaisetpimpulat2 karma

That would have huge implications, since many Linux users have no tools for detecting an infection like that. Do you think they should?

rdrand1 karma

Right now, there is not that much malware for Linux, so having common sense, and being careful, is more than enough to remain safe.

I don't even know whether some AV exists for Linux or not.

punaisetpimpulat1 karma

Many Linux users never download binaries from websites. Repositories are the preferred source for software, because it's secure and convenient.

Now that iOS, Android and Windows 8+10 have introduced this app store/repository thinking to the mainstream, do you think it will reduce infections in the main population? Obviously some individuals will still download stupid stuff like ultimate_pron_collection.zip.exe, but I'm interested in the large masses who don't. They download their games and wallpapers from an app store, which should be malware free. Do you think this change will improve the security of most users?

rdrand1 karma

Malware authors will start pushing fraudulent apps in app stores. There already have been such cases on Google Play Store and Apple App Store (or whatever it is called).

But still, this will improve the security to some extent, because every submission is subject to security scrutiny before it gets published for public access. It is possible to avoid detection in scrutiny stage, but still it will prevent lame attempts.

mr-satan2 karma

There is plenty of malware for Linux based systems!

Vitztlampaehecatl2 karma

Yeah, but the simple things like banner ads saying "YOUR COMPUTER HAS ELEVEN VIRUSES, CLICK HERE TO FIX" aren't even gonna come close to fooling someone savvy enough to properly run Linux.

Also, Linux makes up much, much less of the OS market than Windows does, and you'd get a lot more effectiveness with a Windows virus than a Linux-only one.

rdrand1 karma

In server market, Linux dominates. But then those servers are hardened, and patched.

In server segment, malware is a lucrative idea to get some benefits.

cha0sss4 karma

I have been very knowledgeable in IT for close to 20 years, though I never finished college. Is it possible to get into that side of the industry with certifications alone? Such as the certified ethical hacker programs?

Did you watch Mr. Robot? If so, what were your thoughts?

rdrand5 karma

Wow mate, high five. I am just 23, and I too am a drop out. No certifications so far. All I have is some knowledge gained by self study, and some talks at conferences on related topics (most of them are related to cryptomalware and malicious crypto stuff). Certificates related to the field (like GIAC GREM etc.) will definitely help.

Yeah I watched Mr. Robot. Although hacking is not depicted totally accurately, still it is much much better than in random hacker movies. The psychology of Elliot is strikingly similar to some hardcore people I know. I would say similar psychology is pretty common. Most of the techniques showcased there are accurate up to a decent level.

dacash12 karma

I'm in the same boat, never finished high school, but I program in pretty much all popular languages, I admin all sorts of *nix boxes. I have a very good knowledge of white hat hacking and more.

But for some sad reason most of the world runs on certification; you need to make contacts that will give you work and spread your name to other companies. Once you get to know some people and people recommend you, then you don't need certs.

rdrand1 karma

Certificates work like a proxy to judge people. Giving some work, and then evaluating it is very time consuming, that's why people want to see degrees and certifications.

But yeah, once you get a good name, certifications and degrees don't matter much. Except for HR people who think CEH is very hardcore course which makes you super 1337 c00l hax0r.

SuleymanSimayoglu3 karma

I've recently seen that ads use a device's mic to listen to the environment and cross check other devices in the house to target tailored ads. Are you guys doing anything to prevent this?

rdrand4 karma

Right now, nope. I mostly deal with malicious stuff in native code, kernel land or .NET.

One way to prevent this is to deny access to hardware, or maybe hook the APIs and cancel the call if it seems to be coming from some ad in browser. Just an idea.

df98a98u3 karma

a malware guy

uhh, which malware guy?

rdrand4 karma

One of the many :P

Reascr3 karma

But do hackers actually wear colored hats?

At the very least I like to think they do

rdrand2 karma

No, we don't. Except when we are having fun (parties, tours blah blah)

seattleandrew3 karma

Compared to mobile OS' how has the malware game changed with the proliferation of sandboxing and permission schemes? Is it harder to create effective malware?

rdrand4 karma

I am not in the mobile domain, so will ask a friend and update you.

Overall, sandboxing and permissions are not major hurdles. All you need is a single vulnerability to bypass permissions (FYI, such vulnerability exists in kernel v4.2.5; did not test later versions).

Is it harder to create effective malware? Not much, as long as you have in-depth knowledge of target OS, architecture, platform/runtime etc. By in depth, I mean really really deep knowledge.

In a war between evil and good geniuses, evil genius ALWAYS wins.

EDIT: Finally android dude responded, and his response is pasted here verbatim

RESPONSE Yes it is pretty hard. Malware on mobile phones makes sense only through a 0day exploit or via user dumbness. This dumbness needs to be much more serious than the dumbness required of a user to run a malware on his/her Windows PC. END RESPONSE

Haduken2g2 karma

I am honestly scared, because within my first months of using Android I got an adware. A friend of mine even got a ransomware that rooted the phone, elevated its priority, moved itself to /system, filled phone's storage with very disturbing videos that had to come from the deepest corners of the deep web (I could still access MTP) blocked access to safe mode, removed the recovery mode and all that was working was really the bootloader.

What the fuck did we do besides enabling external sources and installing an app that was "independent" and "not distributed through the play store"? We both installed an app that was "independent" and "not distributed through the play store" I guess.

rdrand1 karma

Stick to Play Store. Submissions are scrutinized before publishing, so chances of hitting a malware are low (but not zero).

Haduken2g1 karma

Is Amazon Underground fine? I get a lot of apps from it and I do not really know whether I should trust it or not

rdrand2 karma

I have never used Amazon Underground. Check their policies. If they are scrutinizing submission (which I hope they do), you can trust the apps to sufficient extent.

No company wants to spoil its reputation by delivering malicious apps. Be limited to apps launched by well known companies/brands/publishers.

Haduken2g1 karma

Thank you!

interwebsreddit3 karma

Can you talk about the state of Mac malware? Specifically, the impact Rootless (System Integrity Protection) may have?

rdrand2 karma

I am sorry, I have no experience of Mac. I will check with my friends, and if I can get something, I will share it here.

tatambra3 karma

What do you think about sandboxing untrusted programs with e.g. Sandboxie or with any other similar software? Do they offer enough protection from common malware and does any known malware have techniques to escape sandboxes?

rdrand8 karma

Sandboxes are a very common method to analyze malware dynamically. But you should not trust them too much, and malware tends to disguise itself as a non-malicious program if it detects the presence of a sandbox, or sometimes even a virtual machine.

I don't directly deal with analysis of new malware, so I cannot give you a list. But there are malware known to detect and even escape sandbox.

PS: Sandbox detection techniques are more generic (as in, they work on multiple sandboxes) than sandbox escape techniques. Escape techniques are mostly specific to sandbox in question, sometimes specific to a particular version.

MrPopo92 karma

What's the salary for your position?

rdrand1 karma

I am not on a full time job, so there is nothing like a fixed salary. My charges vary from project to project, depending upon type and scale of work, time and effort required, whether it can be done from home or I need to fly to another part of world etc.

jkonrad2 karma

How do you test against AV products? Do you have some setup where you can submit a hack to all the engines at once to check for detection?

rdrand7 karma

You can use some online scanner like VirusTotal (https://www.virustotal.com/)

Keep in mind that if you send some sample to these scanners, they will be shared with AV companies too. That means, I can kiss goodbye to my lovely malware once I test it on some online scanner.

Generally, I send my malware samples to some friends who have multiple VMs with different AV scanners. VM is booted from fresh snapshot, signatures are updated, network is disconnected, snapshot is taken, malware is tested, and then VM is restored to previous snapshot.

It is even possible to automate all this stuff; one of my friends has automated all this for Qemu running on a LINUX server.

No need to mention, they all are from similar domain (but more into analysis and/or incident response side).
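The lab cycle described in the answer above (boot from a fresh snapshot, update signatures, disconnect the network, snapshot again, detonate, revert) can be driven from the host with libvirt's `virsh` when the guests run under QEMU. The following Python is an added example, not code from the AMA or its author. It assumes the guest is a libvirt domain reachable through the `virsh` CLI; the domain name, interface name and snapshot names are made up, and the guest-side steps (triggering the AV update, copying the sample in, reading the scanner's verdict) are left to caller-supplied callables because they depend on the product and on how you reach the guest.

```python
"""Isolated AV test cycle on a libvirt/QEMU guest, driven from the host.

Added example; not code from the AMA or its author. Assumes the `virsh`
CLI is present on the host and the guest is a libvirt domain. Guest-side
steps are supplied by the caller (see run_batch).
"""
import subprocess
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Command = Tuple[str, ...]
Runner = Callable[[Command], None]


def shell_runner(cmd: Command) -> None:
    """Real runner: execute a host command, failing loudly on non-zero exit."""
    subprocess.run(list(cmd), check=True)


class RecordingRunner:
    """Dry-run runner: records the commands instead of executing them."""

    def __init__(self) -> None:
        self.calls: List[Command] = []

    def __call__(self, cmd: Command) -> None:
        self.calls.append(tuple(cmd))


class IsolatedAvLab:
    """fresh snapshot -> update signatures -> network off -> 'armed'
    snapshot -> detonate sample -> revert to the armed snapshot."""

    def __init__(self, domain: str, iface: str, baseline: str,
                 runner: Runner = shell_runner) -> None:
        self.domain = domain        # libvirt domain name (assumed)
        self.iface = iface          # guest NIC as libvirt names it (assumed)
        self.baseline = baseline    # clean snapshot taken before any testing
        self.armed = f"{baseline}-armed"
        self.runner = runner

    def _virsh(self, *args: str) -> None:
        self.runner(("virsh",) + args)

    def arm(self, update_signatures: Callable[[], None]) -> None:
        """Prepare the guest once per session: clean state, fresh signatures,
        then cut the link so a sample cannot phone home or pull stages."""
        self._virsh("snapshot-revert", self.domain, self.baseline)
        update_signatures()                       # needs the network up
        self._virsh("domif-setlink", self.domain, self.iface, "down")
        self._virsh("snapshot-create-as", self.domain, self.armed)

    def test_sample(self, sample: str,
                    detonate: Callable[[str], str]) -> str:
        """Run one sample and ALWAYS return the guest to the armed snapshot,
        even if detonation raises (hung guest, timeout, etc.)."""
        try:
            return detonate(sample)
        finally:
            self._virsh("snapshot-revert", self.domain, self.armed)

    def run_batch(self, samples: Iterable[str],
                  update_signatures: Callable[[], None],
                  detonate: Callable[[str], str]) -> Dict[str, str]:
        """Arm once, then test every sample from the same offline state."""
        self.arm(update_signatures)
        return {s: self.test_sample(s, detonate) for s in samples}


def network_is_down_before_detonation(calls: Sequence[Command]) -> bool:
    """Sanity check on a recorded run: the link-down command must precede
    the armed snapshot, so every detonation starts offline."""
    down = [i for i, c in enumerate(calls)
            if c[1:2] == ("domif-setlink",) and c[-1] == "down"]
    armed = [i for i, c in enumerate(calls) if c[1:2] == ("snapshot-create-as",)]
    return bool(down) and bool(armed) and down[0] < armed[0]


if __name__ == "__main__":
    # Dry run with constructed names and stand-in guest-side callables.
    rec = RecordingRunner()
    lab = IsolatedAvLab("win7-avira", "vnet0", "clean-base", runner=rec)
    verdicts = lab.run_batch(
        ["sample-a.bin", "sample-b.bin"],
        update_signatures=lambda: None,
        detonate=lambda s: "detected" if s.endswith("a.bin") else "clean")
    for cmd in rec.calls:
        print(" ".join(cmd))
    print(verdicts, "offline:", network_is_down_before_detonation(rec.calls))
```

With `shell_runner` the same sequence is executed for real. The product-specific work lives in `update_signatures` and `detonate` (for instance triggering the AV's updater over the guest agent and reading its log back); the `finally` in `test_sample` is what guarantees that a sample which hangs the guest still leaves the lab on the armed snapshot for the next one.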

Johndope582 karma

Why do Macs not get viruses? Is this even true? As a Mac user, I've never used any sort of defence mechanism to keep my computer protected. But now.. I kinda feel the need to, because it seems bizarre to me that just because it's a Mac.. it can't be harmed. Can you recommend any useful products to keep me protected?

rdrand5 karma

Malware for Mac has been in the wild for some time. Again, Mac is not dominating in the desktop segment, and therefore is not a primary target for malware.

You can try MalwareBytes Anti-Malware (https://www.malwarebytes.org/antimalware/mac/), Kaspersky Internet Security for Mac (http://www.kaspersky.com/security-mac) etc. Please note that I am not a Mac user, so I have no first hand experience. I just googled, and shared some top results.

fndrcz2 karma

How easy is it to get malware online? When can even experienced users be fooled?

rdrand3 karma

Getting a malware online is not that difficult. Have you seen those ads which claim that your system is infected, and you need to click here to get rid of them? They are spreading malicious stuff.

Want to fool experienced users? That depends how much experience they have. The more experience they have, the harder it is to fool them.

64fanatic1 karma

How safe am I then if I use an ad blocker+tracking cookie blocker and noscript?

rdrand1 karma

Very much safe. Chances of hitting a malware from some website is very low for you.

ltjbr1 karma

How good is Windows 10 built in protection?

rdrand1 karma

Most of them can be bypassed. I have not worked on every single security feature yet (because most of the time I am on Linux).

FL4TOUT1 karma

Most of this thread has been in response to Malware that has infected their computers but I haven't seen anything regarding infected websites. What is your experience with infected websites, open source platforms, web application firewalls, etc? What should someone do if their website gets infected?

rdrand2 karma

I have no experience of web application firewalls.

Generally infected websites spread malware through ads (flash), applets (java), or javascripts. You can restore it to clean state if you have backup of entire website.

Make sure you patch the exploited vulnerabilities too. Go for periodic pen-testing, hire someone who can do it for you, ask him to pen-test, get it patched.

MasterAgent471 karma

What are your qualifications? What languages have you learnt?

All the theory stuff and writing part of Computer Science, will it be useful? I hate writing all that, but before my teacher taught programming(he does a shitty job at explaining)(and he made us write a lot of stuff) I had learnt the basics of programming and had coded in C++. I did not WRITE a single word. I just read and created simple codes that would execute flawlessly. I would say that there needs to be more focus on practicals.

I plan to focus on Computer Science because I want to become a game programmer. But that writing part in school bores me.

Note: The theory I'm talking about here is just definitions of this and that.

rdrand1 karma

Formally, I am just Intermediate (10 + 2) from CBSE Board. Took admission in BTech CSE, but dropped as faculty was total shit.

I have learnt C, C++, assembly, C#, Python (little bit). I learnt many more languages and technologies, but forgot most of them due to zero contact for long time.

Theory part of CS, definitely. Pay special attention to data structures (not only how to implement one, but also when and where to use it, as well as when and where to avoid it), various algorithms (apart from implementation, learn their use cases. You should know when to use algo A, and when to use algo B for the same job.) and the analysis part, theory of computing, automata etc. Bonus points if you grok compiler design too (it will teach you a lot of useful skills like how to write a parser, dependency graphs, aggressive optimizations etc.). Only definitions won't benefit much.

Writing part? Are you referring to assignments? They are utter crap and huge waste of time and effort (at least in India, except IITs (I guess, no first hand exp), IISc, NITs). Better to invest your time in practicing programming or some other stuff you are interested in (sketching? sports maybe?).

I hate writing all that, but before my teacher taught programming(he does a shitty job at explaining)(and he made us write a lot of stuff) I had learnt the basics of programming

I can relate with this part. I don't know which part of the world you are from, but the description looks so much like the Indian system.

MasterAgent471 karma

I am from India. Cbse board. The board is so shitty.

Thanks for the advice.

I plan to become a programmer. I will have to take admission in B.Cs.

What are a few good places for my course where I Can get lots of internship opportunities too?

rdrand1 karma

Cbse board. The board is so shitty.

Board is not shitty, teachers are.

For internship, check with various startups in Bangalore, Kochi etc.

PirateElectricAreWe1 karma

Why do people make Malware such as Trojan Horses in the first place? Is it really just sociopathy and bastardness?

rdrand6 karma

That differs from person to person. There are people who develop malware because they can, there are people who are developing for money and selling to scammers and other cyber criminals, there are people who develop because they can (bragging rights, you know).

Then there are people like me, who do it out of curiosity, and share the knowledge with others so that they can secure themselves; can investigate malware powered cyber crime and/or incident etc.

birdieFart1 karma

Do you wear any actual hats? (e.g. - fedora, trilby, ball cap, etc)

rdrand6 karma

In summer, I wear ball caps. Fedora is not that popular here.

taH_pagh_taHbe1 karma

How easy is it to get a job as a skilled malware reverser?

rdrand2 karma

Skilled malware reversers are almost always in demand. How much work you can grab is mostly dependent upon your skill set, experience, and contacts.

For a full time job, you may try in AV companies, Emergency Response Teams etc.

benstwhite1 karma

What would you recommend for server side security? (For Windows server 2012R2)

rdrand1 karma

A good firewall with good configuration, a solid AV, IDS, multilayer security (if one layer gets compromised, another will save you) etc.

Don't push some new piece of software straight on live server (even if it is an update). Test it on another machine, confirm its authenticity, and then install on actual server.

A server admin will be in a better place to suggest this.

lucrosus1 karma

Any advice to Mac users on vulnerabilities?

rdrand2 karma

Sorry, did not get you. Would you mind clarifying the question a bit?

gourav1241 karma

How to learn Linux programming? Which languages are best suited for this?

lurgar1 karma

Do you perform any reporting to companies if you discover a vulnerability or something like that? I'm curious how you've been received if you have tried to help a company out.

rdrand2 karma

Nope. I don't report at all. I just keep that into my collection.

Actually, many people are very skeptical about malware people. They be like, "He may plant some malware in our system/network if he gets pissed off. Better to keep him away from us".

lurgar1 karma

That's the attitude I was thinking was common. I appreciate the work you do if that helps :)

rdrand2 karma

Thank you for appreciation :)

XTremeMinecraft1 karma

On the school computers, we use VMware and for some reason, Yahoo! for chrome and (not)RealDownloader auto install. The C: drive doesn't save, is there any way to remove these?

rdrand1 karma

I am not an expert on Windows admin stuff, but my first guess is policies. One way is to get access of administrator account, and change policies for user account. There are many ways to access administrator account even if you don't know the password (overwriting NTLM hashes or bruteforcing them using bootable disk; creating a naive backdoor etc etc). Use Google.

PS: Don't do it on school systems. Play on your own instead.

MsNewKicks1 karma

How well do the common OTC/retail firewall software programs work?

rdrand1 karma

They work pretty well, if you know how to configure them properly. Most of the time, it is not the firewall which is shitty, it is the configuration which is shitty.

Bissquitt1 karma

As an IT professional I have come to swear by Malwarebytes as my first stop for infection removal, usually because its also often the last due to the system being "cleaned"

What is your opinion on the software?

rdrand2 karma

It is pretty good software, and I recommend it to most of the clients.

burythepower1 karma

What easy-to-run anti-malware detection and removal software would you recommend to remove the most common malware after an infection, such as drive-by malicious ads etc?

rdrand2 karma

Use some bootable scanner, boot with it, and scan. You can use one from Avira (http://www.avira.com/en/download/product/avira-rescue-system)

There are other vendors too. A simple Google search should reveal them.

silent_cat1 karma

Do you take part in CTFs (Capture the Flag competitions)? Do you feel they are representative?

rdrand1 karma

No, I don't play CTFs. Of course they are representative of the reversing capabilities of the teams.

Ciscopete241 karma

Your "Proof" should have just been a virus

rdrand1 karma

I can't do that for obvious reasons. Do you really want noobs to play with malware? and fuck some random systems??

lock_cmpxchg1 karma

Do you do malware analysis or development? A bit confused with your bio there.

What exactly do you mean by malware construction techniques? Are you referring to packer/crypter?

What sort of kernel malware have you written? What do you think about newer Windows protections like PatchGuard? Does isolated usermode prevent any of your techniques?

What do you mean by managed rootkits? Written in managed languages like C#/Java? Who writes rootkits in managed languages anyway?

Have you ever written any proper malware other than for your training?

If you have exams tomorrow, what's the big hurry in doing an AMA today?

rdrand1 karma

Mostly development, some analysis work too.

I am referring to rootkits (syscall hooking, injection by live memory patching etc etc), loggers, stealers, injectors, cryptomalware, mutation engines (aka self modifying codes) etc.

All kernel rootkits I have written are for Linux. Made one for system wide monitoring using syscall hooks, another one to infect /dev/random and /dev/urandom. I have not tried those newer features yet, as I am working on some rootkits and mutation techniques on Linux (they can be ported to Windows and Mac too)

Managed rootkits are written in managed languages like C# and Java. .NET is preinstalled on Windows, so obviously it gives one more attack surface.

Yeah, as a research work to get it published. I have submitted one in BloomCON, held by Bloomsburg University.

Exams are boring. :P

lock_cmpxchg1 karma

None of these techniques seems to be new or advanced (known for ages, many of them are).

Who writes rootkits in C#? What do you mean by it gives more attack surface? You are not exploiting anything inherent to the .NET framework, are you?

rdrand1 karma

True that. Most of the advanced work is related to GPU powered malware (again not a new idea), or sometimes sound-card powered malware (only on high end sound cards which are powered by programmable DSPs).

While it is true that most of these techniques have been known for ages, the same method does not work for too long. Software is changed, bugs are fixed, AV and other security systems become smarter etc. You need to keep updating your methods even for known techniques.

.NET Framework provides a way to hide malicious code. Nothing inherent to .NET is being exploited.

kid_miracleman1 karma

What are your thoughts on next-generation endpoint protection solutions such as Cylance, CrowdStrike, SentinelOne, etc?

rdrand1 karma

They give peace of mind most of the time. Although nothing stops a dedicated hacker from screwing you given enough time and resource, you will be pretty much safe from wild threats.

PS: 0 experience of these products. The above stuff is coming from some friends.

fcuke5r51 karma

I am interested in Linux and its security (I use it too). How well protected are stupid users that do not have root access that 'click around', and what additional security measures should we add for them?

rdrand6 karma

Clicking around will result in browser based attacks.

Not having root access (assuming you cannot get root access) eliminates a lot of lame attempts. Since most of the malware in the wild is for Windows, you are pretty safe.

Additional security measures: don't be stupid.