Category
Protect Your WordPress Sites with CrowdSec
4 Innovative Ways Cyberattackers Hunt for Security Bugs
QR Codes Offer Easy Cyberattack Avenues as Usage Spikes
3 Zero-Day Exploits Hit SonicWall Enterprise Email Security Appliances
WARNING: Hackers Exploit Unpatched Pulse Secure 0-Day to Breach Organizations
How we fought bad apps and developers in 2020
Providing safe experiences to billions of users and millions of Android developers has been one of the highest priorities for Google Play for many years. Last year we introduced new policies, improved our systems, and further optimized our processes to better protect our users, assist good developers and strengthen our guard against bad apps and developers. Additionally, in 2020, Google Play Protect scanned over 100B installed apps each day for malware across billions of devices.
Users come to Google Play to find helpful, reliable apps on everything from COVID-19 vaccine information to new forms of entertainment, grocery delivery, communication and more.
As such, we introduced a series of policies and new developer support to continue to elevate information quality on the platform and reduce the risk of user harm from misinformation.
- COVID-19 apps requirements: To ensure public safety, information integrity and privacy, we introduced specific requirements for COVID-19 apps. Under these requirements, apps related to sensitive use cases, such as those providing testing information, must be endorsed by either official governmental entities or healthcare organizations and must meet a high standard for user data privacy.
- News policy: To promote transparency in news publishing, we introduced minimum requirements that apps must meet in order for developers to declare their app as a “News” app on Google Play. These guidelines help promote user transparency and developer accountability by providing users with relevant information about the app.
- Election support: We created teams and processes across Google Play focused on elections to provide additional support and adapt to the changing landscape. This includes support for government agencies, specially trained app reviewers, and a safety team to address election threats and abuse.
Our core efforts around identifying and mitigating bad apps and developers continued to evolve to address new adversarial behaviors and forms of abuse. Our machine-learning detection capabilities and enhanced app review processes prevented over 962k policy-violating app submissions from getting published to Google Play. We also banned 119k malicious and spammy developer accounts. Additionally, we significantly increased our focus on SDK enforcement, as we've found these violations have an outsized impact on security and user data privacy.
Last year, we continued to reduce developer access to sensitive permissions. In February, we announced a new background location policy to ensure that apps requesting this permission need the data in order to provide clear user benefit. As a result of the new policy, developers now have to demonstrate that benefit and prominently tell users about it or face possible removal from Google Play. We've begun enforcement on apps not meeting new policy guidelines and will provide an update on the usage of this permission in a future blog post.
We've also continued to invest in protecting kids and helping parents find great content. In 2020 we launched a new kids tab filled with “Teacher approved” apps. To evaluate apps, we teamed with academic experts and teachers across the country, including our lead advisors, Joe Blatt (Harvard Graduate School of Education) and Dr. Sandra Calvert (Georgetown University).
As we continue to invest in protecting people from apps with harmful content, malicious behaviors, or threats to user privacy, we are equally motivated to provide trusted experiences to Play developers. For example, we’ve improved our process for providing relevant information about enforcement actions we’ve taken, resulting in a significant reduction in appeals and increased developer satisfaction. We will continue to enhance the speed and quality of our communications to developers, and continue listening to feedback about how we can further engage and elevate trusted developers. Android developers can expect to see more on this front in the coming year.
Our global teams of product managers, engineers, policy experts, and operations leaders are more excited than ever to advance the safety of the platform and forge a sustaining trust with our users. We look forward to building an even better Google Play experience.
Pulse Secure Critical Zero-Day Security Bug Under Active Exploit
Improve Your Cyber Security Posture by Combining State of the Art Security Tools
Swiss Army Knife for Information Security: What Is Comprehensive Protection?
Hackers threaten to leak stolen Apple blueprints if $50 million ransom isn't paid
When cryptography attacks – how TLS helps malware hide in plain sight
Novel Email-Based Campaign Targets Bloomberg Clients with RATs
Google issues Chrome update patching seven security vulnerabilities
Camera hack peels back layers of embedded Linux
Ticking time bomb? A quarter of people don't deal with mobile app permissions at all
Targeted Malware Reverse Engineering Workshop follow-up. Part 2
If you have read our previous blogpost “Targeted Malware Reverse Engineering Workshop follow-up. Part 1“, you probably know about the webinar we conducted on April 8, 2021, with Kaspersky GReAT’s Ivan Kwiatkowski and Denis Legezo, to share best practices in reverse engineering and demonstrate real-time analysis of recent targeted malware samples. The experts also had a fireside chat with Igor Skochinsky of Hex-Rays and introduced the Targeted Malware Reverse Engineering online self-study course.
The webinar audience having been so active – it was a very pleasant surprise, thanks again! – not only were we unable to address all the incoming questions online, we didn’t even manage to pack the rest of them in one blogpost. So here comes the second part of the webinar follow-up.
Questions related to malware analysis
- How common are opaque predicates in legitimate software? Can these predicates be leveraged as detection signatures?
Ivan: It is difficult to provide an answer encompassing all legitimate software. As a general rule, obfuscation or evasion techniques can provide a relevant weak signal potentially indicating malicious behavior, but should not be used for detection.
Denis: We mostly deal with malicious, not legit code, but I would not expect such tricks there. What for — protection? I would not expect opaque predicates even from third-party protectors.
- Do you often come across binary obfuscation methods like nanomites, control flow flattening or VM in malware?
Ivan: Such techniques are extremely rare, possibly because attackers know that the presence of such protections will raise suspicion.
Denis: We met several flattening cases lately. I could also name a couple of cases of custom internal VM usage in malware. So, not often, but they do exist.
- When it comes to packed executables, are automated unpackers usually good enough (like using dynamic instrumentation to detect tail jump and so forth) or is it more about manual work?
Ivan: It turns out that packed executables are not as widespread as you would think. They turn up so rarely that I always default to manual work.
Denis: We mostly deal with targeted malware, and packed executables are not common in this world, I agree.
- Do we also see any “exotic” commercial packers like vmprotect?
Ivan: We don’t, however, if this is of interest to you, I strongly recommend you to watch Vitaly Kamluk’s presentation on the subject.
Denis: Not in this training, but again, I would not say such tools are too popular in the world of targeted malware. Mostly due to being detected by security products, I suppose.
- What are the most creative anti-reversing tricks from malware creators you have seen so far?
Ivan: I would name the LuckyMouse APT which deploys stripped down malware samples containing none of its configuration anymore, once saved somewhere on the victim’s machine. Generally speaking, they’re very good at making sure that files obtained by defenders are incomplete.
Denis: The best anti-reversing trick I have seen is a seasoned software design pro with brain-damaging multi-module development style and 30 years of experience on the other side of the court. The only thing you want to do after the encounter is to yell at him/her, your disassembler, your PC, and yourself. But when you are done at last — well, this is the reason why we do it.
You can find the full syllabus here.
- Is the training focused on static reverse engineering or do you use dynamic analysis (e.g. debug/emulation) as well? Is the virtual lab analysis limited to static one?
Ivan: We occasionally use debugging, and debuggers are available in the VM. Most of the work, however, takes place in IDA Pro.
Denis: Ah, our deep belief in static analysis has affected the training for sure. But we do debugging as well, it is true. For example, in the LuckyMouse track.
- Will the analysis exercises deal only with the “final” malicious payloads/files or with analyzing the entire infection chains (e.g. downloader -> dropper/injector -> shellcode)?
Ivan: It is closer to the other way around. When we have no time to show everything, we focus on the most complex parts of the infection chain (the beginning), tackle all the problems, and leave the easy part (looking at the unobfuscated final stage) as an exercise for the audience.
- You have mentioned that a lot of course time will be spent discussing deobfuscation mechanisms. Will there also be a chapter/section dealing with bypassing anti-reversing mechanisms?
Ivan: The course is organized around the specific real malware cases. There is no theory segment on obfuscation. However, we show many samples that use different techniques and demonstrate how to approach each one of them.
- Does the course cover the C2 protocol traffic analysis?
Ivan: To some extent, yes. One of the tracks is entirely dedicated to analyzing a network utility, understanding and re-implementing its custom protocol.
Denis: For example, in the Topinambour track, you deal with simple C2 communication protocol analysis from the reversing point of view: it means that by analyzing the code you come to understand what to expect from the traffic.
- Do you cover both IDA Python and IDC during the course?
Ivan: We only cover IDA Python, but the participants are free to use IDC if they choose to.
- Will you teach any countermeasures against this kind of anti-reversing techniques?
Ivan: It’s our intentional choice to focus on real-life cases; and it is a fact that the vast majority of samples I have worked on involved no such protections. One of the malware specimens shown in the course has Anti-VM detection, which doesn’t bother us as we are just reading the code.
- What malicious document formats will be analyzed in the training?
Ivan: The malicious document studied in the course is the InPage exploit.
Denis: The InPage file format is based upon Compound Document Format, and we will analyze how the Biodata campaign operators had embedded the shellcode into it.
- If you detect such antimalware techniques, will there be a link to your previous Yara training: how to write a good detection rule to find such complex anti-obfuscation techniques?
Ivan: As you will probably see, the course is quite packed as it is! We may make a comment here and there about what could be a good Yara rule, but only in passing. I am, however, certain that the training will help you write better Yara rules.
- Shall we also learn to write or automate these anti-obfuscation tasks at scale?
Ivan: Yes, a large part of the course focuses on defeating the various protections that prevent us from seeing the actual payload!
- The course seems to include various topics on RE. Anything that has been left out? Probably saved for a future update to the course.
Ivan: There are many things we could not get into. Rust/Go malware, CPU architectures beyond x86 and x64, ARM arch and Mac OS, etc. But we believe we were able to provide a varied yet realistic sample of what we usually encounter.
Denis: In the third-level reverse engineering course from Kaspersky, you may expect the use of a decryption framework to facilitate such typical reversing tasks.
- Does the course address any malware employing unique file formats, thus requiring one to create an IDA loader module? How often do you deal with malware that uses unique file formats? It is something I am looking to learn.
Ivan: This is a use case not covered by the course, and in fact one that I have yet to encounter.
Denis: One quite unique _document_ format with the shellcode in it is featured in the course, but it needs no loader module, as you understand. Pity, but your topic seems to be out of the scope of this training. We are planning to create additional reversing screencasts from time to time — let’s think about covering this, too.
- Will it be possible to do the exercises in a personal lab at home to analyze the samples of the course?
Ivan: Due to legal restrictions in some countries, participants are required to work in the dedicated virtual lab that we provide and the VM cannot be downloaded. The good news is that it contains all the necessary tools, including a full version of IDA Pro.
- Can the lab hours be extended if required?
Ivan: Virtual machines will indeed be suspended after 100 hours of runtime. We can extend the hours on a case-by-case basis, but we expect this should be enough to complete all the tracks of the training.
- Do we need to RDP from a VM?
Ivan: The virtual environment is accessed directly from the web browser.
- Are the VMs stealthy for the malware, or can they be detected through redpill/no-pill techniques?
Ivan: The VMs provided in the training make no attempt at concealing what they are. Most of the malware provided does not particularly try to prevent execution in virtualized environments, and in any case the training is focused on static analysis with IDA Pro.
- If we write IDA scripts, can we extract them to our home environment at the end?
Ivan: Sadly, this will not be possible. But the scripts you write should remain relatively modest in size, and will probably not be generic enough to allow future use anyway.
You can check information on prerequisites here.
- Do you have any good recommendations on how to prepare for the training? Any prerequisites for this course?
Ivan: I would advise to check out the demo version of the training. It should give you an idea of whether you meet the prerequisites, and we also provide a number of third-party resources in the introduction in case you need a bit of preparation.
- Is knowledge of cryptographic algorithms also required? Or shall we learn how to detect them in the binaries?
Ivan: We touch on that subject lightly. In most cases, figuring out which cryptographic algorithm is used is straightforward. If not, some help will be provided during the solution segments.
- Knowledge of which languages is required?
Ivan: Python scripting is required at some point. Other than that, familiarity with compiled languages, such as C or C++, is recommended.
- How much support or guidance will be available if I get stuck on an exercise?
Ivan: We will collect your requests through helpdesk. Also a monthly call with the trainers is scheduled to answer your questions about the course. Otherwise, we are generally available on Twitter: @JusticeRage and @legezo.
- Does the Targeted Malware Reverse Engineering training provide for some kind of exam/cert at the end?
Ivan: There is no exam as such, although each track contains challenging knowledge checks and quizzes to check your progress. Certification will be awarded to all participants who complete all the tracks of the course.
- How much will this course cost?
Ivan: $1,400 VAT included.
Future plans/Future courses
- What is the difference between the Targeted Malware Reverse Engineering training and the upcoming third-level Advanced Malware Analysis training?
Ivan: This is an intermediate-level course, while the upcoming one will be an advanced expert-level course.
Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit
Open letter to the research community
Dear all,
In light of recent events, we have received many words of encouragement in comments on social media, through direct messages, and over the phone. We truly appreciate your support. It means a lot to us.
Over the years, we have detected and helped fix a huge number of vulnerabilities in applications and hardware from almost all renowned vendors, such as Cisco, Citrix, Intel, Microsoft, Siemens, and VMware.
All this would be impossible without close collaboration with the best infosec researchers, or without vendors' proactive approach and willingness to cooperate with research centers like ours in fixing all detected vulnerabilities. In line with the responsible disclosure policy, we only announce new vulnerabilities by agreement with vendors, and only after the vendor itself confirms it has fixed the bug and delivered the patch to customers.
We believe this approach makes our world better and more secure.
To unite our community, we started Positive Hack Days (PHDays), the biggest international security forum in Russia. Cybersecurity specialists and business leaders now have an opportunity to connect with white hats and cybersecurity geeks who know firsthand what a true pentest is and are willing to share their experience.
To gain more practical knowledge on how cybercriminals operate in actual life, every year for more than a decade now, we have held The Standoff, an attackers-vs-defenders cyberbattle set in a real-world environment. Only this way, under hyper-realistic conditions, is it possible to learn how infrastructure components can be attacked and how to protect them. The Standoff and PHDays threw their doors open to capture-the-flag (CTF) teams from many countries, including Russia, the U.S., Kazakhstan, India, Japan, and the UAE. Even the world’s top CTF teams, such as PPP, Carnegie Mellon University's competitive hacking team, have sharpened their skills in cyberexercises at The Standoff cyber-range.
Following our principle of open knowledge for the community, we made the event available to everyone. All-comers could watch videos of interesting talks, try their hand at detecting vulnerabilities or warding off a cyberattack, as well as freely monitor the cyberbattle traffic and take this expertise away with them so as to better protect their companies, develop efficient antihacker products, and create more secure solutions and components.
Openness of information and knowledge, responsible disclosure, and a hands-on approach to cybersecurity are our key values. As such, we cannot but promise hot new infosec research, continued wide support for the community, and a host of new interesting conferences.
Thank you very much for your support, and see you all at PHDays 10!
Please also go check out our collection of best infosec findings in the past three years, and share it with your colleagues.
Denis Baranov,
Managing Director, Head of Research Department at Positive Technologies
Mozilla Fixes Firefox Flaw That Allowed Spoofing of HTTPS Browser Padlock
Firefox 88 patches bugs and kills off a sneaky JavaScript tracking trick