Contact Sales

GoSecure Blog

Final-Connect-Image.jpg

RDP Man-in-the-Middle - Smile! You're on Camera

As part of our four-month internship at GoSecure, we chose to work on creating a Remote Desktop Protocol (RDP) honeypot. To achieve this, we used a Linux server with an RDP man-in-the-middle (MITM) program that redirects traffic to a real Windows Server.

When searching for tools, we found RDPY, a Python RDP library with a MITM implementation. However, RDPY had several limitations both in features and design choices for our use case. This led us to create our own library, which reuses some parts and concepts from RDPY.

In this blog post, we will showcase our newly release open-source project, PyRDP, which is usable both as a MITM and as a library to experiment with the protocol. We will demonstrate both use cases by describing an incident we had with a malicious user that compromised our honeypot.

Read More

Topics: malware, Research, Honeypot, RDP, tool, man-in-the-middle, Featured

Chaos: a Stolen Backdoor Rising Again

This post describes a backdoor that spawns a fully encrypted and integrity checked reverse shell that was found in our SSH honeypot, and that was presented at GoSec 2017 in Montreal. We named the backdoor ‘Chaos’, following the name the attacker gave it on the system. After more research, we found out this backdoor was originally part of the 'sebd' rootkit that was active around 2013.

Read More

Topics: malware, botnet, Featured

Opinion: Petya, NotPetya and what's wrong with our industry?

In the last few days, we closely followed the malicious software outbreak that took control of about 12,500 devices, mostly in Ukraine and Russia, demanding a $300 ransom from the infected device’s owner. Although this new attack is fascinating, we noticed that the associated stories quickly got out of hand.

Read More

Topics: malware, Ransomware, industry, media, opinion

Introducing Malboxes: a Tool to Build Malware Analysis Virtual Machines

Malware analysis is like defusing bombs. The objective is to disassemble and understand a program that was built to do harm or spy on computer users (oops, this is where the bomb analogy fails, but one gets the point). That program is often obfuscated (ie: packed) to make the analysis more complex and sometimes dangerous. This blog post introduces a tool that we have built that creates Windows Virtual Machines (VMs) without any user interaction. Those VMs are preconfigured with malware analysis tools and security settings tailored for malware analysis. We will then explore how to use the tool, its architecture and where we want to take it.

Read More

Topics: malware, devops, tool, malboxes, Featured

BlackHat Europe 2016: Ego-Market

For those who missed it, here is the video of our BlackHat Europe 2016 presentation titled EGO-MARKET: When People's Greed for Fame Benefits Large-Scale Botnets:

Read More

Topics: malware, blackhat, conference, video, moose

Exposing the EGO MARKET: the cybercrime performed by the Linux/Moose botnet

Cybercrime is an evolving phenomenon and offenders are continuously adapting to find new techniques to monetize their illicit activities. Our research paper and upcoming BlackHat Europe presentation - EGO MARKET: When People’s Greed for Fame Benefits Large-Scale Botnets - is about Linux/Moose, a botnet that conducts social media fraud. This blog post is a summary of our paper.

Read More

Topics: malware, Research, botnet, criminal market, paper, Featured

Internet of Threats, an OWASP Montreal Presentation

Our own Olivier Bilodeau will be presenting with Thomas Dupuy of ESET Canada Reseach about malware affecting "Internet of Things" (IoT) devices. A free event hosted by OWASP Montréal in downtown Montreal.

The presentation will be in French with the slides in English.

Here is the abstract:

More and more devices are connected to the Internet. Under the moniker "Internet of Things" (IoT) these "things" generally run an embedded Linux system of the MIPS or ARM architecture. The unresolved problem of software updates and short vendor support cycle combined with the lack of effort into systems security and application security makes these devices an easy target. This last year we have analyzed several malware samples targeting these architectures. Internet accessible embedded systems are being compromised via vulnerabilities (like Shellshock) or because of their weak default configuration.

Our presentation will cover some of the analysis we performed:

  • - Linux/Moose, a malware that propagates by itself and perform social network fraud on Twitter, Facebook, Instagram and more
  • - LizardSquad and foreign actors that are leveraging embedded systems to perform distributed denial of service attacks (DDoS)
  • - Win32/RBrute, desktop malware that changes router settings in order to infect more victims. This is distributed by the Sality botnet.
  • - An Exploit Kit that leverages router vulnerabilities through a Web browser to perform "DNS poisoning"

Finally, some advice will be given to the audience in order to help protect themselves, their organizations and their families.

Read More

Topics: malware, IoT, conference, linux, moose