A new Adventure

Hi All! I am proud to announce that, starting from 10 March 2014, I have started a new job. I am a Security Engineer (this time without the “Senior” adjective, unfortunately) in the Malware Research Team of Sourcefire. Sourcefire is a great company that deals with network security solutions, hardware and software, and it is the creator of the Snort IDS and the ClamAV antivirus. It was acquired last year by Cisco Systems Inc. Welcome Sourcefire! …

X64 Memory segmentation – Is the game over?

In these days, being quite free, I took the occasion to deepen a feature of all x64 systems… Indeed, last month, when I was analysing a sample of the Expiro file infector, I encountered an instruction like this: mov r11, gs:10h. Of course, according to the code context and to my previous x86 experience, this opcode will move the content of the current TEB (Thread Environment Block) Stack Limit field into r11 …

Anatomy of a new 64 bit file infector

Hi all! I am still alive. I am proud to release here my latest analysis of a multi-architecture file infector. Its name is Expiro. This analysis is the first I have made as an independent security researcher and it is not related to any company. I hope that it can be useful for all other security researchers like me. Here is the complete document: www.andrea-allievi.com/files/Expiro_Analysis_2013.pdf I have deeply inspected the Expiro dropper because I was very curious …

We are returning back

Hi All! How are you? I am here; due to some company policy decisions I haven’t updated this blog for a long time… I am now working on a new big analysis… Stay tuned! Andrea

Windows 8 Security – AppContainer Sandbox

Hi All! I’m happy to introduce here the result of my last 2 months of work. I have indeed finished my big analysis of Windows 8 AppContainers. The 14-page article was completely reviewed and completed on 5 June 2013. Due to some commercial issues, my company published it only last week. The full article is available here: http://news.saferbytes.it/analisi/2013/07/securing-microsoft-windows-8-appcontainers/ I am also working on an application able to start any Win32 application under …

NoSuchCon Conference – Final day

Hi! This day of the NoSuchCon conference was very exciting. Unfortunately it was the last one… I woke up quite early this morning, after a great conference party organized the evening before at the “La rotonde de la Villette” pub in Paris… I met a lot of security researchers there, and we had a beer all together. I found indeed that there are some very good and clever Italian researchers who do work very close to mine. We have …

NoSuchCon – Day 2

Hi all! This was the second day attending the NoSuchCon conference… In the morning we saw a good analysis of a new kind of BIOS rootkit, able to resist even a BIOS reflashing. Its name is “The Flea”. The entire work was presented by John Butterworth, Corey Kallenberg and Xeno Kovah (guys from MITRE). I think that it could be a very strong and interesting project… Furthermore, we saw a presentation on ARM exploitation …

NoSuchCon Conference – Day 1

Hi all! As promised, I am starting to write a series of 3 blog posts regarding my visit to the NoSuchCon conference here in Paris… I have just attended the first of the three days of this good security conference. Researchers from all over the world have presented some interesting topics. In my opinion the most important and useful one (at least for this first day) is the one shown by Mateusz Jurczyk. He has discussed some …

Personal Firewall: Do we really live in a secure environment?

Today I would like to introduce a great analysis I did in February 2012, when I was still working for Prevx and studying Windows kernel communication interfaces. This analysis covers the NDIS and WSK DDIs (Device Driver Interfaces): it runs some tests on some security solutions available in 2012, and defines general guidelines to correctly implement something good with NDIS. All tests were made with the aim of bypassing personal firewalls …

New Blog, new resources

Hi All! I’m proud to announce that my new blog is almost ready! A lot of new features, graphics and content. The new blog is available here: www.andrea-allievi.com. Have fun! Andrea
