You will find below some of the various resources and publications that I've publicly written and distributed. Please note that some of these are very old and may contain outdated information...
For any question, requests or information just mail me at info@andrea-allievi.com
Published articles (in chronological order):
- 11/01/2016 – ZeroAccess, an innovative malware
Source: My Blog
At the same time that a new dropper of the ZeroAccess/Sirefef malware was found in the wild, after 2 years of bureaucratic problems I was able to publish a detailed analysis of the previous ZeroAccess rootkit. This sample brought some interesting and funny tricks aimed at evading detection and achieving stealth on the victim system.
- 10/12/2015 – CryptoWall 4 – The Evolution Continues
Source: Talos Intel Blog
CryptoWall 4 is the latest evolution of CryptoWall. Here I present the entire analysis of the dropper and highlight the pros and cons of using an RSA-2048 asymmetric encryption algorithm. Furthermore, I describe the encryption methodology (and the new random file name generation routine), and show its new encrypted file format.
- 08/09/2015 – Microsoft Windows CDD Font Parsing Kernel Memory Corruption
Source: Talos Intel Blog
This post was co-authored by Andrea Allievi and Piotr Bania
In this post I have analysed my first vulnerability research job. There is indeed a memory corruption vulnerability located deep inside the CDD font parsing kernel driver. This vulnerability (a memory-boundary check error) could lead to local kernel code execution if exploited well.
- 27/04/2015 – TeslaCrypt – Decrypt It Yourself
Source: Cisco TALOS Blog
This post was co-authored by Andrea Allievi and Emmanuel Tacheau
I would like to present here my analysis of the TeslaCrypt ransomware. The malware lies: it claims to use asymmetric RSA-2048 encryption, but this is not the truth. It instead uses standard symmetric AES-CBC encryption. In its first version, it is possible to decrypt all the files using our tool. Our research has indeed produced a useful tool that has helped thousands of people who were infected by TeslaCrypt. It's funny to see that after our tool, the malware authors updated their malware, adding even elliptic-curve cryptography (asymmetric) to encrypt the master AES key.
- 09/02/2015 – CryptoWall 3.0: Back to the Basics
Source: Cisco TALOS Blog
This post was co-authored by Andrea Allievi and Earl Carter
This is the natural continuation of the CryptoWall 2 analysis. The next version of the dropper has been put under the microscope: the sample has lost a lot of the previous interesting features, like the exploits embedded in it, but has acquired the use of the I2P network (besides the TOR one) for communication with the C&C servers, maintaining its stealth.
- 06/01/2015 – Ransomware on Steroids: CryptoWall 2.0
Source: Cisco TALOS Blog
This post was co-authored by Andrea Allievi and Earl Carter
An analysis of the latest CryptoWall 2.0 ransomware, which uses an entire customized TOR client to communicate with its C&C servers. Very interesting is the feature that enables the sample to mix 32-bit and 64-bit code inside its 32-bit PE executable. The sample can indeed switch between the 2 execution modes directly and call 64-bit APIs from its 32-bit executable without passing through WOW64...
- 28/10/2014 – Threat Spotlight: Group 72, Opening the ZxShell
Source: Cisco TALOS Blog
This post was co-authored by Andrea Allievi, Douglas Goddard, Shaun Hurley, and Alain Zidouemba. (thanks guys! 🙂 )
ZxShell is a Remote Administration Tool (RAT) used in cyber-espionage operations. The entire RAT has been reversed and analysed. It is a great weapon for the attackers: it is able to do a lot of things once installed on the target victim workstation. The infection even contains a kernel-mode rootkit used for stealth. The rootkit is interesting in particular for the strange method used for communication with the user-mode DLL.
- 04/09/2014 – Malware Using the Registry to Store a Zeus Configuration File
Source: Talos Intel Blog
The author of this blog post is Shaun Hurley. I am only the co-author :-)
An introduction to a very tricky malware executable (a sample of the ZBot trojan), encrypted multiple times. The sample, after decrypting itself, downloads its configuration file from the internet. After it has successfully decrypted and analysed it, it proceeds to re-encrypt the file with one of 4 different encryption methods (chosen randomly) and stores its entire content in the Windows Registry...
- 14/08/2014 – The Windows 8.1 Kernel Patch Protection
Source: Talos Intel Blog
The first available analysis of the Windows 8.1 Kernel Patch Protection. The document starts from the reverse engineering of the anti-Patchguard code located inside the Uroburos rootkit. Then the Windows 8.1 Patchguard initialization code is shown. The Kernel Patch Protection main code and data structures are described, and an introduction to my disarming method is given. The disarming of Windows 8.1 Patchguard will be shown at the next NoSuchCon conference.
- 26/06/2014 – Exceptional behavior: the Windows 8.1 X64 SEH Implementation
Source: Talos Intel Blog
This document explains the nitty-gritty details of the Structured Exception Handling feature of the 64-bit versions of Windows (especially Windows 8). It describes the "Exception directory" of a 64-bit PE file, the associated data structures, and the software implementation of SEH exceptions and C++ exceptions in the NT kernel (and in the "Ntdll" module). Furthermore, an introduction to two obscure concepts, the Collided Unwind and the Frame Consolidation Unwind, is presented.
- 22/04/2014 – Snake Campaign: A few words about the Uroburos Rootkit
Source: Talos Intel Blog
An introductory analysis of the powerful rootkit included in the Snake Campaign. The rootkit part of the infection was very interesting thanks to its capability to infect even the 64-bit versions of the Microsoft Windows operating system (up to Windows 7). This is the first introductory article of the Windows 8.1 Anti-Patchguard project.
- 10/07/2013 – Securing Microsoft Windows 8: AppContainers
Source: Saferbytes new website
An extensive analysis of the Windows 8 security model. Part 1 deeply concerns the new Windows 8/8.1 sandboxed environment (AppContainers) and explains how to extend it even to standard Win32 applications. The AppContainers feature was reversed and deeply analysed; the article describes in great detail the Lowbox token creation procedure (in user and kernel mode). There is also a quick overview of other Windows 8 security mitigations and a description of how the OS draws and manages the new Windows 8 Metro start menu.
This publication is also linked in a Tom's Hardware article available here
- 28/02/2013 – Saferbytes x86 memory bootkit: new updated build is out
Source: Saferbytes blog
A brief analysis of physical memory management in Windows OSs and a description of the new x86 Memory Bootkit release, which enables each 32-bit Windows OS to use all physical memory (overcoming the 4GB physical memory limit).
This publication is also linked in a Tom's Hardware article available here
- 18/09/2012 – UEFI Technology: Say Hello to the Windows 8 Bootkit!
Source: Saferbytes blog
An extensive analysis of the Windows 8 UEFI kernel, EFI boot loader and boot manager. A brief introduction to the UEFI architecture and the development of the first Windows 8 UEFI bootkit proof of concept, able to bypass Driver Signing Enforcement and Patchguard... A must read for security researchers!
This publication was also linked in the following sites:
The Register
Il Software (Italian language)
Tom's Hardware (Italian language)
HWFiles (Italian language)
- 04/08/2012 – X86 4GB memory limit from a technical perspective
Source: Saferbytes blog
A brief technical analysis of the memory limits of x86 Microsoft operating systems and a tool developed to overcome them.
- 15/06/2012 – Sinowal: MBR rootkit never dies! (and it always brings some new clever features)
Source: Saferbytes blog
Third technical analysis paper on the latest evolution of the Sinowal rootkit and the new techniques it uses for concealing itself in the Windows kernel.
- 21/12/2011 – Sinowal: the evolution of MBR Rootkit continues
Source: Saferbytes website
Second technical analysis paper about the Sinowal rootkit, focused especially on its bootkit part.
- 08/01/2011 – TDL4 Analysis Paper: a brief introduction and how to debug it
Source: AaLl86 old website
Brief TDL4 analysis paper focused on its bootkit part and on the replacement of the KDCOM.DLL kernel system DLL...
- 19/03/2011 – Carberp – a modular information stealing trojan
Source: Pxnow – PrevX blog
Complete analysis paper of the Carberp modular information stealing trojan, written with Marco Giuliani. The analysis was also published in Spanish on the Infospyware.net website and is available here
- 28/08/2011 – X64 Mbr Rootkit – Your pc is under attack again (Italian language)
Source: AaLl86 old website
Extensive technical guide about building a 64-bit rootkit project (bootkit + kernel-mode rootkit) able to defeat all Windows 7 kernel protection features like Patchguard and Driver Signing Enforcement. This publication allowed the author to graduate (Computer Security specialization, Università degli studi di Milano Bicocca, Italy). It is written in Italian.
Further useful, old, and ancient resources:
- AaLl86 Website (Italian language) – My own old website, which I started developing in 2004 when I was still in high school. You can find a lot of ancient utilities and applications in it.
- AaLl86 Forum (Italian language) – My old test forum.
That’s all!