AaLl86 Security

Hello folks! Long time no updating my blog. The work, book, and a minimum of social life are killing my free time 🙂 So, here we go… … on last 17th June 2018 I gave a talk at the BSides Conference in my own city, Milano. It was really nice to return back home, see my family and friends, even if for a small amount of time. The talk was about Intel TXT, aka Trusted …

Hi All!   It has been a long time since I have not updated this blog. As usual a lot of things are going on, and the free time is always very tight 🙂 Today I just want to share with my readers the results of my reverse engineering work that I did on HyperV and I have presented in the last edition of the Recon Conference in Montreal. This edition (May 2017) was quite …

In this week I have flew home, after spending few weeks in Seattle for the Blue Hat and some meeting with the team (and even for some fun in the night, I admit 😉 ). For whoever doesn’t know, starting from the September 2016 I am a Security Researcher of the Threat Intelligence Center of Microsoft Ltd (MSTIC). BlueHat was great. Me and my friend Richard Johnson (@richinseattle) have presented a talk regarding our last …

Hi All! Recently I stumbled upon the new ZeroAccess dropper. In the “KernelMode.info” community, on the 3rd January 2016, R136a1 has posted the new sample. The dropper is quite innovative. I was working on some Crypto stuff, and still have no time to deepen analyse it, but I have realized that Kryptoslogic has been already written an introductive analysis (Great job buddies). I have realized that this is the time to present here an old …

Hi All! Before starting, I would like to say that, as usual, all the thoughts and info inside this post are my opinions and don’t belong to my company. Tomorrow will be the day of the public presentation of Windows 10. In this post I would like to say something about some very interested features of the new OS. I think indeed that this release brings a lot of new innovative features (from a Security …

Hi All! After 6 months of inactivity I found the time to update my blog. Today I would like to speak about the last NoSuchCon Conference in Paris, where I have had the pleasure to be a speaker. The presented project has been the following one: “Understanding and defeating Windows 8.1 Kernel Patch Protections: it’s all about gong fu! (part 2)” The talk analyses in details the Kernel Patch Protection implementation of the latest 64 …

Hi All! I am proud to annunce that, starting form 10th March 2014, I have started a new Job. I am a Security Engineer (this time without “Senior” adjective unfortunately) in the Malware Research Team of Sourcefire. Sourcefire is a great company that deals with Network security solution, hardware and software, and it’s the creator of SNORT IDS and ClamAv antivirus. It has been acquired in the last year by Cisco System Inc. Welcome Sourcefire! …

In these days that I was currently quite free, I have took the occasion to deepen a feature of all X64 systems… Indeed last month, when I was analysing a sample of Expiro File infector, I encountered an instruction like this: mov r11, gs:10h Of course, according to the code context, and to my previous x86 experience, the previous opcode will move the content of current Teb (thread environment block) Stack limit field, in r11 …

Hi all! I am still alive 🙂 . I am proud to release here my last analysis about a multi-architecture file infector. It’s name is Expiro. This analysis is the first I made as an independent security researcher and it’s not related to any company. I hope that it can be useful for all others security researchers like me. Here is the complete document: www.andrea-allievi.com/files/Expiro_Analysis_2013.pdf I have deep inspected Expiro dropper because I was very …

Hi All! How are you? I am here, due to some company politic decisions I haven’t updated this blog for a long time… I am now working on a new big analysis… Stay tuned! Andrea