Using AI to write Malware?! (Short Film on the ethical reasoning)
🗣Techryptic
Just like art it takes away from the creators. And I love to automate.
👤thadude400
It can also be trained to write malware in a particular style, i.e. impersonation
👤quzaire
Author here, wanted to start the conversation on AI being used in our field.
AI can be used in software reverse engineering for several purposes. It can be used to automate the process of reverse engineering a software program to identify its structure and components. AI can also be used to detect malicious code or vulnerabilities in a software program. AI can also be used to identify and analyze patterns in the code in order to gain insight into how the program works and how to improve it.
Finally, AI can be used to automate the process of generating documentation for a software program, which can be used by developers to understand how the program works.
👤Techryptic
🎖@malwr
YouTube
AI Writes Malware?!
I used OpenAI (text-davinci-003) to write code and look at the ethical reasoning behind it.
Following both YouTube/OpenAI TOS, it doesn't actually write malware; instead it writes functions.
OpenAI has the power to revolutionize the way machines interact with…
The Windows Process Journey — csrss.exe (Client Server Runtime Subsystem)
The goal of “csrss.exe” (Client Server Runtime Subsystem) is to be the user-mode part of the Win32 subsystem (which is responsible for providing the Windows API). “csrss.exe” has been included in Windows since Windows NT 3.1. It is located at “%windir%\System32\csrss.exe” (which most of the time is C:\Windows\System32\csrss.exe).
Since Windows NT 4.0 most of the Win32 subsystem has been moved to kernel mode — “With this new release, the Window Manager, GDI, and related graphics device drivers have been moved to the Windows NT Executive running in kernel mode” (https://learn.microsoft.com/en-us/previous-versions//cc750820(v=technet.10)). Thus, today “csrss.exe” manages GUI shutdowns and the Windows console (today it is “cmd.exe”).
Overall, we can say that today “csrss.exe” handles things like processes/threads, VDM (Virtual DOS Machine emulation), creation of temp files and more (https://j00ru.vexillium.org/2010/07/windows-csrss-write-up-the-basics/). It is executed as “local system” and there is one instance per user session. Thus, at minimum we will have two (one for session 0 and one for session 1) — as shown in the screenshot below. “csrss.exe” has a handle for each process/thread in the specific session it is part of. Also, for each running process a CSR_PROCESS structure is maintained (https://www.geoffchappell.com/studies/windows/win32/csrsrv/api/process/process.htm); by the way, we can leverage this fact for identifying hidden processes (for example by using “psxview” from the Volatility framework — https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#psxview).
“smss.exe” is the process which starts “csrss.exe” together with “winlogon.exe” (more about it in a future writeup); after finishing, “smss.exe” exits. In case you want to read more about “smss.exe” you can read the following link (https://medium.com/@boutnaru/the-windows-process-journey-smss-exe-session-manager-subsystem-bca2cf748d33). By the way, from Windows 7 (and later) “csrss.exe” executes “conhost.exe” instead of drawing the console windows by itself (I am going to elaborate on that in the next writeup).
Lastly, “csrss.exe” loads “csrsrv.dll”, “basesrv.dll” and “winsrv.dll” as shown in the screenshot below. If we want to go over some of the source code of “csrss.exe” we can use ReactOS, which is “A free Windows-compatible Operating System” hosted on github.com. The relevant code of the entire subsystem can be found at https://github.com/reactos/reactos/tree/master/subsystems/csr. We can also debug “csrss.exe” using WinDbg; it is important to know that since Windows “csrss.exe” is a protected process, so it can be debugged from kernel mode only (https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-csrss). A list of all the “csrss.exe” APIs can be found here: https://j00ru.vexillium.org/csrss_list/api_table.html.
https://preview.redd.it/cbrjyid38n3a1.png?width=1498&format=png&auto=webp&s=614e9a773e17d29f5288d4dc9e4f191f97c46708
🗣boutnaru
🎖@malwr
j00ru//vx tech blog
Windows CSRSS write up: the basics | j00ru//vx tech blog
The following post entry opens a series of CSRSS-oriented articles, aiming at describing the uncovered CSRSS mechanism internals, present in the Windows OS for more than fifteen years now. Although some great research has already been carried out by a few…
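As an added example (not part of boutnaru's post, Volatility, or any tool it links), the Python below turns the facts in the post into checks you can run over a process listing: one csrss.exe per session with sessions 0 and 1 always present, image path %windir%\System32\csrss.exe, running as SYSTEM, a parent (smss.exe) that has already exited, and a psxview-style cross check where a PID that csrss tracks via CSR_PROCESS but that is missing from the kernel process list is a hidden-process candidate. The process records and PID sets are constructed sample data, and the cross-view function is a simplified model of what Volatility's psxview does against a memory image.

```python
r"""Added example, not from the original post: csrss.exe sanity checks over a
process listing, plus a psxview-style cross view of kernel list vs. csrss view.

All records below are constructed sample data (no real capture)."""
import ntpath
from collections import Counter
from dataclasses import dataclass

EXPECTED_PATH = r"C:\Windows\System32\csrss.exe"
EXPECTED_USER = r"NT AUTHORITY\SYSTEM"
# Images that legitimately have no CSR_PROCESS entry in csrss's view.
CSR_EXEMPT = {"system", "smss.exe", "csrss.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str      # empty for the System pseudo-process
    session: int
    user: str


def audit_csrss(procs):
    """Return (pid, reason) findings; pid 0 marks a session-level finding.
    An empty list means every csrss.exe instance looked as the post describes."""
    findings = []
    by_pid = {p.pid: p for p in procs}
    csrss = [p for p in procs if p.name.lower() == "csrss.exe"]

    # One instance per session; at minimum session 0 and session 1 exist.
    per_session = Counter(p.session for p in csrss)
    for s in (0, 1):
        if per_session[s] == 0:
            findings.append((0, f"no csrss.exe in session {s}"))
    for s, n in sorted(per_session.items()):
        if n > 1:
            findings.append((0, f"{n} csrss.exe instances in session {s}"))

    for p in csrss:
        if ntpath.normcase(p.path) != ntpath.normcase(EXPECTED_PATH):
            findings.append((p.pid, f"unexpected image path {p.path}"))
        if p.user.upper() != EXPECTED_USER.upper():
            findings.append((p.pid, f"runs as {p.user}, expected SYSTEM"))
        parent = by_pid.get(p.ppid)
        if parent is not None:
            # smss.exe spawns csrss.exe and then exits, so a live parent is suspicious.
            # PID reuse can produce a rare false positive here; confirm by parent image.
            findings.append((p.pid, f"parent {parent.name} (pid {p.ppid}) is still running"))
    return findings


def native_pids(procs):
    """PIDs that legitimately have no CSR_PROCESS entry. The name alone is not
    enough (a masquerading csrss.exe must not be exempted), so the path is checked."""
    sys32 = ntpath.normcase(r"C:\Windows\System32")
    return {p.pid for p in procs
            if p.name.lower() in CSR_EXEMPT
            and (p.path == "" or ntpath.normcase(ntpath.dirname(p.path)) == sys32)}


def cross_view(pslist_pids, csrss_pids, exempt_pids=frozenset()):
    """psxview-style comparison (simplified model, not Volatility's code).
    hidden_from_pslist: tracked by csrss but absent from the kernel list (DKOM candidate).
    unknown_to_csrss:   in the kernel list but never registered with csrss, minus exemptions."""
    return {
        "hidden_from_pslist": sorted(set(csrss_pids) - set(pslist_pids)),
        "unknown_to_csrss": sorted(set(pslist_pids) - set(csrss_pids) - set(exempt_pids)),
    }


# Constructed sample: two legitimate csrss.exe instances (parents already exited)
# and one masquerading copy in a user profile, spawned by explorer.exe.
SAMPLE = [
    Proc(4, 0, "System", "", 0, r"NT AUTHORITY\SYSTEM"),
    Proc(368, 4, "smss.exe", r"C:\Windows\System32\smss.exe", 0, r"NT AUTHORITY\SYSTEM"),
    Proc(512, 480, "csrss.exe", r"C:\Windows\System32\csrss.exe", 0, r"NT AUTHORITY\SYSTEM"),
    Proc(600, 584, "csrss.exe", r"C:\Windows\System32\csrss.exe", 1, r"NT AUTHORITY\SYSTEM"),
    Proc(3000, 2900, "explorer.exe", r"C:\Windows\explorer.exe", 1, r"DESKTOP\bob"),
    Proc(4242, 3000, "csrss.exe", r"C:\Users\bob\AppData\Roaming\csrss.exe", 1, r"DESKTOP\bob"),
]

if __name__ == "__main__":
    for pid, reason in audit_csrss(SAMPLE):
        print(f"pid {pid}: {reason}")
    kernel_list = {p.pid for p in SAMPLE}
    csrss_view = {3000, 4242, 7777}   # constructed: 7777 is unlinked from the kernel list
    print(cross_view(kernel_list, csrss_view, native_pids(SAMPLE)))
```

On a live host the `Proc` records can be filled from `Get-CimInstance Win32_Process` (ProcessId, ParentProcessId, Name, ExecutablePath, SessionId, plus GetOwner), and for a memory image from Volatility's pslist and psxview output. The parent check is the weakest signal on its own because a PID can be reused after smss.exe exits; the path and owner checks do not share that problem.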
₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware - North Korea in action
🗣digicat
🎖@malwr
Volexity
₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
Over the last few months, Volexity has observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity […]
DuckLogs - New Malware Strain Spotted In The Wild as part of a Malware as a Service - performs multiple malicious activities such as Stealer, Keylogger, Clipper, Remote access, etc.
🗣digicat
🎖@malwr
Cyble
Cyble - DuckLogs - New Malware Strain Spotted In The Wild
Cyble analyzes DuckLogs - a new Malware-as-a-Service that provides sophisticated malware features to Threat Actors at a relatively low price.
kitabisa/teler release v2.0.0-dev
🗣dwisiswant0
Nice. So this kind of got me thinking: why not just use Suricata or Snort as an IPS, since teler "just detects"? Basically my conclusion:
Docker Compose:
Nginx (terminates HTTPS) -> Snort -> nginx-> PHP (in my case)
I mean technically you’d re-encrypt after snort and send it the rest of the way but in Docker I think it’s fine to send unencrypted from snort to Webserver (if not exposed)
👤coder_karl
🎖@malwr
GitHub
GitHub - teler-sh/teler: Real-time HTTP Intrusion Detection
Real-time HTTP Intrusion Detection. Contribute to teler-sh/teler development by creating an account on GitHub.
Noob here, tried adding via hash sets, but failed. Any idea on how to add SHA1 values in the Metadata for Autopsy while viewing an outlook.pst file? I'm able to view the MD5 & SHA256 hash values of the file, however I'm unable to view the SHA1 value. Any advice would be greatly appreciated.
🗣LMJR500Army
Looks like only MD5 and SHA256 are supported as of the last revision to hashdb. See here: https://github.com/sleuthkit/autopsy/issues/175
👤positronikal
🎖@malwr