illustration by Craig Simmons

Introduction During the last decade, different types of malware have been targeting Linux servers: Elknot, Encoder, Mirai, LuaBot, NyaDrop, Gayfgt, etc. Most of them are used for DDoS purposes, but there are some exceptions. Rex is one of them. In this article we will try to present a detailed analysis of Rex. Rex is a new […]

Introduction Two years ago, Thierry F. wrote an article on this blog about a technique that allows a driver to inject a DLL into a process. This was based on the reverse engineering of the PEB.KernelCallbackTable field, which is untyped and completely undocumented. You may have discovered, through the article mentioned above, that […]

In this post, we want to share some notes on how to exploit heap-based overflow vulnerabilities by corrupting the size of memory chunks. Please note that we do not present original content here but only want to share two detailed write-ups with the community. The first one exploits a basic heap-based overflow by enlarging the […]
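As an added illustration of the mechanism the post refers to (this is example code written for this page, not the linked write-ups' exploit and not glibc), the C program below models an allocator whose chunks carry an inline size header right in front of the user data, the layout glibc's malloc also uses. A bounded-by-attacker copy into chunk A spills over A's end and rewrites chunk B's size field; the allocator then trusts the forged, enlarged size when B is freed and reallocated, so the next allocation overlaps chunk C. The allocator itself (single free slot, no coalescing, 8-byte header) and the payload are assumptions made for the example; the names `toy_malloc`, `toy_free`, `vuln_copy`, `demo_enlarge_size` and `demo_overlap` are made up here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy allocator (assumption for this example, NOT glibc): each chunk is
 * [size_t size][user data...], so an overflow out of one chunk's data lands
 * on the next chunk's size field. One free slot, first fit, no coalescing. */
#define HEAP_SIZE 256
#define HDR sizeof(size_t)

struct chunk {
    size_t size;          /* total chunk size, header included */
    unsigned char data[]; /* user data follows the header immediately */
};

static union { size_t align; unsigned char bytes[HEAP_SIZE]; } arena;
#define heap arena.bytes
static size_t heap_top;
static struct chunk *free_slot;

static void toy_reset(void) { memset(heap, 0, HEAP_SIZE); heap_top = 0; free_slot = NULL; }

static struct chunk *chunk_of(void *p) { return (struct chunk *)((unsigned char *)p - HDR); }

static void *toy_malloc(size_t n) {
    size_t total = HDR + ((n + 7) & ~(size_t)7);
    /* The allocator trusts the size stored in the free chunk's header. */
    if (free_slot && free_slot->size >= total) {
        struct chunk *c = free_slot;
        free_slot = NULL;
        return c->data;
    }
    if (heap_top + total > HEAP_SIZE) return NULL;
    struct chunk *c = (struct chunk *)(heap + heap_top);
    c->size = total;
    heap_top += total;
    return c->data;
}

static void toy_free(void *p) { free_slot = chunk_of(p); }

size_t toy_chunk_size(void *p) { return chunk_of(p)->size; }

/* The bug: the copy length is attacker controlled and never checked against
 * the destination chunk's capacity (16 bytes in both demos). */
static void vuln_copy(char *dst, const unsigned char *src, size_t len) {
    memcpy(dst, src, len);
}

/* Constructed payload: 16 bytes fill chunk A, the next HDR bytes land on B's
 * size field and replace it with `forged`. */
static void overflow_into_next_size(char *a, size_t forged) {
    unsigned char payload[16 + sizeof(size_t)];
    memset(payload, 'A', 16);
    memcpy(payload + 16, &forged, sizeof forged);
    vuln_copy(a, payload, sizeof payload);
}

/* Step 1: enlarge B's size. A, B, C are 24-byte chunks laid out back to back;
 * forging 48 makes B claim the space of B and C together. Returns B's size. */
size_t demo_enlarge_size(void) {
    toy_reset();
    char *a = toy_malloc(16);
    char *b = toy_malloc(16);
    (void)toy_malloc(16);               /* chunk C, right after B */
    overflow_into_next_size(a, 48);
    return toy_chunk_size(b);           /* 48 instead of the real 24 */
}

/* Step 2: free B and request 32 bytes. With the forged size (48 >= 8 + 32)
 * the allocator hands B back, and the new block overlaps C's header and data.
 * Returns 1 when a write through the new block clobbered C. */
int demo_overlap(void) {
    toy_reset();
    char *a = toy_malloc(16);
    char *b = toy_malloc(16);
    char *c = toy_malloc(16);
    strcpy(c, "secret");                /* victim data living in C */
    overflow_into_next_size(a, 48);
    toy_free(b);
    char *d = toy_malloc(32);           /* reuses B's chunk because of the forged size */
    if (d != b) return 0;
    memset(d, 'X', 32);                 /* 32 bytes from B's data run into C */
    return strcmp(c, "secret") != 0;
}

int main(void) {
    printf("B's size after the overflow: %zu\n", demo_enlarge_size());
    printf("overlapping allocation obtained: %d\n", demo_overlap());
    return 0;
}
```

Without the overflow, `toy_malloc(32)` after `toy_free(b)` would not fit B's real 24-byte chunk and would be carved from the top of the arena instead; the only thing that changed is the size field, which is exactly why size checks on chunk headers (and, in real allocators, integrity checks on free) matter.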

In May 2016, Softpedia wrote an article about a Drupal web ransomware. This malware exploits an SQL injection in the Drupal CMS, changes the admin credentials and asks for bitcoins to unlock the content. After locking the website, a piece of malware is executed on the server: After this ends, the last uploaded file is a binary file written in […]

A deep look inside a recent campaign In the malware ecosystem, some old malware families are able to adapt their propagation methods and successfully continue to infect many users. This is the case of Gamarue (aka Andromeda). I will explain here how this new Gamarue campaign spreads via malicious JavaScript in spam emails. Early […]

As you can see, we have been working on ransomware over the past few days. This time, we are talking about TeslaCrypt. TeslaCrypt is ransomware spread by e-mail or exploit kits. It encrypts your files and asks you to pay in order to retrieve the decryption key. The current version is 3.0. Many analyses […]

A piece of malware calling itself « CTB-locker » has been spreading over some websites since the 12th of February 2016. This campaign differs from classical ransomware attacks, which focus only on workstations: at first sight, CTB-locker also seems to target websites in order to encrypt all the files located on the server. I found this campaign […]

Haka is an open source, network-security-oriented language that allows writing security rules and protocol dissectors. In this first part of a two-part series, we will focus on writing security rules. What is Haka Haka is an open source, security-oriented language that allows specifying and applying security policies on live captured traffic. Haka […]

Hacking point of sale (PoS) systems is a very trendy topic. A lot of PoS malware can be found in the wild (jackPOS, gamaPOS, Backoff, FighterPOS…). At every big breach of PoS systems, the media talk about sophisticated attacks involving high skills and great tools. But sometimes, it can be very easy to compromise a PoS […]

If you are used to playing with honeypots, you have inevitably met the ELF.BillGates malware. It is a known[1] botnet that has been spreading over the Internet for 4 years. In a nutshell, ELF.BillGates is a (Chinese) DDoS botnet with backdooring features. It is a binary file with many behaviors depending on the installation path[2]: Gate 0: Infection Monitor […]