Lastline Labs

Clemens Kolbitsch

Clemens is a Security Researcher and engine developer at Lastline. As a lead developer of Anubis, he has gained profound expertise in analyzing current malicious code found in the wild. He has observed various trends in the malware community and successfully published peer-reviewed research papers. In the past, he also investigated offensive technologies, presenting results at conferences such as BlackHat.

Recent Posts

Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 3]

Posted by Clemens Kolbitsch on 11/10/16 2:25 PM

Authored by: Clemens Kolbitsch, Alexander Sevtsov, and Arunpreet Singh


Topics: Lastline Labs, lastline, vba, vba downloaders

Lifting the Seams of the Shifu "Patchwork" Malware

Posted by Clemens Kolbitsch on 9/4/15 3:55 PM

Authored by: Clemens Kolbitsch and Arunpreet Singh


Topics: Evasive Malware, Full-system Emulation, APT, Shifu, Banking Trojan

Awakening Dormant Functionality in Malware Programs

Posted by Clemens Kolbitsch on 8/26/15 10:00 AM

Authored by: Clemens Kolbitsch, Joe Giron, and Arunpreet Singh

Over recent years, we have seen a rapid evolution of security products. Whenever a new technology is introduced, it tackles shortcomings of its predecessor, but also faces new challenges as attackers adapt to the changing security landscape.


Topics: Malware Behavior, Full-system Emulation, Wild Neutron, Dormant Functionality

Does Dyre malware play nice in your sandbox?

Posted by Clemens Kolbitsch on 5/8/15 6:00 AM

Recent media coverage drew a lot of attention to a new variant of the Dyre/Dyreza malware family that is evading traditional sandbox-based analysis systems. At the same time, F-Secure highlighted similar tricks found in Tinba malware. Not only are individual families starting to detect and evade traditional sandboxes; it is becoming a much more global and mainstream trend, as we covered recently at RSA.

A recent post in our series The Hammer Strikes describes how we allow any security solution to play in our sandbox, which allows integration of the Lastline platform with other technologies already present in a customer environment.

But what if malware doesn’t want to play in your sandbox?

In this post, we highlight how malware behaves in a FUSE (full-system emulation) analysis environment, how even evasive samples can still be detected, and that it’s time to let go of traditional sandboxing approaches, as they are falling further and further behind.


Topics: Full-system Emulation, Dyreza Malware, Tinba Malware, Dyre Malware

High-Resolution Dynamic Analysis of Windows Kernel Rootkits

Posted by Clemens Kolbitsch on 3/17/15 10:00 AM

Many recently discovered sophisticated attacks against Windows users have been found to use at least one component executing in the kernel of the operating system. Examples of such APT attacks are Equation, Regin, Dark Hotel, and Turla/Uroburos, and they have received a lot of scrutiny from the security and research community.

These threats are particularly pernicious because their kernel components run with the highest level of permissions available on a computer system. As such, it is very difficult for traditional antivirus systems to detect (or protect) a computer system from these attacks, because the attacker is running with the same (or higher!) permissions as the AV solution.

At the same time, it is far from trivial to analyze such kernel-based APTs inside a traditional sandboxing system, as kernel behavior often lies outside the scope of what can be monitored using traditional hooking mechanisms.

In this post, we will show how the latest release of the Lastline Breach Detection Platform using a full-system emulation approach defeats even the latest version of kernel-based attacks. In a series of follow-up posts, we will focus on individual APT families and techniques, and detail how our sandbox can be used to analyze and detect these threats.


Topics: Malware Analysis, Turla, Uroburos, Equation, Dark Hotel, Regin, Kernel Rootkit Analysis

Analyzing an “Ultra-Advanced APT Tool” Using High-Resolution Dynamic Analysis

Posted by Clemens Kolbitsch on 5/29/14 11:02 PM

Earlier this week, Sam Bowne (@sambowne) posted a nice example of how to write a simple keylogger in a few lines of Python. He used this code to evaluate a few sandboxes, including Lastline. The full code can be found on Sam’s blog, but the essential lines can be seen in the following snippet of code:


Topics: Keyloggers

Detecting Keyloggers on Dynamic Analysis Systems

Posted by Clemens Kolbitsch on 5/28/14 9:00 AM

Authored by: Kevin Hamacher, Dario Filho, Clemens Kolbitsch

One notorious functionality present in many variants of today's advanced malware is the ability to steal sensitive user information. Having taken control of a targeted machine, an adversary has basically unlimited ability to secretly monitor the actions performed by an unsuspecting victim who uses the infected machine. The type of data stored on a typical machine, and to which the attacker has access, ranges from user account credentials (such as usernames and passwords), to financial data (such as credit card numbers or transaction secrets), and even personal data (such as social security numbers).

Very often, malware is specialized in capturing and identifying different types of information typed by the victim, allowing the collection of very specific information in which the attacker is interested. Typical examples are information entered in a login form for a specific URL, or values that resemble social security numbers (SSN) or credit card numbers.


Topics: Dynamic Malware Analysis, Keyloggers

Analyzing Environment-Aware Malware

Posted by Clemens Kolbitsch on 2/19/14 1:59 PM

A look at a Zeus Trojan variant called Citadel evading traditional sandboxes

Fighting traditional sandboxes (or dynamic analysis systems in general) typically comes in the form of detecting the analysis environment or evading analysis by means of behavior triggers, as mentioned in a previous blog post: Using High-Resolution Dynamic Analysis for BHO Trigger Detection. Some variants of the notorious Zeus trojan family use a different approach to hinder analysis: host fingerprinting.

In this evasion technique, the malware sample computes a unique fingerprint of the host when it infects the system and embeds this fingerprint inside the malware binary. Whenever the malware starts execution, a new fingerprint of the host running the program is computed and compared to the original host's fingerprint. This enables the malware sample to detect whether it is running in an unexpected environment, and to take a different set of actions in that case.

[Figure: Zeus trojan host fingerprint check]

Topics: Malware Research, Evasive Malware, Full-system Emulation

Using High-Resolution Dynamic Analysis for BHO Trigger Detection

Posted by Clemens Kolbitsch on 2/4/14 5:34 PM

Looking at how malware analysis engines have evolved over the last decade, the trend is quite obvious: dynamic analysis systems are replacing purely static ones, or at least combining elements from both approaches. While the advantages of dynamic analysis are convincing (resilience against code obfuscation or encryption), attackers have various techniques at hand to complicate dynamic analysis and possibly evade these systems.


Topics: Evasive Malware, Lastline Analyst
