Monday, November 28, 2016

Dr. Zakir Naik Hits Back With All The Answers!!!



Replies to Questions posed by PTI

Q1: Do you plan to challenge the ban in Court? If yes, when?
A: Yes, the ban will be challenged as soon as possible God willing. My legal team in Delhi and Mumbai are considering all legal options possible.

Q2: Why did you give donation of Rs 75 lakh to Rajiv Gandhi Charitable Trust?
A: IRF carries out several social programmes in education and health. It does so by donating money to several other NGOs, hospitals and educational institutions: by granting scholarships to needy students and by donating money to hospitals for the treatment of the poor who cannot pay for expensive surgeries. IRF also runs its own free medical clinic in Mumbra, Mumbai, which gives free treatment to more than 5000 patients a month. Under a similar programme, IRF donated Rs 50 lakhs to RGCT a few years ago, which the Trust later returned in July 2016 for reasons better known to them.

Q3: Do you agree that some youths who have joined ISIS have been influenced by you?
A: No, I don’t agree with that. It is atrocious even to imply that.
I am followed by more than 100 million people from across the world through television, Facebook and YouTube. Alhumdulillah, tens of thousands of people have come closer to Islam after listening to my talks and videos on topics that have ranged from Misconceptions about Islam, Qur'an & Modern Science, Education, Women’s Rights in Islam, Family Issues, Islamic View on Terrorism and Jihad & many others. I do agree that I inspire tens of thousands of people to come closer to Islam but every fan of mine may not do everything I say. Once a person comes closer to Islam, there are possibilities that he is exposed to other speakers as well, some of whom misguide them in the name of Islam. They encourage them to kill innocent people, which is totally against the Qur'an. If you listen to my talks, you will not find a single video where I have condoned terrorism or killing any innocent human beings. I’ve been giving lectures for more than 20 years and there’s not a single lecture where I’ve ever encouraged anyone to kill any other innocent human being, whether Muslim or non-Muslim. In the media and elsewhere, I am being misquoted through half sentences and out of context clips, which try to give an impression that I promote terrorism. I’m totally against terrorism. I condemn all acts of terrorism, including killing of innocent human beings, which is considered as the second major sin in Islam. Islam and Qur'an are totally against all acts of terrorism, including killing of innocent human beings. And that is what I’ve always preached.

It is wrong to imply that a few miscreants who joined terror groups were influenced by me. I’m sure you agree that I have good oratory skills. So if I was really spreading terror, wouldn’t I have made a few lakh terrorists by now? Not just a handful? The fact is that I’ve always preached peace and harmony, and how to become good human beings by following Qur'anic tenets. In a fan following of millions, there may be a handful of antisocial elements who will go astray and take up violence. But they are surely not following what I’ve told them. The moment they pick up senseless violence, they cease to be Islamic and they surely lose my support.

Q4: Theresa May was the first leader who had banned Dr Zakir Naik when she was British home minister. Why are you blaming Modi government?
A: I am not banned in the UK. I have been ‘excluded’, which means I cannot enter the UK. A ban would have meant banning my speeches on television, my NGO as well as my books, audio and video CDs. None of that has happened. My organization and my published materials are very much in circulation in the UK and doing some commendable work in spreading the message of peace in Islam. Even the exclusion in the UK was politically motivated: a few months before I was excluded, when the earlier Labour Party government was in power, the head of Counter Terrorism had sent a senior officer to request me to help them reach those Muslims whom they felt were misguided.

In fact, for my work spanning over two decades, and even after being excluded from the UK in 2010, I have been awarded some of the highest civilian awards by several countries, like Malaysia, Dubai, Sharjah and Gambia, including the King Faisal Prize for Service to Islam by King Salman of Saudi Arabia, which is the most prestigious award of the Islamic world, similar to the Nobel Prize for Peace. My talks continue to attract lakhs of people from all

It is only in India, my homeland, that even after attracting audiences of hundreds of thousands for several years I have been banned. Imagine: in the last few years before the Modi government came to power I was invited twice to the National Police Academy in Hyderabad, which is the most prestigious training institute for the Indian Police, to address the IPS officers. Most of the officers I addressed may yet be in service. Do you mean to say that this prestigious institution invited a person who promotes terrorism to address the IPS officers? This ban is truly unfortunate and undoubtedly politically motivated. Like in the UK, where the Counter Terrorism head disagreed with the exclusion but had to give in to the then Home Secretary, here in India too I am positive that the officers in the NIA and other departments, after doing thorough research for more than 4 months, may have surely realized that I am far away from promoting terrorism but have no choice but to give in to the political pressures. More unfortunately, it is also indicative of the grim state of affairs existing in my beloved homeland since the Modi government took over two-and-a-half years ago.

Q5: Why are you not coming back to India?
A: I’m an NRI and my work keeps me away for most part of the year. I’ve been away since May 2016.
As for addressing the current controversy, I’ve repeatedly offered my cooperation to governmental agencies in their investigations. Till a few days ago, no agency bothered to contact me, ask me questions, send me any notice or even lodge an FIR against me. Till date there’s been no contact and the only FIR lodged against me was done after the ban.

Q6: The NIA has found several proofs that can link IRF to ISIS. What you like to say about it?
A: Any talk of links to Anti ISIS is pure fabrication. For the past three months, there has been a concerted effort by the government and its agencies to create an air of negativity around me and label me a hatemonger. And till date, they have not provided a single proof to substantiate their claims. That is because none exist, and all that the agencies are claiming is chatter and nothing else. What I am doing now is the same work I have been doing for 25 years. Do you really think my so-called “terrorist activities” would have been hidden from multiple intelligence agencies for so long? Most of my statements quoted for banning me were made by me 8 to 18 years ago. One needs to look at these allegations from a political viewpoint. These allegations started when the current Modi government took over, and that says a lot of things.

Q7: Do you think Modi government is anti-Muslim?
A: I don’t think, I know it is anti-Muslim. The last decade and a half holds several pieces of evidence of Modi’s anti-Muslim behaviour and actions. And the most recent one is the banning of IRF, while the likes of Rajeshwar Singh, Yogi Adityanath and Sadhvi Prachi flourish under him.
But why ask me? Ask the hundreds of millions of Indian Muslims, who will tell you that Modi is anti-Muslim. And that makes him a danger to Indian democracy.

Q8: NIA claims that IRF funded Anas, a youth from Rajasthan who apparently has joined an ISIS outfit. What’s your reaction to that?
A: IRF funds education of underprivileged children from across the country. It’s been doing that for several years now. It gives scholarships of more than Rs 1 crore every year. Scholarships are given in the field of medicine, engineering, management studies accountancy, etc. Thousands of needy students have benefitted from it over the years.

I’m in no position to confirm or refute IRF funding Anas because all of IRF’s documents have been taken away after the ban. I can tell you that it is highly improper - and childish - to allege that IRF’s scholarship money was used to “fund terror”. That is not possible because the scholarship amount goes straight to the institution and not to the student. Once the student submits the fee structure of his institution, a cheque is made out in the name of the institution and sent directly to the institution. In some cases, the student may have paid the fees by taking loans or organising money from someone if the last date is due. In such a case, IRF pays into the student's account directly. Can anyone digest the claim that IRF funds terror and that, out of Rs 64 crores received in the past 25 years, it used only Rs 80,000 for funding terror?

Q9: There are allegations of money laundering by IRF in the funds received from abroad. Your reaction.
A: There is a concerted witch hunt going on with the objective of implicating me by hook or by crook. The 47 crore in question came from my personal account in Dubai to my personal account in Mumbai over the last six-plus years. It was duly declared by me in my returns and used for lawful activities, including giving gifts and loans to my family members. I don’t know where the problem is in that. The media has claimed that government authorities disclosed that Dr Zakir Naik's family members have received money from Middle Eastern countries. I challenge the authorities to prove that any of my immediate family members have received even a small fraction of the 47 crores from Middle Eastern countries that they are claiming.
Here is a perspective. Every year more than 12 billion US dollars (over Rs 80,000 crores) is officially sent from the UAE to India by NRIs, and a majority of that amount is sent by non-Muslims. I have sent an average of Rs 7.8 crores a year back to India in the past 6 years (total Rs 47 crores). It is all official. It is the money I earned as an NRI, sent back to India through official channels. What is illegal about it? There are hundreds of non-Muslims sending more than a hundred crore rupees every year from the UAE to India. Let me remind you that out of the list of the 100 richest Indians living in the Gulf countries, 80% are non-Muslims.
There is another figure of Rs 64 crores that the media says the ED is claiming IRF collected illegally. Although I cannot confirm this figure as accurate because we no longer have the documents with us, it is surely the amount received by IRF in donations over the last 25 years. That is close to Rs 2.50 crores per year, less in earlier years and more in later years. More importantly, what the NIA is not saying is that more than Rs 50 crores out of the total are donations received from Indians living right here in India.
IRF received about Rs 14 crores in the FCRA account over the past 15 years. Out of this, about Rs 4 crores were from NRIs living abroad. Only about Rs 10 crores were received from foreign donors in the last 15 or so years. All of this was duly declared to the MHA, including the amounts, the names and the addresses of the donors. So where is the question of money laundering?
If the government really thinks IRF is doing money laundering, then why do they not ban and close down all the institutions we have given donations to, which were published in the media? All the donations we gave to all the organizations and institutions are legal and within the framework of the law. Why do they only talk about the Rajiv Gandhi Trust? Why do they not close down the Kirti Somaiya Trust in Sion, Mumbai, Nair Hospital in Mumbai Central, the Devilal Memorial Trust, the Association of Management Studies and many others, as published in the media a few days ago? Why are they only after the IRF Educational Trust, which is managing the Islamic International School? The answer is that they want to misuse their power on minorities. If they have the guts, why do they not ban and close down 100% of all the organizations we have funded?

Q10: Has anyone promised you help ?
A: By the grace of the Almighty, my work and following are spread across the world. I have received from several Muslim countries a response better than what I had expected. If it comes to that, God willing many Muslim countries will roll the red carpet for this humble servant of Allah.

Q11. Have you got the passport of Malaysia?
A: The Indian media has repeated hundreds of times in the last 4 months that I was banned in Malaysia. Now it does a somersault and says that I have been given a Malaysian passport. How can a person who is banned in a country be given a passport of that country?
Both these reports are absolutely false without any proof.

Q12. Some allege that the Zakat money received by IRF is not utilized as per the Islamic law?
A: Not all the money received by IRF is from Zakaat. Alhamdulillah, every rupee received as Zakaat is utilized as per the Islamic rules of Zakaat. All donations and Zakaat received are utilized appropriately as per the rules of Shariah (Islamic law) and the donor's request, if any (as long as the request is permitted by Shariah).

#IndiaToday #TimesNow #CNN #BBC #NDTV #AajTak #India #IncredibleIndia

Friday, November 4, 2016

Successor For Hubble Telescope:

The Hubble Space Telescope, the largest space telescope of its time, was launched in 1990 into low Earth orbit at an altitude of around 559 km. Its orbital speed is about 7.5 km/s, i.e. roughly 27,000 km per hour.

The Hubble Space Telescope cost around 2.5 billion USD.

NASA is now working on a new telescope, billed as Hubble's successor, which is considerably bigger than Hubble and will be about 100 times more powerful. An Ariane 5 rocket is scheduled to launch the new space telescope in October 2018.

The goal of the new telescope is to observe the earliest galaxies that formed in the universe.


Post created by
newWorld

Monday, October 10, 2016

How true is the statement "The best minds of my generation are thinking about how to make people click ads"?

Who works on advertisement optimization?
It is true that companies like Google, Yahoo, Facebook, Netflix and Microsoft have big research departments with a lot of highly educated and smart people who do a lot of mathematics to optimize their business models. At least Microsoft, Netflix and Yahoo publish a lot of papers in the field.
Most of the time these researchers come from famous universities or have close partnerships with them.
My former university, the Hasso-Plattner-Institut, is e.g. involved in research together with SAP, IBM, Microsoft and Schufa.

What are they doing?
The papers are most of the time about mathematical models to predict the future on a solid basis. Typical problems that you have in advertisement are:

  1. Hypothesis testing
  2. Explore/exploit dilemma
  3. Clustering target groups
  4. Big data issues
  5. Online learning
  6. Calculating and maintaining quantiles on the fly
  7. Parallel execution
  8. Marginal utility
  9. Non-linear optimization

These techniques are not only useful for optimizing advertisement; the methodology that is developed can be adapted by other people as well.
E.g. a lot of the techniques that are used to find the best ad with minimal loss come originally from medical trials that tried to minimize deaths while finding the best drug.

The important thing is that these results get published and are usable for other researchers.
At least the following industries should use the models from advertisement:

  • engineering
  • healthcare
  • construction
  • aerospace
  • project management
  • country budget allocation

Currently it is still a challenge to do so.

So you would say that the people optimizing advertisement are wasting their talent and instead should cure cancer or decrypt our DNA.
The truth is that they might develop the methodology to actually do so.

Getting paid for developing is a must. Unfortunately ads are currently a well paid business.
Nevertheless, I know a lot of people working for the Silicon Valley companies, and one of their preconditions is that they are allowed to publish their work.
If you go to google scholar you might want to search for papers from:

  • Yehuda Koren
  • Deepak Agarwal
  • Weinan Zhang
  • Mark Slee
  • Torben Brodt

They all work for famous companies and they try to make the world better by participating in the global research space.

So from my perspective to answer the two questions:

The best minds of my generation are thinking about how to make people click ads.

  • Yes, this is true


  • No, as long as they publish their work and it can be used to cure cancer they are doing a great job

The Prize in Economic Sciences 2016:

The Prize in Economic Sciences 2016 is awarded to
Oliver Hart and Bengt Holmström
“for their contributions to contract theory”
What is Contract theory?
Contract theory provides us with a general means of understanding contract design. One of the theory’s goals is to explain why contracts have various forms and designs. Another goal is to help us work out how to draw up better contracts, thereby shaping better institutions in society. Should providers of public services, such as schools, hospitals, or prisons, be publicly or privately owned? Should teachers, healthcare workers, and prison guards be paid fixed salaries or should their pay be performance-based? To what extent should managers be paid through bonus programmes or stock options?
Contract theory does not necessarily provide definitive or unique answers to these questions. However, the power of the theory is that it enables us to think clearly about the issues involved and help us understand the potential pitfalls when designing new contracts.
PRESS RELEASE: goo.gl/QFe99s
POPULAR INFORMATION: goo.gl/1WIbyg
SCIENTIFIC BACKGROUND: goo.gl/cH2htK
From the Press release:
The long and the short of contracts
Modern economies are held together by innumerable contracts. The new theoretical tools created by Hart and Holmström are valuable to the understanding of real-life contracts and institutions, as well as potential pitfalls in contract design. Society’s many contractual relationships include those between shareholders and top executive management, an insurance company and car owners, or a public authority and its suppliers. As such relationships typically entail conflicts of interest, contracts must be properly designed to ensure that the parties take mutually beneficial decisions. This year’s laureates have developed contract theory, a comprehensive framework for analysing many diverse issues in contractual design, like performance-based pay for top executives, deductibles and co-pays in insurance, and the privatisation of public-sector activities.

In the late 1970s, Bengt Holmström demonstrated how a principal (e.g., a company’s shareholders) should design an optimal contract for an agent (the company’s CEO), whose action is partly unobserved by the principal. Holmström’s informativeness principle stated precisely how this contract should link the agent’s pay to performance-relevant information. Using the basic principal-agent model, he showed how the optimal contract carefully weighs risks against incentives. In later work, Holmström generalised these results to more realistic settings, namely: when employees are not only rewarded with pay, but also with potential promotion; when agents expend effort on many tasks, while principals observe only some dimensions of performance; and when individual members of a team can free-ride on the efforts of others.
In the mid-1980s, Oliver Hart made fundamental contributions to a new branch of contract theory that deals with the important case of incomplete contracts. Because it is impossible for a contract to specify every eventuality, this branch of the theory spells out optimal allocations of control rights: which party to the contract should be entitled to make decisions in which circumstances? Hart’s findings on incomplete contracts have shed new light on the ownership and control of businesses and have had a vast impact on several fields of economics, as well as political science and law. His research provides us with new theoretical tools for studying questions such as which kinds of companies should merge, the proper mix of debt and equity financing, and when institutions such as schools or prisons ought to be privately or publicly owned. Through their initial contributions, Hart and Holmström launched contract theory as a fertile field of basic research. Over the last few decades, they have also explored many of its applications. Their analysis of optimal contractual arrangements lays an intellectual foundation for designing policies and institutions in many areas, from bankruptcy legislation to political constitutions.
#NobelPrize

Sunday, August 28, 2016

I Have A Dream!!!

On August 28, 1963, Martin Luther King Jr. called for an end to racism in the USA and for civil and economic rights in the country. Nearly two hundred fifty thousand civil rights supporters witnessed the speech, which went on to inspire millions to stand by that dream.

Everyone must have a dream, but few dreams are worth enough to inspire millions. Dr. Martin Luther King's was, and it did.

Thursday, August 25, 2016

Submarine secret Leak

Highly classified information on what makes the six submarines being built in Mumbai so crucial for India's security has been leaked: more than 22,000 pages that serve as the operating manual of the Scorpene submarine have been made available, with excerpts released online by an Australian newspaper.

The Scorpenes, being built for 3.5 billion dollars at the Mazgaon docks in Mumbai, are considered some of the most advanced submarines of their class in the world. They are so quiet underwater that they are extremely difficult, if not impossible, to detect. But now their sonar capabilities, the noise they generate and details of the combat system they carry are exposed.

HIGHLIGHTS
  •  Secret combat capability of 6 Scorpene submarines leaked
  •  Submarines being built at Mazgaon docks in Mumbai
  •  French manufacturer DCNS landed the $3.5 billion deal
Post by
newWorld

Saturday, August 20, 2016

Malware Abusing SWIFT Banking

SWIFT is aware of malware that aims to reduce financial institutions' ability to evidence fraudulent transactions on their local systems. Contrary to reports that suggest otherwise, this malware has no impact on SWIFT's network or core messaging services.
 
Threat Actor
The attribution rests on shared subroutines: the file-wiping routine found in the SWIFT intrusion samples also appears in malware already attributed to the Lazarus group, which is believed to operate from North Korea. The original findings held that these were the only two pieces of software carrying this shared code.
 
The Anomali Labs team conducted deeper research into a very large malware data repository, using the YARA signature below to search for the shared subroutines. At first we believed it would produce a lot of false positives. Instead, the search not only produced no false positives but also turned up five other pieces of malware that share this code. We see this as a possible link between the Lazarus group attacks and the other attacks that involved these same five pieces of malware.
 
Malware family            | MD5 hash                         | Notes
SWIFT BanSwift            | 5d0ffbc8389f27b0649696f0ef5b3cfe | evchk.bat dropper
SWIFT Fake Foxit Reader   | 0b9bf941e2539eaa34756a9e2c0d5343 | A fake Foxit Reader submitted to VirusTotal from Vietnam in December 2015 (similar sample detailed at https://blogs.mcafee.com/mcafee-labs/attacks-swift-banking-system-benefit-insider-knowledge/)
SMBWorm                   | 558b020ce2c80710605ed30678b6fd0c | Known North Korean malware
Memory dump with SMBWorm  | 96f4e767aa6bb1a1a5ab22e0662eec86 |
Unknown "hkcmd" tool      | b0ec717aeece8d5d865a4f7481e941c5 | First submitted from Canada on 2016/04/22, likely by an AV organization; PE build date of December 2010
imkrmig.exe               | 5a85ea837323554a0578f78f4e7febd8 | An unknown backdoor posing as a Korean sample of Microsoft Office 2007
Table 1. Malware families and samples known to include the Lazarus wipe-file routine.
rule AnomaliLABS_Lazarus_wipe_file_routine {
    meta:
        author = "aaron shelmire"
        date = "2015 May 26"
        desc = "Yara sig to detect File Wiping routine of the Lazarus group"
    strings:
        /* random file-name generator used before deletion:
           99 cdq | B9 1A 00 00 00 mov ecx,1Ah | F7 F9 idiv ecx | 80 C2 61 add dl,61h ('a')
           88 16 mov [esi],dl | 8A 46 01 mov al,[esi+1] | 46 inc esi | 84 C0 test al,al
           i.e. each byte of the name becomes 'a' + rand() % 26 */
        $rand_name_routine = { 99 B9 1A 00 00 00 F7 F9 80 C2 61 88 16 8A 46 01 46 84 C0 }
        /* imports for overwrite function */
        $imp_getTick = "GetTickCount"
        $imp_srand = "srand"
        $imp_CreateFile = "CreateFileA"
        $imp_SetFilePointer = "SetFilePointer"
        $imp_WriteFile = "WriteFile"
        $imp_FlushFileBuffers = "FlushFileBuffers"
        $imp_GetFileSizeEx = "GetFileSizeEx"
        $imp_CloseHandle = "CloseHandle"
        /* imports for rename function */
        $imp_strrchr = "strrchr"
        $imp_rand = "rand"
        $Move_File = "MoveFileA"
        $Move_FileEx = "MoveFileEx"
        $imp_RemoveDir = "RemoveDirectoryA"
        $imp_DeleteFile = "DeleteFileA"
        $imp_GetLastError = "GetLastError"
    condition:
        $rand_name_routine and (11 of ($imp_*)) and (1 of ($Move_*))
}
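To make the rule's condition concrete, here is an added example (not Anomali's code) that re-implements its three clauses in pure Python and runs them against constructed buffers, so the "11 of 13 imports" threshold can be exercised without a YARA installation. The fake binaries built by build_sample() are stand-ins, not real malware, and random_name() is a readable rendering of what the 19-byte code pattern computes.

```python
"""Pure-Python evaluation of the AnomaliLABS_Lazarus_wipe_file_routine rule logic.

Added example, not Anomali's code: it re-implements the condition
"$rand_name_routine and (11 of ($imp_*)) and (1 of ($Move_*))" so the
threshold behaviour can be exercised without a YARA install. The buffers it
scans are constructed with build_sample() and are not real malware.
"""
import random
from typing import Dict, List

# 99 cdq | B9 1A000000 mov ecx,1Ah | F7F9 idiv ecx | 80C261 add dl,61h ('a')
# 8816 mov [esi],dl | 8A4601 mov al,[esi+1] | 46 inc esi | 84C0 test al,al
# i.e. every byte of the target name is replaced by 'a' + rand() % 26.
RAND_NAME_ROUTINE = bytes.fromhex("99B91A000000F7F980C26188168A46014684C0")

# The 13 $imp_* strings of the rule; 11 of them must be present.
IMPORTS: List[bytes] = [
    b"GetTickCount", b"srand", b"CreateFileA", b"SetFilePointer", b"WriteFile",
    b"FlushFileBuffers", b"GetFileSizeEx", b"CloseHandle", b"strrchr", b"rand",
    b"RemoveDirectoryA", b"DeleteFileA", b"GetLastError",
]
# The two $Move_* strings; at least one must be present.
MOVE_IMPORTS: List[bytes] = [b"MoveFileA", b"MoveFileEx"]


def evaluate_rule(data: bytes) -> Dict[str, object]:
    """Apply the rule's three clauses to one buffer and report what matched."""
    imp_hits = [name for name in IMPORTS if name in data]      # YARA string match = substring
    move_hits = [name for name in MOVE_IMPORTS if name in data]
    routine = RAND_NAME_ROUTINE in data
    return {
        "rand_name_routine": routine,
        "imp_hits": imp_hits,
        "move_hits": move_hits,
        "match": routine and len(imp_hits) >= 11 and len(move_hits) >= 1,
    }


def random_name(length: int, seed: int = 0) -> str:
    """Python rendering of what the detected routine computes: 'a' + rand() % 26 per byte."""
    rng = random.Random(seed)
    return "".join(chr(ord("a") + rng.randrange(26)) for _ in range(length))


def build_sample(include_routine: bool, n_imports: int, include_move: bool) -> bytes:
    """Construct a fake binary: stub header, NUL-terminated import names, optional code stub."""
    parts = [b"MZ" + bytes(62)]                       # stand-in for a PE header
    parts += [name + b"\x00" for name in IMPORTS[:n_imports]]
    if include_move:
        parts.append(b"MoveFileExA\x00")              # matches $Move_FileEx as a substring
    parts.append(bytes(32))
    if include_routine:
        parts.append(RAND_NAME_ROUTINE)
    parts.append(bytes(32))
    return b"".join(parts)


if __name__ == "__main__":
    for label, sample in [
        ("full sample", build_sample(True, 13, True)),
        ("only 10 imports", build_sample(True, 10, True)),
        ("no rename import", build_sample(True, 13, False)),
    ]:
        result = evaluate_rule(sample)
        print(f"{label:18s} imports={len(result['imp_hits']):2d} match={result['match']}")
    print("example wiped-file name:", random_name(8))
```

Two things the rule's plain-string matching implies, and which the code reproduces: `$imp_rand = "rand"` is also satisfied by an import table that only contains "srand", and `$Move_FileEx = "MoveFileEx"` fires on "MoveFileExA" or "MoveFileExW". The 19-byte code pattern is what keeps the rule specific; the import clauses only confirm the overwrite-and-rename capability around it.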
 
 
Other previously known Lazarus Group samples:
 
138464214c78a73e3714d784697745acbf692ef40419d31418e4018e752cb92b
bdcfa3b6ca6b351e76241bca17e8f30cc8f35bed0309cee91966be9bd01cb848
ddebee8fe97252203e6c943fb4f9b37ade3d5fefe90edba7a37e4856056f8cd6
4d4b17ddbcf4ce397f76cf0a2e230c9d513b23065f746a5ee2de74f447be39b9
e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a
eff542ac8e37db48821cb4e5a7d95c044fff27557763de3a891b40ebeb52cc55
f6cb8343444771c3d03cc90e3ac5f76ff9a4cb9cd41e65c3b7f52b38b20c0c27
 
 
Mode of entry - How intrusions usually occur
 
Even though in this case we do not have all the information about the attack, intrusions usually follow the steps below:
 
Gaining access to the internal network
 
This is the first challenge every external intrusion must overcome. Access to the internal network lets the attackers move laterally (reach other systems with the same privileges as the one already compromised) and, eventually, vertically (gain more privileges in the network).
To gain access to the internal network, attackers mostly use two methods:
 
- Phishing campaign
A successful phishing campaign targeting the company and deploying a backdoor gives the attackers a connection to at least one computer inside the company, from which they can start to move laterally and vertically.
 
- RCE vulnerability or misconfiguration in the external network
Due to a misconfiguration, or a vulnerability that allows remote code execution (RCE), the attacker is able to execute commands on an exposed host.
 
This is probably what happened at Bangladesh Bank, which was using outdated switches, without firewalls, to connect to the SWIFT infrastructure.
 
Taking control of the internal network
 
Once the attackers have gained access to the internal network, they usually need to escalate privileges, all the way up to the most privileged user (for example Domain Administrator in Windows networks). This way they can move freely around the network, enter any system and eventually access all the data in it. This is usually carried out by exploiting vulnerabilities in applications or in the operating system; social engineering can also achieve this goal. In some cases this second step is not necessary, because the attackers may already have reached the systems needed to perform the attack.
 
Files used for the investigation:
MD5: 0b9bf941e2539eaa34756a9e2c0d5343
MD5: 909e1b840909522fe6ba3d4dfd197d93
 
 
Entry point:
In the case of the Vietnamese bank, the file used for the attack is a fake version of the popular PDF reader Foxit. The malware installs itself in the original Foxit installation directory and renames the original executable to FoxltReader.exe (with a lowercase l in place of the i).
 
Once the user starts the fake reader, the malware executes and writes a log file to C:\Windows\temp\WRTU\ldksetup.tmp. Analyzing this file, we see that the log data is XOR-encoded with the single-byte key 0x47.
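The following added example (not code from the original analysis) decodes such a log. xor_bytes() undoes the 0x47 encoding described above; recover_key() is a generic printable-text heuristic, not something the analysis describes, for the case where another build of the sample uses a different constant. The log content embedded in SAMPLE_PLAINTEXT is constructed for the demonstration and is not a real ldksetup.tmp.

```python
"""Decode the single-byte-XOR log written by the fake Foxit Reader.

Added example, not code from the original analysis: xor_bytes() undoes the 0x47
encoding described above, and recover_key() is a generic printable-text heuristic
(not something the analysis describes) for samples that use a different constant.
SAMPLE_PLAINTEXT is a constructed stand-in for the log, not a real ldksetup.tmp.
"""
from pathlib import Path
from typing import Tuple

KNOWN_KEY = 0x47


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return good / len(data)


def recover_key(data: bytes) -> Tuple[int, float]:
    """Brute-force all 256 keys and return the one whose output looks most like text."""
    best = max(range(256), key=lambda k: printable_ratio(xor_bytes(data, k)))
    return best, printable_ratio(xor_bytes(data, best))


def decode_log_file(path: Path, key: int = KNOWN_KEY) -> str:
    """Read an encoded log from disk (e.g. WRTU\\ldksetup.tmp) and return it as text."""
    return xor_bytes(path.read_bytes(), key).decode("latin-1")


# Constructed sample: what a decoded log might look like, then re-encoded with 0x47.
SAMPLE_PLAINTEXT = (b"[2015-12-09 10:21:33] FoxltReader.exe started\r\n"
                    b"[2015-12-09 10:21:34] hook installed\r\n")
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, KNOWN_KEY)

if __name__ == "__main__":
    key, score = recover_key(SAMPLE_ENCODED)
    print(f"recovered key 0x{key:02X} (printable ratio {score:.2f})")
    print(xor_bytes(SAMPLE_ENCODED, key).decode("latin-1"), end="")
```

On a real log, run decode_log_file() with the known key first; fall back to recover_key() only when the output is not readable, and treat a top score well below 1.0 as a sign that the encoding is not a single-byte XOR.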
Was this malware part of a targeted attack?
Yes, absolutely. As in the malware used against the Bangladeshi bank, we found the SWIFT code of the target in multiple places in the malware.
Yara rules:
rule banswift : banswift {
    meta:
        description = "Yara rule to detect samples that share wiping function with banswift"
        threat_level = 10
    strings:
        /* Set-up of the overwrite: zero-fills a ~4 KiB stack buffer, stores a handful of fixed
           bytes around its start, and pushes the arguments of a CreateFileA call right to left:
           hTemplateFile=0, FILE_ATTRIBUTE_NORMAL (80h), OPEN_EXISTING (3), lpSecurityAttributes=0,
           dwShareMode=0, GENERIC_WRITE (40000000h), lpFileName (eax). */
        $snippet1 = { 88 44 24 0D B9 FF 03 00 00 33 C0 8D 7C 24 2D C6 44 24 2C 5F 33 DB F3 AB 66 AB 53 68 80 00 00 00 6A 03 53 AA 8B 84 24 40 10 00 00 53 68 00 00 00 40 50 C6 44 24 2A FF 88 5C 24 2B C6 44 24 2C 7E C6 44 24 2D E7 }
        /*
        88 44 24 0D             mov  [esp+102Ch+var_101F], al
        B9 FF 03 00 00          mov  ecx, 3FFh
        33 C0                   xor  eax, eax
        8D 7C 24 2D             lea  edi, [esp+102Ch+var_FFF]
        C6 44 24 2C 5F          mov  [esp+102Ch+var_1000], 5Fh
        33 DB                   xor  ebx, ebx
        F3 AB                   rep stosd
        66 AB                   stosw
        53                      push ebx            ; _DWORD
        68 80 00 00 00          push 80h            ; _DWORD
        6A 03                   push 3              ; _DWORD
        53                      push ebx            ; _DWORD
        AA                      stosb
        8B 84 24 40 10 00 00    mov  eax, [esp+103Ch+arg_0]
        53                      push ebx            ; _DWORD
        68 00 00 00 40          push 40000000h      ; _DWORD
        50                      push eax            ; _DWORD
        C6 44 24 2A FF          mov  [esp+1048h+var_101E], 0FFh
        88 5C 24 2B             mov  [esp+1048h+var_101D], bl
        C6 44 24 2C 7E          mov  [esp+1048h+var_101C], 7Eh
        C6 44 24 2D E7          mov  [esp+1048h+var_101B], 0E7h
        */
        /* Fill pattern: replicates the low byte of eax into all four bytes of a dword and
           writes it 400h times (4 KiB) with rep stosd, i.e. a single-byte overwrite pattern. */
        $snippet2 = { 25 FF 00 00 00 B9 00 04 00 00 8A D0 8D 7C 24 30 8A F2 8B C2 C1 E0 10 66 8B C2 F3 AB }
        /*
        25 FF 00 00 00          and  eax, 0FFh
        B9 00 04 00 00          mov  ecx, 400h
        8A D0                   mov  dl, al
        8D 7C 24 30             lea  edi, [esp+30h]
        8A F2                   mov  dh, dl
        8B C2                   mov  eax, edx
        C1 E0 10                shl  eax, 10h
        66 8B C2                mov  ax, dx
        F3 AB                   rep stosd
        */
    condition:
        all of ($snippet*)
}
In the code, we found that the malware uses the legitimate fpdsdk.dll library from the Foxit SDK to perform the transformation of the files.

IOC details for this BBSwift malware:
Malicious URL (defanged):
hxxp://196(.)202(.)103(.)174/al?
 
Network IOC Detection Example for this malware:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Possible BBSwift/Banswift/Bankswi/Alreay/TSPY_ALSOF status report HTTP Outbound"; content:"GET"; http_method; content:"|2F|al|3F 2D 2D 2D|"; http_uri; fast_pattern; pcre:"/^GET\x20.*\x2F\x2D{3}[CNO]$/U"; classtype:trojan-activity; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; sid:9000000; rev:1;)
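For analysts who have proxy logs rather than a running IDS, here is an added example (not from BAE Systems or the original post) that applies the signature's logic to log lines. Two quirks of the rule as printed are worth knowing before deploying it: the pcre's /U modifier binds it to the normalized URI buffer, which does not carry the "GET " the pattern starts with, and its \x2F\x2D{3} requires "/---" where the content match has "?---". The regex below therefore encodes the evident intent (a GET whose URI contains "/al?---" and ends in one of C, N or O). The log format, client addresses and the example.com entries are constructed; only the 196.202.103.174 address comes from the IOC above.

```python
r"""Apply the BBSwift status-report signature's logic to proxy log lines.

Added example, not from BAE Systems or the original post. The signature's two tests
are the content match on "/al?---" in the URI and a trailing status letter C, N or O.
As printed, the pcre has two quirks: its /U modifier binds it to the normalized URI
buffer, which does not carry the "GET " the pattern starts with, and its \x2F\x2D{3}
requires "/---" where the content match has "?---". The regex below encodes the
evident intent and is run over constructed log lines, not real traffic.
"""
import re
from typing import Dict, List, Optional

CONTENT_MARKER = "/al?---"                                    # the rule's fast_pattern content, |2F|al|3F 2D 2D 2D|
REQUEST_LINE_RE = re.compile(r"^GET\x20\S*/al\?---[CNO]$")    # intent of the rule's pcre


def status_letter(method: str, uri: str) -> Optional[str]:
    """Return the trailing status letter when a request matches, else None."""
    if method != "GET" or CONTENT_MARKER not in uri:
        return None
    return uri[-1] if REQUEST_LINE_RE.match(f"{method} {uri}") else None


# Constructed proxy log (not real traffic): time client method url status bytes
SAMPLE_LOG = """\
2016-05-02T08:14:03Z 10.20.1.15 GET http://196.202.103.174/al?---C 200 17
2016-05-02T08:14:09Z 10.20.1.15 GET http://196.202.103.174/al?---N 200 17
2016-05-02T08:15:44Z 10.20.1.22 GET http://example.com/al?---X 404 0
2016-05-02T08:16:10Z 10.20.1.31 POST http://196.202.103.174/al?---O 200 0
2016-05-02T08:17:27Z 10.20.1.40 GET http://example.com/images/al?---O.png 200 812
"""


def uri_of(url: str) -> str:
    """Strip scheme and host from an absolute URL, leaving the request URI."""
    parts = url.split("/", 3)
    return "/" + parts[3] if len(parts) == 4 else "/"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line that matches the signature logic."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, method, url = fields[:4]
        letter = status_letter(method, uri_of(url))
        if letter:
            hits.append({"time": ts, "client": client, "url": url, "status": letter})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['url']} (status report {hit['status']})")
```

Only the first two lines of the sample match: the third ends in a letter outside [CNO], the fourth is a POST, and the fifth carries the marker but not at the end of the URI. The same checks, in that order, are what the Snort rule's content match and pcre are meant to perform.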
 
 
Conclusion
In both attacks we can see that the attackers did their reconnaissance properly and may have used an insider to get the details they needed to prepare their attacks. In the Bangladeshi case, for example, the malware samples are tuned to the environment and to how the banking system operates, including the supported software, databases and printer. In the Vietnamese case the malware is also tuned to the environment: the attackers knew that the bank used Foxit and replaced it with a fake version. The attackers have a very good understanding of the SWIFT messaging system and of how to manipulate it to prevent detection of their fraudulent transfer attempts. The malware in each attack was compiled just before the attack happened.
Although both attacks were discovered at some point during the attempts to transfer large amounts of money, the actors may well have executed a few test runs to check their operations before the real attacks.



