As you may have noticed, over the last month or so, both this site and Portcullis Labs have moved from being accessible over plain-text HTTP to only being accessible over HTTPS. In doing so, Portcullis are acknowledging that not only are your personal details important to us, but that the days of being able to trust what your browser downloads are fast disappearing.

Portcullis is very pleased to have been accepted onto the CESG-supported CREST Cyber Security Incident Response (CSIR) Scheme. That Portcullis’ application was accepted at the first attempt demonstrates the validity of the approach taken with our CTADS™ incident response service since its launch in 2010.

As part of an ongoing review of how our research activities have performed, we’ve taken the opportunity to redefine our process of disclosing vulnerabilities to better align with current good practice. As a result of this, we’ve prepared a new Co-ordinated Disclosure Policy and assigned members of our technical team to drive the processes that underpin it.

The first change is that we’ve moved from Responsible to Co-ordinated. This is largely a semantic change, but reflects the mature industry view that using the word responsible is loaded and puts researchers in a difficult position even where they have attempted to co-ordinate a disclosure. This is a view that has previously been recognised by Microsoft amongst others, so we believe the market is ready for the change.

We are pleased to announce, following the launch of G-Cloud 4, that Portcullis Computer Security Ltd has been selected as a supplier under the new G-Cloud framework.

As a leading provider of information security services, Portcullis is authorised to provide Information Assurance and Cyber Security Services under Lot 4 of the programme which covers Specialist Cloud Services.

Portcullis’ Consultants help our clients to effectively manage the gamut of security risks that threaten to compromise their networks or steal their intellectual property. Portcullis enables companies to turn information security into a business driver for their organisation.

To coincide with our 21st birthday on November 11th, Portcullis Computer Security Ltd is pleased to announce that it has been awarded certification to ISO 27001, the internationally recognised standard for information security management. Achieving this independently verified status demonstrates that Portcullis, as an organisation, adheres strictly to industry best practice and has implemented a robust management framework for the governance of information security.

Achieving ISO 27001 certified status means that Portcullis has had to meet over 100 different checks and balances relating to the storage, security and handling of confidential data. Consequently our clients can rest assured that their valuable information is safe in our hands.

Over the past few weeks, Portcullis has shared two parts of a three-part series on “MutexName: UFR_Stealer_2600”. Part 1 focussed on a one-shot information-stealing malware, while part 2 discussed information gathering.

In this final article, part 3, we go through the data-exfiltration steps, which involve data compression and encryption, and finally analyse the few anti-reversing tricks present in this malware sample.

Data exfiltration

Now that the malware is finished collecting data from the host, it will go through a series of steps in order to compress, encrypt, and finally send the data over to the attacker’s FTP server.

The following is part 2 of a series of 3 blog posts. In this article we go through the preparation stage for exfiltrating the stolen data: it starts with connecting to a remote FTP server and continues with temporarily storing, on the host, the data that will later be sent to the attacker.

Part 1 focussed on a one-shot information-stealing malware; if you have missed the first article, it is worth reading before this one.

Connecting to the FTP server

The malware will initially retrieve the local date/time in the following format: “d-m-y_h-m-s”.
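The excerpts above (parts 2 and 3) give a defender two things to key on: the staged data is named with a local “d-m-y_h-m-s” timestamp, and what finally goes to the attacker’s FTP server has been compressed and then encrypted. The following Python is an added example, not code from the original posts or from the analysed sample: it walks a constructed FTP command log, parses any STOR file name in that timestamp format, requires the embedded timestamp to be close to the upload time (a file the malware names as it runs will be uploaded moments later; an old backup that happens to use the same naming will not), and then checks the uploaded bytes for the high Shannon entropy that compressed-then-encrypted data shows. The log format, the assumption that the timestamp names the uploaded file (the excerpt only states the format is retrieved), the 5-minute skew window and the 7.0 entropy threshold are all assumptions of this example.

```python
import math
import random
import re
from collections import Counter
from datetime import datetime, timedelta

# ---- Constructed sample data: not captured from the analysed sample ----
# Generic FTP server command log, "<date> <time> <client> <command> [argument]".
SAMPLE_FTP_LOG = """\
2013-11-13 10:22:40 10.0.0.7 USER upload
2013-11-13 10:22:40 10.0.0.7 PASS ********
2013-11-13 10:22:41 10.0.0.7 STOR 13-11-2013_10-22-41.dat
2013-11-13 10:25:03 10.0.0.9 STOR quarterly_report.txt
2013-11-13 10:30:12 10.0.0.7 STOR 13-11-2013_10-30-12.dat
2013-11-13 11:02:55 10.0.0.9 STOR 01-02-2013_09-00-00.bak
"""

# Bytes that were uploaded, keyed by file name. The two .dat blobs are seeded
# pseudo-random bytes standing in for compressed-then-encrypted output; the
# others are plain text, including a "backup" whose name merely looks similar.
_rng = random.Random(7)
UPLOADED_CONTENT = {
    "13-11-2013_10-22-41.dat": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "13-11-2013_10-30-12.dat": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "quarterly_report.txt": b"Quarterly report. Revenue was up in all regions. " * 80,
    "01-02-2013_09-00-00.bak": b"backup of config, plain text, nothing secret here. " * 80,
}

# d-m-y_h-m-s as the post describes it; the year may be 2 or 4 digits (assumption).
TIMESTAMP_NAME = re.compile(r"^(\d{1,2}-\d{1,2}-(?:\d{4}|\d{2}))_(\d{1,2}-\d{1,2}-\d{1,2})")
LOG_LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+)(?: (.*))?$")


def parse_timestamp_name(filename):
    """Return the datetime encoded in a d-m-y_h-m-s file name, or None if it has none."""
    m = TIMESTAMP_NAME.match(filename)
    if not m:
        return None
    stamp = m.group(1) + "_" + m.group(2)
    for fmt in ("%d-%m-%Y_%H-%M-%S", "%d-%m-%y_%H-%M-%S"):
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            continue
    return None


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for a constant stream, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_uploads(log_text, contents, max_skew=timedelta(minutes=5), entropy_threshold=7.0):
    """STOR commands whose file name carries a timestamp near the upload time
    and whose content looks compressed/encrypted. Returns one dict per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        when, client, command, argument = m.groups()
        if command != "STOR" or not argument:
            continue
        stamped = parse_timestamp_name(argument)
        if stamped is None:
            continue
        logged = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        if abs(logged - stamped) > max_skew:
            continue  # timestamp-style name, but not generated at upload time
        entropy = shannon_entropy(contents.get(argument, b""))
        if entropy < entropy_threshold:
            continue  # readable content, not a compressed+encrypted blob
        hits.append({"client": client, "file": argument,
                     "stamped": stamped, "entropy": round(entropy, 2)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE_FTP_LOG, UPLOADED_CONTENT):
        print(hit)
```

Run against the constructed log, only the two `.dat` uploads from 10.0.0.7 are reported: `quarterly_report.txt` has no timestamp name, and `01-02-2013_09-00-00.bak` has one but it is months old and the content is plain text. In a real deployment the entropy check needs the transferred bytes (from a proxy or full packet capture), and legitimately encrypted uploads will also score high, so treat the two signals together as a triage filter rather than a verdict.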

The following is part 1 of a series of 3 blog posts, in which we go through an information-stealing malware. We will be discussing the type of information it is interested in, as well as the way it stores and sends this information to the malicious FTP server. Furthermore, we will give an overview of a few anti-reversing tricks that we located during the analysis of this malware.


Recently, we identified a malware sample, the sole purpose of which was to steal information, including login credentials and other host related information. This is, of course, nothing new. What we found interesting about this particular sample, was that the malware does not attempt to achieve persistence on the ‘infected’ host.


With hundreds of thousands of malware samples floating around the internet, AV companies have to struggle every day in order to keep their detection signatures updated. These malware samples are not necessarily all functionally different from each other, but most of them try to appear different in an attempt to bypass AV products.

In practice, polymorphism is still far more common than metamorphism, because polymorphism, as seen in today’s malware samples, is much easier to achieve.

While metamorphism requires re-implementing parts of the code while keeping the same functionality, polymorphism is generally applied by keeping the code intact and encrypting it each time with a different method or with different encryption keys. A common shortcut is the insertion of junk code, which can be changed quickly and is effective at defeating static detection. This could be considered ‘cheap metamorphism’, since no real re-implementation of the code is done, but the code does appear different.
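To make the distinction concrete, the following Python is an added example (not code from the original post or from any sample Portcullis analysed) that models a polymorphic family and the three static views a scanner gets of it. A constant byte string stands in for the malware body, a fixed marker stands in for the decryptor stub, and each variant is the stub plus a fresh key plus the body XOR-encrypted under that key. The example then shows that a file hash and a byte signature written against the body both fail across variants while a signature on the unchanging stub still hits, and that the ‘cheap metamorphism’ of padding the stub with filler breaks even that signature until the scanner normalises the filler away. The payload text, the stub marker, the repeating-key XOR and the 0x90 filler are all assumptions of this example; they are not the sample’s real code or cipher.

```python
import hashlib
import os

# Constructed stand-in for a malware body. Functionality is identical in every
# variant; the text is only here so a byte signature can be written against it.
PAYLOAD = (b"collect credentials; compress; encrypt; STOR to attacker FTP"
           b" -- constant functionality across all variants")

# Fixed marker standing in for the decryptor stub that runs before the body.
# In a real polymorphic sample this is code, and it is the part that stays
# recognisable from one variant to the next.
STUB = b"\x55\x8b\xecDECRYPT-STUB"
KEY_LEN = 8
JUNK = b"\x90"  # stand-in for do-nothing filler (NOP or dead code) a junk inserter emits


def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice with the same key gives the original."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(payload, key=None):
    """Polymorphic packing: same stub, fresh key, body encrypted under that key."""
    key = key if key is not None else os.urandom(KEY_LEN)
    assert len(key) == KEY_LEN and any(key)  # an all-zero key would leave the body in clear
    return STUB + key + xor_bytes(payload, key)


def unpack(variant):
    """What the stub does at run time: read the key, decrypt the body."""
    key = variant[len(STUB):len(STUB) + KEY_LEN]
    return xor_bytes(variant[len(STUB) + KEY_LEN:], key)


def insert_junk(variant, n_junk):
    """'Cheap metamorphism': pad the stub with filler so its literal bytes are no
    longer contiguous, without re-implementing anything."""
    split = 3  # after the first three stub bytes
    return variant[:split] + JUNK * n_junk + variant[split:]


def normalise(sample):
    """Strip the filler before matching: one way a scanner copes with junk insertion."""
    return sample.replace(JUNK, b"")


def signature_hits(samples, signature):
    """Naive static byte-pattern signature: how many samples contain it verbatim."""
    return sum(1 for s in samples if signature in s)


def compare_detection(n_variants=5, keys=None):
    """Build variants of the same payload and compare what static checks see."""
    if keys is None:
        keys = [os.urandom(KEY_LEN) for _ in range(n_variants)]
    variants = [make_variant(PAYLOAD, k) for k in keys]
    junked = [insert_junk(v, 1 + i) for i, v in enumerate(variants)]
    return {
        # every variant hashes differently, so hash-based blocklists miss all but one
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        # a signature on the body never matches the encrypted bytes
        "body_signature_hits": signature_hits(variants, b"STOR to attacker FTP"),
        # a signature on the constant decryptor stub matches every variant
        "stub_signature_hits": signature_hits(variants, STUB),
        # ...until junk is inserted into the stub
        "stub_hits_after_junk": signature_hits(junked, STUB),
        # ...and matches again once the filler is normalised away
        "stub_hits_after_normalise": signature_hits([normalise(j) for j in junked], STUB),
        # the run-time behaviour is unchanged: every variant decrypts to the same body
        "unpacked_identical": all(unpack(v) == PAYLOAD for v in variants),
    }


if __name__ == "__main__":
    for name, value in compare_detection().items():
        print(f"{name}: {value}")
```

With five random keys the body signature scores 0 of 5 and the stub signature 5 of 5, which is why real signatures target the decryptor rather than the encrypted body, and why emulating the stub until the body is decrypted is the other standard answer. The filler normalisation is deliberately crude (it drops every 0x90 byte, including any inside the encrypted body); a real scanner would instead recognise junk instructions by disassembling, but the point stands that junk insertion only defeats signatures written against the raw bytes.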