We would like to introduce the first of our “Ghosts in the Endpoint” series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections.
In this study, all the families identified are samples from VirusTotal (VT) with zero detections, but detected as malicious by our Multi-Vector Virtual Execution (MVX) Engine. We also added a few samples with very low detection rates (VT <=3) but with interesting bypass techniques.
Our goal is to share indicators that help the AV community and others improve their detection coverage.
The study includes samples submitted to VT in 2015 that were still found undetected or with minimal detection rates as of January 2016 (see VT detection Tables in the Appendix).
The following samples were identified in our research:
Suspected APT malware:
Malware without attribution:
Malware that remains undetected by more than 56 different AV vendors over a long period of time is worth investigating. This section briefly describes the malware and techniques identified in the undetected samples. A full list of indicators can be found in the IOC section at the end.
1. 4b3858c8b35e964a5eb0e291ff69ced6 - 201507.xlsx
Type: XLSX
Description: CVE-2015-5119 (Flash exploit exposed in the Hacking Team leak)
Attribution: Suspected APT threat group targeting Taiwan
Current detection: 0/53
First Submission: July 13, 2015
Last Submission: January 27, 2016
Time undetected in VT: At least 6 months
This Excel document is PKZIP compressed (following the Open XML Format) with the structure shown in Figure 1:
Figure 1: Structure of XLSX document
When the spreadsheet is opened, a dialog prompts the victim to allow unknown embedded content to be played, as shown in Figure 2. In this case, social engineering is needed to convince the victim to execute the malicious Flash object.
Figure 2: Excel document content and prompt
When the victim allows the embedded content to be played, the activeX1.xml file is read to locate the OLE Control to be used (which corresponds to Macromedia Flash Player, as shown in Figure 3) through the ClassID attribute to finally load the Flash Exploit embedded in the activeX1.bin object.
Figure 3: Content of activeX1.xml file
The embedded Flash exploit corresponds to CVE-2015-5119, one of several zero-day exploits identified following the Hacking Team leak in July 2015.[2]
A look at the Flash Action Script (AS) reveals code similar to that from the Hacking Team Exploit, such as the class name exp1_fla/MainTimeLine, the function name TryExpl() with the same use-after-free technique, and even the same error message “can’t cause UaF” as shown in Figure 4.
Figure 4: Flash exploit code
The combination of the class name exp1_fla() and classes ShellMac64, ShellWin32 and ShellWin64 built into the exploit (see Figure 5) were not observed in the original Hacking Team version of the exploit, suggesting that the group responsible for this malicious Excel file modified the original exploit code.
Figure 5: Flash Action Script classes from malicious Excel file
The exploit drops a variant of the backdoor we call GOODTIMES (also known as Linopid). The backdoor communicates to Taiwan-based IP addresses 220.128.223.75 and 220.134.47.67 on ports 8080 and 443 via HTTP.
While this particular GOODTIMES sample has not been attributed to a specific threat group, GOODTIMES has previously been used by suspected APT actors. Based on previously identified targets and the use of Traditional Chinese language and Taiwan-centric themes in spear phishing messages and decoy documents, the group appears to focus on Taiwanese targets.
1. New delivery mechanism: The leaked CVE-2015-5119 Flash exploit has been used by a wide range of threat groups, including other APT groups such as APT3 and APT18[3]. Previous delivery methods entailed luring the victim to click on a malicious link (delivered via a spear phishing message) where the malicious Flash exploit was hosted on a web page. In this case, the suspected APT group responsible for the GOODTIMES backdoor changed the delivery mechanism by embedding the exploit as ActiveX object inside the Excel Open XML Format (PKZIP compressed).
2. In addition, while an ActiveX object would normally be embedded inside a Compound File Binary Format[4], in this case the uncompressed Flash content is embedded directly in the Excel file, right after the ClassID, as shown at Figure 6.
Figure 6: Embedded Flash object
· The above steps might be enough to avoid proper parsing of the malicious Flash object. This is the first time we have seen a CVE-2015-5119 sample embedded in an Excel document this way.
2. 22da029dd4e018b7c7135a03d0ba9b99
Type: Win32 binary
Description: A variant of the UPS backdoor
Attribution: suspected APT3
Current detection: 0/57
First Submission: August 6, 2015
Last Submission: February 2, 2016
Time undetected in VT: At least 6 months
UPS is a backdoor capable of uploading and downloading files, creating a reverse shell, reconfiguring itself to use different command and control (CnC) servers, and acting as a proxy server. It uses a custom binary protocol to communicate with its CnC server and it encrypts this custom protocol using a TLS TCP connection.
While this particular UPS sample has not been attributed, UPS is commonly used by the China-based APT3.
Potential AV bypassing reason
1. Junk code insertion: Examining this UPS sample, we see a significant amount of “junk code” potentially designed to mask the malicious nature of the binary, as well as to complicate analysis or reverse engineering efforts.
In Figure 7 we see the backdoor executing a jump to address 0x4043AB by forcing the “jump if greater than” comparison to be true by moving a large value (0x4A2E88E4) to the ebx register and then comparing it with a hardcoded lower value (0x6A1E839), after which a large number of junk instructions are skipped (red square). This strategy can be seen through several different execution paths.
Figure 7: Decompiled UPS sample showing junk code
3. aedd5d8446cc12ddfdc426cca3ed8bf0 -S-old.xlsb
Type: XLSB
Description: VBA Macro + Metasploit Shellcode Loader Backdoor
Attribution: Suspected Middle Eastern-based APT
Current detection: 1/52
First Submission: September 28, 2015
Last Submission: January 28, 2016
Time undetected in VT: At least 4 months
This particular sample, an Excel Binary Workbook file,[5] has only one generic detection on VT, so we believe it is still worth mentioning in this report.
When the spreadsheet is opened, the victim is shown a table of Israeli holidays and prompted to enable macros to view the full list, as shown in Figure 8:
Figure 8: Malicious Excel file showing calendar data
When the macro is executed it creates a Windows binary in memory as shown in Figure 9. Note the Chr(77) + Chr(90) builds the MS-DOS header magic number “MZ”.
Figure 9: Macro concatenating bytes to form a Windows binary
The binary is written to the file system with the file name NTUSER.dat{GUID}.exe as shown in Figure 10.
Figure 10: Creating the Windows binary
In this case, the GUID selected corresponds to Scriptlet.TypeLib ActiveX object, creating the file name NTUSER.dat{FB9D87AE-8FEA-4583-98AB-2FB396EAB5FC}.exe (md5 6aab47b18afacbfa7423f09bd1fa6d25) that is later executed via the ShellExecute() API with the SW_HIDE parameter to run silently.
Finally, the executable comes with an embedded Metasploit Shellcode loader that connects to 84.11.146.62 on port TCP 13661.
While this sample has not been attributed, similar techniques (use of XLSB files with embedded, obfuscated macros; creation of the file name NTUSER.dat{GUID}.exe; use of the binary to download additional malware) and the same CnC IP address have been referenced in reporting on a suspected Middle Eastern-based APT group known as “Rocket Kitten”, primarily targeting Middle Eastern and European organizations.
Potential AV bypassing reason
1. The byte concatenation inside the VBA Macro, used to build a Win32 binary at runtime, helps to bypass signature-based detection.
4. 4e51143b01e99afc3bd908794d81d3cb
Type: HWP
Description: Hancom Office HWP Exploit
Attribution: None
Current detection: 3/53
First Submission: July 31, 2015
Last Submission: February 2, 2016
Time undetected in VT: At least 6 months with 3 generic detections
This sample, a Hangul Word Processor (HWP) document, has only three generic detections on VT, so we found it to be worth analyzing for this report.
When opened, the HWP document displays Korean text and some photographs, as shown in Figure 11. Behind the scenes the document will exploit vulnerable versions of Hancom Office, dropping and executing a malicious file.
Figure 11: Content of malicious HWP document
Internally, the document structure includes three sections, where section 0 will trigger a Type Confusion vulnerability while parsing the content of the paragraph located at the data record structure HWPTAG_PARA_TEXT starting at offset 0x1C (see uncompressed section 0 at Figure 12). The logic bug will cause the string starting at offset 0x50 to be treated as a control structure. This control structure contains a fake object at offset 0x56 pointing to an address (0x0e0a0e0a) filled by a heap spray that eventually will redirect the execution flow to the shellcode.
Figure 12: Section0 malformed paragraph
A similar type confusion vulnerability has been previously documented by Ahnlab,[6] however, the vulnerability trigger is different.
Section 2 has an uncompressed size equal to 112MB, used to perform the heap spray and expecting to place the shellcode at a memory address close to 0x0e040e04. In Figure 13, the beginning of the shellcode can be seen (uncompressed).
Figure 13: Start of shellcode
The shellcode drops a file on disk and executes it via HncBLXX.HncShellExecute-> SHELL32.ShellExecute. This generates a connection to a compromised Korean automotive website and attempts to retrieve a file with a .JPG extension, which we suspect may be a second-stage binary. However, the file was no longer available on the website at the time of our analysis.
This particular sample has not been attributed to any threat group. However, the use of malicious HWP documents is notable, as that format is specific to a regional word processing program used heavily in South Korea and in particular by the South Korean government. While the use of malicious HWP files could simply indicate regional targeting by unspecified threat actors, similar exploits have been used in the past by suspected APT groups.
Potential AV bypassing reason
1. Heap Spray technique change: Similar exploits used to be created with multiple large-size sections in order to spray the heap. This exploit fulfills the same purpose but with only one large-size section.
2. Vulnerability triggered in a different format: A similar type confusion vulnerability described in this section was seen implemented in the Open XML Format (HWPX extension)[7], but this time ported to the Compound File Binary Format (HWP extension).
5. 497eddab53c07f4be1dc4a8c169261a5 - Barclays_Q22015_IMS_excel_tables.xlsm
Type: XLSM
Description: VBA Macro + VBScript generated from spreadsheet
Attribution: None
Current detection: 1/54
First Submission: Julio 08, 2015
Last Submission: January 27, 2016
Time undetected in VT: At least 7 months
This sample, an Excel macro-enabled file, has only one generic detection. The embedded macro creates an encoded Visual Basic (VBE) file that connects to a CnC site and allows remote control of the victim’s computer. As we had not previously observed this backdoor, we named it OccultAgent.
When the XLSM file is opened, the user is prompted to enable macros, as shown in Figure 14. The instructions are displayed in both English and Greek:
Figure 14: Prompt to enable macros
The macro drops an encoded VBScript file named ocagent.vbe (69df0c3bab5e681c2e5eb5951a64776e), obtained from the data in a spreadsheet cell (see Figure 15), to C:\octemp001\ and executes it. The script connects to hxxp://0x5E469BFD, which is equivalent to hxxp://94.70.155.253, via the victim’s web browser.
Figure 15: Obfuscated script embedded in spreadsheet cell
The first stage Macro source code can be seen in Figure 16.
Figure 16: Embedded VBA macro
The dropped ocagent.vbe VBScript is essentially a backdoor that connects to the CnC server at 94.70.155.253 to register the victim’s computer and to obtain commands to run on the victim’s machine.
Potential AV bypassing reason
The following steps may be sufficient to bypass AV detection:
1. Adding encoded VB script into a spreadsheet cell allows attackers to hide the malicious code.
2. Representing the IP address in hexadecimal format may be sufficient to bypass regular expressions trying to match standard 32-bit IP addresses (dotted decimal notation).
**6. dc15336e7e4579c9c04c6e4e1f11d3dd -**dedinho no cuzinho.rtf
Type: RTF
Description: RTF file with embedded executable
Attribution: None
Current detection: 0/54
First Submission: October 22, 2015
Last Submission: January 15, 2016
Time undetected in VT: At least 3 months
In this attack scenario, the victim receives an RTF document that appears to contain an embedded JPG image. The embedded file is actually an executable that attempts to hide its file extension by using a long sequence of underscore characters (e.g., Copy of foto.jpg<underscores>.exe (see Figure 17).
Figure 17: RTF document with embedded file
The embedded binary (d409dc7e1ca0c86cb71e090591f16146) is packed with RLPack[8]. It drops a second Borland Delphi binary packed with a customized version of UPX, which will then drop the Spy-Net RAT on the system.
Spy-Net[9] allows an attacker to interact with the victim via a remote shell to upload/download files, interact with the registry, run processes and services, capture images of the desktop, and record from the webcam and microphone. It also contains functionality to extract saved passwords and turn the victim into a proxy server.
A beacon to dennyhacker[.]no-ip.org on TCP port 81 prepended with an ASCII representation of the length of the payload (33) and followed by a pipe and a new line character confirms Spy-Net activity:
00000000 33 33 7c 0a 33|.
The RAT commands are translated to Portuguese to adapt the attack to Brazilian victims; some command examples are shown below (additional commands are listed in the Appendix):
Configuracoesdoserver = Server settings
Listarjanelas = List windows
Finalizarconexao = End connection
Listarchaves = List keys
Potential AV bypassing reason
1. Packers are commonly used to obfuscate code in order to bypass traditional signature-based detection. The use of multiple files packed with two different packers may be sufficient to bypass detection.
7. b1f43ca11dcf9e60f230b9d6d332c479 – Book2 - Copy.xls
Type: XLSX
Description: VBA + Python Shellcode loader
Attribution: None
Current detection: 0/54
First Submission: September 20, 2015
Last Submission: January 28, 2016
Time undetected in VT: At least 6 months
When opened, this Excel document appears to be blank but contains the VBA macro shown in Figure 18.
Figure 18: VBA Macro with OLE Object
The macro will instantiate an OLE Object and load it via the xlVerbPrimary verb. The embedded OLE object contains two files:
Once file.exe is executed it launches a copy of the Windows calculator (calc.exe) as a decoy. However, behind the scenes it performs a Metasploit reverse TCP Connect to a CnC server.
The unpacked version of file.exe is obfuscated python that can be seen in Figure 19.
Figure 19: Python Shellcode
The following steps describe the process in greater detail:
Potential AV bypassing reason
Multiple tricks to evade detection can be seen here:
8. 95e89fd65a63e8442dcf06d4e768e8f1- Doc1.docm
Type: DOCM
Description: VBA + PowerShell + Netcat as Backdoor
Attribution: None
Current detection: 0/53
First Submission: June 19, 2015
Last Submission: January 26, 2016
Time undetected in VT: At least 7 months
The word document comes with a simple message shown in Figure 20.
Figure 20: Message distractor
When the VBA macro is executed (see Figure 21), PowerShell code is loaded from the document’s comments (see Figure 22):
Figure 21: Loading malicious code
Figure 22: Code embedded in the document comments
The PowerShell script will act as a backdoor to allow remote access to the compromised machine. The script will download and execute netcat to listen on IP 192.168.52.129 and port 3724. Once a connection is received, a PowerShell shell will be sent (via –e powershell.exe option) to the client (PowerShell Reverse shell) as shown in Figure 23.
Figure 23: Malicious code content
It is interesting to note that attackers are moving from traditional command prompt shells (cmd.exe) to PowerShell shells (powershell.exe), which are actually more powerful. For example, PowerShell allows the use of WMI (Windows Management Instrumentation), something not readily accessible via the standard command prompt[12].
The script references a non-routable (RFC1918) IP address, so we suspect that the script was either a proof of concept or meant to be used during the lateral movement phase in a specific internal environment that uses this IP space.
Potential AV bypassing reason
1. Use of the .docm extension may evade extension-based parsers.
2. Embedding the PowerShell script in the document’s comments and executing it from a VB macro adds another layer of complexity. While this is clearly a suspicious behavior, it is not properly identified by signature-based detection.
We identified several other examples of malware using VBA Macros with PowerShell to mainly run shellcode loaders that allow attackers to gain remote access to victims’ machines. Another example is shown below; it has two VT detections, but serves as an example of a very common variant seen in the wild.
9. 8de1ebacb72f3b23a8235cc66a6b6f68 – Polnoe_raspisanie_igr.xlsm
Type: XLSM
Description: VBA Macro + PowerShell – Shellcode Loader
Attribution: None
Current detection: 2/54
First Submission: October 14, 2015
Last Submission: January 28, 2016
Time undetected: 3.5 months with two generic detections
When the Excel document is opened, a message is displayed in Russian. The user is even provided with a link to a legitimate article describing how to enable macros (see Figure 24).
Figure 24: Excel file with legitimate link
When the VBA Macro runs, it executes a PowerShell script that Base64-decodes and decompresses a second-stage PowerShell Script that will be used as the shellcode loader in memory (see Figure 25).
Figure 25: PowerShell script being built on the fly via VB script
PowerShell uses the Invoke-Expression (or IEX) call to execute the decompressed string, similar to the eval() functionality from other programming languages.
The Shellcode in this case comes hardcoded in the second stage PowerShell script, loaded and executed from memory with the following syntax:
$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000
Where $x contains the Shellcode loaded in memory that eventually will connect to the domain spl[.]noip[.]me. Based on DNSDB query, the domain spl[.]noip[.]mepreviously resolved to Russian IP 81.23.177.72.
Most of the VBA Macro + PowerShell scripts we identified were created with the macro_safe.py[13] and unicorn.py[14] scripts, often used for penetration testing.
Potential AV bypassing reason
1. The .xlsm extension may bypass extension-based parsers
2. Using the VBA Macro in the first stage to build the first PowerShell script via concatenation provides an easy way to bypass signature-based detection
3. The PowerShell scripts are Base64 encoded and compressed
**10. cda305a6a6c6ace02597881b01a116e3 -**CVE-2013-1331-doc.docx
Type: DOCX
Description: Office Downloader
Attribution: None
Current detection: 0/55
First Submission: January 12, 2015
Last Submission: January 16, 2016
Time undetected in VT: The whole year and counting!
In 2013, a stack-based buffer overflow triggered while parsing PNG images was exploited in the wild against MS Office 2003 and Office for Mac. CVE-2013-1331 was assigned to the vulnerability.
The malicious samples did not include the PNG directly embedded in the document; rather, the PNG file was loaded from the Internet by using the INCLUDEPICTURE option[15].
This new sample uses a different option from the new XML Format called “Relationships” in order to download a resource from the Internet, as seen at Figure 26.
Figure 26: XML content loading the PNG image remotely
The same domain was used back in 2013, but now with a different download technique. Although the vulnerability has been patched by Microsoft, the aforementioned technique can be used to download any resource from the Internet.
Potential AV bypassing reason
1. Use of the XML ‘Relationship’ instead of the original INCLUDEPICTURE method to download resources from the Internet is a novel technique that may not be recognized.
2. Based on the code shown above, it is clear that the intention is not to download a .gif image but a .php resource. Signature-based engines should easily detect the unusual resource name with multiple dots.
Threat actors of all types continue to improve their techniques to compromise organizations and remain undetected within an environment. Our study identified a number of techniques that successfully bypassed many AV engines:
1. Alternate techniques to embed objects within Office documents that may not be recognized by AV engines.
2. The use of a multi-stage infection approach in order to look unsuspicious at each stage:
a. A document downloading an image from the Internet that cannot be flagged as malicious at that stage
b. A VBA Macro script loading malicious content from spreadsheet cells
3. Multiple techniques to load malicious content from Office documents:
a. Embedded as ActiveX
b. Embedded as OLE Binary
c. Embedded in the document’s comments
d. Embedded in the spreadsheet cell
4. Standalone packed binaries containing malicious Python scripts.
5. Multi-layer Packing: RLPack + Custom UPX.
6. The combination of multiple scripting languages to allow the attackers to obfuscate malicious code, such as VBA Script building malicious PowerShell scripts.
In several cases we note that the attackers are reusing known exploits (such as CVE-2015-5119 or CVE-2013-1331), but changing the delivery method; or leveraging obfuscation, encoding, encryption, or multiple layers of packing to disguise their malicious scripts or backdoors.
For proper detection, it is essential to monitor an attack through its entire life cycle – not simply when a suspicious document or file first enters a network. This approach is necessary to detect and block multi-stage infection strategies. While initial events (such as the delivery of a macro-enabled spreadsheet) may appear innocuous, eventually a later stage of the attack will trigger detection.
It is much easier to stop an attack – including a multi-stage attack – when it first occurs, to include detecting known and unknown exploits (zero days), or even threats that require user interaction such as macros inside documents.
This detection approach is the core logic behind FireEye Multi-Vector Virtual Execution (MVX) technology.
Indicators of Compromise - IOCs
Network Based:
4b3858c8b35e964a5eb0e291ff69ced6
POST /0000/a242550.asp
IP: 220.128.223.75
TCP Port: 8080
4e51143b01e99afc3bd908794d81d3cb
GET /bbs/file/machinery/machine_body.jpg
IP: cncauto.co.kr
PORT: 80
8de1ebacb72f3b23a8235cc66a6b6f68
IP: spl.noip.me
TCP Port: 80
b1f43ca11dcf9e60f230b9d6d332c479
IP: 31.168.144.18
TCP Port: 443
aedd5d8446cc12ddfdc426cca3ed8bf0
IP: 84.11.146.62
TCP Port: 13661
497eddab53c07f4be1dc4a8c169261a5
GET /ocagnt/gethooks.asp
IP: 94.70.155.253
TCP Port: 80
GET /ocagnt/enckeys
IP: 94.70.155.253
TCP Port: 80
GET /ocagnt/getstatus.asp
IP: 94.70.155.253
TCP Port: 80
dc15336e7e4579c9c04c6e4e1f11d3dd
IP: dennyhacker.no-ip.org
TCP Port: 81
Host-Based:
dc15336e7e4579c9c04c6e4e1f11d3dd
C:\Windows\System32\install\server.exe (copy of dropped binary) d409dc7e1ca0c86cb71e090591f16146
%AppData%\Local\Temp\XX–XX–XX.txt
Mutex created:
x_X_PASSWORDLIST_X_x
x_X_BLOCKMOUSE_X_x_
MUTEX MUTEX_PERSIST
497eddab53c07f4be1dc4a8c169261a5
c:\octemp001\
C:\octemp001\enccmdresults.txt
C:\octemp001\ikeycharvalue.txt
C:\octemp001\enchostnameres.txt
C:\octemp001\certutil.txt
C:\octemp001\cert.txt
C:\octemp001\commands.txt
C:\octemp001\prevcommands.txt
C:\octemp001\enccmdresults.txt
C:\octemp001\enccmdresults2.txt
c:\octemp001\key.txt
Figure 27 shows the MD5s with zero detection detailed on this report.
Figure 27: 2015 samples from VT with zero detections in 2016
Some exceptions to this study were added for samples with low detection rates, but with only generic detection (that is, not detected as part of any specific code family), that used an interesting technique or that were suspected of being used by an APT group (see Figure 28).
Figure 28: Samples with low and / or generic detection
dc15336e7e4579c9c04c6e4e1f11d3dd – Brazilian RAT
Some interesting commands from the RAT in Portuguese language:
0002A3A8: pingtest
0002A3BC: tentarnovamente
0002A3E0: mouseposition
0002A3F8: keyboardkey
0002A40C: webcaminactive
0002A424: webcamgetbuffer
0002A43C: webcam
0002A44C: desktop
0002A45C: stopsearch
0002A470: listarvalores
0002A488: maininfo
0002A49C: configuracoesdoserver
0002A4BC: disconnect
0002A4D0: uninstall
0002A4E4: renameservidor
0002A4FC: enviarexecnormal
0002A518: enviarexechidden
0002A534: executarcomandos
0002A550: openweb
0002A560: downexec
0002A574: resumetransfer
0002A58C: listardrives
0002A5A4: listararquivos
0002A5BC: execnormal
0002A5D0: execinv
0002A5E0: deletardir
[1] Hangul Word Processor is a word processing application developed by South Korean software firm Hancom.
[2] http://www.securityweek.com/zero-day-exploits-leaked-hacking-team-breach
[3] https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html
[4] https://msdn.microsoft.com/en-us/library/dd942138.aspx
[5] An XLSB file is stored in binary format instead of the normal XML format, allowing the file to be read from and written to much faster. See https://technet.microsoft.com/en-us/library/dd797428.aspx
[6] http://asec.ahnlab.com/1035
[7] https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf
[8] http://www.pcworld.com/product/997528/rlpack-basic-edition.html
[9] https://www.fireeye.com/blog/threat-research/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html
[10] Py2Exe is a distutils extension to create standalone windows programs from python scripts. See https://sourceforge.net/projects/py2exe/.
[11] https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/shikata_ga_nai.rb
[12] http://www.howtogeek.com/163127/how-powershell-differs-from-the-windows-command-prompt/
[13] https://github.com/khr0x40sh/MacroShop/blob/master/macro_safe.py
[14] https://raw.githubusercontent.com/trustedsec/unicorn/master/unicorn.py
[15] http://blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx